mirror of
https://github.com/DISARMFoundation/DISARMframeworks.git
synced 2024-12-25 15:29:45 -05:00
1bc8d88b63
Changed from data held in excelfiles to data held in CSV files. This gives us a better view of what's changed in the datasets when we push them to git.
22 KiB
22 KiB
| 1 | disarm_id | name | metatechnique | summary | how_found | references | incidents | tactic | responsetype | notes | longname |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2 | F00001 | Analyse aborted / failed campaigns | Examine failed campaigns. How did they fail? Can we create useful activities that increase these failures? | 2019-11-workshop | TA01 Strategic Planning | D01 | F00001 - Analyse aborted / failed campaigns | ||||
| 3 | F00002 | Analyse viral fizzle | We have no idea what this means. Is it something to do with the way a viral story spreads? | 2019-11-workshop | TA01 Strategic Planning | D01 | F00002 - Analyse viral fizzle | ||||
| 4 | F00003 | Exploit counter-intelligence vs bad actors | 2019-11-workshop | TA01 Strategic Planning | D01 | F00003 - Exploit counter-intelligence vs bad actors | |||||
| 5 | F00004 | Recruit like-minded converts "people who used to be in-group" | 2019-11-workshop | TA01 Strategic Planning | D01 | F00004 - Recruit like-minded converts "people who used to be in-group" | |||||
| 6 | F00005 | SWOT Analysis of Cognition in Various Groups | Strengths, Weaknesses, Opportunities, Threats analysis of groups and audience segments. | 2019-11-workshop | TA01 Strategic Planning | D01 | F00005 - SWOT Analysis of Cognition in Various Groups | ||||
| 7 | F00006 | SWOT analysis of tech platforms | 2019-11-workshop | TA01 Strategic Planning | D01 | F00006 - SWOT analysis of tech platforms | |||||
| 8 | F00007 | Monitor account level activity in social networks | 2019-11-workshop | TA02 Objective Planning | D01 | F00007 - Monitor account level activity in social networks | |||||
| 9 | F00008 | Detect abnormal amplification | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00008 - Detect abnormal amplification | |||||
| 10 | F00009 | Detect abnormal events | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00009 - Detect abnormal events | |||||
| 11 | F00010 | Detect abnormal groups | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00010 - Detect abnormal groups | |||||
| 12 | F00011 | Detect abnormal pages | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00011 - Detect abnormal pages | |||||
| 13 | F00012 | Detect abnormal profiles, e.g. prolific pages/ groups/ people | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00012 - Detect abnormal profiles, e.g. prolific pages/ groups/ people | |||||
| 14 | F00013 | Identify fake news sites | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00013 - Identify fake news sites | |||||
| 15 | F00014 | Trace connections | for e.g. fake news sites | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00014 - Trace connections | ||||
| 16 | F00015 | Detect anomalies in membership growth patterns | I include Fake Experts as they may use funding campaigns such as Patreon to fund their operations and so these should be watched. | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00015 - Detect anomalies in membership growth patterns | ||||
| 17 | F00016 | Identify fence-sitters | Note: In each case, depending on the platform there may be a way to identify a fence-sitter. For example, online polls may have a neutral option or a "somewhat this-or-that" option, and may reveal who voted for that to all visitors. This information could be of use to data analysts. In TA08-11, the engagement level of victims could be identified to detect and respond to increasing engagement. | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00016 - Identify fence-sitters | ||||
| 18 | F00017 | Measure emotional valence | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00017 - Measure emotional valence | |||||
| 19 | F00018 | Follow the money | track funding sources | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00018 - Follow the money | ||||
| 20 | F00019 | Activity resurgence detection (alarm when dormant accounts become activated) | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00019 - Activity resurgence detection (alarm when dormant accounts become activated) | |||||
| 21 | F00020 | Detect anomalous activity | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00020 - Detect anomalous activity | |||||
| 22 | F00021 | AI/ML automated early detection of campaign planning | 2019-11-workshop | TA15 Establish Social Assets | D01 | Automated Detection of Campaign | F00021 - AI/ML automated early detection of campaign planning | ||||
| 23 | F00022 | Digital authority - regulating body (united states) | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00022 - Digital authority - regulating body (united states) | |||||
