In a world of continuous information operations where adversaries aren’t bound by convention, organizations need a better way to detect and defeat disinformation campaigns. High-level disinformation “kill chains” hark back to a cyber model from a dozen years ago: They aren’t designed for proactive threat hunting. Cyber threat-hunting teams, meanwhile, rely on the newer, more nuanced MITRE ATT&CK Framework to characterize cyberattack tactics, techniques, and procedures (TTPs): Now, the cognitive security community has an opportunity to follow suit by adopting a threat-hunting model informed by the DISARM Framework.
DISARM is a widely accepted tool for fighting disinformation. The European Union and the United States recently adopted DISARM as a “common standard for exchanging structured threat information” on foreign information manipulation and interference (FIMI). Furthermore, DISARM is based on ATT&CK, so it similarly catalogs adversarial TTPs. DISARM is detailed enough to support proactive threat hunting against distinct disinformation campaigns with defined goals that are key elements of persistent and constantly evolving disinformation operations.
We’ve assembled this primer to introduce security practitioners to our proposed new method of using threat hunting informed by DISARM to detect and defeat disinformation campaigns. The FAQ format is designed to make the primer accessible to a wide range of practitioners with varying knowledge levels.