Corporate global security operations centres (GSOCs) bear the responsibility for protecting C-suite executives from physical and reputational harm amid social upheaval, extreme weather events, and escalating cyber threats. That mission, daunting as it is, becomes more difficult when GSOCs lack the data necessary for conducting a comprehensive threat assessment.
Threat intelligence
Unfortunately, many centres never move past basic threat intelligence, which focuses on scenario-driven queries such as “what” could go wrong and “where” the event could occur.
They fail to capture information that could help them identify threat actors, the critical “who” and “who else” involved, and uncover their plans before a plot unfolds.
Addressing threat environment
GSOC executive protection teams must expand their narrow-focus intelligence capabilities to deal with an increasingly complicated threat environment. They need to obtain a wide-angle view that strategically places individual events into a broader context, while also uncovering the bits of data that, when correlated, can make all the difference in defusing a potential crisis.
In addition, these intelligence approaches should span all aspects of executive protection, from pre-mission planning to real-time, location-based operations. Here then are five intelligence-based capabilities all executive protection teams need today:
1) Advanced scouting intelligence
GSOCs often rely on threat intelligence companies to alert them to dangerous situations or compromises that could impact the executives under their protection. While threat intelligence is important, it stops well short of providing the complete picture.
Executive protection teams need more than superficial information gleaned from news feeds or international weather reports. The centralised GSOC, serving as the risk HQ, must take a proactive approach to mine intelligence data. To that end, GSOCs should provide advanced scouting intelligence.
Data-driven insights
If an executive aims to attend an event in another country, the centre should provide data-driven insights for pre-mission planning. That means digging into local news, international news, the geopolitical structure, and weather conditions among other factors.
GSOCs should also probe the deep and dark layers of the web in addition to the commonly used and well-traveled websites, forums, and online platforms. A thorough understanding of the pending event and its context lends executive protection teams an intelligence edge when it's time to deploy.
2) An understanding of threat actors' intelligence capabilities
But advanced scouting doesn't end there. GSOCs should also use "red teaming" to get inside the head of a threat actor and uncover an executive's vulnerabilities. Red teaming determines what an adversary might be able to find out about executives, their family members, and entourages. What's their level of exposure? Publicly available photos posted online can prove particularly harmful.
For example, a photo of an executive's private jet could reveal a tail number that a threat actor could track, via open-source intelligence, to determine where the plane is heading. Images of vehicle license plates can be similarly exploited.
Ways to strengthen vulnerability assessment
A red team may also find images of the executive's family members, tagged in online photos and readily identifiable. Online sources may also reveal where family members work and mention where their children attend school. This investigative intelligence should explore three or four degrees of separation, not just immediate relationships.
The GSOC's red team can also check for data leaks, breaches, and evidence of doxing to strengthen the vulnerability assessment well before the executive travels to the event.
3) Deep, dark web intelligence
Open-source intelligence often relies on information gathered from the surface web of everyday use. GSOCs, however, must also look for threats lurking beneath the familiar online world.
The deep web, for example, houses myriad sites that aren't indexed and, therefore, can't be searched using standard web browsers. The dark web, a subset of the deep web, is even less accessible, requiring specialised software such as an anonymising browser.
Situational awareness
The dark web, in particular, demands a GSOC investigator's attention. Threat actors use this web layer to communicate, collaborate and plan operations with a relatively high degree of secrecy. Failure to tap this information resource can dramatically reduce threat visibility and limit an executive protection team's situational awareness.
GSOCs, however, can conduct deep and dark web investigations, provided they have the know-how and technology tools to do so.
Exploiting the dark web
Acquiring such skills requires time, commitment, and, potentially, new investigative policies. Existing guidelines, for example, may prohibit GSOC personnel from downloading an anonymising browser.
In addition, investigators could stumble upon an exploit in the dark web, which could compromise their computers and networks. A computer used to explore the dark web should be isolated from the GSOC's production network as a matter of policy. With the proper tools, investigative techniques, and procedural guardrails in place, a GSOC can tap a valuable intelligence source.
