Threat Intelligence

How OpenCTI helps to fight disinformation and foreign interferences

May 21, 2023 5 min read

In the past year, our product and engineering teams worked closely with multiple companies, public agencies and non profit organizations to extend a bit the threat intelligence model to be able to properly address and modelize disinformation threats, campaigns and incidents.

FIMI Analysis Lifecycle

Foreign Information Manipulation and Interference (FIMI) — also often labelled as “disinformation” — is a growing political and security challenge for our democratic societies, affecting governments and citizens as well as private companies. The problem is global, complex and constantly evolving, also considering the increasing availability for everyone of content generation capabilities using AI tools.


Why carry out this adaptation effort?

We do not intend to turn OpenCTI into a generic intelligence platform but it is clear that Cyber intelligence and FIMI analysis are part of a common continuum. Some threat actors do have the ability to conduct campaigns in both fields and incidents can use mixed tactics, including for the most recent cybercrime nexus.

To protect universal values, democracy, freedoms and societies, a diverse range of actors has emerged who try to detect, understand and respond — the defender community. Providing this community with effective and adapted open source methods and tools is definitely part of the Filigran top priorities and DNA.

Pilot study — Key figures of findings across 100 FIMI incidents (source: EEAS Threat Report 2023)

In June 2022, Carnegie’s Partnership for Countering Influence Operations (PCIO) held a workshop during which it convened a group of high-level experts from civil society, industry, and government to take stock of best practices in the FIMI analyst community. Since there, Filigran has worked closely with major actors involved to deliver minimum viable products and models on top of the STIX 2.1 standard to ease on-going work to find agreement upon definitions and analytical standards for analysing and reporting on FIMI.

As the Cyber Threat Intelligence community, FIMI defenders need to be able to efficiently share and disseminate knowledge, and the OpenCTI platform is one of the most advanced and performant answer to this challenge.

Where we stand?

Data model

The first work released end of 2022 in the OpenCTI platform was the extension of the STIX 2.1 standard, in coordination with the DAD-CDM (Common Data Model for Defending Against Disinformation) subcommittee of the OASIS Open CTI Technical Committe.

OpenCTI STIX entity types used in the context of disinformation modelization

In OpenCTI, thoses entities are available to be used in the knowledge graph and can be mixed with Cyber Threat Intelligence entities such as campaigns, threat actors, intrusion sets, etc. Even the reasoning engine as well as the connectors able to extract information from unstructured documents have been enhanced to take into account this new paradigm.

All this work was performed keeping in mind 2 major requirements:

  • Minimize the number of extensions and evolutions of the STIX 2.1 model and anticipate work of the OASIS Open DAD-CDM subcommittee.
  • Allow organizations which are tracking both cyber and FIMI threats to get comprehensive and valuable outputs.
Relation “uses” between a Threat Actor and a Narrative

After multiple workshops and discussions with at least 10 different organizations globally, we came to a first modelization which respects the overall STIX 2.1 philosophy, the already existing taxomies and doctrines to store cyber threat intelligence pieces of knowledge and the requirements of FIMI defenders community.

Even if this is still on-going work, this model is already available in the platform and used by disinformation analysts in several public and private organizations, starting to be shared and discussed in training courses, workshops as well as high-level groups of experts.

High level FIMI knowledge ecosystem modelization

Taxonomy

In the context our work especially with Debunk.eu and the DISARM Fundation, we have also developed a connector to be able to add the DISARM TTPs Framework. The fundation is working closely with the MITRE Corporation and OASIS Open to continuously enhance the DISAM Kill Chain and the potential intersections with the cyber field.

DISARM Framework Kill Chain

The DISARM Framework connector is built on the same model as the MITRE Datasets and brings to the OpenCTI platform a new set of TTPs, kill chain phases and courses of action.

This framework then can be used to properly modelize incidents and generate automated countermeasures but also follow over time the evolution of threat actors while helping organizations to prioritize responses and investments to anticipate the next disinformation campaigns.

Combinations of TTPs and their frequency (source: EEAS Threat Report 2023)

What’s next?

As part of the OpenCTI strategic roadmap for 2023, we will continue to help research teams to be more efficient in producing threat intelligence knowledge, by developing more features to ease and speed-up knowledge creation in the platform:

  • Automated extraction using Natural Language Processing and neural networks.
  • Manual extraction using quick & add text highlighting and mapping features.
  • Dissemination process to generate reports and share them through various channels.

Using OpenCTI ensure quality datasets and knowledge subsystems as well as the ability to produce accurate key indicators over time, offering a comprehensive way even for decision makers to understand the FIMI field and the on-going trends.

FIMI Pilot Dashboard

Conclusion

This is just the beginning of a journey where we are about to tackle the major challenges of our industry, including the problem of hybrid threats and the future evolution of information war in the cyberspace.

Obviously, we still need help and inputs from the field to be able to carry on our work and continue to enhance native capabilities of the platform (and its associated ecosystem) so don’t hesitate to share your ideas and suggestions by joining our community!

Stay up to date with everything at Filigran

Sign up for our newsletter and get bi-monthly updates of Filigran major events: product updates, upcoming events, latest content and more.