When you’ve been caught, would you then have to go back and try and do the test a different way to see if you can get through, or perhaps have someone else on your team go since you might be recognized? Is there a plan B?
We continue our operations. Even though we’ve been caught, we explain to them what we are doing and their reactions vary. Sometimes they say well, okay, we understand that you guys are testing us… now get out of here. Or they say okay, guys, go ahead and do your operations.
Of course now it’s no longer “real world” because security and law enforcement there know that they’re being tested. But usually at that point, we have collected enough intelligence on the location to complete our assessment. And, what we do from that point is we take all of that information and we present it to the stakeholders. And again, this is not a “gotcha” type of assessment, but rather an opportunity to show them “Hey, this is how I operated left of boom. This is how threats perceive you. And this is how they’ll run their operations against you.”
We then take all that data and turn it into a customized training program for each client. We conduct what’s called operational training programs. Our flagship program is called Attack and Crime Prevention and Surveillance Detection. And if a client site had us do an attack planning and surveillance Red Team, we customize their training program with all of our findings so that not just your chiefs or deputy chiefs see the results of our assessment, but every single officer, every single guard, every single security officer sees the results of our assessment and sees what we saw on the ground. Once they are aware of their vulnerabilities to these types of operations and exactly how they will be conducted, it is much more difficult for a real threat actor to conduct such activities and get away with it in the future.
How many people are on the planning team typically? I think you said it’s usually a group of people that would sub in and out, so they don’t get recognized.
At that particular facility, we had two on the ground, and I joined the team later in the operation. So, a total of three covering that particular facility. The number of personnel involved tends to emulate the threat we are portraying, whether terrorist, criminal, hostile intelligence organization, etc.
In this instance, the initial team did their pre-attack planning and on-ground surveillance, and then I came in. The week that I had chosen to be on ground was during a family event at this campus, which was at a larger federal government facility. And so the week begins with what’s called a family day, where family members come on board to the campus. They get to see where the students live. They don’t get to see the students yet, but they get to see where they live, where they train and all of that stuff. So basic ID checks are done. I just went with the flow and come in on board as a family member, without telling them my “family member’s” name. I go into all the living quarters and all the facilities with the tour groups and family groups. And I just blended into the environment. As a result, I was able to build upon what my team had collected already. And I’m also there to correct any information they may have gotten wrong or different from what I was observing.
A family event occurs on this campus in a large common area – a very large rectangular area that is cordoned off. All visitors must enter through a security station.
I arrived very early in the morning and parked my car just like any other family member. I’m also dressed like any other family member, and I proceed to the first security checkpoint. I am casing and collecting intelligence on all of the security aspects of checkpoint one. It’s very important because we had never attended a family event at this facility before. I’m the first person of our Red Team on the ground. I’m collecting all the intelligence we’d need to plan an attack: the number of security personnel present, the types of weapons they’re carrying, and the type of security technology they’re using.
Then I move away, eventually to checkpoint two. I go around to checkpoint three, then checkpoint four — that takes me probably about an hour and a half. Then I make my way back to checkpoint one. So I’ve covered the entire perimeter of the event area. I’ve surveilled and cased all four checkpoints; now comes my time to go through a security checkpoint so I can go inside the perimeter.
At this point, my bag has to go through an x-ray machine, and I have to step through a magnetometer just like at an airport. I keep my video camera active as I’m going through the security checkpoint. So it’s on the belt, it’s sitting on my camera bag, and it’s recording. The camera goes through the X-ray machine and I go through the magnetometer. I retrieve my bag, I go and buy a cup of hot chocolate because it’s really cold, and I walk around and I start looking at what we call “attack objectives,” which are specific areas that I’m going to plan to attack with my attack team. During this particular event, there were several HVTs (High Value Targets) on hand, including several important government officials sitting in the VIP area, and I’m getting good photography of them – as well as the overall crowd and choke points. I’m doing all my normal things.
What I didn’t know was that when I moved from checkpoint one to checkpoint two, about two – hours prior, a support officer, who had been there to support the event – he wasn’t even part of the security team – observed me moving from checkpoint one to checkpoint two. And in his mind he’s thinking “that’s really strange,” because people don’t normally do that at our events. Normally, they come up to a checkpoint and are all “oohs” and “ahhs” because there are people carrying guns, which always gets attention as they snap a few pictures. But he told me later, “Nobody ever does what you did. Nobody goes from one checkpoint to another checkpoint. So I found that kind of weird. I watched you at checkpoint two, and then saw you move from there to checkpoint three, and that’s when I called it in.”
So the entire time that I had been moving from checkpoint two all the way back to checkpoint one, roughly about an hour, they were surveilling me and I had no idea. And simply because this one support officer saw something out of the ordinary and decided to tell someone “Hey, you guys should look at that.”
After I had taken some video and pictures of people in the crowds, I was walking to another area where crowds were gathering, when this security officer walks by me, he’s a quick reaction force and SWAT team member. He says, “Good morning.” I said, “Hey, good morning, how are you doing?” He says, “Great” and walks by me. I continue walking and about two steps later, I get a hand on my shoulder. I turn around and it’s him. He said, “Sir, good morning, again. I want to welcome you to our family event.” I say, “Great – thank you very much.” He goes, “Sir, I just want to ask you, are you here to see your son or your daughter participate in the event today? Maybe, perhaps, a niece or nephew?” And I said, “Yes, I am.” And he said “Well, sir, if you don’t mind me asking what group are they in?” I had come prepared, so I had a group number and I gave him the number. He goes, “Sir, thank you very much for answering my question. I very much appreciate it.” He takes out a program and he turns to that group number and says, “Sir, if you don’t mind, would you mind telling me your relative’s name?” And I didn’t have a name. So he said, “Sir, you’re gonna have to come with me.” He puts the program away, shoulders his rifle and he escorts me around a small building. There, an entire law enforcement detachment was waiting for me. And that’s where I ended up in handcuffs and in the back of a patrol car.
My point in telling you this very long story is that this was all born out of a support officer who just saw something out of the ordinary and decided to report it. It was a simple action of See Something, Say Something in real life. And luckily, four months later, when I came back to do training for them, I was able to have that support officer in my class. I asked him before the class if he would stand up and tell his side of the story. And he did.
I can tell you numerous stories of where that’s happened to us as a team, where a small act that we think will appear innocent or normal, just sticks out to the people who live, work, and play in an environment. And it can’t get more visceral than when we are casing a school. When we are casing a school, and somebody sees us, it gets nasty, which is good, right? It’s great, you know, a parent coming up to my window and banging on my window saying, “Why did you just take a picture of my kid getting off the bus?” I was actually just filming the bus and the kid happened to get off right then. But that’s the type of reaction we want from people: when you see this type of activity, do something about it!