chg: [threat-actor-naming] first version based on initial analysis of the threat-actor cluster in the MISP galaxy
pull/36/head
Alexandre Dulaunoy 2020-06-12 10:51:00 +02:00
parent a40043c9cf
commit 1baa435697
GPG Key ID: 09E2CD4944E6CBCD
4 changed files with 76 additions and 45 deletions


@ -80,27 +80,36 @@ practices defined in this document.
## Uniqueness ## Uniqueness
When choosing a threat actor name, uniqueness is a critical property. The threat actor name **MUST** be unique and not existing in different contexts. When choosing a threat actor name, uniqueness is a critical property. The threat actor name **MUST** be unique and not existing in different contexts. The name **MUST** not be a word from a dictionary which can be used in other contexts.
## Format ## Format
The name of the threat actor **SHALL** be composed of a single word. If there is multiple part like a decimal value such as a counter, the values **MUST** be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.
## Encoding ## Encoding
The name of the threat actor **MUST** be expressed in ASCII 7-bit. Assigning a localized name to a threat actor **MAY** create a set of ambiguity about different localized version of the same threat actor. The name of the threat actor **MUST** be expressed in ASCII 7-bit. Assigning a localized name to a threat actor **MAY** create a set of ambiguity about different localized version of the same threat actor.
## Don't confuse actor naming with malware naming ## Don't confuse actor naming with malware naming
The name of the threat actor **MUST NOT** be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups. The name of the threat actor **MUST NOT** be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
## Directory ## Directory
# Examples # Examples
Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example : Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:
- APT-1 - APT-1
- TA-505 - TA-505
The below threat actor names can be considered as example to not follow:
- GIF89a (Word also used for the GIF header)
- ShadyRAT (Confusion between the name and the tool)
- Group 3 (Common name used for other use-cases)
- ZooPark (Name is used to describe something else)
# Security Considerations # Security Considerations
Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator
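Review bot: the new Uniqueness sentence writes the requirement keyword as "MUST not", but the draft cites RFC 2119, where the negative form is the single keyword "MUST NOT"; fix the casing here in the markdown source so it does not propagate into the generated txt/html/xml. The added Format paragraph also needs a grammar pass ("If there are multiple parts, such as a decimal counter, the parts MUST be separated with a dash") and mixes SHALL and MUST for the same level of requirement; RFC 2119 treats them as equivalent, but picking one keeps the rules easier to check. In the unchanged Encoding sentence, "MAY create a set of ambiguity" uses MAY as ordinary English rather than as a permission keyword; lower-casing it ("may introduce ambiguity") avoids stating a false requirement.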


@ -518,10 +518,11 @@
<h1 id="rfc.section.2.2"> <h1 id="rfc.section.2.2">
<a href="#rfc.section.2.2">2.2.</a> <a href="#uniqueness" id="uniqueness">Uniqueness</a> <a href="#rfc.section.2.2">2.2.</a> <a href="#uniqueness" id="uniqueness">Uniqueness</a>
</h1> </h1>
<p id="rfc.section.2.2.p.1">When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts.</p> <p id="rfc.section.2.2.p.1">When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts. The name MUST not be a word from a dictionary which can be used in other contexts.</p>
<h1 id="rfc.section.2.3"> <h1 id="rfc.section.2.3">
<a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a> <a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a>
</h1> </h1>
<p id="rfc.section.2.3.p.1">The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</p>
<h1 id="rfc.section.2.4"> <h1 id="rfc.section.2.4">
<a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a> <a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a>
</h1> </h1>
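Review bot: the ids in this hunk (rfc.section.2.2, rfc.section.2.2.p.1) mark the HTML as xml2rfc output, so the "MUST not" casing problem is inherited from the source, and the file should be regenerated once the markdown is fixed rather than edited by hand. Committing the regenerated html/txt alongside the source change is fine, but reviewers only need to check the .md diff for wording.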
@ -529,14 +530,14 @@
<h1 id="rfc.section.2.5"> <h1 id="rfc.section.2.5">
<a href="#rfc.section.2.5">2.5.</a> <a href="#don-t-confuse-actor-naming-with-malware-naming" id="don-t-confuse-actor-naming-with-malware-naming">Don't confuse actor naming with malware naming</a> <a href="#rfc.section.2.5">2.5.</a> <a href="#don-t-confuse-actor-naming-with-malware-naming" id="don-t-confuse-actor-naming-with-malware-naming">Don't confuse actor naming with malware naming</a>
</h1> </h1>
<p id="rfc.section.2.5.p.1">The name of the threat actor MUST NOT be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</p> <p id="rfc.section.2.5.p.1">The name of the threat actor MUST NOT be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</p>
<h1 id="rfc.section.2.6"> <h1 id="rfc.section.2.6">
<a href="#rfc.section.2.6">2.6.</a> <a href="#directory" id="directory">Directory</a> <a href="#rfc.section.2.6">2.6.</a> <a href="#directory" id="directory">Directory</a>
</h1> </h1>
<h1 id="rfc.section.3"> <h1 id="rfc.section.3">
<a href="#rfc.section.3">3.</a> <a href="#examples" id="examples">Examples</a> <a href="#rfc.section.3">3.</a> <a href="#examples" id="examples">Examples</a>
</h1> </h1>
<p id="rfc.section.3.p.1">Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example :</p> <p id="rfc.section.3.p.1">Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:</p>
<p></p> <p></p>
<ul> <ul>
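Review bot: the added word "patterns" in "tools, techniques or patterns" is ambiguous on its own (attack patterns, naming patterns, behavioural patterns?); since the point of the section is to keep actor names independent of TTP-derived names, consider "tools, techniques or attack patterns" or "tactics, techniques and procedures (TTPs)" so the rule can be applied unambiguously.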
@ -544,6 +545,17 @@
<li>TA-505</li> <li>TA-505</li>
</ul> </ul>
<p> </p>
<p id="rfc.section.3.p.3">The below threat actor names can be considered as example to not follow:</p>
<p></p>
<ul>
<li>GIF89a (Word also used for the GIF header)</li>
<li>ShadyRAT (Confusion between the name and the tool)</li>
<li>Group 3 (Common name used for other use-cases)</li>
<li>ZooPark (Name is used to describe something else)</li>
</ul>
<p> </p> <p> </p>
<h1 id="rfc.section.4"> <h1 id="rfc.section.4">
<a href="#rfc.section.4">4.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a> <a href="#rfc.section.4">4.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
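Review bot: the counter-example "Group 3" fails two of the document's own rules, not one: besides being a common name, it contains a space and so also violates the single-word, dash-separated Format rule of section 2.3; the parenthetical could say so, since the examples exist to illustrate the rules. The `<p> </p>` and `<p></p>` lines around both lists are empty paragraphs produced from the `<t>` elements that wrap each `<list>` in the XML; harmless, but they render as extra vertical space.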


@ -68,15 +68,15 @@ Table of Contents
2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3 2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3
2.5. Don't confuse actor naming with malware naming . . . . . 3 2.5. Don't confuse actor naming with malware naming . . . . . 3
2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 3 2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
7.1. Normative References . . . . . . . . . . . . . . . . . . 4 7.1. Normative References . . . . . . . . . . . . . . . . . . 4
7.2. Informative References . . . . . . . . . . . . . . . . . 4 7.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction 1. Introduction
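Review bot: the table of contents lists both "6. References" and "7. References", with 7.1 and 7.2 under the second; one of the two is a stray heading in the markdown source and should be removed so the numbering becomes 6. References / 6.1 / 6.2. The page-number shifts in this hunk are reflow from the new text and need no action.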
@ -140,10 +140,16 @@ Internet-Draft Recommendations on naming threat actors June 2020
When choosing a threat actor name, uniqueness is a critical property. When choosing a threat actor name, uniqueness is a critical property.
The threat actor name MUST be unique and not existing in different The threat actor name MUST be unique and not existing in different
contexts. contexts. The name MUST not be a word from a dictionary which can be
used in other contexts.
2.3. Format 2.3. Format
The name of the threat actor SHALL be composed of a single word. If
there is multiple part like a decimal value such as a counter, the
values MUST be separated with a dash. Single words are preferred to
ease search of keywords by analysts in public sources.
2.4. Encoding 2.4. Encoding
The name of the threat actor MUST be expressed in ASCII 7-bit. The name of the threat actor MUST be expressed in ASCII 7-bit.
@ -152,16 +158,10 @@ Internet-Draft Recommendations on naming threat actors June 2020
2.5. Don't confuse actor naming with malware naming 2.5. Don't confuse actor naming with malware naming
The name of the threat actor MUST NOT be assigned based on the tools The name of the threat actor MUST NOT be assigned based on the tools,
or techniques used by the threat actor. A notorious example in the techniques or patterns used by the threat actor. A notorious example
threat intelligence community is Turla which can name a threat actor in the threat intelligence community is Turla which can name a threat
but also a malware used by this group or other groups. actor but also a malware used by this group or other groups.
2.6. Directory
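Review bot: section 2.6 "Directory" appears in this hunk, and in every other format in the change, as a heading with no body text; if it is a placeholder for the naming directory the commit message alludes to (the threat-actor cluster in the MISP galaxy), add at least a one-sentence description or an explicit TODO so readers of the published draft do not take the empty section for a rendering error.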
@ -170,16 +170,29 @@ Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3]
Internet-Draft Recommendations on naming threat actors June 2020 Internet-Draft Recommendations on naming threat actors June 2020
2.6. Directory
3. Examples 3. Examples
Some known examples are included below and serve as reference for Some known examples are included below and serve as reference for
good practices in naming threat actors. The below threat actor names good practices in naming threat actors. The below threat actor names
can be considered good example : can be considered good example:
o APT-1 o APT-1
o TA-505 o TA-505
The below threat actor names can be considered as example to not
follow:
o GIF89a (Word also used for the GIF header)
o ShadyRAT (Confusion between the name and the tool)
o Group 3 (Common name used for other use-cases)
o ZooPark (Name is used to describe something else)
4. Security Considerations 4. Security Considerations
Naming a threat actor could include specific sensitive reference to a Naming a threat actor could include specific sensitive reference to a
@ -206,6 +219,13 @@ Internet-Draft Recommendations on naming threat actors June 2020
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
Internet-Draft Recommendations on naming threat actors June 2020
7.2. Informative References 7.2. Informative References
[MISP-P] Community, M., "MISP Project - Open Source Threat [MISP-P] Community, M., "MISP Project - Open Source Threat
@ -214,18 +234,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
Authors' Addresses Authors' Addresses
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
Internet-Draft Recommendations on naming threat actors June 2020
Alexandre Dulaunoy Alexandre Dulaunoy
Computer Incident Response Center Luxembourg Computer Incident Response Center Luxembourg
16, bd d'Avranches 16, bd d'Avranches
@ -256,14 +264,6 @@ Internet-Draft Recommendations on naming threat actors June 2020


@ -61,10 +61,11 @@ practices defined in this document.</t>
</section> </section>
<section anchor="uniqueness" title="Uniqueness"> <section anchor="uniqueness" title="Uniqueness">
<t>When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts.</t> <t>When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts. The name MUST not be a word from a dictionary which can be used in other contexts.</t>
</section> </section>
<section anchor="format" title="Format"> <section anchor="format" title="Format">
<t>The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</t>
</section> </section>
<section anchor="encoding" title="Encoding"> <section anchor="encoding" title="Encoding">
@ -72,7 +73,7 @@ practices defined in this document.</t>
</section> </section>
<section anchor="don-t-confuse-actor-naming-with-malware-naming" title="Don't confuse actor naming with malware naming"> <section anchor="don-t-confuse-actor-naming-with-malware-naming" title="Don't confuse actor naming with malware naming">
<t>The name of the threat actor MUST NOT be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</t> <t>The name of the threat actor MUST NOT be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</t>
</section> </section>
<section anchor="directory" title="Directory"> <section anchor="directory" title="Directory">
@ -80,13 +81,22 @@ practices defined in this document.</t>
</section> </section>
<section anchor="examples" title="Examples"> <section anchor="examples" title="Examples">
<t>Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example :</t> <t>Some known examples are included below and serve as reference for good practices in naming threat actors. The below threat actor names can be considered good example:</t>
<t> <t>
<list style="symbols"> <list style="symbols">
<t>APT-1</t> <t>APT-1</t>
<t>TA-505</t> <t>TA-505</t>
</list> </list>
</t> </t>
<t>The below threat actor names can be considered as example to not follow:</t>
<t>
<list style="symbols">
<t>GIF89a (Word also used for the GIF header)</t>
<t>ShadyRAT (Confusion between the name and the tool)</t>
<t>Group 3 (Common name used for other use-cases)</t>
<t>ZooPark (Name is used to describe something else)</t>
</list>
</t>
</section> </section>
<section anchor="security-considerations" title="Security Considerations"> <section anchor="security-considerations" title="Security Considerations">
@ -105,6 +115,7 @@ MUST review the name to ensure no sensitive information is included in the threa
<back> <back>
<references title="Normative References"> <references title="Normative References">
<?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
<reference anchor="MISP-G" target="https://github.com/MISP/misp-galaxy"> <reference anchor="MISP-G" target="https://github.com/MISP/misp-galaxy">
<front> <front>
<title>MISP Galaxy - Public repository </title> <title>MISP Galaxy - Public repository </title>
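Review bot: moving the RFC 2119 `<?rfc include?>` to the head of the Normative References block is right, since it is the only reference the MUST/SHALL language depends on, but MISP-G, a pointer to a GitHub repository, sits in the same Normative list; a repository URL is not a stable specification and belongs under Informative References next to MISP-P, unless the draft intends conformance to depend on the galaxy contents.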
@ -112,7 +123,6 @@ MUST review the name to ensure no sensitive information is included in the threa
<date></date> <date></date>
</front> </front>
</reference> </reference>
<?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
</references> </references>
<references title="Informative References"> <references title="Informative References">
<reference anchor="MISP-P" target="https://github.com/MISP"> <reference anchor="MISP-P" target="https://github.com/MISP">
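Review bot: the MISP-G reference carries an empty `<date></date>` element, so the rendered bibliography entry will show no date; either fill in the access or version date for the repository or drop the element.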