MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [threat-actor-naming] first version based on initial analysis of 

the threat-actor cluster in the MISP galaxy
pull/36/head
Alexandre Dulaunoy 2020-06-12 10:51:00 +02:00
parent a40043c9cf
commit 1baa435697
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
4 changed files with 76 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
threat-actor-naming/raw.md
View File

@ -80,27 +80,36 @@ practices defined in this document.
## Uniqueness
When choosing a threat actor name, uniqueness is a critical property. The threat actor name **MUST** be unique and not existing in different contexts.
When choosing a threat actor name, uniqueness is a critical property. The threat actor name **MUST** be unique and not existing in different contexts. The name **MUST** not be a word from a dictionary which can be used in other contexts.
## Format
The name of the threat actor **SHALL** be composed of a single word. If there is multiple part like a decimal value such as a counter, the values **MUST** be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.
## Encoding
The name of the threat actor **MUST** be expressed in ASCII 7-bit. Assigning a localized name to a threat actor **MAY** create a set of ambiguity about different localized version of the same threat actor.
## Don't confuse actor naming with malware naming
The name of the threat actor **MUST NOT** be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
The name of the threat actor **MUST NOT** be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
## Directory
# Examples
Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example :
Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:
- APT-1
- TA-505
The below threat actor names can be considered as example to not follow:
- GIF89a (Word also used for the GIF header)
- ShadyRAT (Confusion between the name and the tool)
- Group 3 (Common name used for other use-cases)
- ZooPark (Name is used to describe something else)
# Security Considerations
Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator

18
threat-actor-naming/threat-actor-naming.html
View File

@ -518,10 +518,11 @@
<h1 id="rfc.section.2.2">
<a href="#rfc.section.2.2">2.2.</a> <a href="#uniqueness" id="uniqueness">Uniqueness</a>
</h1>
<p id="rfc.section.2.2.p.1">When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts.</p>
<p id="rfc.section.2.2.p.1">When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts. The name MUST not be a word from a dictionary which can be used in other contexts.</p>
<h1 id="rfc.section.2.3">
<a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a>
</h1>
<p id="rfc.section.2.3.p.1">The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</p>
<h1 id="rfc.section.2.4">
<a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a>
</h1>
@ -529,14 +530,14 @@
<h1 id="rfc.section.2.5">
<a href="#rfc.section.2.5">2.5.</a> <a href="#don-t-confuse-actor-naming-with-malware-naming" id="don-t-confuse-actor-naming-with-malware-naming">Don't confuse actor naming with malware naming</a>
</h1>
<p id="rfc.section.2.5.p.1">The name of the threat actor MUST NOT be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</p>
<p id="rfc.section.2.5.p.1">The name of the threat actor MUST NOT be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</p>
<h1 id="rfc.section.2.6">
<a href="#rfc.section.2.6">2.6.</a> <a href="#directory" id="directory">Directory</a>
</h1>
<h1 id="rfc.section.3">
<a href="#rfc.section.3">3.</a> <a href="#examples" id="examples">Examples</a>
</h1>
<p id="rfc.section.3.p.1">Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example :</p>
<p id="rfc.section.3.p.1">Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:</p>
<p></p>
<ul>
@ -544,6 +545,17 @@
<li>TA-505</li>
</ul>
<p> </p>
<p id="rfc.section.3.p.3">The below threat actor names can be considered as example to not follow:</p>
<p></p>
<ul>
<li>GIF89a (Word also used for the GIF header)</li>
<li>ShadyRAT (Confusion between the name and the tool)</li>
<li>Group 3 (Common name used for other use-cases)</li>
<li>ZooPark (Name is used to describe something else)</li>
</ul>
<p> </p>
<h1 id="rfc.section.4">
<a href="#rfc.section.4">4.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>

