
Using WEBINT and OSINT to tackle extremist groups

Agencies that familiarize themselves with extremists’ cyber haunts stand a better chance of uncovering potential problems before they materialize


Extremists gravitate to the dark web, where they can use a variety of technologies to conceal their activities.


By Johnmichael O’Hare

Times of economic uncertainty and social unrest provide favorable conditions for extremism. Groups spanning a range of ideological persuasions can take advantage of the turmoil to promote their narratives, recruit new members, and, in some cases, commit violent acts.

Extremists from the far left and far right hold opposed worldviews but share one common thread: They rely on online resources to achieve their goals. Such groups leverage several social media platforms and internet forums to communicate with followers and organize activities. Online tools enable extremism. But law enforcement agencies that familiarize themselves with extremists’ cyber haunts stand a better chance of uncovering potential problems before they materialize.

Indeed, getting up to speed on internet extremism helps officers protect the public and might also expose threats made against the officers themselves.

Extremists: Fueling the fire

Among the recent string of violent events that have gripped our country, we have seen a massive amount of public unrest driven by agitators from across the extremist spectrum. Large sections of cities and neighborhoods have been shut down, property and businesses have been destroyed, and, tragically, people have lost their lives. In some cities, we have seen a perfect storm of rioting, violent crime and the coronavirus pandemic happening at the same time.

In addition, COVID-19 has provided cover for extremist activity. The pandemic has fomented fear and uncertainty around the world, and the resulting economic downturn has left millions of people out of work. Extremists now use online platforms to conduct messaging campaigns, aiming to exploit the dual crises.

In one investigation, the Institute for Strategic Dialogue, working with BBC Click, found that 34 COVID-19 disinformation websites racked up 80 million interactions on Facebook from January to April 2020. ISD’s report noted those interactions dwarfed the number of Facebook interactions the Centers for Disease Control and Prevention gathered during the same timeframe: a comparatively paltry 6.4 million.

Extremist groups organize acts of public violence and disinformation campaigns as part of their communications strategy, which seeks to keep adherents motivated and find recruits. The familiar surface web – home to widely used social media platforms – is often the key outlet for an extremist group’s propaganda. And if extremists are booted off the mainstream social media platforms, they often resurface on alternative platforms.

Misleading and inflammatory messaging, while problematic enough, offers a path to radicalization and, from there, a short hop to incitements to violence. Violent calls to action can and do appear on the surface web, but the more sophisticated threat actors are likely to plan and coordinate violent activities in the web’s subterranean levels.

The deep web, for example, operates below the surface web and can prove difficult to navigate since Google and other search engines don’t index websites in this layer. The dark web, a subset of the deep web, harbors a range of illegal activities, including marketplaces dealing in stolen credit card data and illicit drugs. Extremists also gravitate to the dark web, where they can use a variety of technologies to conceal their activities. Tools of the trade include anonymizing routers, no-log virtual private networks and proxy servers.

Overcoming the challenges with OSINT and WEBINT

Law enforcement faces several challenges when investigating extremists’ online activities. The sheer scale of the surface web and its underground counterparts presents one obstacle. As of July 2020, there were 1.78 billion websites, according to Internet Live Stats’ counter. Add to that billions of social media accounts and it becomes clear that threat actors have many places to hide.

The Dallas Morning News quotes Eric Jackson, the former chief of the Dallas FBI, saying that “it’s necessary for law enforcement to study extremists and learn the goals of the groups, their tactics, their use of social media platforms, the language they use to communicate, their use of props, such as their clothing, tattoos, graffiti.”

In addition, threat actors, including those associated with extremist groups, will attempt to anonymize themselves. They might employ one or multiple fake social media profiles, using email addresses from service providers that don’t verify a person’s identity. In doing so, they will use an online “handle” rather than their actual name. The more sophisticated extremists will use the dark web’s higher level of anonymity, adding another degree of difficulty to data collection and evidence gathering.

Another law enforcement challenge: respecting protected speech while investigating threat actors who could endanger lives, destroy property, or obstruct government administration. Speech might be offensive, but it doesn’t always rise to the level of a specific, imminent threat. Determining what is acceptable or what is a violation of the law can sometimes be challenging for officers.

Law enforcement agencies, however, can follow investigative practices and deploy technologies that address the obstacles of an online investigation. Those assets can help your organization uncover the threats extremist groups and individuals pose within your jurisdiction.

OSINT, or open-source intelligence, is an important tool law enforcement agencies can use to guide an investigation. OSINT encompasses a wealth of publicly available information, from traditional print publications to today’s vast array of digital media outlets.

A skilled investigator can gather a multitude of leads through OSINT. Searching the surface web can yield phone numbers, social media handles and IP addresses that can help resolve the identity of threat actors. Scanning the surface web can help launch an inquiry and, in some cases, might be all you need to snuff out a threat.

The open web, however, has its limitations. The surface websites Google indexes amount to perhaps 4% to 5% of all websites. So, investigators need different tools when pursuing threat actors who have learned to anonymize themselves across the deep and dark webs. As it happens, extremist groups have become increasingly adept at concealing their activity and adopting operational security practices.

At this point, investigators need to couple OSINT with a web intelligence (WEBINT) tool. Automated WEBINT can execute searches that not only cover the surface web but also probe the deep and dark web layers. WEBINT, ideally, should be deployed in conjunction with artificial intelligence (AI). With AI, agencies can create custom search parameters – an extremist group’s hashtag or catchphrase plus the name of your local jurisdiction, for instance – to conduct a comprehensive inquiry.

AI provides another benefit: The ability to quickly process and make actionable the enormous amounts of data a WEBINT sweep might uncover. AI-powered WEBINT can sift through terabytes of data to zero in on the pieces of information relevant to the investigation. AI also enables investigators to find correlations among the various bits of data collected, which can move a law enforcement agency closer to uncovering an extremist group’s violent plans.

Importantly, automated WEBINT and AI enable law enforcement to scour data and make connections much faster than relying entirely on manual processes and human talent. Time is a precious commodity in any police investigation. Automated, intelligent tools, when properly applied, can help you rapidly identify threat actors and, when it’s time to build a case, direct you toward the data to preserve as evidence.

Conducting an investigation

Online investigations of extremist groups, or any type of threat actor for that matter, call for careful planning and execution. Here are five recommendations:

1. Understand the legal and regulatory environment: Existing regulations such as 28 CFR Part 23, Criminal Intelligence Systems Operating Policies, provide the legal framework for conducting online investigations. For example, 28 CFR Part 23, which applies to any law enforcement agency accepting federal funding, establishes “reasonable suspicion” as the standard for collecting and maintaining intelligence data on an individual. This regulation also requires a law enforcement agency’s investigative unit to protect the data it collects to ensure it isn’t modified or accessed without authorization.

Agencies would also do well to keep tabs on regulatory trends. The European Union’s General Data Protection Regulation (GDPR) includes consent requirements that affect data collection. In the U.S., some states are moving in a similar direction. The California Consumer Privacy Act went into effect in January 2020 and privacy legislation is pending elsewhere.

2. Develop a policy: Every law enforcement agency planning to conduct online investigations should develop a policy that reflects the relevant regulations and legal standards. Investigators need to know the specific dos and don’ts of conducting an investigation and handling data. Agencies that fail to have a policy open themselves to civil litigation.

3. Be prepared for blowback: Law enforcement agencies investigating extremist groups risk retaliation if their activities become known. The recent BlueLeaks data leak, which targeted police departments and fusion centers, demonstrates law enforcement’s vulnerability. Operational security is a must.

4. Know what to look for: Agencies need to know what to look for with regard to extremist groups. That knowledge must include the lingo a specific organization uses. Catchphrases, slang terms and abbreviations can all provide keywords that you can apply to your searches. Bear in mind that some of the keywords may be numerically encoded – the first letter of each word in a phrase is assigned the number corresponding to its position in the alphabet.

5. Take advantage of technology: You’ll likely end up with a data deluge while running an online investigation. All that data will do you little good if you lack the technology for processing it. Manual approaches could well take weeks, but AI-enabled automation can get the job done in a matter of hours.
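The numeric encoding described in recommendation 4, combined with the keyword-plus-jurisdiction search described earlier, can be sketched in a few lines of Python. This is an added example, not code from the author or from any WEBINT product; the phrase, place name, posts and function names are all constructed for illustration.

```python
import re

def initial_numbers(phrase):
    """Alphabet positions (A=1 ... Z=26) of each word's first letter."""
    return [ord(w[0].upper()) - 64 for w in phrase.split()
            if w[0].isascii() and w[0].isalpha()]

def code_pattern(phrase):
    """Regex for the numeric form, run together or split by space, -, / or ."""
    body = r"[\s\-/.]?".join(str(n) for n in initial_numbers(phrase))
    # Digit guards stop 5714 from matching inside a longer number such as 157140.
    return re.compile(r"(?<!\d)" + body + r"(?!\d)")

def find_hits(posts, phrases, place):
    """Return (post_id, phrase, matched_text) for posts that name the place
    and contain a watched phrase either spelled out or numerically encoded."""
    place_re = re.compile(r"\b" + re.escape(place) + r"\b", re.I)
    hits = []
    for post_id, text in posts:
        if not place_re.search(text):
            continue
        for phrase in phrases:
            match = (re.search(re.escape(phrase), text, re.I)
                     or code_pattern(phrase).search(text))
            if match:
                hits.append((post_id, phrase, match.group(0)))
    return hits

# Constructed sample data: a made-up phrase, place name and posts.
PHRASES = ["Example Group Name"]  # initials E, G, N -> 5, 7, 14
POSTS = [
    (1, "5/7/14 meets Saturday in Springfield"),
    (2, "order #157140 shipped to Springfield"),
    (3, "5714 rally this weekend"),
    (4, "example group name is coming to springfield"),
]

if __name__ == "__main__":
    for hit in find_hits(POSTS, PHRASES, "Springfield"):
        print(hit)
```

Short numeric codes collide with dates, prices and order numbers, so pairing them with a jurisdiction name, as above, is what keeps the result set reviewable.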

Keep learning

Keeping tabs on extremist groups calls for a mix of human intuition, research and technology tools. But an overarching consideration is the need for ongoing learning. Extremist groups can readily change their preferred online platforms, keywords differ from group to group and week to week, and new laws and regulations can complicate matters.

You’ll need to continuously self-educate to operate in this fluid and dynamic environment.


About the author

Johnmichael O’Hare is the sales and business development director of Cobwebs Technologies. He is the former Commander of the Vice, Intelligence and Narcotics Division for the Hartford (Connecticut) Police Department. Contact him on