
TrapWire Interview Series Part 2 – Seeing the world through the eyes of a surveillant: TrapWire’s Red Team

April 28, 2023

Recap of TrapWire Interview Series Part 1 – Attack Planning: Left of Boom

In our previous interview, Mike spoke about Attack Planning: Left of Boom. He discussed how a criminal attack happens in 3 stages: left of boom, boom, and right of boom. The left of boom is the planning prior to a crime, the boom is the actual crime itself, and the right of boom is the investigation that follows the crime – when evidence needed to solve the case is gathered and we learn what could have been done to prevent the attack before it happened. In today’s interview, we will learn about TrapWire’s Red Team operations – demonstrating how terrorists and criminals conduct their operations and how these Red Team exercises help clients protect their personnel and assets. This segment offers a unique opportunity to see the world through the eyes of a terrorist or criminal surveillant.

Background

Today we are speaking with Mike Chang, Director of Operations for TrapWire, Inc. Prior to working at TrapWire, Mike served at the Central Intelligence Agency for 14 years as a counterterrorism operations officer, security officer, and senior instructor. He conducted counterterrorism operations and implemented crime prevention training programs focused on high-threat operations, surveillance detection, and weapons and tactics. Mike also served as a special agent on the personal security detail of the Director of Central Intelligence.  

At TrapWire, Mike manages teams that help clients understand the potential threats posed to them by pre-attack and pre-criminal activity. Put simply, Mike’s team conducts surveillance and other Red Teaming activity against client sites to help them better understand their threat vulnerabilities. These exercises enable organizations to understand precisely how and why terrorists, active shooters, criminals, hostile intelligence services, and other bad actors would collect intelligence against them in preparation for a hostile act. This is a unique approach to security, and we hope to get a much better understanding of such operations today from Mike.  

Seeing the world through the eyes of a surveillant: TrapWire’s Red Team

Interviewer

Within TrapWire, how many pre-attack “Red Team” operations have you been a part of, and what types of locations have they been?

Mike Chang 

A very unique aspect of TrapWire’s services is the fact that we conduct what we call attack planning and surveillance Red Teams, where our operations team will deploy to our client site or sites and engage in the left of boom activity against them. The goal is to show our clients exactly how threat actors will operate against them; how they will study, test and view their sites, their security personnel, their assets.  In short, we show them what their organizations look like through the eyes of the surveillant.

We have done this type of activity against hundreds of locations across the country, including airports, military facilities, mass transit systems, financial institutions, and numerous government buildings at the federal, state and local levels. We have also surveilled critical infrastructure, like oil and gas, electrical grids, and water treatment facilities; hospitality and resort facilities across the country; and special events, including concerts, sport venues and other events involving large crowds. 

Interviewer

When your team goes to a client’s site, for example, because there has been information in a pattern that they have noticed from their own surveillance detection, what would your team do once you get there? For instance, at the Academy Awards, or some kind of special event, if your team is there to help with detecting surveillance of a potential attack that may be happening, what would be some of the things you look for?

Mike Chang  

We look at several different aspects, from the perspective of a terrorist threat, to plan an assassination, for example.  We also look at it from the perspective of a hostile intelligence service and even from a criminal angle. We start with a survey of those facilities: we survey the people that work at those locations, personnel who are assigned to protect those facilities, we probe the security operations, we probe the facilities themselves. We go into restricted areas, we photograph, document, assess all of these different measures used for protection of those facilities.

As a potential threat, we’re looking at circumventing those defensive measures in order to get around them. So, how do I get around somebody’s security system? Well, I’ve got to collect information on that security system, to know exactly how it works, exactly what it protects. And then at that point, I can figure out the vulnerabilities of the system and circumvent it. 

That’s the entire goal of the red team: we collect intelligence and then we flip it, we flip it on the bad guys – we teach the security personnel and the protective personnel at those facilities what to look out for and how to report it into TrapWire. 

“When we conducted these left of boom activities against you, this is what we did and why we did it. This is where we did it from. This is when we did it.”

