Posted by:

David Greenwood

David Greenwood, Chief of Signal

If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly. Please view the post on for the full interactive viewing experience.

In this post I will introduce the DISARM frameworks for describing and understanding disinformation incidents.


“The deliberate attempt to influence perception and decision making by presenting information that is incomplete, incorrect, or out of context.”

Source: DISARM

Disinformation is a topic I’ve followed at surface level over recent years as it has become more prominent (at least in terms of media coverage).

Going a bit deeper into the world of disinformation I ran into concepts such as ‘IO’ (influence operations), ‘IMI’(information manipulation and interference), ‘FIMI’ (focusing on foreign ‘IMI’), ‘MDM’ (mis/dis/mal-information), ‘Information Disorder’, among other terms and spheres.

There’s a growing consensus that disinformation is important context for cyber threat intelligence.

The DISARM Framework in parts aims to provide a single knowledge-base for disinformation classifications.

In the way MITRE ATT&CK has provided a standard for contextual information about adversary tactics and techniques based on real-world observations, DISARM aims to do the same for disinformation.

DISARM is a set of frameworks for describing and understanding disinformation incidents.

Source: DISARM Framework Explorer

The frameworks are organised ways of describing and analysing disinformation behaviours.

DISARM has two main frameworks:

  1. DISARM Red: for describing incident creator behaviours to disinformation incidents
  2. DISARM Blue: to describe potential response behaviours to disinformation incidents

DISARM Red Framework

The disarm frameworks contain many object types, including tactic stages (steps in an incident), and techniques (activities at each tactic stage)… heavily inspired by ATT&CK. For example from the DISARM Red Framework;

  • Tactic: TA16 Establish Legitimacy
    • Technique: T0009 Create fake experts

On the DISARM Blue side there are tactic stages (steps in an incident) and countermeasures (to counter activities at each tactic stage). For example;

  • Tactic: TA06 Develop Content
    • Countermeasure: C00080 Create competing narrative

All the data for DISARM is open-source and can be found on the foundations GitHub page.

The DISARM_FRAMEWORKS_MASTER.xlsx spreadsheet where the framework data is held – this contains disinformation creators’ tactics, techniques, tasks, phases, and counters.

The DISARM TTP Guide has more detailed information on each technique.

The DISARM STIX2 Generator encodes the DISARM objects into the corresponding STIX2 objects.

git clone
python3 -m venv DISARM-STIX2
source DISARM-STIX2/bin/activate
pip3 install -r requirements.txt

This will generate a bundle that can be used with downstream products, like a TIP.

DISARM in ATT&CK Navigator

The bundle has also been crafted to work seamlessly with ATT&CK Navigator.

Work started on DISARM in 2017 and was launched in 2019, initially named AMITT. Whilst still a fledgling framework, it looks very promising to us! It is therefore very likely you will see something from us soon in this area.

Discuss this post

Signals Corps Slack

Never miss an update

Sign up to receive new articles in your inbox as they published.