Brief Reverse Engineering Work On FIMI A3


Melvin Amey

May 29, 2024, 3:50:41 PM5/29/24
to riajoperra

We're building value and opportunity by investing in cybersecurity, analytics, digital solutions, engineering and science, and consulting. Our culture of innovation empowers employees as creative thinkers, bringing unparalleled value for our clients and for any problem we try to tackle.
Empower People to Change the World

DISARM is an open-source, threat-informed, and community-driven tool based on ATT&CK. Because of its widespread adoption and detailed frameworks (Red for offense and Blue for defense), we have chosen to use DISARM as our model for counter-disinformation operations.

Brief reverse engineering work on FIMI A3

DOWNLOAD https://t.co/ck7KFe2oLt

DISARM Blue articulates procedures to detect and counter specific tactics in the Red framework. By its own description, DISARM is a work in progress, with much left to do. Yet to be assessed are which detections and counters are most effective against which tactics or in defense of which target audiences. This is an area where cognitive modeling may have a significant impact, which we plan to address in the future. While Red is a thorough outline of the phases and TTPs of a disinformation campaign, Blue remains relatively unstructured, more of a toolbox for defenders.

What counter-disinformation frameworks have lacked thus far is an actionable model for implementing continuous operations. Instead of looking to cybersecurity kill chains, we propose using a threat-hunting model to detect and defeat disinformation campaigns.

This blog series is brought to you by Booz Allen DarkLabs. Our DarkLabs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.

A team at Meta created the Online Operations Kill Chain framework to address the lack of standard taxonomies for information operations and cybersecurity operations. Defenders need a common language that bridges these areas because attackers can use both kinds of threats (e.g., in social engineering in the supply chain). The Online Operations Kill Chain is designed to be platform agnostic and applied to cyberattacks, influence operations, online fraud, human trafficking, and terrorist recruitment, with a particular focus on the elements meant to influence humans.

This model has 10 phases: Acquiring Assets, Disguising Assets, Gathering Information, Coordinating and Planning, Testing Platforms and Defenses, Evading Detection, Indiscriminate Engagement, Targeted Engagement, Compromising Assets, and Enabling Longevity. (Like ATT&CK, the model is described as modular because not every operator goes through every phase.)

This framework has the same weaknesses as the Social Media Kill Chain. That said, the Information Operations Kill Chain stands out for acknowledging that disrupting one campaign in a long-term operation is only one step, and the entire operation would need to be disrupted in multiple parts of the kill chain to stop the overall threat, and this could take multiple human generations to accomplish.

We hope this overview helps cybersecurity and cognitive security professionals build a shared understanding of these models and emerging threats. As the Online Operations Kill Chain authors have astutely pointed out, modern campaigns seamlessly weave between both categories. Not bringing the groups together leaves defenders who subscribe to only one of the categories at a significant disadvantage.
