Managing the Threat: An Introduction to Surveillance Detection

The following report was compiled from various unclassified sources including press reports, government
websites, OSAC constituent interviews, and U.S. Embassy reports.

May 12, 2010

EXECUTIVE SUMMARY

Pre-operational surveillance is a critical component for every terrorist or criminal attack. Given that the purpose
of hostile surveillance is to observe, analyze security measures, patterns, and vulnerabilities of a potential target,
surveillance can be the most visible step in the attack planning process. Therefore, surveillance involves the most
risk for attackers. Surveillance detection programs are designed to exploit these risks by creating a mechanism to
detect pre-operational surveillance, report sightings, and disrupt an attack. This report identifies attacker
vulnerabilities during pre-operational surveillance and then focuses on how a surveillance detection program can
exploit those vulnerabilities.

The full program outlined in this report may not be conducive to all organizations. Parts of the program can be
extracted and suited to the needs of each organization’s security plan. Before developing a surveillance detection
program, organizations should ensure that their program will be in legal accordance with host country laws.

“The brother should draw a diagram of the area, the streets, and the location which is the target of the
information gathering. He should describe its shape and characteristics. The drawing should be realistic so that
someone who never saw the location could visualize it”
al-Qa'ida Training Manual

HOSTILE SURVEILLANCE

Pre-operational surveillance is critical to every attack. Terrorists began conducting pre-operational surveillance
over two years before the November 2008 Mumbai attacks took place. The coordinated, multi-target attacks
involved detailed planning and long-term hostile surveillance. On multiple occasions the terrorists entered at least
one of the Mumbai target locations and posed as a patron. Additionally, terrorists stayed at a hotel that was very
close and in the line of sight to the locations they planned to attack. In all, there were at least six surveillance trips
to the various attack targets.

Terrorists are not the only types of attackers who conduct surveillance. Criminals must also employ surveillance
tactics in order to carry out their crimes. In South Africa, home of this year’s World Cup, criminals have been
known to target passengers and tour groups upon arrival at O.R. Tambo International Airport in Johannesburg.
Typically, criminals receive word from inside operatives when “high value” individuals are exiting the airport
terminal. The victims are then followed and robbed at gunpoint upon arrival at their residence or hotel.

An attacker’s need for critical information about a target provides an opportunity for organizations to detect and
disrupt an attack. Surveillance detection is the process of detecting and reporting suspicious activities. By
interdicting through host country legal recourse, organizations can disrupt the attack planning process. Properly
executed, surveillance detection may identify suspicious behavior that supports interdiction. Interdiction results in
the mitigation or prevention of attacks. Once the actual attack has begun, organizations can do very little other
than react.

The contents of this unclassified presentation in no way represent the policies, views, or attitudes of the United States
Department of State, or the United States Government, except as otherwise noted (e.g., travel advisories, public
statements). The report presentation was compiled from various open sources and unclassified embassy reporting.
Please note that all OSAC products are for internal U.S. private sector security purposes only. Publishing or otherwise
distributing OSAC-derived information in a manner inconsistent with this policy may result in the discontinuation of
OSAC support.

THE ATTACK CYCLE

A typical attack cycle is comprised of eight stages. Each stage in the attack cycle demonstrates that terrorists and
criminals have to take risks to successfully carry out an attack. The white arrows on the diagram to the right
indicate opportunities for organizations to detect and interdict a potential attack.

Target List – The first phase of the attack cycle is to compile a list of possible targets.

Initial Surveillance Phase – The second stage of the attack cycle is the preliminary surveillance stage, which may
take minutes, weeks, or months, for the target to be selected. Usually, the first group of operatives who survey a
facility may not be as sophisticated as operatives later in the process who conduct the attack. This may increase
the chances of detecting surveillance early in the cycle.

Target Selection – Once the target is selected, more strategic operational planning begins, which entails more
sophisticated surveillance.

Attack Planning – During the planning stages of the attack cycle, the attackers will determine the specific attack
site and begin to plan the point of approach. Several case studies have demonstrated that a more sophisticated
surveillance team may be deployed to collect specific data points to support the attack’s specific modus operandi.
The attackers may use both fixed and mobile surveillance techniques to plan out a route to execute the operation.
All specific details about the area will be accounted for, such as the timing of stoplights, distances from the road to
the facility, and security measures in place.

Dry Run/Rehearsal – The final stages of surveillance may include a dry run to the target. Traditionally, al-Qa'ida
has facilitated this phase with a different cell than the attack cell. However, homegrown cells may incorporate this
phase into their attack planning phase because they may already be familiar with the target’s environment. For
instance, ten days prior to the 2005 London tube bombings, terrorists conducted a dry run on the London
underground system.

Final Phase of Surveillance – The final surveillance stage is done more quickly to ensure the targeted person or
facility implemented no new deterrence measures.

Deployment/Target Identification – The attackers are deployed and en-route to the target.

Attack – This final stage is conducted when the attack is complete. The attack has a high probability of success
in the final stage of the assault. Failures at this stage are usually related to mechanics or timing.

BEST PRACTICES FOR SURVEILLANCE DETECTION PROGRAMS


Before organizations create, build, or enhance a surveillance detection program, they must first assess local laws
to ensure that their program is legal under local jurisdiction. Next, organizations should analyze their vulnerability,
a critical part of designing a surveillance detection program. The vulnerability analysis should focus on perceived
vulnerabilities of a facility, activity, or person, since terrorists and criminals will typically attack at the point they
perceive to be the weakest.

