TA11 "Persist in the Information Environment"
Belongs to phase P03 Execute
Summary: Persist in the Information Environment refers to measures that let an operation keep its presence online and avoid takedown by an external entity (platform moderators, hosting providers, researchers, law enforcement). Techniques in this tactic help campaigns operate without detection and appear legitimate both to the target audience and to platform monitoring services. Influence operations on social media often persist by varying the kinds of information assets and the platforms they use over the course of the campaign.
TA11 Tasks

| disarm_id | name | summary |
|---|---|---|
| TK0023 | retention | retention |
| TK0024 | customer relationship | customer relationship |
| TK0025 | advocacy/zealotry | advocacy/zealotry |
| TK0026 | conversion | conversion |
| TK0027 | keep recruiting/prospecting | keep recruiting/prospecting |
| TK0041 | OPSEC for TA11 | OPSEC for TA11 |
TA11 Techniques

| disarm_id | name | summary |
|---|---|---|
| T0059 | Play the long game | Play the long game refers to two phenomena: 1. Plan messaging and allow it to grow organically without conducting your own amplification. This is methodical and slow and can take years for the message to take hold. 2. Develop a series of seemingly disconnected messaging narratives that eventually combine into a new narrative. |
| T0060 | Continue to Amplify | Continue narrative or message amplification after the main incident work has finished. |
| T0128 | Conceal People | Conceal the identity or provenance of a campaign's accounts and people assets to avoid takedown and attribution. |
| T0128.001 | Use Pseudonyms | An operation may use pseudonyms, or fake names, to mask the identity of operation accounts, publish anonymous content, or otherwise use falsified personas to conceal the identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example by writing an article under a pseudonym and then posting a link to the article on social media from an account with the same falsified name. |
| T0128.002 | Conceal Network Identity | Concealing network identity aims to hide the existence of an influence operation's network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. |
| T0128.003 | Distance Reputable Individuals from Operation | Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation's timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence. |
| T0128.004 | Launder Accounts | Account laundering occurs when an influence operation acquires control of previously legitimate online accounts from third parties through sale or exchange, often in contravention of the platform's terms of use. Influence operations use laundered accounts to reach target audience members through an existing information channel and to complicate attribution. |
| T0128.005 | Change Names of Accounts | Changing names of accounts occurs when an operation changes the name of an existing social media account. An operation may change the names of its accounts throughout an operation to avoid detection, or alter the names of newly acquired or repurposed accounts to fit operational narratives. |
| T0129 | Conceal Operational Activity | Conceal the campaign's operational activity to avoid takedown and attribution. |
| T0129.001 | Conceal Network Identity | Concealing network identity aims to hide the existence of an influence operation's network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. |
| T0129.002 | Generate Content Unrelated to Narrative | An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate "lifestyle" or "cuisine" content alongside regular operation content. |
| T0129.003 | Break Association with Content | Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or to regain credibility for a new operation. |
| T0129.004 | Delete URLs | URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or to remove online documentation that the operation ever occurred. |
| T0129.005 | Coordinate on encrypted/closed networks | Coordinate on encrypted/closed networks. |
| T0129.006 | Deny involvement | Without "smoking gun" proof (and even with proof), the incident creator can and will deny involvement. This technique also leverages the attacker advantages outlined in "Demand insurmountable proof", specifically the asymmetric disadvantage for truth-tellers in a "firehose of misinformation" environment. |
| T0129.007 | Delete Accounts/Account Activity | Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artifacts. An influence operation may delete its accounts and account activity to complicate attribution or to remove online documentation that the operation ever occurred. |
| T0129.008 | Redirect URLs | An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation's appearance of legitimacy, complicate attribution, and avoid detection. |
| T0129.009 | Remove Post Origins | Removing post origins refers to eliminating evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content. |
| T0129.010 | Misattribute Activity | Misattributed activity refers to operation activity that is attributed to the wrong actor. For example, a state-sponsored influence operation may conduct activity in a way that mimics another state so that external entities attribute the activity to the wrong state. An operation may misattribute its activities to complicate attribution, avoid detection, or frame an adversary for negative behavior. |
| T0130 | Conceal Infrastructure | Conceal the campaign's infrastructure to avoid takedown and attribution. |
| T0130.001 | Conceal Sponsorship | Concealing sponsorship aims to mislead or obscure the identity of the hidden sponsor behind an operation, rather than of the entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organizations, but seek to mislead or obscure the identity of whoever is sponsoring, funding, or otherwise supporting these entities. Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation's target audience, and post in the region's language. |
| T0130.002 | Utilize Bulletproof Hosting | Hosting refers to services through which storage and computing resources are provided to an individual or organization for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customers considerable leniency in their use of the service. An influence operation may utilize bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend. |
| T0130.003 | Use Shell Organizations | Use shell organizations to conceal sponsorship. |
| T0130.004 | Use Cryptocurrency | Use cryptocurrency to conceal sponsorship. Examples include Bitcoin, Monero, and Ethereum. |
| T0130.005 | Obfuscate Payment | Obfuscate payment. |
| T0131 | Exploit TOS/Content Moderation | Exploit weaknesses in platforms' terms of service and content moderation policies to avoid takedowns and other platform actions. |
| T0131.001 | Legacy web content | Keep incident content visible for a long time, e.g. by exploiting platform terms of service, or by placing it where it is hard to remove or unlikely to be removed. |
| T0131.002 | Post Borderline Content | Post borderline content. |
TA11 Counters

| disarm_id | name | summary |
|---|---|---|
| C00131 | Seize and analyse botnet servers | Take botnet servers offline by seizing them. |
| C00138 | Spam domestic actors with lawsuits | File multiple lawsuits against known misinformation creators and posters, to distract them from disinformation creation. |
| C00139 | Weaponise youtube content matrices | God knows what this is. Keeping temporarily in case we work it out. |
| C00143 | (botnet) DMCA takedown requests to waste group time | Use copyright infringement claims to remove videos etc. |
TA11 Detections

| disarm_id | name | summary |
|---|---|---|
| F00062 | Detect when Dormant account turns active | |
| F00063 | Linguistic change analysis | |
| F00064 | Monitor reports of account takeover | |
| F00065 | Sentiment change analysis | |
| F00066 | Use language errors, time to respond to account bans and lawsuits, to indicate capabilities | |
| F00082 | Control the US "slang" translation boards | |
| F00083 | Build and own meme generator, then track and watermark contents | |
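The detections above are listed without implementation detail. The following is an added example, not DISARM's own code, of how F00062 (dormant account turns active) and F00063 (linguistic change) can be combined with a check for T0128.005 (account renamed) into a single heuristic over a per-account post timeline, which is the signature one would expect from a laundered account (T0128.004) that was bought and repurposed. The post records, the thresholds (`DORMANT_DAYS`, `BURST_WINDOW_DAYS`, `BURST_MIN_POSTS`, `OVERLAP_MAX`) and the vocabulary-overlap measure are all assumptions chosen for illustration; real deployments would tune them against platform baselines.

```python
"""Heuristic detector for DISARM F00062 / F00063 / T0128.005 over a post timeline.
Example code added for illustration; not part of the DISARM framework.
Thresholds and sample data below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (tune against real platform baselines).
DORMANT_DAYS = 180        # a silence at least this long counts as dormancy
BURST_WINDOW_DAYS = 7     # window after reactivation in which posts are counted
BURST_MIN_POSTS = 3       # posts in that window that count as a burst
OVERLAP_MAX = 0.2         # post-gap vocabulary overlap below this is a linguistic shift

# Constructed sample timeline: (account_id, ISO timestamp, display_name, text).
# acct-1 goes quiet for over a year, is renamed and returns with a burst of
# political content; acct-2 posts steadily; acct-3 goes quiet but returns
# unchanged (benign dormancy, should not be flagged).
SAMPLE_POSTS = [
    ("acct-1", "2022-03-01T10:00:00", "Marta Gardens", "Planted tomatoes and basil in the garden today"),
    ("acct-1", "2022-03-08T09:30:00", "Marta Gardens", "Garden tip: water tomatoes in the morning"),
    ("acct-1", "2022-03-20T18:00:00", "Marta Gardens", "Basil pesto from the garden, best summer dinner"),
    ("acct-1", "2023-05-02T07:00:00", "Patriot Voice", "Share this before they remove it"),
    ("acct-1", "2023-05-02T07:05:00", "Patriot Voice", "The election results are not what they tell you"),
    ("acct-1", "2023-05-02T08:10:00", "Patriot Voice", "Wake up, the media is hiding the truth"),
    ("acct-1", "2023-05-03T12:00:00", "Patriot Voice", "Retweet if you want the truth out"),
    ("acct-2", "2022-03-01T11:00:00", "Ben Bakes", "Sourdough starter is bubbling nicely"),
    ("acct-2", "2022-06-15T11:00:00", "Ben Bakes", "Sourdough loaf number forty, crust is perfect"),
    ("acct-2", "2022-10-01T11:00:00", "Ben Bakes", "Trying rye sourdough this week"),
    ("acct-2", "2023-02-01T11:00:00", "Ben Bakes", "Sourdough tip: cold proof overnight"),
    ("acct-3", "2022-01-10T06:00:00", "Runner Sam", "Morning run done, ten kilometres in the rain"),
    ("acct-3", "2022-02-01T06:00:00", "Runner Sam", "Long run Sunday, legs are tired"),
    ("acct-3", "2022-09-15T06:30:00", "Runner Sam", "Back from injury, first morning run in months, legs felt great"),
]

WORD = re.compile(r"[a-z']+")


def tokens(text):
    """Lower-cased word set of one post."""
    return set(WORD.findall(text.lower()))


def vocab_overlap(before, after):
    """Fraction of distinct words used after the gap that the account already used before it.
    A repurposed account typically scores very low; a returning hobbyist scores higher."""
    vb = set().union(*(tokens(t) for t in before)) if before else set()
    va = set().union(*(tokens(t) for t in after)) if after else set()
    if not va:
        return 1.0
    return len(va & vb) / len(va)


def analyse_account(posts):
    """posts: list of (datetime, display_name, text) for one account, any order.
    Returns None if the account never went dormant, otherwise the signals
    observed around its longest silence."""
    posts = sorted(posts)
    if len(posts) < 2:
        return None
    gap, i = max((posts[k + 1][0] - posts[k][0], k) for k in range(len(posts) - 1))
    if gap < timedelta(days=DORMANT_DAYS):
        return None
    before, after = posts[:i + 1], posts[i + 1:]
    reactivated_at = after[0][0]
    burst = sum(1 for ts, _, _ in after if ts - reactivated_at <= timedelta(days=BURST_WINDOW_DAYS))
    renamed = before[-1][1] != after[0][1]               # T0128.005
    overlap = vocab_overlap([t for _, _, t in before], [t for _, _, t in after])  # F00063
    signals = {
        "dormant_days": gap.days,                         # F00062
        "burst_posts": burst,
        "renamed": renamed,
        "vocab_overlap": round(overlap, 3),
    }
    # One point per independent signal; a benign return from hiatus scores 0.
    signals["score"] = int(burst >= BURST_MIN_POSTS) + int(renamed) + int(overlap < OVERLAP_MAX)
    return signals


def scan(records):
    """Group raw records by account and analyse each one."""
    by_acct = defaultdict(list)
    for acct, ts, name, text in records:
        by_acct[acct].append((datetime.fromisoformat(ts), name, text))
    return {acct: analyse_account(p) for acct, p in by_acct.items()}


def flagged(records, min_score=2):
    """Account ids whose reactivation carries at least min_score signals."""
    return sorted(a for a, s in scan(records).items() if s and s["score"] >= min_score)


if __name__ == "__main__":
    for acct, signals in scan(SAMPLE_POSTS).items():
        print(acct, signals)
    print("flagged:", flagged(SAMPLE_POSTS))
```

Requiring two of the three signals keeps an ordinary return from hiatus (acct-3: long gap, same name, same vocabulary, single post) out of the alert queue, while the bought-and-renamed account (acct-1) trips all three. Sentiment change (F00065) would slot in as a fourth signal on the same before/after split.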