Framework updates:
- TA08 added text "Used for preparation before broader release, and as message honing."
- TA10 change name from "Go Physical" to "Drive Offline Activity"
- T0004 change name from "Competing Narratives" to "Devise Competing Narratives"
- T0005 convert into a tactic stage, TA13. Change name from "Center of Gravity Analysis" to "Conduct Center of Gravity Analysis"
- T0006 rename from "Create Master Narratives" to "Develop Narrative Concepts". nb narratology: can't create master narratives - can only latch onto them
- T0011 change name from "Hijack legitimate account" to "Compromise legitimate account"
- T0065. Create new technique "use physical broadcast capabilities" under TA04
- T0014. Rename from "Create funding campaigns" to "Prepare fundraising campaigns". Edited text to reflect that this new name allows the possibility of either creating a new one, or revitalizing an existing one.
- T0015 rename from "Create hashtag" to "Create hashtags". Change text to mention hashtag groups.
- T0017 rename from "Promote online funding" to "Conduct Fundraising Campaigns"
- T0018 rename from "Paid targeted ads" to "Purchase advertisements"
- T0026 rename from "Create fake research" to "create pseudoscientific or disingenuous research"

Page and file updates:
- Added MITRE, FIU, and SPICE to DISARM's history
- reran github page generator
- reran sqlite generator
DISARM Disinformation TTP (Tactics, Techniques and Procedures) Framework
DISARM is a framework designed for describing and understanding disinformation incidents. DISARM is part of work on adapting information security (infosec) practices to help track and counter disinformation and other information harms, and is designed to fit existing infosec practices and tools.
DISARM's style is based on the MITRE ATT&CK framework. STIX templates for DISARM objects are available in the DISARM_CTI repo - these make it easy for DISARM data to be passed between ISAOs and similar bodies using standards like TAXII.
What's in this folder
- DISARM_DOCUMENTATION: DISARM user guides, design guides, and more detailed TTP documentation.
- DISARM_HISTORY: earlier models and reports.
- DISARM Red Team Framework - Disinformation creator TTPs, listed by tactic stage. This is the classic "DISARM Framework" that's bundled with MISP. The clickable version is for rapidly creating lists of TTPs.
- DISARM Blue Team Framework - Disinformation responder TTPs, listed by tactic stage. These are countermeasures, listed by the earliest tactic stages they're likely to be used in.
DISARM OBJECTS: all the entities used to create the Red Team and Blue Team frameworks:
- Phases: higher-level groupings of tactics, created so we could check we didn't miss anything
- Tactics: stages that someone running a misinformation incident is likely to use
- Techniques: activities that might be seen at each stage
- Tasks: things that need to be done at each stage. In Pablospeak, tasks are things you do, techniques are how you do them.
- Counters: countermeasures to DISARM TTPs.
- Actors: resources needed to run countermeasures
- Response types: the course-of-action categories we used to create counters
- Metatechniques: a higher-level grouping for countermeasures
- Incidents: incident descriptions used to create the DISARM frameworks
There's a directory for each of these, containing a datasheet for each individual entity (e.g. technique T0046 Search Engine Optimization). There's also a directory generated_files containing any files (CSVs, sqlite etc) we generate from the above tables.
Updating DISARM
Major changes: Any major changes to DISARM models are agreed on by the DISARM Foundation.
Minor changes: We love any and all suggestions for improvements, comments and offers of help - reach out to us using this Google form. (We're also going back through earlier issues lists: AMITT issues list and Misinfosec issues list.)
Using your own datasets: DISARM is open source. If you want to do your own thing with DISARM data, these will help:
- All the master data for DISARM is in directory DISARM_MASTER_DATA. Look for the DISARM_FRAMEWORKS_MASTER.xlsx spreadsheet. This contains disinformation creators' tactics, techniques, tasks, phases, and counters.
- The DISARM TTP Guide has more detailed information on each technique.
- The code to create all the HTML datasheets is in directory CODE: you'll need generate_DISARM_pages.py and all the template files.
- If you have your own version of this repository and update DISARM_FRAMEWORKS_MASTER.xlsx, typing "python generate_DISARM_pages.py" will update all the files above from it.
Who's Responsible for DISARM
DISARM Foundation maintains and updates the DISARM family of models: DISARM-STIX, the DISARM Red framework (of disinformation creation), and the DISARM Blue framework (of disinformation countermeasures and mitigations).
MITRE, FIU, and CogSecCollab teams worked to merge the AMITT and SPICE framework models together to create the DISARM frameworks, and created a new foundation to maintain and manage DISARM.
MITRE and FIU forked the AMITT RED model to create the SPICE framework.
CogSecCollab maintained and updated the original AMITT models. We've used DISARM in the CTI League's Covid19 responses, and tested it in trials with NATO, the EU, and several other countries' disinformation units. Pablo Breuer and are the current design authorities for the DISARM models.
MisinfosecWG, aka the Credibility Coalition's Misinfosec working group, created the original DISARM frameworks. The Red Framework was started in December 2018, and refined in a Credibility Coalition Misinfosec seminar; the Blue Framework was started as a collection of potential disinformation countermeasures, at a Coalition Misinfosec seminar in November 2019. CogSecCollab is the nonprofit that spun out of MisinfosecWG.
Everyone who contributes to DISARM (and there are many of you). Thank you to everyone who contributes to DISARM, and has contributed to DISARM over the years.
You. Thank you for being here.
DISARM is licensed under CC-BY-4.0