DISARMframeworks/generated_pages/detections_index.md
Sara-Jayne Terp 22abaf93d8 Copy AMITT repository, clean up and rebrand
Took a copy of the current AMITT github repository - we'll be updating this and merging the SPICE branch back in
Rebranded to DISARM
Moved generated pages to their own folder, to make looking at the repository less confusing
2022-01-29 11:34:46 -05:00

24 KiB
Raw Blame History

DISARM Detections:

disarm_id name summary metatechnique tactic responsetype
F00001 Analyse aborted / failed campaigns Examine failed campaigns. How did they fail? Can we create useful activities that increase these failures? TA01 Strategic Planning D01
F00002 Analyse viral fizzle We have no idea what this means. Is it something to do with the way a viral story spreads? TA01 Strategic Planning D01
F00003 Exploit counter-intelligence vs bad actors TA01 Strategic Planning D01
F00004 Recruit like-minded converts "people who used to be in-group" TA01 Strategic Planning D01
F00005 SWOT Analysis of Cognition in Various Groups Strengths, Weaknesses, Opportunities, Threats analysis of groups and audience segments. TA01 Strategic Planning D01
F00006 SWOT analysis of tech platforms TA01 Strategic Planning D01
F00007 Monitor account level activity in social networks TA02 Objective Planning D01
F00008 Detect abnormal amplification TA03 Develop People D01
F00009 Detect abnormal events TA03 Develop People D01
F00010 Detect abnormal groups TA03 Develop People D01
F00011 Detect abnormal pages TA03 Develop People D01
F00012 Detect abnormal profiles, e.g. prolific pages/ groups/ people TA03 Develop People D01
F00013 Identify fake news sites TA03 Develop People D01
F00014 Trace connections for e.g. fake news sites TA03 Develop People D01
F00015 Detect anomalies in membership growth patterns I include Fake Experts as they may use funding campaigns such as Patreon to fund their operations and so these should be watched. TA03 Develop People D01
F00016 Identify fence-sitters Note: In each case, depending on the platform there may be a way to identify a fence-sitter. For example, online polls may have a neutral option or a "somewhat this-or-that" option, and may reveal who voted for that to all visitors. This information could be of use to data analysts.

In TA08-11, the engagement level of victims could be identified to detect and respond to increasing engagement.

TA03 Develop People D01
F00017 Measure emotional valence TA03 Develop People D01
F00018 Follow the money track funding sources TA03 Develop People D01
F00019 Activity resurgence detection (alarm when dormant accounts become activated) TA04 Develop Networks D01
F00020 Detect anomalous activity TA04 Develop Networks D01
F00021 AI/ML automated early detection of campaign planning TA04 Develop Networks D01
F00022 Digital authority - regulating body (united states) TA04 Develop Networks D01
F00023 Periodic verification (counter to hijack legitimate account) TA04 Develop Networks D01
F00024 Teach civics to kids/ adults/ seniors TA04 Develop Networks D01
F00025 Boots-on-the-ground early narrative detection TA05 Microtargeting D01
F00026 Language anomoly detection TA05 Microtargeting D01
F00027 Unlikely correlation of sentiment on same topics TA05 Microtargeting D01
F00028 Associate a public key signature with government documents TA06 Develop Content D01
F00029 Detect proto narratives, i.e. RT, Sputnik TA06 Develop Content D01
F00030 Early detection and warning - reporting of suspect content TA06 Develop Content D01
F00031 Educate on how to identify information pollution Strategic planning included as innoculating population has strategic value. TA06 Develop Content D01
F00032 Educate on how to identify to pollution DUPLICATE - DELETE TA06 Develop Content D01
F00033 Fake websites: add transparency on business model TA06 Develop Content D01
F00034 Flag the information spaces so people know about active flooding effort TA06 Develop Content D01
F00035 Identify repeated narrative DNA TA06 Develop Content D01
F00036 Looking for AB testing in unregulated channels TA06 Develop Content D01
F00037 News content provenance certification. Original Comment: Shortcomings: intentional falsehood. Doesn't solve accuracy. Can't be mandatory.

Technique should be in terms of "strategic innoculation", raising the standards of what people expect in terms of evidence when consuming news.

