有料盒子APP

DISARM is an open-source, threat-informed, and community-driven tool based on ATT&CK. Because of its widespread adoption and detailed frameworks (Red for offense and Blue for defense), we have chosen to use DISARM as our model for counter-disinformation operations.

DISARM Red, which was developed first, describes 鈥渁ll the things that an incident creator will need to do to create, run, and assess the effectiveness of a disinformation incident.鈥� DISARM Blue seeks to provide a toolkit of detection tactics and countermeasures.

DISARM Red is broken down into four phases: Plan, Prepare, Execute, and Assess. Under each of the four are a number of tactics which a threat actor will implement. Phases are further broken down into tactics, then techniques, and finally tasks. Like ATT&CK, DISARM鈥檚 grid is to show tactic stages left to right sequentially, so 鈥渢he further left that a tactic is ... the earlier that it鈥檚 likely to be met by an incident creator.鈥�

DISARM Blue听articulates procedures to detect and counter specific tactics in the Red framework. By its own description, DISARM is a work in progress, with much left to do. Yet to be assessed are which detections and counters are most effective against which tactics or in defense of which target audiences. This is an area where cognitive modeling may have a significant impact, which we plan to address in the future. While Red is a thorough outline of the phases and TTPs of a disinformation campaign, Blue remains relatively unstructured, more of a toolbox for defenders.听

What counter-disinformation frameworks have lacked thus far is an actionable model for implementing continuous operations. Instead of looking to cybersecurity kill chains, we propose using a threat-hunting model to detect and defeat disinformation campaigns.

Continuous operations have been modeled in other realms, perhaps most famously in U.S. Air Force Col. John Boyd鈥檚 OODA (Observe-Orient-Decide-Act) loop. Others, such as the intelligence cycle (intelligence requirements, planning and direction, collection, processing, analysis and production, and dissemination), are designed to build upon one another; the outcome of one intelligence cycle feeds the next. The terrorist attack cycle brings us closer to the more fluid model that countering disinformation requires. It begins with target selection, then moves to surveillance, planning, rehearsal, and execution before escape and exploitation. This not only most closely mirrors the order of a disinformation campaign, but much like disinformation, the steps do not have to be taken in order. The threat actor can step back and reevaluate, skip steps to expedite, and/or spin off other campaigns at various points.

At 有料盒子APP, we have found success using the threat-hunting model to detect active threats in the cyber domain. Based on DISARM Red鈥檚 phases (Plan, Prepare, Execute, and Assess), we seek to apply a threat-hunting methodology in the following corollary phases: Hypothesis, Collection and Analysis, Trigger, Investigation and Response, and Follow Up:

• In the Hypothesis phase, based on the contemporary understanding of the threat landscape, the counter-disinformation operator conducts target audience analysis and postulates potential adversarial courses of action.
• This is followed by the Collection and Analysis phase, in which information is gathered and assessed to support or refute the proposed hypotheses. A clear difference here between traditional cyber threat hunting and disinformation threat hunting is the former is focused on the internal networks of the organization involved. Still, the latter is not just inward looking but also looks outward to the global information environment, including cyberspace, social media, and beyond.
• These first two phases should be continuous until phase three, the Trigger. This is when the execution of a disinformation campaign is detected, and the counter-team swings into action.
• What gets triggered is the start of phase four, the Investigation and Response. The investigation is ideally expedited and informed by the first two phases. The key in this phase is a rapid response; not only to the disinformation itself but also sources, methods, and goals must be attributed to the threat actor as quickly as possible to identify and deploy counternarratives before the false one can take hold.
• Finally, the loop closes with the Follow Up phase, where lessons learned, TTPs identified, and damage assessed inform the next round of hypotheses. Much like disinformation itself, this cycle is constant, fluid, and self-reinforcing.

The DISARM framework, given its current traction and detailed attacker and defender tactics, techniques, detections, and counters, serves as a practical playbook for the Disinformation Threat Hunt model, and its basis in the familiar MITRE ATT&CK framework enables the most rapid and effective widespread adoption. Disinformation Threat Hunt also aligns with U.S. Cyber Command鈥檚 2018 vision of 鈥�,鈥� which acknowledges that, like information, cyberspace is 鈥渁 fluid environment of constant contact and shifting terrain,鈥� and therefore, our defenses must be aligned accordingly.

A framework to counter mis-, dis-, and malinformation (MDM) can only be as effective as an operator鈥檚 ability to implement it. The model must be fluid, cyclical, and persistent, just like the threats we seek to counter. We hope security teams will gain value from this new approach.