AMITT Detections:
| id | name | summary | metatechnique | tactic | responsetype |
|---|---|---|---|---|---|
| F00001 | Analyse aborted / failed campaigns | TA01 Strategic Planning | D1 Detect | ||
| F00002 | Analyse viral fizzle | TA01 Strategic Planning | D1 Detect | ||
| F00003 | Exploit counter-intelligence vs bad actors | TA01 Strategic Planning | D1 Detect | ||
| F00004 | Recruit like-minded converts "people who used to be in-group" | TA01 Strategic Planning | D1 Detect | ||
| F00005 | SWOT Analysis of Cognition in Various Groups | TA01 Strategic Planning | D1 Detect | ||
| F00006 | SWOT analysis of tech platforms | TA01 Strategic Planning | D1 Detect | ||
| F00007 | Monitor account level activity in social networks | TA02 Objective Planning | D1 Detect | ||
| F00008 | Detect abnormal amplification | TA03 Develop People | D1 Detect | ||
| F00009 | Detect abnormal events | TA03 Develop People | D1 Detect | ||
| F00010 | Detect abnormal groups | TA03 Develop People | D1 Detect | ||
| F00011 | Detect abnormal pages | TA03 Develop People | D1 Detect | ||
| F00012 | Detect abnormal profiles, e.g. prolific pages/ groups/ people | TA03 Develop People | D1 Detect | ||
| F00013 | Identify fake news sites | TA03 Develop People | D1 Detect | ||
| F00014 | Trace connections | for e.g. fake news sites | TA03 Develop People | D1 Detect | |
| F00015 | Detect anomalies in membership growth patterns | I include Fake Experts as they may use funding campaigns such as Patreon to fund their operations and so these should be watched. | TA03 Develop People | D1 Detect | |
| F00016 | Identify fence-sitters | Note: In each case, depending on the platform there may be a way to identify a fence-sitter. For example, online polls may have a neutral option or a "somewhat this-or-that" option, and may reveal who voted for that to all visitors. This information could be of use to data analysts. In TA08-11, the engagement level of victims could be identified to detect and respond to increasing engagement. | TA03 Develop People | D1 Detect | |
| F00017 | Measure emotional valence | TA03 Develop People | D1 Detect | ||
| F00018 | Follow the money | track funding sources | TA03 Develop People | D1 Detect | |
| F00019 | Activity resurgence detection (alarm when dormant accounts become activated) | TA04 Develop Networks | D1 Detect | ||
| F00020 | Detect anomalous activity | TA04 Develop Networks | D1 Detect | ||
| F00021 | AI/ML automated early detection of campaign planning | TA04 Develop Networks | D1 Detect | ||
| F00022 | Digital authority - regulating body (united states) | TA04 Develop Networks | D1 Detect | ||
| F00023 | Periodic verification (counter to hijack legitimate account) | TA04 Develop Networks | D1 Detect | ||
| F00024 | Teach civics to kids/ adults/ seniors | TA04 Develop Networks | D1 Detect | ||
| F00025 | Boots-on-the-ground early narrative detection | TA05 Microtargeting | D1 Detect | ||
| F00026 | Language anomaly detection | TA05 Microtargeting | D1 Detect | ||
| F00027 | Unlikely correlation of sentiment on same topics | TA05 Microtargeting | D1 Detect | ||
| F00028 | Associate a public key signature with government documents | TA06 Develop Content | D1 Detect | ||
| F00029 | Detect proto narratives, i.e. RT, Sputnik | TA06 Develop Content | D1 Detect | ||
| F00030 | Early detection and warning - reporting of suspect content | TA06 Develop Content | D1 Detect | ||
| F00031 | Educate on how to identify information pollution | Strategic planning included as inoculating population has strategic value. | TA06 Develop Content | D1 Detect | |
| F00032 | Educate on how to identify to pollution | DUPLICATE - DELETE | TA06 Develop Content | D1 Detect | |
| F00033 | Fake websites: add transparency on business model | TA06 Develop Content | D1 Detect | ||
| F00034 | Flag the information spaces so people know about active flooding effort | TA06 Develop Content | D1 Detect | ||
| F00035 | Identify repeated narrative DNA | TA06 Develop Content | D1 Detect | ||
| F00036 | Looking for AB testing in unregulated channels | TA06 Develop Content | D1 Detect | ||
| F00037 | News content provenance certification. | Original Comment: Shortcomings: intentional falsehood. Doesn't solve accuracy. Can't be mandatory. Technique should be in terms of "strategic inoculation", raising the standards of what people expect in terms of evidence when consuming news. | TA06 Develop Content | D1 Detect | |
| F00038 | Social capital as attack vector | Unsure I understood the original intention or what it applied to. Therefore the techniques listed (10, 39, 43, 57, 61) are under my interpretation - which is that we want to track ignorant agents who fall into the enemy's trap and show a cost to financing/reposting/helping the adversary via public shaming or other means. | TA06 Develop Content | D1 Detect | |
| F00039 | standards to track image/ video deep fakes - industry | TA06 Develop Content | D1 Detect | ||
| F00040 | Unalterable metadata signature on origins of image and provenance | TA06 Develop Content | D1 Detect | ||
