Perspectives

Beyond the Kill Chain - Hunting Disinformation Threats

man hunting disinformation

Introducing a threat-hunting model informed by DISARM

In a world of continuous information operations where adversaries aren’t bound by convention, organizations need a better way to detect and defeat disinformation campaigns. High-level disinformation “kill chains” hark back to a cyber model from a dozen years ago: They aren’t designed for proactive threat hunting. Cyber threat-hunting teams, meanwhile, rely on the newer, more nuanced MITRE ATT&CK Framework to characterize cyberattack tactics, techniques, and procedures (TTPs): Now, the cognitive security community has an opportunity to follow suit by adopting a threat-hunting model informed by the DISARM Framework.

DISARM is a widely accepted tool for fighting disinformation. The European Union and the United States recently adopted DISARM as a “common standard for exchanging structured threat information” on foreign information manipulation and interference (FIMI). Furthermore, DISARM is based on ATT&CK, so it similarly catalogs adversarial TTPs. DISARM is detailed enough to support proactive threat hunting against distinct disinformation campaigns with defined goals that are key elements of persistent and constantly evolving disinformation operations.

We’ve assembled this primer to introduce security practitioners to our proposed new method of using threat hunting informed by DISARM to detect and defeat disinformation campaigns. The FAQ format is designed to make the primer accessible to a wide range of practitioners with varying knowledge levels.

Are all disinformation models created equal?

No. In developing new models with different goals in mind, disinformation researchers and counter-disinformation operators have made design choices, including a series of trade-offs:

  • Aiming for quantitative rigor (i.e., MITRE ATT&CK) versus being qualitative rules of thumb
  • Targeting specific use cases (e.g., social media) versus being more platform agnostic
  • Trying to integrate the cyber and influence elements into a single framework versus keeping them separate

What are general problems with disinformation kill chains?

One problem is a “kill chain” model can perpetuate the idea that adversarial actions are linear. From the vantage point of victims or third-party observers, however, information operations typically don’t have defined beginnings and endings, and they’re distinctly non-linear: These operations adapt, evolve, build upon their own and others’ successes, and can even pick up the proverbial pieces of a failed campaign to construct a new one later.

Another problem is that kill chains aren’t designed to counter disinformation operations, which comprise multiple campaigns and, by their nature, apply many different TTPs to achieve interlocking and mutually supporting aims that in and of themselves may have different goals. Unlike operations in general, you can put an end to a campaign—if you move fast enough. Countering a campaign depends on identifying and attributing it as quickly as possible because false or misleading narratives rapidly become more and more difficult to dislodge. Kill chains tend to be more reactive than proactive, sacrificing critical time. As an alternative, we propose an aggressive threat-hunting model that can reclaim some of that time to enable the counter-disinformation operator to get inside the adversary’s information operation loop. This is why we propose the approach described below, informed by DISARM.

What are some drawbacks of particular kill chains?

Clint Watts’ Social Media Kill Chain recognizes the ongoing nature of disinformation as opposed to discrete disinformation incidents. Its main drawback is that it is narrowly focused on social media, which is only one of multiple disinformation vectors. This model focuses on advanced persistent manipulators (APMs), well-funded, highly skilled threat actors aiming to exploit vulnerabilities in public discourse and deceptively manipulate human cognition on social media platforms.

Bruce Schneier’s Information Operations Kill Chain takes a more expansive view, acknowledging that cybersecurity frameworks won’t map neatly onto counter-disinformation efforts. However, Schneier stops short of proposing concrete steps to detect and disrupt campaigns beyond basic ideas like ensuring common political knowledge and improving media literacy.

Meta’s Online Operations Kill Chain addresses “two key gaps” in counter-disinformation frameworks: the lack of a shared taxonomy and the specific nature of most frameworks to a particular type of campaign. But this model has two key gaps of its own:

  • It is “not designed to track activity that can only be hypothesized, such as an operation’s strategic goal.”
  • It’s only designed for tactical analysis of online operations: “It is not designed to analyze larger phenomena, such as organic social movements, or measure very large-scale vulnerabilities, such as the overall health of a body politic.”

This framework forfeits the advantages of informed prediction by ignoring the strategic goals and more significant phenomena.

What are the advantages of DISARM?

DISARM is an open-source, threat-informed, and community-driven tool based on ATT&CK. Because of its widespread adoption and detailed frameworks (Red for offense and Blue for defense), we have chosen to use DISARM as our model for counter-disinformation operations.

DISARM Red, which was developed first, describes “all the things that an incident creator will need to do to create, run, and assess the effectiveness of a disinformation incident.” DISARM Blue seeks to provide a toolkit of detection tactics and countermeasures.

DISARM Red is broken down into four phases: Plan, Prepare, Execute, and Assess. Under each of the four are a number of tactics which a threat actor will implement. Phases are further broken down into tactics, then techniques, and finally tasks. Like ATT&CK, DISARM’s grid is designed to show tactic stages left to right sequentially, so “the further left that a tactic is ... the earlier that it’s likely to be met by an incident creator.”

Phase One: Plan
  1. Plan Strategy
  2. Plan Objectives
  3. Target Audience Analysis
Phase Two: Prepare
  1.  Develop Narratives
  2.  Develop Content
  3. Establish Social Assets
  4. Establish Legitimacy
  5. Microtarget
  6. Select Channels and Affordances
Phase Three: Execute
  1. Conduct Pump Priming
  2. Deliver Content
  3. Maximize Exposure
  4. Drive Online Harms
  5. Drive Offline Activity
  6. Persist in the Information Environment
Phase Four: Assess
  1. Assess Effectiveness

DISARM Blue articulates procedures to detect and counter specific tactics in the Red framework. By its own description, DISARM is a work in progress, with much left to do. Yet to be assessed are which detections and counters are most effective against which tactics or in defense of which target audiences. This is an area where cognitive modeling may have a significant impact, which we plan to address in the future. While Red is a thorough outline of the phases and TTPs of a disinformation campaign, Blue remains relatively unstructured, more of a toolbox for defenders. 

