4 key OSINT tactics for monitoring extremists online

With America facing a growing number of extremist threats, effective police online surveillance using open-source intelligence sources can foil attacks and save lives


The Department of Homeland Security offers a troubling assessment of the terrorist threat landscape.

The agency’s June 2022 National Terrorist Advisory Bulletin pointed to a “more dynamic” environment with prospects for violence against targets including public gatherings, faith-based organizations, schools, government offices and critical infrastructure. The bulletin cites threat actors’ recent mobilization and points to the potential for domestic violent extremists (DVEs) to ramp up their calls for violence amid the U.S. mid-term election cycle.

Unfortunately, the world wide web is proving to be an especially useful recruitment, meeting and planning tool for DVEs, whether through fringe chat groups or obscure sites on the dark web. Worse yet, those threat actors can use the internet to reinforce each other’s hate-based beliefs, while hiding their identities, locations and activities. This is a real problem for public safety in general, and police in particular, especially because DVEs can build alliances regionally, nationally and globally at virtually no cost on a plethora of online platforms.

Law enforcement agencies need to identify and monitor domestic violent extremists who are likely to act on their violent impulses.
To combat these domestic terrorist threats, while protecting Americans’ right to free speech and protest, law enforcement agencies need to identify and monitor DVEs who are likely to act on their violent impulses. Fortunately, 90%-95% of the information being exchanged between these hostile actors is considered open source, which is publicly available but primarily located below the surface web on the deep and dark web. In other words, investigators can track threat actors and their hostile intentions once they know how to find them online.

To do so, law enforcement organizations must effectively collect and analyze a staggering amount of online information. Open-source intelligence (OSINT) tools and techniques, however, can help agencies sift through huge volumes of often unindexed data, to uncover patterns and connections, and alert agencies to threat actors requiring closer attention.

Here are four key OSINT tactics that can help investigators crack down on and prevent domestic attacks.

1. Cast a wide and deep net

Law enforcement agencies must cast a wide and deep net to monitor extremists. The reason? The web is a multi-layered, vast ecosystem of forums, chat groups, marketplaces and other areas where threat actors gather to offer each other encouragement, share information on methods and tactics, and coordinate activities.

Most of the information crucial to an investigation is likely to be hidden on the deep and dark web, beneath the surface layer of popularly used internet sites. Dark web sites are not indexed by conventional search engines, which means investigators must use specialized browsers to access otherwise hidden data. Agencies that limit themselves to a narrow scanning of surface websites have no chance of obtaining a comprehensive picture of threat actors, their associates, and their plans.

While human intuition and skill remain of paramount importance, artificial intelligence (AI) can augment the tradecraft of experienced investigators. AI-enabled tools can scour websites and social platforms to identify and collect a host of textual and graphical data: keywords, phrases, quotes from manifestos, logos, pictures, memes, and videos – all of which can help bring to light threat actors and emerging threats.

Technology lets law enforcement agencies deploy online dragnets efficiently, economically and without having to hire lots of additional human experts.

2. Look for the important piece of hay in the haystack

The conventional needle-in-the-haystack metaphor, in common use for centuries, doesn’t quite fit the modern world of online investigations.

Indeed, when looking through publicly available data to identify serious threats to domestic security, an officer needs to search for the important piece of hay in the haystack, rather than an alien outlier – the idiomatic needle. That’s because today’s DVEs are members of the public and look the same as everyone else – one wisp of hay among many.

A threat actor at the heart of efforts to whip up hate among a group of online followers may not readily stand out. But law enforcement agencies must find that person, nevertheless. The objective for investigators is to pick up the telling pieces of data that can lead to an identification. An image of a person of interest, an object they are associated with such as a car and its license plate, or a video that shows the person standing with other people known to investigators – those elements can establish an identity.

Once one or more DVEs have been identified, the investigator needs to start mapping out their direct and indirect connections. This is where the wide and deep investigative net comes into play. Investigators, ideally, should be able to determine the role and function of each connection to create a complete view of the DVE network and its components. Because this can be a confusing, complicated task, it is helpful to map out these connections on paper, or digitally for more complex cases, to provide a richer picture that’s easier to understand and analyze. Think of it as the stereotypical bulletin board with photos and strings – the stuff of many police procedural TV shows.

3. Operate in online stealth mode

When monitoring DVEs and potential terrorist threats online, it is vital for an investigator to operate in stealth mode with absolute anonymity and security to completely shield their actual identity. This applies whether law enforcement is just sifting through online DVE content, collecting case-sensitive and specific data, or interacting in undercover mode with hostile players over the web. If investigators let their guard down and reveal who they are, they run the risk of the extremist threat actors shutting down their operation and moving on. In truly serious instances, investigators could also put themselves and their loved ones in danger.

At the same time, while working in stealth mode, investigators must conduct themselves within the limits of the law and the rules governing undercover work. This is important because they must ensure the intelligence they gather can be used to conduct further investigations – whether it's search warrants, some type of interdiction against key DVE(s), and/or the collection of evidence to identify other individuals or groups that are actively plotting, planning, recruiting, financing and promoting a criminal terrorist ideology.

This is a balancing act, to be sure, but it is part of the reality of modern police work. DVEs are a growing threat to public safety and security, and they are doing their planning and attack coordination in cyberspace. Law enforcement must respond to this fact using the same stealth skills that they have brought to undercover work for decades.

4. Adopt a hunter approach

As soon as an OSINT investigation identifies a viable DVE threat, it is essential for law enforcement investigators to adopt a hunter approach to unmasking and foiling this threat. This method involves adopting an active, vigilant and relentless attitude to learning everything that can be known about one or more DVEs and their plans. Yet at the same time, the hunter must ensure that their pursuit does not violate the rights of free speech and protest in America. Again, this is a difficult but necessary balancing act.

Remember, the fundamental objective of policing is prevention first. So, if a department/agency wants to develop a prevention culture with respect to domestic terrorism, it must have hunters on staff who are aggressive at developing evidence, finding and tracking people in networks, and identifying the recruiting, financing, supporting, planning and everything else associated with the execution of violence. But again, it must be remembered that it is not illegal to think a violent thought, but it is illegal to act upon it.

The four tactics outlined above make it possible for law enforcement to get the most out of their OSINT investigations. Executed properly, these tactics have been proven to help police detect, monitor and foil DVE-driven attacks.

The challenge for law enforcement agencies is to pull together investigative methods, tools and cultural structures to zero in on threat actors in a timely and efficient manner. Those approaches can be supported through AI-based web intelligence, which lets investigators cast their net wide and deep and then rapidly and accurately sift through massive amounts of data collected from online sources and social platforms. That way they can find the one strand of hay that will generate the momentum needed to drive the investigation. The correct data, found in time, will generate actionable intelligence to thwart impending attacks, obtain arrest warrants and present evidence for prosecuting DVE groups and individuals.

Although technology bolsters these tactics, it is the combination of automated tools and human investigators that makes the difference in identifying threat actors and defusing the potential for violence.

Copyright © 2022 Police1. All rights reserved.