| 24 | F00023 | Periodic verification (counter to hijack legitimate account) | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00023 - Periodic verification (counter to hijack legitimate account) | |||||
| 25 | F00024 | Teach civics to kids/ adults/ seniors | 2019-11-workshop | TA15 Establish Social Assets | D01 | F00024 - Teach civics to kids/ adults/ seniors | |||||
| 26 | F00025 | Boots-on-the-ground early narrative detection | 2019-11-workshop | TA05 Microtargeting | D01 | F00025 - Boots-on-the-ground early narrative detection | |||||
| 27 | F00026 | Language anomoly detection | 2019-11-workshop | TA05 Microtargeting | D01 | F00026 - Language anomoly detection | |||||
| 28 | F00027 | Unlikely correlation of sentiment on same topics | 2019-11-workshop | TA05 Microtargeting | D01 | F00027 - Unlikely correlation of sentiment on same topics | |||||
| 29 | F00028 | Associate a public key signature with government documents | 2019-11-workshop | TA06 Develop Content | D01 | F00028 - Associate a public key signature with government documents | |||||
| 30 | F00029 | Detect proto narratives, i.e. RT, Sputnik | 2019-11-workshop | TA06 Develop Content | D01 | F00029 - Detect proto narratives, i.e. RT, Sputnik | |||||
| 31 | F00030 | Early detection and warning - reporting of suspect content | 2019-11-workshop | TA06 Develop Content | D01 | F00030 - Early detection and warning - reporting of suspect content | |||||
| 32 | F00031 | Educate on how to identify information pollution | Strategic planning included as innoculating population has strategic value. | 2019-11-workshop | TA06 Develop Content | D01 | F00031 - Educate on how to identify information pollution | ||||
| 33 | F00032 | Educate on how to identify to pollution | DUPLICATE - DELETE | 2019-11-workshop | TA06 Develop Content | D01 | F00032 - Educate on how to identify to pollution | ||||
| 34 | F00033 | Fake websites: add transparency on business model | 2019-11-workshop | TA06 Develop Content | D01 | F00033 - Fake websites: add transparency on business model | |||||
| 35 | F00034 | Flag the information spaces so people know about active flooding effort | 2019-11-workshop | TA06 Develop Content | D01 | F00034 - Flag the information spaces so people know about active flooding effort | |||||
| 36 | F00035 | Identify repeated narrative DNA | 2019-11-workshop | TA06 Develop Content | D01 | F00035 - Identify repeated narrative DNA | |||||
| 37 | F00036 | Looking for AB testing in unregulated channels | 2019-11-workshop | TA06 Develop Content | D01 | F00036 - Looking for AB testing in unregulated channels | |||||
| 38 | F00037 | News content provenance certification. | Original Comment: Shortcomings: intentional falsehood. Doesn't solve accuracy. Can't be mandatory. Technique should be in terms of "strategic innoculation", raising the standards of what people expect in terms of evidence when consuming news. | 2019-11-workshop | TA06 Develop Content | D01 | F00037 - News content provenance certification. | ||||
| 39 | F00038 | Social capital as attack vector | Unsure I understood the original intention or what it applied to. Therefore the techniques listed (10, 39, 43, 57, 61) are under my interpretation - which is that we want to track ignorant agents who fall into the enemy's trap and show a cost to financing/reposting/helping the adversary via public shaming or other means. | 2019-11-workshop | TA06 Develop Content | D01 | F00038 - Social capital as attack vector | ||||
| 40 | F00039 | standards to track image/ video deep fakes - industry | 2019-11-workshop | TA06 Develop Content | D01 | F00039 - standards to track image/ video deep fakes - industry | |||||
| 41 | F00040 | Unalterable metadata signature on origins of image and provenance | 2019-11-workshop | TA06 Develop Content | D01 | F00040 - Unalterable metadata signature on origins of image and provenance | |||||
| 42 | F00041 | Bias detection | Not technically left of boom | 2019-11-workshop | TA07 Channel Selection | D01 | F00041 - Bias detection | ||||
| 43 | F00042 | Categorize polls by intent | Use T00029, but against the creators | 2019-11-workshop | TA07 Channel Selection | D01 | F00042 - Categorize polls by intent | ||||
| 44 | F00043 | Monitor for creation of fake known personas | Platform companies and some information security companies (e.g. ZeroFox) do this. | 2019-11-workshop | TA07 Channel Selection | D01 | F00043 - Monitor for creation of fake known personas | ||||
| 45 | F00044 | Forensic analysis | Can be used in all phases for all techniques. | 2019-11-workshop | TA08 Pump Priming | D01 | F00044 - Forensic analysis | ||||
| 46 | F00045 | Forensic linguistic analysis | Can be used in all phases for all techniques. | 2019-11-workshop | TA08 Pump Priming | D01 | F00045 - Forensic linguistic analysis | ||||
