Disinformation is the new kid on the block of the threat and risk analysis community. Because it is tricky to define and challenging to anticipate, multiple frameworks are being developed to help analyse the disinformation capabilities of malicious actors. The DISARM framework offers a structure similar to the lauded MITRE ATT&CK framework. Charity Wright of Recorded Future, with her Diamond Model of Influence Operations, provides another example with a more ‘meta’ framework alternative.
Many of these are frameworks-in-progress. Their creators have been playing catch-up since disinformation analysis entered the broader field of threat and geopolitical analysis, which happened only relatively recently.
Within this context, allow us to weigh in on the utility of frameworks. Can they really help you assess an adversary’s capability to launch disinformation campaigns? Below we consider frameworks’ weak and strong points, and offer our own jumping-off point.
Assessing Capability: Why It’s an Analytical Challenge
Capability is one of the four elements of Wright’s Diamond Model of Influence Operations (shown below). Think of it as the adversary’s overall capacity to achieve their operational goals.
Figure 1: Wright’s Diamond Model of Influence Operations
Twenty years of Cyber Threat Intelligence (CTI) practice has shown that assessing an adversary’s capability – in a convincing and measurable way – isn’t easy. Can you discern who’s more capable: the threat actors behind the ‘Stuxnet’ malware or those in the ‘Conti’ ransomware group? Is ‘BlackEnergy’ better malware than ‘Citadel’? These are just two questions in a quarry that CTI practitioners have been digging away at for years, with no real sign of a resolution.
Why is assessing capability so difficult? In our opinion, the answer lies in the assessment’s highly subjective nature. Stuxnet is certainly more technically complex than malware used by Conti, but Conti has been arguably more successful than the Stuxnet operators in achieving goals (getting filthy rich). So you could make a convincing argument that Conti’s members have a more sophisticated capability than the Stuxnet operators.
Of course, there’s a counter-argument: The Stuxnet operators had a far higher technical bar to leap, managing to disrupt the Iranian nuclear programme. Surely that’s a point in favour of Stuxnet being more capable?
Buchanan’s Framework: An Air of Sophistication
We think one of the best attempts to assess adversary capability was proposed by Ben Buchanan in his paper The Legend of Sophistication in Cyber Operations. Just one of Buchanan’s many insightful points is the benefit of applying six factors to capability assessments: sourcing, usage, networking, testing, persistence, and OPSEC.
Each factor of Buchanan’s model encompasses categories indicating levels of sophistication, from low to high. For example, under ‘sourcing’, the ‘malware’ category ranges from ‘purchased’ or ‘open source’ at the low end of the sophistication scale to ‘custom built’ at the other end. Obviously, the more sophisticated the adversary, the greater their chance of achieving their mission objective.
We’ll leave readers to explore Buchanan’s work by themselves. In the meantime, we’ll nod to it as an influence on Elemendar’s own scale for assessing a disinformation operator’s capability.
When Does Sophistication Breed Disinformation?
The table below showcases seven factors we have deemed the most useful for describing a potential disinformation actor’s capability. Each factor presents considerations to help discern the overall sophistication of a threat actor.
Figure 2: Elemendar’s scale for assessing threat actors’ capability to further disinformation campaigns
The scale shown in Figure 2 is another one of those frameworks-in-progress, but it could prove useful to the CTI community for development and experimentation. Although basic, it offers points we’ve found critical in assessing capability when it comes to disinformation.
The scale can be enhanced by defining the spectrum between unsophisticated and highly sophisticated. The extremes are often the easiest points to discern, but in murkier mid-levels of sophistication, much more ‘heavy lifting’ analysis is needed. To take the exercise further, you could break down any of the seven key factors, forming categories and sub-categories in their own right.
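To make the kind of scale described above concrete, here is an added worked example (not Elemendar’s or Buchanan’s own tooling, and not code from the original post) that models an ordinal capability rubric in Python. It uses Buchanan’s six named factors, because the seven factors of the Elemendar scale are only shown in the figure and are not listed in the text, and it treats the spectrum between unsophisticated and highly sophisticated as an explicit LOW/MEDIUM/HIGH level per factor. Every rating must cite evidence, unrated factors are reported rather than silently scored, and two actors are only compared on factors both have been rated on, so a thin assessment cannot masquerade as a confident one. The two actors and all of their observations are constructed for illustration and do not describe any real group.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Tuple

# Buchanan's six factors, as named on the page.
FACTORS = ("sourcing", "usage", "networking", "testing", "persistence", "opsec")


class Level(IntEnum):
    """Ordinal sophistication level for a single factor."""
    LOW = 1      # e.g. sourcing: purchased or open-source tooling
    MEDIUM = 2   # the murkier middle that needs the heavy-lifting analysis
    HIGH = 3     # e.g. sourcing: custom-built tooling


@dataclass
class Observation:
    level: Level
    evidence: str  # what the analyst actually saw; a rating without evidence is opinion


@dataclass
class Assessment:
    actor: str
    observations: Dict[str, Observation] = field(default_factory=dict)

    def observe(self, factor: str, level: Level, evidence: str) -> None:
        """Record one evidence-backed rating; reject unknown factors and empty evidence."""
        if factor not in FACTORS:
            raise ValueError(f"unknown factor {factor!r}; expected one of {FACTORS}")
        if not evidence.strip():
            raise ValueError("every rating must cite evidence")
        self.observations[factor] = Observation(level, evidence)


def summarise(a: Assessment) -> dict:
    """Per-factor scores, the factors left unrated, and coverage. No single composite score:
    averaging over unrated factors would hide exactly the gaps an analyst needs to see."""
    scores = {f: int(a.observations[f].level) for f in FACTORS if f in a.observations}
    unknown = [f for f in FACTORS if f not in scores]
    return {
        "actor": a.actor,
        "scores": scores,
        "unknown": unknown,
        "coverage": len(scores) / len(FACTORS),
        "mean": (sum(scores.values()) / len(scores)) if scores else None,
    }


def compare(a: Assessment, b: Assessment, min_coverage: float = 0.5) -> dict:
    """Compare two actors factor by factor, only where both were rated, and refuse
    to give a verdict when either assessment covers too few factors."""
    sa, sb = summarise(a), summarise(b)
    result = {"shared": [], "a_leads": [], "b_leads": [], "verdict": ""}
    for s in (sa, sb):
        if s["coverage"] < min_coverage:
            result["verdict"] = (f"insufficient evidence for {s['actor']} "
                                 f"(coverage {s['coverage']:.0%})")
            return result
    shared = [f for f in FACTORS if f in sa["scores"] and f in sb["scores"]]
    result["shared"] = shared
    for f in shared:
        if sa["scores"][f] > sb["scores"][f]:
            result["a_leads"].append(f)
        elif sb["scores"][f] > sa["scores"][f]:
            result["b_leads"].append(f)
    if not shared:
        result["verdict"] = "no factor rated for both actors; not comparable"
    elif len(result["a_leads"]) > len(result["b_leads"]):
        result["verdict"] = f"{a.actor} rated higher on {len(result['a_leads'])} of {len(shared)} shared factors"
    elif len(result["b_leads"]) > len(result["a_leads"]):
        result["verdict"] = f"{b.actor} rated higher on {len(result['b_leads'])} of {len(shared)} shared factors"
    else:
        result["verdict"] = "split decision on shared factors"
    return result


def build_sample() -> Tuple[Assessment, Assessment]:
    """Two constructed, hypothetical actors; the evidence strings are illustrative only."""
    a = Assessment("ACTOR-A (constructed)")
    a.observe("sourcing", Level.HIGH, "custom-built tooling not observed elsewhere")
    a.observe("testing", Level.HIGH, "staged dry runs seen before the main push")
    a.observe("opsec", Level.HIGH, "no reuse of accounts or infrastructure between campaigns")
    a.observe("networking", Level.MEDIUM, "some shared contractors with other groups")

    b = Assessment("ACTOR-B (constructed)")
    b.observe("sourcing", Level.LOW, "commodity, off-the-shelf tooling")
    b.observe("usage", Level.HIGH, "reached its audience and measurable goals repeatedly")
    b.observe("persistence", Level.HIGH, "returns within days of takedowns")
    b.observe("opsec", Level.LOW, "same handles and hosting reused across campaigns")
    return a, b


if __name__ == "__main__":
    actor_a, actor_b = build_sample()
    for assessment in (actor_a, actor_b):
        print(summarise(assessment))
    print(compare(actor_a, actor_b))
```

The point of the design is the page’s own caveat: the extremes are easy, the middle is not, and an aggregate number invites false confidence. Keeping scores per factor, listing what was never rated, and comparing only on shared factors keeps that uncertainty visible in the output rather than averaging it away.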
It’s a starting point, just as Buchanan’s scale is, within the field of CTI. The end point? Ideally, a comprehensive scale that lets you quickly assess capability, to sniff out the smoke of disinformation before it starts to burn.