A “Red Zone” is a specific surveillance location, which is usually referred to as the operational area. Surveillance
is a very site specific activity that relies on an adequate view of a vulnerability and cover for the person conducting
the surveillance. The specific site that provides these two elements is referred to as a Red Zone.

It is important to note that organizations should continue to study current trends and tactics implemented by
terrorists and criminals. Threats against facilities and personnel are constantly evolving and organizations should
continuously identify the possible vulnerabilities that may arise as terrorists and criminals change their tactics.

A successful surveillance detection program consists of three main components:

Detect - The main objective of a surveillance detection program is to detect and report pre-operational
surveillance directed against a facility. Pre-operational surveillance comprises the data collection phases of the attack
cycle and is indicated by the white arrows on the attack cycle diagram. It is critical to have formal procedures to
report sightings so action can be taken to interdict.

Report - Information-sharing initiatives with host governments are critical to the success of surveillance detection
programs. Pre-established methods to report hostile surveillance to local law enforcement are critical for
intervention. In addition, it is important to notify authorities of the organization’s operations to avoid
counter-surveillance by authorities. Over the years, OSAC constituents have been caught in this precarious situation.
Additionally, organizations should make sure that developing a surveillance detection program is legal in the host
country.

Analyze - Analysis is the backbone of all surveillance detection programs. A critical component of surveillance
detection is to analyze and correlate reported data to identify trends, patterns, and repeated sightings.

Team Structures

There are several different types of team structures organizations can implement to manage their surveillance
detection programs. The team structure methods include formal, mobile, and in-country training teams. All three
methods can be used simultaneously or independently. Some organizations have designated surveillance
detection teams and others train and set up procedures for all employees to be able to detect and report
suspicious activities. Setting up surveillance detection teams can be a costly and resource-intensive process.
Some OSAC constituents have set up formal teams in high threat countries where labor is not as costly, such as
Indonesia, Pakistan, and Kuwait. However, basic elements of surveillance detection can be applied across all
organizations regardless of their size.

Formal Team – A formal team consists of a designated surveillance detection program with leadership and
oversight, coordination, analysis, and dedicated surveillance detection personnel. A surveillance detection team
may sometimes operate at an off-site location and minimize physical presence at the targeted facility.
Procedures are established for the team to detect pre-operational surveillance, record biographical information,
report the sightings, and set up methods to provide suspicious incident reporting to local authorities or private
guards to interdict. Most formal teams have an off-site coordinator who inputs the information into a database to
correlate the sightings. This person also coordinates reports with the individual who has complete oversight, such
as the local security manager. Most organizations surveyed use the same vetting process that they would use for
hiring their local security personnel. Typically, organizations use formal surveillance teams in high threat
environments and at crucial infrastructure facilities.

Mobile – Some organizations also have mobile teams implemented, which can be deployed for short periods of
time at a facility location. A mobile structure can be very useful in deploying a team on very short notice. However,
given their mobility, it may take several weeks to establish a base of operations. Organizations generally use a
mobile structure to cultivate relationships with the local community in an effort to establish a formal method of
reporting. Most organizations report that mobile teams are usually used at facilities where internal staff have
reported a spike in sightings.

In-country Training – The concept of a surveillance detection program should be used among all hired staff.
Employees are the first line of defense and should know how to report suspicious behavior. Several
organizations have mandatory surveillance detection and counter-surveillance programs set up for employees
and family members in high threat regions. In addition, organizations have strategically set up formal methods to
detect and report information with employees who have a routine presence outside of the facility, such as
maintenance crews, local guards, drivers, and front lobby personnel.

Reporting Methods

Another important principle for developing a structured surveillance detection program is to define tripwires that
identify what actions to take during different types of suspicious or hostile surveillance. A surveillance detection
team does not interdict during suspicious incidents; therefore, it is important for the team and supervisors to have
well thought out plans of action when a program is created. The following are a few examples of how a surveillance
team might react and report to different sightings.

Suspicious (Non-Threatening) Activity – A non-threatening sighting may include a person who is loitering in the Red
Zone without a justified motive or who may simply look out of place.

Action: In this sighting the team member should write down physical identification and behaviors
and take a photo if possible. The information is then reported at a designated time such as
shift-change – possible interdiction may be necessary.

Hostile Surveillance Indicators – Hostile surveillance may include repeated sightings of a suspect in the Red
Zone who is paying specific attention to the target.

Action: The information should be reported immediately to the coordinator. The coordinator will
share the information with the local security manager and decide whether to have local authorities
or guard personnel interdict.

Overt Surveillance – During overt surveillance, the suspect may be taking photos and/or notes of the facility.
The suspect may also be physically determining specific timings of lights, distances, and/or security personnel of
the facility to prepare for an attack.

Action: Immediately report the sighting to the surveillance coordinator and/or security manager to
have host government or guard staff interdict.

Imminent Significant Threat – A visible attack has been initiated.

Action: Implement the organization’s emergency action plan. Organizations should already have an
established emergency number to alert of an imminent emergency at the facility.


FURTHER INFORMATION

More information on surveillance tactics, trends, and incidents can be found at the report links below or by contacting
OSAC’s Global Security Coordinator.

Terrorist Tactics: Street Vendors - The Perfect Surveillance Platform


India: Possible Surveillance Detected