| 47 | F00046 | Pump priming analytics | 2019-11-workshop | TA08 Pump Priming | D01 | F00046 - Pump priming analytics | |||||
| 48 | F00047 | trace involved parties | 2019-11-workshop | TA08 Pump Priming | D01 | F00047 - trace involved parties | |||||
| 49 | F00048 | Trace known operations and connection | 2019-11-workshop | TA08 Pump Priming | D01 | F00048 - Trace known operations and connection | |||||
| 50 | F00049 | trace money | 2019-11-workshop | TA08 Pump Priming | D01 | F00049 - trace money | |||||
| 51 | F00050 | Web cache analytics | 2019-11-workshop | TA08 Pump Priming | D01 | F00050 - Web cache analytics | |||||
| 52 | F00051 | Challenge expertise | 2019-11-workshop | TA09 Exposure | D01 | F00051 - Challenge expertise | |||||
| 53 | F00052 | Discover sponsors | Discovering the sponsors behind a campaign, narrative, bot, a set of accounts, or a social media comment, or anything else is useful. | 2019-11-workshop | TA09 Exposure | D01 | F00052 - Discover sponsors | ||||
| 54 | F00053 | Government rumour control office (what can we learn?) | 2019-11-workshop | TA09 Exposure | D01 | F00053 - Government rumour control office (what can we learn?) | |||||
| 55 | F00054 | Restrict people who can @ you on social networks | 2019-11-workshop | TA09 Exposure | D01 | F00054 - Restrict people who can @ you on social networks | |||||
| 56 | F00055 | Verify credentials | 2019-11-workshop | TA09 Exposure | D01 | F00055 - Verify credentials | |||||
| 57 | F00056 | Verify organisation legitimacy | 2019-11-workshop | TA09 Exposure | D01 | F00056 - Verify organisation legitimacy | |||||
| 58 | F00057 | Verify personal credentials of experts | 2019-11-workshop | TA09 Exposure | D01 | F00057 - Verify personal credentials of experts | |||||
| 59 | F00058 | Deplatform (cancel culture) | *Deplatform People: This technique needs to be a bit more specific to distinguish it from "account removal" or DDOS and other techniques that get more specific when applied to content. For example, other ways of deplatforming people include attacking their sources of funds, their allies, their followers, etc. | 2019-11-workshop | TA10 Go Physical | D01 | F00058 - Deplatform (cancel culture) | ||||
| 60 | F00059 | Identify susceptible demographics | All techniques provide or are susceptible to being countered by, or leveraged for, knowledge about user demographics. | 2019-11-workshop | TA10 Go Physical | D01 | F00059 - Identify susceptible demographics | ||||
| 61 | F00060 | Identify susceptible influencers | I assume this was a transcript error. Otherwise, "Identify Susceptible Influences" as in the various methods of influences that may work against a victim could also be a technique. Nope, wasn't a transcript error: original note says influencers, as in find people of influence that might be targetted. | 2019-11-workshop | TA10 Go Physical | D01 | F00060 - Identify susceptible influencers | ||||
| 62 | F00061 | Microtargeting | 2019-11-workshop | TA10 Go Physical | D01 | F00061 - Microtargeting | |||||
| 63 | F00062 | Detect when Dormant account turns active | 2019-11-workshop | TA11 Persistence | D01 | F00062 - Detect when Dormant account turns active | |||||
| 64 | F00063 | Linguistic change analysis | 2019-11-workshop | TA11 Persistence | D01 | F00063 - Linguistic change analysis | |||||
| 65 | F00064 | Monitor reports of account takeover | 2019-11-workshop | TA11 Persistence | D01 | F00064 - Monitor reports of account takeover | |||||
| 66 | F00065 | Sentiment change analysis | 2019-11-workshop | TA11 Persistence | D01 | F00065 - Sentiment change analysis | |||||
| 67 | F00066 | Use language errors, time to respond to account bans and lawsuits, to indicate capabilities | 2019-11-workshop | TA11 Persistence | D01 | F00066 - Use language errors, time to respond to account bans and lawsuits, to indicate capabilities | |||||
| 68 | F00067 | Data forensics | 2019-11-search | I00029,I00045 | D01 | F00067 - Data forensics | |||||
| 69 | F00068 | Resonance analysis | a developing methodology for identifying statistical differences in how social groups use language and quantifying how common those statistical differences are within a larger population. In essence, it hypothesizes how much affinity might exist for a specific group within a general population, based on the language its members employ | 2019-11-search | Rand2237 | D01 | F00068 - Resonance analysis | ||||
| 70 | F00069 | Track Russian media and develop analytic methods. | To effectively counter Russian propaganda, it will be critical to track Russian influence efforts. The information requirements are varied and include the following: • Identify fake-news stories and their sources. • Understand narrative themes and content that pervade various Russian media sources. • Understand the broader Russian strategy that underlies tactical propaganda messaging. | 2019-11-search | Rand2237 | D01 | F00069 - Track Russian media and develop analytic methods. | ||||
