c11e9d06ad
Added framework objects:
- Added technique T0066 "Degrade adversary" to TA02
- Added technique T0067 "Plan to discredit credible sources" to TA02
- Added technique T0068 "respond to breaking news event" to TA02
- Added technique T0069 "respond to active crisis" to TA02
- Added technique T0070 "Analyze existing communities" to TA02
- Added technique T0071 "Find echo chambers" to TA13
- Added technique T0072 "Segment audiences" to TA13

Added STIX generator from repo DISARM-stix2, and added code to generate github files, databases, and STIX from the same Jupyter notebook.
DISARM Disinformation TTP (Tactics, Techniques and Procedures) Framework
DISARM is a framework designed for describing and understanding disinformation incidents. DISARM is part of work on adapting information security (infosec) practices to help track and counter disinformation and other information harms, and is designed to fit existing infosec practices and tools.
DISARM's style is based on the MITRE ATT&CK framework. STIX templates for DISARM objects are available in the DISARM_CTI repo - these make it easy for DISARM data to be passed between ISAOs and similar bodies using standards like TAXII.
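To show what a DISARM technique looks like once it is expressed as STIX, the following added example (not the DISARM generator or its templates) turns technique entries from the commit message on this page into STIX 2.1 attack-pattern objects inside a bundle. The namespace UUID, `source_name` and `kill_chain_name` values are assumptions chosen for the example.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Technique entries as listed in the commit message on this page.
COMMIT_LINES = """\
Added technique T0066 "Degrade adversary" to TA02
Added technique T0071 "Find echo chambers" to TA13
Added technique T0072 "Segment audiences" to TA13
"""

ENTRY = re.compile(r'technique (T\d{4}) "([^"]+)" to (TA\d{2})')

# Assumed values for this example only; they are not the identifiers
# used by the DISARM project's own STIX generator.
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/disarm-demo")
SOURCE_NAME = "DISARM"
KILL_CHAIN = "disarm-example"


def technique_to_stix(tid, name, tactic, now):
    """Build one STIX 2.1 attack-pattern for a technique ID, name and tactic ID."""
    return {
        "type": "attack-pattern",
        "spec_version": "2.1",
        # STIX 2.1 recommends UUIDv4 for these ids; UUIDv5 is used here so
        # that regenerating from the same master data yields stable ids.
        "id": f"attack-pattern--{uuid.uuid5(NAMESPACE, tid)}",
        "created": now,
        "modified": now,
        "name": name,
        "external_references": [{"source_name": SOURCE_NAME, "external_id": tid}],
        "kill_chain_phases": [
            {"kill_chain_name": KILL_CHAIN, "phase_name": tactic.lower()}
        ],
    }


def build_bundle(text, now=None):
    """Parse technique lines and wrap the resulting objects in a STIX bundle."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    # Keying by technique ID drops duplicate entries for the same technique.
    found = {tid: (tid, name, tactic) for tid, name, tactic in ENTRY.findall(text)}
    objects = [technique_to_stix(*entry, now) for entry in found.values()]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_bundle(COMMIT_LINES), indent=2))
```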
What's in this folder
DISARM DOCUMENTATION:
- DISARM_DOCUMENTATION: DISARM user guides, design guides, and more detailed TTP documentation.
- DISARM_HISTORY: earlier models and reports.
DISARM FRAMEWORKS:
- DISARM Red Team Framework - Disinformation creator TTPs, listed by tactic stage. This is the classic "DISARM Framework" that's bundled with MISP. The clickable version is for rapidly creating lists of TTPs.
- DISARM Blue Team Framework - Disinformation responder TTPs, listed by tactic stage. These are countermeasures, listed by the earliest tactic stages they're likely to be used in.
DISARM OBJECTS: all the entities used to create the Red Team and Blue Team frameworks:
- Phases: higher-level groupings of tactics, created so we could check we didn't miss anything
- Tactics: stages that someone running a misinformation incident is likely to use
- Techniques: activities that might be seen at each stage
- Tasks: things that need to be done at each stage. In Pablospeak, tasks are things you do, techniques are how you do them.
- Counters: countermeasures to DISARM TTPs.
- Actors: resources needed to run countermeasures
- Response types: the course-of-action categories we used to create counters
- Metatechniques: a higher-level grouping for countermeasures
- Incidents: incident descriptions used to create the DISARM frameworks
There's a directory for each of these, containing a datasheet for each individual entity (e.g. technique T0046 Search Engine Optimization). There's also a directory generated_files containing any files (CSVs, sqlite etc) we generate from the above tables.
Updating DISARM
Major changes: Any major changes to DISARM models are agreed on by the DISARM Foundation.
Minor changes: We love any and all suggestions for improvements, comments and offers of help - reach out to us using this Google form. (We're also going back through earlier issues lists: AMITT issues list and Misinfosec issues list.)
Using your own datasets: DISARM is open source. If you want to do your own thing with DISARM data, these will help:
- All the master data for DISARM is in directory DISARM_MASTER_DATA. Look for the DISARM_FRAMEWORKS_MASTER.xlsx spreadsheet. This contains disinformation creators' tactics, techniques, tasks, phases, and counters.
- The DISARM TTP Guide has more detailed information on each technique.
- The code to create all the HTML datasheets is in directory CODE: you'll need generate_DISARM_pages.py and all the template files.
If you have your own version of this repository and update DISARM_FRAMEWORKS_MASTER.xlsx, typing "python generate_DISARM_pages.py" will update all the files above from it. If you want to update the DISARM github file, DISARM databases, and DISARM STIX bundle at the same time, run file generate_DISARM_pages.ipynb from Jupyter.
Who's Responsible for DISARM
- DISARM Foundation maintains and updates the DISARM family of models: DISARM-STIX, the DISARM Red framework (of disinformation creation), and the DISARM Blue framework (of disinformation countermeasures and mitigations).
- MITRE, FIU, and CogSecCollab teams worked to merge the AMITT and SPICE framework models together to create the DISARM frameworks, and created a new foundation to maintain and manage DISARM.
- MITRE and FIU forked the AMITT RED model to create the SPICE framework.
- CogSecCollab maintained and updated the original AMITT models. We've used DISARM in the CTI League's Covid19 responses, and tested it in trials with NATO, the EU, and several other countries' disinformation units. Pablo Breuer and are the current design authorities for the DISARM models.
- MisinfosecWG, aka the Credibility Coalition's Misinfosec working group, created the original DISARM frameworks. The Red Framework was started in December 2018, and refined in a Credibility Coalition Misinfosec seminar; the Blue Framework was started as a collection of potential disinformation countermeasures, at a Coalition Misinfosec seminar in November 2019. CogSecCollab is the nonprofit that spun out of MisinfosecWG.
- Everyone who contributes to DISARM (and there are many of you). Thank you to everyone who contributes to DISARM, and has contributed to DISARM over the years.
- You. Thank you for being here.
DISARM is licensed under CC-BY-4.0