Governments, tech companies, researchers and platforms lack a common framework to analyze different types of online operations - not only cyber attacks and influence operations, but the wide range of online threats, from mass harassment to hate organizations and fraud. The existing frameworks are primarily designed to analyze a single threat activity, but online operations are amorphous, and do not always fit neatly into a single violation type. Analyzing any of these operations through a threat-specific framework carries the risk of missing other important segments of their activity and siloing defense efforts.
To fill this gap, at Meta, we have developed our own Online Operations Kill Chain - a framework that is designed to be applied to a wide range of online operations. The Online Operations Kill Chain describes the steps that threat actors go through to acquire a foothold online, disguise their assets, evade detection, study and engage their targets, and maintain persistence in the face of enforcement by any one defender. As investigators at a tech platform, we apply it to analyze and compare online operations, find defense gaps that might be exploited, and identify the biggest opportunities for disruptions across a wide range of threats so our security teams don’t operate in silos.
In addition to leveraging this kill chain framework inside Meta across cyber espionage, influence operations, and other threats, we have designed it with the open-source community in mind. Because of an increasing number of online threats targeting multiple mediums online, we believe this kill chain can be effectively applied to inform and operationalize collaboration across our industry and the researcher community. By speaking the same language and operating a common threat taxonomy, we can better analyze the threat landscape and spot vulnerabilities in our collective defenses so we can increase friction for these threats, no matter their nature, across the internet.
In this talk, we will describe the links in the chain and how to apply it to a range of different types of threats. It is our hope that a common framework for investigators across platforms, in the open-source community, and within democratic institutions will enable more effective collaboration to analyze, describe, compare and disrupt online operations.