How To Use Open Source Intelligence For Executive Protection

For years, companies have been using online data to protect their organizations against cyber compromise. But can open source intelligence (OSINT) be used to support other enterprise functions like brand and executive protection?

The short answer is yes. News, social media, the dark web, and other public online data sources host a variety of risk indicators—from damaging pre-viral content to physical violence planning. Without easy access to this information, organizations are more likely to overlook risks, causing lasting reputation damage and harm to executives and other assets.

With the right web monitoring tools, enterprises can make faster, more informed decisions in response to risks impacting brand reputation and executive safety.

Web monitoring has become more important for executive and brand protection since early 2020. According to a survey by Infinite Global, almost half of non-executive directors significantly increased their reputation management efforts since the onset of COVID-19. Other evolving risk factors, like disease transmission, cyber compromise, and social unrest means that executive protection teams also need to reconsider their information-sourcing strategy in the post-pandemic world.

What is web monitoring, and how do effective web monitoring tools support brand and executive protection?

What is web monitoring?

Web monitoring is the aggregation and analysis of publicly available web content. This content is used by organizations to inform security response, risk management, or business and marketing strategies.

The timeliness and breadth of online information help security and brand management teams avoid information gaps and respond in real-time or near real-time to risk. A 2021 Forrester survey found that 82% of enterprise risk professionals believe real-time information is more crucial than ever. Web monitoring enables organizations to access accurate risk information that may be unavailable or slower on other sources.

Web monitoring is a broad term that covers all content types and uses. Other common terms under the umbrella of web monitoring include:

• Social media monitoring or social listening. This focuses on public social media chatter and is common for supporting marketing, PR, and physical security teams.
• Open-source intelligence (OSINT). OSINT is a data collection methodology for any publicly available sources, online or offline. In an online context, this includes social media content, public records, news, and unindexed websites, to name a few.
• Threat intelligence. According to Gartner, threat intelligence is “evidence-based knowledge… about an existing or emerging menace or hazard to assets.” The term is usually associated with cybersecurity, relying on online data inputs relevant for digital risk protection.

What does web monitoring look like for executive and brand protection teams? For some applications, web monitoring often means directly accessing raw content, like a social media post in its original form. Raw data analysis is valuable for threat detection and investigations. 

For example, the content of an individual post may be crucial for detecting and responding to an immediate risk like a bomb threat on an executive’s travel route and supporting a follow-up investigation.

But some brand reputation functions, like marketing, don’t need to interact directly with raw content. For them, web monitoring means accessing key trends and insights generated from a large set of incoming data. This could mean, for example, public sentiment towards a new product, or post volumes over time mentioning the product.

Applications for brand & executive protection: Brand reputation management

A 2020 survey on the state of corporate reputation found that global executives credit 63% of their company’s market value to its reputation. As more businesses and consumers embrace digital transformation, online spaces provide valuable data for guiding brand management decisions and detecting brand reputation risks before they escalate. When we talk about using online data for brand protection, what does this actually look like? 

• Brand-damaging content detection. When the media or the public take a negative stance on a product, service, or company action, they use public social media and news channels to voice their concerns. Web monitoring helps companies detect and respond to negative chatter, minimizing reputation damage before it goes viral. 
• Misinformation and counterfeiting detection. Amazon detected over 2M counterfeit goods in 2020—and according to Mimecast, brand impersonation attacks increased by almost 400% in the first half of that year. Brand impersonation and counterfeiting attempts are performed on mainstream social media, as well as covert sites like less-regulated social networks and marketplaces. 

An effective web monitoring strategy can scan a wide range of sources for these risks so brands can quickly find and address misleading content, brand impersonation, and counterfeits affecting their brand.

• Marketing and PR strategizing. News and social media content are valuable for evaluating public reactions and sentiment towards a brand’s products, services, and image. Web monitoring tools help aggregate sentiment and key analytics surrounding product launches and other public corporate activities so brand management teams can adapt their strategy.
• Crisis management. A company’s crisis response is the top factor in deciding its reputation, according to a 2020 survey by Weber Shandwick and KRC Research. As we’ve seen throughout the COVID-19 pandemic, real-time online information is crucial for informing risk response. For example, public social media content can detect misinformation and alert security teams to new outbreaks affecting supply chains, customers, and personnel. A more informed crisis response strategy helps retain the trust of stakeholders, employees, and customers, reinforcing a company’s reputation.

