Kiris Group Intelligence Security

The Truth Behind "Active Monitoring"...

The world has changed a lot since the Cold War, but much of what is done in the intelligence domain remains rooted in time-honoured logic, delivered in a 21st Century way. This is absolutely the case with online HUMINT and intelligence gathering. Indeed, the development of online profiles as an intelligence collection tool is a crucial OSINT collection technique.

Accessing closed sources - once the sole preserve of access agents - has proved an invaluable OSINT tool in recent times and is one of the many areas where OSINT starts to prove its real value in mirroring traditional intelligence gathering methods. In essence, online profiles are HUMINT and agent-running for the 21st Century, and vitally, can be used to complement the automated collection process we offer to deliver full spectrum online monitoring.

Previous posts outlined the way in which we use passive online monitoring (keywords, geofences and search strings) to deliver an enduring “finger on the pulse” function; accessing closed sources takes things a step further, delivering the acute insight that only human interaction can generate. Ultimately, this allows us to employ a hybrid strategy that combines automated collection with a responsive engagement strategy, giving access to more data, faster, and ultimately generating better intelligence.

Rooted in old-school HUMINT principles, a “floodlight, torchlight, laserlight” approach can be taken, whereby all relevant sources are first identified (floodlight), the information is then refined (torchlight), and finally sources are prioritised for persistent engagement and monitoring (laserlight).

We aim to avoid trace and attribution, curating our online presence to fit specific parameters carefully tailored to gain access to critical information – using tools such as VPNs and VMs to manage our digital footprint.

But how does this work in practice? The digital age has given rise to endless sources where conversations take place and information is exchanged – potentially to plan, plot and execute acts that require rapid, real-world security intervention. For example, during the 2020 US election, the creation of the Facebook group “Stop the Steal” resulted in over 100,000 users planning protests and asking questions such as “How do we go about overthrowing the [sic] Gub’ment?” Although the overarching “Stop the Steal” forum was not a difficult group to penetrate, it was estimated that the group spawned over 60 campaigns and sub-groups, which then migrated to the messaging app MeWe for fear of law enforcement infiltration. Access to these more tactical group chats surfaced the planning of protests and information on what then became the Capitol Hill riot, providing extremely valuable intelligence.

In addition to intelligence gathering used as a reactive measure to understand crises, accessing closed sources also offers the opportunity to respond proactively. Again, in the case of the 2020 US election, group members decided to move communications to a less mainstream platform out of suspicion of government monitoring. This inherent sense of suspicion provided an opportunity for those running the monitoring activity to seize the initiative and suggest the creation of smaller forums before other group members did.

So, why is this useful for online monitoring? Principally, in the processing and dissemination of data: there is no longer any reliance on a physical agent to provide access to information, so removing this agent reduces delay in the transmission of information, increases the speed of our OODA loop, and increases the credibility of the information gathered by generating direct access. Secondly, this allows us to be responsive: we can easily adapt strategy and pursue new avenues or investigation needs. Finally, we can further identify the 5 Ws – who, what, when, where and why – allowing us to determine potential future threats and crises before they arise. Having identified the 5 Ws, we can conduct pre-emptive crisis management based on predictive analysis of a large amount of reliable, quantifiable and multi-source data, giving the maximum amount of time to secure, engage and react to the threat.

The ability to be pre-positioned to pull information from closed, harder-to-access sources is extremely valuable. It allows for the impactful collection of data that can be analysed and processed to provide key insights and intelligence on potential threats – giving the maximum amount of time to respond to potential crises and future threats.