Presentation on disinformation security operations centers, frameworks, and AMITT. Given to University of Maryland, May 2021

1. CogSOCs:
Distributed Defence Against Disinformation
SJ Terp and Dr. Pablo Breuer, CogSecCollab, 2021
1

2. Online Harm: Disinformation
“deliberate promotion… of false,
misleading or mis-attributed information
focus on online creation, propagation,
consumption of disinformation
We are especially interested in
disinformation designed to change beliefs
or emotions in a large number of people”
2

3. Three Layers of Security
PHYSICAL
SECURITY
CYBER
SECURITY
COGNITIVE
SECURITY

4. Disinformation Risk
Assessments and Risk
Management

5. Disinformation Risk Landscaping
Mis/disinformation is everywhere:
Where do you put your resources?
● Detection, mitigation, response
● People, technologies, time, attention
● Connections
Manage the risks, not the artifacts
● Attack surfaces, vulnerabilities, potential
losses / outcomes
● Risk assessment, reduction, remediation
● Risks: How bad? How big? Who to?

6. Disinformation Risk Assessment
Information
Landscape
• Information seeking
• Information sharing
• Information sources
• Information voids
Threat
Landscape
• Motivations
• Sources/ Starting points
• Effects
• Misinformation Narratives
• Hateful speech narratives
• Crossovers
• Tactics and Techniques
• Artifacts
Response
Landscape
• Monitoring organisations
• Countering organisations
• Coordination
• Existing policies
• Technologies
• etc

7. Working Together:
Cognitive Security
Operations Centres

8. Disinformation Actors
Persistent
Manipulators
Advanced teams
• Internet Research Agency
• China, Iran teams etc
For-profit website networks
• Antivax websites
• Pink slime sites
• “Stolen” US election sites
Nationstate media
• Sputnik
• Russia Today
Service
Providers
Disinformation as a Service
• Factories
• Ex-marketing, spam etc
Ad-Hoc paid teams
• EBLA Ghana
• PeaceData USA
Opportunists
Wares Sellers
• Clicks
• T-shirts
• Books etc.
Groups
• Conspiracy groups
• Extremists
Individuals
• Attention-seekers
• Jokers etc

9. Response Actors
Disinformation SOCs
Large actors
• ISAOs
• Platforms
• Other large actors
Event-specific
• War rooms
• Agencies
Disinformation
Teams
Disinformation “desk"
• In existing SOC
• Standalone unit
Investigators
• Journalists
• Academics
• Independent journalists
Other Responders
Policymakers
Law enforcement
Corporations
Influencers
Nonprofits
Educators
Individual researchers
Concerned citizens

10. Connect Response Efforts
Hundreds of groups, large
and small, working on
different pieces /
approaches
Help them identify and
connect with one another
Facilitate collaboration and
communication

11. CogSOC Top-level Activities
Risk Mitigation
Secure system
* Red teaming
* Simulations & exercises
* Vulnerability patching
* Building resilience
Check compliance
* compliance analysis
Enablement
Foundation work
* Training
* Coordination
* Data engineering
* Information frameworks
Real-time Operations
Incident response
* Discover
* Investigate
* Respond to threats
Research
* Risk intelligence
* Deeper investigations

12. Cognitive SOC:
Enablement

13. Frameworks and Standards
1
3
Campaigns
Incidents
Narratives
Artifacts

14. DISINFORMATION
OBJECT MODELS:
AMITT STIX
CAMPAIGN
INCIDENT
NARRATIVE
ARTIFACT

15. DISINFORMATION
OBJECT MODELS:
ACTOR,
BEHAVIOUR,
CONTENT AND
NARRATIVES IN
AMITT STIX
ACTOR
BEHAVIOUR
CONTENT
NARRATIVE

