chg: [disarm] New Version 1.4 of Red Framework

pull/949/head
Christophe Vandeplas 2024-03-15 16:32:49 +01:00
parent 5218a996d9
commit 2b12224aa9
No known key found for this signature in database
GPG Key ID: BDC48619FFDC5A5B
6 changed files with 297 additions and 249 deletions

View File

@ -580,7 +580,7 @@
"meta": {
"external_id": "C00034",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Friction"
],
@ -606,7 +606,7 @@
"meta": {
"external_id": "C00036",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Targeting"
],
@ -632,7 +632,7 @@
"meta": {
"external_id": "C00040",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Verification"
],
@ -658,7 +658,7 @@
"meta": {
"external_id": "C00042",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Countermessaging"
],
@ -684,7 +684,7 @@
"meta": {
"external_id": "C00044",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Friction"
],
@ -710,7 +710,7 @@
"meta": {
"external_id": "C00046",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Targeting"
],
@ -736,7 +736,7 @@
"meta": {
"external_id": "C00047",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deceive",
"metatechniques:Data Pollution"
],
@ -762,7 +762,7 @@
"meta": {
"external_id": "C00048",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deter",
"metatechniques:Daylight"
],
@ -788,7 +788,7 @@
"meta": {
"external_id": "C00051",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Resilience"
],
@ -814,7 +814,7 @@
"meta": {
"external_id": "C00052",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Targeting"
],
@ -840,7 +840,7 @@
"meta": {
"external_id": "C00053",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Cleaning"
],
@ -874,7 +874,7 @@
"meta": {
"external_id": "C00056",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Friction"
],
@ -900,7 +900,7 @@
"meta": {
"external_id": "C00058",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Removal"
],
@ -926,7 +926,7 @@
"meta": {
"external_id": "C00059",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Verification"
],
@ -978,7 +978,7 @@
"meta": {
"external_id": "C00062",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Countermessaging"
],
@ -1056,7 +1056,7 @@
"meta": {
"external_id": "C00067",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Targeting"
],
@ -1296,7 +1296,7 @@
"meta": {
"external_id": "C00077",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Targeting"
],
@ -1608,7 +1608,7 @@
"meta": {
"external_id": "C00093",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deter",
"metatechniques:Resilience"
],
@ -2448,7 +2448,7 @@
"meta": {
"external_id": "C00133",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Removal"
],
@ -2474,7 +2474,7 @@
"meta": {
"external_id": "C00135",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Removal"
],
@ -2816,7 +2816,7 @@
"meta": {
"external_id": "C00155",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Removal"
],
@ -2898,7 +2898,7 @@
"meta": {
"external_id": "C00160",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Resilience"
],
@ -2954,7 +2954,7 @@
"meta": {
"external_id": "C00162",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Targeting"
],
@ -3084,7 +3084,7 @@
"meta": {
"external_id": "C00172",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Removal"
],
@ -3270,7 +3270,7 @@
"meta": {
"external_id": "C00189",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Destroy",
"metatechniques:Daylight"
],
@ -3348,7 +3348,7 @@
"meta": {
"external_id": "C00197",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Removal"
],
@ -3430,7 +3430,7 @@
"meta": {
"external_id": "C00203",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Friction"
],
@ -3728,5 +3728,5 @@
"value": "Strengthen Trust in social media platforms"
}
],
"version": 1
"version": 2
}

View File

@ -189,7 +189,7 @@
"meta": {
"external_id": "F00008",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -214,7 +214,7 @@
"meta": {
"external_id": "F00009",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -239,7 +239,7 @@
"meta": {
"external_id": "F00010",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -264,7 +264,7 @@
"meta": {
"external_id": "F00011",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -289,7 +289,7 @@
"meta": {
"external_id": "F00012",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -314,7 +314,7 @@
"meta": {
"external_id": "F00013",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -339,7 +339,7 @@
"meta": {
"external_id": "F00014",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -364,7 +364,7 @@
"meta": {
"external_id": "F00015",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -389,7 +389,7 @@
"meta": {
"external_id": "F00016",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -414,7 +414,7 @@
"meta": {
"external_id": "F00017",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -439,7 +439,7 @@
"meta": {
"external_id": "F00018",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -464,7 +464,7 @@
"meta": {
"external_id": "F00019",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -489,7 +489,7 @@
"meta": {
"external_id": "F00020",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -522,7 +522,7 @@
"meta": {
"external_id": "F00021",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -547,7 +547,7 @@
"meta": {
"external_id": "F00022",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -572,7 +572,7 @@
"meta": {
"external_id": "F00023",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -597,7 +597,7 @@
"meta": {
"external_id": "F00024",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -1916,7 +1916,7 @@
"meta": {
"external_id": "F00077",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -2066,7 +2066,7 @@
"meta": {
"external_id": "F00084",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -2186,7 +2186,7 @@
"meta": {
"external_id": "F00089",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -2290,7 +2290,7 @@
"meta": {
"external_id": "F00093",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -2361,5 +2361,5 @@
"value": "Fact checking"
}
],
"version": 1
"version": 2
}

