Social Media Campaigns as Part of a Threat Hunting Initiative
The process for creating a social media strategy from the ground up is fairly straightforward. The first thing anyone should do before starting is understood the basics of social media: what platforms your target population visits most, the basics of what each platform’s purpose is, and how threat actors use these for malicious purposes. You should also formulate a clear picture of the target or victims of any malicious activity. Defining the victim will also help in formulating the goals and objectives of the program. Once you understand the basics and have set your goals and objectives, the rest should come easily.
There are two key strategic approaches to consider: Basic monitoring (victim-focused); and, Advanced monitoring (threat-focused). These two strategies can provide good general direction on how to approach your social media monitoring program. Different threats, such as cyber espionage, cyber bullying, and cyber theft, will factor into how you shape your goals and objectives for the monitoring program.
In any monitoring program, there should be a clear chain of command for reporting information. The eyes and ears of the operation are the Social Media Monitors, who observe the media platforms and report any attacks or malicious action. Monitors should report to some form of management that can make decisions on actions and disseminate the information to other parties. If the information reported is malicious and meets predefined criteria, management should report it to a designated law enforcement liaison. The management team should also communicate regularly with the victim or target organizations or individuals.
Planning and Setup Phase
Setting a monitoring strategy is the most time consuming and intensive part of the process, and also the key to ensuring a smooth operation down the road. Good communication between management, the victim or target (or whomever you are going to monitor), and the social media monitors is important. When you receive the task of monitoring social media, make sure you have a good idea of what accounts you will be monitoring, what threats to look for, and how to handle each situation that you may come across. Being well prepared before starting will make the job much easier to carry out and yield productive results.
Basic Monitoring Strategy
The first step in setting up any monitoring strategy (regardless of how in-depth it will be) should be to establish parameters within which the social media monitors operate – accounts to watch, platforms to use, and what approaches to take with threat actors. Sometimes, a potential victim or target of a malicious campaign may be international and have language-specific accounts for each country, and sometimes your victims may be part of a protected community (such as children under 13 years old); all of these and other factors should be taken into consideration when designing the program. Clients may also use multiple platforms (Facebook, Twitter, Instagram, etc.) to cover a wider audience.
When identifying accounts to watch, you need to consider multinational accounts. Then with each of these entities, there are multiple platforms to watch (Facebook and Twitter being most common). So to manage the long list of accounts and platforms to monitor, approach it by platform rather than an organization to simplify the monitoring. Going platform by platform, you will be able to create an account on each and you should be able to follow and identify and observe the organizations in your feed – which are of the greatest interest, given your target victim and their monitoring goals and objectives.
Advanced Monitoring Strategy
For a more in-depth social media monitoring strategy, there are a few precautions to take on top of the Basic process. The general idea behind the in-depth (Advanced) strategy is identifying key threat actors (whether they are groups or specific people) and monitoring their social media presence on top of the client’s accounts. However, sophisticated threat actors may post fake links and are able to identify who is monitoring their accounts, so monitors should find tools that protect their identity and computer systems. Some basic protections to take while monitoring threat actors include a sandboxed browser, an Internet Protocol (IP) obscurer plug-in for your browser, and a client spoofer. These will help protect your identity and prevent any malicious attacks against your computer system.
When monitoring threat actors, you should utilize an anonymous account with a name not connected to yourself in any way. This adds another layer of protection to prevent threat actors from identifying you. This anonymous account is also useful for some collection activities described later. To create an anonymous profile, use multiple random name generators and combine names. Only maintain one anonymous name to simplify it, but you can use more than one if you feel it’s necessary. With every social media platform, the one common factor in account creation is having an email, so that’s a good base for creating your anonymous profile. Any email provider will work for this.
The final part of setting up an advanced social media monitoring strategy involves establishing lines of communication for reporting any attacks or intelligence gathered, as well as a uniform document to report it. Establish reporting channels early on so that when/if you find something of interest, operational efficiencies is achievable when it comes time to report potential malicious activity.
The same goes for having a uniform reporting document: it keeps operations efficient and consistent. Table-1 provides a listing of some of the top social media sites used for monitoring programs.
The process we had for notification during one social media campaign was that a designated primary contact was alerted to our findings. This primary contact then labeled it “of concern” and requested that we fill out a formal report with all pieces of information found. Once the report was complete, it went back to a designated contact that checked it and sent it further along the chain to relevant parties. If it was deemed to have law enforcement relevance or be a matter of national security, the report was appropriately escalated.
