Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Ken Wolf: [00:01:42] Major tech companies, the kind of tech giants, as it were, are undertaking initiatives to try to eradicate extremist content from their platforms.
Dave Bittner: [00:01:51] That's Ken Wolf. He's a Senior Analyst at Flashpoint. The research we're discussing today is titled "An Analysis of Islamic State Propaganda Distribution."
Ken Wolf: [00:02:01] And we know that, historically, a lot of these big name platforms have been abused by these actors to upload and distribute their propaganda materials. So, our expectation going into this research was that, by conducting a frequency analysis of the domains that have been used for these distribution purposes, we would be able to start to identify new platforms or spaces that these actors might be moving into as, you know, kind of the big name platforms become more difficult for them to either access or abuse in the way that they have in the past.
Dave Bittner: [00:02:46] So, can you sort of take us through and give us a little bit of a lay of the land here? I mean, what extremist groups are we talking about, and what platforms did they frequent?
Ken Wolf: [00:02:56] You see a lot of the same platforms among different groups, but in this research, we focus specifically on ISIS, and the platforms that they're using for content distribution. Some of the major platforms that we've seen over time are, you know, they include big names like YouTube, Google, Twitter. The Internet Archive has been a big one, as well as kind of maybe some lesser known sites, paste sites like JustPaste.it.
Dave Bittner: [00:03:34] Now, what are the elements that attract them to one platform over another?
Ken Wolf: [00:03:40] That's a good question. We didn't specifically look into that in the course of this research. There were some assumptions that kind of went into it, and went into the analysis that was derived from the research. You know, you have to think about the resources that these guys have available to them, and the opportunity costs of using one platform over another. The platforms that are most commonly used, the assumption on our part was that those platforms either are easy for these propaganda distributors to either establish accounts, or they're kind of favorable in other ways, such as the longevity of the content that they upload to those platforms.
Dave Bittner: [00:04:38] One of the things that caught my eye in your research was the use of archive.org. I hadn't really thought about it before, but that sort of natural tension that's there, where part of Archive's mission is to, well, archive the things that were posted online. So, they would have a tendency to not delete things.
Ken Wolf: [00:04:59] Right. That's a tricky space. Archive.org's mission, you know, essentially to preserve the historic record of the Internet. And there's certainly value in that, and even when it comes to these types of materials, you know, accessibility to researchers and academia, military historians, you know, you can think of different scenarios and groups along those lines that would have, you know, kind of a net positive value from having access to this material. But we have seen, or at least the data here, the trends suggest that these actors are deliberately abusing the platform to their advantage.
Dave Bittner: [00:05:45] So take us through, what was the process that you went through for your research, and what were some of the key findings?
Ken Wolf: [00:05:52] Sure. We chose to look at these two forums that are, the membership of the forums are composed of ISIS members and ISIS supporters. And we know, through our monitoring, that when new propaganda materials are produced and uploaded to any number of hosting platforms, the links to those materials are shared within these forums, both for the membership to view those, but also to reshare outside of these platforms.
Ken Wolf: [00:06:33] So, with that understanding, we decided to look at the three year period beginning in January of 2015 and going through the end of December 2017. The process involved harvesting all of the URLs that had been shared within the forums during that period of time, kind of cleaning the data a bit, a lot of these URLs have been either reshared or, you know, the original posts in which they were shared have been reposted, things along those lines. So we had to do some deduplication so that we could be sure, you know, we're only counting each one one time.
Ken Wolf: [00:07:20] There was also a concern about shortened links and how they might distort the data, so we had to employ some scripts to kind of go through and expand all the shortened links, and also, you know, deduplicate those. And once we'd gone through those steps we basically had the set of URLs that we wanted to work with. From there, we extracted the domain names from each of those URLs, and then built out a frequency analysis going month by month through that three year period.
Dave Bittner: [00:08:03] And so, what were some of the trends that you saw?
Ken Wolf: [00:08:06] One of the most surprising findings was actually a trend that didn't exist, which was that we didn't really see new platforms emerging, especially moving into early and late 2017. What we do see is a lot of the same platforms in the top ten that have been used across this entire period of time. And those include some of the biggest names, YouTube, Google, you know, there were some others that started creeping up, you know, we see a little bit of Dropbox and some other similar platforms. But for the most part the top ten in 2015 were the same top ten in 2017.
Ken Wolf: [00:08:57] One of the other interesting trends that we saw in the data was we could actually identify a point in time during which the actors began to actively archive the materials that they had been uploading to paste sites. We saw that emerge in around April of 2016. And the evidence for that is I think pretty clear. You can see, in the same posts in which a URL from a paste site was shared, there was also an accompanying URL from the Wayback Machine where they had, you know, what it looks like is uploaded the material, generated the paste page, immediately archived it, and then shared both links. So they, you know, effectively achieving, you know, persistent content that way.
Dave Bittner: [00:09:59] Taking advantage of archive.org to immediately have, I guess, what they're hoping is a permanent archive.
Ken Wolf: [00:10:07] Exactly.
