chg: [threat-actor-naming] WiP

2 years ago · 5133dbec55
parent 2eab004862
commit 5133dbec55
4 changed files with 154 additions and 65 deletions
--- a/threat-actor-naming/raw.md
+++ b/threat-actor-naming/raw.md
@ -55,17 +55,23 @@ The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL
 "**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this
 document are to be interpreted as described in RFC 2119 [@!RFC2119].

-# Reusing threat actor naming
+# Recommendations
+
+## Reusing threat actor naming

 Before creating a new threat actor name, you **MUST** consider a review of existing threat actor names from databases such as the threat actor
 MISP galaxy [@!MISP-G]. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you **MUST**
 reuse an existing threat actor name. If there is no specific threat actor name, you **SHALL** create a new threat actor following the best
 practices defined in this document.

-# Format
+## Don't confuse actor naming with malware naming
+
+## Format

-# Encoding
+## Encoding

+## Directory
+ 
 # Examples

 # Security Considerations
--- a/threat-actor-naming/threat-actor-naming.html
+++ b/threat-actor-naming/threat-actor-naming.html
@ -376,16 +376,19 @@
  <link href="#rfc.toc" rel="Contents">
 <link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
 <link href="#rfc.section.1.1" rel="Chapter" title="1.1 Conventions and Terminology">
-<link href="#rfc.section.2" rel="Chapter" title="2 Reusing threat actor naming">
-<link href="#rfc.section.3" rel="Chapter" title="3 Format">
-<link href="#rfc.section.4" rel="Chapter" title="4 Encoding">
-<link href="#rfc.section.5" rel="Chapter" title="5 Examples">
-<link href="#rfc.section.6" rel="Chapter" title="6 Security Considerations">
-<link href="#rfc.section.7" rel="Chapter" title="7 Acknowledgements">
-<link href="#rfc.section.8" rel="Chapter" title="8 References">
-<link href="#rfc.references" rel="Chapter" title="9 References">
-<link href="#rfc.references.1" rel="Chapter" title="9.1 Normative References">
-<link href="#rfc.references.2" rel="Chapter" title="9.2 Informative References">
+<link href="#rfc.section.2" rel="Chapter" title="2 Recommendations">
+<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Reusing threat actor naming">
+<link href="#rfc.section.2.2" rel="Chapter" title="2.2 Don't confuse actor naming with malware naming">
+<link href="#rfc.section.2.3" rel="Chapter" title="2.3 Format">
+<link href="#rfc.section.2.4" rel="Chapter" title="2.4 Encoding">
+<link href="#rfc.section.2.5" rel="Chapter" title="2.5 Directory">
+<link href="#rfc.section.3" rel="Chapter" title="3 Examples">
+<link href="#rfc.section.4" rel="Chapter" title="4 Security Considerations">
+<link href="#rfc.section.5" rel="Chapter" title="5 Acknowledgements">
+<link href="#rfc.section.6" rel="Chapter" title="6 References">
+<link href="#rfc.references" rel="Chapter" title="7 References">
+<link href="#rfc.references.1" rel="Chapter" title="7.1 Normative References">
+<link href="#rfc.references.2" rel="Chapter" title="7.2 Informative References">
 <link href="#rfc.authors" rel="Chapter">


