mirror of
https://github.com/DISARMFoundation/DISARMframeworks.git
synced 2024-12-20 21:34:17 -05:00
24 KiB
24 KiB
DISARM Detections:
disarm_id | name | summary | metatechnique | tactic | responsetype |
---|---|---|---|---|---|
F00001 | Analyse aborted / failed campaigns | Examine failed campaigns. How did they fail? Can we create useful activities that increase these failures? | TA01 Strategic Planning | D01 | |
F00002 | Analyse viral fizzle | We have no idea what this means. Is it something to do with the way a viral story spreads? | TA01 Strategic Planning | D01 | |
F00003 | Exploit counter-intelligence vs bad actors | TA01 Strategic Planning | D01 | ||
F00004 | Recruit like-minded converts "people who used to be in-group" | TA01 Strategic Planning | D01 | ||
F00005 | SWOT Analysis of Cognition in Various Groups | Strengths, Weaknesses, Opportunities, Threats analysis of groups and audience segments. | TA01 Strategic Planning | D01 | |
F00006 | SWOT analysis of tech platforms | TA01 Strategic Planning | D01 | ||
F00007 | Monitor account level activity in social networks | TA02 Objective Planning | D01 | ||
F00008 | Detect abnormal amplification | TA15 Establish Assets | D01 | ||
F00009 | Detect abnormal events | TA15 Establish Assets | D01 | ||
F00010 | Detect abnormal groups | TA15 Establish Assets | D01 | ||
F00011 | Detect abnormal pages | TA15 Establish Assets | D01 | ||
F00012 | Detect abnormal profiles, e.g. prolific pages/ groups/ people | TA15 Establish Assets | D01 | ||
F00013 | Identify fake news sites | TA15 Establish Assets | D01 | ||
F00014 | Trace connections | for e.g. fake news sites | TA15 Establish Assets | D01 | |
F00015 | Detect anomalies in membership growth patterns | I include Fake Experts as they may use funding campaigns such as Patreon to fund their operations and so these should be watched. | TA15 Establish Assets | D01 | |
F00016 | Identify fence-sitters | Note: In each case, depending on the platform there may be a way to identify a fence-sitter. For example, online polls may have a neutral option or a "somewhat this-or-that" option, and may reveal who voted for that to all visitors. This information could be of use to data analysts. In TA08-11, the engagement level of victims could be identified to detect and respond to increasing engagement. | TA15 Establish Assets | D01 | |
F00017 | Measure emotional valence | TA15 Establish Assets | D01 | ||
F00018 | Follow the money | track funding sources | TA15 Establish Assets | D01 | |
F00019 | Activity resurgence detection (alarm when dormant accounts become activated) | TA15 Establish Assets | D01 | ||
F00020 | Detect anomalous activity | TA15 Establish Assets | D01 | ||
F00021 | AI/ML automated early detection of campaign planning | TA15 Establish Assets | D01 | ||
F00022 | Digital authority - regulating body (united states) | TA15 Establish Assets | D01 | ||
F00023 | Periodic verification (counter to hijack legitimate account) | TA15 Establish Assets | D01 | ||
F00024 | Teach civics to kids/ adults/ seniors | TA15 Establish Assets | D01 | ||
F00025 | Boots-on-the-ground early narrative detection | TA05 Microtargeting | D01 | ||
F00026 | Language anomoly detection | TA05 Microtargeting | D01 | ||
F00027 | Unlikely correlation of sentiment on same topics | TA05 Microtargeting | D01 | ||
F00028 | Associate a public key signature with government documents | TA06 Develop Content | D01 | ||
F00029 | Detect proto narratives, i.e. RT, Sputnik | TA06 Develop Content | D01 | ||
F00030 | Early detection and warning - reporting of suspect content | TA06 Develop Content | D01 | ||
F00031 | Educate on how to identify information pollution | Strategic planning included as innoculating population has strategic value. | TA06 Develop Content | D01 | |
F00032 | Educate on how to identify to pollution | DUPLICATE - DELETE | TA06 Develop Content | D01 | |
F00033 | Fake websites: add transparency on business model | TA06 Develop Content | D01 | ||
F00034 | Flag the information spaces so people know about active flooding effort | TA06 Develop Content | D01 | ||
F00035 | Identify repeated narrative DNA | TA06 Develop Content | D01 | ||
F00036 | Looking for AB testing in unregulated channels | TA06 Develop Content | D01 | ||
F00037 | News content provenance certification. | Original Comment: Shortcomings: intentional falsehood. Doesn't solve accuracy. Can't be mandatory. Technique should be in terms of "strategic innoculation", raising the standards of what people expect in terms of evidence when consuming news. | TA06 Develop Content | D01 | |
F00038 | Social capital as attack vector | Unsure I understood the original intention or what it applied to. Therefore the techniques listed (10, 39, 43, 57, 61) are under my interpretation - which is that we want to track ignorant agents who fall into the enemy's trap and show a cost to financing/reposting/helping the adversary via public shaming or other means. | TA06 Develop Content | D01 | |
F00039 | standards to track image/ video deep fakes - industry | TA06 Develop Content | D01 | ||
F00040 | Unalterable metadata signature on origins of image and provenance | TA06 Develop Content | D01 | ||
F00041 | Bias detection | Not technically left of boom | TA07 Channel Selection | D01 | |
F00042 | Categorise polls by intent | Use T00029, but against the creators | TA07 Channel Selection | D01 | |
