As security personnel working in a protective operations role, we are tasked to do everything we can to keep our protectees safe.
By far the best method to accomplish this goal is to adopt a predictive, preventative strategy for protecting clients based on the tenets of Detect, Deter, and Defend. To effectively employ these tenets, we need some very specific soft and hard skills. In the protective operations world, the “soft” skills are sometimes referred to as Protective Intelligence (PI) while in other security disciplines they are referred to as situational and tactical awareness skills. If we are unable to prevent or avoid an attack, we need to have some expertise in specific “hard” skills such as use of firearms and security driving so that we can survive an ambush.
Terrorist Attack Cycle
There have been significant studies done to understand how assailants plan and then conduct their attacks. The result of this research is a basic blueprint for how most attacks are conducted. This blueprint is called the Terrorist Attack Cycle, and, over time, it has proven to be very effective in helping us understand and counter the steps commonly used by terrorists and criminals when they plan and execute an attack (read kidnapping, assault, assassination, etc.) against an individual or individuals. Examining each step of the attack cycle is a useful way to identify and examine the tactics and tradecraft required to complete each step.
Threat Environment and Security Plan Analysis
Before specifically addressing the Terrorist “Attack Cycle” we need to conduct two critically important assessments. The first assessment is a thorough review of the current threat environment for the protectee; specifically, to determine who are the adversaries and then learn the Tactics, Techniques, and Procedures (TTPs) they employ. We call this area of study Assailant Methodology and only by acquiring this information can we can realistically plan and prepare to detect and avoid or defend against possible ambushes. For example, some assailants specialize in kidnappings while others are known to be very adept at assassinations.
Once we understand who is most likely to attack our protectee and the tactics they would employ, we need to assess how our protectee’s security stacks up against the likely attack methodology. Specifically, we are looking for vulnerabilities in our security plans in relation to the common tactics/tradecraft used by our most likely attackers.
The Attack Cycle
Using the data collected during our two assessments we are now ready to effectively address the “Attack Cycle”. The attack cycle is often described as having 6 to 8 steps depending upon the sophistication of the attackers. We will be using a 7-step attack cycle as this allows us to focus on specific aspects most useful for protective operations. The 7 steps include Initial Target Selection, Surveillance, Attack Planning, Additional Surveillance/Rehearsal, Pre-Attack Deployment, Attack, and Escape.
At the beginning of the attack cycle, the assailant must decide on a target (Initial Target Selection). In many cases, they have multiple potential targets, so they need to gather data about these targets (Surveillance), plan the attack based on information gathered during the surveillance phase (Attack Planning), assemble the team and conduct additional surveillance and possibly a rehearsal (Surveillance/Attack Rehearsal), assemble at the attack site (Pre-Attack Deployment), conduct the Attack, then Escape.
It is very important that we do not interpret the concept of the attack cycle too literally. Every threat element is different, and their training, skills, and resources affect the way they approach the planning and execution of an attack. Also, different types of attacks require different degrees of planning and preparation.
Protective Intelligence and Hard Skills
There are a variety of activities, strategies and skills that security personnel can use to exploit the weaknesses in the assailant’s attack cycle. This includes Route Planning and Analysis, Surveillance Detection and Counter-Surveillance, Attack Recognition, and Countering the Surprise Factor. The last element, Evasive Action, will require the use of hard skills (firearms, tactical security driving, etc.) by security personnel to be effective.
Route Analysis is the tactical examination of our environment from the point of the view of an attacker looking for potential attack sites, chokepoints, or any hazards which may cause our protectee harm or impact our ability to move the protectee from one location to another securely. Potential attack sites provide the enemy with the ability to control our movements, provides them with cover and concealment, and leaves them with potential escape routes. The actual location where we feel the attacker would stage or initiate the attack (where the most firepower would be used) is called the “X”.
