Red Teaming and Detecting Terrorist ISR


Successful terrorist attacks require an understanding of the terrain, population and operational (geosocial) dynamics of the location targeted. As in the case of military operations, achieving success is dependent upon effective application of the ‘principles of special operations.’ These principles as identified by Admiral William McRaven, USN are surprise, speed, purpose, security, repetition, and simplicity.1
      Terrorists use intelligence, surveillance, and reconnaissance (ISR) to achieve these and mount a successful attack. Assessing terrorist reconnaissance and hostile intelligence activities (ISR) is an essential component of counterterrorism strategy.2 Red teaming can be a useful tool in understanding the vulnerability of specific targets and in developing a framework for detecting terrorist ISR against that target set. In order to conduct an effective counter-ISR red team assessment, it is essential to break down terrorist ISR into observable components. The major components are casing, reconnaissance, and surveillance. Casing (which is the term used by police for reconnaissance) includes reconnaissance (observation at a single point in time) and surveillance (an on-going observation/collection effort).

Recon I&W

Red team and actual indications and warning (I&W) efforts require a directed effort. Collection and perception can be directed through efforts to discern specific tactics, techniques and procedures (TTPs), also known as M.O.—modus operandi—and through requests for information (RFIs), known as priority intelligence requirements (PIRs); essentially “watch for and report” among a range of intelligence officers or field personnel at potential targets. The utility of these observable indicators can be assessed and validated through red team exercises and assessments. It is likely individual reconnaissance (recon) will be detected more frequently (either individually or as a component of systematic surveillance).
      Terrorist recon occurs within an “I&W Envelope,” that is, within a sequence of observable effects and activities conducted by the terrorists in preparation of an attack. This sequence of events corresponds with the terrorist “kill chain.” When seeking to understand the observed instances of actual or potential terrorist recon (known as a transaction) it is essential to go through a process of “discrimination,” including discerning which segment(s) of the kill chain the recon likely supports; considering the potential that the transaction is noise or deception; and considering whether it is an assessment of capability, a hoax, or social engineering.
      Recognition of terrorist behavior preceding an attack is similar to recognizing criminal casing and requires understanding the “signs of crime” since “Every crime is prefaced by some form of reconnaissance and familiarization, however short in time. Take a thief at this stage, if you can. It is in his interest as well as that of the public.”3 Recognizing these signs requires training, familiarization with the TTPs consistent with terrorist recon, and an understanding of the target set involved. After all, “Perception is a primary attribute needed by police, but knowing what to watch for is something that has to be learned.”4 This perception involves a sequence of activities police, security, and operational staff can “watch for . . .”—essentially TTPs plus beat awareness.

Recon Phases and Discrimination

Terrorist reconnaissance can occur in five circumstances or phases (four pre-attack and one post-attack). These are conducted for specific purposes. Pre-attack, these include recon supporting: 1) target selection, 2) mission planning, 3) pre-execution (confirmation of conditions favorable to attack), and 4) refreshing a standing plan. Post-attack recon is essentially a “battle damage assessment.” All of these discrete recon phases can be conducted through physical or “virtual” means and increasingly involve a combination of both. Assessing specific discernable transactions and recognizing the action with a signature consistent with a specific recon phase can be informed through red team assessments and exercises. Other methods of building perception include reviewing terrorist manuals and publications, reviewing post-attack after action reports (AARs) and lessons learned. Many of these are accessible through open source (OSINT) exploitation.
      Casing/surveillance/recon are part of the terrorist’s operational “kill chain” or planning cycle.5 Discrimination among the various suspicious activity involved requires assessing suspicious activity reports for potential signatures consistent with casing or recon. The sequence of pre-attack planning may vary depending upon a group’s sophistication and the composition of the cell or individuals involved in planning, preparing for, or executing the prospective attack. Furthermore, the sequence may vary for attacks conducted by “lone actors.”6
      Specificity and sensitivity are key elements in signature discrimination. Factors involved are: geospatial (GEOINT)—activity and target (a baseline is needed)—and actor(s)—which include agent(s), operative(s), and exploited person(s). Discriminating among the various types of actors performing ISR requires social network analysis and/or human intelligence. Together, assessment of GEOINT and actor(s) equals “geosocial” intelligence.
      Specific factors that aid in discrimination of recon phases include loiter time, persistence/repetition, and specificity. Additional information valuable to assigning a signature includes the tools (cameras, video, sensors, etc.) used during the recon, as well as the number of persons involved or observed.


Some form of pre-attack preparation usually precedes terrorist attacks. While the specific preparation may vary depending upon the group or individual(s) involved, their sophistication, the type of attack, and their capabilities and strategic objectives, casing, reconnaissance, and surveillance (ISR) are components of target selection and attack preparation. The specific types of ISR and phases of recon involved can be informed by red team assessments and exercises.

Dr. John P. Sullivan served as a lieutenant with the Los Angeles Sheriff’s Department and was a founding member of the Los Angeles Terrorism Early Warning (TEW) group. He is an Instructor in the Safe Communities Institute (SCI) at the University of Southern California, an Adjunct Researcher on society and global crime at the VORTEX Research Group in Bogotá, Colombia and Member of the Scientific Advisory Board of the Global Observatory of Transnational Criminal Networks. His doctoral dissertation at the Open University of Catalonia looked at the impact of transnational organized crime on sovereignty.


  1. See William H. McRaven, SPEC OPS: Case Studies in Special Operations Warfare: Theory and Practice. Novato, CA: Presidio, 1995.
  2. Kevin A. O’Brien, “Assessing Hostile Reconnaissance and Terrorist Intelligence Activities,” The RUSI Journal, Vol. 153, Iss. 5, 2008.
  3. David Powis, The Signs of Crime: A Field Manual for Police. New York: John Jay Press, 1977, p. 86.
  4. Ibid, p. 197.
  5. The “kill chain” is not necessarily linear. For discussion of the terrorist kill chain or “kill chain model” (KCM) see John P. Sullivan and Alain Bauer (eds.), Terrorism Early Warning: 10 Years of Achievement in Fighting Terrorism and Crime. Los Angeles, CA: Los Angeles Sheriff’s Department (December, 2008). An alternative or complementary view is found in Chris Flaherty, Dangerous Minds: A Monograph on the Relationship between Beliefs-Behaviors-Tactics, OODA Loop, 7 September 2012; especially Chapter 7 and ‘Figure 8: New Kill Chain Model’ at p. 65.
  6. See Bart Schuurman, Edwin Bakker, Paul Gill, and Bouhana, “Lone Actor Terrorist Attack Planning and Preparation: A Data-Driven Analysis,” Journal of Forensic Sciences.