Executive protection

Executive threats come from all directions: from unforeseen physical risks to doxing and negative press. Public online content is often the earliest and most accurate source of executive threat data. And alongside traditional executive protection tools—like bodyguards and security cams—web monitoring is crucial for surfacing this information and reducing blind spots.

Web monitoring supports executive protection teams by:

• Identifying targeted hate and attack planning. According to CSIS data, domestic terror incidents peaked in 2020 and are occurring at a higher rate than the US has seen in decades. Executives are often targeted in online discussions by extremists opposed to the company’s values or actions—or simply because of an executive’s religious views or ethnicity. Less-regulated networks like alt-tech, chan sites, and anonymized forums are valuable for locating hate or harmful intent targeting VIPs.
• Detecting physical security threats. According to a 2021 report by Genetic, physical threats have been identified as a top priority for security teams as a result of COVID-19. Bystanders near a natural disaster, shooting, or another physical threat often document the event on social media in real-time. This information allows executive protection teams to respond to threats faster and improve situational awareness near critical locations—like an executive’s office, travel route, home, or event facility. 
• Assessing publicly available patterns of life. Public social media posts of a VIP’s pet, daily routine, or travel plans may seem harmless. But this information can be leveraged by threat actors to target executives—either to improve social engineering or to locate an executive. Executive protection teams can use web monitoring to assess an executive’s patterns of life and remove any vulnerable content.

Travel risk management

In 2019, a GBTA survey revealed that 46% of UK and US business travelers work for companies that lack transparent travel security policies. Organizations that still fall into this category are more likely to risk executive safety as travel resumes in an even more complex and unpredictable threat landscape.

Effective web monitoring gives travel risk management teams more timely, accurate data, helping organizations stay ahead of COVID-era travel risks. Web monitoring applications for travel risk management include addressing:

• Disease transmission and healthcare. Monitoring public social media activity illuminates foot traffic levels in specific areas without security personnel being physically present. This data also supports contact tracing and outbreak prediction, which can inform travel planning and risk response. 
• Travel logistics and disruptions. The pandemic has complicated Visas, border crossings, and other logistics. Localized news and media sources are valuable for accessing up-to-date information about travel restrictions abroad—especially if a last-minute detour is required. Since security teams may be unfamiliar with relevant news sources in other countries, web monitoring tools like Flashpoint are useful for aggregating and translating content from global sources.
• Unforeseen crises. Social media is often the earliest and most reliable source of location-based risk information as bystanders observe a crisis through their devices. This can provide early threat detection and reduce blind spots for security teams supporting vulnerable business travelers.
  
  Travel risk management teams also use social media content to assess public sentiment in target destinations so they can stay better prepared for social unrest or political instability. Monitoring mentions of relevant locations on covert sites like chan boards and alt-tech also help security teams predict violent planning and attacks.

Digital risk protection

Genetic’s 2021 EMEA Physical Security Report found that cybersecurity is a top priority in 2021 for almost 7 out of 10 physical security teams. Since the pandemic’s onset, cybercriminals have exploited public fear and domestic workforces to capitalize on social engineering strategies and vulnerable systems. 

Increased cyber risks are likely to persist even as the world returns to a “new normal.” Brand management functions need to stay vigilant in the event of a data breach, which can create costly long-term reputation damage. Executive protection teams must also consider increased cybersecurity risks to executives, who often carry the highest payoff for attackers.

A web monitoring strategy that covers fringe social networks and forums, paste sites, and dark web marketplaces helps executive and brand management teams:

• Find doxing indicators and other data leaks as early as possible. Doxing—which typically leaks location, contact, and financial data for VIPs—can compromise an executive’s digital and physical security. Content on doxing and paste sites alerts executive protection teams to targeted data leaks compromising high-profile individuals in their care. Brand protection teams can also use web monitoring software to scan unindexed forums, messaging apps, and marketplaces for new data leak indicators that could escalate into a PR disaster. 
• Get familiar with emerging adversary tactics. From social engineering to SIM jacking, cyberattack strategies are constantly evolving. By monitoring malicious hacking chatter on the deep and dark web, executive protection teams can stay up-to-date on emerging strategies and adapt their digital risk strategy accordingly.