One critical aspect that security personnel should focus on are “Chokepoints”. These are areas that we are required to travel through when moving from one location to the other. Chokepoints can be the result of geographic features (bridges over river, parks), traffic patterns (only road between two points), or architectural features (buildings and structures) which restrict our movements. At a minimum, all movements have a chokepoint at the beginning of the movement (departure point) and at the end of the movement (arrival point).
Historical studies of assassinations and ambushes have shown that if the victims vary their routes and times (time and place unpredictable), the attack will most likely occur in one of the chokepoints. Route analysis, done correctly, will show us where we are vulnerable (ambush sites and chokepoints) and help us determine the most likely attack sites (i.e. the “X”). We can then pay more attention to these areas.
Protective Operations Surveillance Detection
To target our protectee, an attacker must know where we are and when we will be there. At a minimum, they must be aware of our presence early enough to prepare to act. While more sophisticated attackers can gather this data electronically, at some point all attackers must employ “eyes on” the target. Surveillance Detection (SD) in the protective operations world involves specific activities that help us determine if someone has us under surveillance.
Specifically, SD is done to determine if a hostile element is surveilling our protectee (or our security personnel) to collect information that will later be used to plan and execute an attack, assault, assassination, or kidnapping against our protectee. SD, as a skill set, is considered a critical defensive capability for modern protective teams. Within the Attack Cycle, there are usually three surveillance steps (Initial Target Selection, Post Target Selection, and Pre-attack Surveillance) that provide us with the best opportunities to detect hostile surveillance.
Thinking like the attacker, we need to find the most likely Surveillance Points near our protectee’s work, residence, along routes, near chokepoints and around all potentially viable ambush sites. We need to analyze potential surveillance points looking for the likely places where the Surveillants will be located and the possible methods they may use to blend in to their environments. For example, a local park across from the protectee’s residence may provide ample cover for a surveillant.
Once we have located likely surveillance points, we begin to look for correlation (i.e. movement by people or vehicles which corresponds to or is concurrent with our movements). Additionally, we need to look for some common mistakes made by the surveillants (unnatural movements or activities, staring, note-taking, photography, etc.). Upon discovery of some correlation or unusual activity, we need to immediately investigate. We can investigate using in-house capabilities covertly or overtly (using law enforcement to conduct interviews, arrests, site inspections, etc.).
Strategically, anytime we observe people in likely surveillance points, we must do a hard focus on them using our surveillance detection skills. Just being in the critical location should raise our suspicions about these people so we need to look for signs of surveillance (correlation of movement, mistakes, etc. and other surveillance behavior). If we observe any specific suspicious activity in these critical areas we need to respond (change our routes and times, post obvious security in the chokepoints, contact law enforcement, etc.).
Surveillance Detection (SD) is very effective against the initial surveillance step in an attack as untrained personnel are frequently used, and this surveillance takes place over a great deal of time. With sophisticated terrorist/criminal elements, SD is less effective against the final surveillance step (Post Target Selection) as they will most likely use trained/experienced personnel and this surveillance takes less time. We need to employ SD during every movement especially near chokepoints and potential ambush sites.
The Second Half of the Protective Intelligence and Hard Skills Equation
In the next section, we will focus on the other aspects of our counter ambush strategies; Counter-Surveillance vs Surveillance Detection, Attack Recognition, Countering the Surprise Factor, Evasive Action and Immediate Action Drills.
Counter-Ambush Tactics for Security Professionals – Part 1
By: Thomas Pecora
Thomas (Tom) Pecora is a former CIA Senior Security Officer who retired after 24 years of service protecting Agency personnel. He managed large security programs and operations in Africa, Latin America, Southeast Asia, Europe, the Middle East and in the war zones. He has over 29 years of experience in protective operations, crisis management, personnel/physical security, and counter-terrorism. As Director of Pecora Consulting Services, he provides security vulnerability and threat assessments, as well as personal safety and crime prevention/avoidance skills training.