Summary

The Adversarial Misinformation and Influence Tactics and Techniques framework enables analysts to quickly describe adversarial disinformation. AM!TT is to misinfosec as MITRE ATT&CK© is to infosec.

AM!TT is a product of the Credibility Coalition’s Misinfosec Working Group (MisinfosecWG). They can be found here.

I very slightly modified the MITRE ATT&CK Navigator to work with AM!TT.

The AM!TT Navigator can be found here.

Misinformation

Growing up in the 90’s it was always self-evident to me that the Internet would invoke a New Rennaissance. With unfettered access to knowledge the world would collectively ratchet toward Truth. With the right data we would no longer observe through a darkened lens. The Internet was going to unite the whole world.

Yikes.

Two and change decades later, if united it’s in bondage. Confused by divisive politics. Bizarrely acting against our own interests. Indulging the reputable experts of partisan media outlets and echo-chamber shitposters. Unlimited mobile data plans didn’t deliver a golden age of DIY polymaths—it delivered us into the uncanny valley of the information age.

What happened?

Humans. For thousands of years cultures all over the world have been united in holding dear stupid beliefs. Now we just do it in 4G. So there was some naive optimism on our part, that’s for sure. The Internet won’t fix our problems for us, and if we’re not careful it could backfire in spectacular ways.

Misinfosec

Misinfosec is the intersection of information security and misinformation. It’s got a great name too.

Infosec is about protecting secrets. Misinfosec is about protecting (and disrupting) narratives.

For a long time children have been dying of awful diseases. Science rolled a d20 and vaccines were conjured forth and everyone thought they were pretty great. Within a couple generations some forgot just how shitty meningitis and measles are and decided they knew better than those darned elitist science wizards. So now measles is a thing again. Thank you for coming to my Ted talk.

Hardly typical infosec material, but the vaccines-cause-programmers crowd is very much an information security failing. Sure that information that might not be Confidential, but it’s Integrity and Availability are important to public health and national security no less.

An adversary might target a narrative integral to the proper functioning of our society. Voting matters. If they influences enough Blues not vote, they swing the election Red.

Not all campaigns are obvious and most do not target elections. If an adversary influences enough people to believe in a Bad Idea, it takes resources away from real work, and sows discord between the population.

How can we counter adversarial narratives? Berate their feeble reasoning on social media? Divide and distract the useful idiots? Shitpost harder, better, faster, stronger?

Yes.

But like all things, first you’ve got to get organized.

AM!TT

The Adversarial Misinformation and Influence Tactics and Techniques framework.

AM!TT is to misinfosec as MITRE ATT&CK is to infosec. From an operational perspective there’s a lot of overlap between them but together these complementary frameworks provide the means to build high-fidelity descriptions of adversarial disinformation incidents.

As with ATT&CK, the matrix is read left to right as each Tactic progresses through the attack life-cycle. Each Tactic is a group of Techniques which are focused on the creation and dissemination of misinformation. Techniques describe mid-level concepts rather than specific implementations. For example, “T0026 - Create Fake Research” tells us that fake research should be published, but nothing about how to generate fake research, where to publish it nor what resonates with a target audience.

AM!TT Navigator

sed -i 's/ATT&CK/AM!TT/g'

I very slightly modified the MITRE ATT&CK Navigator to work with AM!TT. This involved converting the AM!TT xlsx file to a STIX2 file compatible with the navigator, adding a couple variables to handle the AM!TT STIX file, and changing the ATT&CK branding. MITRE did all the hard work.

The Navigator is useful allowing us quickly build and export layers representing actors and their campaigns, encoded in an easy to grok colour coded chart.

Using layers, we can visualize how tactics and techniques differ between actors, or the differences in techniques between campaigns and in consideration of target selection.

I’ve included the MITRE pre-ATT&CK matrix in the AM!TT Navigator. Most of the phases and techniques are appropriate (planning, backstopping, etc.) while specific technical implementations have been removed. These should soon be be updated to better reflect misinfosec language.

The AM!TT Navigator can be found here.

Closing Thoughts

AM!TT’s going to be huge. Machines aren’t getting dumber. Everything from national security to brand management is going to need to get on board monitoring and countering adversarial misinformation. This is a project to keep a close eye on.

AM!TT is publicly released, but still in it’s infancy. I expect there will be major revisions as more folks get involved in the project. Such has been the case for MITRE ATT&CK, which is now in the process of transitioning to 2.0, and is expected to deliver higher fidelity implementations in technology.

What I want to see next from AM!TT are high fidelity content descriptions which draw on the fundamental theories of psychology, philosophy, the social science and economics. This would probably best be represented in a distinct matrix (like the pre-attack).

I’ll be attending MITRE ATT&CKcon next week. If anyone wants to chat about this or misinfosec in general just drop me a DM on Twitter.