In our training of security personnel, we put in those people’s minds: when I’m conducting my security job, this is what I should be looking for. This is where I should be looking for it. Because we train them not only on the tactics used, how the threats do what they do; but also on the “why,” why they engage in these activities. When the personnel protecting a location understand the “why” of these operations, it is much easier for them to detect the what, or the tactics that will be used against them.  

Interviewer

It sounds like there are a lot of different targets that you have conducted surveillance against — from hard targets to soft sites. 

Of the hundreds of government, private sector, and critical infrastructure sites across the country that have engaged your services in this area— can you talk about what that was like and by whom your teams were detected during some of these exercises?

Mike Chang 

Well one, it’s a very risky operation. Normally when we are doing it, there are only one or two people at the facility who are cognizant that we are doing this type of activity. Of course, we carry what we call our “Get Out of Jail Free” letters, so that if we’re detained by security or law enforcement, we explain exactly what we’re doing and they look at the letter and they can make their phone calls.

Personally, I’ve been detained at three different facilities when conducting this type of operation. And normally, just like the threats, it’s when I become complacent in what I’m doing that I get caught. So, I become very comfortable in the environment. Because when we first approach a site, we approach that site just like any other bad actor would.  For example, we don’t have IDs to get on-site. We only have Virginia driver’s licenses or Texas driver’s licenses or North Carolina driver’s licenses. That’s all we have, just like the bad guys. And so, we have to be able to get on to the site to conduct our reconnaissance and surveillance and probing operations.  

Our first job is to get into that facility. We start with online intelligence collection. And then, using that intelligence, we combine it with our ground operation. Quite often you get more and more comfortable on a site and get this sense that nobody is seeing you or watching you, nobody cares. You become complacent as an operator. And every time I’ve fallen into that mode, I have gotten caught. And at times, I’ve been thrown against the wall at gunpoint or in a patrol car in handcuffs. That’s happened a couple of times, which is actually a good reaction, right? We want security law enforcement to be able to detect this type of operation and stop you if that does happen. 

Interviewer

When you’ve been caught, would you then have to go back and try and do the test a different way to see if you can get through, or perhaps have someone else on your team go since you might be recognized? Is there a plan B? 

Mike Chang 

We continue our operations. Even though we’ve been caught, we explain to them what we are doing and their reactions vary. Sometimes they say well, okay, we understand that you guys are testing us… now get out of here. Or they say okay, guys, go ahead and do your operations. 

Of course now it’s no longer “real world” because security and law enforcement there know that they’re being tested. But usually at that point, we have collected enough intelligence on the location to complete our assessment. And, what we do from that point is we take all of that information and we present it to the stakeholders. And again, this is not a “gotcha” type of assessment, but rather an opportunity to show them “Hey, this is how I operated left of boom. This is how threats perceive you. And this is how they’ll run their operations against you.”

We then take all that data and turn it into a customized training program for each client. We conduct what’s called operational training programs. Our flagship program is called Attack and Crime Prevention and Surveillance Detection. And if a client site had us do an attack planning and surveillance Red Team, we customize their training program with all of our findings so that not just your chiefs or deputy chiefs see the results of our assessment, but every single officer, every single guard, every single security officer sees the results of our assessment and sees what we saw on the ground.  Once they are aware of their vulnerabilities to these types of operations and exactly how they will be conducted, it is much more difficult for a real threat actor to conduct such activities and get away with it in the future.

Interviewer

How many people are on the planning team typically? I think you said it’s usually a group of people that would sub in and out, so they don’t get recognized. 

Mike Chang  

At that particular facility, we had two on the ground, and I joined the team later in the operation. So, a total of three covering that particular facility.  The number of personnel involved tends to emulate the threat we are portraying, whether terrorist, criminal, hostile intelligence organization, etc.  

In this instance, the initial team did their pre-attack planning and on-ground surveillance, and then I came in. The week that I had chosen to be on ground was during a family event at this campus, which was at a larger federal government facility.  And so the week begins with what’s called a family day, where family members come on board to the campus. They get to see where the students live. They don’t get to see the students yet, but they get to see where they live, where they train and all of that stuff. So basic ID checks are done. I just went with the flow and come in on board as a family member, without telling them my “family member’s” name. I go into all the living quarters and all the facilities with the tour groups and family groups. And I just blended into the environment. As a result, I was able to build upon what my team had collected already. And I’m also there to correct any information they may have gotten wrong or different from what I was observing.

