
Strengthening Digital Resilience
April 23, 2025
This is the second part of our series on the OASIS STIX Standards extension for Foreign Information Manipulation and Interference (FIMI). Read Part 1 here.
In our previous post, we covered how the Defense Against Deception – Common Data Model Technical Steering Committee (DAD-CDM TSC) is approaching incident modeling and actor representation for FIMI operations. Now, let’s explore three additional critical areas: Channels, Narratives, and Cyber Observables.
Channels: Tracking Information Flow
One of the most significant gaps in the current STIX specification is its inability to adequately describe information channels. The TSC identified several challenges:
- Inconsistent descriptions of how information flows
- Variability in granularity leading to difficulty in comparative analysis
- Confusion over content sources, often deliberately created by malicious actors
Proposed Solutions
The TSC recommends creating a new “Channel” object, defined as “an immutable conduit for information that constrains its flow from point A to point B.” This could include everything from Telegram channels to Facebook pages to word-of-mouth communication.
They’ve also proposed a new “Media Outlet” object to model large media brands that reach audiences through multiple channels. For example, a state media organization might operate several websites, radio stations, and social media accounts—all representing different channels for the same outlet.
These improvements will enable analysts to map information pathways with precision and consistency.
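To make the outlet-to-channel mapping concrete, here is an added example (not taken from the TSC document) that builds a small STIX 2.1 bundle and groups channels under the outlet that runs them. The type names `x-fimi-media-outlet` and `x-fimi-channel`, the `platform` property, the `operates` relationship type and the extension id are hypothetical placeholders, and all sample data is constructed.

```python
import json
import uuid
from collections import defaultdict

# Hypothetical names throughout: the type names, "platform" property,
# "operates" relationship and extension id are assumptions, not the TSC schema.
NS = uuid.UUID(int=0)  # fixed namespace so ids are reproducible
EXT_ID = f"extension-definition--{uuid.uuid5(NS, 'fimi-example')}"
TS = "2025-04-23T00:00:00.000Z"  # constructed timestamp

def new_sdo(obj_type, name, **props):
    """Minimal STIX 2.1 object declared as a new SDO type via `extensions`."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid5(NS, obj_type + name)}",
            "created": TS, "modified": TS, "name": name, **props,
            "extensions": {EXT_ID: {"extension_type": "new-sdo"}}}

def relate(source, rel_type, target):
    """STIX relationship object (SRO) from source to target."""
    key = source["id"] + rel_type + target["id"]
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--{uuid.uuid5(NS, key)}",
            "created": TS, "modified": TS, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}

def build_bundle():
    """One outlet reaching audiences through three channels (constructed data)."""
    outlet = new_sdo("x-fimi-media-outlet", "Example State Media")
    channels = [new_sdo("x-fimi-channel", n, platform=p) for n, p in [
        ("example-news.invalid", "website"),
        ("Example FM", "radio"),
        ("@example_news", "telegram")]]
    rels = [relate(outlet, "operates", c) for c in channels]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid5(NS, 'bundle')}",
            "objects": [outlet, *channels, *rels]}

def channels_by_outlet(bundle):
    """Walk the relationships to group channel names under their outlet."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    grouped = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "operates":
            outlet, channel = by_id[o["source_ref"]], by_id[o["target_ref"]]
            grouped[outlet["name"]].append(channel["name"])
    return dict(grouped)

if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
    print(channels_by_outlet(build_bundle()))
```

The `extension-definition` object that `EXT_ID` refers to is omitted here; a real bundle would carry it alongside the objects that use it.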
Narratives: The Building Blocks of Manipulation
Narratives are central to information manipulation, yet the current STIX specification offers no structured way to describe them. The TSC defines a narrative as “a description of a sequence of events in the world,” which may be real, imagined, or of unknown status.
Proposed Solutions
The TSC is considering the following proposed additions:
- A new Narrative SDO (STIX Domain Object) with attributes for describing observed FIMI narratives
- New relationship types specific to narratives
- A coding handbook to ensure consistent identification and description of narratives
These tools will help analysts track narrative spread, infer threat actor motivations, and develop counter-narrative strategies.
Cyber Observables: Capturing Digital Content
The final challenge addressed by the committee involves representing content-related online observables. Current STIX objects like “files” can describe text, images, videos, and audio, but they don’t adequately address the containers of this content (posts, tweets, articles).
Proposed Solutions
The committee is exploring three options:
- Using channel object properties to describe containers and connecting them to file objects
- Developing the OpenCTI STIX extension for media content
- Introducing a new “Posting” object with sub-objects for different content types
Each approach offers different trade-offs between simplicity and precision.
Real-World Application: The UK Southport Riots
To illustrate how these extensions work together, the committee provided a case study of the July 2024 UK Southport riots. Their model tracked the sequence from the UK election through the Southport mass stabbing to the subsequent riots, capturing how real-world events and information manipulation interacted and escalated impact over time.
Join the Conversation
The full STIX FIMI Extensions document is available on GitHub. We need experts from cybersecurity, media studies, policy, and related fields to review these proposals and contribute their insights.
By collaborating on these standards, we can build more effective tools for detecting, analyzing, and countering information manipulation campaigns.
Send us comments or submit potential changes to help strengthen this important framework.