View File

@ -94,7 +94,7 @@
"meta": {
"external_id": "T0007",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0007.md"
@ -189,7 +189,7 @@
"meta": {
"external_id": "T0010",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0010.md"
@ -248,56 +248,12 @@
"uuid": "39baec3d-f2ce-5fee-ba7d-3db7d6469946",
"value": "Cultivate Ignorant Agents"
},
{
"description": "Hack or take over legimate accounts to distribute misinformation or damaging content.",
"meta": {
"external_id": "T0011",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0011.md"
]
},
"related": [
{
"dest-uuid": "5481cc36-5af8-5ddf-bcb7-638d3be3f583",
"type": "blocked-by"
},
{
"dest-uuid": "14b886aa-c023-5a84-9605-e4a9cb22e4f4",
"type": "blocked-by"
},
{
"dest-uuid": "f8cab1cc-c87e-5338-90bc-18d071a01601",
"type": "detected-by"
},
{
"dest-uuid": "187285bb-a282-5a6a-833e-01d9744165c4",
"type": "detected-by"
},
{
"dest-uuid": "5012f883-a0ae-5181-bc69-d74b55b44d38",
"type": "detected-by"
},
{
"dest-uuid": "65634c12-ec5f-5a3c-b329-94d3dd84b58e",
"type": "detected-by"
},
{
"dest-uuid": "382e6c32-fb02-5c41-aba1-8161ed8a815e",
"type": "detected-by"
}
],
"uuid": "d05396d6-9701-5ce3-a6cd-abff224310ae",
"value": "Compromise Legitimate Accounts"
},
{
"description": "Create media assets to support inauthentic organisations (e.g. think tank), people (e.g. experts) and/or serve as sites to distribute malware/launch phishing operations.",
"meta": {
"external_id": "T0013",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0013.md"
@ -321,7 +277,7 @@
"meta": {
"external_id": "T0014",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.md"
@ -349,7 +305,7 @@
"meta": {
"external_id": "T0014.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.001.md"
@ -364,7 +320,7 @@
"meta": {
"external_id": "T0014.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.002.md"
@ -489,64 +445,6 @@
"uuid": "87208979-6982-53d5-ad0f-49cef659555c",
"value": "Purchase Targeted Advertisements"
},
{
"description": "Flood social channels; drive traffic/engagement to all assets; create aura/sense/perception of pervasiveness/consensus (for or against or both simultaneously) of an issue or topic. \"Nothing is true, but everything is possible.\" Akin to astroturfing campaign.",
"meta": {
"external_id": "T0019",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0019.md"
]
},
"related": [
{
"dest-uuid": "731ffe0e-0225-583e-9ef0-f39851b725c7",
"type": "blocked-by"
},
{
"dest-uuid": "fe5266c1-0af6-59f3-8a0a-f4e5b3f67513",
"type": "blocked-by"
},
{
"dest-uuid": "dae93cbd-eb65-5fb0-9d4e-4571ff54b6ff",
"type": "blocked-by"
}
],
"uuid": "cb7d7a14-6e5c-503c-84b8-4a49e69b2627",
"value": "Generate Information Pollution"
},
{
"description": "Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx",
"meta": {
"external_id": "T0019.001",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0019.001.md"
]
},
"related": [],
"uuid": "b2d72f4b-fa1f-5798-b075-f3f31320ce4d",
"value": "Create Fake Research"
},
{
"description": "Hashtag hijacking occurs when users “[use] a trending hashtag to promote topics that are substantially different from its recent context” (VanDam and Tan, 2016) or “to promote ones own social media agenda” (Darius and Stephany, 2019).",
"meta": {
"external_id": "T0019.002",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0019.002.md"
]
},
"related": [],
"uuid": "7452c88a-f6ed-52b6-8fe4-25273bb5bc69",
"value": "Hijack Hashtags"
},
{
"description": "Iteratively test incident performance (messages, content etc), e.g. A/B test headline/content enagagement metrics; website and/or funding campaign conversion rates",
"meta": {
@ -727,11 +625,11 @@
"value": "Online Polls"
},
{
"description": "Credibility in a social media environment is often a function of the size of a user's network. \"Influencers\" are so-called because of their reach, typically understood as: 1) the size of their network (i.e. the number of followers, perhaps weighted by their own influence); and 2) The rate at which their comments are re-circulated (these two metrics are related). Add traditional media players at all levels of credibility and professionalism to this, and the number of potential influencial carriers available for unwitting amplification becomes substantial. By targeting high-influence people and organisations in all types of media with narratives and content engineered to appeal their emotional or ideological drivers, influence campaigns are able to add perceived credibility to their messaging via saturation and adoption by trusted agents such as celebrities, journalists and local leaders.",
"description": "Influencers are people on social media platforms who have large audiences. \n\nThreat Actors can try to trick Influencers such as celebrities, journalists, or local leaders who arent associated with their campaign into amplifying campaign content. This gives them access to the Influencers audience without having to go through the effort of building it themselves, and it helps legitimise their message by associating it with the Influencer, benefitting from their audiences trust in them.",
"meta": {
"external_id": "T0039",
"kill_chain": [
"tactics:Conduct Pump Priming"
"tactics:Maximise Exposure"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0039.md"