| 71 | F00070 | Full spectrum analytics | 2019-11-workshop | ALL | D01 | F00070 - Full spectrum analytics | |||||
| 72 | F00071 | Network analysis Identify/cultivate/support influencers | Local influencers detected via Twitter networks are likely local influencers in other online and off-line channels as well. In addition, the content and themes gleaned from Russia and Russia-supporting populations, as well as anti-Russia activists, likely swirl in other online and off-line mediums as well. | 2019-11-search | Rand2237 | D01 | F00071 - Network analysis Identify/cultivate/support influencers | ||||
| 73 | F00072 | network analysis to identify central users in the pro-Russia activist community. | It is possible that some of these are bots or trolls and could be flagged for suspension for violating Twitter’s terms of service. | 2019-11-search | Rand2237 | D01 | F00072 - network analysis to identify central users in the pro-Russia activist community. | ||||
| 74 | F00073 | collect intel/recon on black/covert content creators/manipulators | Players at the level of covert attribution, referred to as “black” in the grayscale of deniability, produce content on user-generated media, such as YouTube, but also add fear-mongering commentary to and amplify content produced by others and supply exploitable content to data dump websites. These activities are conducted by a network of trolls, bots, honeypots, and hackers. | 2019-11-search | Rand2237 | D01 | F00073 - collect intel/recon on black/covert content creators/manipulators | ||||
| 75 | F00074 | identify relevant fence-sitter communities | brand ambassador programs could be used with influencers across a variety of social media channels. It could also target other prominent experts, such as academics, business leaders, and other potentially prominent people. Authorities must ultimately take care in implementing such a program given the risk that contact with U.S. or NATO authorities might damage influencer reputations. Engagements must consequently be made with care, and, if possible, government interlocutors should work through local NGOs. | 2019-11-search | Rand2237 | D01 | F00074 - identify relevant fence-sitter communities | ||||
| 76 | F00075 | leverage open-source information | significant amounts of quality open-source information are now available and should be leveraged to build products and analysis prior to problem prioritization in the areas of observation, attribution, and intent. Successfully distinguishing the gray zone campaign signal through the global noise requires action through the entirety of the national security community. Policy, process, and tools must all adapt and evolve to detect, discern, and act upon a new type of signal | 2019-11-search | Dalton19 | D01 | F00075 - leverage open-source information | ||||
| 77 | F00076 | Monitor/collect audience engagement data connected to “useful idiots” | Target audience connected to "useful idiots rather than the specific profiles because - The active presence of such sources complicates targeting of Russian propaganda, given that it is often difficult to discriminate between authentic views and opinions on the internet and those disseminated by the Russian state. | 2019-11-search | Rand2237 | D01 | F00076 - Monitor/collect audience engagement data connected to “useful idiots” | ||||
| 78 | F00077 | Model for bot account behavior | Bot account: action based, people. Unsure which DISARM techniques. | 2019-11-workshop | TA15 - Establish Social Assets | D01 | F00077 - Model for bot account behavior | ||||
| 79 | F00078 | Monitor account level activity in social networks | All techniques benefit from careful analysis and monitoring of activities on social network. | 2019-11-workshop | TA15 - Establish Social Assets | D01 | F00078 - Monitor account level activity in social networks | ||||
| 80 | F00079 | Network anomaly detection | 2019-11-workshop | TA05 Microtargeting | D01 | F00079 - Network anomaly detection | |||||
| 81 | F00080 | Hack the polls/ content yourself | Two wrongs don't make a right? But if you hack your own polls, you do learn how it could be done, and learn what to look for | 2019-11-workshop | TA07 Channel Selection | D01 | F00080 - Hack the polls/ content yourself | ||||
| 82 | F00081 | Need way for end user to report operations | 2019-11-workshop | TA09 Exposure | D01 | F00081 - Need way for end user to report operations | |||||
| 83 | F00082 | Control the US "slang" translation boards | 2019-11-workshop | TA11 Persistence | D03 | F00082 - Control the US "slang" translation boards | |||||
| 84 | F00083 | Build and own meme generator, then track and watermark contents | 2019-11-workshop | TA11 Persistence | D05 | F00083 - Build and own meme generator, then track and watermark contents | |||||