4) Deanonymisation of threat actors
Typical threat intelligence offerings help a GSOC answer the "what" question as they prepare to protect executives on the move. That is, they provide information on a particular incident in the executive's vicinity. But it's critically important to address the "who" question as well.
That task calls for savvy investigators augmented by artificial intelligence. GSOCs can use AI to craft custom searches spanning the surface, deep and dark webs. Casting such a wide net lets investigators pursue threat actors, who can move rapidly between commonplace public networks and more obscure platforms.
Artificial intelligence
A crackdown on surface web activities, for instance, will drive threat actors to a dark web hideout. An investigator confined to the surface web will soon lose the trail. A scouring of all the web's layers will generate loads of data, which GSOCs will need to parse. AI can also prove an asset here, accelerating the process of extracting actionable intelligence from, potentially, terabytes of data.
Manual data analysis can take days, if not longer, bogging down investigations and delaying the flow of crucial intelligence to teams on the front lines of executive protection.
Automated approaches and network monitoring
Automated investigative approaches can quickly correlate the bits of data collected in a web search – threat actors' online handles, IP addresses, phone numbers, and photos, for example. Stringing together enough informational breadcrumbs can help deanonymise threat actors. Once an identity is unmasked, platform analysis lets investigators uncover additional relationships and entire networks of threat actors.
Learning about networks becomes important when a security team needs to exfiltrate an executive. A threat actor network could operate in several geographic locations, not just the area in which an incident occurred. It makes no sense to evacuate an executive from one dangerous location only to relocate him or her to another trouble spot.
5) Real-time situational intelligence
The traditional intelligence approach still in use is reliant on historical data to help organisations make executive protection decisions. GSOCs have to move past this and incorporate real-time situational intelligence as a core component of their executive protection programs.
On-the-ground security teams will then be able to ensure that the strategies and protocols used to safeguard executives are based on current, actionable and trustworthy intelligence gleaned from multiple verified sources.
Perimeter protection
Real-time situational intelligence requires analysing data that is relevant to a specific event within a geographical area and time. This strategic approach will require a virtual perimeter to be placed around the geographic area in which an executive will be active – a conference venue and the surrounding city, for instance.
GSOC analysts can then evaluate all online activity emanating within the predetermined boundary. This examination can take place before and during an event and the resulting intelligence can be fed through to ‘on-the-ground’ protection teams in real-time while an incident unfolds, or before an event.
Unstructured data analysis
Additionally, analysis of publicly available information can yield important locational clues such as photos of well-known landmarks, images containing signage, or other objects with text that can offer additional geographic markers. But to take advantage of such intelligence sources, GSOCs must be able to analyse unstructured data in various formats including online platforms and remote sensors.
Interpreted correctly, this will provide real-time data that can be used as a basis for actionable and trustworthy intelligence. This ability will also bolster the on-the-ground situational capabilities of the security team.
Alert notifications
Forward-deployed executive protection teams can also contribute their real-time situational intelligence as events unfold on the ground. Teams receiving alerts from the central GSOC can vet that information based on what they are seeing locally.
They can disseminate that intelligence back to the GSOC, which in turn can incorporate those insights into their data and adjust an alert level accordingly. Direct communication between the GSOC and on-the-ground executive protection teams is crucial. This flow of intelligence completes a virtuous circle: The pre-mission planning intelligence supports the executive protection team and the team's real-time intelligence informs and refines the GSOC's guidance.
Restricting data limits visibility
The current threat landscape, more varied and complex than ever, requires a comprehensive response. GSOCs and their executive protection teams need to take in as much data from as many intelligence sources as possible. Restricting data gathering to a few conventional websites severely limits visibility.
The multitude of online platforms, and the staggering amounts of structured and unstructured data they generate, make technology an important asset for getting the intelligence job done within a reasonable timeframe.
Toward a bigger intelligence picture
It's not all about automation, however. Highly skilled personnel, including red teams, are a major part of the intelligence operation. Policies and best practices for intelligence gathering round out the list of requirements.
GSOCs must pursue the big picture when it comes to executive protection. A narrow view of data sources, techniques, and technologies won't suffice. It's no time for tunnel vision when lives and reputations are at stake.