The Cognitive Security Collaborative: The First 6 Months

Community, Deployments, Tools and what’s next

In 2019, the Misinfosec Slack group and Misinfosec Standards Working Group created bridges between the information operations, information security, data science and disinformation communities. We worked together to create a common vocabulary, common processes, and a mapping of information security tools, techniques and processes onto disinformation needs, which included the AMITT standard for describing disinformation incidents and ways to mitigate and counter them.

One Community

In January 2020, we merged into a single team: the Cognitive Security Collaborative (“Cogsec Collab”). We continued work on countering disinformation campaigns, with a focus on building the tools, processes, and networks needed to create an effective collective, distributed response to the large-scale, distributed, asymmetric threat that is modern disinformation. In short, we wanted to see if we could build a worldwide equivalent to the Baltic Elves by:

  • making it possible to build response groups for free,
  • sanely connecting together individual responses,
  • connecting community alerts to responders, and
  • connecting new response groups to the existing information security response system.

Our original goal was to focus on this work throughout 2020. We are working with NATO, RRM Canada, and other groups toward this end.

Active Deployments

In mid-March 2020, as COVID-19 disinformation incidents started to rise, we were asked to build a community-based disinformation team (similar to the crisis-mapping teams of the 2010s) to provide surge capacity in data gathering and initial analysis. In early April 2020 we were invited to lead the Disinformation team at the CTI League, a newly formed community of cyber threat intelligence (CTI) experts, incident responders, and infosec industry experts working to neutralize cyber threats that exploit the COVID-19 pandemic. As a result, we pivoted from a focus on small-team management and Google Docs to building tools, process and structure for a group of 500 people representing information security, law enforcement, medical institutions, and ISP/media platforms. We’ve responded to dozens of incidents, ranging from medical scams to anti-lockdown protests.

As a result of this work, we are literally writing the book (“The Big Book of Disinformation Response”) on how to respond to disinformation at scale in real time. This is part of our goal to make processes and learnings available to other teams.


In order to focus on building the tools needed by the disinfo response groups we are fostering, we’ve handed over the AMITT Framework to the MITRE Corporation, to be managed alongside ATT&CK, their signature information security framework. We’re using the modifications we made to STIX and MISP to build sharable rapid reports of disinformation incidents that include AMITT markups of tactics, techniques, and counters.

We’ve extended MISP and its companion case-tracking software, TheHive, to make them easier to use for disinformation reporting by adding new case workflow templates, new social media objects, and code to scrape and upload those objects to MISP using a single Slack bot command.

With MISP repurposed to store disinformation, we launched the first MISP disinformation sharing community, bringing together a global network of researchers to share influence operation intelligence. The Cognitive Security Collaborative MISP disinformation community is included by default in the MISP community release: access to it is available on request.

We started building data collection and data science toolkits to make responses faster and easier. We continue to research and improve these core assets. We work with, learn from, and teach a growing number of Threat Intelligence teams.

The Next 6 Months

As the COVID-19 pandemic continues and new challenges emerge, we have set new goals for ourselves:

  • build a network of teams capable of responding to threats,
  • keep merging with the Threat Intelligence world,
  • continue building out the discipline of disinformation response by writing comprehensive documentation on countermeasures, narrative arcs, and disinformation response,
  • normalize the inclusion of disinformation response as the standard for the information security profession.

To further these goals, we have registered the Cognitive Security Collaborative as a non-profit organization and applied for 501(c)3 status in the United States. This gives us a legal entity to act as a long-term custodian of our shared tools and knowledge, as well as a financial conduit for shared infrastructure, hosting, and development grants.

SJ Terp

Data nerd, specializing in complex business and social problems.