@ -760,7 +658,7 @@
}
],
"uuid": "53e8c51b-c178-5429-8cee-022c6741cc91",
"value": "Bait Legitimate Influencers"
"value": "Bait Influencer"
},
{
"description": "Campaigns often leverage tactical and informational asymmetries on the threat surface, as seen in the Distort and Deny strategies, and the \"firehose of misinformation\". Specifically, conspiracy theorists can be repeatedly wrong, but advocates of the truth need to be perfect. By constantly escalating demands for proof, propagandists can effectively leverage this asymmetry while also priming its future use, often with an even greater asymmetric advantage. The conspiracist is offered freer rein for a broader range of \"questions\" while the truth teller is burdened with higher and higher standards of proof.",
@ -1011,7 +909,7 @@
"value": "Dox"
},
{
"description": "Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.",
"description": "Flooding sources of information (e.g. Social Media feeds) with a high volume of inauthentic content.\n\nThis can be done to control/shape online conversations, drown out opposing points of view, or make it harder to find legitimate information. \n\nBots and/or patriotic trolls are effective tools to achieve this effect.\n\nThis Technique previously used the name Flooding the Information Space.",
"meta": {
"external_id": "T0049",
"kill_chain": [
@ -1044,7 +942,7 @@
}
],
"uuid": "ee7bc41a-9eb0-5732-924a-3885e1c3bee9",
"value": "Flooding the Information Space"
"value": "Flood Information Space"
},
{
"description": "Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it's easier to amplify existing content than create new/original content. Trolls operate where ever there's a socially divisive issue (issues that can/are be politicized).",
@ -1062,7 +960,7 @@
"value": "Trolls Amplify and Manipulate"
},
{
"description": "Take over an existing hashtag to drive exposure.",
"description": "Hashtags can be used by communities to collate information they post about particular topics (such as their interests, or current events) and users can find communities to join by exploring hashtags theyre interested in. \n\nThreat actors can flood an existing hashtag to try to ruin hashtag functionality, posting content unrelated to the hashtag alongside it, making it a less reliable source of relevant information. They may also try to flood existing hashtags with campaign content, with the intent of maximising exposure to users.\n\nThis Technique covers cases where threat actors flood existing hashtags with campaign content.\n\nThis Technique covers behaviours previously documented by T0019.002: Hijack Hashtags, which has since been deprecated. This Technique was previously called Hijack Existing Hashtag.",
"meta": {
"external_id": "T0049.002",
"kill_chain": [
@ -1074,7 +972,7 @@
},
"related": [],
"uuid": "885e8687-3598-5378-b0bf-f09b67c1696e",
"value": "Hijack Existing Hashtag"
"value": "Flood Existing Hashtag"
},
{
"description": "Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content. Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it's more \"popular\" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are an inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.",
@ -1151,6 +1049,21 @@
"uuid": "d8a87575-9e25-5e93-8bf6-8489fe70b864",
"value": "Inauthentic Sites Amplify News and Narratives"
},
{
"description": "Information Pollution occurs when threat actors attempt to ruin a source of information by flooding it with lots of inauthentic or unreliable content, intending to make it harder for legitimate users to find the information theyre looking for. \n\nThis subtechnique's objective is to reduce exposure to target information, rather than promoting exposure to campaign content, for which the parent technique T0049 can be used. \n\nAnalysts will need to infer what the motive for flooding an information space was when deciding whether to use T0049 or T0049.008 to tag a case when an information space is flooded. If such inference is not possible, default to T0049.\n\nThis Technique previously used the ID T0019.",
"meta": {
"external_id": "T0049.008",
"kill_chain": [
"tactics:Maximise Exposure"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.008.md"
]
},
"related": [],
"uuid": "0bf3d2c3-db36-5175-99b0-6c82ad078937",
"value": "Generate Information Pollution"
},
{
"description": "Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives.",
"meta": {
@ -1268,7 +1181,7 @@
"meta": {
"external_id": "T0065",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0065.md"
@ -1938,21 +1851,6 @@
"uuid": "ed3754e6-bc15-5cf0-8a4b-8737b3814225",
"value": "Develop AI-Generated Text"
},
{
"description": "Develop False or Altered Documents",
"meta": {
"external_id": "T0085.002",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.002.md"
]
},
"related": [],
"uuid": "5b0d1b23-0b48-5f67-8fb4-fe4430f30990",
"value": "Develop False or Altered Documents"
},
{
"description": "An influence operation may develop false or misleading news articles aligned to their campaign goals or narratives.",
"meta": {
@ -1968,6 +1866,66 @@
"uuid": "7bbdfe14-8294-54f7-9842-449f2db17a90",
"value": "Develop Inauthentic News Articles"
},
{
