Please use this identifier to cite or link to this item: http://hdl.handle.net/10201/149584

Title: DISINFOX: A Threat Intelligence sharing platform for disinformation incidents
Publication date: 29-Jan-2025
Defense / creation date: 20-Jan-2025
Publisher: Universidad de Murcia, Facultad de Informática
Related subjects: 004.4
Keywords: cybersecurity networks
Abstract: Cyber Threat Intelligence (CTI) has empowered cybersecurity teams worldwide by improving the quality and speed of their analysis for cybersecurity incidents through the establishment of standards and specialized tools. These tools and frameworks facilitate correlation and collaboration across global communities, helping organizations stay informed about the evolving cyber threat landscape. Despite its success in cybersecurity, CTI has yet to be leveraged for the systematic exchange and management of knowledge about disinformation threats, which are often described in unstructured natural language. This thesis introduces DISINFOX, an open-source threat intelligence sharing platform designed to enable the interoperable exchange of disinformation incidents. DISINFOX adapts disinformation-related information to a CTI-compliant format by incorporating several key elements. First, it utilizes the DISARM framework, which provides a matrix similar to MITRE ATT&CK to characterize the tactics, techniques, and procedures (TTPs) of disinformation incidents. Second, a custom mapping codifies these TTPs along with other relevant information, such as actors and targeted countries, into the STIX2 standard. Finally, the platform integrates with OpenCTI to validate its interoperability, alongside a user-friendly, web-based frontend for visualizing, managing, and analyzing incidents. DISINFOX employs a modular, containerized architecture comprising four main components: a backend providing a RESTful API independent of other modules, a frontend serving as the ingestion entry point for disinformation incidents, a public API enabling other CTI solutions to extract incidents from the platform, and the DISINFOX OpenCTI connector that validates the interoperability of incidents within a mature CTI tool. The platform’s capabilities were validated through the modeling, storage, sharing, and consumption of over 100 disinformation incidents, demonstrating its technical feasibility.
This work highlights the potential of using CTI concepts and tools to systematically combat disinformation threats.
Main author(s): Sánchez González, Felipe
Supervisor(s): Pastor Galindo, Javier
Ruipérez Valiente, José Antonio
Faculty/Services: Facultad de Informática
URI: http://hdl.handle.net/10201/149584
Document type: info:eu-repo/semantics/masterThesis
Number of pages / Extent: 47
Rights: info:eu-repo/semantics/openAccess
Attribution-NonCommercial-NoDerivatives 4.0 International
Appears in collections: Trabajos académicos del alumnado

Files in this item:
File: trabajoFinmaster-Felipez Schez Gonzalez.pdf
Size: 1,66 MB
Format: Adobe PDF


This item is licensed under a Creative Commons License.