Stopping an Active Shooter with OSINT: How Publicly Available Information Becomes Actionable Intelligence
Open-source intelligence (OSINT) remains a relatively misunderstood craft, but for years the practice of collecting and analyzing publicly available information (PAI) has played a role in law enforcement and corporate investigations. Whether as part of proactive security efforts, or to support the investigation of a crime that has already happened, there is no doubt that transforming publicly available information into actionable OSINT is both a valuable resource and a demanding process.
Many factors need to be considered to both generate and leverage valuable OSINT, such as where and how the initial data was gathered to ensure it was ethical and relevant, and how it can be normalized into useful formats for effective analysis. Humans must then interpret that data and verify it, followed by determining if something is a high-risk threat and what actions need to be taken in response.
A few years ago, ShadowDragon put this process to the test when a client faced an urgent physical safety threat. As a result of deploying best practices and the right technology and analyst team, no one was hurt. The outcome of this use case is a blueprint that other companies could learn from if ever faced with a similar threat.
The Challenge
ShadowDragon received a call from one of our clients, a global financial technology company that operates online payment systems, sharing that it had detected an active shooter threat via ShadowDragon’s online public data monitoring tool: OIMonitor.
OIMonitor can monitor publicly available data sources and allows users to configure keywords in any language, providing alerts associated with the defined terms. The financial technology company had been actively monitoring publicly available information for potential threats of violence against its corporate offices and executives for some time to identify and mitigate any threats that may present physical harm to its employees.
As a result of deploying best practices and the right technology and analyst team, no one was hurt.
That particular day, the search keywords the company was monitoring alerted it to an individual online who had made a threat to carry out an active shooter attack against its offices. After the threat was detected, the client’s security team moved into the verification stage of the investigative process. This included identifying who posted the threat, determining if it was a credible threat, and where the individual was physically located to understand the probability of an active shooter situation happening.
The team used ShadowDragon’s SocialNet tool to complete this process. SocialNet enables investigators to map out online identities, and the connections between those identities, within minutes. Investigators can then follow the breadcrumbs of their target’s digital life to discover hidden correlations within their research.
This verification process ultimately addressed many of the questions you or I would have had in this situation about the threat’s who, where, what, why, when, and how. So, could investigators find more publicly available information to verify and answer these time sensitive questions in that moment? Thankfully, the answer was yes.
The Solution
The company was able to use SocialNet to verify most of the information needed to deem the individual who made the post a legitimate threat and confirm that the threatened acts of violence were probable.
The speed of an investigator’s work can quite literally mean life or death.
To determine if a threat is probable, the investigator needs to evaluate the threat, obtain information about the poster, and analyze if the poster is frequently making threats or if the account is new or old. In this case, SocialNet was heavily utilized to determine the poster’s capabilities, intent, and probability of following through on the threat.
SocialNet is designed to help investigators automate the manual efforts of researching a specific target’s social media aliases and personal identities online. In a situation where someone has made a threat of violence in a public forum, the speed of an investigator’s work can quite literally mean life or death.
With the information gleaned quickly through SocialNet about the poster in the verifying phase, the company had an actionable document that showed what the actor had posted and who the actor was, but it still needed to identify where the threat was located. Its next course of action was to involve law enforcement to ascertain the exact physical location of the bad actor.
The customer had already created online identities that could be used to communicate with the threat actor. They used these to casually discuss topics, via direct messages, with the perpetrator, and then deploy the ShadowDragon attribution application case system (now end-of-life). This tool, called Spotter and no longer available, enabled the customer to create a specialized tracking link for the suspect and passively collect information that the suspect interacted with.
For instance, the client could pass the individual a link to cnn.com in a conversation, and it would route that link through the ShadowDragon system to display cnn.com to the target. Essential information could then be gleaned from the known threat actor through this process, such as the individual’s IP address.
The IP address acquired matched a netblock owned by a local hotel, which was located near the targeted company’s corporate headquarters. Within 12 hours, law enforcement was given the dossier that the client had documented through the use of SocialNet, online data sources, the original threatening post, and the hotel's address. Hotel employees verified the suspect had rented a room and was in the building. Law enforcement then identified and arrested the suspect, while also uncovering weapons that would have been used in the attack.
The Results
This example of turning PAI into OSINT makes it clear that practice, planning, and sticking to an incident response plan—while thinking on your toes—is critical in the investigative process.
Analytical rigor and existing relationships with law enforcement ultimately enabled the client to respond to this threat within 12 hours and stop the threat before it was launched. While most threats made online don't manifest in the physical world, some do.
We learned from this situation that investigative tools built to augment the heavy manual lifting of analysts and investigators can make a significant difference in protecting communities from real, active threats. A good team and an organized plan are also key elements to ensuring that once publicly available information unveils a potential threat, the correct process is taken to transform the information into intelligence that can be actioned on.
We all know there is always a large signal-to-noise ratio; in other words, not all publicly available information has value or specific meaning to an investigator. Still, a repeatable process can be followed to detect, respond to, and protect many different problem sets for threats against corporations, the government, or other use cases.
Daniel Clemens is the founder and CEO of ShadowDragon, a leader in ethical open-source intelligence (OSINT), unique datasets, and investigative training. Clemens has dedicated his career to solving complex crimes that leverage technology and the Internet. His decades of experience include aiding in extensive research and offensive action against emerging threats, creating scalable curriculum for long term investigations, and offering insights to uncover clues for anti-human trafficking organizations globally.
© ShadowDragon