Toward interoperable representation and sharing of disinformation incidents in cyber threat intelligence

Felipe Sánchez González, Javier Pastor-Galindo, José A. Ruipérez-Valiente

TL;DR

This work addresses the lack of interoperable sharing for disinformation incidents within CTI ecosystems by adopting the DISARM framework to model disinformation tactics, mapping these models to STIX2, and implementing a distributed exchange called DISINFOX. The authors validate an end-to-end, CTI-compatible flow with a dataset of over 100 DISARM-modeled incidents and demonstrate integration through a dedicated OpenCTI connector, enabling joint analysis with conventional cyber threat intelligence. Key contributions include a principled framework selection (DISARM), a concrete STIX2 codification scheme for disinformation incidents, and a modular, open-source DISINFOX platform for ingestion, storage, and CTI consumption. The work advances practical interoperability between disinformation threat intelligence and existing CTI tools, with future work aimed at automation, dataset expansion, broader platform integration, and alignment with emerging standards such as DAD-CDM.

Abstract

A key countermeasure in cybersecurity has been the development of standardized computational protocols for modeling and sharing cyber threat intelligence (CTI) between organizations, enabling a shared understanding of threats and coordinated global responses. However, while the cybersecurity domain benefits from mature threat exchange frameworks, there has been little progress in the automatic and interoperable sharing of knowledge about disinformation campaigns. This paper proposes an open-source disinformation threat intelligence framework for sharing interoperable disinformation incidents. This approach relies on i) the modeling of disinformation incidents with the DISARM framework (MITRE ATT&CK-based TTP modeling of disinformation attacks), ii) a custom mapping to STIX2 standard representation (computational data format), and iii) an exchange architecture (called DISINFOX) capable of using the proposed mapping with a centralized platform to store and manage disinformation incidents and CTI clients which consume the gathered incidents. The microservice-based implementation validates the framework with more than 100 real-world disinformation incidents modeled, stored, shared, and consumed successfully. To the best of our knowledge, this work is the first academic and technical effort to integrate disinformation threats in the CTI ecosystem.
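The abstract describes three building blocks: DISARM-modeled incidents, a mapping of those models onto STIX2 objects, and an exchange in which a platform stores incidents and CTI clients consume them. As an added illustration (not the paper's own mapping or DISINFOX code, which this page does not reproduce), the following stand-alone Python sketch encodes one DISARM-modeled incident as a STIX 2.1 bundle using only the standard library, and performs the kind of consumer-side validation a CTI client would apply before ingesting a shared incident. The object layout (one `attack-pattern` per technique, a `report` grouping them, an `identity` for the reporter), the `disarm` kill-chain name and the technique ids and names are all assumptions for this example.

```python
"""Illustrative STIX 2.1 encoding of a DISARM-modeled disinformation incident.

Constructed example: the layout (attack-pattern per DISARM technique, a report
that groups them, an identity for the reporting organisation) is an assumption
about how such a mapping could look, not the DISINFOX codification scheme.
"""
import json
import uuid
from datetime import datetime, timezone

KILL_CHAIN_NAME = "disarm"  # assumed name for the DISARM kill-chain phases

# Constructed technique ids, names and tactic phases; not taken from the DISARM matrix.
SAMPLE_TECHNIQUES = [
    ("TX001", "Create inauthentic accounts", "establish-assets"),
    ("TX002", "Amplify narrative via coordinated posting", "maximise-exposure"),
]


def _now() -> str:
    # STIX timestamps are UTC with a trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _stix_id(obj_type: str) -> str:
    # STIX ids are "<type>--<uuid>".
    return f"{obj_type}--{uuid.uuid4()}"


def make_identity(name: str) -> dict:
    ts = _now()
    return {"type": "identity", "spec_version": "2.1", "id": _stix_id("identity"),
            "created": ts, "modified": ts, "name": name,
            "identity_class": "organization"}


def make_attack_pattern(technique_id: str, name: str, tactic: str, created_by: str) -> dict:
    """One DISARM technique as a STIX attack-pattern: the DISARM id goes into
    external_references (as ATT&CK does) and the tactic into kill_chain_phases."""
    ts = _now()
    return {
        "type": "attack-pattern", "spec_version": "2.1", "id": _stix_id("attack-pattern"),
        "created": ts, "modified": ts, "created_by_ref": created_by, "name": name,
        "external_references": [{"source_name": "disarm", "external_id": technique_id}],
        "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN_NAME, "phase_name": tactic}],
    }


def make_incident_bundle(incident_name: str, reporter: str,
                         techniques: list[tuple[str, str, str]]) -> dict:
    """Build the bundle a platform would store and share for one incident."""
    identity = make_identity(reporter)
    patterns = [make_attack_pattern(tid, n, tac, identity["id"]) for tid, n, tac in techniques]
    ts = _now()
    report = {
        "type": "report", "spec_version": "2.1", "id": _stix_id("report"),
        "created": ts, "modified": ts, "created_by_ref": identity["id"],
        "name": incident_name, "report_types": ["campaign"], "published": ts,
        "object_refs": [p["id"] for p in patterns] + [identity["id"]],
    }
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": [identity, *patterns, report]}


def validate_bundle(bundle: dict) -> list[str]:
    """Consumer-side checks: every report reference resolves inside the bundle,
    and every technique carries a DISARM id and a DISARM kill-chain phase."""
    errors: list[str] = []
    ids = {o["id"] for o in bundle.get("objects", [])}
    for obj in bundle.get("objects", []):
        if obj["type"] == "report":
            for ref in obj.get("object_refs", []):
                if ref not in ids:
                    errors.append(f"report {obj['id']} references unknown object {ref}")
        elif obj["type"] == "attack-pattern":
            if not any(r.get("source_name") == "disarm"
                       for r in obj.get("external_references", [])):
                errors.append(f"{obj['id']} lacks a DISARM external reference")
            if not any(p.get("kill_chain_name") == KILL_CHAIN_NAME
                       for p in obj.get("kill_chain_phases", [])):
                errors.append(f"{obj['id']} lacks a {KILL_CHAIN_NAME} kill-chain phase")
    return errors


if __name__ == "__main__":
    bundle = make_incident_bundle("Constructed incident", "Example CERT", SAMPLE_TECHNIQUES)
    print(json.dumps(bundle, indent=2))
    print("validation errors:", validate_bundle(bundle))
```

Keeping the DISARM technique id in `external_references` rather than in the object name is what lets a consumer such as an OpenCTI connector match the same technique across incidents from different producers, and the reference check in `validate_bundle` is the minimum a client should run before trusting a bundle it did not create.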

Paper Structure

This paper contains 16 sections, 6 figures, 4 tables.

Figures (6)

  • Figure 1: Graph representation of the STIX Bundle representing the modeled URFH disinformation incident
  • Figure 2: Technological stack of the DISINFOX architecture
  • Figure 3: Deployment of the DISINFOX architecture
  • Figure 4: Disinformation incident lifecycle in DISINFOX architecture
  • Figure 5: DISINFOX Platform: Frontend visualization of the uploaded URFH incident
  • ...and 1 more figure