A family event occurs on this campus in a large common area – a very large rectangular area that is cordoned off.  All visitors must enter through a security station.

I arrived very early in the morning and parked my car just like any other family member. I’m also dressed like any other family member, and I proceed to the first security checkpoint. I am casing and collecting intelligence on all of the security aspects of checkpoint one. It’s very important because we had never attended a family event at this facility before. I’m the first person of our Red Team on the ground. I’m collecting all the intelligence we’d need to plan an attack: the number of security personnel present, the types of weapons they’re carrying, and the type of security technology they’re using. 

Then I move away, eventually to checkpoint two. I go around to checkpoint three, then checkpoint four — that takes me probably about an hour and a half. Then I make my way back to checkpoint one. So I’ve covered the entire perimeter of the event area. I’ve surveilled and cased all four checkpoints, now comes my time to go through a security checkpoint so I can go inside the perimeter. 

At this point, my bag has to go through an x-ray machine, and I have to step through a magnetometer just like at an airport. I keep my video camera active as I’m going through the security checkpoint. So it’s on the belt, it’s sitting on my camera bag, and it’s recording. The camera goes through the X-ray machine and I go through the magnetometer. I retrieve my bag, I go and buy a cup of hot chocolate because it’s really cold, and I walk around and I start looking at what we call “attack objectives,” which are specific areas that I’m going to plan to attack with my attack team. During this particular event, there were several HVTs (High Value Targets) on hand, including several important government officials sitting in the VIP area, and I’m getting good photography of them – as well as the overall crowd and choke points. I’m doing all my normal things. 

What I didn’t know was that when I moved from checkpoint one to checkpoint two, about two hours prior, a support officer, who had been there to support the event – he wasn’t even part of the security team – observed me moving from checkpoint one to checkpoint two. And in his mind he’s thinking “that’s really strange,” because people don’t normally do that at our events. Normally, they come up to a checkpoint and are all “oohs” and “ahhs” because there are people carrying guns, which always gets attention as they snap a few pictures. But he told me later, “Nobody ever does what you did. Nobody goes from one checkpoint to another checkpoint. So I found that kind of weird. I watched you at checkpoint two, and then saw you move from there to checkpoint three, and that’s when I called it in.”

So the entire time that I had been moving from checkpoint two all the way back to checkpoint one, roughly about an hour, they were surveilling me and I had no idea. And simply because this one support officer saw something out of the ordinary and decided to tell someone “Hey, you guys should look at that.”  

After I had taken some video and pictures of people in the crowds, I was walking to another area where crowds were gathering, when this security officer walks by me, he’s a quick reaction force and SWAT team member. He says, “Good morning.” I said, “Hey, good morning, how are you doing?” He says, “Great” and walks by me. I continue walking and about two steps later, I get a hand on my shoulder. I turn around and it’s him. He said, “Sir, good morning, again. I want to welcome you to our family event.” I say, “Great – thank you very much.” He goes, “Sir, I just want to ask you, are you here to see your son or your daughter participate in the event today? Maybe, perhaps, a niece or nephew?” And I said, “Yes, I am.” And he said “Well, sir, if you don’t mind me asking what group are they in?” I had come prepared, so I had a group number and I gave him the number. He goes, “Sir, thank you very much for answering my question. I very much appreciate it.” He takes out a program and he turns to that group number and says, “Sir, if you don’t mind, would you mind telling me your relative’s name?” And I didn’t have a name. So he said, “Sir, you’re gonna have to come with me.” He puts the program away, shoulders his rifle and he escorts me around a small building. There, an entire law enforcement detachment was waiting for me. And that’s where I ended up in handcuffs and in the back of a patrol car. 

My point in telling you this very long story is that this was all born out of a support officer who just saw something out of the ordinary and decided to report it. It was a simple action of See Something, Say Something in real life. And luckily, four months later, when I came back to do training for them, I was able to have that support officer in my class. I asked him before the class if he would stand up and tell his side of the story. And he did. 