TA06 Develop Content D01
F00038 Social capital as attack vector Unsure I understood the original intention or what it applied to. Therefore the techniques listed (10, 39, 43, 57, 61) are under my interpretation - which is that we want to track ignorant agents who fall into the enemy's trap and show a cost to financing/reposting/helping the adversary via public shaming or other means. TA06 Develop Content D01
F00039 standards to track image/ video deep fakes - industry TA06 Develop Content D01
F00040 Unalterable metadata signature on origins of image and provenance TA06 Develop Content D01
F00041 Bias detection Not technically left of boom TA07 Channel Selection D01
F00042 Categorize polls by intent Use T00029, but against the creators TA07 Channel Selection D01
F00043 Monitor for creation of fake known personas Platform companies and some information security companies (e.g. ZeroFox) do this. TA07 Channel Selection D01
F00044 Forensic analysis Can be used in all phases for all techniques. TA08 Pump Priming D01
F00045 Forensic linguistic analysis Can be used in all phases for all techniques. TA08 Pump Priming D01
F00046 Pump priming analytics TA08 Pump Priming D01
F00047 trace involved parties TA08 Pump Priming D01
F00048 Trace known operations and connection TA08 Pump Priming D01
F00049 trace money TA08 Pump Priming D01
F00050 Web cache analytics TA08 Pump Priming D01
F00051 Challenge expertise TA09 Exposure D01
F00052 Discover sponsors Discovering the sponsors behind a campaign, narrative, bot, a set of accounts, or a social media comment, or anything else is useful. TA09 Exposure D01
F00053 Government rumour control office (what can we learn?) TA09 Exposure D01
F00054 Restrict people who can @ you on social networks TA09 Exposure D01
F00055 Verify credentials TA09 Exposure D01
F00056 Verify organisation legitimacy TA09 Exposure D01
F00057 Verify personal credentials of experts TA09 Exposure D01
F00058 Deplatform (cancel culture) *Deplatform People: This technique needs to be a bit more specific to distinguish it from "account removal" or DDOS and other techniques that get more specific when applied to content.

For example, other ways of deplatforming people include attacking their sources of funds, their allies, their followers, etc.