| 85 | F00084 | Track individual bad actors | 2019-11-workshop | TA15 - Establish Social Assets | D01 | F00084 - Track individual bad actors | |||||
| 86 | F00085 | detection of a weak signal through global noise | Gray zone threats are challenging given that warning requires detection of a weak signal through global noise and across threat vectors and regional boundaries.Three interconnected gray zone elements characterize the nature of the activity: Temporality: The nature of gray zone threats truly requires a “big picture view” over long timescales and across regions and functional topics. Attribution: requiring an “almost certain” or “nearly certain analytic assessment before acting costs time and analytic effort Intent: judgement of adversarial intent to conduct gray zone activity. Indeed, the purpose of countering gray zone threats is to deter adversaries from fulfilling their intent to act. While attribution is one piece of the puzzle, closing the space around intent often means synthesizing multiple relevant indicators and warnings, including the state’s geopolitical ambitions, military ties, trade and investment, level of corruption, and media landscape, among others. | 2019-11-search | Dalton19 | F00085 - detection of a weak signal through global noise | |||||
| 87 | F00086 | Outpace Competitor Intelligence Capabilities | Develop an intelligence-based understanding of foreign actors’ motivations, psychologies, and societal and geopolitical contexts. Leverage artificial intelligence to identify patterns and infer competitors’ intent | 2019-11-search | Hicks19 | TA02 Objective planning | D01 | F00086 - Outpace Competitor Intelligence Capabilities | |||
| 88 | F00087 | Improve Indications and Warning | United States has not adequately adapted its information indicators and thresholds for warning policymakers to account for gray zone tactics. Competitors have undertaken a marked shift to slow-burn, deceptive, non-military, and indirect challenges to U.S. interests. Relative to traditional security indicators and warnings, these are more numerous and harder to detect and make it difficult for analysts to infer intent. | 2019-11-search | Hicks19 | D01 | F00087 - Improve Indications and Warning | ||||
| 89 | F00088 | Revitalize an “active measures working group,” | Recognize campaigns from weak signals, including rivals’ intent, capability, impact, interactive effects, and impact on U.S. interests... focus on adversarial covert action aspects of campaigning. | 2019-11-search | Dalton19 | D01 | F00088 - Revitalize an “active measures working group,” | ||||
| 90 | F00089 | target/name/flag "grey zone" website content | "Gray zone" is second level of content producers and circulators, composed of outlets with uncertain attribution. This category covers conspiracy websites, far-right or far-left websites, news aggregators, and data dump websites | 2019-11-search | Rand2237 | TA15 Establish Social Assets | D01 | F00089 - target/name/flag "grey zone" website content | |||
| 91 | F00090 | Match Punitive Tools with Third-Party Inducements | Bring private sector and civil society into accord on U.S. interests | 2019-11-search | Hicks19 | TA01 Strategic Planning | D01 | F00090 - Match Punitive Tools with Third-Party Inducements | |||
| 92 | F00091 | Partner to develop analytic methods & tools | This might include working with relevant technology firms to ensure that contracted analytic support is available. Contracted support is reportedly valuable because technology to monitor social media data is continually evolving, and such firms can provide the expertise to help identify and analyze trends, and they can more effectively stay abreast of the changing systems and develop new models as they are required | 2019-11-search | Rand2237 | TA01 Strategic Planning | D01 | F00091 - Partner to develop analytic methods & tools | |||
| 93 | F00092 | daylight | Warn social media companies about an ongoing campaign (e.g. antivax sites). Anyone with datasets or data summaries can help with this | 2019-11-search | I00002 | TA09 Exposure | D01 | F00092 - daylight | |||
| 94 | F00093 | S4d detection and re-allocation approaches | M004 - friction | S4D is a way to separate out different speakers in text, audio. | 2019-11-workshop | TA15 - Establish Social Assets | D01 | F00093 - S4d detection and re-allocation approaches | |||
| 95 | F00094 | Registries alert when large batches of newsy URLs get registered together | M003 - daylight | grugq | TA07 Channel Selection | D01 | F00094 - Registries alert when large batches of newsy URLs get registered together | ||||
| 96 | F00095 | Fact checking | Process suspicious artifacts, narratives, and incidents | SJ | TA09 Exposure | D01 | F00095 - Fact checking |