Understanding the Convergence Between Online and Real-World Threats

What happens online sometimes manifests as a real-world threat. Real-world threats are typically planned, referenced or originated online. Understanding the convergence between online behavior and real-world actions is increasingly important in the corporate security field. Here’s how security professionals can think about identifying and understanding threats in a society that increasingly straddles the virtual and physical worlds.

Listen to the noise, but understand the signals

There’s no shortage of angry chatter online. Indeed, without outrage and anger, the internet would be a much quieter place. But malicious actors, whether they’re targeting an event, a company/institution they dislike, or specific people, can be distinguished from the typical online chatter. The more information we have on suspected threats, the better our understanding of the malicious actor and their intent.

By running online searches—both persistent and intermittent—for relevant keywords, phrases, and topics that relate to threats and vulnerabilities, analysts can identify potentially malicious actors. That same search capability can also be used to provide valuable context. Such deep dives in order to understand the malicious actor and their context is similar to the nuts and bolts of investigative work. Consequently, each case is different. However, some commonalities are worth mentioning.

To begin, it’s important to understand where the conversation is taking place. Yes, some malicious actors openly discuss their plans and views on popular social media platforms. But increasingly, those conversations are shifting to the deep and dark web. For example, the gunman who attacked a synagogue in Pittsburgh last year spoke openly and often on Gab, a message board frequented by extremists. A persistent search for anti-Semitic threats would certainly yield results on popular social media platforms, but arguably that same conversation on a deep or dark web message board that’s popular with extremists should raise a red flag for a security analyst.

Once a potential threat is identified, search is also a valuable tool for fleshing out key details about the person or people in question. For example, an analyst can determine who that person regularly engages with online and whether their posts contain information that makes their threats more or less credible. Additionally, a detailed investigation into the online behavior of a potential threat can also clarify their connection to the target. Are they a malcontent who spews hate broadly, or do their online conversations fixate on a specific individual, institution or company? Do they have insider knowledge about the target, or do they appear to be reliant on publicly available information?

Lastly, it’s important for security analysts to determine how, if at all, the potential threat intersects with a real-world target. Here, NFL commissioner Roger Goodell provides a vivid example. Goodell is a lightning rod for online anger, especially during the NFL postseason. But both law enforcement and NFL security can use location to assess the veracity of each threat. After all, a threat who shares menacing plans or views online without moving toward the target probably isn’t as significant as a threat who changes their physical location to be in proximity of a real-world target. Consequently, NFL security can monitor the vocal chorus of fans who routinely express outrage at Goodell while focusing on the much smaller subset who take real-world actions that put them on an intercept course with the target.

The best defense is multi-pronged

Unfortunately for corporate security teams, a given target can have any number of vulnerabilities. An airline security team, for example, can monitor its brand’s online persona, track references to key executives and look for mentions of specific company locations. But airlines also work with numerous vendors to perform maintenance, food service, cleaning, and a range of other services. Each one of these vendors represents a vulnerability to the airline. Of course, in this regard, airlines aren’t any different from the vast majority of corporations today.

One way for companies to maximize their security is to insist that their vendors also direct resources to understand the convergence between online and real-world threats. A firm that provides food service to an airline, for example, might not be a household name, but given its proximity to well-known brands, that vendor should be searching the deep and dark web for conversations about their business. Ideally, each vendor in a supply chain will directly or indirectly employ search technology and share information throughout the chain to better understand potential threats.

Why convergence matters

We tend to think of security in terms of the worst case scenario. A threat that goes undetected results in the loss of life or property. Obviously, all security professionals want to avoid these catastrophic outcomes. But understanding the convergence between online and real-world threats isn’t just about avoiding the worst case scenarios, it’s about building a more effective holistic security operation.

From a planning perspective, a clearer understanding of the convergence of online and real-world threats can inform decisions about where to deploy resources in the short run and where to invest in countermeasures for the long term. A security team at a power plant, for example, might choose to invest in drone countermeasures even when there’s no credible threat because they’re seeing a proliferation of drone video footage of their installation posted on the deep and dark web. Conversely, that same power plant might choose to ratchet down their response to local protestors because a better understanding of those online conversations indicates a low propensity to violence.

Understanding the convergence of online and real-world threats also puts the security team in a better position to advise clients about the actions they need to take in advance of a threat. Canceling an event or closing an installation comes with costs that can be especially burdensome if the threat lacks credibility. Along similar lines, actions taken in response to perceived threats can have reputational costs as well.

Ultimately, there’s no such thing a crystal ball. But the more we know about the convergence between online and real-world threats, the better off we are in a noisy, scary world. Because while the number of threats is disproportionately lower than the volume of menacing posts on the deep and dark web, it’s our understanding of that online context that safeguards our companies, locations, events and people.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.