"description": "Produce text in the form of a document.",
"meta": {
"external_id": "T0085.004",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.004.md"
]
},
"related": [],
"uuid": "5f8303e9-4956-589a-a4c6-6b929143f460",
"value": "Develop Document"
},
{
"description": "Produce text content in the form of a book. \n\nThis technique covers both e-books and physical books, however, the former is more easily deployed by threat actors given the lower cost to develop.",
"meta": {
"external_id": "T0085.005",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.005.md"
]
},
"related": [],
"uuid": "c363e714-6b46-5f44-8446-ab88fa5974e9",
"value": "Develop Book"
},
{
"description": "Opinion articles (aka “Op-Eds” or “Editorials”) are articles or regular columns flagged as “opinion” posted to news sources, and can be contributed by people outside the organisation. \n\nFlagging articles as opinions allow news organisations to distinguish them from the typical expectations of objective news reporting while distancing the presented opinion from the organisation or its employees.\n\nThe use of this technique is not by itself an indication of malicious or inauthentic content; Op-eds are a common format in media. However, threat actors exploit op-eds to, for example, submit opinion articles to local media to promote their narratives.\n\nExamples from the perspective of a news site involve publishing op-eds from perceived prestigious voices to give legitimacy to an inauthentic publication, or supporting causes by hosting op-eds from actors aligned with the organisations goals.",
"meta": {
"external_id": "T0085.006",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.006.md"
]
},
"related": [],
"uuid": "a3c5ef63-020b-5dd9-b8b1-303d6e0d2201",
"value": "Develop Opinion Article"
},
{
"description": "Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx.\n\nThis Technique previously used the ID T0019.001",
"meta": {
"external_id": "T0085.007",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.007.md"
]
},
"related": [],
"uuid": "130f70c4-5c39-5284-b604-b4711c6c41b8",
"value": "Create Fake Research"
},
{
"description": "Creating and editing false or misleading visual artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include photographing staged real-life situations, repurposing existing digital images, or using image creation and editing technologies.",
"meta": {
@ -2164,22 +2122,7 @@
"value": "Obtain Authentic Documents"
},
{
"description": "Create inauthentic documents intended to appear as if they are authentic non-public documents. These documents can be \"leaked\" during later stages in the operation.",
"meta": {
"external_id": "T0089.002",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.002.md"
]
},
"related": [],
"uuid": "da4180d9-4829-5e8d-a0d0-c33bbd22fbc0",
"value": "Create Inauthentic Documents"
},
{
"description": "Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic can be \"leaked\" during later stages in the operation.",
"description": "Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic and can be \"leaked\" during later stages in the operation.",
"meta": {
"external_id": "T0089.003",
"kill_chain": [
@ -2198,7 +2141,7 @@
"meta": {
"external_id": "T0090",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.md"
@ -2213,7 +2156,7 @@
"meta": {
"external_id": "T0090.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.001.md"
@ -2228,7 +2171,7 @@
"meta": {
"external_id": "T0090.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.002.md"
@ -2243,7 +2186,7 @@
"meta": {
"external_id": "T0090.003",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.003.md"
@ -2258,7 +2201,7 @@
"meta": {
"external_id": "T0090.004",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.004.md"
@ -2273,7 +2216,7 @@
"meta": {
"external_id": "T0091",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.md"
@ -2288,7 +2231,7 @@
"meta": {
"external_id": "T0091.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.001.md"
@ -2303,7 +2246,7 @@
"meta": {
"external_id": "T0091.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.002.md"
@ -2318,7 +2261,7 @@
"meta": {
"external_id": "T0091.003",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.003.md"
@ -2333,7 +2276,7 @@
"meta": {
"external_id": "T0092",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.md"
@ -2348,7 +2291,7 @@
"meta": {
"external_id": "T0092.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.001.md"
@ -2363,7 +2306,7 @@
"meta": {
"external_id": "T0092.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.002.md"
@ -2378,7 +2321,7 @@
"meta": {
"external_id": "T0092.003",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.003.md"
@ -2393,7 +2336,7 @@
"meta": {
"external_id": "T0093",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.md"
@ -2408,7 +2351,7 @@
"meta": {
"external_id": "T0093.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.001.md"
@ -2423,7 +2366,7 @@
"meta": {
"external_id": "T0093.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.002.md"
@ -2438,7 +2381,7 @@
"meta": {
"external_id": "T0094",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.md"
@ -2453,7 +2396,7 @@
"meta": {
"external_id": "T0094.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.001.md"
