AMITT/counters/C00197.md
2021-05-01 17:17:30 +01:00

Counter C00197: remove suspicious accounts

  • Summary: Standard reporting for false profiles (identity issues). Includes detecting hijacked accounts and reallocating them - if possible, back to original owners.

  • Playbooks:

    Playbook 1: Create a standard reporting format and method for social platforms for reporting false accounts.

    Playbook 2:

      • Is the account compromised?
      • Is it known to be associated with threat actors
      • common/random name
      • Names violate terms of service
      • Dormant account
      • Change of country IP
      • Social network growth patterns (number of friends etc)
      • Evidence of linguistic artifacts (multiple fingerprints, terms/idiosyncrasies)
      • Community vs. narrative vs. individuals

    Playbook 3: Report suspected bots.

      • Report ToS violations.

    In all playbooks the platform must force user verification, credential reset and enable MFA. Suspend the account if it cannot be verified.

    Playbook 1: Use sites like https://haveibeenpwned.com to detect compromised and at risk user accounts.

    Playbook 2: Monitor for unusual account usage (use of VPN, new geographic location, unusual usage hours, etc).

    Playbook 3: Detect sudden deviation in user sentiment such as suddenly dropping hashtags linked to extremist content.

    Playbook 4: Purchase "likes", "retweets" and other vehicles which identify a bot and/or hijacked account. Ban the account.

    Playbook 5: Detect hijacked account and spam their posts. "OP is a known disinformation bot. http://link.to.proof[.]com"

  • Metatechnique: M005 - removal

  • Resources needed: R003 - money

  • Belongs to tactic stage: TA03

Actors | Sectors
A004 activist | Civil Society
A031 social media platform administrator | Social Media Company

Counters these Tactics

Counters these Techniques
T0009 Create fake experts
T0007 Create fake Social Media Profiles / Pages / Groups
T0011 Hijack legitimate account

Seen in incidents

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW
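
A platform-side sketch of the account-usage signals named in the playbooks above (dormant account, change of country IP, unusual usage hours), added here as an example and not part of the AMITT project's own material. The event fields, thresholds and signal names are assumptions, and the login events are constructed sample data. An account that collects enough signals is queued for the verification, credential reset and MFA step the playbooks call for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (account, UTC timestamp, country of source IP).
EVENTS = [
    ("alice", "2021-01-04T09:12:00", "GB"),
    ("alice", "2021-01-05T10:03:00", "GB"),
    ("bob",   "2020-03-01T14:00:00", "US"),
    ("bob",   "2020-03-02T15:30:00", "US"),
    ("bob",   "2021-01-06T03:10:00", "RO"),   # dormant, new country, odd hour
    ("carol", "2021-01-05T20:00:00", "DE"),
    ("carol", "2021-01-06T21:15:00", "FR"),   # new country only (e.g. travel)
]

DORMANT_AFTER = timedelta(days=180)   # assumed dormancy threshold
HOUR_TOLERANCE = 3                    # assumed: hours away from every earlier login
REVIEW_AT = 2                         # assumed: signals needed to queue for verification


def hour_distance(a, b):
    """Distance between two hours of day (0-23) on a 24-hour clock."""
    return min(abs(a - b), 24 - abs(a - b))


def flag_accounts(events):
    """Return {account: [signals]} based on each account's latest login."""
    history = defaultdict(list)
    for account, ts, country in sorted(events, key=lambda e: e[1]):
        history[account].append((datetime.fromisoformat(ts), country))

    flagged = {}
    for account, logins in history.items():
        *earlier, (when, country) = logins
        if not earlier:
            continue  # no baseline to compare against
        signals = []
        if when - earlier[-1][0] >= DORMANT_AFTER:
            signals.append("dormant_reactivation")
        if country not in {c for _, c in earlier}:
            signals.append("new_country")
        if all(hour_distance(when.hour, t.hour) > HOUR_TOLERANCE for t, _ in earlier):
            signals.append("unusual_hour")
        if len(signals) >= REVIEW_AT:
            flagged[account] = signals
    return flagged


if __name__ == "__main__":
    print(flag_accounts(EVENTS))
```

Requiring two signals keeps a single country change, such as travel, from triggering a forced reset on its own.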