Partnered with
DISARM Foundation.

Nearly a decade ago, a team of cybersecurity experts at the US National Security Agency (NSA) recognized the need for a common taxonomy to address fundamental cybersecurity questions, leading to the creation of the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework. This framework revolutionized the defender community by facilitating the categorization, combination, and sharing of threat intelligence, thereby enabling more timely and effective responses.

As adversaries have evolved, combining cyberattacks with disinformation, social engineering, and information manipulation to undermine democracies, the need for a similar taxonomy for influence operations became evident. The DISARM Framework was developed to meet this need, allowing defenders to share detailed information about threat actor behaviour and develop coordinated, targeted responses.

Nearly a decade ago, a team of cybersecurity experts at the US National Security Agency (NSA) recognized the need for a common taxonomy to address fundamental cybersecurity questions, leading to the creation of the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework. This framework revolutionized the defender community by facilitating the categorization, combination, and sharing of threat intelligence, thereby enabling more timely and effective responses.

As adversaries have evolved, combining cyberattacks with disinformation, social engineering, and information manipulation to undermine democracies, the need for a similar taxonomy for influence operations became evident. The DISARM Framework was developed to meet this need, allowing defenders to share detailed information about threat actor behaviour and develop coordinated, targeted responses.

The DISARM Foundation collaborates with a global community of partners to promote the adoption of the framework across government, civil society, and industry. DISARM is actively being used by the EU Agency for Cybersecurity, the European Commission, NATO’s Hybrid and StratCom Centers of Excellence, and the governments of the United States, Canada, France, the United Kingdom, and Lithuania. DISARM is also actively used by the EU Code of Practice on Disinformation signatories including Meta, Google, Microsoft, the Digital Forensics Research Lab, and the MITRE Corporation.

DISARM applies the ‘Red’ and ‘Blue’ approach from cybersecurity and MITRE ATT&CK. Adversarial behaviours are categorized as Red, while appropriate countermeasures, mapped to Red TTPs, are reflected in Blue. This dual approach helps us understand and act collectively.

The ‘understanding’ aspect involves how we search, identify, capture, categorize, and analyse data to comprehend threats. It also encompasses how we share this data and insights, essentially answering the ‘who, what, when, where, why, and how’ of threat intelligence.

The ‘acting’ aspect focuses on forming a collective view of necessary actions, understanding what each entity can do individually and collaboratively, and implementing proactive and reactive measures based on our shared understanding.

While significant progress has been made, much work remains, particularly in developing the Blue component. This includes building out ‘actor types’ and mapping them to Blue actions. The DISARM Foundation deeply appreciates the vital partnership and support of Arachne Digital and others in our Partner Programme as we continue this critical work.