Cognitive Security Operations Centers (CogSOCs)

Max Lesser
Disarming Disinformation
7 min read · Sep 7, 2022

Written with SJ Terp

Security operations centers (SOCs) are units that work on infosecurity operations, including people, processes, technology, and culture. SOCs typically monitor systems, detect threats to those systems, and handle security incidents within them.

A cognitive security operations center, or ‘CogSOC,’ can be used to defend against digital harms in the information ecosystem. CogSOCs are a relatively new and emergent phenomenon. Given the complexity, scale, and severity of the threat posed by misinformation, disinformation, and malinformation (MDM), CogSOCs are needed to understand where to best place detection, response, and mitigation resources in order to reduce attack surfaces, vulnerabilities, and the potential losses that stem from targeted and non-targeted MDM.

What Do CogSOCs Do?

A CogSOC has three main functions: enablement, risk mitigation, and real-time operations.

Enablement comprises the infrastructure work that enables risk mitigation and operations, including training, coordination, data engineering, and managing information frameworks.

Risk mitigation reduces the risk of disinformation. This often happens before incidents occur, and includes risk assessments, vulnerability patching, building resilience, as well as disinformation simulations, red teaming, and exercises. In the future, this may also include checking compliance with disinformation insurance and legal operations.

Operations involve real-time, tactical work to counter ongoing operations, which usually happens in response to incidents. This includes incident response (discovering, investigating, and responding to risks) and research (risk intelligence and deeper investigations).

CogSOC high-level activities

What Do CogSOCs Look Like?

As mentioned above, CogSOCs are still relatively new and emergent. Their operations can span a range of sizes, from an Information Sharing and Analysis Organization (ISAO) to a small team embedded in a traditional infosec SOC, or an independent team with connections to a response network.

Varieties of MDM response actors

Smaller units can work across the organization that contains them by providing analysis and actionable insights to legal teams, communications teams, social platforms, or trust and safety professionals depending on the threat. For example, disinformation that qualifies as defamation and is attributable may require legal action, while other threats may require response from a communications team that can utilize multiple channels to counter corrupted narratives.

These smaller units can come in multiple configurations. They can exist entirely independently, that is, with no interaction with the infosec SOC. They can also work closely with the infosec SOC as an equal partner or embed into its infrastructure.

Larger units, such as a cognitive ISAO, have also been explored for various regions and industry verticals, such as healthcare. In a capacity similar to an infosec ISAO, cognitive ISAOs can work directly with organizations and/or their SOCs to feed them relevant information that enables them to work more effectively and efficiently.

Cogsec / Infosec SOC configurations

CogSOC Enablement

CogSOC enablement activities include creating a common lexicon and shareable models, as well as data engineering. This helps CogSOC participants rapidly and repeatably share alerts and information across units, organizations, and languages.

The high level entities that can be modeled include artifacts, narratives, incidents, and campaigns. Campaigns are high-level objects, usually representing the characteristics and activities of an Advanced Persistent Manipulator. MDM creators often have longer-term campaigns, for example, destabilizing the politics of a target region.

Narratives — which are stories that shape people’s sense of identity and belonging, and also beliefs and behavior — serve as the basis for incidents, such as short bursts of messages around a specific topic or event. Though narratives comprise the strategic level for most MDM campaigns, defenders generally only see the artifacts, including messages, images, accounts, relationships, and groups.

Pyramid of MDM entities

To model these MDM entities, the DISARM foundation has adopted and adapted principles, processes, and tools from the infosec community. A primary tool among these is STIX, the message format that ISAOs and other infosec bodies use to share information rapidly.

DISARM has added two constructs to the traditional STIX file format, namely, narratives and incidents. Threat actors and campaigns have their own objects. Incidents also have objects including techniques used by both the incident creator and defender. Artifacts also include objects such as observations, accounts, and hashtags. Other objects that can be used include reports, tools, indicators, infrastructure, and vulnerabilities.

The STIX file below groups objects according to the Pyramid of MDM entities shown above:

DISARM STIX file with boxes framing relationship among entities mapped on MDM pyramid

STIX files can also show links between actors, behavior, content and narratives, along the lines of socio-technical models, such as those of Camille Francois:

DISARM STIX file with boxes framing relationship among entities described by socio-technical models
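As an added example (not DISARM's own tooling or file), the script below builds a small STIX 2.1 bundle in plain JSON-compatible dicts, groups its objects into the four pyramid tiers, and checks that every relationship resolves inside the bundle before it is shared. The custom types `x-narrative` and `x-incident`, the relationship names `supports` and `part-of`, and all sample values are assumptions chosen for illustration, not DISARM's actual identifiers.

```python
import uuid
from datetime import datetime, timezone

# Pyramid tier per STIX type. campaign, indicator and user-account are real STIX
# 2.1 types; x-narrative and x-incident are ASSUMED placeholder names for
# DISARM's two added constructs, not DISARM's actual object identifiers.
PYRAMID_TIER = {"campaign": "campaign", "x-narrative": "narrative",
                "x-incident": "incident", "indicator": "artifact", "user-account": "artifact"}

def stix_obj(obj_type, **props):
    """Minimal STIX 2.1 object; user-account is an SCO, so it gets no timestamps."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}", **props}
    if obj_type != "user-account":
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
        obj.update(created=ts, modified=ts)
    return obj

def rel(src, dst, kind):
    return stix_obj("relationship", relationship_type=kind, source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """Constructed sample: one campaign, one narrative, one incident, two artifacts."""
    camp = stix_obj("campaign", name="Destabilise politics of region X (constructed)")
    narr = stix_obj("x-narrative", name="Institution Y cannot be trusted (constructed)")
    inc = stix_obj("x-incident", name="Post burst after event Z (constructed)")
    tag = stix_obj("indicator", name="Amplified link", pattern_type="stix",
                   pattern="[url:value = 'https://example.invalid/tag/constructed']",
                   valid_from="2022-09-01T00:00:00.000Z")
    acct = stix_obj("user-account", account_login="constructed_account_01")
    objects = [camp, narr, inc, tag, acct, rel(narr, camp, "supports"),
               rel(inc, narr, "part-of"), rel(tag, inc, "indicates"), rel(acct, inc, "related-to")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def group_by_tier(bundle):
    """Map pyramid tier -> object ids, the grouping the framed STIX file draws visually."""
    tiers = {"campaign": [], "narrative": [], "incident": [], "artifact": []}
    for o in bundle["objects"]:
        if o["type"] in PYRAMID_TIER:
            tiers[PYRAMID_TIER[o["type"]]].append(o["id"])
    return tiers

def dangling_refs(bundle):
    """Relationships whose endpoints are missing: catch these before sharing a bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "relationship" and not {o["source_ref"], o["target_ref"]} <= ids]
```

Dropping any object from the bundle before sharing (a common mistake when filtering sensitive artifacts out) leaves orphaned relationships, which `dangling_refs` reports so the recipient never has to guess at the missing tier.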

CogSOC Risk Mitigation — Assessment and Response

The information ecosystem has been significantly transformed over the past few decades by the internet. Today, it includes social media such as Facebook, WhatsApp, Twitter, YouTube, Telegram, and other platforms, in addition to traditional media such as newspapers, radio, and TV, as well as the transfer of information by word of mouth.

Today’s threat landscape includes a variety of actors with varied motivations, ranging from private organizations with financial motivations, who may seek to discredit a competitive brand, to nations with geo-political aims, such as manipulating faith communities and undermining public trust in democratic institutions.

The vectors of attack are as varied as the wide range of actors and media types available. One example is hijacked narratives, in which an existing narrative is imbued with malign or corrupted discourse. Another is information transfer across platforms and media types. Examples of this include WhatsApp to Facebook, Facebook to WhatsApp, as well as social media to traditional media, social media to word of mouth, and vice versa.

Confronted with the overwhelming complexity of both today’s information ecosystem and threat landscape, a necessary first step toward effective risk mitigation involves creating and using a catalog of incident creator behaviors. By understanding the TTPs that threat actors use, CogSOC professionals can both build resilience before an MDM campaign occurs and prepare response procedures to mitigate the effect of MDM campaigns once they occur.

To advance a common lexicon that enables MDM defenders, DISARM has developed red and blue frameworks that model attacker and defender TTPs in an analogous fashion to the MITRE ATT&CK Framework and D3FEND Matrix. The red framework models operational and tactical stages in an MDM kill chain, with relevant TTPs mapped below these stages. The blue framework maps counter-moves to incident creator TTPs, taking inspiration from information operation frameworks including classifications such as Deny, Disrupt, Degrade, Deceive, Destroy, and Deter.

A selection of attacker (i.e., incident creator) and defender (i.e., responder) techniques is provided below, and the DISARM frameworks in their current iterations are linked here.

Selection of Incident Creator and Responder TTPs

CogSOC Real-time Operations

CogSOC real-time operations have been demonstrated publicly by private companies and nonprofits that share their research in open forums. Team T5 provides an example of a private firm using the DISARM framework in their analysis of video-based Chinese information operations surrounding Xinjiang and Hong Kong.

From a practical perspective, resource allocation is key to enabling efficient and effective CogSOC operations. Teams can tag incidents, needs, and groups with labels from the DISARM framework. Teams can also build collaboration mechanisms to reduce lost tips and repeat collection. Anticipating and designing plans of action for potential future surges is also key.

Another crucial aspect of enabling CogSOC operations is automating repetitive jobs to reduce the load on humans. This can include the use of tools such as unsupervised machine learning for anomaly detection to identify narratives that are being amplified inorganically. The use of automation by responders is especially important, as incident creators take full advantage of automation techniques such as botnets to disseminate their campaigns.

Illustration of practical resource allocation for CogSOC operations
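The automation paragraph above mentions unsupervised anomaly detection for inorganically amplified narratives. The following added example (not code from the article or from any CogSOC tool) shows one simple form of it: a robust median/MAD outlier test on per-minute post volume, followed by a copy-paste ratio that separates a genuine news surge from a coordinated burst. The feed, account names and text are constructed; the thresholds `k=5.0` and `dup_threshold=0.5` are assumed tuning values.

```python
from collections import Counter, defaultdict
from statistics import median

def make_sample_feed():
    """Constructed feed of (minute, account, normalised text); not real platform data."""
    feed = []
    for m in range(40):                       # organic baseline: 1-3 varied posts per minute
        for i in range(m % 3 + 1):
            feed.append((m, f"user_{(m + i) % 11}", f"my take on event z {m}-{i}"))
    for i in range(9):                        # minute 15: genuine news surge, varied authors and text
        feed.append((15, f"news_{i}", f"breaking: event z update {i}"))
    for m, n in ((31, 25), (32, 20)):         # minutes 31-32: copy-paste burst from many accounts
        for i in range(n):
            feed.append((m, f"burst_{i:02d}", "institution y cannot be trusted share now"))
    return feed

def find_amplification(feed, k=5.0, dup_threshold=0.5):
    """Flag minutes whose volume is a robust (median/MAD) outlier; label the copy-paste ones."""
    by_minute = defaultdict(list)
    for minute, account, text in feed:
        by_minute[minute].append((account, text))
    counts = {m: len(p) for m, p in by_minute.items()}
    med = median(counts.values())
    mad = max(median(abs(c - med) for c in counts.values()), 1.0)  # floor avoids MAD == 0
    threshold = med + k * mad
    flagged = []
    for minute in sorted(by_minute):
        posts = by_minute[minute]
        if len(posts) <= threshold:
            continue
        top_text, top_n = Counter(t for _, t in posts).most_common(1)[0]
        dup_ratio = top_n / len(posts)
        flagged.append({"minute": minute, "posts": len(posts),
                        "accounts": len({a for a, _ in posts}),
                        "dup_ratio": round(dup_ratio, 2), "top_text": top_text,
                        "label": "inorganic" if dup_ratio >= dup_threshold else "organic-surge"})
    return flagged
```

On the constructed feed, minute 15 is flagged as an organic surge (high volume, varied text and authors) while minutes 31 and 32 are labelled inorganic because most posts are identical text from distinct accounts; an analyst would then triage only the latter.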

What CogSOC real-time operations look like will evolve as the practice of countering MDM continues to mature. Given the scope and severity of the problem, it is plausible that there will be a time when CogSOCs become as prevalent as cybersecurity SOCs. As with cyber-attacks, the threat of MDM is pervasive and asymmetric, and so the act of countering these threats will take a considerable amount of resources and coordination to achieve success, as well as a common language that unites the community of responders.
