Digital Executive Protection: Your Physical Security is Gone, Now What?

by | Mar 23, 2021 | Blog, Executive Shield

Executive protection teams face the unenviable job of triaging daily threat posts coming from many directions, including social media, phone calls, emails, and even in person. They must cull through this and determine what is valid and requires action, and what is just online bluster and should simply be monitored. When the threat is valid and concerning enough to take action, we often see a physical infrastructure initial response – such as security cameras, sensors, and other “hardening” steps at the company’s office location or employee’s home.

However, if the threat is serious enough, a physical protection team is normally assigned to the executive’s residence or facility where the threat activity is likely to occur. But what happens when the threat doesn’t materialize? What should be done when the physical protection team leaves?

That’s where the digital executive protection services take over and the good news is there is a lot that can be done.

Pattern of Life Analysis

People like to post online, and they like to post particularly when they are emotionally charged (often the trigger for a physical threat). Threat actors don’t always post on the popular social media platforms either; in fact, our investigations have found the trend is toward non-traditional platforms that aren’t as effective at monitoring or taking down inflammatory content.

Additionally, when actors post they leave a digital trail, and if you know where their digital playground is you can actually collect and monitor this. Sophisticated actors will know not to use real names or locations, but that’s where attribution comes into play. Attribution will link the actor’s real identity to an online persona and then monitoring techniques will collect and alert if there is any threatening rhetoric generated. Further, the digital trail might reveal geolocation information which could be the actor unknowingly revealing a location or leaving an IP address footprint on a website.

People also like to use their phones, and specifically the apps on their phones. Commercial mobile data data is another public information source that can help identify a threat actor’s patterns. This data could reveal several important information points for investigators. For example, an IP address could be matched to online activity or a general physical location, or a mobile device signature could reveal movement patterns over time.

None of these pieces of information are solutions in themselves, but together they form a seamless handoff from the physical to the digital world. Putting these pieces together allows for a digital investigator to continue executive protection monitoring and manage the intelligence for a threat actor as well as the victim.

Social Media Monitoring

The digital social world is now moving beyond the top four or five major platforms (this can certainly vary in non-US countries that might be just adopting these platforms on a national scale). The major social media platforms have invested resources in the content monitoring space and have relatively sophisticated cybersecurity teams. These teams can detect anomalous behavior (such as sock puppet creation) and inflammatory or violent rhetoric and remove it quickly. As a result, we see a lot of the threat actor violent content moving to non-traditional forums or social media platforms that are in a more nascent stage of self-regulation.

Additionally, threat actors will often gravitate to others of the same ideology which will also elicit more responses or views when they choose to operate on a ‘niche’ forum. Some types of these forums include far-left or far-right deep web forums, dark web doxxing sites (where actors even have lists of who’s information to target and release on the Internet), and a rising number of interest forums such as Silicon Valley tech, financial, or even disgruntled ex-employees (that pose real insider threat risks).

Most threat intelligence vendors will provide public content from the top four or five social media platforms and are only beginning to incorporate the non-traditional platforms. The reality is it requires tailored access to many of these platforms, it requires an authentic looking profile, and it requires research just to find where the threat actor of concern is even operating. For example, if a threat actor is publicly harassing or making accusations against an executive at a financial institution to influence the company’s stock, it might make sense to collect on a far-right or far-left forum, but the actor is much more likely to post or leave digital breadcrumbs on investment sites frequented by hedge fund investors or short sellers.

The Right Approach

Client protection teams should not feel helpless or out of options in the event a physical security team (or infrastructure) is handed off. There are very real options for enduring digital executive protection services that also won’t require the hefty costs a physical security team demands.
There is no one size fits all and digital executive protection requires a comprehensive set of approaches. These include tailored research, determining where the actor lives in the digital world and unmasking the true identity, collecting the digital content information, setting up meaningful alert mechanisms, and ensuring close communication with a Client’s security team.

Coordination is also key. Nothing substitutes the sense of security with a physical protective detail, and likewise nothing substitutes the direct on-the-ground potential for intelligence collection. However, threats often emerge quickly and have a tendency to stick around in the grey area of “do we need continued round the clock protection or not?”. The digital protection investigators have that ability to provide long-term monitoring options that can trigger the physical response when it is needed.

Critical factors for success in digital executive protection include attributing an actor’s online personas (without revealing it to the actor), watching for pattern of life indicators such as the threat actor conducting surveillance activities (even if direct physical access to the office or home doesn’t happen), collecting and analyzing post content for trigger words or photos, and recurring communication with the Client’s security or physical team. Gathering information over time on a threat actor (or network) also has the added benefit of potential legal or law enforcement mitigation actions.

Trust and security teams should not feel there is only one option when it comes to real threats against the employees they are charged with protecting. They also shouldn’t feel at the mercy of threat intelligence feeds that aren’t collecting the right and meaningful content they need to assess credible threats or an actor’s real location. The right approach is a tailored approach to digital executive protection that can maximize time and resources for security teams without having to rely on round the clock physical protection.

About Nisos

Nisos is the Managed Intelligence® company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For more information visit: email: | 703-382-8400