# Counter C00197: remove suspicious accounts

* **Summary**: Standard reporting for false profiles (identity issues). Includes detecting hijacked accounts and reallocating them, if possible, back to original owners.

* **Playbooks**: Playbook 1: Create a standard reporting format and method for social platforms for reporting false accounts.
Playbook 2:
- Is the account compromised?
- Is it known to be associated with threat actors?
- Common/random name
- Names violate terms of service
- Dormant account
- Change of country IP
- Social network growth patterns (number of friends, etc.)
- Evidence of linguistic artifacts (multiple fingerprints, terms/idiosyncrasies)
- Community vs. narrative vs. individuals
Playbook 3: Report suspected bots.
- Report ToS violations.
- In all playbooks the platform must force user verification, credential reset and enable MFA. Suspend the account if it cannot be verified.
Playbook 1: Use sites like https://haveibeenpwned.com to detect compromised and at-risk user accounts.
Playbook 2: Monitor for unusual account usage (use of VPN, new geographic location, unusual usage hours, etc.).
Playbook 3: Detect sudden deviation in user sentiment such as suddenly dropping hashtags linked to extremist content.
Playbook 4: Purchase "likes", "retweets" and other vehicles which identify a bot and/or hijacked account. Ban the account.
Playbook 5: Detect hijacked account and spam their posts. "OP is a known disinformation bot. http://link.to.proof[.]com"

* **Metatechnique**: M005 - removal

* **Resources needed:** R003 - money

* **Belongs to tactic stage**: TA03


| Actors | Sectors |
| ------ | ------- |
| [A004 activist](../actors/A004.md) | Civil Society |
| [A031 social media platform administrator](../actors/A031.md) | Social Media Company |



| Counters these Tactics |
| ---------------------- |



| Counters these Techniques |
| ------------------------- |
| [T0009 Create fake experts](../techniques/T0009.md) |
| [T0007 Create fake Social Media Profiles / Pages / Groups](../techniques/T0007.md) |
| [T0011 Hijack legitimate account](../techniques/T0011.md) |



| Seen in incidents |
| ----------------- |


DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW
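
Note on the "Monitor for unusual account usage" playbook and the "Dormant account" / "Change of country IP" checks: the sketch below is an added example, not part of the framework entry, showing how a platform team could turn those signals into per-account flags from login records. The event fields, the 180-day dormancy threshold, the three-login baseline and the sample logins are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logins (not real data): account, UTC time, IP country, VPN exit seen.
EVENTS = [
    ("alice", "2024-01-03T09:10", "GB", False),
    ("alice", "2024-01-04T09:40", "GB", False),
    ("alice", "2024-01-05T10:05", "GB", False),
    ("alice", "2024-01-08T09:30", "GB", False),
    ("bob",   "2023-01-05T18:00", "US", False),
    ("bob",   "2023-01-12T19:00", "US", False),
    ("bob",   "2023-01-20T18:30", "US", False),
    ("bob",   "2024-02-01T03:15", "BR", True),
    ("carol", "2024-01-02T08:00", "DE", False),
    ("carol", "2024-01-03T08:20", "DE", False),
    ("carol", "2024-01-04T09:00", "DE", False),
    ("carol", "2024-01-09T08:30", "FR", False),
]

DORMANCY = timedelta(days=180)  # assumed threshold for "dormant account"
MIN_HISTORY = 3                 # assumed: logins needed before a baseline is trusted

def usual_hours(past, slack=2):
    """Hours of day within `slack` hours of any earlier login (wraps at midnight)."""
    return {(t.hour + d) % 24 for t, _, _ in past for d in range(-slack, slack + 1)}

def review_accounts(events):
    """Return {account: sorted signal names} for accounts that raised any signal."""
    history, flagged = defaultdict(list), defaultdict(set)
    for account, ts, country, vpn in sorted(events, key=lambda e: e[1]):
        when, past = datetime.fromisoformat(ts), history[account]
        if past and when - past[-1][0] > DORMANCY:
            flagged[account].add("dormant_reactivation")
        if len(past) >= MIN_HISTORY:
            if country not in {c for _, c, _ in past}:
                flagged[account].add("new_country")
            if when.hour not in usual_hours(past):
                flagged[account].add("unusual_hours")
            if vpn and not any(v for _, _, v in past):
                flagged[account].add("first_vpn_use")
        past.append((when, country, vpn))
    return {account: sorted(signals) for account, signals in flagged.items()}

if __name__ == "__main__":
    for account, signals in review_accounts(EVENTS).items():
        # Per the playbooks: force verification, credential reset and MFA for flagged accounts.
        print(f"{account}: {', '.join(signals)} -> verify, reset credentials, require MFA")
```

A single signal such as `new_country` is common for legitimate travel, which is why the playbooks route flagged accounts to verification first and suspend only when verification fails.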