About the DISARM frameworks
The DISARM frameworks are designed for describing and understanding different parts of disinformation incidents, and are:
- DISARM-STIX for disinformation objects, including actors, behaviours, narratives and artifacts - this makes it easy for DISARM data to be passed between ISAOs and similar bodies using standards like TAXII.
- DISARM Red for disinformation creation behaviours
- DISARM Blue for disinformation countermeasure and mitigation behaviours.
DISARM is part of work on adapting information security (infosec) practices to help track and counter misinformation, and is designed to fit existing infosec practices and tools. To help with this, DISARM's style is based on the MITRE ATT&CK and STIX information security frameworks.
DISARM frameworks and data are available under a CC-BY-4.0 license - credit us (ideally also tell us about potentially useful changes), and you're free to use them. DISARM templates, datasets, and user guides are available in https://github.com/cogsec-collaborative/DISARM. If you're using other tools, DISARM is embedded in the MISP toolset, and STIX templates for DISARM objects are available in the DISARM_CTI repository.
DISARM Contributors
The DISARM frameworks are a community effort:
- CogSecCollab maintains and updates We've used DISARM in the CTI League's Covid19 responses, and tested it in trials with NATO, the EU, and several other countries' disinformation units. Pablo Breuer and are the current design authorities for the DISARM models.
- The Credibility Coalition's Misinfosec working group, aka MisinfosecWG, created the original DISARM frameworks. The Red Framework was started in December 2018, and refined in a Credibility Coalition Misinfosec seminar; the Blue Framework was started as a collection of potential disinformation countermeasures, at a Coalition Misinfosec seminar in November 2019. CogSecCollab is the nonprofit that spun out of MisinfosecWG.
- Many other people have contributed to DISARM. Thank you.
Suggestions for DISARM framework changes can be made through a Google Form. Changes are then agreed between CogSecCollab and the DISARM design authorities - currently SJ Terp and Pablo Breuer.
What you're looking at here
You're looking at a work in progress. Eventually this message will be replaced with a pretty interface, but if you're here, it's good to say what's happening to get there.
We're working towards a set of functions for this app that include navigating a database of disinformation objects, easily entering machine- and human-readable descriptions of misinformation and disinformation incidents, traversing possible behaviours as part of a red team exercise or simulation, and sharing machine-readable alerts with anyone connected to an information security system using the STIX message protocols.
But to get there, we have to do some things first. These include:
- Transfer all the DISARM framework objects in our master repository into a SQL database format (actually two - SQLite and PostgreSQL), formalising all the objects that were implicit in it (like playbooks), and normalising all the relationships between them. We're on this now.
- Make all those database objects visible in here, so a privileged user can create, view, update and delete them - and a non-privileged user can view all the objects, and suggest new objects, updates, and deletions. Also working on this.
- Separate data objects from framework objects. What this means in practice is that the framework objects are the ways you describe an incident - standards for things like incidents, actors, behaviours, artifacts; data objects are instances of these, e.g. the Blacktivist incident and the behaviour and artifacts seen in it. This part is done.
- Put all the DISARM standards and datasets into one place. We have ATT&CK-based standards, STIX-based standards, lists of groups, tools, examples, references etc; we also have a set of MISP disinformation data standards for low-level objects like images and social media posts / groups. We're putting them all in here, and making sure they line up.
- Build more user-friendly interfaces for entering things like disinformation situation reports quickly. You can see the visual components of these if you look at the techniques and countermeasures objects - and there's a hidden page /textgrid that we're testing out interface types in (there's also a map interface, but that's going to take a while).
- Build connectors to tools like MISP - we already have DISARM frameworks embedded in it, and it would be useful to be able to send flash alerts about disinformation without filling in a *lot* of data fields.