F00043 | Monitor for creation of fake known personas | Platform companies and some information security companies (e.g. ZeroFox) do this. | TA07 Channel Selection | D01 | |
F00044 | Forensic analysis | Can be used in all phases for all techniques. | TA08 Pump Priming | D01 | |
F00045 | Forensic linguistic analysis | Can be used in all phases for all techniques. | TA08 Pump Priming | D01 | |
F00046 | Pump priming analytics | TA08 Pump Priming | D01 | ||
F00047 | trace involved parties | TA08 Pump Priming | D01 | ||
F00048 | Trace known operations and connection | TA08 Pump Priming | D01 | ||
F00049 | trace money | TA08 Pump Priming | D01 | ||
F00050 | Web cache analytics | TA08 Pump Priming | D01 | ||
F00051 | Challenge expertise | TA09 Exposure | D01 | ||
F00052 | Discover sponsors | Discovering the sponsors behind a campaign, narrative, bot, a set of accounts, or a social media comment, or anything else is useful. | TA09 Exposure | D01 | |
F00053 | Government rumour control office (what can we learn?) | TA09 Exposure | D01 | ||
F00054 | Restrict people who can @ you on social networks | TA09 Exposure | D01 | ||
F00055 | Verify credentials | TA09 Exposure | D01 | ||
F00056 | Verify organisation legitimacy | TA09 Exposure | D01 | ||
F00057 | Verify personal credentials of experts | TA09 Exposure | D01 | ||
F00058 | Deplatform (cancel culture) | *Deplatform People: This technique needs to be a bit more specific to distinguish it from "account removal" or DDOS and other techniques that get more specific when applied to content. For example, other ways of deplatforming people include attacking their sources of funds, their allies, their followers, etc. | TA10 Go Physical | D01 | |
F00059 | Identify susceptible demographics | All techniques provide or are susceptible to being countered by, or leveraged for, knowledge about user demographics. | TA10 Go Physical | D01 | |
F00060 | Identify susceptible influencers | I assume this was a transcript error. Otherwise, "Identify Susceptible Influences" as in the various methods of influences that may work against a victim could also be a technique. Nope, wasn't a transcript error: original note says influencers, as in find people of influence that might be targetted. | TA10 Go Physical | D01 | |
F00061 | Microtargeting | TA10 Go Physical | D01 | ||
F00062 | Detect when Dormant account turns active | TA11 Persistence | D01 | ||
F00063 | Linguistic change analysis | TA11 Persistence | D01 | ||
F00064 | Monitor reports of account takeover | TA11 Persistence | D01 | ||
F00065 | Sentiment change analysis | TA11 Persistence | D01 | ||
F00066 | Use language errors, time to respond to account bans and lawsuits, to indicate capabilities | TA11 Persistence | D01 | ||
F00067 | Data forensics | D01 | |||
F00068 | Resonance analysis | a developing methodology for identifying statistical differences in how social groups use language and quantifying how common those statistical differences are within a larger population. In essence, it hypothesises how much affinity might exist for a specific group within a general population, based on the language its members employ | D01 | ||
F00069 | Track Russian media and develop analytic methods. | To effectively counter Russian propaganda, it will be critical to track Russian influence efforts. The information requirements are varied and include the following: • Identify fake-news stories and their sources. • Understand narrative themes and content that pervade various Russian media sources. • Understand the broader Russian strategy that underlies tactical propaganda messaging. | D01 | ||
F00070 | Full spectrum analytics | ALL | D01 | ||
F00071 | Network analysis Identify/cultivate/support influencers | Local influencers detected via Twitter networks are likely local influencers in other online and off-line channels as well. In addition, the content and themes gleaned from Russia and Russia-supporting populations, as well as anti-Russia activists, likely swirl in other online and off-line mediums as well. | D01 | ||
F00072 | network analysis to identify central users in the pro-Russia activist community. | It is possible that some of these are bots or trolls and could be flagged for suspension for violating Twitter’s terms of service. | D01 | ||
F00073 | collect intel/recon on black/covert content creators/manipulators | Players at the level of covert attribution, referred to as “black” in the grayscale of deniability, produce content on user-generated media, such as YouTube, but also add fear-mongering commentary to and amplify content produced by others and supply exploitable content to data dump websites. These activities are conducted by a network of trolls, bots, honeypots, and hackers. | D01 | ||
F00074 | identify relevant fence-sitter communities | brand ambassador programmes could be used with influencers across a variety of social media channels. It could also target other prominent experts, such as academics, business leaders, and other potentially prominent people. Authorities must ultimately take care in implementing such a programme given the risk that contact with U.S. or NATO authorities might damage influencer reputations. Engagements must consequently be made with care, and, if possible, government interlocutors should work through local NGOs. | D01 | ||
