Sara-Jayne Terp 8bb63006b6 Added suggested changes to countermeasures list
- Merged C00145 into C00178. Deleted C00145
- Updated text in C00144
- Added warning label to C000139
- Merged C00137 into C00149. Deleted C00137
- Moved C00090 to TA07
- Updated text in C00211
- Updated text in C00030
- Merged C00158 into C00073. Deleted C00158
- Merged C00102 into C00101. Deleted C00102
- Merged C00089 into C00101. Deleted C00089
- Added note to C00200
- Merged C00194 into C00174. Deleted C00194
- Merged C00151 into C00190. Deleted C00151
- Updated text in C00182
- Added warning to C00122
- Updated text in C00211
- Updated text in C00030
- Merged C00215 into C00012.  Deleted C00215
- Merged C00214 into C00012. Deleted C000214
- Merged C00196 into C00012. Deleted C000196
- Updated text in C00111
- Merged C00167 into C00026.  Deleted C00167
- Added warning to C00056
- Updated text in C00172
- Merged C00171 into C00107. Deleted C00171
- Updated text in C00103
- Merged C00110 into C00195. Deleted C00110
- Updated text in C00117
- Merged C00193 into C00188. Deleted C00193
- Merged C00204 into C00188. Deleted C00204
- Moved C00217 to detections F00094
2021-05-01 21:30:13 +01:00

AMITT Disinformation Tactics, Techniques and Processes (TTP) Framework

AMITT (Adversarial Misinformation and Influence Tactics and Techniques) is a framework designed for describing and understanding disinformation incidents. AMITT is part of work on adapting information security (infosec) practices to help track and counter misinformation, and is designed to fit existing infosec practices and tools.

AMITT's style is based on the MITRE ATT&CK framework; STIX templates for AMITT objects are available in the AMITT_CTI repo - these make it easy for AMITT data to be passed between ISAOs and similar bodies using standards like TAXII.

What's in this folder

AMITT DOCUMENTATION:

  • AMITT_GUIDES: AMITT user guides, design guides, and more detailed TTP documentation.
  • AMITT_HISTORY: earlier models and reports.

AMITT FRAMEWORKS:

  • AMITT Red Team Framework - Disinformation creator TTPs, listed by tactic stage. This is the classic "AMITT Framework" that's bundled with MISP. The clickable version is for rapidly creating lists of TTPs.
  • AMITT Blue Team Framework - Disinformation responder TTPs, listed by tactic stage. These are countermeasures, listed by the earliest tactic stages they're likely to be used in.

AMITT OBJECTS: all the entities used to create the Red Team and Blue Team frameworks:

  • Phases: higher-level groupings of tactics, created so we could check we didn't miss anything
  • Tactics: stages that someone running a misinformation incident is likely to use
  • Techniques: activities that might be seen at each stage
  • Tasks: things that need to be done at each stage. In Pablospeak, tasks are things you do, techniques are how you do them.
  • Counters: countermeasures to AMITT TTPs.
  • Actors: resources needed to run countermeasures
  • Response types: the course-of-action categories we used to create counters
  • Metatechniques: a higher-level grouping for countermeasures
  • Incidents: incident descriptions used to create the AMITT frameworks

There's a directory for each of these, containing a datasheet for each individual entity (e.g. technique T0046 Search Engine Optimization). There's also a directory generated_csvs containing any CSV files we generate from the above tables.

UPDATING AMITT

MAJOR CHANGES: Any major changes to AMITT models are agreed on by CogSecCollab, then added by the AMITT design authorities - currently SJ Terp and Pablo Breuer.

MINOR CHANGES: YOU, yes, you, CAN ADD INFORMATION TO ANY AMITT OBJECT FILE

  • The details above "DO NOT EDIT ABOVE THIS LINE" are generated and will be overwritten every time we run the update code; anything you write above that line will be lost
  • The details below "DO NOT EDIT ABOVE THIS LINE" are saved every time we run the update code. You can safely add notes below that line.
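
The overwrite-above, keep-below rule described in these two points, as an added Python example (not the project's generate_amitt_ttps.py). The datasheet text, the wording of the marker line after the quoted phrase, and the function names are assumptions made for illustration.

```python
MARKER = "DO NOT EDIT ABOVE THIS LINE"  # marker text quoted in the README

# Constructed sample datasheet; the full marker line and the notes are made up.
SAMPLE = (
    "# Technique T0046: Search Engine Optimization\n"
    "* Summary: old generated summary\n"
    "Hand-written remark placed above the marker\n"
    "\n"
    "DO NOT EDIT ABOVE THIS LINE - ADD NOTES BELOW\n"
    "Note added by a contributor.\n"
)
NEW_GENERATED = (
    "# Technique T0046: Search Engine Optimization\n"
    "* Summary: new generated summary\n"
    "\n"
)

def split_datasheet(text):
    """Return (generated, marker_line, notes); the first marker line wins.
    A file with no marker is treated as entirely generated."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if MARKER in line:
            return "".join(lines[:i]), line, "".join(lines[i + 1:])
    return text, "", ""

def regenerate(existing, new_generated):
    """Swap in freshly generated content, keeping the notes below the marker."""
    _, marker_line, notes = split_datasheet(existing)
    marker_line = marker_line or MARKER  # assumed format when the marker is missing
    if not new_generated.endswith("\n"):
        new_generated += "\n"
    if not marker_line.endswith("\n"):
        marker_line += "\n"
    return new_generated + marker_line + notes

def overwritten_lines(existing, regenerated):
    """Non-blank lines above the marker that are gone after regeneration."""
    old_generated = split_datasheet(existing)[0]
    kept = set(split_datasheet(regenerated)[0].splitlines())
    return [l for l in old_generated.splitlines() if l.strip() and l not in kept]

if __name__ == "__main__":
    updated = regenerate(SAMPLE, NEW_GENERATED)
    print(updated)
    print("overwritten:", overwritten_lines(SAMPLE, updated))
```

Running overwritten_lines before an update shows which lines above the marker would be replaced, so a misplaced note can be moved below it first.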

We love any and all suggestions for improvements, comments and offers of help - either reach out to us using this Google form, or if you're comfortable with GitHub, add to this repo's issues list or fork the repo with corrections. (We're also going back through the original issues list.)

Using the Raw Data file

AMITT is open source. If you want to do your own thing with AMITT data, these will help:

  • All the master data is in the AMITT_MASTER_DATA directory. Look for the AMITT_TTPs_MASTER.xlsx spreadsheet. This contains disinformation creators' tactics, techniques, tasks, phases, and counters.

  • The AMITT TTP Guide has more detailed information on each technique.

  • The code to create all the HTML datasheets is in directory HTML_GENERATING_CODE: you'll need generate_amitt_ttps.py and all the template files.

If you have your own version of this repository and update AMITT_TTPs_MASTER.xlsx, typing "python generate_amitt_ttps.py" will update all the files above from it.

Who's Responsible for AMITT

  • CogSecCollab maintains and updates the AMITT family of models: AMITT-STIX, the AMITT Red framework (of disinformation creation), and the AMITT Blue framework (of disinformation countermeasures and mitigations). We've used AMITT in the CTI League's Covid19 responses, and tested it in trials with NATO, the EU, and several other countries' disinformation units. Pablo Breuer and SJ Terp are the current design authorities for the AMITT models.

  • MisinfosecWG, aka the Credibility Coalition's Misinfosec working group, created the original AMITT frameworks. The Red Framework was started in December 2018, and refined in a Credibility Coalition Misinfosec seminar; the Blue Framework was started as a collection of potential disinformation countermeasures, at a Coalition Misinfosec seminar in November 2019. CogSecCollab is the nonprofit that spun out of MisinfosecWG.

  • Everyone who contributes to AMITT (and there are many of you). Thank you to everyone who contributes to AMITT, and has contributed to AMITT over the years.

  • You. Thank you for being here.

AMITT is licensed under CC-BY-4.0
