Tools and Techniques for Cognitive Security

in #cogsec, 5 months ago (edited)

CogSec (Cognitive Security) Collaborative

1. Tools and Techniques for Cognitive Security

by SJ Terp & Roger Johnston
CanSecWest, March 18th 2020


2. Who Are These People?

SJ Terp, Pablo Breuer, Grant Dobbe, grugq, Roger Johnston, CogSec Collab Community


3. CogSec Collab: Roots

Credibility Coalition - m!s!nfosec

  • Industry
  • Academia
  • Media
  • Community
  • Infosec

4. CogSec Collab: 2020 Mission

  • bring together information security researchers, data scientists and other subject-matter experts.
  • to create and improve resources
  • for the defense of the cognitive domain

5. CogSec Collab: 2020 Milestones

  • Milestone 1: April 2020
    • AM!TT Counters; Who, What, How
    • AM!TT Playbook PoC
  • Milestone 2: July 2020
    • AM!TT Playbook; Public, Social Media, ISPs, Government
    • Tooling; Threat Intelligence
  • Milestone 3: October 2020
    • AM!TT Playbook; refine
    • Tooling
    • Data Sets

6. COGSEC COLLAB: END USERS

Who uses this stuff anyway?


7. RESPONSE ACTORS

  • Platform
  • Government
  • Elves
  • Public
  • Influencer
  • Media
  • Nonprofit
  • Educator
  • Corporation

8. Elf Communities and Playbooks


9. INFORMATION SHARING NETWORKS


10. DISINFORMATION LANDSCAPE

The only defense against the world is a thorough knowledge of it.

-- John Locke


11. DISINFORMATION

deliberate promotion... of false, misleading or mis-attributed information

focus on creation, propagation, consumption of misinformation online

We are especially interested in misinformation designed to change beliefs in a large number of people


12. DISINFORMATION 'LAYERS'


13. NATIONAL INSTRUMENTS OF INFLUENCE

Resources available in pursuit of national objectives...

Diplomatic, Informational, Military, Economic

...and how to influence other nation-states.


14. BUSINESS INSTRUMENTS OF INFLUENCE

Resources available in pursuit of corporate objectives...

Business Deals & Strategic Partnerships, PR and Advertising, Mergers and Acquisitions, R&D and Capital Investments


15. DESCRIBING DISINFORMATION

AM!TT and other models of WTF is happening


16. AM!TT FRAMEWORK

Adversarial Misinformation and Influence Tactics and Techniques (AM!TT)

  • Credibility Coalition Misinfosec Working Group
  • AM!TT is a framework for understanding organized communication attacks

17. AM!TT FRAMEWORK


18. AM!TT - T0010


19. AM!TT - T0010

IRA IN GHANA: DOUBLE DECEIT
Cultivate Ignorant Agents

  • "EBLA" NGO local staff
  • Attempt to co-opt US influencers

20. DISINFORMATION COUNTERMEASURES

Moving from admiring the problem to action


21. MITIGATIONS AND COUNTERMEASURES

Countermeasures are that form of military science that, by the employment of devices and/or techniques, is designed to impair the operational effectiveness of enemy activity. Countermeasures can be active or passive and can be deployed preemptively or reactively.

-- JP 3-13.1, Information Operations - Joint Chiefs of Staff


22. FINDING COUNTERMEASURES

  • Existing
  • Tactic-based
  • Technique-based
  • Doctrine-based

23. EXISTING COUNTERS


24. TACTIC-BASED: COURSES OF ACTION MATRIX

| AM!TT Phase           | Detect | Deny | Disrupt | Degrade | Deceive | Destroy | Deter |
| --------------------- | ------ | ---- | ------- | ------- | ------- | ------- | ----- |
| Strategic Planning    |        |      |         |         |         |         |       |
| Objective Planning    |        |      |         |         |         |         |       |
| Develop People        |        |      |         |         |         |         |       |
| Develop Networks      |        |      |         |         |         |         |       |
| Microtargeting        |        |      |         |         |         |         |       |
| Develop Content       |        |      |         |         |         |         |       |
| Channel Selection     |        |      |         |         |         |         |       |
| Pump Priming          |        |      |         |         |         |         |       |
| Exposure              |        |      |         |         |         |         |       |
| Go Physical           |        |      |         |         |         |         |       |
| Persistence           |        |      |         |         |         |         |       |
| Measure Effectiveness |        |      |         |         |         |         |       |

25. EFFECTS

  • Detect: find them
  • Deny: stop them getting in
  • Disrupt: interrupt them
  • Degrade: slow them down
  • Deceive: divert them
  • Destroy: damage them
  • Deter: discourage them

26. ORGANISING COUNTERMEASURES


27. DOCTRINE-BASED COUNTERMEASURES

"A disinformation campaign is made up of resources and infrastructure and operates over time, with them as a universal scarcity."

-- Grugq


28. CRITICAL ELEMENTS

  • Resources
  • Infrastructure
  • Execution
  • Time

29. DOCTRINE-BASED COUNTERMEASURES

| Critical Element | Detect | Deny | Disrupt | Degrade | Deceive | Destroy | Deter |
| ---------------- | ------ | ---- | ------- | ------- | ------- | ------- | ----- |
| Resources        |        |      |         |         |         |         |       |
| Infrastructure   |        |      |         |         |         |         |       |
| Execution        |        |      |         |         |         |         |       |
| Time             |        |      |         |         |         |         |       |

  • resource exhaustion
  • cost-effectiveness
  • time constraints

30. DOCTRINE-BASED COUNTERMEASURES


IRA IN GHANA: DOUBLE DECEIT

  • Resources
    • Staff ~16
    • Audience ~338k
    • Mobile Devices
  • Infrastructure
    • NGO
    • Operator Content Pool
    • Twitter Analytics
  • Execution
    • T0007, T0010, T0015, T0055, T0013
    • T0014, T0018, T0021, T0030, T0039
    • T0042, T0053
  • Time
    • Direct Engagement
    • No Automation + Bots
    • 'Audience Building' Phase

31. PLAYBOOKS


32. RP_0003_fake_engagement


33. THREAT INTELLIGENCE TOOLS AND TECHNIQUES

things we borrowed from infosec


34. OASIS STIX™ 2

  • AM!TT needed a standard for data exchange
    • Relationships + Rich language
    • Extensible
    • Intelligence Sharing (ISACs & ISAOs)
    • Integration with community tooling
  • AM!TT is now available as a STIX 2.0 bundle

35. STIX AMITT

| Misinformation STIX | Description                                                                                   | Level         | Infosec STIX     |
| ------------------- | --------------------------------------------------------------------------------------------- | ------------- | ---------------- |
| Report              | Communication to other responders                                                             | Communication | Report           |
| Campaign            | Longer attacks (Russia's interference in the 2016 US elections is a "campaign")               | Strategy      | Campaign         |
| Incident            | Shorter-duration attacks, often part of a campaign                                            | Strategy      | Intrusion Set    |
| Course of Action    | Response                                                                                      | Strategy      | Course of Action |
| Identity            | Actor (individual, group, organisation etc.): creator, responder, target, useful idiot etc.   | Strategy      | Identity         |
| Threat Actor        | Incident creator                                                                              | Strategy      | Threat Actor     |
| Attack Pattern      | Technique used in incident (see framework for examples)                                       | TTP           | Attack Pattern   |
| Narrative           | Malicious narrative (story, meme)                                                             | TTP           | Malware          |
| Tool                | Bot software, APIs, marketing tools                                                           | TTP           | Tool             |
| Observed Data       | Artefacts like messages, user accounts, etc.                                                  | Artefact      | Observed Data    |
| Indicator           | Posting rates, follow rates, etc.                                                             | Artefact      | Indicator        |
| Vulnerability       | Cognitive biases, community structural weakness etc.                                          | Vulnerability | Vulnerability    |

https://github.com/cogsec-collaborative/amitt_cti
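What an AM!TT incident looks like once it is expressed through the STIX 2.0 mapping above, as an added example that is not code from the amitt_cti repository: it builds a bundle by hand with only the standard library (no stix2 package), using the T0010 "Cultivate Ignorant Agents" technique named on the slides. The incident, narrative and counter names are constructed sample data, and the `amitt` source_name on the external reference is an assumed convention.

```python
import json
import uuid
from datetime import datetime, timezone

def _timestamp() -> str:
    # STIX 2.0 timestamps: RFC 3339 UTC, millisecond precision, Z suffix
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def sdo(obj_type: str, **props) -> dict:
    """STIX Domain Object: the common properties plus type-specific ones."""
    ts = _timestamp()
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def relationship(src: dict, rel_type: str, dst: dict) -> dict:
    return sdo("relationship", relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"])

def build_bundle(technique_id: str, technique_name: str) -> dict:
    """One incident using one technique and one narrative, plus a counter."""
    # AM!TT technique -> attack-pattern; the T-number rides in external_references
    technique = sdo("attack-pattern", name=technique_name,
                    external_references=[{"source_name": "amitt",
                                          "external_id": technique_id}])
    # AM!TT incident (short-duration attack) -> intrusion-set; name is constructed
    incident = sdo("intrusion-set", name="Constructed incident: NGO staff co-opted")
    # AM!TT narrative -> malware (STIX 2.0 requires labels on malware objects)
    narrative = sdo("malware", name="Constructed narrative", labels=["narrative"])
    # AM!TT counter -> course-of-action; text is constructed
    counter = sdo("course-of-action",
                  name="Constructed counter: brief local partners on recruitment")
    objects = [technique, incident, narrative, counter,
               relationship(incident, "uses", technique),
               relationship(incident, "uses", narrative),
               relationship(counter, "mitigates", technique)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": objects}

def amitt_techniques(bundle: dict) -> list:
    """AM!TT technique ids referenced by a bundle, e.g. one received from an ISAO."""
    return sorted(ref["external_id"] for obj in bundle["objects"]
                  if obj["type"] == "attack-pattern"
                  for ref in obj.get("external_references", [])
                  if ref.get("source_name") == "amitt")

if __name__ == "__main__":
    print(json.dumps(build_bundle("T0010", "Cultivate Ignorant Agents"), indent=2))
```

The relationship types used (intrusion-set `uses` attack-pattern and malware, course-of-action `mitigates` attack-pattern) are the ones STIX 2.0 defines for those object pairs, so the bundle loads into Navigator, MISP or OpenCTI without custom extensions.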


36. AM!TT + MITRE ATT&CK® Navigator

  • Navigation of STIX formatted data
  • Visualization
  • Red + Blue team planning
  • Exportable layers

https://www.cogsec-collab.org/project/amitt_navigator/


37. IRA IN GHANA: DOUBLE DECEIT


38. MISP - Open Source Threat Intelligence Platform

  • Store and share structured data
  • Enrichment + Automation
  • Open + Extensible
  • ISAO + ISAC + Elves

https://www.misp-project.org/


39. AM!TT + MISP

  • MISP Misinformation Galaxy containing AM!TT Framework definitions

40. AM!TT + MISP


41. AM!TT + MISP

  • AM!TT Techniques Galaxy
  • DFRLab Dichotomies of Disinformation Taxonomy
  • MISP Objects
    • forged-document
    • blog, meme-image

42. AM!TT + MISP

  • MISP Event Graph
    • blog
    • microblog
    • forged-document
    • person
    • user-account

43. OpenCTI - OPEN THREAT INTELLIGENCE PLATFORM

  • STIX 2.0
  • Knowledge Graph
  • Report based
  • MISP integration

https://www.opencti.io


44. AM!TT + OpenCTI


45. NEXT: AM!TT + Atomic Threat Coverage

  • Done: AM!TT Techniques
  • Next: AM!TT Counters
  • Playbooks are assembled from sets of counters
  • Markdown, Confluence, API, ...

https://github.com/atc-project/atomic-threat-coverage


46. COMMUNITY TOOLS AND TECHNIQUES


things we borrowed from data science


47. CogSec Collaborative - AM!TT m!s!nfosec

Join the Elves

CogSec Collaborative helps communities counter disinformation.

48. THANK YOU


CogSec Collab
https://www.cogsec-collab.org
@bodaceacat
@VV_X_7

Fascinating and inspirational examination and consideration of how to free our minds and prevent Machiavellian manipulation of humanity, avoid the malevolent hazards inherent to Space Age technology, and enable absolute freedom prophesied millennia ago, or suffer the twisted hellscapes madmen willing to commit any atrocity intend.

Thanks!

Thanks 2 u too!
