Can Social Media Threat Monitoring Help Preempt Violence?
This analytical security technique can be highly effective as part of a holistic risk management approach
Friday, August 23, 2019
By Keith Wojcieszek
The March 2019 mosque shootings in Christchurch, New Zealand, especially the internet livestreaming of the first attack, have everyone talking about the use of social media threat monitoring to preempt violence. The idea isn't new. Law enforcement agencies and corporate security teams have used social media monitoring for years in their efforts to anticipate and thwart various attacks.
However, many decision-makers today are not fully aware of, or cannot account for, the complexities that affect the usefulness of social media monitoring as a security measure. If your organization is leaning toward monitoring social media threats to better protect people and facilities, here are some important things to consider before moving forward.
Wide, Deep and Murky Waters
When most people hear the term social media, they think of mainstream websites and platforms like Facebook, WhatsApp, Tumblr, etc. The reality is that social media is a vast online environment.
No one knows the exact number of social media sites, but recent research indicates that there were over 3.4 billion active social media users in 2018. Some attackers might be vocal on mainstream social media sites before an incident. However, just as many, if not more, could be active on obscure, anonymous forums where aggressive and potentially dangerous behaviors like cyber bullying, hacktivism and even terrorism tend to blossom, such as those frequented by so-called incel terrorists.
A fundamental challenge with social media monitoring, then, is knowing where to look and how to surface credible threats from amidst the overwhelming noise and chatter in time to prevent an incident.
Technology and Human Balance
The massive social media environment obviously calls for the help of automation to pick up threats in time to take action. But any automated monitoring system will only be as effective as the human experience that underpins and directs searches, validates results and, when applicable, supports the pursuit of legal remedies.
What to look for in technology resources
Sophisticated machine learning that can assimilate data from diverse sources and continually optimize search, find and alert features
Ability to integrate with additional security measures, such as geofencing
What to look for in human expertise
Firsthand investigative experience that translates into knowing where trends, patterns and shifts are developing
Experience and insight to avoid pitfalls, such as those associated with “profiling” as well as faulty attributions that could result from stolen identities
Ability to access critical data and resources, such as global law enforcement agencies
Knowledge and experience supporting legal remedies, such as Digital Millennium Copyright Act takedown requests or other takedown requests relating to users or posts that violate a social media platform's terms of service
Multilingual analysts to vet machine-generated alerts in a timely manner
Linguists to aid in deciphering messages in vetted chat platforms
How Threat Monitoring Neutralized a Smear Campaign
The following case demonstrates how human threat intelligence, sophisticated technology and close collaboration with organizations and counsel all converge to mitigate risk through social media threat monitoring.
A nonprofit organization's outside counsel learned of a threat to disrupt the nonprofit's annual day of charitable giving. Our initial assessment confirmed that threat actors were planning to hijack the client's social media campaign with highly contentious, hot-button rhetoric and images.
In collaboration with the client and their outside counsel, we developed a strategy to use multifaceted social media threat monitoring to prevent/minimize the effects of the potential cyber attack:
Based on keywords identified during initial reconnaissance, monitor social media platforms and push curated social media alerts to the client.
Conduct covert analysis to identify channels where threat actors were discussing tactics, techniques and procedures related to the cyber attack.
Provide daily threat intelligence updates, including anticipated attack vectors, the estimated number of associated actors and the evolution of the operation.
Work together with the client and counsel to proactively develop a plan of action for the day of the expected attack, including real-time threat analysis, social media takedown requests and onsite client support.
On the day of giving, over 40 takedown requests were made to various social media platforms based on threat actor activity. Over 20% were taken down by the social media platforms. In addition, proactively sharing the images and social media user names associated with the threat actor group led to the suspension of the accounts and effectively stopped the attack before it gained momentum.
Law Enforcement and Industry Association Resources
In addition to implementing a customized solution (or while evaluating social media threat monitoring options), we recommend reaching out to local law enforcement and/or their local fusion center. Fusion centers serve as primary focal points within a state or major urban area to receive, analyze, gather and share threat-related information among all levels of law enforcement. Because trends happen nationwide, fusion centers have the advantage of a wide view of threats.
Joining local business groups or local chapters of national/international cybersecurity or risk management organizations like the National Cyber-Forensics and Training Alliance (NCFTA), the Electronic Crimes Task Force (ECTF) and InfraGard is another way to keep current with persistent and new threats and to learn about best practices for mitigating risks.
Not a Panacea
Social media threat monitoring has its limitations, particularly those relating to privacy protections. For example, private channels are not open to monitoring by private security firms. Relying solely on social media monitoring for threat alerts could lead to a false sense of security.
Social media monitoring can provide critical information on threats, but organizations and their security teams are well advised to not lose sight of the forest for the trees. The usefulness of social media monitoring is best leveraged in a holistic risk management approach, one that incorporates diverse security strategies, including a range of cybersecurity measures.
Keith Wojcieszek is associate managing director in Kroll's Cyber Risk practice, based in Washington, D.C. He joined Kroll from the United States Secret Service, where he served with distinction for 15 years.