Data discovery for threat intelligence

It is estimated that 90% of the world’s data has been created in the last two years alone. What that means for businesses is that they may be significantly more vulnerable to information breaches than ever before. Every new employee brings new risks to a company. As they grow, organizations become more susceptible to phishing scams or other information-related attacks.

In recent years, open-source data discovery has become a critical process for companies and their in-house security teams in order to mitigate these risks. Platforms like Flashpoint are used extensively for these purposes.

Flashpoint specializes in the gathering and aggregating of open-source online data for threat intelligence.

Examples of open-source data include:

• Public social media data
• Blogs
• News sources
• Public dark web data
• Online forums

By gathering and filtering information from these sources, companies can determine which information is crucial to know and act on it.

Dark web discovery

Flashpoint gives clients the ability to detect security issues surrounding their businesses, partners, employees, and locations. It does this by surfacing deep and dark web data that is otherwise difficult to sift through.

The dark web itself does not have a high barrier to access. A Tor browser is all that is needed to access these sites. Navigating the dark web, however, comes with a range of challenges.

Due to the nature of dark web content, most organizations do not allow their employees to use the Tor browser.

Dark web data is also unstructured and unindexed, making it incredibly difficult to find meaningful content. Black markets and illegal activity are rampant on dark websites, and disturbing information could be lurking around any corner.

Many organizations outsource these investigations to third-party agencies, which can be very expensive.

For these reasons, a safe, anonymous, in-house deep and dark web tool is a necessary investment for data exploration beyond the surface web.

Social media data discovery

When most people think about social media, their minds jump straight to morning cappuccinos and cat videos. However, social media is also full of critical information for threat intelligence.

When aggregated and organized, social media posts create a wealth of information about a given location, topic, or event. This data supports incident response, executive protection, retail loss prevention, and public safety.

Social media networks supply data that is indispensable for threat intelligence. However, searching these networks one by one is time-consuming. Today’s security teams need real-time data, aggregated from as many sources as possible to stay on top of critical threats.

For example, during the Rio Olympics in 2016, Flashpoint was used by a security team for executive protection. When the system detected a picture of a gun posted on social media along the exit route, the team deemed it as a significant threat. They were able to react and reroute the executive to a different exit airport.

The value of alternative data

Information from social media and darknet sources is increasingly important to observe for threat intelligence purposes. This type of data is very useful for discovering patterns and trends related to human behavior and our interaction with technology. It is also crucial for staying on top of any information leaked by employees or associates that could end up in the wrong hands.

These data sources can help security teams observe and qualify which entities within their organizations need to be better protected. Social media data sources and other web content add additional context to traditional security data. They provide information about when and where the content originated, as well as information about who is interacting with the content.

Data discovery tools and social listening platforms help companies understand patterns and trends in the world. These insights can guide organizations to optimize the safety and security of their information, their employees, their customers, and their brands.

Analyzing patterns and trends helps companies make better decisions. Flashpoint is helping these companies by providing them with faster access to information that is otherwise expensive and time-consuming to gather.

Flashpoint gathers public social media and dark web data which provides what is essentially an ‘information security safety net.’ Users can export the data to perform advanced analysis and derive more detailed information from the content. Accessing this data in one platform and reducing the need for the Tor network is critical for today’s security workflow.

How executive protection services are changing

Executive protection is a set of security measures intended to mitigate risk for people whose reputations, wealth, or positions require heightened personal security. When employees, spokespeople, and stakeholders are at an elevated personal risk, it is the role of the organization they represent to assess and manage that risk accordingly.

Executive protection services can range from a single physical security professional to an entire suite of high-tech risk assessment tools. 

In any business, your people are your most valuable assets, and the measures needed to protect them both on and offline are changing.

