Measuring Offensive Cyber Effects with Brand Monitoring: The MARBLE Framework

The National Cyber Force’s Responsible Cyber Power in Practice frames the challenge of measuring effect as one of linking damage to a piece of technology to wider impacts on an adversary’s ability to achieve objectives. This is particularly true for those adversarial actors involved in ransomware and cybercrime. The issue of measurement becomes more complex still when we consider the actors against whom an operation might be undertaken and how measuring effect is shaped by the nature of the target.

Operations against cybercriminal groups, state-sponsored hacking collectives and advanced persistent threat actors each require different conceptions of effect and, in turn, different yardsticks. The Measuring Awareness, Recognition and Brand Loss Effects (MARBLE) framework aims to guide the measurement of effects of offensive cyber operations by proposing three stages of data analysis at different levels of abstraction. However, rather than focusing on measuring the impact on technical systems, MARBLE provides guidance on measuring impact of an operation upon a cybercriminal group’s branding and perception.

MARBLE applies specifically to the measurement of operational effectiveness where cybercriminal groups are targeted. It draws on lessons learned from Operation Cronos, undertaken by the National Crime Agency and partners to disrupt LockBit, in which operational impact was measured not on the basis of technical degradation or denial, but the perception of the target. In other words – is the brand of the actor in question compromised as a result of an operation?

Why Branding?

MARBLE draws on the marketing concept of brand monitoring to assess impact of an operation on a cybercriminal organisation. Brands are mechanisms that drive trust in a given organisation by its members, customers, victims and so on. In order for a group to retain trust from those members, customers and victims, its brand must be treated with care and stewarded well. Naturally, this makes brands a useful target for operations to undermine or degrade trust.

Branding is a critical consideration for cybercriminals. In the World Economic Forum’s 2024 Disrupting Cybercrime Networks white paper, Virtual Routes’ Max Smeets details that, as a mechanism for driving trust, a cybercriminal organisation’s branding is, much like a licit commercial organisation, tested in every transaction it makes.

In order to function, cybercriminal groups must convince their victims they are trustworthy and will follow through on ransomware payments leading to the recovery of the victim’s data. They must convince their members they are a worthwhile investment of their time. They must convince customers that their information won’t be exposed. Each time a victim is dealt with, a negotiation takes place for the reputation of the organisation. Failing to do so risks deterring future victims from engaging, future customers from procuring their services, and ultimately undermines their reputation as a threat. In the case of Operation Cronos, an offensive operation targeting the LockBit ransomware collective, the credibility of both the group’s leadership and the stability of the interpersonal relationships among the group’s membership were eroded.

Targeting brand rather than specific actors (in other words, leadership of a group) enables an operation’s effectiveness to be insulated from the challenges of targeting a distributed group; that is, the amorphous nature of the group’s membership. Personalities are fluid in these groups, with membership being subject to change at a moment’s notice with little enduring affiliation compared to, say, a rival military. The distinction between insiders and affiliates is similarly fluid, as is how individuals within either category perceive their own role.

Framework Overview

Each phase of the framework equates discussion and sentiment with brand confidence. In keeping with this focus, each phase occurs continuously both during and after an operation in a cyclical fashion, shifting between differing levels of abstraction. These mirror the micro, meso and macro levels of an organisation’s market orientation in conventional marketing theory. Micro-level analysis occurs internally to a single firm, meso-level analysis to the industry and professional norms in which that firm is situated, and macro-level to national, political, and economic factors. MARBLE has been structured to mirror these same levels. Instead of a firm, however, it focuses on cybercriminal groups.

MARBLE involves a three-phased shift from micro, to meso, to macro-level effects. Phase 1 concerns the identification of short-term damage to a cybercriminal group’s branding. This occurs in the immediate aftermath of an operation being conducted and is designed to capture any sense of shock within the target group. Application of pressure might include identifying decreased activity on a Telegram group used by members of the target organisation, or mapping keywords or sentiment analysis in group chats, to identify how discussion trends change immediately following an operation.

Phase 2 follows by mapping brand impacts at a meso-level. That is, moving beyond an immediate sense of shock to damage to the wider group dynamic. Personnel within the target organisation may be blamed or disagree with each other. Social bonds begin to break down. Industry insiders may see conflict and begin to spread word to their professional networks or readers. The metrics here shift from focusing on key words and activity to specific actors within those groups: members may shift across different group chats on specific platforms, for example. Phase 2 also involves an expansion of data sites to include coverage by industry publications and on specific intelligence feeds.

Phase 3, occurring at the macro-level, is essential for two reasons. In the first instance, it concerns the destruction of credibility of the target through a wholly compromised brand based on the perception outside of it. This might include the group’s current or former victims, as well as with its peers. Decreased engagement with other cybercriminal groups indicates a loss of trust or confidence in the target group among its peers. Similarly, decreases in ransomware payments – while an imperfect metric due to reliance upon self-reporting in many cases – could indicate a similar loss of trust and credibility among victims.

While each phase occurs at different levels of abstraction, it could equally be conceived that public discussion of a group being compromised would influence new pressure upon the group at a micro level. As such, MARBLE is designed to operate cyclically: upon the conclusion of Phase 3, the destruction of credibility of the target in turn forms a new wave of pressure upon the group, leading us to return to Phase 1.

Measurement of each variable and at each stage is both continuous and cyclical. Brand monitoring involves a continuous and proactive risk monitoring posture, informed by collection and analysis of data relating to mentions in both social and legacy media on an ongoing basis. While the staged progression of the model evokes the structure of a kill-chain framework, the process reflects both a procedure to be repeated, and an ongoing zooming in and out of the scope of analysis.

Finally, a brief note on tooling. Frameworks such as DISARM, which provide analysts with a means to categorise and map TTPs, rather than broader impact, can be operationalised through web browser plugins or other tools. MARBLE might be operationalised in a similar way, combining browser plugins, open-source intelligence tools, as well as more conventional marketing software such as Hootsuite. Marketing software is targeted towards brand management and can be integrated with specific platforms to track brand performance at a range of levels of abstraction.

Conclusion and Future

The framework proposed here is an early iteration of a means to measure impact through brand monitoring for a range of adversary groups. While this paper proposes a version applicable to cybercrime organisations, future modifications or iterations of the framework could be applied to APTs and state-sponsored hacking collectives, for example. It also provides a scaffold for assessing how durable, or non-durable, operations targeting brand such as Cronos can be.

A reconfiguration of MARBLE to account for state-sponsored adversaries might, at Phase 3, include analysis of how a given state’s media ecosystem was responding to the adversary being targeted. In turn, this opens up a wider set of questions. The success of operations like Cronos in compromising both the technical infrastructure and the branding infrastructure of cybercriminals should in turn invite a consideration of focus. Impacts upon the perception of an actor might be framed as a new terrain for offensive cyber, just as information operations were framed upon early applications alongside cyber operations in warfare. However, cognition – and by extension, branding – cannot be damaged in isolation. MARBLE, then, is not a replacement for offensive cyber capability targeting technical infrastructure. It offers an alternative means to measure the impact of that capability upon perception.

© RUSI, 2026.

The views expressed in this Cyber Effects Perspectives are the author's, and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.