Hunting Cyber-Enabled Influence Operations

Modern information operations—ranging from memes and disinformation campaigns to hack-and-leak operations—are rapidly becoming a pivotal weapon for threat actors. Staying ahead of emerging threats demands a strong grasp of both theoretical and practical aspects. The training introduces a novel approach that bridges cyber threat intelligence with influence operation analysis.

This course will provide essential theoretical foundations, an overview of the current global threat landscape, and practical exercises based on recent real-world cases. Drawing on the advanced tools, techniques, and methodologies traditionally used to counter APTs, participants will gain a practical, hands-on guide to identifying, analyzing, and disrupting modern influence operations.

What you’ll get

  • Master key concepts of influence operations, disinformation campaigns, and hack-and-leak operations, and understand their distinct roles in modern information warfare.

  • Identify and analyze cyber-enabled influence operations by leveraging proven cyber threat intelligence methodologies used to track nation-state advanced persistent threats (APTs).

  • Leverage advanced OSINT techniques to identify and investigate disinformation campaigns across social media platforms and web infrastructure.

  • Learn strategies to overcome common evasion tactics employed by adversaries, such as domain fronting, code obfuscation, and other techniques designed to obscure their activities.

  • Conduct infrastructure analysis to track and pivot across digital footprints, linking technical indicators to broader influence operation campaigns.

  • Gain hands-on experience through real-world case studies that bring theory into practice.

Outline

  • This part provides a foundational understanding of the history, actors, and tactics involved in cyber-enabled influence operations, setting the stage for practical investigations.

    Session - Lecture: A Brief History of Information Warfare and Cyber-enabled Influence Operations - 30 Minutes

    Traces the evolution of information warfare from traditional to digital domains, examining how cyber capabilities have transformed influence operations in modern conflict.

    - Information Warfare from Analog to Digital

    - Cyber-enabled Information Warfare And Influence Operations

    Session - Lecture: The Threat Landscape: Actors, Motivations, and Tactics - 1 Hour

    Explores the tools, tactics, and motivations of state and non-state actors in cyber-enabled influence operations.

    - The Cognitive Domain as the New Frontline

    - Why And How Threat Actors Use Cyber-enabled Influence Operations

    - Tools of the trade: Cyber attacks, Social Media Platforms, AI, Deepfakes, and Bots

    - State and Non-State Actors

    - Russia's use of Cyber-enabled Influence Operations

    - China's use of Cyber-enabled Influence Operations

    - Iran's use of Cyber-enabled Influence Operations

  • This part focuses on practical techniques for identifying, tracking, and analyzing cyber-enabled influence operations.

    Session - Lecture: Social Media as a Battlefield for Information Warfare - 30 Minutes

    Examines the role of social media in modern influence operations, including coordinated inauthentic behavior, memetic warfare, and notable case studies.

    - Introduction: The Evolution of Social Media as a Battleground

    - Cyber-enabled Social Influence Operations (CeSIO)

    - Defining CeSIO

    - Key Components of CeSIO

    - Coordinated Inauthentic Behaviour

    - Memetic Warfare

    Session - Lecture: AI-Powered Influence Operations: LLM, Deepfakes and Synthetic Media - 1 Hour

    Explores the role of AI in crafting influence operations, including deepfakes and synthetic media, and methods for detecting AI-generated content.

    - AI's Role in Crafting Cyber-enabled Influence Operations

    - Deepfakes and Synthetic Media

    - Detecting AI-Generated Content

    - Methods for Identifying AI-Created Text, Images, and Videos

    Session - Hands-On: Investigating Disinformation Networks - 2 Hours

    Provides a step-by-step guide to gathering intelligence from social networks, analyzing disinformation networks, and identifying fake accounts and trolls.

    - Introduction

    - Validating and Verifying Online Information

    - Identifying Fake Accounts and Trolls

    - Gathering Intelligence from Social Networks

    - Multi-Platform Operations

    - Multi-Language Operations

    - Conclusion

    Session - Lecture: Hack-And-Leak Operations - 30 Minutes

    Investigates the intersection of espionage and influence operations, focusing on the anatomy of hack-and-leak operations and how to analyze and verify them.

