The main threats are terrorism and espionage, including cyber.




Environmental Activists v Power Station

In 2012, activists occupied two 300ft chimneys at a newly -constructed power station. At the time of the protest, the power station was in its commissioning phase and due to become operational later in the year.

The tools we have are people who care, and we are prepared to do something really really horrible

We planned the actions for about 3 to 4 months

Cost of Delay in £


  • Hostile – Environmental activists.
  • Target – A newly constructed gas-fired power station.
  • Method – Occupation
  • Impact – Delays in finishing the site cost £5m. The owners of the power station sought compensation but dropped the lawsuit following a petition in support of the activists. The protest cost the local police £200.000.
  • Use of Reconnaissance – The resulting court case revealed that the group planned assiduously. No Dash for Gas subsequently released a document on YouTube showing how they made use of the online reconnaissance, overhead imagery analysis, and covert on-site recces.


Anders Breivik v Norwegian Society

On 22nd of July 2011, Anders Breivik detonated a bomb outside a government building in Oslo before launching a firearms attack on a Labour Party camp on the island of Utoya.

People Killed


Reconnaissance Visits


  • Hostile – Anders Breivik, anti-Islam domestic extremist.
  • Target – Promoters of multiculturalism in Norwegian society.
  • Aim – Bring attention to his “cause”. Punish people he deemed responsible for multiculturalism.
  • Method – Car bomb and firearms attack.
  • Use of Reconnaissance – Extensive online research alongside 8 reconnaissance visits.


  • Fear of detection strongly hindered his reconnaissance efforts. He over estimated capacity of security forces to track and tackle him.
  • Discounted some targets because of a lack of knowledge on how to gain access.


Al Qaida v London Underground

At 08:50 on 7 July, 2005, British-born members of Al Qaida detonated 3 bombs on London Underground trains. An hour later, a fourth bomb exploded on a bus travelling through Tavistock square. London’s transportation system was one of three potential targets identified by Al Qaida operatives.




  • Hostile – Al Qaida
  • Target – London Underground
  • Aim – Inflict mass casualties to highlight their cause of creating an Islamic Caliphate and weakening Western culture.
  • Method – Suicide bombings on busy underground trains.
  • Use of Reconnaissance – Al Qaida operatives proposed three potential targets: the Bank of England, the G8 Summit in Scotland, and the London underground. Following hostile research, two potential targets were discounted. As the group were based outside London at times, it is also likely initial information gathering came from open source, online content.


Cyber Spies v Security Company

According to 2014 cyber attack statistics, Cyber Crime ranked at number one with 62.3%, followed by Hacktivism at 24.9%, Cyber Espionage coming in third at 10.2% and lastly Cyber Warfare at 2.5%.

In 2012, the CEO of a company producing security procedures became the victim of a spear-phishing attack conducted by a hostile state.





  • Hostile – State-sponsored hackers.
  • Target – Company producing security-related products.
  • Method – Social engineering plus hacking. Attackers researched the CEO. They used the information they discovered to write an email purporting to be from the school attended by the CEO’s children. When the CEO opened the PDF attachment to the email, it covertly installed malware giving the hostiles access to the company’s network.
  • Impact – Huge amounts of IP and technical product data stolen. Significant damage to the company’s share price, reputation, investment and future sales.
  • Use of Reconnaissance – Hackers working for the hostile state conducted online reconnaissance against the CEO and his company. They used the company’s website, and the CEO’s LinkedIn and Facebook accounts.


Fraud Ring v Global Financial Institutions


of large organisations experienced at least one cyber-security breach in the past year.

In June 2012, evidence emerged that a sophisticated fraud ring had manipulated electronic banking systems, siphoning funds from more than 60 financial institutions across Europe and America. The attack originated form a web server in a location with strong links to organised crime.



A money mule or sometimes referred to as a “smurfer” is a person who transfers money acquired illegally (e.g., stolen) in person, through a courier service, or electronically, on behalf of others.



  • Hostile – International Fraud Ring.
  • Target – Financial institutions across Europe, the United States and Latin America.
  • Aim – Steal money from the accounts of high net worth individuals.
  • Method – Spear phishing tactics to install malware. The attack allowed chip and pin authentication to be bypassed, and money to be transferred into “mule” accounts.
  • Impact – Between 51 Million and 1.7 Billion has been siphoned into mule accounts.
  • Use of Reconnaissance – Precise details of the attack are still being put together. But the fact that high net worth individuals were targeted and the complexity of the manipulating the online banking system strongly suggests online reconnaissance was employed.








Despite having very different objectives, hostiles are united by their approach to planning. They go through three stages:

1. Target Identification

From a list of potential targets (buildings, individuals, processes, organizations, events), one is chosen through reconnaissance – both online and at the physical location.

2. Detailed Planning

Online reconnaissance and recces of the physical location are used to confirm if an attack is viable. Necessary resources are identified and obtained at this time.

3. Confirmation

The moment of attack is preceded by some form of final confirmation (online and at the location) that everything is as expected. If it is not, a hostile may call off or abandon the attack.


  1. Target Identification
  2. Detailed Planning
  3. Confirmation

Online reconnaissance is key to a hostile’s planning right up to an attack taking place. Any indications that security is robust and hard to predict will therefore act as a deterrent throughout the whole process.




Hostile – Jane, 24, Activist

Location – Domestic Kitchen, Croydon

Aim – Gain access to a high-profile location and cause maximum disruption.


*Click on the images in the tabs below to enlarge.

Jane logs on to a remote IP address to hide her location.


At the potential target’s website, she looks at their photos, films, and floor-plans to identify entry points and possible problems.

tower-3On their events page she learns about public access to the building.







She also sees what the building’s security contractor reveals.

Jane’s notes #1:


  • 6 Guards on duty, bag scanners, metal detectors

She checks nearby transport link, and conducts a virtual recce of the perimeter.

tower reece1Tower reece2


Jane’s Notes #2:

  • Revolving doors = slow entry.  Use south entrance.
  • In view of CCTV.  Wear office clothes to blend in.
  • Well positioned cafe for physical reconnaissance.

She consults public reporting sites for additional information.







Further web searching throws up unexpected descriptions of the target’s security measures.








  • Approx. 10 minutes before police arrive.

Further web searching throws up unexpected descriptions of the target’s security measures.  In this case, a travel wiki.





Audio Text

While the objectives and methods of hostiles vary greatly. they have two important things in common:

  • They use online reconnaissance
  • They have a fear of failure

So what should be your aim? You should reinforce the idea, through your online communications, that if a hostile chooses your organization as the place to attack they will almost certainly fail.

There are lots of ways to do it. You can withhold information the hostile needs to finalise a plan. You can put doubt in their mind through positive stories about your scrutiny in the press. You can play on their paranoia that people are watching them by emphasising how you monitor website visitors.

But what’s most effective is the combination of these techniques – what we call ‘layering’. Spread your deterrence message across your online communications and it will feel to the hostile like they’re being confronted at every turn.


  • The threats to the UK’s national infrastructure and businesses are varied.
  • Hostile planning involves target identification, detailed planning and confirmation before an attack.
  • Online reconnaissance is used throughout the planning.
  • Intelligent communications (e.g. layering security messages) by your organisation can make a hostile think they will be unsuccessful if they are planning to attack you.