| F00041 | Bias detection | Not technically left of boom | TA07 Channel Selection | D1 Detect | |
| F00042 | Categorize polls by intent | Use T00029, but against the creators | TA07 Channel Selection | D1 Detect | |
| F00043 | Monitor for creation of fake known personas | TA07 Channel Selection | D1 Detect | ||
| F00044 | Forensic analysis | Can be used in all phases for all techniques. | TA08 Pump Priming | D1 Detect | |
| F00045 | Forensic linguistic analysis | Can be used in all phases for all techniques. | TA08 Pump Priming | D1 Detect | |
| F00046 | Pump priming analytics | TA08 Pump Priming | D1 Detect | ||
| F00047 | trace involved parties | TA08 Pump Priming | D1 Detect | ||
| F00048 | Trace known operations and connection | TA08 Pump Priming | D1 Detect | ||
| F00049 | trace money | TA08 Pump Priming | D1 Detect | ||
| F00050 | Web cache analytics | TA08 Pump Priming | D1 Detect | ||
| F00051 | Challenge expertise | TA09 Exposure | D1 Detect | ||
| F00052 | Discover sponsors | Discovering the sponsors behind a campaign, narrative, bot, a set of accounts, or a social media comment, or anything else is useful. | TA09 Exposure | D1 Detect | |
| F00053 | Government rumour control office (what can we learn?) | TA09 Exposure | D1 Detect | ||
| F00054 | Restrict people who can @ you on social networks | TA09 Exposure | D1 Detect | ||
| F00055 | Verify credentials | TA09 Exposure | D1 Detect | ||
| F00056 | Verify organisation legitimacy | TA09 Exposure | D1 Detect | ||
| F00057 | Verify personal credentials of experts | TA09 Exposure | D1 Detect | ||
| F00058 | Deplatform (cancel culture) | *Deplatform People: This technique needs to be a bit more specific to distinguish it from "account removal" or DDOS and other techniques that get more specific when applied to content. For example, other ways of deplatforming people include attacking their sources of funds, their allies, their followers, etc. | TA10 Go Physical | D1 Detect | |
| F00059 | Identify susceptible demographics | All techniques provide or are susceptible to being countered by, or leveraged for, knowledge about user demographics. | TA10 Go Physical | D1 Detect | |
| F00060 | Identify susceptible influencers | I assume this was a transcript error. Otherwise, "Identify Susceptible Influences" as in the various methods of influences that may work against a victim could also be a technique. Nope, wasn't a transcript error: original note says influencers, as in find people of influence that might be targeted. | TA10 Go Physical | D1 Detect | |
| F00061 | Microtargeting | TA10 Go Physical | D1 Detect | ||
| F00062 | Detect when Dormant account turns active | TA11 Persistence | D1 Detect | ||
| F00063 | Linguistic change analysis | TA11 Persistence | D1 Detect | ||
| F00064 | Monitor reports of account takeover | TA11 Persistence | D1 Detect | ||
| F00065 | Sentiment change analysis | TA11 Persistence | D1 Detect | ||
| F00066 | Use language errors, time to respond to account bans and lawsuits, to indicate capabilities | TA11 Persistence | D1 Detect | ||
| F00067 | Data forensics | I00029,I00045 | |||
| F00068 | Resonance analysis | ||||
| F00069 | Track Russian media and develop analytic methods. | ||||
| F00070 | Full spectrum analytics | ALL | |||
| F00071 | Network analysis Identify/cultivate/support influencers | ||||
| F00072 | network analysis to identify central users in the pro-Russia activist community. | ||||
| F00073 | collect intel/recon on black/covert content creators/manipulators | ||||
| F00074 | identify relevant fence-sitter communities | ||||
| F00075 | leverage open-source information | ||||
| F00076 | Monitor/collect audience engagement data connected to “useful idiots” | ||||
| F00077 | Model for bot account behavior | TA03 Develop People | |||
| F00078 | Monitor account level activity in social networks | TA03 Develop People | |||
| F00079 | Network anomaly detection | TA05 Microtargeting | |||
| F00080 | Hack the polls/ content yourself | TA07 Channel Selection | |||
| F00081 | Need way for end user to report operations | TA09 Exposure | |||
| F00082 | Control the US "slang" translation boards | TA11 Persistence | |||
| F00083 | Build and own meme generator, then track and watermark contents | TA11 Persistence | |||
| F00084 | Track individual bad actors | TA03 Develop People | |||
| F00085 | detection of a weak signal through global noise | ||||
| F00086 | Outpace Competitor Intelligence Capabilities | TA02 Objective planning | |||
| F00087 | metatechnique | Improve Indications and Warning | |||
| F00088 | metatechnique | Revitalize an “active measures working group,” | |||
| F00089 | daylight | target/name/flag "grey zone" website content | TA04 Develop Networks | ||
| F00090 | metatechnique | Match Punitive Tools with Third-Party Inducements | TA01 Strategic Planning | ||
| F00091 | metatechnique | Partner to develop analytic methods & tools | |||
| F00092 | daylight | Warn social media companies about an ongoing campaign (e.g. antivax sites). | I00002 | TA09 |