16. AMITT Red: Disinformation Framework

17. AMITT:
Technique
T0039

18. Response: Mitigations and Countermeasures
DECEIVE
DENY
DESTROY DETER
DEGRADE
DISRUPT
DETECT

19. Planning
Strategic
Planning
Objective
Planning
Preparation
Develop
People
Develop
Networks
Microtargeting
Develop
Content
Channel
Selection
Execution
Pump Priming Exposure
Prebunking
Humorous counter
narratives
Mark content with
ridicule / decelerants
Expire social media
likes/ retweets
Influencer disavows
misinfo
Cut off banking
access
Dampen emotional
reaction
Remove / rate limit
botnets
Social media amber
alert
Etc
Go Physical Persistence
Evaluation
Measure
Effectiveness
Have a
disinformation
response plan
Improve stakeholder
coordination
Make civil society
more vibrant
Red team
disinformation, design
mitigations
Enhanced privacy
regulation for social
media
Platform regulation
Shared fact checking
database
Repair broken social
connections
Pre-emptive action
against disinformation
team infrastructure
Etc
Media literacy
through games
Tabletop simulations
Make information
provenance
available
Block access to
disinformation
resources
Educate influencers
Buy out troll farm
employees / offer
jobs
Legal action against
for-profit
engagement farms
Develop compelling
counter narratives
Run competing
campaigns
Etc
Find and train
influencers
Counter-social
engineering training
Ban incident actors
from funding sites
Address truth in
narratives
Marginalise and
discredit extremist
groups
Ensure platforms are
taking down
accounts
Name and shame
disinformation
influencers
Denigrate funding
recipient / project
Infiltrate in-groups
Etc
Remove old and
unused accounts
Unravel Potemkin
villages
Verify project before
posting fund requests
Encourage people to
leave social media
Deplatform message
groups and boards
Stop offering press
credentials to
disinformation outlets
Free open library
sources
Social media source
removal
Infiltrate
disinformation
platforms
Etc
Fill information
voids
Stem flow of
advertising money
Buy more advertising
than disinformation
creators
Reduce political
targeting
Co-opt disinformation
hashtags
Mentorship: elders,
youth, credit
Hijack content
and link to
information
Honeypot social
community
Corporate research
funding full disclosure
Real-time updates to
factcheck database
Remove non-relevant
content from special
interest groups
Content moderation
Prohibit images in
political Chanels
Add metadata to
original content
Add warning labels
on sharing
Etc
Rate-limit
engagement
Redirect searches
away from disinfo
Honeypot: fake
engagement system
Bot to engage and
distract trolls
Strengthen
verification methods
Verified ids to
comment or
contribute to poll
Revoke whitelist /
verified status
Microtarget likely
targets with
counter
messages
Train journalists to
counter influence
moves
Tool transparency
and literacy in
followed channels
Ask media not to
report false info
Repurpose images
with counter
messages
Engage payload and
debunk
Debunk/ defuse fake
expert credentials
Don’t engage with
payloads
Hashtag jacking
Etc
DMCA takedown
requests
Spam domestic
actors with lawsuits
Seize and analyse
botnet servers
Poison monitoring
and evaluation
data
Bomb link shorteners
with calls
Add random links to
network graphs
AMITT Blue: Countermeasures Framework

20. Example: Counternarratives in Disinformation Space

21. Cognitive SOCs:
Real-time Operations

22. Pillars of a SOC
• People
• Enough people to make a difference, in time
• Enough connections / levers to make a difference
• Culture
• Safety processes: mental health and opsec
• Process
• Understand disinformation, understand threat response
• Fast, lightweight processes
• Technology
• Speed - supporting analysis, storage etc
• Sharing - get data to responders in ways they understand (whatever works)

23. ACTION
MONITORING
RESPONSIBLE FOR
CogSOC: Organisation Boundaries
Internet
Domains
Social Media
Platforms
Organization’s
Platforms
Lawmakers
Organization’s
Business Units
COG SOC
Infosec SOC
Organization’s
Communities
Media

24. COGSOC Internal Organization: Tiers
Tier1 Triage
• Scanning systems
• Triaging alerts
• Gathering data
• Starting tickets
Tier2 Incident
Response
• Analysis
• Remediation
• Tactical response
Tier3 SMEs
• Threat hunting
• Deep analysis
• Strategic response
Tier4 Management
• Business connections
• Plans, audits, organization
Tickets Responses Reports
Crisis Plan
Platform alerts
Social media
External alerts
Business Units
Partners &
Responders
Disinformation Knowledge
• Artifacts, narratives, actors,
segments etc
Specialist Knowledge
• Politics, industry, marketing etc