@ -2468,7 +2411,7 @@
"meta": {
"external_id": "T0094.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.002.md"
@ -2483,7 +2426,7 @@
"meta": {
"external_id": "T0095",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0095.md"
@ -2498,7 +2441,7 @@
"meta": {
"external_id": "T0096",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.md"
@ -2513,7 +2456,7 @@
"meta": {
"external_id": "T0096.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.001.md"
@ -2528,7 +2471,7 @@
"meta": {
"external_id": "T0096.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.002.md"
@ -2554,7 +2497,7 @@
"value": "Create Personas"
},
{
"description": "Create other assets/dossier/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate crediblity/believability",
"description": "People may produce evidence which supports the persona they are deploying (T0097) (aka “backstopping” the persona).\n\nThis Technique covers situations where evidence is developed or produced as part of an influence operation to increase the perceived legitimacy of a persona used during IO, including creating accounts for the same persona on multiple platforms.\n\nThe use of personas (T0097), and providing evidence to improve peoples perception of ones persona (T0097.001), are not necessarily malicious or inauthentic. However, sometimes people use personas to increase the perceived legitimacy of narratives for malicious purposes.\n\nThis Technique was previously called Backstop Personas.",
"meta": {
"external_id": "T0097.001",
"kill_chain": [
@ -2566,7 +2509,7 @@
},
"related": [],
"uuid": "2341584c-3ca5-5d2e-85f8-2b9c4da81268",
"value": "Backstop Personas"
"value": "Produce Evidence for Persona"
},
{
"description": "Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda--for instance, click-based revenue--often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their owenership, reporting history and adverstising details.",
@ -2614,7 +2557,7 @@
"value": "Leverage Existing Inauthentic News Sites"
},
{
"description": "An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities. An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entitys website or social media account. Typosquatting87 is the international registration of a domain name with purposeful variations of the impersonated domain name through intentional typos, top-level domain (TLD) manipulation, or punycode. Typosquatting facilitates the creation of falsified websites by creating similar domain names in the URL box, leaving it to the user to confirm that the URL is correct.",
"description": "An influence operation may prepare assets impersonating existing entities (both organisations and people) to further conceal its network identity and add a layer of legitimacy to its operation content. Existing entities may include authentic news outlets, public figures, organisations, or state entities. \n\nUsers will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. \n\nAn influence operation may use a wide variety of cyber techniques to impersonate a legitimate entitys website or social media account. \n\nThis Technique was previously called Prepare Assets Impersonating Legitimate Entities.",
"meta": {
"external_id": "T0099",
"kill_chain": [
@ -2626,22 +2569,7 @@
},
"related": [],
"uuid": "9758be4b-0f4d-5438-bc2a-567bffb8cd57",
"value": "Prepare Assets Impersonating Legitimate Entities"
},
{
"description": "Astroturfing occurs when an influence operation disguises itself as grassroots movement or organisation that supports operation narratives. Unlike butterfly attacks, astroturfing aims to increase the appearance of popular support for the operation cause and does not infiltrate existing groups to discredit their objectives.",
"meta": {
"external_id": "T0099.001",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.001.md"
]
},
"related": [],
"uuid": "2710c060-376c-5008-b7e8-791086382a2b",
"value": "Astroturfing"
"value": "Impersonate Existing Entity"
},
{
"description": "An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities.",
@ -2658,6 +2586,66 @@
"uuid": "8eab0457-f145-56f7-aac6-d46ec8225570",
"value": "Spoof/Parody Account/Site"
},
{
"description": "A situation where a threat actor styles their online assets or content to mimic an existing organisation.\n\nThis can be done to take advantage of peoples trust in the organisation to increase narrative believability, to smear the organisation, or to make the organisation less trustworthy.",
"meta": {
"external_id": "T0099.003",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.003.md"
]
},
"related": [],
"uuid": "87a87abc-4860-51e5-a3cb-527d763dd7b1",
"value": "Impersonate Existing Organisation"
},
{
"description": "A situation where a threat actor styles their online assets or content to mimic an existing media outlet.\n\nThis can be done to take advantage of peoples trust in the outlet to increase narrative believability, to smear the outlet, or to make the outlet less trustworthy.",
"meta": {
"external_id": "T0099.004",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.004.md"
]
},
"related": [],
"uuid": "6d757126-920d-5bd3-8eeb-c555e9f6482e",
"value": "Impersonate Existing Media Outlet"
},
{
