
Executive Protection Notes - "How to Look for Trouble"


Introduction

“Becoming a seasoned PI [protective intelligence] practitioner takes years and a lot of practical experience, but almost anyone can take the basic principles of protective intelligence and employ them effectively to spot suspicious behavior. One of the grand secrets we want to share is that when it comes to terrorist and criminal trade craft, the bad guys are not really as good as the public is led to believe. They are often awkward and make mistakes. One of the big factors that allow them to succeed is that nobody is looking for them. When they are ‘watched back,’ the likelihood of their mission succeeding is dramatically reduced...

By understanding how attacks are conducted – i.e., the exact steps and actions required for a successful attack – measures can then be taken to proactively identify early indicators that planning for an attack is underway. Even before it is known who is involved in the activity, the fact that someone is undertaking such efforts can be identified.”

-STRATFOR


TEDD Principles (Watching the Watchers)

Stratfor states that poor surveillance tradecraft is the “Achilles’ heel” of criminals.

“What does ‘bad’ surveillance look like? The US government uses the acronym TEDD to illustrate the principles one can use to identify surveillance. A person who sees someone repeatedly over TIME, in different ENVIRONMENTS, over DISTANCE, or who displays poor DEMEANOR, can assume he or she is under surveillance.”

Poor demeanor is defined as that which looks suspicious or unnatural. A surveillant looks “out of place” when wearing attire that is not consistent with the environment, or when performing a task that is not consistent with their cover story. Other examples include the surveillant avoiding eye contact with the target, moving when the target moves, avoiding security personnel, making sudden turns and stops, bad body language, etc.

Anyone who violates any of the TEDD principles is potentially an adversary conducting pre-operational surveillance.


Proper State of Mind

Situational awareness is the process of recognizing a threat at an early stage and taking measures to avoid it. The first step in being aware is for one to acknowledge that threats exist.

“Situational awareness, then, is best practiced at a balanced level referred to as ‘relaxed awareness,’ a state of mind that can be maintained indefinitely without all the stress associated with being on constant alert.” When one is in a state of relaxed awareness, it is far easier to transition into an alert state and spring to action (in contrast to being in a complacent state).


Surveillance: Goals

Establishing patterns → Determining the target’s vulnerabilities → Noting weaknesses → Identifying potential attack methods

Establishing patterns - This goal in particular requires the surveillants to conduct their surveillance several times, and at different times of day, thus making them more vulnerable to detection.

Ask - What are the differences in what the surveillant looks for when the target is a building/place/event, rather than a person?

Person - “When the target is a person, perhaps targeted for assassination or kidnapping, surveillants will look for patterns of behavior such as the time the target leaves for work, the transportation method, and the route taken.”

Place - “For fixed targets such as buildings, the surveillance will be used to determine physical security measures as well as patterns of behavior within the guard force, if guards are employed. For example, the surveillance will look not only for fences, gates, locks, and alarms but also for times when fewer guards are present or when the guards are about to come on or off their shifts.”


Countersurveillance Secrets

Stratfor defines countersurveillance as “the process of detecting and mitigating hostile surveillance.”

“An effective CS program depends on knowing two ‘secrets’: first, hostile surveillance is vulnerable to detection because those performing it are not always as sophisticated in their tradecraft as commonly perceived; and second, hostile surveillance can be manipulated and the operatives forced into making errors that will reveal their presence.”


Countersurveillance Secrets Cont.

Secret 1: Hostile surveillance is vulnerable to detection for several reasons. (1) In order to surveil the target adequately, the adversary will need to be within viewing distance of the target, thus giving the target’s security assets an opportunity to detect them. The longer the surveillance persists, the greater the chance of detection. (2) High-quality surveillance requires significant resources, manpower, and proper training. Most criminals are lacking in these areas, thus making them vulnerable. The lack of manpower is especially troublesome for the surveillants because fewer people translates into a greater likelihood that the target will see the same person multiple times, violating TEDD principles.


