有料盒子APP

Security teams looking to understand and characterize malign influence operations must pick from a range of different models aiming to do for disinformation what Lockheed Martin鈥檚 Cyber Kill Chain and MITRE鈥檚 ATT&CK Framework have done for cyber threats. Some tools feature 鈥渒ill chain鈥� in their names, and one looks especially like ATT&CK: DISARM has a grid that catalogs adversarial tactics, techniques, and procedures (TTPs) for disinformation campaigns. How do all these tools compare?

These competing models鈥� differences, similarities, pros, and cons are not always intuitive, especially when the names sound similar. We鈥檝e assembled this primer to help cybersecurity and cognitive security professionals build a shared awareness of these tools, including the advantages and disadvantages of specific models when countering tomorrow鈥檚 threats. It鈥檚 in the form of an FAQ, so you can start up top if you鈥檙e brand new to kill chains or jump in where appropriate based on your existing knowledge.

In any armed conflict, anticipating an opponent鈥檚 next move is crucial to effective counteraction. This principle led military thinkers to develop the 鈥溾�� concept for traditional warfare, a step-by-step attack process to identify the target, dispatch forces, launch an attack, and ultimately eliminate the target. This approach can detect and preempt aggressor actions through kinetic means. Also, it provides a common language for describing, strategizing against, and countering military threats. The cybersecurity community has long repurposed this idea.

introduced its Cyber Kill Chain framework in 2011 to allow defenders to track adversarial TTPs and to help them detect and thwart attacks at any point during the kill chain. The framework describes the process of a cyberattack in seven ordered steps: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives. An 鈥渋ntruder succeeds if, and only if, they can proceed through steps 1-6 and reach the final stage,鈥� Lockheed . This framework is still widely used, but lately, it鈥檚 been overshadowed by ATT&CK, which is not strictly linear and includes additional elements to express the nuances of a campaign.听

is the leading framework for characterizing cyberattacks. It was created in 2013 and first released in 2015. ATT&CK is updated biannually. In some ways, it resembles the Cyber Kill Chain but with greater nuance. Also, although the Cyber Kill Chain uses ordered phases to describe high-level adversary objectives, MITRE says ATT&CK tactics 鈥渁re unordered and may not all occur in a single intrusion because adversary tactical goals change throughout an operation.鈥� The unordered tactics are Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control (C2), Exfiltration, and Impact. Over the years, MITRE has expanded ATT&CK beyond enterprise networks to include mobile architecture, cloud, and industrial control systems (ICS).听

ATT&CK includes techniques such as and does not include nuance that would let an analyst map state-sponsored cyber-influence attacks designed to interfere with elections or social media threats intended to incite and . So various groups have sought to create frameworks depicting the elements of cyber-enabled influence campaigns. For now, there isn鈥檛 one leading framework for these threats with broad adoption on the scale of ATT&CK. But below, we鈥檒l discuss five frameworks to consider: They deal in varying degrees with cognitive threats.听

The framework combines elements from the Cyber Kill Chain and ATT&CK while adding a social engineering tactic. The framework describes cyberattacks in 18 tactical phases: Reconnaissance, Resource Development, Delivery, Social Engineering, Exploitation, Persistence, Defense Evasion, Command & Control, Pivoting, Discovery, Privilege Escalation, Execution, Credential Access, Lateral Movement, Collection, Exfiltration, Impact, and Objectives. (Like ATT&CK, this approach doesn鈥檛 require the tactics to be in this order.) The next model listed, the Online Operations Kill Chain, also integrates influence elements into a cyber framework鈥攂ut more broadly, beyond just social engineering.

A team at Meta created the Online Operations Kill Chain framework to address the lack of standard taxonomies for information operations and cybersecurity operations. Defenders need a common language that bridges these areas because attackers can use both kinds of threats (e.g., in social engineering in the supply chain). The Online Operations Kill Chain is designed to be platform agnostic and applied to cyberattacks, influence operations, online fraud, human trafficking, and terrorist recruitment, with a particular focus on the elements meant to influence humans.

This model has 10 phases: Acquiring Assets, Disguising Assets, Gathering Information, Coordinating and Planning, Testing Platforms and Defenses, Evading Detection, Indiscriminate Engagement, Targeted Engagement, Compromising Assets, and Enabling Longevity. (Like ATT&CK, the model is described as modular because not every operator goes through every phase.)

