ISAO strategic planning blueprint against misinformation

1. ISAO Strategic Planning Blueprint
against Misinformation ISAO
KEVIN MANSON, CHRIS BLASK, SARA “SJ” TERP, PABLO BREUER
December 10th 2019
!1

2. MIS / DISINFORMATION
deliberate promotion… of false, misleading or mis-attributed information
focus on creation, propagation, consumption of misinformation online
We are especially interested in misinformation designed to change beliefs in a
large number of people
!2

3. EVOLUTION OF INFORMATION
3

4. 4
EVOLUTION OF INFORMATION

5. WESTPHALIAN SOVEREIGNTY
Each nation has sovereignty over its own territory
and domestic affairs
Principal of non-interference in another country’s
domestic affairs
Each state is equal under international law
5

6. NATIONAL INSTRUMENTS OF INFLUENCE
…and how to influence other nation-states.
Diplomatic Informational Military Economic
Resources available in pursuit of national objectives…
6

7. BUSINESS INSTRUMENTS OF INFLUENCE
Business Deals &
Strategic
Partnerships
PR and Advertising Mergers and
Acquisitions
R&D and Capital
Investments
7
Resources available in pursuit of corporate objectives…

8. INFORMATION THREATS
Democracy
• Require common political knowledge
• Who the rulers are
• Legitimacy of the rulers
• How government works
• Draw on contested political knowledge to solve
problems
• Vulnerable to attacks on common political
knowledge
Autocracy
• Actively suppress common political knowledge
• Benefit from contested political knowledge
• Vulnerable to attacks on the monopoly of
common political knowledge
8

9. MOST CYBERSPACE OPERATIONS ARE BASED ON INFLUENCE
Force an adversary to make a decision or take an
action based on:
• Information I hide
• Information I give
• Information I change
• Information I deny/degrade
• Information I destroy
Enable my decisions based upon knowing yours
“Operations to convey selected information and indicators to audiences to influence their
emotions, motives, and objectives reasoning, and ultimately the behavior of governments,
organizations, groups, and individuals”
9

10. THE NEED
The only defense against the world is a
thorough knowledge of it.
- John Locke
10

11. COMBINING DIFFERENT VIEWS OF DISINFORMATION
• Information security (Gordon, Grugq, Rogers)
• Information operations / influence operations (Lin)
• A form of conflict (Singer, Gerasimov)
• [A social problem]
• [News source pollution]
!11

12. MISINFOSEC COMMUNITIES
● Industry
● Academia
● Media
● Community
● Government
● Infosec
!12

13. COMPONENTWISE UNDERSTANDING AND RESPONSE
• Lingua Franca across communities
• Defend/countermove against reused techniques, identify gaps in attacks
• Assess defence tools & techniques
• Plan for large-scale adaptive threats (hello, Machine Learning!)
!13

14. DOING IT AT SCALE
• Computational power
• Speed of analysis
• Lack of framework
• Systems theory and emergence of
characteristics
• Cognitive friction
• Cognitive dissonance
https://www.visualcapitalist.com/wp-content/uploads/2018/05/
internet-minute-share2.jpg
14

15. CONNECTING MISINFORMATION ‘LAYERS’
!15
Campaigns
Incidents
Narratives
Artifacts
attacker
defender

16. ORGANISATIONS
16

17. BUILDING AN ISAO
!17
• Goals
• Organisation
• Sharing rules
• Tools
• Security / Compliance
• Improve
https://www.x-isac.org/publication.html

18. WHO: CS-ISAO SHARING
● Sustained by CS-ISAO Members & Sponsors
● Supported by The International Association of Certified ISAOs (IACI)
● Connects Cognitive Security Domain Public- and Private-Sector Stakeholders
○ Private-Sector Organizations
○ Government (US - Federal, State/Local/Tribal/ Territorial (SLTT), International)
○ Critical Infrastructure Owners/Operators
○ Other Communities-of-Interest, Public, Disinformation Initiatives/Programs/ Organizations,
Social Medial Organizations, Traditional Media, Relevant Technology and Security
Companies, Civil Society Groups, Researchers/SMEs
● Led by the Private Sector, in Cooperation, Coordination and Collaboration with
Government

19. WHY: CS-ISAO GOALS
VISION: defend and protect truth and the freedom of expression without harm
MISSION: Accelerating Cognitive Security Resilience by
• advancing the capacity and capability to share cognitive security
disinformation intelligence, and to
• create, disseminate and apply the countermeasures, tools, technologies,
best practices and education to protect the global information ecosystem

20. WHAT: CS-ISAO MISSION SUPPORT
• Facilitate a Culture of Cognitive Security
• Sustainable Global Infrastructure to Defend and Protect the Information Ecosystem (IE), Integrated with
and Aligned to Physical and Cyber Security
• Connect Public and Private Sector Stakeholders
• Move from Reactive to Proactive Security Resilience
• Shared Knowledge - understanding human behavior (psychological factors)
• Operationalizing - collaborative capacities and capabilities, best practices, standards, policies, tools
and technologies to define, disseminate, maintain and apply fundamental cognitive models to defend IE
• Align Functional Roles and Responsibilities
• Feed into a centralized operations system: identify cognitive security ecosystem activities, evaluate risk
and design effective response strategies.