Cyber risks are ever-increasing

In the past, executive protection (EP) services mostly consisted of muscle, quick hands, and sharp eyes between the client and a threat. These days the strategies needed can be likened more to a game of chess than a game of rugby. Not only are executive protection services becoming more intelligence-driven, but also more internet-based.

As executives’ digital footprints increase online, so do the risks. As more and more risks are borne from the online world, a growing number of aspects of executive protection are being handled from behind a computer screen. The barrier between an individual’s professional and personal persona is blurred by corporate participation in online photo sharing and blogging. This leads to increased avenues for cyberstalking: delusions of grandeur and obsession from followers, and spear-phishing from cybercriminals.

Executives and high-profile individuals, like the rest of us, now carry a tremendous amount of high-value information about themselves and the organizations they represent in the palms of their hands.

Building smart threat intelligence

Traditional internet search engines like Google provide access to a wealth of potentially useful information and deliver alerts for threat intelligence. However, Google accesses only surface web data, so the results are limited.

Social media networks also supply data that is indispensable for threat intelligence, however searching these networks one by one is time-consuming. Today’s EP teams need to aggregate data in real-time from as many sources as possible to stay on top of critical threats.

No one platform offers a complete solution. The new executive protection strategy must involve monitoring multiple platforms and hundreds of aggregated sources simultaneously.

Importance of geofencing and geotagged data

When your executive is attending an event and there are security concerns about the route or facility, a location-based discovery tool is an indispensable resource. Location-based platforms like Flashpoint Physical Security Intelligence (PSI) provide the ability to draw a geofence around a modified route. Using Flashpoint PSI’s geofencing capability, your executive protection services team can map out the event’s route days in advance and establish a running search to monitor the route for potential trouble. 24/7 monitoring allows the team to attend to multiple other tasks feeling secure that the system will trigger a notification if anything concerning is posted online around the route or event.

Reducing blind spots for security services

Location-based tools like Flashpoint PSI provide executive protection services teams with real-time actionable intelligence and around-the-clock monitoring, enhancing their ability to detect and monitor potential threats to their clients and assets to a much greater extent than ever before. The range and scope of its search capabilities combine raw data from multiple sources with geographic data to ensure that the content is relevant to a specific geographical location or route. 

Amazon spends $1.6 million a year to protect its CEO, Jeff Bezos.

This might seem like a hefty security budget, but it’s a small price to pay considering the level of risk high-profile executives face today.

VIPs not only confront physical security risks at home and abroad, but are also highly targeted in their digital lives. Social media plays a large role in hosting executive-targeted attacks, and the C-suite is increasingly vulnerable to business email compromises (BECs), breaches, and other cyber threats.

Using online data is essential for securing executives, whether mitigating non-targeted threats along a travel route or dealing with a CEO’s personally identifiable information (PII) breach online. 

Knowing how and where to find this information can make a huge difference in how quickly a security team contains an active threat, and their ability to prevent future attacks.

How to protect executives with online data

1. Search social media

A quick Google search for an executive’s name gives security teams a lot of useful information: How high-profile are they? Are they received positively or negatively by the public, and how does this vary in different parts of the world?

However, Google only goes so far. Not all data relevant to an executive’s protection strategy is searchable in Google. A typical search engine limits a team’s ability to find specific data based on location, image, and key content indicators like violence, especially in other languages. Sourcing this information in situations where quick responses are necessary is nearly impossible with a tool like Google or Bing.

Open-source intelligence tools like Flashpoint enable security teams to aggregate public content across multiple providers and filter data relevant to their VIP’s security. This is extremely helpful, especially since public safety threats spread on social media faster than other outlets and even word of mouth. For example, security teams can search for geotagged posts along an executive’s travel route indicating crisis situations, and get alerts as soon as key content is published. This provides on-the-ground security with more context on the situation and re-routes the executive efficiently.

Finding executive protection data doesn’t always require mainstream social networks like Twitter. Less regulated social networks are populated with radicalized communities where executive threats can be more targeted and explicit. Security teams can use Flashpoint to find instances of an executive’s name across a variety of niche social networks in a violent or threatening context. 