Compared to the Unified Kill Chain, we believe this model provides a more integrated view of cyber threats and cyber-enabled influence threats. Also, it incorporates more influence elements. However, one of its weaknesses is dealing with campaigns where the leading actors don鈥檛 hide their identities but rather aim to be influencers鈥攆or example, the main 12 Covid-19 disinformation spreaders (鈥溾��). This weakness could be remedied in future updates.听

Some frameworks take a more qualitative approach to describing cyber-enabled influence threats: One example is Clint Watts鈥� . This model focuses on operators that Clint calls 鈥渁dvanced persistent manipulators鈥� (APMs). Like other advanced persistent threats (APTs), APMs are well-funded, highly skilled threat actors aiming to exploit vulnerabilities in public discourse and deceptively manipulate human cognition on online social media platforms. To achieve such objectives, APMs exploit vulnerabilities in public discourse and manipulate human cognition via deception.

This model includes seven phases: Staging (i.e., creating realistic personas), Reconnaissance, Targeting (in this case, finding the 鈥溾��), Mimicry, Content Placement, Amplification, and Mobilization (i.e., getting people to engage in specific 鈥渙ffline鈥� actions and behaviors). (Watts notes that APMs are less likely than hackers to work through a kill chain in sequence: 鈥淎PMs instead function as more of an assembly line, delivering layered, integrated activities to alter audience perceptions via one of two distinct models.鈥�)

The limitations of this kill chain are that it was explicitly made to describe and disrupt social media actions for APMs (not necessarily smaller actors), and it鈥檚 less quantifiable than other kill chains listed in this primer. But it鈥檚 one of the few kill chains for cyber-enabled influence threats that focuses on the adversarial end goal of getting people who are engaging with the campaign online to start engaging in 鈥渙ffline鈥� activities: This is important because the leading to mobilization is the real threat of cyber influence operations.

The is another more qualitative kill chain: It's based on 鈥渢he seven commandments鈥� that the Soviet Union traditionally used in disinformation campaigns. There are eight phases: Find the Cracks (i.e., the open debates with heated disagreements), Seed Distortion, Wrap the Narratives in Kernels of Truth, Build Audiences (this one is added from the original seven commandments), Conceal your hands, Cultivate Useful Idiots, Deny Everything, and Play the Long Game. (As with some other models, this model doesn鈥檛 require phases to always appear in one order.)

This framework has the same weaknesses as the Social Media Kill Chain. That said, the Information Operations Kill Chain stands out for acknowledging that disrupting one campaign in a long-term operation is only one step, and the entire operation would need to be disrupted in multiple parts of the kill chain to stop the overall threat, and this could take multiple human generations to accomplish.

The 鈥攚hich we previously highlighted here鈥攊s the most widely adopted framework for countering disinformation. It has supported operations for the European Union, the U.N., and NATO. What's more, the EU and the United States DISARM as part of a 鈥渃ommon standard on exchanging structured threat information鈥� on foreign information manipulation and interference (FIMI).

The DISARM framework was launched in 2019 based on ATT&CK and its use of the 鈥淪tructured Threat Information eXpression鈥� (STIX) grid style presentation to different phases and tactics. DISARM is broken down into two categories for Offense (Red) and Defense (Blue). Red was created first as a kill chain for disinformation capabilities. Next, Blue was created for countermeasures to such attacks. (Like ATT&CK, DISARM鈥檚 grid is to show tactic stages left to right sequentially, so 鈥渢he further left that a tactic is 鈥� the earlier that it鈥檚 likely to be met by an incident creator.鈥�)

Below is a simple list of DISARM Red鈥檚 top-level categories.听

Compared to other frameworks that address cyber-enabled influence operations, DISARM includes much greater detail on tactics. For instance, the entry includes different tactics, different counters to tactics, and different detection mechanisms. This is not to say that every entry gives the same level of detail鈥攎any are blank when clicking through, like this example for 鈥溾�� under TA07 Select Channels and Affordances鈥攂ut like ATT&CK, DISARM is intended to be updated as new techniques are discovered.

We hope this overview helps cybersecurity and cognitive security professionals build a shared understanding of these models and emerging threats. As the Online Operations Kill Chain authors have astutely pointed out, modern campaigns seamlessly weave between both categories. Not bringing the groups together leaves defenders who subscribe to only one of the categories at a significant disadvantage.

What鈥檚 more, although DISARM stands apart from the other frameworks evaluated, the weaknesses in different models are not necessarily disqualifiers: All the models discussed in this primer have the potential to be updated to be more inclusive.听