21. HOW: CS-ISAO SERVICE OFFERING
Identification Understanding Cognitive Security to identify and manage risks (people, assets,
data, technology, capabilities, policies/ laws/regulations, vulnerabilities, supply
chain) and identification of the adversarial domain
Protection Implementing safeguards to ensure integrity and availability of information
systems and assets – Ability to limit or contain impacts – Provide awareness
and education
Detection Monitoring, detecting and sharing Cognitive Security intelligence, trends,
threats, attacks and their impacts
Response Communication of countermeasures (executing response processes, analysis,
mitigation, benefitting from lessons learned
Recovery Maintaining resilience plans, restoring impacted information, systems and
assets, benefitting from lessons learned

22. TOOLS
All warfare is based on deception.
- Sun Tzu
All cyberspace operations are based on influence.
- Pablo Breuer
22

23. STAGE-BASED MODELS ARE USEFUL
RECON WEAPONIZE DELIVER EXPLOIT CONTROL EXECUTE MAINTAIN
Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Execution Collection Exfiltration
Command
and Control
!23

24. WE EXTENDED THE ATT&CK FRAMEWORK
!24

25. POPULATING THE FRAMEWORK: HISTORICAL ANALYSIS
• Campaigns
• e.g. Internet Research Agency, 2016 US elections
• Incidents
• e.g. Columbia Chemicals
• Failed attempts
• e.g. Russia - France campaigns
!25

26. HISTORICAL CATALOG: DATASHEET
• Summary: Early Russian (IRA) “fake news”
stories. Completely fabricated; very short lifespan.
• Actor: probably IRA (source: recordedfuture)
• Timeframe: Sept 11 2014 (1 day)
• Presumed goals: test deployment
• Artefacts: text messages, images, video
• Related attacks: These were all well-produced
fake news stories, promoted on Twitter to
influencers through a single dominant hashtag --
#BPoilspilltsunami, #shockingmurderinatlanta,
• Method:
1. Create messages. e.g. “A powerful explosion heard from
miles away happened at a chemical plant in Centerville,
Louisiana #ColumbianChemicals”
2. Post messages from fake twitter accounts; include handles
of local and global influencers (journalists, media,
politicians, e.g. @senjeffmerkley)
3. Amplify, by repeating messages on twitter via fake twitter
accounts
• Result: limited traction
• Counters: None seen. Fake stories were debunked very
quickly.
!26

27. TECHNIQUES
!27

28. FRAMEWORK (AMITT)
!28

29. TACTIC STAGES (AND PHASES)
Planning Strategic Planning
Objective Planning
Preparation Develop People
Develop Networks
Microtargeting
Develop Content
Channel Selection
Execution Pump Priming
Exposure
Go Physical
Persistence
Evaluation Measure
Effectiveness
!29

30. STIX AMITT
Misinformation STIX Description Level Infosec STIX
Report communication to other responders Communication Report
Campaign Longer attacks (Russia’s interference in the 2016 US elections is
a “campaign”)
Strategy Campaign
Incident Shorter-duration attacks, often part of a campaign Strategy Intrusion Set
Course of Action Response Strategy Course of Action
Identity Actor (individual, group, organisation etc): creator, responder,
target, useful idiot etc.
Strategy Identity
Threat actor Incident creator Strategy Threat Actor
Attack pattern Technique used in incident (see framework for examples) TTP Attack pattern
Narrative Malicious narrative (story, meme) TTP Malware
Tool bot software, APIs, marketing tools TTP Tool
Observed Data artefacts like messages, user accounts, etc Artefact Observed Data
Indicator posting rates, follow rates etc Artefact Indicator
Vulnerability Cognitive biases, community structural weakness etc Vulnerability Vulnerability
!30

31. STIX GRAPHS (THANKS, STIG!)
!31

32. INTELLIGENCE SHARING AND COORDINATION
!32

33. CURRENT WORK: MITIGATIONS AND COUNTERS
!33

34. NEXT
• Continue to grow the coalition of the willing
• Support the Cognitive Security ISAO
• Continue to build an alert structure (ISAC, US-CERT, Interpol, Industry, etc.)
• Continue to refine TTPs and framework
• More mitigations and counters
• STIX-based data science
• AMITT updates at misinfosec.org
!34