In 2017 there were 30 separate active shooter incidents in the United States, the largest number the FBI has ever recorded in a single year. With so many attacks occurring, it can become easy to believe that nothing can stop an active shooter determined to commit violence. “The offender just snapped” and “There’s no way that anyone could have seen this coming” are common reactions that can fuel a collective sense of a “new normal,” one punctuated by a sense of hopelessness and helplessness. Faced with so many tragedies, society routinely wrestles with a fundamental question: can anything be done to prevent attacks on our loved ones, our children, our schools, our churches, concerts, and communities?
There is cause for hope because there is something that can be done. In the weeks and months before an attack, many active shooters engage in behaviors that may signal impending violence. While some of these behaviors are intentionally concealed, others are observable and — if recognized and reported — may lead to a disruption prior to an attack. Unfortunately, well-meaning bystanders (often friends and family members of the active shooter) may struggle to appropriately categorize the observed behavior as malevolent. They may even resist taking action to report for fear of erroneously labeling a friend or family member as a potential killer. Once reported to law enforcement, those in authority may also struggle to decide how best to assess and intervene, particularly if no crime has yet been committed.
By articulating the concrete, observable pre-attack behaviors of many active shooters, the FBI hopes to make these warning signs more visible and easily identifiable. This information is intended to be used not only by law enforcement officials, mental health care practitioners, and threat assessment professionals, but also by parents, friends, teachers, employers and anyone who suspects that a person is moving towards violence.
Key Findings of the Phase II Study
- The 63 active shooters examined in this study did not appear to be uniform in any way such that they could be readily identified prior to attacking based on demographics alone.
- Active shooters take time to plan and prepare for the attack, with 77% of the subjects spending a week or longer planning their attack and 46% spending a week or longer actually preparing (procuring the means) for the attack.
- A majority of active shooters obtained their firearms legally, with only very small percentages obtaining a firearm illegally.
- The FBI could only verify that 25% of active shooters in the study had ever been diagnosed with a mental illness. Of those diagnosed, only three had been diagnosed with a psychotic disorder.
- Active shooters were typically experiencing multiple stressors (an average of 3.6 separate stressors) in the year before they attacked.
- On average, each active shooter displayed 4 to 5 concerning behaviors over time that were observable to others around the shooter. The most frequently occurring concerning behaviors were related to the active shooter’s mental health, problematic interpersonal interactions, and leakage of violent intent.
- For active shooters under age 18, school peers and teachers were more likely to observe concerning behaviors than family members. For active shooters 18 years old and over, spouses/domestic partners were the most likely to observe concerning behaviors.
- When concerning behavior was observed by others, the most common response was to communicate directly to the active shooter (83%) or do nothing (54%). In 41% of the cases the concerning behavior was reported to law enforcement. Therefore, just because concerning behavior was recognized does not necessarily mean that it was reported to law enforcement.
- In those cases where the active shooter’s primary grievance could be identified, the most common grievances were related to an adverse interpersonal or employment action against the shooter (49%).
- In the majority of cases (64%) at least one of the victims was specifically targeted by the active shooter.
This reference aid draws on CTIIC’s experience promoting interagency situational awareness and information sharing during previous significant cyber events—including cyber threats to elections. It provides a guide to cyber threat terms and related terminology issues likely to arise when describing cyber activity. The document includes a range of cyber-specific terms that may be required to accurately convey intelligence on a cyber threat event and terms that have been established by relevant authorities regarding technical infrastructure for conducting elections.
CTIIC will adhere to this terminology guide in future documents related to cyber threats to US elections and recommends use by others in the interest of consistency and clear communication.
Please note that this reference aid is not intended to address terminology related to political or other noncyber aspects of influence or interference involving elections, nor is it intended to be a comprehensive guide to cyber threat terminology.
Describing What’s Happened: Common Terms
The following terms are central to accurately describing cyber threat activity but are often used differently. CTIIC recommends their use be accompanied by definitions and any necessary context for nontechnical readers.
Attack
Indicates that a cyber actor has attempted to degrade, destroy, disrupt, manipulate, or otherwise detrimentally affect the operation of a system or network. However, manipulation or deletion of data solely for the purpose of hiding one’s tracks is not considered an attack. Some reports use “attack” and “exploit” synonymously, drawing in part on the cryptanalysis sense of “attack”—the use of a technical approach to defeat a security measure. The dual usage can cause confusion, especially for nontechnical readers, if the context does not fully explain the type of malicious cyber activity that occurred.
Compromise
Indicates that a victim system has installed malware, connected to a malicious Internet Protocol address, or provided a cyber actor unauthorized access to collect data or execute commands.
Exploit
Indicates that a malicious actor has conducted additional activities on a compromised system, such as collecting data, deploying more malware, or establishing persistent access. Some documents—within both the Intelligence Community (IC) and the private sector—use exploited and compromised synonymously. In practice, however, cyber actors may compromise more accounts and systems than they exploit, in part because of the availability of tools to automate the process of compromising vulnerable systems. Distinguishing whether and how an actor has made use of a compromised system—whenever available intelligence allows—aids in understanding the impact and implications of the malicious cyber activity.
Scan
Scanning a system involves attempting to identify the security vulnerabilities the system may have by sending it specific network traffic and observing its responses. The definition is reasonably specific but can cause confusion—and potentially undue alarm—if it is assumed to include follow-on attempts to exploit any vulnerabilities discovered. Scanning is extremely common on the Internet but may have only a modest success rate, and cyber actors therefore scan far more systems than they actually affect.
Target
A cyber actor’s targeting of a particular victim can refer to any aspect of the actor’s attempts to select a system to conduct operations against, learn about, find vulnerabilities in, gain access to, or conduct other malicious activities against. The term also connotes an attempt at conducting malicious cyber activity, without indicating the degree of success an actor achieved. We recommend greater specificity and clarification of the specific usage whenever available intelligence allows.
Cyber Deterrence
The prevention of cyber action by credibly demonstrating the ability and willingness to deny benefits or impose costs to convince the adversary that restraint will result in better outcomes than will confrontation.
Cyber Defense
A set of processes and measures to detect, monitor, protect, analyze, and defend against network infiltrations. See Cyber Security.
Activities initiated by the threat actor that temporarily negatively alter or prevent the operation of the victim’s network.
Cyber Attack
The manipulation, disruption, denial, degradation, or destruction of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.
Cyber Espionage
The intentional clandestine acquisition of information from targeted networks without altering the information or affecting users’ access.
Cyber Influence
The use of cyber operations to shape the perceptions or behavior of targeted audiences while maintaining plausible deniability.
An umbrella term to describe cyber attack, cyber espionage, cyber influence, or cyber defense, and intrusions or activities with unknown intent.
Cyberspace
A global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
Cyber Security
The protection of information systems against unauthorized access to or modification of information contained therein, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. Also known as network security. See Cyber Defense.
Cyber operations or noncyber actions (intentional or accidental) that compromise the confidentiality, integrity, reliability, or availability of digital devices, systems, networks, or data.
Cyber Threat Intelligence
The collection, processing, analysis, and dissemination of information from all sources of intelligence on foreign actors’ cyber programs, intentions, capabilities, research and development, tactics, operational activities and indicators, and their impact or potential effects on US national security interests. Cyber threat intelligence also includes information on cyber threat actor information systems, infrastructure, and data; and network characterization or insight into the components, structures, use, and vulnerabilities of foreign cyber program information systems.
Awareness of blockchain has soared in recent years with the emergence of cryptocurrencies, but the technology has existed for much longer. The linking of blocks, containing cryptographic functions of transactions and data, means that tampering with their contents becomes increasingly difficult as the chain grows – this concept was exploited for document timestamping applications more than a decade before cryptocurrencies became reality. In many implementations, blocks are confirmed by, and stored at, many nodes in different locations, providing a high degree of data integrity. There are, however, many challenges for applying blockchain technologies in tactical networks, particularly due to the constraints of the platforms, the limited bandwidth available among them, and the impact of network partitioning. In this report, the development and principles of blockchains are presented, along with an overview of their weaknesses and vulnerabilities. There is a huge level of interest in this technology across many sectors, and this is reflected in the breadth of the referenced material. Weaknesses in design and implementation can make blockchains vulnerable to attack, and their interfaces are particularly at risk. A range of possible applications in tactical networks is explored, from supply chain management, to network management and application data immutability. Finally, a simple blockchain architecture for mobile tactical networks is developed, to illustrate the potential and challenges of this technology. Overall, it is clear that blockchain technology provides a potential avenue for solving some problems in the tactical network context, but it is not yet clear whether it is the best such solution.
The key feature of blockchain technology is data integrity in a trustless environment: transaction or data records included on the blockchain are timestamped, cryptographically protected and stored by many distributed nodes, reducing the risk of total loss. For a sufficiently long blockchain, with a large number of nodes, the records can be considered immutable, in the sense that any tampering will be evident. This integrity can be exploited in different ways to enhance the robustness and resilience of tactical networks, and some of these are discussed in Section 5.1.
Smart contracts, described in Section 3.2, also provide opportunities for robust resource management in tactical networks, particularly in complex operational conditions where many users interact in the electromagnetic (EM) spectrum. Possible applications of blockchain to resource management are discussed in Section 5.2.
Tactical environments pose particular challenges for the introduction of blockchain technology, as devices are constrained in size, weight and power, and there are physical limitations on node connectivity. These challenges are considered in Section 5.3.
An example architecture for applying blockchain technology to support tactical operations is described in Section 5.4, taking into account the opportunities and challenges outlined thus far.
In this section, network nodes are considered to be the devices or platforms connected to the blockchain network; these are not (just) the radio interfaces themselves, but may be auxiliary equipment such as biometric devices, weapons or communication platforms.
5.4 Example tactical blockchain architecture
Based on the preceding, we propose an example architecture for a tactical blockchain system. The scenario we consider consists of a unit of dismounted soldiers, each carrying several devices connected on a personal network: a weapon, a radio, a camera, a radio frequency (RF) sensor and a computer (similar to a smart phone), sharing a battery and a memory drive such as a flash card. The soldier is also considered a network component, as they are a source and sink of data, and their identity is confirmed using a networked biometric sensor such as a fingerprint or iris scanner. The other devices may be authenticated using a radio frequency identification (RFID) chip or imaging as described in Section 5.1.4; authentication will only be required if the networked component has been disconnected from the personal network and attempts to rejoin.
We assume that the weapon tracks the ammunition it uses, and records the amount remaining. The camera may be continually recording, but to limit memory usage, only a few seconds before and after the weapon is fired are retained. Command and control (C2) and other messages, either digital voice or data to and from the computer, all passed via the radio, are recorded for post-action analysis. Situational awareness (SA) data, in the form of RF sensor readings, is sampled periodically, transferred via the radio to other soldiers in the unit, and recorded locally. These different sources of data all use the computer’s memory for storage; both the memory and battery usage are tracked.
We use blockchains to provide authentication and identification management for the soldiers and devices engaged in the operation, an auditing function to track cyber SA and C2, resource usage tracking, and a policy management function, which is used to support resource loading decisions across the unit. As noted in Section 5.3.6, the longer the blockchain, the stronger it is, so all these functions use the same blockchain within their cluster (Section 5.4.1).
This is a simplified scenario, intended to give insight into the potential application of blockchain technology in tactical networks. Note that, as discussed in Section 6, the fact that this technology might be used to address these problems does not mean it is the best choice. Note also that the exchange of transactions and blocks among the users is assumed to be secure.
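The tamper evidence the report relies on (records "cryptographically protected" so that "any tampering will be evident") and the mixed-purpose ledger of Section 5.4 (authentication, ammunition, camera clips, RF SA samples, battery and memory usage all on one chain) can be shown with a minimal hash-chained ledger. This is an added example and not code from the report; the block layout, transaction types, device names and field names are assumptions chosen to match the scenario above. It omits the consensus, replication and signing that a real deployment would need, and shows only the chaining property: altering one stored record breaks verification at that block, and repairing that block's own hash only moves the break to the next block.

```python
"""Minimal hash-chained ledger for the Section 5.4 scenario (added example;
block format, transaction types and field names are assumptions)."""
import hashlib
import json
import time
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    timestamp: float
    transactions: list   # list of dicts, e.g. {"type": "ammo", "rounds_remaining": 180}
    prev_hash: str       # stored hash of the preceding block
    hash: str = ""       # stored hash of this block, filled in on creation

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys) so key order cannot change the digest;
        # the digest covers every field except the stored hash itself.
        payload = {"index": self.index, "timestamp": self.timestamp,
                   "transactions": self.transactions, "prev_hash": self.prev_hash}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class Ledger:
    def __init__(self):
        genesis = Block(0, 0.0, [], "0" * 64)
        genesis.hash = genesis.compute_hash()
        self.chain = [genesis]

    def add_block(self, transactions, timestamp=None):
        prev = self.chain[-1]
        ts = time.time() if timestamp is None else timestamp
        blk = Block(prev.index + 1, ts, transactions, prev.hash)
        blk.hash = blk.compute_hash()
        self.chain.append(blk)
        return blk

    def verify(self):
        """Return (ok, index_of_first_bad_block). A block is bad if its stored
        hash no longer matches its contents or it no longer points at the
        stored hash of the block before it."""
        for i, blk in enumerate(self.chain):
            if blk.hash != blk.compute_hash():
                return False, i
            if i > 0 and blk.prev_hash != self.chain[i - 1].hash:
                return False, i
        return True, None


def build_demo_ledger():
    """Constructed sample records for one soldier's personal network."""
    led = Ledger()
    led.add_block([{"type": "auth", "device": "biometric-1", "soldier": "S07", "ok": True}], 1000.0)
    led.add_block([{"type": "ammo", "weapon": "W07", "rounds_remaining": 180},
                   {"type": "camera", "clip": "clip-0001", "bytes": 4_200_000}], 1001.0)
    led.add_block([{"type": "rf_sa", "sensor": "RF07", "band_mhz": 2400, "power_dbm": -61},
                   {"type": "resource", "battery_pct": 84, "memory_used_mb": 412}], 1002.0)
    return led


def tamper_and_verify():
    """Alter a stored ammunition record and show how verification reacts."""
    led = build_demo_ledger()
    ok_before, _ = led.verify()
    # Someone with write access to this node's copy edits block 2's record...
    led.chain[2].transactions[0]["rounds_remaining"] = 210
    ok_after, bad = led.verify()          # block 2 no longer matches its hash
    # ...and recomputing block 2's hash does not help: block 3 committed to
    # the old hash, so the break simply moves one block along.
    led.chain[2].hash = led.chain[2].compute_hash()
    ok_fixed, bad_fixed = led.verify()
    return ok_before, ok_after, bad, ok_fixed, bad_fixed


if __name__ == "__main__":
    print(tamper_and_verify())  # (True, False, 2, False, 3)
```

To pass verification after a change, an attacker must rewrite every block from the altered one to the tip, on every node that holds a copy; that is the sense in which the report says a longer chain with more nodes is stronger. What the chain does not do is decide which of several diverging copies is the right one, which is why the report still needs the cluster consensus rules of Section 5.4.1.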
In March 2018, an identified financial services corporation received a thumb drive infected with the bank credential-stealing Qakbot malware variant, targeting information from networked computers and financial institution web sites. The financial services corporation purchased bulk thumb drives from a US online retailer of computer hardware. The thumb drives were originally manufactured in China. According to FBI forensic analysis, the Qakbot malware was on the infected thumb drive before the drive arrived in the United States. Qakbot is extremely persistent and requires removal of all malware from every device. Failure to remove even one node of malware may result in re-infecting previously sanitized systems possibly costing the victim hundreds of thousands of dollars in malware removal and system downtime.
Qakbot is an information-stealing worm—originally discovered in 2007, with a major update in 2017—that propagates through removable drives, network shares, and Web pages. The most common vector of intrusion for Qakbot is malicious attachments to phishing emails. Once executed, Qakbot spreads to other shared folders and uses the Server Message Block (SMB) protocol to infect other machines. Qakbot has keylogging capabilities and is able to propagate across a network environment from a single infected host. It persists on a device through registry keys and by scheduling recurring tasks to run at timed intervals. Every device connected to the network, and every piece of removable media that has been attached, needs to be scanned for the malware and cleaned of the infection before it can be reconnected. The most recent updates in 2017 allow Qakbot to lock users out of their Active Directory accounts, preventing them from being able to work. It also deploys malicious executables into network shares, registering them as services.
Cyber actors have the capability to infect devices with malware at nearly any point in the manufacturing process. The FBI has historically seen cases of infection with malware capable of stealing credentials, gathering data on the users of a computer or network, dropping other types of malware, and serving as a “backdoor” into a secure network. It is difficult to know at which point the malware infection occurred or whether the infection was intentional, due to the international nature of hardware manufacturing.
To mitigate the threat of a potentially infected thumb drive, the following measures should be taken at a minimum:
- Ensure the use of approved, trusted vendors for hardware purchases.
- Scan all hardware, especially removable storage media, on an isolated external system prior to its insertion into a network environment.
- For signature-based intrusion detection systems, ensure that the hash values for known Qakbot variants are included. The MD5 value for the variant identified in this PIN was ff0e3ec80faafd04c9a8b375be77c6b6. This hash value can change with each new build of the malware, so be prepared to use other, more advanced detection methods as well.
- Users should protect themselves and their organizations by practicing good browsing habits, not responding to or clicking on unsolicited email, and not plugging unknown USB devices into
- If you don’t have the expertise to properly handle or identify potential cyber threats, please seek out an expert who can provide the expertise needed to secure your organization.
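The second and third measures above, scanning removable media on a separate system and matching file hashes against known Qakbot variants, can be combined in a small triage script run on the isolated scanning host. The following is an added example and not part of the PIN. Only the MD5 ff0e3ec80faafd04c9a8b375be77c6b6 comes from the PIN; the mock thumb drive, its file names and the second blocklisted hash are constructed so that the demonstration has something to find. It also shows the caveat the PIN raises: a copy of the same binary that differs by a single byte produces a different MD5 and sails past a pure hash blocklist.

```python
"""Hash-based triage of a removable drive on an isolated scanning host
(added example; the drive contents and SAMPLE_BYTES are constructed)."""
import hashlib
import os
import tempfile

PIN_QAKBOT_MD5 = "ff0e3ec80faafd04c9a8b375be77c6b6"   # the hash given in the PIN
# Constructed stand-in for a second blocklisted sample; not real malware.
SAMPLE_BYTES = b"MZ\x90\x00constructed-qakbot-stand-in-not-real-malware"
SAMPLE_MD5 = hashlib.md5(SAMPLE_BYTES).hexdigest()
KNOWN_BAD_MD5 = {PIN_QAKBOT_MD5, SAMPLE_MD5}


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large media do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_drive(mount_point, known_bad=KNOWN_BAD_MD5):
    """Walk every regular file under the mount point, hidden system folders
    included, and return sorted (relative_path, md5) pairs for blocklist hits."""
    hits = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):      # do not follow links off the media
                continue
            digest = md5_of_file(path)
            if digest in known_bad:
                hits.append((os.path.relpath(path, mount_point), digest))
    return sorted(hits)


def build_demo_drive():
    """Constructed mock thumb drive: a benign document, a blocklisted binary
    hidden in a system folder, and a one-byte variant of that binary."""
    drive = tempfile.mkdtemp(prefix="usb-")
    hidden = os.path.join(drive, "System Volume Information")
    os.makedirs(hidden)
    with open(os.path.join(drive, "invoice.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed benign document")
    with open(os.path.join(hidden, "update.exe"), "wb") as f:
        f.write(SAMPLE_BYTES)
    with open(os.path.join(drive, "setup.exe"), "wb") as f:
        f.write(SAMPLE_BYTES[:-1] + b"!")   # same family, one byte changed
    return drive


def demo():
    """Return the base names of files flagged on the mock drive."""
    drive = build_demo_drive()
    return sorted(os.path.basename(rel) for rel, _digest in scan_drive(drive))


if __name__ == "__main__":
    # update.exe is flagged; setup.exe, the one-byte variant, is not.
    print(demo())
```

Run it on the isolated scanning host against the drive's mount point, not on a production workstation. The miss on setup.exe is the point of the PIN's warning that "this hash value can change": a hash blocklist catches only the exact build it was written for, so it belongs alongside behavioural detection (the registry run keys, scheduled tasks and service registrations on network shares described above), not in place of it.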