Social media searches can also identify less critical threats, such as bad executive press. Aggregating this information can help organizations formulate a PR strategy or public response.

2. Search deep and dark web networks

Executives also face a constant barrage of cyber threats. Adversaries increasingly target executives, both to exploit their high net worth and broad data access. Threat actors are also realizing the value of security vulnerabilities typical to the C-suite.

For example, executives often rely on assistants to manage their emails and financial transactions. This means that threat actors don’t necessarily need to hard hack a company’s systems to steal data or an executive’s financial credentials—they just need to know how to convincingly impersonate an executive and request this data from the right people. This is known as a business email compromise (BEC), one of the most costly cyber attacks today according to the FBI.

Unindexed sites on the deep and dark web contain valuable evidence of BECs and other executive-targeted cyberthreats. These can include: 

• An executive’s personally identifiable information (PII). This data often appears on paste sites as a dox (a targeted PII breach as form of harassment). It’s also early evidence of a larger data breach affecting an entire organization. 

* PII breaches also give attackers the information they need to create convincing phishing emails. Executive doxxes often include PII for immediate family members, implicating their physical and digital security as well.

• Strategy discussions targeted at exploiting executives. Attackers often use anonymized websites on the deep and dark web to recruit or strategize executive-targeted phishing attacks, sextortion, and other harassment campaigns.
• Sale of an executive’s financial data. Dark web marketplaces are used for selling financial account information. Executive accounts are highly valued on these markets.

3. Monitor routines and digital footprints

Humans (executives included) are creatures of habit. Security teams should be well-informed about an executive’s digital and real-world routines. Do they always Tweet before heading to work in the morning? Or about the vacation they are about to take?

Individually, online posts may be harmless—but attackers are skilled at piecing together an individual’s online profile to exploit their identity. For example, an attacker could connect details about an executive’s life, and use that information in a phishing email to sound more convincing. Having a close awareness of an executive’s physical whereabouts also puts them physically more at risk.

Many social media users publicly post information that they don’t realize could be exploited by cybercriminals. Capturing the image of an ID card, the inside of a facility, or even a pet could be all an attacker needs to gain system access or answer a security question (e.g. what is your favorite pet’s name?). Security teams should keep tabs on what information executives and their family members are posting on social media and monitor that content for potential risks.

Neglecting online sources for executive threat data can have disastrous implications. BEC scams and other common executive-targeted threats can lead to large-scale data breaches. According to a 2019 IBM report, these breaches cost global organizations an average of USD $3.92 million, eroding public trust and company reputation along the way. Suddenly, Amazon’s security budget doesn’t seem so extravagant.

More physical security threats also involved some level of cyber activity, whether it’s dark web users planning a swatting attack at an executive’s residence—or a Twitter user posting about a bomb threat in the vicinity of a VIP’s travel route.

It’s no longer enough for corporate security to rely on Google, news feeds, and on-the-ground personnel exclusively for their executive protection strategy. Specialized threat intelligence tools are the future of corporate security—their executives, personnel, and global reputation depend on it.

Why are executives increasingly targeted by cybercriminals, and how are data discovery tools mitigating and preventing executive security risks?

Executive security strategies once prioritized physical safety — but keeping VIPs protected is also now an issue of equipping teams with advanced online data access.

As more executives attend public events and travel globally, this means aggregating public social media content to detect physical security risks in specific areas. Data discovery tools give security teams this information faster than manually searching networks, following news feeds, and even relying on on-the-ground personnel. 

Beyond physical security risks, the C-suite is also increasingly susceptible to cyberattacks as their digital footprints increase. Executive protection teams need information security tools that improve digital risk profiling, detect actionable cyber threats quickly, and establish preventative risk management strategies. 

Threat actors increasingly target executives

According to a Verizon report, executives became 12 times more likely to be targeted in online social incidents, and 9 times more likely to be targeted in a data breach between 2018-2019. But attackers aren’t necessarily getting better at hard hacking systems—they’re learning where to exploit human vulnerabilities. 

Executives have little time to assess suspicious content in their inboxes or stay up-to-date with current cyber risks and best practices. They often rely on assistants or other administrative staff, who are even less informed about digital risks, to handle their emails and financial transactions.

