Toward interoperable representation and sharing of disinformation incidents in cyber threat intelligence
Abstract
A key countermeasure in cybersecurity has been the development of standardized computational protocols for modeling and sharing cyber threat intelligence (CTI) between organizations, enabling a shared understanding of threats and coordinated global responses. However, while the cybersecurity domain benefits from mature threat exchange frameworks, there has been little progress in the automatic and interoperable sharing of knowledge about disinformation campaigns. This paper proposes an open-source disinformation threat intelligence framework for sharing interoperable disinformation incidents. This approach relies on i) the modeling of disinformation incidents with the DISARM framework (MITRE ATT&CK-based TTP modeling of disinformation attacks), ii) a custom mapping to STIX2 standard representation (computational data format), and iii) an exchange architecture (called DISINFOX) capable of using the proposed mapping with a centralized platform to store and manage disinformation incidents and CTI clients which consume the gathered incidents. The microservice-based implementation validates the framework with more than 100 real-world disinformation incidents modeled, stored, shared, and consumed successfully. To the best of our knowledge, this work is the first academic and technical effort to integrate disinformation threats in the CTI ecosystem.
Turn this paper into a full lesson
ArcXiv compiles a staged curriculum from this paper: 8-12 lessons across beginner → advanced, synthesised section guides, visuals, flashcards, a quiz, exercises, and on-demand deep dives per section. Grounded in the abstract, never invented.