Dave Bittner: [00:10:08] Yeah. Now, one of the things I noticed in your research was how Twitter made a brief appearance, it appears in 2015, but then kind of dropped off the list. And your research included a little chatter about that.
Ken Wolf: [00:10:23] Yes. So Twitter, you know, in the past was a big platform for these guys to use. You know, it makes sense in a lot of ways. Materials, unless an account on Twitter is private, people even without having an account can typically view tweets and content of tweets. So that really gives, it creates a platform in which it's easy to distribute materials and reach, you know, multiple broad target audiences. But Twitter has also taken very active measures to both eradicate the extremist content from the platform and suspend the accounts that are associated with spreading that.
Ken Wolf: [00:11:19] Now, we don't know enough about the actual programs that Twitter has put into place, or the timelines when those were done, to really draw a correlation between the decrease that we see in these numbers. But there is anecdotal evidence that suggests their efforts have been effective and some of these are, as you mentioned, the discussions that we've referenced in the report. We actually pretty often see different members--whether it's within the forums, or on Telegram, or in other spaces--people calling for ISIS supporters to establish Twitter accounts and, you know, kind of do their part for them for the cause by distributing, you know, ISIS materials through those accounts.
Ken Wolf: [00:12:14] But I think this one quote that we included in the report kind of helps put into context the difficulties that they face. And that's, this was a forum member who was writing in Arabic responding to another member who was calling upon forum members to join Twitter. And this member said, this task is impossible, I alone have had more than 120 accounts closed on Twitter, sometimes three accounts were closed in the same day, even though I was not as active as other accounts. What is the benefit of accounts that are closed an hour after they are opened? I think that kind of embodies the frustrations that ISIS and their supporters are facing in continuing to try to use Twitter as a platform for propaganda distribution.
Dave Bittner: [00:13:12] Another thing that your research noted that caught my eye was the use of services that are using blockchain, I guess for both the permanence of it and the distributed nature of it?
Ken Wolf: [00:13:24] Yeah, so that was an interesting thing we came across a few months ago. It's fairly common to see these forum members discussing alternate platforms and trying to find other ways to, you know, establish a presence and get their materials out there. This service specifically came up, I think we said in January of this year, looking at a video hosting service called DTube, which uses a decentralized model, you know, some of the benefits that they mentioned were, you know, because of the distributed model there's not necessarily an admin who can delete materials the way that it can be done on YouTube. So they, you know, were looking at this as an alternative basically to YouTube, and a way to maintain a permanent distribution of their videos.
Dave Bittner: [00:14:28] Now, in terms of the take-homes for you, the conclusions that you all came to, and then practical applications of your research, what can you share there?
Ken Wolf: [00:14:38] That's a really great question. I think that, you know, it was really insightful to see the way, or the extent to which, the same platforms continue to be used. You know, especially big name platforms which have been in the news a lot, and have received a lot of attention for the way that their own platforms have been abused by these actors. But, you know, they continue to be the most commonly used. We can't really use that to evaluate how effective their programs are without also taking into account how long materials stay active on those platforms, which is not something that was included in this research.
Ken Wolf: [00:15:28] So, you know, that gives us some different avenues for follow-on research that might help shed some better light on that. You know, overall, it really highlights the complexity of this problem, and how difficult it might actually be to tackle.
Dave Bittner: [00:15:48] Yeah, I mean, we often, you know, sort of talk about this game of whack-a-mole, you know, knocking things down and they pop back up again. But it seems like there's a real evolution here in these people's tactics for, I guess, even just the duplication of information so that, you know, they're uploading the main version but then immediately having a backup as well.
Ken Wolf: [00:16:17] Yeah, I think that's right. You know, they have shown themselves to be pretty resourceful and adaptive to a lot of the hurdles that they themselves have faced. And, you know, in addition to immediately archiving and creating backups of the materials, any given piece of propaganda is typically uploaded to, you know, five, ten, sometimes more sites at the same time. So they're uploading to many sites at once, with the assumption that at least some of those are probably going to flag it pretty quickly and delete it, but it will still be available on other platforms. Yeah they're definitely, I think, adaptive and resourceful.
Dave Bittner: [00:17:09] And I know that your research doesn't directly cover this, but what's your sense in terms of discoverability of this stuff? Is it easy, if this is what you're looking for, is it easy to search for and find it?
Ken Wolf: [00:17:21] I think that really depends upon the platform that it's been shared on. It is kind of easy to, you know, go to a search engine and combine certain keywords with some of these domains and actually find a lot of the material. You know, paste sites, even with archive.org, you can find a lot of the material pretty easily. Stuff that's being distributed over Google Drive, or Dropbox, or something along those lines, not as easy to find, just because that stuff's not indexed.
Dave Bittner: [00:18:02] Our thanks to Ken Wolf from Flashpoint for joining us. The title of the research paper is "An Analysis of Islamic State Propaganda Distribution." You can find it on the Flashpoint website.
Dave Bittner: [00:18:14] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:18:22] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:18:30] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.