How can a threat-hunting model and DISARM be combined to counter disinformation?

What counter-disinformation frameworks have lacked thus far is an actionable model for implementing continuous operations. Instead of looking to cybersecurity kill chains, we propose using a threat-hunting model to detect and defeat disinformation campaigns.

Continuous operations have been modeled in other realms, perhaps most famously in U.S. Air Force Col. John Boyd’s OODA (Observe-Orient-Decide-Act) loop. Others, such as the intelligence cycle (intelligence requirements, planning and direction, collection, processing, analysis and production, and dissemination), are designed to build upon one another; the outcome of one intelligence cycle feeds the next. The terrorist attack cycle brings us closer to the more fluid model that countering disinformation requires. It begins with target selection, then moves to surveillance, planning, rehearsal, and execution before escape and exploitation. This not only most closely mirrors the order of a disinformation campaign, but much like disinformation, the steps do not have to be taken in order. The threat actor can step back and reevaluate, skip steps to expedite, and/or spin off other campaigns at various points.

So then what does the counter-disinformation cycle look like?

At Booz Allen, we have found success using the threat-hunting model to detect active threats in the cyber domain. Based on DISARM Red’s phases (Plan, Prepare, Execute, and Assess), we seek to apply a threat-hunting methodology in the following corollary phases: Hypothesis, Collection and Analysis, Trigger, Investigation and Response, and Follow Up:

  • In the Hypothesis phase, based on the contemporary understanding of the threat landscape, the counter-disinformation operator conducts target audience analysis and postulates potential adversarial courses of action.
  • This is followed by the Collection and Analysis phase, in which information is gathered and assessed to support or refute the proposed hypotheses. A clear difference here between traditional cyber threat hunting and disinformation threat hunting is the former is focused on the internal networks of the organization involved. Still, the latter is not just inward looking but also looks outward to the global information environment, including cyberspace, social media, and beyond.
  • These first two phases should be continuous until phase three, the Trigger. This is when the execution of a disinformation campaign is detected, and the counter-team swings into action.
  • What gets triggered is the start of phase four, the Investigation and Response. The investigation is ideally expedited and informed by the first two phases. The key in this phase is a rapid response; not only to the disinformation itself but also sources, methods, and goals must be attributed to the threat actor as quickly as possible to identify and deploy counternarratives before the false one can take hold.
  • Finally, the loop closes with the Follow Up phase, where lessons learned, TTPs identified, and damage assessed inform the next round of hypotheses. Much like disinformation itself, this cycle is constant, fluid, and self-reinforcing.

The DISARM framework, given its current traction and detailed attacker and defender tactics, techniques, detections, and counters, serves as a practical playbook for the Disinformation Threat Hunt model, and its basis in the familiar MITRE ATT&CK framework enables the most rapid and effective widespread adoption. Disinformation Threat Hunt also aligns with U.S. Cyber Command’s 2018 vision of “persistent engagement,” which acknowledges that, like information, cyberspace is “a fluid environment of constant contact and shifting terrain,” and therefore, our defenses must be aligned accordingly.

A framework to counter mis-, dis-, and malinformation (MDM) can only be as effective as an operator’s ability to implement it. The model must be fluid, cyclical, and persistent, just like the threats we seek to counter. We hope security teams will gain value from this new approach.

Disinformation Threat Hunt Model

Based on DISARM Red (left), a proposed Disinformation Threat Hunt Model (right)

Incident Creator

Phase 1: Plan

TA01: Plan Strategy

TA02: Plan Objectives

TA13: Target Audience Analysis

 

Phase 2: Prepare

TA14: Develop Narratives

TA06: Develop Content

TA15: Establish Social Assets

TA16: Establish Legitimacy

TA05: Microtarget

TA07: Select Channels and Affordances

 

Phase 3: Execute

TA08: Conduct Pump Priming

TA09: Deliver Content

TA10: Drive Offline Activity

TA11: Persist in the Information Environment

 

Phase 4: Assess

TA12: Assess Effectiveness

 

 

 

 

 

 

Disinformation Hunter

Phase 1: Hypothesis

Anticipate Adversarial Strategy

Anticipate Adversarial Objectives

Anticipate Adversarial Narratives

Identify Potential Targets

Phase 2: Collection & Analysis

Identify Narratives

Identify Artifacts

Refute Legitimacy

Conduct Target Audience Analysis

Prepare Counternarratives                                                             

                                                                 

Phase 3: Trigger

Test Hypotheses

 

 

 

 

Phase 4: Investigation & Response

Deploy Counternarratives

Attribution

Expose Online Harms

Link Offline Activity to Online Narratives

Disrupt Adversary's Ability to Remain in the Environment

 

Phase 5: Follow Up

Catalog Information

Develop New Hypotheses

 

Get acquainted with your adversaries, defend some of the world’s most critical networks, and more.

Learn from the Tech Blog Series

Interested in Additional Technical Content?

This blog series is brought to you by Booz Allen DarkLabs. Our DarkLabs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.

This article is for informational purposes only; its content may be based on employees’ independent research and does not represent the position or opinion of Booz Allen. Furthermore, Booz Allen disclaims all warranties in the article's content, does not recommend/endorse any third-party products referenced therein, and any reliance and use of the article is at the reader’s sole discretion and risk.

Tags

Analytics Cybersecurity Innovation Solutions Technology

Related Insights

Article

Read More

Article
Article

Read More

Article
Article

Read More

Article
Article

Read More

Article
1 - 4 of 8