F00075 | leverage open-source information | significant amounts of quality open-source information are now available and should be leveraged to build products and analysis prior to problem prioritisation in the areas of observation, attribution, and intent. Successfully distinguishing the grey zone campaign signal through the global noise requires action through the entirety of the national security community. Policy, process, and tools must all adapt and evolve to detect, discern, and act upon a new type of signal | D01 | ||
F00076 | Monitor/collect audience engagement data connected to “useful idiots” | Target audience connected to "useful idiots rather than the specific profiles because - The active presence of such sources complicates targeting of Russian propaganda, given that it is often difficult to discriminate between authentic views and opinions on the internet and those disseminated by the Russian state. | D01 | ||
F00077 | Model for bot account behaviour | Bot account: action based, people. Unsure which DISARM techniques. | TA15 - Establish Assets | D01 | |
F00078 | Monitor account level activity in social networks | All techniques benefit from careful analysis and monitoring of activities on social network. | TA15 - Establish Assets | D01 | |
F00079 | Network anomaly detection | TA05 Microtargeting | D01 | ||
F00080 | Hack the polls/ content yourself | Two wrongs don't make a right? But if you hack your own polls, you do learn how it could be done, and learn what to look for | TA07 Channel Selection | D01 | |
F00081 | Need way for end user to report operations | TA09 Exposure | D01 | ||
F00082 | Control the US "slang" translation boards | TA11 Persistence | D03 | ||
F00083 | Build and own meme generator, then track and watermark contents | TA11 Persistence | D05 | ||
F00084 | Track individual bad actors | TA15 - Establish Assets | D01 | ||
F00085 | detection of a weak signal through global noise | Grey zone threats are challenging given that warning requires detection of a weak signal through global noise and across threat vectors and regional boundaries.Three interconnected grey zone elements characterise the nature of the activity: Temporality: The nature of grey zone threats truly requires a “big picture view” over long timescales and across regions and functional topics. Attribution: requiring an “almost certain” or “nearly certain analytic assessment before acting costs time and analytic effort Intent: judgement of adversarial intent to conduct grey zone activity. Indeed, the purpose of countering grey zone threats is to deter adversaries from fulfilling their intent to act. While attribution is one piece of the puzzle, closing the space around intent often means synthesising multiple relevant indicators and warnings, including the state’s geopolitical ambitions, military ties, trade and investment, level of corruption, and media landscape, among others. | |||
F00086 | Outpace Competitor Intelligence Capabilities | Develop an intelligence-based understanding of foreign actors’ motivations, psychologies, and societal and geopolitical contexts. Leverage artificial intelligence to identify patterns and infer competitors’ intent | TA02 Objective planning | D01 | |
F00087 | Improve Indications and Warning | United States has not adequately adapted its information indicators and thresholds for warning policymakers to account for grey zone tactics. Competitors have undertaken a marked shift to slow-burn, deceptive, non-military, and indirect challenges to U.S. interests. Relative to traditional security indicators and warnings, these are more numerous and harder to detect and make it difficult for analysts to infer intent. | D01 | ||
F00088 | Revitalise an “active measures working group,” | Recognise campaigns from weak signals, including rivals’ intent, capability, impact, interactive effects, and impact on U.S. interests... focus on adversarial covert action aspects of campaigning. | D01 | ||
F00089 | target/name/flag "grey zone" website content | "Grey zone" is second level of content producers and circulators, composed of outlets with uncertain attribution. This category covers conspiracy websites, far-right or far-left websites, news aggregators, and data dump websites | TA15 Establish Assets | D01 | |
F00090 | Match Punitive Tools with Third-Party Inducements | Bring private sector and civil society into accord on U.S. interests | TA01 Strategic Planning | D01 | |
F00091 | Partner to develop analytic methods & tools | This might include working with relevant technology firms to ensure that contracted analytic support is available. Contracted support is reportedly valuable because technology to monitor social media data is continually evolving, and such firms can provide the expertise to help identify and analyse trends, and they can more effectively stay abreast of the changing systems and develop new models as they are required | TA01 Strategic Planning | D01 | |
F00092 | daylight | Warn social media companies about an ongoing campaign (e.g. antivax sites). Anyone with datasets or data summaries can help with this | TA09 Exposure | D01 | |
F00093 | S4d detection and re-allocation approaches | S4D is a way to separate out different speakers in text, audio. | M004 - Friction | TA15 - Establish Assets | D01 |
F00094 | Registries alert when large batches of newsy URLs get registered together | M003 - Daylight | TA07 Channel Selection | D01 | |
F00095 | Fact checking | Process suspicious artefacts, narratives, and incidents | TA09 Exposure | D01 |