Proactive Security: Using Behavioral Indicators and Attackers Modus Operandi to Prevent Threats

Mar 08, 2023

In 2004, the United States Marine Corps introduced the "Combat Hunter program" in response to the guerrilla warfare in Iraq and Afghanistan. The program was designed to train military personnel to recognize suspicious behavior and identify potential threats in a non-urban environment. Later, the program was implemented in other branches of the US military and in law enforcement agencies, such as the FBI and local police departments.

In 2006, Israel introduced a new method of security called "Proactive Security", which incorporated many elements of the Combat Hunter system. Proactive Security is a method of observing people's behavior to identify potential threats before they occur. By using behavioral indicators and Attackers Modus Operandi (AMO), an early stage of an attack can be identified, and proactive action can be taken to prevent further damage.

In Proactive Security, everything starts with a thorough risk assessment. This means that all potential threats are analyzed and evaluated. Subsequently, a behavioral analysis of the local population is conducted, and a "baseline" of normal behavior is established. The reason why this baseline needs to be re-established every time is that every group or trend has a different definition of what normal behavior is. For instance, when I moved to a neighborhood in my youth, where the diversity of different ethnic groups was more significant, I had to get used to the way the people of the Dutch Antilles would communicate. It always seemed very aggressive to me; they were always shouting with a lot of gestures, until I realized that this was their way of communicating. From my perspective, this was abnormal behavior, but within their own social group, it is normal communication.

Now, based on the collected data, behavioral indicators can be established, and behavior that may indicate a potential threat can be easily flagged. Think of behavior such as nervousness or aggression; abnormal movements or new friends can also be a red flag.

AMOs are also used to gain insight into what an attack might look like. This includes, among other things, the choice of targets and the tactics and methods used, but also an assessment of the weapons or access to other possible tools that may be available. By having this knowledge, an organization can proactively defend itself and react to attacks at an early stage or even perform a preemptive strike.

One of the main principles of Proactive Security is that "actions speak louder than words." People's behavior can often provide more information than what they say. To get an idea of the possible planning, we look at three markers: Planning, Preparation, and Pre-contact cues. The ultimate objective, of course, is to prevent an attack from taking place. The planning stage is where the potential perpetrator collects data. This can be done through internet surfing behavior but also library visits, archives, interviews, or physical espionage techniques. When a plan is made, a preparation period follows, and nowadays, the internet plays a significant role in this process. Criminals are increasingly seeking alternative ways to avoid detection. In the last phase, potential pre-contact cues are examined. These are small signs that indicate a person's malevolent intent. Gavin de Becker's book "The Gift of Fear" describes "the universal code of violence," which predicts the likelihood of violence. One of the factors that make an attack more or less likely is whether the attacker wonders, "Can I get away with it?" By this, he means: are there people or other factors nearby that could cause trouble if he were to attack this person? For example, just before a fight, it is common to see an attacker look around to assess their surroundings and position themselves to launch an effective attack. This is a classic example of a pre-contact cue.

In a world where threats are becoming more sophisticated, it is vital to understand how to defend against an attack. Proactive security can help organizations identify threats before they occur, and AI can be a valuable tool in analyzing behavioral indicators and identifying potentially suspicious behavior. AI can also help collect and analyze data from various sources to identify potential threats. There are several examples of AI software used to detect patterns and identify potentially dangerous situations. For instance, Pegasus uses machine learning algorithms to analyze vast amounts of data and identify patterns and trends that could indicate a potential threat. Another example is Dataminr's technology, which analyzes social media to detect breaking news and potential threats.

As technology continues to develop, and more data becomes available for analysis, the use of AI in security will likely increase. However, it is essential to recognize the potential drawbacks and risks of using AI. For instance, it can lead to privacy issues and errors in data analysis. Therefore, it is crucial to establish clear rules and guidelines for using these technologies. Limiting the type of data that can be collected and processed, providing transparency about the algorithms used, and establishing rules for using the results are some critical steps. Additionally, we must be aware of the potential consequences of using these technologies and remain critical of their application. It is crucial to recognize that technology can never replace human expertise and judgment.

My biggest fear is that transparency is easy to maintain when most people do not truly understand what they are looking at. Just like with a calculator, I can input a number and care little about how the device arrived at its answer because I cannot do the calculation in my head. Even if I have a vague idea of what the answer should be, this becomes increasingly challenging for complex analyses. During my analysis of my grandfather using ChatGPT for my father's memoirs, it suggested that my grandfather was a resistance hero during World War II and was held by the Germans for some time. However, it turned out to be about a cousin of my grandfather, and despite providing support to people in need, he probably did not actively participate in the resistance. In short, it is easy to mix up data, and if we then have a less critical and less active controlling authority, I fear that we will face a Minority Report-style future where people can be imprisoned based on behavioral models without a chance of acquittal.

I hope that we are wise enough not to disregard human "common sense" so quickly.
