A tailored approach to digital executive protection allows security teams to maximize resources and identify threats without relying on 24×7 physical executive protection
Executive protection teams face threats from many sources including social media, telephone, email, and event in-person physical threats. The teams must determine which are valid threats that require action, and which are mere online rants or harassment that should be monitored, but are largely harmless. When the threat is concerning enough to cause teams to take action, a typical response consists of physical, procedural, and technical security protocols (guns, guards, gates). However, unless an individual has 24×7 executive protection (which is costly), these threats don’t often escalate while an executive protection team is present. Because of this, digital executive protection is critical.
Social Media Monitoring
The major social media platforms have teams who can detect threatening behavior and violent rhetoric, and remove it quickly. As a result of their success, a lot of the threatening content is moving to non-traditional forums or social media platforms that are less-regulated. These sites include deep web forums and dark web doxxing sites where actors are very organized and structured about who’s information to target and release on the Internet. There are also special interest forums focused on technology, finance, or even home to disgruntled ex-employees that pose significant risk.
Technical Signature Analysis
People like to post online, and they tend to do so when they are emotionally charged. The perception of online anonymity has changed the game and sometimes individuals go so far as to make physical threats. When actors post they leave a digital trail. That trail can be monitored. Sophisticated actors don’t use real names or locations, but timely attribution can link the actor’s real identity to an online persona,monitoring can ensue, and alerts can be generated if threats occur. In addition, the actor’s posts may unknowingly reveal a location or leave an IP address allowing him to be further identified.
The Proper Approach to Digital Executive Protection
A tailored approach to digital executive protection allows security teams to maximize resources and identify threats without relying on 24×7 physical executive protection. This approach includes:
Tailored Social Media and Open Source Intelligence Collection: Building a collection engine that minimizes visibility gaps is critical: everything from breach data, to external traffic sources, to foreign media posts, Protective DNS, and business information should be optimized. For example if a threat actor posts a vile threat but deletes it a day later, the collection engine should be able to catch it. This requires appropriate data engineering of structured and unstructured data to search and alert.
Threat Actor Engagement and Tailored Access: Seeing and engaging actors requires access to the platforms where they engage, an authentic looking profile, and research. If a threat actor is harassing or making accusations against a company’s executive team, they are likely to leave digital breadcrumbs on chat forums or websites designed to attack the company, as well as social media forums.
Technical Signatures Analysis: Public information sources can help identify a threat actor’s patterns. This data can reveal important information enabling experienced investigators to to match online activity, a general physical location, or movement patterns over time.
Meaningful Analysis: A system that alerts on the proper negative sentiment in a timely manner is critical to relevant and actionable intelligence. Understanding social norms, stylometric attributes, and context to actors allows analysts to rapidly identify and determine malicious capability and intent.
Attribution and Coordination: A critical factor in successful digital executive protection is the ability to attribute an actor’s online personas without alerting the actor. This approach includes:
• Watching for pattern of life indicators such as the threat actor conducting surveillance activities
• Collecting and analyzing content for trigger words or photos
• Recurring communication with the Client’s security or physical team. Attribution should not be resource intensive and should occur in a timely manner
None of these many elements are a solution in themselves, but together they can seamlessly bridge the physical and the digital world. Combining these pieces allows a digital investigator to continue executive protection monitoring, manage the intelligence for a threat actor as well as the victim, and ensure proper protection.