TA10 Go Physical D01
F00059 Identify susceptible demographics All techniques provide or are susceptible to being countered by, or leveraged for, knowledge about user demographics. TA10 Go Physical D01
F00060 Identify susceptible influencers I assume this was a transcript error. Otherwise, "Identify Susceptible Influences" as in the various methods of influences that may work against a victim could also be a technique. Nope, wasn't a transcript error: original note says influencers, as in find people of influence that might be targetted. TA10 Go Physical D01
F00061 Microtargeting TA10 Go Physical D01
F00062 Detect when Dormant account turns active TA11 Persistence D01
F00063 Linguistic change analysis TA11 Persistence D01
F00064 Monitor reports of account takeover TA11 Persistence D01
F00065 Sentiment change analysis TA11 Persistence D01
F00066 Use language errors, time to respond to account bans and lawsuits, to indicate capabilities TA11 Persistence D01
F00067 Data forensics D01
F00068 Resonance analysis a developing methodology for identifying statistical differences in how social groups use language and quantifying how common those statistical differences are within a larger population. In essence, it hypothesizes how much affinity might exist for a specific group within a general population, based on the language its members employ D01
F00069 Track Russian media and develop analytic methods. To effectively counter Russian propaganda, it will be critical to track Russian influence efforts. The information requirements are varied and include the following: • Identify fake-news stories and their sources. • Understand narrative themes and content that pervade various Russian media sources. • Understand the broader Russian strategy that underlies tactical propaganda messaging. D01
F00070 Full spectrum analytics ALL D01
F00071 Network analysis Identify/cultivate/support influencers Local influencers detected via Twitter networks are likely local influencers in other online and off-line channels as well. In addition, the content and themes gleaned from Russia and Russia-supporting populations, as well as anti-Russia activists, likely swirl in other online and off-line mediums as well. D01
F00072 network analysis to identify central users in the pro-Russia activist community. It is possible that some of these are bots or trolls and could be flagged for suspension for violating Twitters terms of service. D01
F00073 collect intel/recon on black/covert content creators/manipulators Players at the level of covert attribution, referred to as “black” in the grayscale of deniability, produce content on user-generated media, such as YouTube, but also add fear-mongering commentary to and amplify content produced by others and supply exploitable content to data dump websites. These activities are conducted by a network of trolls, bots, honeypots, and hackers. D01
F00074 identify relevant fence-sitter communities brand ambassador programs could be used with influencers across a variety of social media channels. It could also target other prominent experts, such as academics, business leaders, and other potentially prominent people. Authorities must ultimately take care in implementing such a program given the risk that contact with U.S. or NATO authorities might damage influencer reputations. Engagements must consequently be made with care, and, if possible, government interlocutors should work through local NGOs. D01
F00075 leverage open-source information significant amounts of quality open-source information are now available and should be leveraged to build products and analysis prior to problem prioritization in the areas of observation, attribution, and intent. Successfully distinguishing the gray zone campaign signal through the global noise requires action through the entirety of the national security community. Policy, process, and tools must all adapt and evolve to detect, discern, and act upon a new type of signal D01
F00076 Monitor/collect audience engagement data connected to “useful idiots” Target audience connected to "useful idiots rather than the specific profiles because - The active presence of such sources complicates targeting of Russian propaganda, given that it is often difficult to discriminate between authentic views and opinions on the internet and those disseminated by the Russian state. D01
F00077 Model for bot account behavior Bot account: action based, people. Unsure which DISARM techniques. TA03 Develop People D01
F00078 Monitor account level activity in social networks All techniques benefit from careful analysis and monitoring of activities on social network. TA03 Develop People D01
F00079 Network anomaly detection TA05 Microtargeting D01
F00080 Hack the polls/ content yourself Two wrongs don't make a right? But if you hack your own polls, you do learn how it could be done, and learn what to look for TA07 Channel Selection D01
F00081 Need way for end user to report operations TA09 Exposure D01
F00082 Control the US "slang" translation boards TA11 Persistence D03
F00083 Build and own meme generator, then track and watermark contents TA11 Persistence D05
F00084 Track individual bad actors TA03 Develop People D01
F00085 detection of a weak signal through global noise Gray zone threats are challenging given that warning requires detection of a weak signal through global noise and across threat vectors and regional boundaries.Three interconnected gray zone elements characterize the nature of the activity: Temporality: The nature of gray zone threats truly requires a “big picture view” over long timescales and across regions and functional topics. Attribution: requiring an “almost certain” or “nearly certain analytic assessment before acting costs time and analytic effort Intent: judgement of adversarial intent to conduct gray zone activity. Indeed, the purpose of countering gray zone threats is to deter adversaries from fulfilling their intent to act. While attribution is one piece of the puzzle, closing the space around intent often means synthesizing multiple relevant indicators and warnings, including the states geopolitical ambitions, military ties, trade and investment, level of corruption, and media landscape, among others.
F00086 Outpace Competitor Intelligence Capabilities Develop an intelligence-based understanding of foreign actors motivations, psychologies, and societal and geopolitical contexts. Leverage artificial intelligence to identify patterns and infer competitors intent TA02 Objective planning D01
F00087 Improve Indications and Warning United States has not adequately adapted its information indicators and thresholds for warning policymakers to account for gray zone tactics. Competitors have undertaken a marked shift to slow-burn, deceptive, non-military, and indirect challenges to U.S. interests. Relative to traditional security indicators and warnings, these are more numerous and harder to detect and make it difficult for analysts to infer intent. D01
F00088 Revitalize an “active measures working group,” Recognize campaigns from weak signals, including rivals intent, capability, impact, interactive effects, and impact on U.S. interests... focus on adversarial covert action aspects of campaigning. D01
F00089 target/name/flag "grey zone" website content "Gray zone" is second level of content producers and circulators, composed of outlets with uncertain attribution. This category covers conspiracy websites, far-right or far-left websites, news aggregators, and data dump websites TA04 Develop Networks D01
F00090 Match Punitive Tools with Third-Party Inducements Bring private sector and civil society into accord on U.S. interests TA01 Strategic Planning D01
F00091 Partner to develop analytic methods & tools This might include working with relevant technology firms to ensure that contracted analytic support is available. Contracted support is reportedly valuable because technology to monitor social media data is continually evolving, and such firms can provide the expertise to help identify and analyze trends, and they can more effectively stay abreast of the changing systems and develop new models as they are required TA01 Strategic Planning D01
F00092 daylight Warn social media companies about an ongoing campaign (e.g. antivax sites). Anyone with datasets or data summaries can help with this TA09 Exposure D01
F00093 S4d detection and re-allocation approaches S4D is a way to separate out different speakers in text, audio. M004 - friction TA03 Develop People D01
F00094 Registries alert when large batches of newsy URLs get registered together M003 - daylight TA07 Channel Selection D01
F00095 Fact checking Process suspicious artifacts, narratives, and incidents TA09 Exposure D01