diff --git a/threat-actor-naming/raw.md b/threat-actor-naming/raw.md
index 30cfe1f..60414df 100755
--- a/threat-actor-naming/raw.md
+++ b/threat-actor-naming/raw.md
@@ -80,27 +80,36 @@ practices defined in this document.
## Uniqueness
-When choosing a threat actor name, uniqueness is a critical property. The threat actor name **MUST** be unique and not existing in different contexts.
+When choosing a threat actor name, uniqueness is a critical property. The threat actor name **MUST** be unique and not existing in different contexts. The name **MUST** not be a word from a dictionary which can be used in other contexts.
## Format
+The name of the threat actor **SHALL** be composed of a single word. If there is multiple part like a decimal value such as a counter, the values **MUST** be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.
+
## Encoding
The name of the threat actor **MUST** be expressed in ASCII 7-bit. Assigning a localized name to a threat actor **MAY** create a set of ambiguity about different localized version of the same threat actor.
## Don't confuse actor naming with malware naming
-The name of the threat actor **MUST NOT** be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
+The name of the threat actor **MUST NOT** be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
## Directory
# Examples
-Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example :
+Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:
- APT-1
- TA-505
+The below threat actor names can be considered as example to not follow:
+
+- GIF89a (Word also used for the GIF header)
+- ShadyRAT (Confusion between the name and the tool)
+- Group 3 (Common name used for other use-cases)
+- ZooPark (Name is used to describe something else)
+
# Security Considerations
Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator
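Review bot: In the sentence added to Uniqueness, "MUST not" is not an RFC 2119 keyword; write it as "**MUST NOT**", matching the requirement in the malware-naming section. The rule is also hard to check as written, because "a word from a dictionary" does not say which dictionary or language is meant. Consider phrasing it as a test an analyst can apply, for example that the name must not be a common word that returns unrelated results when searched.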
diff --git a/threat-actor-naming/threat-actor-naming.html b/threat-actor-naming/threat-actor-naming.html
index 5884944..f90b660 100644
--- a/threat-actor-naming/threat-actor-naming.html
+++ b/threat-actor-naming/threat-actor-naming.html
@@ -518,10 +518,11 @@
-When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts.
+When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts. The name MUST not be a word from a dictionary which can be used in other contexts.
+The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.
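Review bot: The new Format paragraph says the name SHALL be a single word and then allows multiple parts joined with a dash, so it is unclear whether a name like APT-1 is one word or two parts. Suggest stating the rule once, e.g. "The name SHALL be a single word, optionally followed by a dash and a decimal counter", and correcting "If there is multiple part" to "If there are multiple parts".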
@@ -529,14 +530,14 @@
-The name of the threat actor MUST NOT be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
+The name of the threat actor MUST NOT be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
-Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example :
+Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:
@@ -544,6 +545,17 @@
- TA-505
+
+The below threat actor names can be considered as example to not follow:
+
+
+
+- GIF89a (Word also used for the GIF header)
+- ShadyRAT (Confusion between the name and the tool)
+- Group 3 (Common name used for other use-cases)
+- ZooPark (Name is used to describe something else)
+
+
4. Security Considerations
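Review bot: The counter-example "Group 3" is explained only as a common name, but it also breaks the new Format rule, since its parts are separated by a space rather than a dash. Tying each counter-example to the section it violates (Uniqueness, Format, or the malware-naming rule) would let readers use the list as a checklist. The lead-in would also read better as "can be considered examples not to follow".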
diff --git a/threat-actor-naming/threat-actor-naming.txt b/threat-actor-naming/threat-actor-naming.txt
index efc214d..9ac20a4 100644
--- a/threat-actor-naming/threat-actor-naming.txt
+++ b/threat-actor-naming/threat-actor-naming.txt
@@ -68,15 +68,15 @@ Table of Contents
2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3
2.5. Don't confuse actor naming with malware naming . . . . . 3
- 2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
7.1. Normative References . . . . . . . . . . . . . . . . . . 4
- 7.2. Informative References . . . . . . . . . . . . . . . . . 4
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
+ 7.2. Informative References . . . . . . . . . . . . . . . . . 5
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
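Review bot: The table of contents in this hunk lists "References" twice, as section 6 and again as section 7, in the unchanged lines around the page-number updates. Since the outline is being refreshed here anyway, fix the duplicate heading so the draft has a single References section with its Normative and Informative subsections.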
@@ -140,10 +140,16 @@ Internet-Draft Recommendations on naming threat actors June 2020
When choosing a threat actor name, uniqueness is a critical property.
The threat actor name MUST be unique and not existing in different
- contexts.
+ contexts. The name MUST not be a word from a dictionary which can be
+ used in other contexts.
2.3. Format
+ The name of the threat actor SHALL be composed of a single word. If
+ there is multiple part like a decimal value such as a counter, the
+ values MUST be separated with a dash. Single words are preferred to
+ ease search of keywords by analysts in public sources.
+
2.4. Encoding
The name of the threat actor MUST be expressed in ASCII 7-bit.
@@ -152,16 +158,10 @@ Internet-Draft Recommendations on naming threat actors June 2020
2.5. Don't confuse actor naming with malware naming
- The name of the threat actor MUST NOT be assigned based on the tools
- or techniques used by the threat actor. A notorious example in the
- threat intelligence community is Turla which can name a threat actor
- but also a malware used by this group or other groups.
-
-2.6. Directory
-
-
-
-
+ The name of the threat actor MUST NOT be assigned based on the tools,
+ techniques or patterns used by the threat actor. A notorious example
+ in the threat intelligence community is Turla which can name a threat
+ actor but also a malware used by this group or other groups.
@@ -170,16 +170,29 @@ Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3]
Internet-Draft Recommendations on naming threat actors June 2020
+2.6. Directory
+
3. Examples
Some known examples are included below and serve as reference for
good practices in naming threat actors. The below threat actor names
- can be considered good example :
+ can be considered good example:
o APT-1
o TA-505
+ The below threat actor names can be considered as example to not
+ follow:
+
+ o GIF89a (Word also used for the GIF header)
+
+ o ShadyRAT (Confusion between the name and the tool)
+
+ o Group 3 (Common name used for other use-cases)
+
+ o ZooPark (Name is used to describe something else)
+
4. Security Considerations
Naming a threat actor could include specific sensitive reference to a
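Review bot: "2.6. Directory" is moved onto this page but still has no body; the heading is followed directly by "3. Examples". Either add the text describing the directory or drop the heading until there is content, so the draft does not ship an empty numbered section.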
@@ -206,6 +219,13 @@ Internet-Draft Recommendations on naming threat actors June 2020
DOI 10.17487/RFC2119, March 1997,
.
+
+
+Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
+
+Internet-Draft Recommendations on naming threat actors June 2020
+
+
7.2. Informative References
[MISP-P] Community, M., "MISP Project - Open Source Threat
@@ -214,18 +234,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
Authors' Addresses
-
-
-
-
-
-
-
-Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
-
-Internet-Draft Recommendations on naming threat actors June 2020
-
-
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
16, bd d'Avranches
@@ -256,14 +264,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
-
-
-
-
-
-
-
-
diff --git a/threat-actor-naming/threat-actor-naming.xml b/threat-actor-naming/threat-actor-naming.xml
index 3cf4722..6ffe22c 100644
--- a/threat-actor-naming/threat-actor-naming.xml
+++ b/threat-actor-naming/threat-actor-naming.xml
@@ -61,10 +61,11 @@ practices defined in this document.
-When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts.
+When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts. The name MUST not be a word from a dictionary which can be used in other contexts.
+The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.
@@ -72,7 +73,7 @@ practices defined in this document.
-The name of the threat actor MUST NOT be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
+The name of the threat actor MUST NOT be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
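Review bot: "patterns" is added to the things a name MUST NOT be based on, but the term is not defined and it is not clear how it differs from "techniques". Suggest saying what is meant or giving an example, as the paragraph already does with Turla for tools. The new counter-example ShadyRAT illustrates the same rule and could be referenced here.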
@@ -80,13 +81,22 @@ practices defined in this document.
-Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example :
+Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:
APT-1
TA-505
+The below threat actor names can be considered as example to not follow:
+
+
+GIF89a (Word also used for the GIF header)
+ShadyRAT (Confusion between the name and the tool)
+Group 3 (Common name used for other use-cases)
+ZooPark (Name is used to describe something else)
+
+
@@ -105,6 +115,7 @@ MUST review the name to ensure no sensitive information is included in the threa
+
MISP Galaxy - Public repository
@@ -112,7 +123,6 @@ MUST review the name to ensure no sensitive information is included in the threa
-