"description": "A situation where a threat actor styles their online assets or content to impersonate an official (including government officials, organisation officials, etc).",
"meta": {
"external_id": "T0099.005",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.005.md"
]
},
"related": [],
"uuid": "90a440e1-5618-5406-9ce3-2e61cf6c5e77",
"value": "Impersonate Existing Official"
},
{
"description": "A situation where a threat actor styles their online assets or content to impersonate an influencer or celebrity, typically to exploit users existing faith in the impersonated target.",
"meta": {
"external_id": "T0099.006",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.006.md"
]
},
"related": [],
"uuid": "c2714def-dd7a-5091-818a-0c219af8135f",
"value": "Impersonate Existing Influencer"
},
{
"description": "An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include: - National or local new outlets - Research or academic publications - Online blogs or websites",
"meta": {
@ -2869,7 +2857,7 @@
"value": "Mainstream Social Networks"
},
{
"description": "Dating Apps",
"description": "Dating App” refers to any platform (or platform feature) in which the ostensive purpose is for users to develop a physical/romantic relationship with other users.\n\nThreat Actors can exploit users quest for love to trick them into doing things like revealing sensitive information or giving them money.\n\nExamples include Tinder, Bumble, Grindr, Facebook Dating, Tantan, Badoo, Plenty of Fish, hinge, LOVOO, OkCupid, happn, and Mamba.",
"meta": {
"external_id": "T0104.002",
"kill_chain": [
@ -2881,7 +2869,7 @@
},
"related": [],
"uuid": "96b1a88b-ea2d-51ad-a473-1669e956d387",
"value": "Dating Apps"
"value": "Dating App"
},
{
"description": "Social networks that are not open to people outside of family, friends, neighbours, or co-workers. Non-work-related examples include Couple, FamilyWall, 23snaps, and Nextdoor. Some of the larger social network platforms enable closed communities: examples are Instagram Close Friends and Twitter (X) Circle. Work-related examples of private social networks include LinkedIn, Facebook Workplace, and enterprise communication platforms such as Slack or Microsoft Teams.",
@ -3173,7 +3161,7 @@
"meta": {
"external_id": "T0113",
"kill_chain": [
"tactics:Conduct Pump Priming"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0113.md"
@ -4787,7 +4775,67 @@
"related": [],
"uuid": "823c3b54-8eac-5772-8e1c-b7fd55bbe518",
"value": "Spread Hate"
},
{
"description": "Threat Actors may take over existing assets not owned by them through nefarious means, such as using technical exploits, hacking, purchasing compromised accounts from the dark web, or social engineering.",
"meta": {
"external_id": "T0141",
"kill_chain": [
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.md"
]
},
"related": [],
"uuid": "c863835c-366c-58c1-b405-68f632632540",
"value": "Acquire Compromised Asset"
},
{
"description": "Threat Actors can take over existing users accounts to distribute campaign content. \n\nThe actor may maintain the assets previous identity to capitalise on the perceived legitimacy its previous owner had cultivated.\n\nThe actor may completely rebrand the account to exploit its existing reach, or relying on the accounts history to avoid more stringent automated content moderation rules applied to new accounts.\n\nSee also [Mitre ATT&CKs T1586 Compromise Accounts](https://attack.mitre.org/techniques/T1586/) for more technical information on how threat actors may achieve this objective.\n\nThis Technique was previously called Compromise Legitimate Accounts, and used the ID T0011.",
"meta": {
"external_id": "T0141.001",
"kill_chain": [
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.001.md"
]
},
"related": [],
"uuid": "6c78a4cc-99ff-5dda-9fd2-0ed060b478ad",
"value": "Acquire Compromised Account"
},
{
"description": "Threat Actors may take over existing websites to publish or amplify inauthentic narratives. This includes the defacement of websites, and cases where websites personas are maintained to add credence to threat actors narratives.\n\nSee also [Mitre ATT&CKs T1584 Compromise Infrastructure](https://attack.mitre.org/techniques/T1584/) for more technical information on how threat actors may achieve this objective.",
"meta": {
"external_id": "T0141.002",
"kill_chain": [
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.002.md"
]
},
"related": [],
"uuid": "66c253b1-d644-5dca-9954-805693489ed4",
"value": "Acquire Compromised Website"
},
{
"description": "This technique, sometimes known as \"astroturfing\", occurs when an influence operation disguises itself as a grassroots movement or organisation that supports operation narratives. \n\nAstroturfing aims to increase the appearance of popular support for an evolving grassroots movement in contrast to \"Utilise Butterfly Attacks\", which aims to discredit an existing grassroots movement. \n\nThis Technique was previously called Astroturfing, and used the ID T0099.001",
"meta": {
"external_id": "T0142",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0142.md"
]
},
"related": [],
"uuid": "c52f5e7a-5a13-5859-9bb0-1620dec4dde2",
"value": "Fabricate Grassroots Movement"
}
],
"version": 1
"version": 2
}