@ -449,25 +452,31 @@
 </li>
 <ul><li>1.1.   <a href="#rfc.section.1.1">Conventions and Terminology</a>
 </li>
-</ul><li>2.   <a href="#rfc.section.2">Reusing threat actor naming</a>
+</ul><li>2.   <a href="#rfc.section.2">Recommendations</a>
 </li>
-<li>3.   <a href="#rfc.section.3">Format</a>
+<ul><li>2.1.   <a href="#rfc.section.2.1">Reusing threat actor naming</a>
 </li>
-<li>4.   <a href="#rfc.section.4">Encoding</a>
+<li>2.2.   <a href="#rfc.section.2.2">Don't confuse actor naming with malware naming</a>
 </li>
-<li>5.   <a href="#rfc.section.5">Examples</a>
+<li>2.3.   <a href="#rfc.section.2.3">Format</a>
 </li>
-<li>6.   <a href="#rfc.section.6">Security Considerations</a>
+<li>2.4.   <a href="#rfc.section.2.4">Encoding</a>
 </li>
-<li>7.   <a href="#rfc.section.7">Acknowledgements</a>
+<li>2.5.   <a href="#rfc.section.2.5">Directory</a>
 </li>
-<li>8.   <a href="#rfc.section.8">References</a>
+</ul><li>3.   <a href="#rfc.section.3">Examples</a>
 </li>
-<li>9.   <a href="#rfc.references">References</a>
+<li>4.   <a href="#rfc.section.4">Security Considerations</a>
 </li>
-<ul><li>9.1.   <a href="#rfc.references.1">Normative References</a>
+<li>5.   <a href="#rfc.section.5">Acknowledgements</a>
 </li>
-<li>9.2.   <a href="#rfc.references.2">Informative References</a>
+<li>6.   <a href="#rfc.section.6">References</a>
+</li>
+<li>7.   <a href="#rfc.references">References</a>
+</li>
+<ul><li>7.1.   <a href="#rfc.references.1">Normative References</a>
+</li>
+<li>7.2.   <a href="#rfc.references.2">Informative References</a>
 </li>
 </ul><li><a href="#rfc.authors">Authors' Addresses</a>
 </li>
@ -483,33 +492,42 @@
 </h1>
 <p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>.</p>
 <h1 id="rfc.section.2">
-<a href="#rfc.section.2">2.</a> <a href="#reusing-threat-actor-naming" id="reusing-threat-actor-naming">Reusing threat actor naming</a>
+<a href="#rfc.section.2">2.</a> <a href="#recommendations" id="recommendations">Recommendations</a>
+</h1>
+<h1 id="rfc.section.2.1">
+<a href="#rfc.section.2.1">2.1.</a> <a href="#reusing-threat-actor-naming" id="reusing-threat-actor-naming">Reusing threat actor naming</a>
+</h1>
+<p id="rfc.section.2.1.p.1">Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor MISP galaxy <a href="#MISP-G" class="xref">[MISP-G]</a>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best practices defined in this document.</p>
+<h1 id="rfc.section.2.2">
+<a href="#rfc.section.2.2">2.2.</a> <a href="#don-t-confuse-actor-naming-with-malware-naming" id="don-t-confuse-actor-naming-with-malware-naming">Don't confuse actor naming with malware naming</a>
+</h1>
+<h1 id="rfc.section.2.3">
+<a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a>
+</h1>
+<h1 id="rfc.section.2.4">
+<a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a>
+</h1>
+<h1 id="rfc.section.2.5">
+<a href="#rfc.section.2.5">2.5.</a> <a href="#directory" id="directory">Directory</a>
 </h1>
-<p id="rfc.section.2.p.1">Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor MISP galaxy <a href="#MISP-G" class="xref">[MISP-G]</a>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best practices defined in this document.</p>
 <h1 id="rfc.section.3">
-<a href="#rfc.section.3">3.</a> <a href="#format" id="format">Format</a>
+<a href="#rfc.section.3">3.</a> <a href="#examples" id="examples">Examples</a>
 </h1>
 <h1 id="rfc.section.4">
-<a href="#rfc.section.4">4.</a> <a href="#encoding" id="encoding">Encoding</a>
+<a href="#rfc.section.4">4.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
 </h1>
+<p id="rfc.section.4.p.1">Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator MUST review the name to ensure no sensitive information is included in the threat actor name.</p>
 <h1 id="rfc.section.5">
-<a href="#rfc.section.5">5.</a> <a href="#examples" id="examples">Examples</a>
+<a href="#rfc.section.5">5.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
 </h1>
+<p id="rfc.section.5.p.1">The authors wish to thank all contributors who provided feedback via Twitter.</p>
 <h1 id="rfc.section.6">
-<a href="#rfc.section.6">6.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
-</h1>
-<p id="rfc.section.6.p.1">Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator MUST review the name to ensure no sensitive information is included in the threat actor name.</p>
-<h1 id="rfc.section.7">
-<a href="#rfc.section.7">7.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
-</h1>
-<p id="rfc.section.7.p.1">The authors wish to thank all contributors who provided feedback via Twitter.</p>
-<h1 id="rfc.section.8">
-<a href="#rfc.section.8">8.</a> <a href="#references" id="references">References</a>
+<a href="#rfc.section.6">6.</a> <a href="#references" id="references">References</a>
 </h1>
 <h1 id="rfc.references">
-<a href="#rfc.references">9.</a> References</h1>
+<a href="#rfc.references">7.</a> References</h1>
 <h1 id="rfc.references.1">
-<a href="#rfc.references.1">9.1.</a> Normative References</h1>
+<a href="#rfc.references.1">7.1.</a> Normative References</h1>
 <table><tbody>
 <tr>
 <td class="reference"><b id="MISP-G">[MISP-G]</b></td>
@ -523,7 +541,7 @@
 </tr>
 </tbody></table>
 <h1 id="rfc.references.2">
-<a href="#rfc.references.2">9.2.</a> Informative References</h1>
+<a href="#rfc.references.2">7.2.</a> Informative References</h1>
 <table><tbody><tr>
 <td class="reference"><b id="MISP-P">[MISP-P]</b></td>
 <td class="top">
--- a/threat-actor-naming/threat-actor-naming.txt
+++ b/threat-actor-naming/threat-actor-naming.txt
@ -62,16 +62,19 @@ Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Conventions and Terminology . . . . . . . . . . . . . . .   2
-   2.  Reusing threat actor naming . . . . . . . . . . . . . . . . .   2
-   3.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   2
-   4.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . . . .   2
-   5.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   2
-   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   2
-   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   3
-   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
-   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
-     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
-     9.2.  Informative References  . . . . . . . . . . . . . . . . .   3
+   2.  Recommendations . . . . . . . . . . . . . . . . . . . . . . .   2
+     2.1.  Reusing threat actor naming . . . . . . . . . . . . . . .   2
+     2.2.  Don't confuse actor naming with malware naming  . . . . .   2
+     2.3.  Format  . . . . . . . . . . . . . . . . . . . . . . . . .   2
+     2.4.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . .   3
+     2.5.  Directory . . . . . . . . . . . . . . . . . . . . . . . .   3
+   3.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
+   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
+   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   3
+   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
+   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
+     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
+     7.2.  Informative References  . . . . . . . . . . . . . . . . .   3
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   3

