In our estimation, the analysis of disinformation is lagging about 10 years behind the field of Cyber Threat Intelligence (CTI). Despite the widespread acknowledgment that disinformation is a major threat, we lack the frameworks and governance to adequately address the threat.
In plain terms: knowing about a threat has only limited value. Established, structured analytical frameworks offer far more, because they let us understand the threat in depth and take appropriate action.
Dissecting Disinformation: What Exactly Are We Missing?
Just as CTI evolved, so the analysis of disinformation is evolving (slowly). The capability gaps are being filled by CTI-equivalent frameworks, such as those shown in the table below.
Table 1: Analytical frameworks developed for CTI, and their disinformation equivalents
Still see a gap? That’s where a disinformation equivalent of the Pyramid of Pain should exist. We’re going to attempt to fill that gaping hole.
Introducing the New Pyramid of Pain
Figure 1: The proposed disinformation Pyramid of Pain (left) alongside the CTI Pyramid of Pain (right)
Here’s the rationale for how we stacked our disinformation pyramid:
Narrative:
The narrative sits at the top because disrupting it inflicts the most ‘pain’ on the adversary: if the overarching narrative isn’t credible to the adversary’s target audience, the information operation is a bust, virtually from inception. Narratives have varying credibility lifecycles in the minds of the mass audience. For example, until recently, linking a disinformation campaign to an alien government conspiracy was a sure way to discredit the campaign; with the recent US congressional hearings on the subject, alien conspiracy is now (again) a viable vehicle for disinformation.
Funding:
This category comes in a close second among the most impactful activities a defender can target. It refers to the fundraising that keeps a disinformation organisation in business. Researchers tend to agree that disinformation is inexpensive to produce, but not free; it takes time, resources, and commitment. Cutting a source of disinformation, such as InfoWars, off from its funding inflicts pain on the adversary.
Tactics, Techniques, and Procedures (TTPs):
These are transplanted directly from the CTI Pyramid of Pain. The thinking is that threat actors easily adapt elements of their operations that sit lower in the pyramid, whereas elements that sit higher (e.g. TTPs) are harder to adapt when a defender counters them.
Personas:
The usernames, identities, and handles the adversary uses to publish disinformation – on social media or other platforms – are often a key element of a campaign. Disruption that erases these personas, such as deplatforming, can be particularly painful for adversaries.
Domain Name System (DNS):
This category encapsulates the role played by surface-web domains (e.g. the websites of InfoWars or QAnon) in the spread of disinformation. The CTI pyramid categories of IP Addresses and Domain Names are combined into the single category of DNS, because the ‘pivot’ between those categories is not as important for disinformation as it is for CTI.
Narrative Artifacts:
These are the manifestos, hashtags, memes, and other artifacts associated with the tactical implementation of a disinformation campaign. They are analogous to the hash values in the CTI pyramid: narrative artifacts are disposable and easily replaced by the adversary.
The Principle Behind the Pyramid
Whether this model for a disinformation version of the Pyramid of Pain will gain traction is totally secondary to our call for an equivalent model. The CTI Pyramid of Pain is one of the cornerstones of the CTI industry; combined with other frameworks, such as the Diamond Model, it’s shifted the field of CTI from a ‘nice-to-have’ to a ‘must-have’ component of modern cyber-security practice.
By acknowledging the pyramid-shaped gap in the burgeoning field of disinformation analysis, we’ve at least accelerated the development of this field – even by just a little.