Cyber criminals know this and are taking advantage of it. Between 2016-2019, business email compromises (BEC) tripled in frequency and cost organizations USD $3 billion. BEC scammers impersonate executives via email, requesting internal staff to complete transactions leaving money or data in the attacker’s control. According to the FBI, this form of social engineering costs organizations more than any other type of fraud.

Executives tend to have access to more data and internal systems and a higher net worth than other personnel, making them valuable targets. As the Verizon report suggests, criminals are likely to continue increasing their efforts to access this payoff. In addition to BECs, some other threats include targeting executives with phishing emails, sextortion campaigns, SIM jacking, and selling their stolen financial data on the dark web.

Success stories: Protecting executives with online data

You might be wondering what data discovery for executive protection looks like in the real world. Here are a few examples of how Flashpoint PSI has leveraged corporate digital risk management and physical security strategies. Cases are anonymized to protect client identity.

Breached data

Doxxing is the act of breaching an individual’s personally identifiable information (PII) on the web for malicious purposes. CEOs and other high-level executives are often targeted as a form of online harassment or hacktivism. 

Doxxes are typically published on unindexed surface and dark websites like Pastebin and DeepPaste, and can include the individual’s home address, phone numbers, emails, SSN, social media handles, financial data, and family members’ PII. Doxxed information can be used to leverage other attack strategies, like BEC scams.

A large retailer used Flashpoint PSI to uncover threats targeting both executives and store locations. By searching for the organization’s name in combination with “dox” as keywords, the company’s security HQ was alerted to the following post:

This dox was targeted at one of the company’s HR Managers and included their home address, email, phone number, social media handles, and employer details for both the target and their immediate family members.

The company can use this information to notify affected individuals and take security precautions—such as requesting content removal on Pastebin, changing phone numbers, and protecting the target’s home and whereabouts with private security. They can also investigate where this information was obtained, and secure any vulnerable databases.

Social media threats

Social media is a valuable source of public information about potential executive threats. These can occur both on mainstream, moderated sources like Twitter, as well as more niche, unregulated networks. For example, a disgruntled former employee or anti-capitalist extremist could directly threaten an executive on these networks. Whether or not these threats are genuine, they must be taken seriously by security teams.

A multinational online retailer partnered with Flashpoint to monitor executive risks and event locations. Their security team saved and filtered searches within the Platform to find content indicating violent sentiment towards executive names. The organization was alerted to a CEO-targeted death threat posted online.

With this information, the team could assess other public content by this user to get more context on the situation, notify the CEO’s security detail, and take extra precautions to ensure their safety. If necessary, organizations can also involve law enforcement to investigate specific incidents.

Travel Risk Management

Organizations are investing in global business travel more than ever. Travel risk management is a growing industry, leveraging technology to keep executives and other personnel safe abroad. It’s no longer enough to develop effective response strategies—security teams must also monitor online data closely as events unfold and prevent executives from encountering threats. 

A security consultant firm used the Platform to reinforce a client’s travel risk management strategy. The firm was able to locate crisis-related content in Cairo, where the executive was traveling. The firm received a flood of notifications related to a fire and was able to verify its exact location using public geotagged Snapchat data before the event was reported on news feeds. On-the-ground staff was notified to avoid the area, and the executive safely continued with their plans.

Enterprise risk management teams are quickly evolving as executive attack surfaces increase. These cases highlight how executive protection services are responsible for monitoring both on-the-ground security and increased digital risks and breaches.

Executive security teams are better able to detect and de-escalate risks on both fronts with access to relevant data from social media networks and unindexed areas of the web. This information provides on-the-ground situational awareness wherever VIPs are located, as well as executive-targeted cyber attacks and other online threats.

Open-source intelligence platforms are crucial for gathering and filtering this information as the volume of online threat data increases. Executive protection teams can spend more time responding to real risks than sorting irrelevant data. Finding and containing actionable incidents is usually the priority for executive protection teams—threat assessment tools also keep security teams, executives, and other staff informed so they know what risks to expect and how to identify and prevent them on an organizational level.