Like all the other stuff in The Online Operations Kill Chain, Phase 5: Testing Platform Defenses was drafted by senior people inside the largest of social networks. Leading a small group into a conflict environment is radically different in terms of what one can expect to accomplish, but there is merit in learning what’s on the mind of a theater level platform person watching an operation shaping up against their platform.
So without further delay, let the creeping up begin …
Attention Conservation Notice:
This is pretty core stuff, but if you’re a real hip marketing wiz that can A/B test messaging while singing karaoke you can probably skip it.
Phase 5 Verbatim:
Some operations test the limits of online detection and enforcement by sending a range of content with varying degrees of violation and observing which ones are detected.
For example, the Russian military intelligence unit that targeted Hillary Clinton’s presidential campaign servers in 2016 sent test spearphishing emails as part of its preparation.[62] Hacking groups may upload their own malware to an antivirus data website like VirusTotal to see if it would be detected. Operations that exchange or post violating content, such as hate speech or sexually explicit imagery, may post variations of the same message to see which ones are detected automatically.
Examples of defense testing within the Online Operations Kill Chain:
1. Sending phishing links to operation-controlled email accounts
2. Posting A/B variations of violating images
3. Posting A/B variations of violating texts
4. Testing own malware using publicly available tools
5. Posting spam at different rates from different accounts
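What the probing in items 2, 3 and 5 looks like from the platform side, as an added example that is not from the Kill Chain report or from this post: a small defender-side detector that groups near-duplicate posts (A/B variants of one message), then reports whether enforcement across the variants was inconsistent and whether the same content was pushed at very different rates from different accounts. The accounts, texts, timestamps (minutes since an arbitrary start) and enforcement outcomes are constructed sample data; the similarity threshold and rate-spread limit are assumptions, not values any platform publishes.

```python
# Added example (not from the Kill Chain report or the post): a defender-side
# detector for the probing behaviour described above. Sample data is constructed;
# timestamps are minutes since an arbitrary start.
import re
from collections import defaultdict
from itertools import combinations


def normalize(text):
    """Fold the cheap evasions (case, punctuation, in-word hyphens,
    stretched letters) into a comparable token list."""
    text = text.lower()
    text = re.sub(r"(?<=\w)-(?=\w)", "", text)      # "ch-eap" -> "cheap"
    text = re.sub(r"[^a-z0-9\s]", " ", text)        # drop remaining punctuation
    text = re.sub(r"(.)\1{2,}", r"\1", text)         # "sooooo" -> "so"
    return text.split()


def jaccard(a, b):
    """Set similarity of two token lists; 1.0 when both are empty."""
    sa, sb = set(a), set(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def find_variant_clusters(posts, threshold=0.6):
    """Union-find over all post pairs whose normalized tokens are near-duplicates.
    Returns lists of post indices; singletons are dropped."""
    tokens = [normalize(p["text"]) for p in posts]
    parent = list(range(len(posts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(posts)), 2):
        if jaccard(tokens[i], tokens[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i in range(len(posts)):
        groups[find(i)].append(i)
    return [g for g in groups.values() if len(g) > 1]


def probe_report(posts, threshold=0.6, rate_spread_limit=3.0):
    """Summarise each variant cluster the way a moderation team would want it:
    how many posts/forms/accounts, whether some variants were actioned while
    others slipped through, and how unevenly the accounts posted."""
    report = []
    for cluster in find_variant_clusters(posts, threshold):
        members = [posts[i] for i in cluster]
        forms = {" ".join(normalize(m["text"])) for m in members}
        actioned = sum(1 for m in members if m["actioned"])
        per_account = defaultdict(list)
        for m in members:
            per_account[m["account"]].append(m["ts"])
        rates = []                                   # posts per minute, per account
        for stamps in per_account.values():
            stamps.sort()
            span = stamps[-1] - stamps[0]
            if span > 0:
                rates.append(len(stamps) / span)
        rate_spread = max(rates) / min(rates) if len(rates) >= 2 else None
        mixed = 0 < actioned < len(members)          # some variants caught, some not
        report.append({
            "posts": len(members),
            "distinct_forms": len(forms),
            "accounts": len(per_account),
            "actioned": actioned,
            "mixed_enforcement": mixed,
            "rate_spread": rate_spread,
            # either signal alone is worth a human look
            "flagged": mixed or (rate_spread is not None and rate_spread >= rate_spread_limit),
        })
    report.sort(key=lambda r: -r["posts"])
    return report


SAMPLE_POSTS = [  # constructed: one spam message being probed, plus benign chatter
    {"account": "acct_a", "ts": 0,  "text": "Buy ch3ap meds now!!! click here",   "actioned": True},
    {"account": "acct_a", "ts": 5,  "text": "Buy cheap meds now, click here",     "actioned": True},
    {"account": "acct_a", "ts": 12, "text": "Buy ch-eap m-eds n0w click here",    "actioned": False},
    {"account": "acct_b", "ts": 1,  "text": "Buy cheap meds now click here",      "actioned": True},
    {"account": "acct_b", "ts": 2,  "text": "buy cheap meds now click here!",     "actioned": True},
    {"account": "acct_b", "ts": 3,  "text": "BUY CHEAP MEDS NOW CLICK HERE",      "actioned": True},
    {"account": "acct_c", "ts": 30, "text": "Anyone know a good recipe for sourdough?",  "actioned": False},
    {"account": "acct_d", "ts": 40, "text": "Sourdough recipe recommendations please",   "actioned": False},
]

if __name__ == "__main__":
    for row in probe_report(SAMPLE_POSTS):
        print(row)
```

On the constructed data the spam variants collapse into one cluster of six posts in three distinct normalized forms from two accounts; five were actioned and one slipped through (mixed enforcement), and one account posted six times faster than the other. The sourdough posts are unrelated to the spam and to each other at the chosen threshold, so they never form a cluster. A real pipeline would feed this from the moderation log rather than a list literal, but the shape of the signal is the point.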
Implications:
We have talked extensively about how to move around without being seen as well as steps to harden your presence against a reactive opponent. Implicit in #1 and #4 here are the use of phishing, or perhaps highly targeted spearphishing. That’s a line I would not cross without clear sanction from above – no violations of Title 18 § 1030 Fraud and related activity in connection with computers please. The experiences I’ve had at my level are that there are a couple dozen needs to defend against such things for every time someone says “sure wish we could get into X”. So don’t you do it, don’t ask someone else to do it, because that’d put you in line for a Title 18 § 371 Conspiracy charge, and don’t take the proceeds of an intrusion directly from the person who did it, because then you’re courting a Title 18 § 3 Accessory after the fact charge. Also stay far, far away from any use of credit cards obtained in this fashion, because that’s Title 18 § 1029 Fraud and related activity in connection with access devices.
I got familiar with this stuff back during the enfant terrible phase of Anonymous in 2011 – 2012. People got locked up, genuine folk heroes and ridiculous hucksters alike. I got involved in interpreting the take and had to duck a couple bullets with my name on them. The stuff I am sharing with you guys is … the goal is for you to be fairly effective, and to be DURABLE. Three half successes are of more use than one glorious hit that gets you thirty months in a federal camp.
I suppose there are people out there with specific marketing skill sets who are A/B testing both images and text. I’ve done stuff like that for political campaigns back when, but never for online conflict. It’s typical to just see a mob moving a certain direction, then observe them to see who is effective, who gets clipped by takedown requests, and who persists.
Conclusion:
If this is all brand new to you there will be great benefit in doing some of this stuff by hand at first, just pointing, clicking, looking, and pondering. But you should quickly progress to having more interests than there are hours in the day. If I’m doing anything substantial the flow usually looks like this:
Doing all the things in Regarding Your Ass.
Getting something in place for Situational Awareness.
Review Stop Ingesting Crap and then do so, if I need facts.
That last one is a hard, hard lesson to learn. When there are structured intelligence operations, if the management believes that there is deception at work, they will insert a filter layer between collections and analysts. You might have an associate that’s slick enough to dispatch with orders to only pass on stuff they can validate, but that’s unusual. The bitter truth is simple – you can work on what’s real, or what’s being done to influence things, but you’re on thin ice if you’re trying to cover both areas. If you hear something wrong first, or worse it gets ground into you by the steady flickering of internet gaslight, even though you KNOW better, you might feel deeply uncomfortable in acting on only proven facts.
There is an unappreciated duty in the world – that of the wingman, of the top cover for a working group. Everybody effective needs this and far too few actually get it. But if you’re trying to ease into things, and you can take service with some group that’s in need but who lack the hands/eyes to do it, that’s a golden opportunity.