Bruce Schneier’s famous quote, “Amateurs hack systems, professionals hack people,” applies as much to influence operations as it does to phishing and other social engineering techniques.
Influence operations, broadly speaking, involve efforts to shape people’s beliefs or behaviors by wielding information in deceptive and manipulative ways. The line between influence operations and cyber operations can be blurry, as the two often overlap.
Cyber Operations vs Influence Operations
Cyber operations can be used to further influence operations, such as ‘hack and leak’ operations that steal and release compromising data in attempts to influence a target audience. Conversely, techniques often associated with influence operations can be used to further cyber operations. For example, photorealistic AI-generated media can be a form of social engineering to facilitate digital intrusion.
The Need for Structured Information Sharing
It is essential to have structured information sharing and common terminology to defend against ‘hybrid threats’ such as cyber-enabled influence and influence-enabled cyber operations. Think back to cybersecurity before Structured Threat Information eXpression (STIX). Cybersecurity professionals modeled the same behaviors in different ways, confusing communications. It was quite challenging to configure different software to exchange threat intelligence seamlessly.
Just as the cybersecurity community needed STIX, the community of professionals combating influence operations needs a common language to respond to information manipulation at machine speed. Enter the Defense Against Disinformation Common Data Model (DAD-CDM), an open project by OASIS Open that seeks to extend STIX to transform how people and machines combat information manipulation.
Why Extend STIX (Rather than Create Something from Scratch?)
Diagnosing a cyberattack and tracing an influence operation often involves identifying and analyzing the same indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). These technical and behavioral markers can directly overlap across cyber operations and influence operations. For example, an influence operation might use credential harvesting to hijack social media accounts to spread narratives. Understanding these common indicators and methodologies makes it possible to unravel the likely source and underlying infrastructure of an influence operation, opening the door to a range of possible response measures.
By enriching and extending STIX, DAD-CDM can build a bridge between efforts to counter cyberattacks and efforts to counter information manipulation, empowering the community of defenders to more effectively and efficiently counter hybrid threats. This means that the cybersecurity community stands to benefit from DAD-CDM as much as the community of professionals countering influence operations and other forms of information manipulation.
Putting DAD-CDM to Work
Let’s look at the Fronton botnet as an example. When the “Digital Revolution” hacktivist group first exposed this botnet of Internet of Things (IoT) devices, most analysts assumed its primary purpose was distributed denial of service (DDoS) attacks. The managed intelligence company, Nisos, however, dug deeper and found that Fronton could also orchestrate coordinated inauthentic behavior at scale. Threat actors could use Fronton’s dashboard to create vast networks of inauthentic accounts and leverage these accounts en masse to manipulate trends in social media.
Analysts cannot capture the full capabilities of the Fronton botnet using STIX alone. STIX currently allows analysts to model DDoS threats but does not allow analysts to model coordinated inauthentic behavior. In the future, however, DAD-CDM will extend STIX to allow analysts to model Fronton and other hybrid threats with higher degrees of fidelity.
Modeling information manipulation with DAD-CDM is more than just pedantry and technical plumbing. As it continues to mature, DAD-CDM can open the door to a range of novel use cases.
To name a few:
-
Threat analysts will be able to perform higher confidence attributions of influence operations.
-
Risk analysts will better understand brand reputation risks.
-
Information sharing and analysis centers (ISACs) will more seamlessly escalate awareness and facilitate response to hybrid threats.
-
Software developers will automate detection of behaviors associated with information manipulation.
Just as STIX substantially matured the field of cybersecurity, DAD-CDM will transform efforts to combat information manipulation. At a time when information manipulation threatens everything from election integrity to brand reputations, both the public and private sectors benefit significantly from this emerging field's maturation.