70
threat-actor-naming/threat-actor-naming.txt
View File

@ -68,15 +68,15 @@ Table of Contents
2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3
2.5. Don't confuse actor naming with malware naming . . . . . 3
2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 3
2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
7.1. Normative References . . . . . . . . . . . . . . . . . . 4
7.2. Informative References . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
7.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
@ -140,10 +140,16 @@ Internet-Draft Recommendations on naming threat actors June 2020
When choosing a threat actor name, uniqueness is a critical property.
The threat actor name MUST be unique and not existing in different
contexts.
contexts. The name MUST not be a word from a dictionary which can be
used in other contexts.
2.3. Format
The name of the threat actor SHALL be composed of a single word. If
there is multiple part like a decimal value such as a counter, the
values MUST be separated with a dash. Single words are preferred to
ease search of keywords by analysts in public sources.
2.4. Encoding
The name of the threat actor MUST be expressed in ASCII 7-bit.
@ -152,16 +158,10 @@ Internet-Draft Recommendations on naming threat actors June 2020
2.5. Don't confuse actor naming with malware naming
The name of the threat actor MUST NOT be assigned based on the tools
or techniques used by the threat actor. A notorious example in the
threat intelligence community is Turla which can name a threat actor
but also a malware used by this group or other groups.
2.6. Directory
The name of the threat actor MUST NOT be assigned based on the tools,
techniques or patterns used by the threat actor. A notorious example
in the threat intelligence community is Turla which can name a threat
actor but also a malware used by this group or other groups.
@ -170,16 +170,29 @@ Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3]
Internet-Draft Recommendations on naming threat actors June 2020
2.6. Directory
3. Examples
Some known examples are included below and serve as reference for
good practices in naming threat actors. The below threat actor names
can be considered good example :
can be considered good example:
o APT-1
o TA-505
The below threat actor names can be considered as example to not
follow:
o GIF89a (Word also used for the GIF header)
o ShadyRAT (Confusion between the name and the tool)
o Group 3 (Common name used for other use-cases)
o ZooPark (Name is used to describe something else)
4. Security Considerations
Naming a threat actor could include specific sensitive reference to a
@ -206,6 +219,13 @@ Internet-Draft Recommendations on naming threat actors June 2020
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
Internet-Draft Recommendations on naming threat actors June 2020
7.2. Informative References
[MISP-P] Community, M., "MISP Project - Open Source Threat
@ -214,18 +234,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
Authors' Addresses
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
Internet-Draft Recommendations on naming threat actors June 2020
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
16, bd d'Avranches
@ -256,14 +264,6 @@ Internet-Draft Recommendations on naming threat actors June 2020

18
threat-actor-naming/threat-actor-naming.xml
View File

@ -61,10 +61,11 @@ practices defined in this document.</t>
</section>
<section anchor="uniqueness" title="Uniqueness">
<t>When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts.</t>
<t>When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts. The name MUST not be a word from a dictionary which can be used in other contexts.</t>
</section>
<section anchor="format" title="Format">
<t>The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</t>
</section>
<section anchor="encoding" title="Encoding">
@ -72,7 +73,7 @@ practices defined in this document.</t>
</section>
<section anchor="don-t-confuse-actor-naming-with-malware-naming" title="Don't confuse actor naming with malware naming">
<t>The name of the threat actor MUST NOT be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</t>
<t>The name of the threat actor MUST NOT be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</t>
</section>
<section anchor="directory" title="Directory">
@ -80,13 +81,22 @@ practices defined in this document.</t>
</section>
<section anchor="examples" title="Examples">
<t>Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example :</t>
<t>Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:</t>
<t>
<list style="symbols">
<t>APT-1</t>
<t>TA-505</t>
</list>
</t>
<t>The below threat actor names can be considered as example to not follow:</t>
<t>
<list style="symbols">
<t>GIF89a (Word also used for the GIF header)</t>
<t>ShadyRAT (Confusion between the name and the tool)</t>
<t>Group 3 (Common name used for other use-cases)</t>
<t>ZooPark (Name is used to describe something else)</t>
</list>
</t>
</section>
<section anchor="security-considerations" title="Security Considerations">
@ -105,6 +115,7 @@ MUST review the name to ensure no sensitive information is included in the threa
<back>
<references title="Normative References">
<?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
<reference anchor="MISP-G" target="https://github.com/MISP/misp-galaxy">
<front>
<title>MISP Galaxy - Public repository </title>
@ -112,7 +123,6 @@ MUST review the name to ensure no sensitive information is included in the threa
<date></date>
</front>
</reference>
<?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
</references>
<references title="Informative References">
<reference anchor="MISP-P" target="https://github.com/MISP">