View File

@ -40,7 +40,7 @@
"Assess Effectiveness",
"Target Audience Analysis",
"Develop Narratives",
"Establish Social Assets",
"Establish Assets",
"Establish Legitimacy",
"Maximise Exposure",
"Drive Online Harms"
@ -50,5 +50,5 @@
"namespace": "disarm",
"type": "disarm-countermeasures",
"uuid": "9a3ac024-7c65-5ac0-87c4-eaed2238eec8",
"version": 1
"version": 2
}

View File

@ -24,7 +24,7 @@
"Assess Effectiveness",
"Target Audience Analysis",
"Develop Narratives",
"Establish Social Assets",
"Establish Assets",
"Establish Legitimacy",
"Maximise Exposure",
"Drive Online Harms"
@ -34,5 +34,5 @@
"namespace": "disarm",
"type": "disarm-detections",
"uuid": "bb61e6f3-b2bd-5c7d-929c-b6f292ccc56a",
"version": 1
"version": 2
}

View File

@ -15,7 +15,7 @@
"Assess Effectiveness",
"Target Audience Analysis",
"Develop Narratives",
"Establish Social Assets",
"Establish Assets",
"Establish Legitimacy",
"Maximise Exposure",
"Drive Online Harms"
@ -25,5 +25,5 @@
"namespace": "disarm",
"type": "disarm-techniques",
"uuid": "a90f2bb6-11e1-58a7-9962-ba37886720ec",
"version": 1
"version": 2
}