
DAD-CDM Virtual Roundtable at RightsCon 2025
March 20, 2025
The battle against Foreign Information Manipulation and Interference (FIMI) requires sophisticated tools and standards. The OASIS STIX (Structured Threat Information Expression) standard has been a cornerstone for sharing cyber threat intelligence, but until now, it hasn’t fully addressed the unique challenges of information manipulation campaigns.
What’s Happening?
In February 2025, the OASIS Open Project Defense Against Deception – Common Data Model (DAD-CDM) released a key findings document detailing their progress on extending the STIX standard to better model FIMI operations. Throughout 2024, the committee met 18 times to develop solutions that maintain the core structure of STIX while adapting it to address information manipulation threats.
The Core Approach
Rather than reinventing the wheel, the group focused on revising existing taxonomies and definitions while preserving STIX’s fundamental architecture. The guiding principle: don’t create new objects unless absolutely necessary when modifying existing properties would suffice.
Incident Modeling: Addressing the Gaps
Currently, STIX faces several limitations when dealing with FIMI incidents:
1. Investigation-driven vs. Event-driven:
Unlike the cyber world with its extensive telemetry systems, FIMI research relies heavily on investigations rather than automated event detection.
Example: Imagine comparing a home security system to a public health investigator.
Event-driven (Cyber): Your home security system automatically alerts you when a door opens unexpectedly. The system’s sensors detect the specific event (door opening), triggering an immediate notification to your phone.
Investigation-driven (Information Manipulation): In contrast, a public health investigator tracking the spread of rumors about contaminated water doesn’t get automatic alerts. Instead, they must actively monitor social media posts, community forums, and local news reports, looking for patterns like increased mentions of illness, questions about water safety, or claims about utility company cover-ups. The investigator must connect these dots through careful research since there’s no automated system flagging these related activities as part of a potential misinformation pattern.
2. Collaborative Response:
While cyber incidents are typically handled by the victim organization, FIMI incidents often require coordinated responses across multiple organizations.
Example: Consider how different organizations respond to different types of threats.
Cyber incident: When a bank detects unauthorized access to its customer database, the bank’s security team handles the incident. They might bring in specialized contractors, but ultimately, it’s the bank’s responsibility to fix the breach, notify affected customers, and strengthen their security.
Information manipulation incident: When misleading information about an upcoming infrastructure project spreads throughout a community, no single organization “owns” the problem. An effective response might require: local government officials to provide accurate timeline and budget information, the construction company to clarify their plans, community forums to host discussions, local media to fact-check claims, and social media platforms to prevent the spread of demonstrably false information. Without coordination between these diverse stakeholders, the response becomes fragmented and potentially ineffective at addressing community concerns based on inaccurate information.
3. Real-world Context:
In the FIMI landscape, real-world events frequently provide the context and opportunity for threat actors to launch manipulation campaigns.
Example: Think about how real-world events create opportunities for manipulation.
During a major natural disaster like a hurricane, threat actors might create and spread false information about relief efforts. The timing isn’t random – they deliberately disseminate fabricated stories claiming that aid organizations are misusing donations or that certain areas are being deliberately neglected when:
- Communities are vulnerable and desperate for information
- Communication infrastructure may be damaged or unreliable
- Emotions are running high among those affected and those wanting to help
- Traditional information verification channels may be disrupted
- People need to make quick decisions about evacuation, seeking assistance, or donating
The real-world event (the hurricane) provides both the context and the strategic timing that makes the manipulation more impactful and potentially harmful than it would be during normal circumstances. People seeking critical information become vulnerable to manipulation precisely because the stakes are so high at that moment.
The proposed extensions include new impact assessment properties specific to the public information environment (reach, engagement, and harm metrics), plus enhanced relationship mapping so that an incident can be linked to the real-world event it targets and to the channels and narratives it uses.
Understanding the Actors
DAD-CDM identified significant limitations in how STIX currently represents the actors involved in FIMI operations. The proposed solution? Expand the existing Threat Actor object rather than creating new objects.
We propose thirteen additional Threat Actor object types:
- Company
- Diplomat
- Entrepreneur
- Expert
- Government Unit Cell
- Individual
- Influencer
- Journalist
- Media
- Offline Service Provider
- Online Service Provider
- Public Official
- Researcher
Additionally, the proposal adds new relationship types such as “contract with” and “is sponsored by” to better capture the intricate connections between these actors.
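As an added illustration (not the DAD-CDM project's own schema or code), the following Python builds a STIX 2.1 bundle that uses the proposed actor types and relationship types listed above together with the reach/engagement/harm impact properties mentioned under incident modeling. The slugified vocabulary values, the `extension-definition--` id and the impact property names are assumptions, and the sample actors and incident are constructed.

```python
import uuid
from datetime import datetime, timezone
# Slugified forms of the 13 actor types proposed in the post; these are assumed
# spellings, not values of the official STIX threat-actor-type-ov vocabulary.
PROPOSED_ACTOR_TYPES = {
    "company", "diplomat", "entrepreneur", "expert", "government-unit-cell",
    "individual", "influencer", "journalist", "media", "offline-service-provider",
    "online-service-provider", "public-official", "researcher"}
# The two relationship types proposed in the post, plus STIX 2.1 ones the post relies on.
ALLOWED_RELATIONSHIPS = {"contract-with", "sponsored-by", "attributed-to", "targets", "uses"}
# Placeholder id for the hypothetical impact property extension (not a published one).
IMPACT_EXT_ID = "extension-definition--00000000-0000-4000-8000-000000000000"

def sdo(stix_type, **props):
    """Minimal STIX 2.1 object with the required common properties."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def threat_actor(name, actor_type):
    """Threat Actor whose threat_actor_types carries one proposed FIMI actor type."""
    if actor_type not in PROPOSED_ACTOR_TYPES:
        raise ValueError(f"not a proposed DAD-CDM actor type: {actor_type}")
    return sdo("threat-actor", name=name, threat_actor_types=[actor_type])

def relationship(src, rel_type, dst):
    """SRO linking two objects; rejects relationship types outside the allowed set."""
    if rel_type not in ALLOWED_RELATIONSHIPS:
        raise ValueError(f"unsupported relationship type: {rel_type}")
    return sdo("relationship", relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"])

def fimi_incident(name, reach, engagement, harm):
    """Incident carrying reach/engagement/harm in a property extension (assumed layout)."""
    impact = {"extension_type": "property-extension",
              "reach": reach, "engagement": engagement, "harm": harm}
    return sdo("incident", name=name, extensions={IMPACT_EXT_ID: impact})

def bundle(*objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}

def build_example():
    """Constructed sample: a sponsored influencer behind a hurricane-relief rumor incident."""
    sponsor = threat_actor("Unit 0 (constructed)", "government-unit-cell")
    voice = threat_actor("@reliefwatch (constructed)", "influencer")
    incident = fimi_incident("False aid-misuse claims after hurricane (constructed)",
                             reach=120000, engagement=8400, harm="medium")
    return bundle(sponsor, voice, incident, relationship(voice, "sponsored-by", sponsor),
                  relationship(incident, "attributed-to", voice))
```

Run `build_example()` and serialize the result with `json.dumps` to get a bundle that a STIX-aware tool can ingest once the extension definition is published.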
What’s Next?
In our next post, we’ll explore the committee’s findings on Channels, Narratives, and Cyber Observables—three critical components for understanding and countering information manipulation campaigns.
Help Shape These Standards
The full Key Findings document is available on GitHub. We encourage security researchers, policy experts, and other professionals to review the proposed extensions and provide feedback. Your input will help strengthen our collective defense against deception.
Send us comments or submit potential changes to collaborate on this important initiative.