I can tell you numerous stories of where that’s happened to us as a team, where a small act that we think will appear innocent or normal, just sticks out to the people who live, work, and play in an environment. And it can’t get more visceral than when we are casing a school. When we are casing a school, and somebody sees us, it gets nasty, which is good, right? It’s great, you know, a parent coming up to my window and banging on my window saying, “Why did you just take a picture of my kid getting off the bus?” I was actually just filming the bus and the kid happened to get off right then. But that’s the type of reaction we want from people: when you see this type of activity, do something about it!

Interviewer

What is the process for using the TrapWire Red Team? Does an organization hire you directly to test their security teams and technology? 

Mike Chang  

A client will hire us to do attack planning and ground surveillance against their assets, which could be a protected individual with a security detail, or a large campus, or even an office building. Whatever their asset is, they ask us to do our attack planning and surveillance against that facility or asset. 

We normally begin with online and open-source intelligence gathering about the location, such as blueprints, diagrams, pictures, satellite photos, anything we can find online to familiarize ourselves with the site, especially if the site isn’t local to us. 

Then we will gather as much social media content as we can regarding that site or asset. If an employee who happens to work for their security team puts a lot of information about their job online, we gather that information. When we’re ready, we deploy the first team, who will go out and conduct an initial round of surveillance and intelligence collection against that target. From that point on, it gets more and more detailed, and more and more focused. Rather than focusing on the entire facility we start looking at specific locations we are going to attack, or where we’re going to steal sensitive information from (if that’s the goal), or identify mass casualty locations…whatever the goal is for that particular operation. If the goal is to kidnap a child from a Child Development Center or school, then that’s our focus. If it’s to plan a burglary or robbery of a secure facility, we’ll develop a plan for that. So it kind of differs depending on the type of asset and the threats they are likely to face.

Interviewer

When you are undercover on one of these red teams, are there different behaviors that you learn or you recommend in your training to look out for? When someone is asking you a question in a high-stress situation — do you watch to see if someone stutters, or displays unusual body language? Are there specific things that you recommend looking for, as well as make sure you yourself are not doing them to stand out?

Mike Chang  

What we tell officers who are conducting a field interview of a suspect is simple: listen to the answer. That’s the key; don’t just ask the question to ask the question, listen to their answer, and play off of it. If they say they’re a student, terrific. “That’s great. Thank you for answering my question. Would you mind showing me your student ID?” And when they claim they don’t have their ID with them, they left it in their apartment. “Okay, that’s, that’s okay…so what university are you enrolled in? What field of study? What’s your major? We just need to verify everything.” Find different ways of breaking down that cover to see if that cover is valid, or to see what that person’s reaction is going to be as you start to break down that cover.

Interviewer

I see. So as an investigator, it’s sometimes less about what you’re seeing and more on what you’re hearing if you’re able to break down into even deeper layers to try and crack a story. 

Mike Chang  

Right. And it’s because a cover in itself is designed to blend into the environment. 

Let me give an example of a certain type of federal facility that I will not define beyond that – for security reasons – these types of facilities often have ongoing construction projects.  When I’m conducting surveillance at these facilities, I’m often dressed in my construction gear. I have a hard hat, which is perfectly clean and doesn’t have a union sticker or anything like that. I have a construction vest on, which is also perfectly clean. And I wear a button down shirt and dress slacks with casual shoes – all of which are bright and clean, and I’m carrying a clipboard with some papers on it. The appearance that I’m trying to give is that either I am a supervisor, or I’m an inspector. The inspector cover is what I prefer people think, because nobody wants to talk to the inspector, and inspectors are usually left alone to go about their business. People who do their work, they don’t want to talk to the inspector. That’s the appearance that I’m trying to give off – the feeling that I want people to leave me alone.

During training, I tell security officers that when it comes to cover, people will often work very hard on their appearance and will have a few rehearsed responses to use with you. So when they actually speak, please listen to their answers carefully. Do they sound normal, relaxed? If not, then use what they’ve said and play off of it and see where that answer takes you. Because quite often it’ll take you in all sorts of different directions.

This is the wrap up of Seeing the World through the Eyes of a Surveillant: TrapWire’s Red Team with Mike Chang. In the next interview, Mike will dive into See Something, Say Something.
