Using AMITT and ATT&CK frameworks

Editor's Notes

• #2: I’m SJ Terp - I lead CogSecCollab, a global volunteer organization dedicated to disinformation response. We build disinformation response tooling and processes, do framework and counter disinformation trainings, and help set up disinformation response groups. One of the things we do is adapt risk management and infosec processes and tools to counter disinformation and other digital harms. Today I’m talking about the AMITT ATT&CK-based frameworks.
• #3: We started by socializing the idea of there being three layers of security: physical - e.g. access to the building; cyber - e.g. computers and computer networks, and cognitive - brains and human networks, e.g. communities and countries.
• #4: There are many actors in this space. We hear a lot about threat actors - these are at different scales, with different capabilities and motivations. They’re learning from each other, and they often interact - for instance, we see t-shirt sellers picking up geopolitical narratives.
• #5: But there are also response actors in this space. These are also at different scales, with different motivations, capabilities, and connections. Our work is on how best to join these together into a coordinated rapid response. And to do this, we’re borrowing the idea of a Security Operations Center or SOC - a coordinating unit, focussed on cognitive security, connected to other disinformation SOCs. These organizations are starting to exist. This won’t be the same for everyone, so we’re designing operations for different sizes of organization, from ISAO sized down to small teams embedded in an information security unit, to independent teams, with connections to a response network, maybe as information providers or responders.
• #6: We’re mapping hundreds of teams around the world, looking for response capabilities and gaps. We’re a volunteer group, so CogSecCollab is specifically interested in other volunteer teams, but we know we’re part of a larger ecosystem, and part of my current consultancy work is helping UNDP set up disinformation response across different types of group in its pilot country. We need to remember respect. The way we connect people needs to respect the groups, the subjects of disinformation, and the accounts and groups being investigated. Disinformation is a joined-up problem, and we’re not going to counter it effectively without a joined-up response.
• #7: Stealing from SOCs again, these SOCs do three basic things. Risk mitigation: SOCs work ahead of time to reduce the risk of disinformation. CogSecCollab has trialled a lot of this, for example doing risk assessments and running disinformation Red Team exercises all last year. Operations: SOCs work in real time to counter ongoing operations. This is tactical work, that we’re starting to see more teams doing. Enablement: And they do the infrastructure work that helps them do the other two tasks. Teams like GEC do this too.
• #8: Here are some Disinformation SOC high-level activities. This is what we used in the CTI League disinformation team. Inform and Neutralise are operational response activities: communicating and countering with the techniques and connections available. The CTI League disinformation team did this for Covid19 disinformation across countries last year, and CogSecCollab ran teams during and after the 2020 US elections. Prevent and Support are risk reduction. FiveBy are releasing a report I wrote with them on pivoting their existing tech risk reduction work and narrative management capabilities to disinformation use. CSC does this too. Clearinghouse is Enablement.  CogSecCollab added disinformation data to the CTI League’s infosec clearing houses last year.
• #9: Almost every team benefits from data engineering, but another part of enablement is having a common lexicon, and models to rapidly share alerts with.  Here are the high-level entities that we model - - Disinformation creators have longer-term campaigns (e.g. destabilise French politics).  - They create incidents (e.g. a short burst of messages around a specific topic or event), based on narratives, which are the stories that we tell ourselves about who we are, who we belong to, who we don’t belong to and what is happening in the world around us.  - Narratives are the level that most disinformation works at.  - But as responders, what we generally see are the artefacts: the messages, the images, the accounts, the relationships and groups.
• #10: And this is the first infosec technology CogSecCollab has adapted: the STIX standards for information sharing, used by ISACs to share alert data.  At the campaign level, we have threat actors and campaigns.  At the incident level, we have incidents, and the techniques used by all actors - both threat actors (the blue boxes), and response actors (the green boxes) in this diagram. We have narratives - these might be part of multiple incidents and campaigns.  And we have the artifacts connected to incidents and campaigns.  STIX has other objects, including indicators and vulnerabilities, that we're also adapting for disinformation alongside other groups.
• #11: This is the AMITT Red framework: the disinformation version of MITRE ATT&CK that we built to model the stages and techniques in disinformation creation.  Looking at this from the top to the bottom, the first line is operational phases, then the blue boxes are “tactic stages”, links in the disinformation kill chain. The kill chain is different: we tried to fit it to the existing one, but it didn’t cover every part of disinformation. The grey boxes are the TTPs (tactic, technique, or procedure) that allow you to complete each stage. TTPs are behaviors that we can view examples and counters for, and the Cognitive Security Intelligence Centre is adding indicators to this. AMITT Red is deliberately similar to the ATT&CK TTP framework, so you can use all ATT&CK-compatible tools with it.
• #12: This is the AMITT Blue framework: it contains 160 countermoves to the campaign and incident techniques that we analysed with AMITT Red.  We used information operations frameworks to create this, specifically the classifications Deny, Disrupt:, Degrade, Deceive:, Destroy, and Deter - for each tactic stage and Red technique. We’ve partnered with counter-disinformation groups like RealityTeam.org who use targeted counter messaging and metrics to push away disinformation narratives. And we’re currently cleaning this matrix up.
• #13: This is one of the tools we've adapted: MISP is open-source and commonly used for infosec information sharing.  It’s used by CERTs and intelligence agencies, and integrates with most CTI platforms. AMITT models now ship with every MISP open-source system.
• #14: AMITT red and blue are also being used by the European Union for describing disinformation,  by the creators of the BadNewsGame and Harmony Square for gaming out disinformation responses, by other teams around the world, and we've tried them with NATO, several countries, and are talking with MITRE. And here is one of the other things we do: analysing which parts of disinformation response we can automate, using AMITT as a guide.