25. COGSOC: Connections and Configurations
Cognitive
ISAO
ISAC/
ISAO
Infosec
SOC
Comms
Legal
COG
SOC Trust&
Safety
Platform
ORG
Infosec
SOC
Comms
Legal
COG
Desk Trust&
Safety
Platform
Comms
Legal
COG
Desk
Trust&
Safety
Platform
ORG
ORG
ORG
ORG
ORG
ORG
ORG
COG
SOC

26. Resource Allocation and Measurement
● You can’t manage what you can’t measure
○ Backed by disinformation and response measurement
● Resource allocation and depletion on both sides
○ Strategic objectives
○ People, process, technology, time, money, attention, reach, etc
○ We can learn a lot from games
● Extending capacity
○ Surge capacity
○ Automation - using ML to take strain during times of heavy loads

27. CogSOC Coordination Goals
• Risk mitigation
• Prevent: Collate and share indicators and vulnerabilities.
• Support: Help potentially-targeted organisations prepare for incidents
• Enablement
• Clearinghouse: Collate and share incident data
• Operations
• Inform: Summarise and share information about ongoing incidents
• Neutralise: Respond to incidents: triage, takedown, escalation.
2
8

28. Practical: Country Risk
Assessment and Response
Design

29. Example Information Landscape
• Traditional Media
• Newspapers
• Radio - including community radio
• TV
• Social Media
• Facebook
• Whatsapp
• Twitter
• Youtube/ Telegram/ etc
• Others
• Word of mouth

30. Example Threat Landscape
• Motivations
• Geopolitics mostly absent
• Party politics (internal, inter-party)
• Actors
• Activities
• Manipulate faith communities
• discredit election process
• Discredit/discourage journalists
• Attention (more drama)
• Risks / severities
• Sources
• WhatsApp
• Blogs
• Facebook pages
• Online newspapers
• Media
• Routes
• Hijacked narratives
• Whatsapp to blogs, vice versa
• Whatsapp forwarding
• facebook to whatsapp
• Social media to traditional media
• Social media to word of mouth

31. Creator Behaviours
● T0007: Create fake Social Media Profiles /
Pages / Groups
● T0008: Create fake or imposter news
sites
● T0022: Conspiracy narratives
● T0023: Distort facts
● T0052: Tertiary sites amplify news
● T0036: WhatsApp
● T0037: Facebook
● T0038: Twitter

32. Example Response Landscape
(Needs / Work / Gaps)
Risk Reduction
● Media and influence
literacy
● information landscaping
● Other risk reduction
Monitoring
● Radio, TV, newspapers
● Social media platforms
● Tips
Analysis
● Tier 1 (creates tickets)
● Tier 2 (creates
mitigations)
● Tier 3 (creates reports)
● Tier 4 (coordination)
Response
● Messaging
○ prebunk
○ debunk
○ counternarratives
○ amplification
● Actions
○ removal
○ other actions
● Reach

33. Responder Behaviours
● C00009: Educate high profile influencers on best practices
● C00008: Create shared fact-checking database
● C00042: Address truth contained in narratives
● C00030: Develop a compelling counter narrative (truth based)
● C00093: Influencer code of conduct
● C00193: promotion of a “higher standard of journalism”
● C00073: Inoculate populations through media literacy training
● C00197: remove suspicious accounts
● C00174: Create a healthier news environment
● C00205: strong dialogue between the federal government and
private sector to encourage better reporting

34. Practical: Resource Allocation
• Tagging needs and groups with AMITT labels
• Building collaboration mechanisms to reduce lost tips and repeated collection
• Designing for future potential surges
• Automating repetitive jobs to reduce load on humans

35. THANK YOU
Sara-Jayne “SJ” Terp @bodaceacat
Dr. Pablo Breuer @Ngree_H0bit
https://cogsec-collab.org/
https://threet.consulting/
36