Distributed defence against disinformation

I spoke recently at Disclosure — a conference started by Marc Rogers, bringing together interesting systems thinkers across information security. Last year, I spoke about how to adapt infosec to disinformation defense; this year about what the CogSecCollab leads have learnt from running the CTI League’s Disinformation response team.


2020 is where cognitive security, the idea of treating disinformation as an infosec problem akin to malware, really caught on. First, let’s talk about definitions. Misinformation is false content. In disinformation, the content doesn’t have to be false: some of the best disinformation campaigns use mostly-true information twisted out of context, misattributed, inorganically amplified, and so on. What interests our teams are attempts at large-scale belief change or emotion change that mislead people about the content or context of information.


2020: Not your Grandma’s Disinformation Ecosystem

The League concentrates on Covid19-related disinformation. It’s useful to talk here about narratives, because there are far fewer narratives than messages, which makes them easier to track (especially with text-based machine learning techniques). The League team keeps a list of hundreds of Covid19 narratives, bucketed into top-level categories ranging from origin myths (‘escaped bioweapon’), ‘covid isn’t serious’, medical scams (covid cures including MMS and alcohol) and resolution (‘country X has a cure already’) to crossover narratives. In 2020, we saw a lot of Covid19 crossover narratives, where existing groups like antivaxxers and hardcore rightwingers met and joined forces, and conspiracy theories were recycled and combined into new narratives. We loosely grouped crossover narratives into conspiracies (5G, antivax, depopulation, black helicopters), freedom rights (anti-stayathome, second amendment, immigration, etc), and geopolitics (covert and overt from China, Iran etc, “blue check” accounts), and expect this type of recycling to become normal.


If you want to understand disinformation, you need to understand the motivations: geopolitics (follow the countries), power gain (follow the divisions), financial gain (follow the money), attention seeking (follow the sharks, satire and other LOLs), and online discussion (follow the opinions, conspiracies, protest, nazis etc). In 2020, despite all the news about geopolitical disinformation, a lot of the disinformation we tracked was financially motivated. In many of the incidents we tracked, we found people trying to make money, either originating incidents or attaching themselves to them: Etsy and Amazon shops selling t-shirts, more sophisticated sales operations selling “cures”, networks of websites selling advertising space. There are crossovers here too: we tracked one Covid19-related incident back to someone selling their book about 5G.


Money usually needs URLs. If you’re making money online, at some point you’re going to need a URL: the Etsy or Amazon shop, or your own domains through which you control sales, sell advertising space, collect user details to sell, and so on. An example of this is the NaturalNews network, interesting because it started as a healthcare misinformation site and then broadened out (for example, we found it amplifying the “antifa on buses” story this year), and useful because it tracks the zeitgeist of current disinformation. If you’re tracking disinformation, URLs become important because they help you find more of it: a URL is an entry point into a network, from which we can map out a network of domains, associated social media, linked disinformation campaigns etc. We’ve done well with tools like DomainTools, backlink checkers and BuiltWith, finding related sites through registration records, Google Analytics IDs and advertising tags.
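As an added example (my own code, not from the original post or from CogSecCollab), the script below shows the pivot described above in its simplest form: pull the tracking identifiers that site operators reuse across every site they run (legacy Google Analytics property IDs, GA4 measurement IDs, AdSense publisher IDs) out of page HTML, then walk from one seed domain to every domain that embeds the same identifier. The HTML fragments and domain names are constructed for the example; in practice the pages would come from a fetch, and registration and technology data from DomainTools or BuiltWith would simply be more edges in the same graph.

```python
"""Pivot from one disinformation site to its network via shared tracking IDs."""
import re
from collections import defaultdict

# Identifiers that operators tend to reuse across every site they run:
# legacy Google Analytics property IDs, GA4 measurement IDs and AdSense publisher IDs.
TRACKER_PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "ga4": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "adsense": re.compile(r"\bca-pub-\d{10,20}\b"),
}

# Constructed HTML fragments for the example; in practice these come from fetching
# each site (or from a BuiltWith/DomainTools export). Domain names are hypothetical.
SAMPLE_PAGES = {
    "cure-miracle.example": (
        '<script>ga("create","UA-12345678-1","auto");</script>'
        '<script data-ad-client="ca-pub-1234567890123456"></script>'
    ),
    "health-truth.example": "<script>gtag('config','UA-12345678-1');</script>",
    "freedom-news.example": (
        '<script data-ad-client="ca-pub-1234567890123456"></script>'
        "<script>gtag('config','G-ABCD1234EF');</script>"
    ),
    "unrelated.example": "<script>gtag('config','G-ZZZZ9999ZZ');</script>",
}


def extract_trackers(html: str) -> set[str]:
    """Every tracker ID in a page, prefixed with its type (e.g. 'adsense:ca-pub-...')."""
    found = set()
    for kind, pattern in TRACKER_PATTERNS.items():
        for match in pattern.findall(html):
            found.add(f"{kind}:{match}")
    return found


def build_tracker_index(pages: dict[str, str]) -> dict[str, set[str]]:
    """Invert the pages: tracker ID -> set of domains that embed it."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for tracker in extract_trackers(html):
            index[tracker].add(domain)
    return index


def related_domains(seed: str, pages: dict[str, str]) -> dict[str, set[str]]:
    """One hop: other domains sharing a tracker with `seed`, and which trackers they share."""
    index = build_tracker_index(pages)
    related = defaultdict(set)
    for tracker in extract_trackers(pages[seed]):
        for domain in index[tracker]:
            if domain != seed:
                related[domain].add(tracker)
    return dict(related)


def expand_network(seed: str, pages: dict[str, str]) -> set[str]:
    """All hops: the whole tracker-linked network the seed sits in."""
    seen = {seed}
    frontier = [seed]
    while frontier:
        domain = frontier.pop()
        for other in related_domains(domain, pages):
            if other not in seen:
                seen.add(other)
                frontier.append(other)
    return seen


if __name__ == "__main__":
    for domain, shared in related_domains("cure-miracle.example", SAMPLE_PAGES).items():
        print(domain, "shares", sorted(shared))
    print("network:", sorted(expand_network("cure-miracle.example", SAMPLE_PAGES)))
```

Shared analytics or ad-publisher IDs are strong evidence of common operation because they are tied to a payout or reporting account, which is exactly why money-motivated networks leak them; a shared CDN or theme, by contrast, is weak evidence and should not be an edge on its own.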


Disinformation evolved in 2020. Some examples:


  • We tracked WeWontStayHome because it was part of the wider Covid19 health incident. It was a small incident, but it seeded a much larger incident, OperationGridlock, later. We also saw this incident spread across countries and states. This was an early use of astroturfing: creating and populating a group for each state.
  • When we created the AMITT framework for tracking disinformation techniques, we included “going physical” as a category because even though it was rare then, we thought it might become important. In 2020, a lot has gone physical, including “face mask exemption cards”: laminated cards intended to exempt their bearers from covid19 mask requirements in stores and similar places. We’ve seen a lot of homespun ideas, in this case a card with a long spiel, HIPAA misspelt and so on, being picked up and productized either for money, to support other campaigns, or both (e.g. the main site that productized mask exemption cards takes PayPal donations and collects user details). We’ve also seen this cross countries and communities, e.g. a more professional-looking mask exemption card in Canada, listing organizations targeting parents.
  • 2020 isn’t all bad: it’s a breakout year for countermeasures too, from the kPop fans flooding extremist hashtags with boy band images, to social media companies starting to take down content that isn’t just an immediate threat to life. It’s also been a good year for homegrown countermeasures, like mask exemption override cards: laminated cards that ‘cancel’, game-style, mask exemption cards.
  • Disinformation doesn’t exist in a vacuum: it’s part of an information space. If you just remove the disinformation, you leave vacuums, voids in the places where people search for information. People will still search: if you remove the wrong information, you need to have information, or routes to information, in ways that they can consume it and in the places that they want to consume it. Many good information teams emerged in 2020; the League team has partnered with one of them, the RealityTeam, working out how they can rapidly deploy counter-narratives and information in response to new incident narratives.
  • Some developing-world spam and marketing companies are pivoting to provide disinformation as a service. Recorded Future did a good report on this, and the use of a fake NGO in Ghana to target African Americans was interesting. Disinformation is starting to get the attention of organized crime (there’s a UNODC report out on this soon), but the economics aren’t there yet: at the moment, ransomware is a better business model for large amounts of money, and businesses and principals are mostly caught up in disinformation campaigns rather than being targets of them. Deepfake tech is still too complicated and expensive to scale massively, but it’s coming. We already have text, and the next evolution is to more video and voice. The likely business transition is from small specialized agencies, i.e. a boutique capability, to market expansion where disinformation becomes a commodity capability.

That’s where we are in 2020, but CogSecCollab always looks ahead. We do this from a combination of responding to disinformation as a Blue Team (running a response plan, building playbooks, tracking campaigns, incidents, narratives and artifacts), and learning from examples by running weekly Red team exercises. Topics we’ve covered in those exercises include running a “disinformation as a service”/alternative marketing company, running a hostile social media platform, mixing disinformation with coordinated sensor spoofs, and extending an existing narrative (e.g. anti-medical safety). We learn a lot from these. Sometimes they give us a heads-up on likely next steps in disinformation campaigns (e.g. potential disinformation narratives as children went back to school); other times we gain insights into how and why disinformation creators operate the ways that they do.


2020: Cognitive Security is real now. Join us

Cognitive security is a rapidly growing domain that interacts with cyber and physical security, and includes things like information operations and disinformation. We look at this from a set of overlapping axes.


Collaboration. “This isn’t a silver bullet problem, it’s a thousand-bullet problem” — Pablo Breuer. Disinformation is a distributed, heterogeneous problem. It needs a similar response, one that’s collaborative, heterogeneous and connected. Lots of different groups at lots of different scales, that have to work together, and we need to connect them, in a way that respects the groups, the subjects of disinformation, and the accounts and groups being investigated. Practically, that means privacy, sharing, and standards.


Misinformation Pyramid

Layers. We’ve written about this model before: longer-term campaigns (antivax, destabilize national politics etc) contain shorter-term incidents (e.g. a burst of activity around a specific topic or event), which are based on narratives (the stories we tell ourselves about who we are, who we belong to, who we don’t belong to, what’s happening in the world), which show up as artifacts: messages, images, accounts, groups, relationships.


Threat intelligence tasks. We’re doing threat intelligence: we want to find, predict and neutralize current and future threats. That rests on intelligence skills, assessing the situation picture using the five Ws and an H (who, what, when, where, why and how): what’s happening, with best guesses about origins and future moves; who’s involved (including attribution), why (intent), and how (tactics and techniques). For disinformation, this is usually OSINT (open source intelligence), finding that situation picture using publicly-available data, supported by data science, finding patterns in big data that’s arriving fast across many channels (as Marc Rogers noted last year, the 3V model of volume, velocity and variety is what makes modern disinformation tracking different). Attribution, working out who’s responsible for a disinformation incident, is hard. You don’t have full access to data, and there are incentives for people to obfuscate and hide who they are. At best, attribution is probabilistic, but even a hint can help us assess potential moves and countermoves.


Analytics maturity ladder (image source: https://www.ecapitaladvisors.com/blog/analytics-maturity/)

Analytic maturity. The data science ladder also applies to disinformation response: work ranges from assessing what’s happened (e.g. traditional statistical analysis), to predicting what might happen next (machine learning), to moves and countermoves in an interactive environment (applied game theory). Disinformation response has been moving up this ladder, and is currently around the prescriptive analytics point on it.


Response timescales. There are different team response timescales: strategic (weeks/months/years), issue-focussed work, e.g. long-form journalism, exemplified by Stanford Internet Observatory, University of Washington, Shorenstein Center, Bellingcat, DFRLab, Graphika and the social media platforms; operational (days/weeks), project-focussed work that’s usually embedded with development teams in AI/ML-based disinformation data and tool companies; tactical (hours/days), incident-focussed work, responding to disinformation as it happens, exemplified by the New York Times, CTI League, some of MLsec, and the crisismapping teams that cover disinformation. Each of these works differently. If you have hours, all you care about is stopping the flood of disinformation; if you have months, you can get into attribution, geopolitics and motives. In 2020, many of the strategic groups started responding faster and became more tactical.


Disinformation Incident Response

This isn’t a new problem: I’ve addressed it before. As a crisismapper, I set up procedures for data analysis and sharing in reaction to sudden-onset disaster events, set up and connected groups doing this around the world. These activities map to disinformation too.


We’re tracking Covid19 incidents through the CTI League disinformation team. The League describes itself as the first global volunteer emergency response community that defends and neutralizes cybersecurity threats and vulnerabilities to the life-saving sectors related to the current COVID-19 pandemic. The disinformation equivalents of the League’s main work are:


  • Neutralize: Disinformation incident response: triage, takedown, escalation.
  • Clearinghouse: Collate and share incident data, including with organizations focusing on response and counter-campaigns.
  • Prevent: Collate disinformation indicators of compromise (IoCs) and vulnerabilities; supply them to organizations.
  • Support: Assess the possibility of direct attack, and ways to be ready.

The rest of this post is about the incident response part of that. To do this, we need the usual people, process and technology triangle, plus culture:


  • Enough trained people (who understand disinformation and understand threat response) to be able to respond fast enough and make a difference to an incident (that includes noticing incidents in time to respond)
  • Enough ways to make a difference (including outbound connections)
  • Safety culture including mental health and OPSEC
  • Fast, lightweight response processes
  • Technology to support and speed up analysis, storage etc
  • Sharing technology, to get data to responders in ways they understand

CogSecCollab has been working on processes, tools, and training to support this. We started with the disinformation adaptations we made to threat intelligence tools (HIVE and D3PO for case tracking, MISP for intelligence sharing, and data tools for analysis support): the MISP work in particular is already shared with teams in NATO, the EU and other countries. We’ve also been cleaning up the CTI League disinformation process manual, and are starting to share that with other groups for comment and improvement; after that, we plan to share our team training courses (e.g. Data Science for Disinformation Response, a repurposed university course).


John Boyd’s OODA (Observe, Orient, Decide, Act) Loop

Almost four years ago, I started talking about the overlaps between disinformation, information security, machine learning, and military competition short of armed conflict, and used Boyd’s OODA diagram then. For Boyd, it was about understanding why some pilots were better at winning dogfights, couched in terms of interacting decision loops. In 2020, that’s still a useful way to think about the pieces we need in a response.


Observe: 2020’s Decade of Tracking Covid19 Disinformation

CTI gets feeds in from other groups, from its own monitoring and from its own members. Most alerts start with an artifact: an image, a URL, a piece of text. First, we have to decide whether to treat this as an incident. The three big questions we ask are about the potential harm from this incident, whether it’s disinformation, and whether we’re the best team to respond to it. For harm, we look at harms frameworks, and think about what the potential effects of an incident are, its size, coordination and targets. On disinformation, we ask where the falsehood is (e.g. is this misinformation or disinformation; are these fake groups, profiles, amplification etc), and whether it’s a different type of falsehood, e.g. phishing. On whether we’re the best team to respond, we ask if it’s in our area (e.g. covid19), whether other teams are already tracking and responding, whether we have the resources to respond (this is long-haul work: burning out teams is bad), and whether we have a reasonable chance of doing something useful about the incident. When assessing, we also look at the information we already have. For instance, we see a lot of repeat offenders, so we look for things like known medical scams. No team works alone, so even if an incident isn’t responded to, best efforts should be made to get alerts out if needed.


Once we start an incident, our first job is to gather enough information to determine whether we should act, hand this information over to another party, stand down, or not act but keep a watch on this area. This is usually a mixture of artifact-based activity analysis, network analysis and fact-checking:


  • Activity analysis: Tracking artifacts (messages, images, URLs, accounts, groups etc), e.g. finding artifact origins, tracking how an artifact moves across channels/groups etc, and finding related artifacts. Detecting AMITT techniques, e.g. detecting computational amplification; detecting, tracking and analyzing narratives.
  • Network detection: Finding inauthentic website networks (“pink slime”). Finding inauthentic account and group networks (including botnets).
  • Credibility/verification: Fact-checking: verifying that an article, image, video etc doesn’t contain disinformation. Source-checking: verifying that a source (publisher, domain etc) doesn’t distribute disinformation.

(This is the incident-based tactical work. We also need monitoring work — spreader analysis — looking for infrastructure and accounts that are set up in advance of incidents, including sock puppet accounts “laundered” and left to mature).
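One concrete form of the “detecting computational amplification” task listed above, written as an added example rather than the League’s own tooling: flag accounts that repeatedly post the same URLs within seconds of each other, the coordinated link-sharing pattern that organic sharing rarely produces. The posts, account names, the 60-second window and the two-URL threshold are all constructed assumptions for the example; the same logic runs unchanged over a real export of (account, timestamp, URL) rows.

```python
"""Flag coordinated link sharing: accounts that repeatedly post the same URL
within seconds of each other, a signature of computational amplification."""
from collections import defaultdict

WINDOW_SECONDS = 60      # assumed: how close two shares must be to count as "together"
MIN_SHARED_URLS = 2      # assumed: how many URLs a pair must co-share before we flag it

# Constructed sample posts (account, unix timestamp, url). Not real accounts or data.
# a1/a2/a3 push three URLs together; c1/c2 co-share once; organic_* share late and alone.
SAMPLE_POSTS = [
    ("a1", 0, "https://cure.example/mms"),
    ("a2", 10, "https://cure.example/mms"),
    ("a3", 20, "https://cure.example/mms"),
    ("organic_1", 30000, "https://cure.example/mms"),
    ("a1", 1000, "https://cure.example/5g"),
    ("a2", 1005, "https://cure.example/5g"),
    ("a3", 1030, "https://cure.example/5g"),
    ("organic_2", 6000, "https://cure.example/5g"),
    ("a1", 2000, "https://cure.example/shop"),
    ("a2", 2001, "https://cure.example/shop"),
    ("a3", 2002, "https://cure.example/shop"),
    ("c1", 100, "https://news.example/story"),
    ("c2", 110, "https://news.example/story"),
]


def cosharing_pairs(posts, window=WINDOW_SECONDS):
    """For each pair of accounts, the set of URLs both shared within `window` seconds."""
    by_url = defaultdict(list)
    for account, ts, url in posts:
        by_url[url].append((ts, account))
    pairs = defaultdict(set)
    for url, shares in by_url.items():
        shares.sort()
        for i, (ts_i, acc_i) in enumerate(shares):
            for ts_j, acc_j in shares[i + 1:]:
                if ts_j - ts_i > window:
                    break           # sorted, so nothing later can be inside the window
                if acc_i != acc_j:
                    pairs[frozenset((acc_i, acc_j))].add(url)
    return pairs


def coordinated_clusters(posts, window=WINDOW_SECONDS, min_urls=MIN_SHARED_URLS):
    """Union-find over flagged pairs: connected groups of accounts that co-shared
    at least `min_urls` distinct URLs. Returns sorted tuples of account names."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for pair, urls in cosharing_pairs(posts, window).items():
        if len(urls) >= min_urls:
            a, b = tuple(pair)
            parent[find(a)] = find(b)

    clusters = defaultdict(set)
    for account in list(parent):
        clusters[find(account)].add(account)
    return sorted(tuple(sorted(c)) for c in clusters.values() if len(c) > 1)


if __name__ == "__main__":
    print(coordinated_clusters(SAMPLE_POSTS))   # [('a1', 'a2', 'a3')]
```

A single co-share is not evidence of anything (c1 and c2 above are not flagged); the signal is repetition across distinct URLs, so tune the threshold against a baseline of known-organic accounts before using the clusters for takedown reports.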


Volume, velocity, variety: we can’t do that quickly enough with humans alone. We have to speed it up with machines, and here are some of the places where that can be done.


  • Graph analysis: finding super-spreaders, finding rumor origins, uncovering new artifacts, tracking movement over time
  • Text analysis: finding themes, classifying text to narratives, clustering text to narratives, searching for similar text/narratives
  • Image, video, audio analysis: clustering images, searching for similar images, detecting shallowfakes

CogSecCollab / CTI League Disinfo have already been using graph and text analysis, and experimenting with ways to cluster images so we can minimise the number of times we expose humans to sometimes-difficult images. This matters because exposure is cumulative, and if we can avoid exposing someone to 100 near-identical difficult images or texts, that’s useful.
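An added example (my own code, not the League’s) of the exposure-minimising clustering described above, applied to text: messages are reduced to lower-cased word trigrams, compared by Jaccard similarity, and greedily grouped under the first message of each cluster, so an analyst reads one representative instead of every near-identical copy. The messages and the 0.5 similarity threshold are constructed for the example; the same leader-clustering loop works for images once the shingle set is replaced by a perceptual hash.

```python
"""Cluster near-duplicate messages so an analyst reads one representative per cluster."""
import re

# Constructed sample messages, not real posts: three variants of one narrative,
# two of another, and one unrelated message.
SAMPLE_MESSAGES = [
    "5G towers are spreading the virus. Share before they delete this!",
    "5G towers are spreading the virus. Share before they delete this!!!",
    "5G towers are spreading the virus - share before they delete this one",
    "MMS cures covid in 24 hours, doctors won't tell you",
    "MMS cures covid in 24 hours. Doctors won't tell you this.",
    "Stay home, wash your hands, and check sources before sharing.",
]


def shingles(text: str, k: int = 3) -> set:
    """Lower-cased word k-grams; punctuation and emphasis changes do not alter them."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) <= k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_near_duplicates(messages, threshold: float = 0.5, k: int = 3):
    """Greedy leader clustering: each message joins the most similar existing cluster
    if its leader (the cluster's first message) scores >= threshold, else it starts a
    new cluster. Returns lists of indices into `messages`, leader first."""
    leaders = []                      # (leader shingle set, member indices)
    for idx, text in enumerate(messages):
        sh = shingles(text, k)
        best_score, best_members = 0.0, None
        for leader_sh, members in leaders:
            score = jaccard(sh, leader_sh)
            if score > best_score:
                best_score, best_members = score, members
        if best_members is not None and best_score >= threshold:
            best_members.append(idx)
        else:
            leaders.append((sh, [idx]))
    return [members for _, members in leaders]


def representatives(messages, threshold: float = 0.5, k: int = 3):
    """The texts an analyst actually needs to look at: one per cluster."""
    return [messages[c[0]] for c in cluster_near_duplicates(messages, threshold, k)]


if __name__ == "__main__":
    for cluster in cluster_near_duplicates(SAMPLE_MESSAGES):
        print(len(cluster), "x", SAMPLE_MESSAGES[cluster[0]])
```

Because the leader is whichever copy arrived first, the cluster size doubles as a crude amplification count; for large feeds replace the linear scan over leaders with MinHash buckets, but keep the human-facing output the same: one text per cluster, with the count beside it.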


Orient: Getting the Situation Picture

Here we come to sensemaking, or understanding what you observed, in context. This includes looking at what we’ve collected, to work out what’s happening and what might happen across the whole incident. One way the League team does that is by analyzing the connections between incident objects, using MISP. MISP is an open source threat intelligence platform that we’ve repurposed from malware to disinformation (CogSecCollab runs the MISP disinformation community). MISP imports and exports STIX, the sharing standard used by ISACs and ISAOs. We extended it slightly for disinformation, adding object types for incidents and narratives, and using AMITT for the attack patterns (see https://github.com/cogsec-collaborative/amitt_cti).


AMITT TTP Framework, Plandemic example

We’ve talked about the AMITT Framework before. It’s how we break an incident into techniques that we can analyze and counter. AMITT is now embedded in MISP, and we’ve handed it over to MITRE to manage. We tick the AMITT boxes during observation. During Orient, we look at this diagram to work out what’s happening, how we might respond, and if we catch an incident early, which downstream techniques might be used in that incident too. (The example here is Plandemic — a debunked conspiracy theory video which makes some false claims about the nature of COVID-19. We mapped it in AMITT to help us understand what capabilities the actor has and potentially how they’re resourced.)
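An added example, not CogSecCollab’s code, of using past AMITT mappings to hint at downstream techniques when an incident is caught early: from a history of incidents, each recorded as the set of techniques it used, estimate how often technique B appeared alongside technique A, then rank the techniques not yet seen in the current incident by their average conditional frequency given what has been observed. The incident history and the technique labels are constructed placeholders, not real AMITT IDs or real incidents.

```python
"""Rank likely downstream techniques from co-occurrence in past incident mappings."""
from collections import Counter, defaultdict

# Constructed history: each past incident as the set of techniques it used.
# Labels are illustrative placeholders, not AMITT technique IDs or names.
PAST_INCIDENTS = [
    {"conspiracy_narrative", "fake_experts", "create_hashtags", "bot_amplification", "bait_influencers"},
    {"conspiracy_narrative", "create_hashtags", "bot_amplification", "sell_merchandise"},
    {"conspiracy_narrative", "fake_experts", "bot_amplification", "go_physical"},
    {"leak_altered_documents", "create_hashtags", "bot_amplification"},
    {"conspiracy_narrative", "fake_experts", "bait_influencers", "go_physical"},
]


def cooccurrence_model(incidents):
    """Estimate P(b | a): of the incidents using technique a, the fraction that also used b."""
    single = Counter()
    pair = Counter()
    for techs in incidents:
        for a in techs:
            single[a] += 1
            for b in techs:
                if a != b:
                    pair[(a, b)] += 1
    return {(a, b): n / single[a] for (a, b), n in pair.items()}


def predict_downstream(observed, incidents, top_n=3):
    """Score every technique not yet observed by its conditional frequency averaged over
    the observed techniques (a technique that never co-occurred with one of them
    contributes zero for that one). Returns the top_n (technique, score) pairs."""
    observed = set(observed)
    model = cooccurrence_model(incidents)
    scores = defaultdict(float)
    for (a, b), p in model.items():
        if a in observed and b not in observed:
            scores[b] += p / len(observed)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n]


if __name__ == "__main__":
    # Early in a hypothetical incident we have only ticked two AMITT boxes so far.
    for technique, score in predict_downstream({"conspiracy_narrative", "fake_experts"}, PAST_INCIDENTS):
        print(f"{technique:20s} {score:.2f}")
```

The output is a prioritised watch list for the rest of the Observe phase, not a prediction to act on: with a history this small the scores are noisy, and the model only ever proposes techniques it has already seen, so a genuinely new move will not appear on it.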


What we get out of Orient is an incident report, containing a summary, narratives, techniques, artifacts and objects. We also get a MISP event that we can share with other groups either directly or by email, via their threat intelligence tools etc. We added a few other things to MISP for this: Object types for common social media platforms, and code to load these into MISP using single-line commands in Slack, because speed is everything in a tactical response; new relationship types, to make the graphs that users can traverse in MISP richer; and taxonomies (DFRLab’s Dichotomies of Disinformation, and a NATO-led tactical variant) to cover things like types of threat actor.


Decide/Act: Options on Countermeasures, Mitigations, Resilience, Collaboration, Interaction

After Orient, we Decide. In 2020, we stopped “admiring the problem”. Questions we now need to ask at the end of analysis include: What are our options? Should we act? Do we want to? What are the ways that we, and the people connected to us, could affect a disinformation incident?


First, the who. Potential responders include the whole of society, including the infosec bodies already linked by the ISAOs and cyber Interpols. That’s platforms, law enforcement, government, elves (volunteer groups), the public, online and offline influencers, media, nonprofits, educators and corporations.


One view of countermeasures: https://github.com/cogsec-collaborative/amitt_counters

And the what. In 2019, MisinfoSec worked on mitigations and countermeasures, building a course of action matrix from the AMITT tactic stages and a variant of the JP-3 list of effects: detect (find them), deny (stop them getting in), disrupt (interrupt them), degrade (slow them down), deceive (divert them), destroy (damage them), and deter (discourage them), or the TL;DR version: prevent access, break flow, add friction, honeypot, damage, and remove the incentives to create disinformation in the first place.


CogSecCollab has built theory and examples for effects-based, tactic-based and doctrine-based countermeasures. The CTI League team is using effects-based counters: reporting to law enforcement, platforms, and registrars, with CogSecCollab helping to connect the RealityTeam counter-narratives group back to the CTI League.


Having looked at options during Decide, it’s time to Act: make a change in the environment, and potentially start interacting with it. When you act in a disinformation space, you’re acting in an environment with a lot of other humans and machines in it, and what you can end up in is a multiplayer game, where each of you is acting in response to the others and playing off against each other’s resources. Grugq, Pablo and I have been working on this. But that’s for another discussion.


That was a quick spin around CTI League disinfo and CogSecCollab in 2020. You can learn more about the teams at https://cti-league.com/ and https://cogsec-collab.org/.


Translated from: https://medium.com/@sarajayneterp/distributed-defence-against-disinformation-f449877e6477

http://www.taodudu.cc/news/show-4548029.html
