mirror of https://github.com/MISP/misp-rfc
chg: [threat-actor-naming] first version based on initial analysis of
the threat-actor cluster in the MISP galaxypull/36/head
parent
a40043c9cf
commit
1baa435697
|
@ -80,17 +80,19 @@ practices defined in this document.
|
|||
|
||||
## Uniqueness
|
||||
|
||||
When choosing a threat actor name, uniqueness is a critical property. The threat actor name **MUST** be unique and not existing in different contexts.
|
||||
When choosing a threat actor name, uniqueness is a critical property. The threat actor name **MUST** be unique and not existing in different contexts. The name **MUST** not be a word from a dictionary which can be used in other contexts.
|
||||
|
||||
## Format
|
||||
|
||||
The name of the threat actor **SHALL** be composed of a single word. If there is multiple part like a decimal value such as a counter, the values **MUST** be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.
|
||||
|
||||
## Encoding
|
||||
|
||||
The name of the threat actor **MUST** be expressed in ASCII 7-bit. Assigning a localized name to a threat actor **MAY** create a set of ambiguity about different localized version of the same threat actor.
|
||||
|
||||
## Don't confuse actor naming with malware naming
|
||||
|
||||
The name of the threat actor **MUST NOT** be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
|
||||
The name of the threat actor **MUST NOT** be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.
|
||||
|
||||
## Directory
|
||||
|
||||
|
@ -101,6 +103,13 @@ Some known examples are included below and serve as reference for good practices
|
|||
- APT-1
|
||||
- TA-505
|
||||
|
||||
The below threat actor names can be considered as example to not follow:
|
||||
|
||||
- GIF89a (Word also used for the GIF header)
|
||||
- ShadyRAT (Confusion between the name and the tool)
|
||||
- Group 3 (Common name used for other use-cases)
|
||||
- ZooPark (Name is used to describe something else)
|
||||
|
||||
# Security Considerations
|
||||
|
||||
Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator
|
||||
|
|
|
@ -518,10 +518,11 @@
|
|||
<h1 id="rfc.section.2.2">
|
||||
<a href="#rfc.section.2.2">2.2.</a> <a href="#uniqueness" id="uniqueness">Uniqueness</a>
|
||||
</h1>
|
||||
<p id="rfc.section.2.2.p.1">When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts.</p>
|
||||
<p id="rfc.section.2.2.p.1">When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts. The name MUST not be a word from a dictionary which can be used in other contexts.</p>
|
||||
<h1 id="rfc.section.2.3">
|
||||
<a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a>
|
||||
</h1>
|
||||
<p id="rfc.section.2.3.p.1">The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</p>
|
||||
<h1 id="rfc.section.2.4">
|
||||
<a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a>
|
||||
</h1>
|
||||
|
@ -529,7 +530,7 @@
|
|||
<h1 id="rfc.section.2.5">
|
||||
<a href="#rfc.section.2.5">2.5.</a> <a href="#don-t-confuse-actor-naming-with-malware-naming" id="don-t-confuse-actor-naming-with-malware-naming">Don't confuse actor naming with malware naming</a>
|
||||
</h1>
|
||||
<p id="rfc.section.2.5.p.1">The name of the threat actor MUST NOT be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</p>
|
||||
<p id="rfc.section.2.5.p.1">The name of the threat actor MUST NOT be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</p>
|
||||
<h1 id="rfc.section.2.6">
|
||||
<a href="#rfc.section.2.6">2.6.</a> <a href="#directory" id="directory">Directory</a>
|
||||
</h1>
|
||||
|
@ -544,6 +545,17 @@
|
|||
<li>TA-505</li>
|
||||
</ul>
|
||||
|
||||
<p> </p>
|
||||
<p id="rfc.section.3.p.3">The below threat actor names can be considered as example to not follow:</p>
|
||||
<p></p>
|
||||
|
||||
<ul>
|
||||
<li>GIF89a (Word also used for the GIF header)</li>
|
||||
<li>ShadyRAT (Confusion between the name and the tool)</li>
|
||||
<li>Group 3 (Common name used for other use-cases)</li>
|
||||
<li>ZooPark (Name is used to describe something else)</li>
|
||||
</ul>
|
||||
|
||||
<p> </p>
|
||||
<h1 id="rfc.section.4">
|
||||
<a href="#rfc.section.4">4.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
|
||||
|
|
|
@ -68,15 +68,15 @@ Table of Contents
|
|||
2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
2.5. Don't confuse actor naming with malware naming . . . . . 3
|
||||
2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
|
||||
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
7.1. Normative References . . . . . . . . . . . . . . . . . . 4
|
||||
7.2. Informative References . . . . . . . . . . . . . . . . . 4
|
||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
7.2. Informative References . . . . . . . . . . . . . . . . . 5
|
||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
|
||||
|
||||
1. Introduction
|
||||
|
||||
|
@ -140,10 +140,16 @@ Internet-Draft Recommendations on naming threat actors June 2020
|
|||
|
||||
When choosing a threat actor name, uniqueness is a critical property.
|
||||
The threat actor name MUST be unique and not existing in different
|
||||
contexts.
|
||||
contexts. The name MUST not be a word from a dictionary which can be
|
||||
used in other contexts.
|
||||
|
||||
2.3. Format
|
||||
|
||||
The name of the threat actor SHALL be composed of a single word. If
|
||||
there is multiple part like a decimal value such as a counter, the
|
||||
values MUST be separated with a dash. Single words are preferred to
|
||||
ease search of keywords by analysts in public sources.