    - Links Between Espionage And Influence Operations

    - Anatomy of a Hack-And-Leak Operation

    - Leak Ecosystems

    - Verifying Hack-And-Leaks

    Session - Lecture: Attribution - 30 Minutes

    Discusses the importance of attribution in influence operations, the attribution process, and methods for identifying false flag operations.

    - Definition

    - The Attribution Process

    - Why Attribution Matters

    - Levels of Attribution Confidence

    - Attribution Methods

    - False Flag Operations

  • This part introduces advanced techniques for infrastructure analysis and pivoting, providing attendees with the skills to uncover hidden connections in cyber-enabled influence operations.

    Session - Lecture: Infrastructure Analysis - 1 Hour and 30 Minutes

    Explores the anatomy of web infrastructure and provides detailed technical guidance on analyzing web infrastructure used in influence operations.

    - Introduction

    - Purpose and Relevance in Cyber-enabled Influence Operations

    - Anatomy Of The Web

    - Web Application Technologies

    - Hypertext Transfer Protocol

    - Hypertext Markup Language

    - Domain Names and DNS

    - BulletProof Services

    - Analyzing Website Infrastructure

    - Domain Registration Information

    - Server Infrastructure

    - IP Address Location and Hosting Provider

    - Autonomous System (AS)

    - Server Software and Configuration

    - DNS Records and CNAME Redirects

    - Passive DNS

    - TLS/SSL certificates

    - Website Technologies

    - Digital Ad Libraries

    - Using Marketing Tools for Analysis

    - Backlink services

    - Common Evasion Tactics and Techniques

    - Domain Fronting and Cloaking

    - Traffic Distribution Systems (TDS)

    Session - Lecture: Pivoting - 30 Minutes

    Explores methodologies for expanding investigations by tracing connections between different elements of an influence operation.

    - Introduction

    - Pivoting Methodology

    - Pivoting Techniques

    - Shared Infrastructure Identifiers

    - IP/Subnet Correlation

    - DNS Correlation

    - SSL Certificate Relationships

    - Registrar and Name Server Connections

  • This part provides a real-world case study that ties together the concepts and techniques covered in the course, offering a practical example of how to analyze a cyber-enabled influence operation.

    Session - Hands-On: Introduction to Analyzing a Real-World Threat - 30 Minutes

    Provides a preliminary analysis of a real-world influence operation, setting the stage for deeper investigation.

    - The Background

    - Preliminary Analysis

    Session - Hands-On: Infrastructure Analysis - 2 Hours

    Demonstrates how to analyze the infrastructure behind an influence operation.

    - The Background

    - Stage 0: Social Media Gateway

    - Stage 1: Analyzing First Redirection and Metadata

    - Analyzing the HTTP Response

    - Stage 1 Recap

    - Stage 2: Analyzing Behind the Scenes

    - Decoding the script Section

    - Analyzing the Decoded JavaScript

    - Analyzing the External JavaScript

    - Stage 2 Recap

    - Stage 3: Final Destination

    - Conclusion

    Session - Hands-On: Pivoting - 1 Hour

    Demonstrates how to use pivoting techniques to uncover an influence operation.

    - Revealing Infrastructure with Passive DNS

    - Step 1: Conducting the Passive DNS Lookup

    - Step 2: Analyzing the Results

    - Step 3: Compiling the Findings

    - Hunting for Campaign IDs

    - Identifying the Pivot Point

    - Step 1: Collecting Campaign IDs

    - Step 2: Strategic Insights from the Campaign IDs

    - Country Codes

    - Campaign Themes

    - Final Destination

    - Step 1: Choosing the Pivot Path

    - Step 2: Tracing Final Websites

    - Traffic Distribution System

    - Step 1: Identifying Suitable Pivot Points

    - Step 2: Reconnaissance for Tools and Services

    - Step 3: Analyzing Behavioral Data

    - Step 4: Verifying the Findings

    - Conclusion

    Session - Hands-On: Creating a Threat Actor Profile - 30 Minutes

    Concludes the case study by guiding attendees through the process of creating a detailed threat actor profile based on the findings.

    - Key Components of a Threat Actor Profile

    - Aliases and Naming Schemes

    - Motivation and Objectives

    - Targeting and Victims

    - Understanding and Documenting TTPs

    - Prepare Profiles for Different Stakeholders