 1.  Introduction
@ -82,7 +85,9 @@ Table of Contents
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

-2.  Reusing threat actor naming
+2.  Recommendations
+
+2.1.  Reusing threat actor naming

   Before creating a new threat actor name, you MUST consider a review
   of existing threat actor names from databases such as the threat
@ -93,18 +98,13 @@ Table of Contents
   name, you SHALL create a new threat actor following the best
   practices defined in this document.

-3.  Format
+2.2.  Don't confuse actor naming with malware naming
+
+2.3.  Format

-4.  Encoding

-5.  Examples

-6.  Security Considerations

-   Naming a threat actor could include specific sensitive reference to a
-   case or an incident.  Before releasing the naming, the creator MUST
-   review the name to ensure no sensitive information is included in the
-   threat actor name.



@ -114,16 +114,29 @@ Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 2]
 Internet-Draft   Recommendations on naming threat actors       June 2020


-7.  Acknowledgements
+2.4.  Encoding
+
+2.5.  Directory
+
+3.  Examples
+
+4.  Security Considerations
+
+   Naming a threat actor could include specific sensitive reference to a
+   case or an incident.  Before releasing the naming, the creator MUST
+   review the name to ensure no sensitive information is included in the
+   threat actor name.
+
+5.  Acknowledgements

   The authors wish to thank all contributors who provided feedback via
   Twitter.

-8.  References
+6.  References

-9.  References
+7.  References

-9.1.  Normative References
+7.1.  Normative References

   [MISP-G]   Community, M., "MISP Galaxy - Public repository",
              <https://github.com/MISP/misp-galaxy>.
@ -133,7 +146,7 @@ Internet-Draft   Recommendations on naming threat actors       June 2020
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

-9.2.  Informative References
+7.2.  Informative References

   [MISP-P]   Community, M., "MISP Project - Open Source Threat
              Intelligence Platform and Open Standards For Threat
@ -151,6 +164,12 @@ Authors' Addresses
   Email: alexandre.dulaunoy@circl.lu


+
+Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 3]
+
+Internet-Draft   Recommendations on naming threat actors       June 2020
+
+
   Pauline Bourmeau
   Corexalys
   26 Rue de la Bienfaisance
@ -165,4 +184,41 @@ Authors' Addresses



-Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 3]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 4]
--- a/threat-actor-naming/threat-actor-naming.xml
+++ b/threat-actor-naming/threat-actor-naming.xml
@ -38,6 +38,8 @@ document are to be interpreted as described in RFC 2119 <xref target="RFC2119"><
 </section>
 </section>

+<section anchor="recommendations" title="Recommendations">
+
 <section anchor="reusing-threat-actor-naming" title="Reusing threat actor naming">
 <t>Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor
 MISP galaxy <xref target="MISP-G"></xref>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST
@ -45,12 +47,19 @@ reuse an existing threat actor name. If there is no specific threat actor name,
 practices defined in this document.</t>
 </section>

+<section anchor="don-t-confuse-actor-naming-with-malware-naming" title="Don't confuse actor naming with malware naming">
+</section>
+
 <section anchor="format" title="Format">
 </section>

 <section anchor="encoding" title="Encoding">
 </section>

+<section anchor="directory" title="Directory">
+</section>
+</section>
+
 <section anchor="examples" title="Examples">
 </section>