October 2, 2023 | C4ISRNET

DISARMing cyber threats with ATT&CK: A winning combination

In today’s tech-driven world, where democracies and societies teeter on a tightrope, the White House and the EU are joining forces to confront a common threat: foreign information manipulation and interference, or FIMI, and disinformation.

To meet this challenge, they have begun using the Disinformation Analysis and Risk Management, or DISARM, framework to help coordinate their actions. The Biden administration recognizes how influence operations “threaten universal values, the functioning of democracies and the well-being of societies around the world.”

DISARM has a critical role to play in defusing the threat.

A recent Reuters article highlighted growing dangers from the convergence of artificial intelligence, cyberattacks and influence operations. AI empowers adversaries with sophisticated capabilities, enabling them to exert influence through techniques like customizing phishing emails, employing deep fakes, impersonating authority figures, or crafting complex social engineering campaigns, among others.

To comprehensively address these challenges, it is crucial to gain a holistic understanding of how adversaries manipulate and influence their targets.

Before taking action against FIMI and disinformation, the initial and crucial step is to identify them. Taking inspiration from the successful model of MITRE’s Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK, body of knowledge in the realm of cybersecurity, a similar approach has emerged to address influence operations.

It is the DISARM framework, designed specifically for influence campaigns rather than cyberattacks. Both serve as open-source repositories that catalog observed tactics and techniques. They facilitate forensic tagging, which enables data sharing, collaborative analysis, and efficient response coordination by pinpointing the tactics and techniques in use.

Consider a scenario where a hacker gains initial access (ATT&CK tactic TA0001) through a phishing campaign (technique T1566) and then operates through the compromised valid account (technique T1078). These tags provide a common language in a machine-readable format, facilitating the sharing of indications and warnings.

Furthermore, consistent use of these tags allows analysts, such as those at the commercial cyber intelligence company Mandiant, to publish lists of the most prevalent tactics and techniques used in cyberattacks, which helps cybersecurity professionals set priorities for fortifying defenses and allocating the necessary resources.

Additionally, the tags facilitate the establishment of signatures for various attackers by profiling the tactics and techniques they employ. This profiling can be used for attribution purposes.

Similarly, by drawing from global cybersecurity best practices, DISARM provides influence tags that empower stakeholders across diverse fields and sectors by enabling a shared understanding of influence campaigns. Expanding on the scenario where a hacker gains initial access through a phishing campaign and compromises a valid account, DISARM supplies the tags that give a more holistic understanding of how that access was set up.

For example, the hacker created fake research (technique T0019.001) appealing to a specific company (tactic TA05: Microtargeting), posted it to an inauthentic website (technique T0013) with testimonials from fake experts (technique T0009), and required contact information before emailing the fake research. Using the solicited contact information, and knowing which research the target was interested in, the hacker was then able to craft a tailored phishing email that resulted in the account compromise.
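As an added example, not code from the article or from the DISARM or ATT&CK projects, the Python script below tags the combined scenario above with its ATT&CK and DISARM identifiers in a STIX 2.1-style JSON bundle of the kind that is shared between organizations, checks that every identifier matches its scheme's format before it is shared, recovers the tags from a received bundle, and scores the observed technique set against actor profiles, as the profiling-for-attribution paragraph describes. The "DISARM" source name, the use of tactic IDs as kill-chain phase names, and the actor profiles (ACTOR-A, ACTOR-B, ACTOR-C) are assumptions constructed for the example; MITRE's own STIX content uses "mitre-attack" as the source name.

```python
"""Tag one combined influence/cyber incident with DISARM and ATT&CK IDs,
emit it as a STIX 2.1-style bundle, and compare it against actor profiles.

Added example; not the article's or the DISARM project's code.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Accepted identifier shapes per scheme. ATT&CK tactics are TA followed by
# four digits (TA0001); DISARM tactics are TA followed by two digits (TA05).
# Both schemes use T + four digits with an optional .NNN sub-technique suffix.
ID_FORMATS = {
    "mitre-attack": (re.compile(r"^TA\d{4}$"), re.compile(r"^T\d{4}(\.\d{3})?$")),
    "DISARM": (re.compile(r"^TA\d{2}$"), re.compile(r"^T\d{4}(\.\d{3})?$")),
}

# Constructed input: the article's scenario as (source, tactic, technique, name).
# A tactic is given only where the article states one.
OBSERVED = [
    ("DISARM", "TA05", "T0019.001", "Create fake research"),
    ("DISARM", None, "T0013", "Create inauthentic websites"),
    ("DISARM", None, "T0009", "Create fake experts"),
    ("mitre-attack", "TA0001", "T1566", "Phishing"),
    ("mitre-attack", "TA0001", "T1078", "Valid Accounts"),
]

# Constructed, hypothetical actor profiles: sets of (source, technique) tags
# previously observed per actor. Not real attribution data.
PROFILES = {
    "ACTOR-A": {("DISARM", "T0019.001"), ("DISARM", "T0013"),
                ("DISARM", "T0009"), ("mitre-attack", "T1566")},
    "ACTOR-B": {("mitre-attack", "T1566"), ("mitre-attack", "T1078"),
                ("mitre-attack", "T1059")},
    "ACTOR-C": {("DISARM", "T0019.001"), ("DISARM", "T0013")},
}


def is_valid_tag(source, tactic, technique):
    """True when the tactic (if any) and technique fit the scheme's ID format."""
    if source not in ID_FORMATS:
        return False
    tactic_re, technique_re = ID_FORMATS[source]
    if tactic is not None and not tactic_re.match(tactic):
        return False
    return technique_re.match(technique) is not None


def attack_pattern(source, tactic, technique, name, now):
    """One STIX 2.1 attack-pattern object; the external_id carries the tag."""
    if not is_valid_tag(source, tactic, technique):
        raise ValueError(f"malformed {source} tag: tactic={tactic!r} technique={technique!r}")
    obj = {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": f"attack-pattern--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "external_references": [{"source_name": source, "external_id": technique}],
    }
    if tactic is not None:
        # Assumption: the tactic ID is used as the phase name. MITRE's own
        # bundles use the tactic's short name (e.g. "initial-access") instead.
        obj["kill_chain_phases"] = [{"kill_chain_name": source, "phase_name": tactic}]
    return obj


def build_bundle(observed):
    """Wrap the tagged observations in a STIX bundle ready to share."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [attack_pattern(*row, now) for row in observed]}


def technique_ids(bundle):
    """Recover the (source, technique) tags from a bundle received from a partner."""
    return {(ref["source_name"], ref["external_id"])
            for obj in bundle["objects"] if obj.get("type") == "attack-pattern"
            for ref in obj.get("external_references", [])}


def rank_profiles(observed_ids, profiles):
    """Jaccard overlap between the observed tags and each profile, best first."""
    ranked = [(actor, round(len(observed_ids & tags) / len(observed_ids | tags), 3))
              for actor, tags in profiles.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    bundle = build_bundle(OBSERVED)
    print(json.dumps(bundle, indent=2))
    print(rank_profiles(technique_ids(bundle), PROFILES))
```

The format check matters because the two schemes look alike: a DISARM tag written with an ATT&CK-style four-digit tactic (or vice versa) would silently pollute a partner's data, so the script refuses to emit it. The profile score is deliberately a plain set overlap; it supports the kind of prioritisation and attribution hypotheses the article mentions, not a conclusion on its own.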

It is important to note that DISARM is still in its early stages of adoption across various industries. Notably, various papers, including those from the NATO/EU-backed Hybrid Centre of Excellence, the EU Cybersecurity Agency (ENISA), and the EEAS Report on Foreign Information Manipulation and Interference, advocate for the widespread adoption of DISARM.

Given this widespread consensus, there is a clear acknowledgment that collaborative taxonomies like DISARM not only improve in-depth analysis and discourse but also foster a culture of collective learning and coordinated action.

Information and intelligence organizations, including Information Sharing and Analysis Centers, more commonly referred to as ISACs, are encouraged to explore the integration of DISARM tagging into their operational procedures to augment the sharing of FIMI tactics and techniques.

As this framework continues to gain recognition, it holds the potential to evolve into the universal language for identifying and countering influence campaigns, akin to how ATT&CK has become the standard for addressing cyberattacks. Embracing the DISARM framework enables entities to establish a robust and unified language for sharing crucial indications and warnings regarding tactics and techniques employed in influence operations.

Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies. Fahad Abdulrazzaq is an intern and a cadet at West Point; the views expressed here are his own. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.