Countersurveillance Secrets Cont.

Secret 2: Hostile surveillance can be manipulated and forced to show itself by the use of various techniques. These techniques include the following: stair-stepping, varying routes/departure times, using intrusion points, and timing stops.


Countersurveillance Techniques

The channel - “a long, straight corridor that has several exits or routes at the far end.” Example: The target of surveillance can use a channel to force the surveillant to follow closely behind because the surveillant cannot parallel the target’s route, and they can’t know which way the target will travel at the end of the channel.

Stair-stepping - “making turns in a vehicle or on foot that deviate slightly from the most direct route to the destination.” As the target conducts a stair-step sequence, the surveillant is likely to reveal himself by following the target through the series of turns.

Varying Routes/Departure Times - This can catch the surveillants off guard, thus forcing them into action abruptly or it can cause the surveillants to remain in place longer (thus drawing attention to themselves).


Protective Intelligence

“PI is the process used to identify and assess threats.”

The primary components of a PI program are countersurveillance, investigations, and analysis. Countersurveillance acts as the eyes and ears of the PI program, seeking to detect surveillants in their pre-operational phase.

The investigative and analytical components serve several purposes:

1. Enable the countersurveillance arm to focus their efforts on the most vulnerable and highest risk targets

2. Database and analyze observations of the countersurveillance team

3. Interpret events, identify, and track people of interest

4. Database and analyze communications from mentally disturbed individuals


Red Teaming

One function of the PI process is “Red Teaming.” Red teaming is the process of viewing the security program from the point of view of the adversary. For example, this perspective can be used to determine when the principal is most vulnerable to attack (time, location, route, etc.), and that information can then be used to strengthen areas where security measures are lacking.

Red teaming functions can be categorized into two parts: research and physical.

Part of red teaming is conducting what Stratfor refers to as “cyberstalker research.” This is a process of conducting a detailed survey of all sensitive information about the target that can be gathered via open sources (publicly available) online. By conducting this research, the security program can identify information that can potentially be used by an adversary to carry out an attack against the target. In the case that a target has sensitive information about him or her online, the best course of action is to have it removed, or to have it changed to information that will mislead a potential attacker (a disinformation campaign).

The part of red teaming that most people are familiar with is physical red teaming. That is, physically testing security measures by attempting to gain access to a facility or to physically conduct surveillance on the target. The purpose here is to test the effectiveness of the security program, then correct deficiencies so that when the real thing happens, the security team reacts properly.


Mexico – Examining the Cartel War Through a Protective Lens

After reviewing attacks on public figures by cartel members in Mexico, Stratfor has identified common characteristics of the attacks.

All four police officials were killed in close proximity to their homes, during arrival/departure.

These are common themes in executive protection, reiterated by R.L. Oatman and Gavin De Becker – The area around the principal’s vehicle during arrival/departure and predictable locations such as work and home, are high-risk areas. The adversary identifies these as advantageous attack sites because they are time and place predictable.


The Labastida Killing: Tactical Implications

Labastida Calderon was a commander of the traffic and contraband division in Mexico’s Federal Preventative Police. He was killed while eating lunch at a restaurant in Mexico City. At the time of the attack he was accompanied by his bodyguard (also killed) and several police agents. Below are implications drawn from the attacks:

1. Attackers cannot be permitted free rein to do surveillance.

2. Personal information of potential targets, such as schedules, must be guarded carefully.

3. If there are protective agents, the attackers will neutralize them first.

4. Observation skills and attack recognition are critical.

5. VIPs need to take responsibility in their own protection by varying times, routes, and locations.


Final Thoughts

“How to Look for Trouble” should be required reading for executive protection professionals. It highlights important themes in protection, and it gives the protective specialist tools to better scan for threats. Most importantly, it restates that protective specialists need to focus their efforts proactively (searching for hostile surveillance), rather than reacting after the attack has taken place.

Let me know what you thought of this note by contacting me at [email protected]
