AMITT/counters/C00197.md
Sara-Jayne Terp 3768931b55 Updated the TA03 Strategic Planning counters
Team has been triaging counters using a github project. These are the changes to TA03:
- Merge C00150, C00179, C00162 into C00048
- C00046: change title
- Merge C00043, C00039 into C000197
- Merge C00050 into C00051, change title
- C00189: change title
- Delete C00035: friction
- Move C00045 to Detection F00093
TA03 now contains techniques [34, 36, 40, 42, 44, 46, 48, 51, 58, 155, 160, 189, 197]
2021-02-24 22:08:22 +00:00

Counter C00197: remove suspicious accounts

  • Summary: Standard reporting for false profiles (identity issues). Includes detecting hijacked accounts and reallocating them - if possible, back to original owners.

  • Playbooks:

    Playbook 1: Create a standard reporting format and method for social platforms for reporting false accounts.

    Playbook 2:
      • Is the account compromised?
      • Is it known to be associated with threat actors?
      • Common/random name
      • Names violate terms of service
      • Dormant account
      • Change of country IP
      • Social network growth patterns (number of friends etc.)
      • Evidence of linguistic artifacts (multiple fingerprints, terms/idiosyncrasies)
      • Community vs. narrative vs. individuals

    Playbook 3: Report suspected bots.
      • Report ToS violations.

    In all playbooks the platform must force user verification, credential reset and enable MFA. Suspend the account if it cannot be verified.

    Playbook 1: Use sites like https://haveibeenpwned.com to detect compromised and at-risk user accounts.

    Playbook 2: Monitor for unusual account usage (use of VPN, new geographic location, unusual usage hours, etc.).

    Playbook 3: Detect sudden deviation in user sentiment such as suddenly dropping hashtags linked to extremist content.

    Playbook 4: Purchase "likes", "retweets" and other vehicles which identify a bot and/or hijacked account. Ban the account.

    Playbook 5: Detect hijacked account and spam their posts. "OP is a known disinformation bot. http://link.to.proof[.]com"

  • Metatechnique: M005 - removal

  • Resources needed: R003 - money

  • Belongs to tactic stage: TA03

Counters these Tactics
Counters these Techniques
T0007 Create fake Social Media Profiles / Pages / Groups
T0011 Hijack legitimate account
Seen in incidents

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW
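
Added example (not part of the AMITT repository): a small Python triage pass over login events that applies three of the checks listed in the playbooks above, namely dormant account, change of country, and unusual usage (first VPN use, unusual hours). The event format, thresholds and signal names are assumptions made for this illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the AMITT page); tune per platform.
DORMANT_AFTER = timedelta(days=180)  # gap that counts as a dormant account
HOUR_SLACK = 3                       # drift tolerated around usual login hours
MIN_HISTORY = 2                      # prior logins needed before a baseline is trusted

# Constructed sample login events: (account, UTC timestamp, country, via_vpn)
SAMPLE_EVENTS = [
    ("alice", "2021-01-04T09:12:00", "GB", False),
    ("alice", "2021-01-05T10:03:00", "GB", False),
    ("alice", "2021-01-06T08:47:00", "GB", False),
    ("alice", "2021-01-07T03:15:00", "SG", True),   # new country, VPN, odd hour
    ("bob",   "2020-03-01T14:00:00", "US", False),
    ("bob",   "2020-03-02T15:30:00", "US", False),
    ("bob",   "2021-01-07T14:10:00", "US", False),  # returns after ~10 months
    ("carol", "2021-01-05T18:00:00", "DE", False),
    ("carol", "2021-01-06T19:20:00", "DE", False),
]

def hour_gap(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)

def triage(events):
    """Return {account: sorted signal names} for accounts needing forced verification."""
    seen = defaultdict(lambda: {"countries": set(), "hours": [], "vpn": False, "last": None})
    flagged = defaultdict(set)
    for account, stamp, country, via_vpn in sorted(events, key=lambda e: e[1]):
        ts = datetime.fromisoformat(stamp)
        h = seen[account]
        if h["last"] and ts - h["last"] > DORMANT_AFTER:
            flagged[account].add("dormant_reactivation")
        if len(h["hours"]) >= MIN_HISTORY:  # only judge against an established baseline
            if country not in h["countries"]:
                flagged[account].add("new_country")
            if min(hour_gap(ts.hour, x) for x in h["hours"]) > HOUR_SLACK:
                flagged[account].add("unusual_hour")
            if via_vpn and not h["vpn"]:
                flagged[account].add("vpn_first_use")
        h["countries"].add(country)
        h["hours"].append(ts.hour)
        h["vpn"] = h["vpn"] or via_vpn
        h["last"] = ts
    return {acct: sorted(sigs) for acct, sigs in flagged.items()}

if __name__ == "__main__":
    for acct, sigs in triage(SAMPLE_EVENTS).items():
        # Response from the counter text: verify, reset credentials, enable MFA.
        print(f"{acct}: {', '.join(sigs)} -> force verification, credential reset, MFA")
```

Accounts returned by `triage` are candidates for the forced verification step; a flagged account that cannot be verified is suspended, as the counter describes.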