|
||||
|
||||
2.4. Encoding
|
||||
|
||||
The name of the threat actor MUST be expressed in ASCII 7-bit.
|
||||
|
@ -152,16 +158,10 @@ Internet-Draft Recommendations on naming threat actors June 2020
|
|||
|
||||
2.5. Don't confuse actor naming with malware naming
|
||||
|
||||
The name of the threat actor MUST NOT be assigned based on the tools
|
||||
or techniques used by the threat actor. A notorious example in the
|
||||
threat intelligence community is Turla which can name a threat actor
|
||||
but also a malware used by this group or other groups.
|
||||
|
||||
2.6. Directory
|
||||
|
||||
|
||||
|
||||
|
||||
The name of the threat actor MUST NOT be assigned based on the tools,
|
||||
techniques or patterns used by the threat actor. A notorious example
|
||||
in the threat intelligence community is Turla which can name a threat
|
||||
actor but also a malware used by this group or other groups.
|
||||
|
||||
|
||||
|
||||
|
@ -170,6 +170,8 @@ Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3]
|
|||
Internet-Draft Recommendations on naming threat actors June 2020
|
||||
|
||||
|
||||
2.6. Directory
|
||||
|
||||
3. Examples
|
||||
|
||||
Some known examples are included below and serve as reference for
|
||||
|
@ -180,6 +182,17 @@ Internet-Draft Recommendations on naming threat actors June 2020
|
|||
|
||||
o TA-505
|
||||
|
||||
The below threat actor names can be considered as example to not
|
||||
follow:
|
||||
|
||||
o GIF89a (Word also used for the GIF header)
|
||||
|
||||
o ShadyRAT (Confusion between the name and the tool)
|
||||
|
||||
o Group 3 (Common name used for other use-cases)
|
||||
|
||||
o ZooPark (Name is used to describe something else)
|
||||
|
||||
4. Security Considerations
|
||||
|
||||
Naming a threat actor could include specific sensitive reference to a
|
||||
|
@ -206,6 +219,13 @@ Internet-Draft Recommendations on naming threat actors June 2020
|
|||
DOI 10.17487/RFC2119, March 1997,
|
||||
<https://www.rfc-editor.org/info/rfc2119>.
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
|
||||
|
||||
Internet-Draft Recommendations on naming threat actors June 2020
|
||||
|
||||
|
||||
7.2. Informative References
|
||||
|
||||
[MISP-P] Community, M., "MISP Project - Open Source Threat
|
||||
|
@ -214,18 +234,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
|
|||
|
||||
Authors' Addresses
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
|
||||
|
||||
Internet-Draft Recommendations on naming threat actors June 2020
|
||||
|
||||
|
||||
Alexandre Dulaunoy
|
||||
Computer Incident Response Center Luxembourg
|
||||
16, bd d'Avranches
|
||||
|
@ -256,14 +264,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -61,10 +61,11 @@ practices defined in this document.</t>
|
|||
</section>
|
||||
|
||||
<section anchor="uniqueness" title="Uniqueness">
|
||||
<t>When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts.</t>
|
||||
<t>When choosing a threat actor name, uniqueness is a critical property. The threat actor name MUST be unique and not existing in different contexts. The name MUST not be a word from a dictionary which can be used in other contexts.</t>
|
||||
</section>
|
||||
|
||||
<section anchor="format" title="Format">
|
||||
<t>The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</t>
|
||||
</section>
|
||||
|
||||
<section anchor="encoding" title="Encoding">
|
||||
|
@ -72,7 +73,7 @@ practices defined in this document.</t>
|
|||
</section>
|
||||
|
||||
<section anchor="don-t-confuse-actor-naming-with-malware-naming" title="Don't confuse actor naming with malware naming">
|
||||
<t>The name of the threat actor MUST NOT be assigned based on the tools or techniques used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</t>
|
||||
<t>The name of the threat actor MUST NOT be assigned based on the tools, techniques or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups.</t>
|
||||
</section>
|
||||
|
||||
<section anchor="directory" title="Directory">
|
||||
|
@ -87,6 +88,15 @@ practices defined in this document.</t>
|
|||
<t>TA-505</t>
|
||||
</list>
|
||||
</t>
|
||||
<t>The below threat actor names can be considered as example to not follow:</t>
|
||||
<t>
|
||||
<list style="symbols">
|
||||
<t>GIF89a (Word also used for the GIF header)</t>
|
||||
<t>ShadyRAT (Confusion between the name and the tool)</t>
|
||||
<t>Group 3 (Common name used for other use-cases)</t>
|
||||
<t>ZooPark (Name is used to describe something else)</t>
|
||||
</list>
|
||||
</t>
|
||||
</section>
|
||||
|
||||
<section anchor="security-considerations" title="Security Considerations">
|
||||
|
@ -105,6 +115,7 @@ MUST review the name to ensure no sensitive information is included in the threa
|
|||
|
||||
<back>
|
||||
<references title="Normative References">
|
||||
<?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
|
||||
<reference anchor="MISP-G" target="https://github.com/MISP/misp-galaxy">
|
||||
<front>
|
||||
<title>MISP Galaxy - Public repository </title>
|
||||
|
@ -112,7 +123,6 @@ MUST review the name to ensure no sensitive information is included in the threa
|
|||
<date></date>
|
||||
</front>
|
||||
</reference>
|
||||
<?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
|
||||
</references>
|
||||
<references title="Informative References">
|
||||
<reference anchor="MISP-P" target="https://github.com/MISP">
|
||||
|
|
Loading…
Reference in New Issue