Table 1: Top Social Media Sites
| Social Media Site | URL | Key Purpose |
| https://www.facebook.com/ | Online social media and networking service | |
| YouTube | https://www.youtube.com/ | Video-sharing website |
| https://twitter.com/ | Online news and social networking service where users read short messages | |
| https://www.linkedin.com/ | Business and employment-oriented social networking service | |
| https://www.pinterest.com/ | Content sharing service with standard social networking as well | |
| Google+ | https://plus.google.com/ | An online social media and networking service by Google |
| Tumblr | https://www.tumblr.com/ | Microblogging and social networking website |
| https://www.instagram.com/ | Online mobile photo-sharing, video-sharing, and social networking service | |
| https://www.reddit.com/ | Social news aggregator, web content rating, and discussion website | |
| VK | https://vk.com/ | Largest European online social networking service, based in Russia |
| Flickr | https://www.flickr.com/ | Image hosting and video hosting web services suite |
| Vine | https://vine.co/ | Short-form video hosting service, mobile app discontinuing, now uploading to twitter |
| Meetup | https://www.meetup.com/ | Social networking portal that facilitates offline group meetings |
| Ask.fm | http://ask.fm/ | Social networking site where users can send each other questions |
| ClassMates | http://www.classmates.com/ | Social networking site to connect classmates |
Monitoring Phase
Once procedures are set, parameters are established, and accounts are created, it’s time to go operational. There are still some minor operational procedures to establish, but those are subject to change as monitoring goes on. The key idea to keep in mind here is that procedures and parameters may require adjustments and changes as you learn more about the social media environment and what threats your victim or target may face.
The first piece to figure out as you monitor your accounts is when to check them and how often. This requires some intensive monitoring first, which will allow you to figure out how much activity occurs on which platforms and which accounts. This factor also depends on how often a client may want updates, or how risky the industry is. If it’s a riskier industry, you will want to check it a lot more often to stay on top of threats. This factor should remain consistent to ensure the social media monitor catches threats as quickly as possible. Another method for monitoring accounts is setting keywords or particular actions that generate an alert.
When reading through news feeds, do not only look for people threatening the victim or target, but also what the target or victim was doing. This helps social media monitors understand the context for why threats may emerge. It also allows them to be ready in case the victim or target is in a high-risk area. Along with using the victim’s posts for context, check major news sources and more cyber-oriented sites for articles on cyber-attacks to identify any common methods a threat actor uses. One instance of this was articles reporting an uptick in the use of ransomware against public services. This was targeting US services, but it was a common method, so you should watch for people using it against the organizations you are monitoring.
Depending on your monitoring objectives and other parameters, you may also identify new client accounts to watch, or news sites to follow that can assist in monitoring. Automate and aggregate feeds to the extent possible. It is perfectly acceptable to continually add accounts and sites to your monitoring list because they can provide useful information. One caution here is that too many accounts may become burdensome for one individual to monitor. In our duties, the parameters and organizations focused on were in a very unique position.
Before getting into a more Advanced monitoring strategy, it is highly recommend everyone start with a Basic strategy first to get a feel for the environment and identify any gaps or potential hotspots. Once the basic strategy is underway and further monitoring is required, then the social media monitor and management should discuss further parameters and procedures for adding threat actors to your monitoring. One goal for monitors is to identify who the threat actors are that could target your client. This can prove difficult as threat actors have tools available to them to disguise their identity.
One limitation in monitoring threat actors is objectives preventing you from engaging in conversation with them. If this is the case, lurking and observing will still yield results. Monitors can lurk in and observe in chat rooms and forums to still gain valuable information. If social media monitors were to engage with threat actors, that would then be defined as a human intelligence operation. This brings new procedures and possibly legal aspects of a social media monitor to consider.
Reporting & Feedback Phase
When discovering information from an attack, or identifying an imminent attack, reporting should happen as quickly as possible. Verify your information and determine the source reliability to make sure this information is legitimate. Once that’s determined, you will want to report it up a chain of command and incorporate any feedback you receive into your report.
Periodically update managers of anything you see while monitoring. Some information to periodically report on includes any hashtag/phrases (e.g. #AnonOps) of interest to your campaign, new threat actors that emerge on topical issues, and any major news stories relating to your objectives. This is a good practice to adopt because it helps the social media monitoring team maintain regular communications with the manager, and also gives them good background information on the social media environment. The monitor may find something to be only worth reporting in a periodic report, but the manager could see it as beneficial to the overall operation and target/victim. The manager could then request the social media monitor to pursue that information more and see what comes out of it.
One thing to stress with pursuing something for further information is that sometimes you may find nothing. Do not think there is some obligation to produce information on the request when you may not see anything. Feeling that obligation to find information may produce irrelevant results that could mislead social media monitors and managers; what are characterized as “false-positives.” Another point for social monitoring teams to remember is to welcome feedback. Feedback is the most helpful tool you can have and will improve your monitoring operation significantly over time.
Conclusion
So you think you are ready to go out and begin your social media monitoring operation? Just remember to develop your plan, which starts with setting goals and objectives, based on the potential targeting of your victim set. Also, develop a basic understanding of social media relevant to your threat actor and victim demographics prior to establishing procedures. Ask yourself: have all involved parties been identified? Further, establish your reporting chain-of-command and escalation criteria for reporting to law enforcement. Be ready for what can be an intense setup period, and be adaptable to changing environments. Finally, remember to design your program so that you take account of the safety of your monitoring team members. There are techniques and tools for protecting your computer system and your identity when engaging with potential threat actors through the Internet.