Date: 2021-02-15

A threatening social media post targeting an executive, employee, brand or other asset often has merit, and it is imperative to investigate the online accounts associated with the threat actor as part of the risk assessment. By mapping the social media accounts managed by the threat actor, you can create a more complete profile of the user and better assess the risk posed. Mapping can also reveal the user’s real identity if they have attempted to remain anonymous.

We recently published a blog post that focused on the importance of determining the location of a social media user, and the same goes for assessing a user’s behavior online through the content posted on their social media accounts. Past activities, interactions, and anonymous accounts can all help determine the level of risk and can provide security teams with valuable information about whether or not to pursue mitigation measures.

As with any OSINT investigation, it’s important to ask yourself the right questions. A good place to start is “Why?” This allows you to explore the motivations of the threat actor, which is valuable context for threat assessment. Questions may include:

Is there any evidence that they claim to have been harmed by the asset, which may have prompted the posted threat?

Was this post the only mention of this asset, or does their post history contain other mentions?

How familiar are they with this asset?

Is it in their nature to post threatening content directed at other targets, or is this post an outlier among harmless ones?

Does their post history present evidence of extreme opinions?

Do they engage with other users who post similar content in support of the target user’s ideologies?

Consider the example below of a user posting a threatening statement against the CEO of a large company, John Doe (edited and redacted).

Analyzing the post history of the threat actor’s known account on the known platform is a good start in determining risk levels. Sometimes this will provide all the information needed to accurately assess the risks. In this case, it does not. It does, however, suggest that the user may have extreme opinions.

Although this information is not conclusive in itself, it shows that further investigation is warranted. The next step is to identify and analyze other social media accounts managed by the same actor. This can provide additional results that support a risk assessment with a high degree of confidence.

Finding additional social accounts can vary in difficulty. If the threat actor doesn’t provide links to their other profiles in their About sections or articles, careful attention to detail is needed to find the needles in the haystack.

One method of finding their accounts on other platforms is to run specific keyword searches across their posts. For example, if you are trying to find an account the user holds on a different platform, a good place to start is to simply search for the name of the secondary platform (and its common variations) in the original profile. This can produce false positives, but it can also surface the user’s secondary profile if they have linked it. At the very least, it will indicate whether they may own an account on the platform.
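The keyword search described above can be run over an already-collected export of the known profile's posts. The following is an added example, not code from the original article; the alias table, URL patterns and sample posts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed alias table for this example; extend it per case.
PLATFORM_ALIASES = {
    "twitter": ["twitter", "tweet", "twtr"],
    "instagram": ["instagram", "insta", "ig"],
    "reddit": ["reddit", "subreddit"],
}
# A profile URL is a stronger lead than a bare mention of the platform name.
PROFILE_URL = {
    "twitter": re.compile(r"twitter\.com/([A-Za-z0-9_]{1,15})\b", re.I),
    "instagram": re.compile(r"instagram\.com/([A-Za-z0-9_.]{1,30})", re.I),
    "reddit": re.compile(r"reddit\.com/u(?:ser)?/([A-Za-z0-9_-]{3,20})", re.I),
}

def find_platform_leads(posts):
    """Return {platform: [(post_id, kind, value)]}; kind is 'link' or 'mention'."""
    leads = defaultdict(list)
    for post_id, text in posts:
        for platform, aliases in PLATFORM_ALIASES.items():
            handles = PROFILE_URL[platform].findall(text)
            if handles:
                leads[platform] += [(post_id, "link", h) for h in handles]
                continue
            # Whole-word match so that "ig" does not fire on "Big" or "rig".
            pattern = r"\b(?:" + "|".join(map(re.escape, aliases)) + r")\b"
            hit = re.search(pattern, text, re.I)
            if hit:
                leads[platform].append((post_id, "mention", hit.group(0).lower()))
    return dict(leads)

# Constructed sample posts (not real data).
SAMPLE_POSTS = [
    (1, "Follow my other account: https://twitter.com/example_acct"),
    (2, "Deleted my insta today, done with that place."),
    (3, "Big day at the rig, back to work tomorrow."),
    (4, "Saw this on a subreddit and had to share."),
]

if __name__ == "__main__":
    for platform, hits in find_platform_leads(SAMPLE_POSTS).items():
        print(platform, hits)
```

A "link" hit is a candidate secondary profile to review manually; a "mention" hit only indicates the user may hold an account on that platform.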

Some users may also share uploaded screenshots of posts from other platforms or forums, which may allow you to pivot your investigation to that network. This was the case in the example above. The user posted a screenshot of deleting an account on another platform. From here we know that:

They had a profile in the past, where evidence may still be present

They probably no longer use the platform

Examining unique usernames on other platforms is another useful method of mapping accounts belonging to the same threat actor. Cross-analyzing the posts and interactions with users on the newly discovered account can raise confidence that the accounts are managed by the same user. Alternatively, the reverse discovery can occur. The newly discovered account can prove that it is directly related to the initially known profile of the threat actor.

Below is a post from an anonymous Twitter user, liked by the threat actor’s known profile. If we can conclude that both profiles belong to the same person, the posting activity related to these accounts can provide valuable insight into the threat actor’s motivations.

Sometimes threat actors use an anonymous or burner account to target assets in parallel with operating their primary account. The possibility of these accounts being connected should be explored through mentions, following/follower lists, mutual connections, etc. Post history and linked account interactions should then be analyzed as part of your risk assessment.

In conclusion, investigating a threat actor’s account on social networks and discovering their other profiles can be decisive in determining the risk of a potential threat. Mapping the accounts managed by the actor can lead to findings and context that significantly change the risk assessment. Evidence collected can also contribute to mitigation efforts for high-risk threats that target specific individuals, brands and other assets.

