AMITT and Disinformation Frameworks
SJ Terp and Dr. Pablo Breuer
ThreeT.consulting / CogSecCollab.org
NYU Computational Disinformation Symposium, December 15th 2020
DISINFORMATION LAYER MODEL: PYRAMID
Campaigns
Incidents
Narratives
Artifacts
DISINFORMATION OBJECT MODELS: AMITT STIX
CAMPAIGN
INCIDENT
NARRATIVE
ARTIFACT
Disinformation TTPs: AMITT Framework
DISINFORMATION OBJECT MODELS: ACTOR, BEHAVIOUR, CONTENT AND NARRATIVES IN AMITT STIX
ACTOR
BEHAVIOUR
CONTENT
NARRATIVE
AMITT AUTOMATION
https://cogsec-collab.org/
Attack: Planning, Preparation, Execution, Evaluation
Defense: Planning, Preparation, Execution, Evaluation
AMITT and Disinformation Frameworks
@bodaceacat @ngree_h0bit
ThreeT.consulting / CogSecCollab.org
THREE LAYERS OF SECURITY
PHYSICAL SECURITY
CYBER SECURITY
COGNITIVE SECURITY
Disinformation Objects (STIX Extension)
Disinformation STIX | Description | Level | Infosec STIX
--- | --- | --- | ---
Report | Communication to other responders | Communication | Report
Campaign | Longer attacks (Russia’s interference in the 2016 US elections is a “campaign”) | Strategy | Campaign
Incident | Shorter-duration attacks, often part of a campaign | Strategy | Intrusion Set
Course of Action | Response | Strategy | Course of Action
Identity | Actor (individual, group, organisation etc.): creator, responder, target, useful idiot etc. | Strategy | Identity
Threat actor | Incident creator | Strategy | Threat Actor
Attack pattern | Technique used in incident (see framework for examples) | TTP | Attack pattern
Narrative | Malicious narrative (story, meme) | TTP | Malware
Tool | Bot software, APIs, marketing tools | TTP | Tool
Observed Data | Artefacts like messages, user accounts, etc. | Artefact | Observed Data
Indicator | Posting rates, follow rates etc. | Artefact | Indicator
Vulnerability | Cognitive biases, community structural weakness etc. | Vulnerability | Vulnerability
https://github.com/cogsec-collaborative/amitt_cti
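As an added example (not code from the amitt_cti repository), the mapping in this table turned into a small STIX 2.1 bundle builder with a validator for identifiers and references. The campaign, incident, narrative and technique names are constructed, and the "part-of" relationship type is an assumption; the rest uses STIX-defined types only.

```python
import re
import uuid
from datetime import datetime, timezone

# Added example (not amitt_cti code): standard library only, all content constructed.
# Disinformation object -> infosec STIX 2.1 type, as given in the slide table.
# "incident" and "narrative" are the two AMITT additions; the table gives
# intrusion-set and malware as their closest infosec analogues.
DISINFO_TO_STIX = {
    "report": "report",
    "campaign": "campaign",
    "incident": "intrusion-set",
    "course of action": "course-of-action",
    "identity": "identity",
    "threat actor": "threat-actor",
    "attack pattern": "attack-pattern",
    "narrative": "malware",
    "tool": "tool",
    "observed data": "observed-data",
    "indicator": "indicator",
    "vulnerability": "vulnerability",
}

# STIX identifier: "<type>--<UUIDv4>"; the regex also checks the UUID variant bits.
STIX_ID = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)

def _timestamp() -> str:
    # STIX timestamps: UTC, RFC 3339, millisecond precision, trailing "Z".
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"

def make_sdo(disinfo_kind: str, name: str, **extra) -> dict:
    """Build a STIX domain object for a disinformation-level concept."""
    stix_type = DISINFO_TO_STIX[disinfo_kind.lower()]
    ts = _timestamp()
    sdo = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}",
           "created": ts, "modified": ts, "name": name}
    if stix_type == "malware":
        # STIX 2.1 requires is_family on malware; a narrative is a family of stories.
        sdo["is_family"] = True
    sdo.update(extra)
    return sdo

def make_relationship(source: dict, rel_type: str, target: dict) -> dict:
    """STIX relationship object linking two domain objects by id."""
    ts = _timestamp()
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--{uuid.uuid4()}",
            "created": ts, "modified": ts, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}

def build_incident_bundle() -> dict:
    """Constructed sample: an incident inside a campaign, driven by a narrative
    and a technique, plus a course of action that mitigates the technique."""
    campaign = make_sdo("campaign", "Example anti-lockdown campaign")
    incident = make_sdo("incident", "Example 'reopen' protest push")
    narrative = make_sdo("narrative", "Lockdowns are a power grab",
                         malware_types=["unknown"])
    technique = make_sdo("attack pattern", "Placeholder AMITT technique")
    action = make_sdo("course of action", "Report coordinated accounts to platform")
    objects = [campaign, incident, narrative, technique, action,
               # "uses" and "mitigates" are STIX-defined relationship types;
               # "part-of" is an assumed custom type for incident -> campaign.
               make_relationship(incident, "part-of", campaign),
               make_relationship(incident, "uses", narrative),
               make_relationship(incident, "uses", technique),
               make_relationship(action, "mitigates", technique)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def validate_bundle(bundle: dict) -> list:
    """Return problems found: malformed ids, id/type mismatches, dangling refs."""
    problems, ids = [], {obj["id"] for obj in bundle["objects"]}
    for obj in [bundle] + bundle["objects"]:
        if not STIX_ID.match(obj["id"]):
            problems.append(f"malformed id {obj['id']}")
        if obj["id"].split("--")[0] != obj["type"]:
            problems.append(f"id/type mismatch for {obj['id']}")
        for ref in ("source_ref", "target_ref"):
            if ref in obj and obj[ref] not in ids:
                problems.append(f"dangling {ref} in {obj['id']}")
    return problems
```

The validator is the part worth keeping: a bundle that passes it can be handed to any STIX-consuming platform, which is the interoperability the table is about.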
COGNITIVE SECURITY SOCS: PROTOTYPES
10 years ago: Disaster Data
Today: Disinformation
• Covid19Activation
• Covid19Disinformation
• CTI League Disinformation
• CogSecCollab
• Threet
COGSEC SOC ACTIVITIES
• Inform: Summarise and share information about ongoing incidents
• Neutralise: Disinformation incident response: triage, takedown, escalation.
• Prevent: Collate disinformation indicators of compromise (IoCs) and vulnerabilities; supply to organisations.
• Support: Assess the possibility of direct attack, and ways to be ready for that.
• Clearinghouse: Collate and share incident data, including with organizations focusing on response and countercampaigns.
Sharing: MISP Threat Intelligence Platform
• Threat sharing standard with large community
  • EU funded (ENISA, CIRCL)
  • ISAC, ISAO, CERTs, CSIRTs
  • NATO, Military, Intelligence
  • Fortune 500’s
• Open data standards
  • MISP Core, STIX
• Connections
  • API push/pull
  • Email
  • Anomali ThreatStream, ThreatConnect, OSQuery
Plandemic as an AMITT Framework diagram
Other MISP Disinformation Objects
• taxonomies
  • DFRLab Dichotomies of Disinformation
  • NATO Disinformation Taxonomy (WIP)
• objects
  • forged-document, publication, etc.
  • twitter-post, facebook-post, reddit-post, etc.
  • twitter-group, facebook-group, reddit-subreddit, etc.
  • twitter-account, facebook-account, reddit-account, etc.
• relationships
  • authored-by
  • relates-to, etc.
Response: Mitigations and Countermeasures
Effects shown in the diagram: DETECT, DENY, DISRUPT, DEGRADE, DECEIVE, DESTROY, DETER
AMITT Response Catalogs
● Deny: stop them getting in
● Disrupt: interrupt them
● Degrade: slow them down
● Deceive: divert them
● Destroy: damage them
● Deter: discourage them
https://github.com/cogsec-collaborative/amitt_counters

2020 12 nyu-workshop_cog_sec


Editor's Notes

  • #2: Framing thoughts about the AMITT set of disinformation models, and lessons we’ve learned from using them in CogSecCollab and the CTI League. Notes: Four years ago, I was looking for ways to help fight the new problem of mass online disinformation. The answer is the process triangle: people, process, technology, culture, but mostly the answer is people: build communities of responders with the skills, tools and common language to counter disinformation, and work out ways to connect them up safely. Those people have included the AppNexus people who trawled through advertising data, the Hackers who met at Sofwerx and red-teamed responses and mitigations, the Misinfosec groups and Credibility Coalition standards team, the CogSec Collab and the CTI League disinformation team that’s spent much of this year countering Covid19 disinformation. We’ve shared our toolset with teams in NATO, the European Union and several other countries including the US and Canada (love you Canada!) and handed our ATT&CK-inspired model over to MITRE, built a bunch of things, got a lot of things into common language. Here’s some of how we think.
  • #3: We need good models to describe and share disinformation information quickly. One way we looked at disinformation was from the viewpoints of attacker and defender. Disinformation creators have longer-term campaigns (e.g. destabilise French politics). They create incidents (e.g. a short burst of messages around a specific topic or event), based on narratives, which are the stories that we tell ourselves about who we are, who we belong to, who we don’t belong to, what’s happening in the world. These rely on artefacts: disinformation messages, images, accounts, relationships and groups. As responders, what we generally see are the artifacts, and we work up from there. Notes: Misinfosec moved the conversation around disinformation from artefacts to incidents and narratives. Narratives are the level that most disinformation works at.
  • #4: We’ve adopted and adapted principles, processes, and tools from information security. One of these is STIX - the message format used by ISAOs and other infosec bodies to rapidly share information. We added two constructs: narrative and incident. The pyramid layers are outlined in pink here. Objects include threat actors and campaigns; incident objects including the techniques used by both the incident creator and defender, artifacts including observations and accounts, and other objects that we could use to describe an incident, including reports, tools, indicators, infrastructure and vulnerability. Note: Diagram created with IdahoLab’s STIG tool.
  • #5: We labelled the techniques. These are part of the AMITT TTP (tactics, techniques, procedures) framework. Looking at this from the top to the bottom, the first line is operational phases, then the blue boxes are “tactic stages”, links in the disinformation kill chain, and the grey boxes are the TTPs that allow you to complete each stage. This reads from left to right: the tactic stages to the left typically happen earlier than the ones to the right; the purple and red colouring shows left and right of “boom”, the point at which disinformation activities are exposed to the public. This is deliberately similar to the ATT&CK TTP framework, so you can use all ATT&CK-compatible tools with it. We have a corresponding set of TTPs for defence, also available in the AMITT github repo. Notes: In the AMITT framework repo, you can click on a technique and get details about what it is, who uses it, and which counters are available for it. The AMITT framework was built to be practical. We need to be able to translate our findings into an actionable story.
  • #6: Here’s the STIX example, showing the links between it and narrative-based, and socio-technical models (e.g. Francois’ Actor, Behaviour, Content).
  • #7: And finally, Pablo extended our work to look at which parts can be automated using machine learning and AI. Red is difficult to automate, yellow is possible, and green has the greatest automation possibilities, bearing in mind that for most systems, you’ll still need a human in the loop (HITL). Notes: This part presented at the 2020 New York AI Summit.
  • #9: [Images: human mindset by Lagot Design from the Noun Project]
  • #10: STIX is the sharing standard used by ISACs and ISAOs. We added two objects to STIX for disinformation: incident, and narrative. We didn’t need to change anything else. This was the first step toward threat-informed defence in the influence operation space. Building STIX objects for disinformation enables us to model actors and their TTPs. STIX complements MISP and ensures we’re able to transmit data across all threat intelligence platforms.
  • #12: Prevent: for example, if we identify that a “Reopen $STATE” campaign is attempting to organize another “Operation Gridlock” incident, we can alert state, city, and county officials, as well as any hospitals in the target area. Support: we’ve seen few direct cognitive security attacks on medical facilities so far. We have seen attacks directed at high-profile medical individuals and general attacks. Example: we could prepare resources that could be used in countering campaigns that target COVID-19 field hospitals. Inform includes flash alerts.
  • #13: CTI is tracking incidents using HIVE case tracking. It has a process for starting incidents that includes “is this relevant to Covid19, is it significant, are we the best team to do this, are there other teams likely to be working on this?” Cases also include persistent threats: groups, narratives, artefacts etc. that are likely to appear in future incidents. [NB Observables in Hive are start observables only; most artefacts are stored in MISP or DKAN.] MISP is an open source threat intel platform: originally a malware information sharing platform, we’ve repurposed it as a misinformation sharing platform. MISP enables community-driven, collaborative analysis and highly customizable sharing communities. It’s a permanent fixture of the CTI community, including national CERTs and intelligence agencies, due to its high security, extensibility, and vibrant community. MISP can integrate with most CTI platforms via open data formats including STIX, CEF, and MISP, and provides easy methods of getting data in and out of the platform for non-technical consumers. MISP is EU funded through ENISA and CIRCL.
  • #14: The example here is Plandemic. Plandemic is a debunked conspiracy theory video which makes some false claims about the nature of COVID-19. We can map out this small, but successful, operation in the AMITT framework to help us understand what capabilities the actor has and potentially how they’re resourced. As with ATT&CK, we can start building an understanding of actors’ capabilities over time. These models are easily distributed within the community to our EU and NATO partners.
  • #15: MISP needed a new object set to cover disinformation and social media. The AMITT Framework ships with MISP, to cover disinformation TTPs. We added other disinformation models to MISP as tags, including DFRLab’s Dichotomies of Disinformation taxonomy and the NATO Disinformation Taxonomy (a cut-down version of the DFRLab model, for sharing tactical information). We’ve also added several new MISP objects to store social media data for Facebook, Twitter, Reddit, YouTube, Parler, as well as generic objects such as blogs, microblogs, publications, and new-media. Here is an example of events tagged with both AM!TT Galaxy and DFRLab tags. We need our data to tell a story. Using MISP objects we’re able to represent the relationships between things: for example, who posted a blog post, who was mentioned in a news article, who is the registered owner of a domain. Ultimately these are the things we’re aiming to build and share: not a flat list of indicators, but a model of how the adversary operates and how we can identify them moving forward. Speeding it up: we’ve built custom integrations to help analysts work with information operations in MISP. Slack bots help our analysts get data into the platform faster; a one-line Slack command saves users 10 minutes of work each use. The Slack bots use our open-source Python scripts to get data into MISP (using the MISP API), and we can similarly feed MISP data from a CSV, other formats or even other platforms. MISP includes data enrichment modules and can additionally integrate with third-party microservices such as Cortex, for data enrichment on atomic artefacts such as DNS lookups, domain registrations, and usernames. Results can be exported via ZMQ to a data lake or additional services.
  • #16: Those JP-13 descriptions: Destroy: damage a system or entity so badly that it cannot perform any function or be restored to a usable condition without being entirely rebuilt. Deter: discourage. We added Deter to the list as a potentially useful category too. Deny: prevent the adversary from accessing and using critical information, systems, and services. Deceive: cause a person to believe what is not true. Military deception seeks to mislead adversary decision makers by manipulating their perception of reality. Disrupt: break or interrupt the flow of information. Degrade: reduce the effectiveness or efficiency of adversary command and control or communications systems, and information collection efforts or means. (Detect: discover or discern the existence, presence, or fact of an intrusion into information systems. We included Detect because that’s what everyone was doing: looking, not reacting, and we wanted them to get that out of their systems.)
  • #17: Mostly, when people think about cognitive security, they look at platforms, public and government as responders. But as we catalogued counters, we found many types of people, resources and groups who could help, and work on how they could help. One group CogSecCollab has supported is the information sharing and analysis organisations, the ISAOs and cyber Interpols. These already share infosec information for critical sectors in the USA, and we helped stand up (and suggested the name for) one that shares cognitive security information to all the other ISAOs and ISACs: the CS-ISAO (Cognitive Security ISAO). CogSecCollab got interrupted by Covid19, but open-sourced our countermeasures lists. It has ideas… We originally built that countermeasures list using a seed list, a workshop, lots of postits and the list of AMITT tactic stages. This created a classic courses of action matrix, and gave us a lot to think about. We took the list of potential responders, the AMITT tactics list, the JP-13 list of effects (Detect, Deny etc), and a roomful of experts, and built a disinformation courses of action matrix. We’ve built out theory and examples for effects-based, tactic-based and doctrine-based countermeasures. For Covid19, we’re using effects-based only at the moment: reporting to law enforcement, reporting to platforms, registrars etc. We ran an exercise and cleanup that produced over 200 different ways to counter or mitigate disinformation incidents. The list items above are JP-13 response types, and a rough grouping of the types of response possible, used to organise that list of countermeasures. We’re pretty proud of moving the community past talking about looking at disinformation incidents and their only real responses being botnet takedowns and educating people, to seeing “TTP” in lots of groups’ slidesets.
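The courses-of-action matrix described in the #16 and #17 notes, as an added example rather than the project's own amitt_counters list: it groups countermeasures by AMITT operational phase (the four from the automation slide) and JP effect, then reports the empty cells where responders currently have no option. The countermeasures listed are constructed placeholders, not entries from the catalogue.

```python
# Added example, not the CogSecCollab counters list; sample data is constructed.
EFFECTS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy", "Deter"]
PHASES = ["Planning", "Preparation", "Execution", "Evaluation"]

# Constructed sample countermeasures: (name, phase it applies to, effect it has).
SAMPLE_COUNTERS = [
    ("Monitor seeds of known narratives", "Preparation", "Detect"),
    ("Pre-bunk likely narratives with at-risk communities", "Preparation", "Deny"),
    ("Flash alert to partner ISAOs", "Execution", "Detect"),
    ("Report coordinated accounts to the platform", "Execution", "Disrupt"),
    ("Rate-limit posting from newly created accounts", "Execution", "Degrade"),
    ("Publish an attribution report", "Evaluation", "Deter"),
]


def build_matrix(counters):
    """Group countermeasures into a phase x effect grid of countermeasure names."""
    matrix = {p: {e: [] for e in EFFECTS} for p in PHASES}
    for name, phase, effect in counters:
        if phase not in matrix or effect not in EFFECTS:
            raise ValueError(f"unknown phase/effect for {name!r}: {phase}/{effect}")
        matrix[phase][effect].append(name)
    return matrix


def gaps(matrix):
    """Cells with no countermeasure: where the catalogue gives responders nothing."""
    return [(p, e) for p in PHASES for e in EFFECTS if not matrix[p][e]]


def coverage(matrix):
    """Fraction of phase x effect cells that have at least one countermeasure."""
    filled = sum(1 for p in PHASES for e in EFFECTS if matrix[p][e])
    return filled / (len(PHASES) * len(EFFECTS))


def render(matrix):
    """Plain-text grid of counts per cell: rows are effects, columns are phases."""
    width = max(len(p) for p in PHASES) + 2
    lines = [" " * 8 + "".join(p.rjust(width) for p in PHASES)]
    for e in EFFECTS:
        cells = "".join(str(len(matrix[p][e])).rjust(width) for p in PHASES)
        lines.append(e.ljust(8) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_COUNTERS)
    print(render(m))
    print(f"coverage {coverage(m):.0%}; {len(gaps(m))} empty cells, e.g. {gaps(m)[:3]}")
```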