From 5133dbec55d8031a8465e9f3bc60c9b453563a97 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Wed, 10 Jun 2020 22:39:43 +0200
Subject: [PATCH] chg: [threat-actor-naming] WiP

---
 threat-actor-naming/raw.md                   |  12 ++-
 threat-actor-naming/threat-actor-naming.html |  92 +++++++++-------
 threat-actor-naming/threat-actor-naming.txt  | 106 ++++++++++++++-----
 threat-actor-naming/threat-actor-naming.xml  |   9 ++
 4 files changed, 154 insertions(+), 65 deletions(-)

diff --git a/threat-actor-naming/raw.md b/threat-actor-naming/raw.md
index 34d3699..e9a0903 100755
--- a/threat-actor-naming/raw.md
+++ b/threat-actor-naming/raw.md
@@ -55,17 +55,23 @@ The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL
 "**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this
 document are to be interpreted as described in RFC 2119 [@!RFC2119].
 
-# Reusing threat actor naming
+# Recommendations
+
+## Reusing threat actor naming
 
 Before creating a new threat actor name, you **MUST** consider a review of existing threat actor names from databases such as the threat actor
 MISP galaxy [@!MISP-G]. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you **MUST**
 reuse an existing threat actor name. If there is no specific threat actor name, you **SHALL** create a new threat actor following the best
 practices defined in this document.
 
-# Format
+## Don't confuse actor naming with malware naming
 
-# Encoding
+## Format
 
+## Encoding
+
+## Directory
+ 
 # Examples
 
 # Security Considerations
diff --git a/threat-actor-naming/threat-actor-naming.html b/threat-actor-naming/threat-actor-naming.html
index 51e749c..ca26c13 100644
--- a/threat-actor-naming/threat-actor-naming.html
+++ b/threat-actor-naming/threat-actor-naming.html
@@ -376,16 +376,19 @@
   <link href="#rfc.toc" rel="Contents">
 <link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
 <link href="#rfc.section.1.1" rel="Chapter" title="1.1 Conventions and Terminology">
-<link href="#rfc.section.2" rel="Chapter" title="2 Reusing threat actor naming">
-<link href="#rfc.section.3" rel="Chapter" title="3 Format">
-<link href="#rfc.section.4" rel="Chapter" title="4 Encoding">
-<link href="#rfc.section.5" rel="Chapter" title="5 Examples">
-<link href="#rfc.section.6" rel="Chapter" title="6 Security Considerations">
-<link href="#rfc.section.7" rel="Chapter" title="7 Acknowledgements">
-<link href="#rfc.section.8" rel="Chapter" title="8 References">
-<link href="#rfc.references" rel="Chapter" title="9 References">
-<link href="#rfc.references.1" rel="Chapter" title="9.1 Normative References">
-<link href="#rfc.references.2" rel="Chapter" title="9.2 Informative References">
+<link href="#rfc.section.2" rel="Chapter" title="2 Recommendations">
+<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Reusing threat actor naming">
+<link href="#rfc.section.2.2" rel="Chapter" title="2.2 Don't confuse actor naming with malware naming">
+<link href="#rfc.section.2.3" rel="Chapter" title="2.3 Format">
+<link href="#rfc.section.2.4" rel="Chapter" title="2.4 Encoding">
+<link href="#rfc.section.2.5" rel="Chapter" title="2.5 Directory">
+<link href="#rfc.section.3" rel="Chapter" title="3 Examples">
+<link href="#rfc.section.4" rel="Chapter" title="4 Security Considerations">
+<link href="#rfc.section.5" rel="Chapter" title="5 Acknowledgements">
+<link href="#rfc.section.6" rel="Chapter" title="6 References">
+<link href="#rfc.references" rel="Chapter" title="7 References">
+<link href="#rfc.references.1" rel="Chapter" title="7.1 Normative References">
+<link href="#rfc.references.2" rel="Chapter" title="7.2 Informative References">
 <link href="#rfc.authors" rel="Chapter">
 
 
@@ -449,25 +452,31 @@
 </li>
 <ul><li>1.1.   <a href="#rfc.section.1.1">Conventions and Terminology</a>
 </li>
-</ul><li>2.   <a href="#rfc.section.2">Reusing threat actor naming</a>
+</ul><li>2.   <a href="#rfc.section.2">Recommendations</a>
 </li>
-<li>3.   <a href="#rfc.section.3">Format</a>
+<ul><li>2.1.   <a href="#rfc.section.2.1">Reusing threat actor naming</a>
 </li>
-<li>4.   <a href="#rfc.section.4">Encoding</a>
+<li>2.2.   <a href="#rfc.section.2.2">Don't confuse actor naming with malware naming</a>
 </li>
-<li>5.   <a href="#rfc.section.5">Examples</a>
+<li>2.3.   <a href="#rfc.section.2.3">Format</a>
 </li>
-<li>6.   <a href="#rfc.section.6">Security Considerations</a>
+<li>2.4.   <a href="#rfc.section.2.4">Encoding</a>
 </li>
-<li>7.   <a href="#rfc.section.7">Acknowledgements</a>
+<li>2.5.   <a href="#rfc.section.2.5">Directory</a>
 </li>
-<li>8.   <a href="#rfc.section.8">References</a>
+</ul><li>3.   <a href="#rfc.section.3">Examples</a>
 </li>
-<li>9.   <a href="#rfc.references">References</a>
+<li>4.   <a href="#rfc.section.4">Security Considerations</a>
 </li>
-<ul><li>9.1.   <a href="#rfc.references.1">Normative References</a>
+<li>5.   <a href="#rfc.section.5">Acknowledgements</a>
 </li>
-<li>9.2.   <a href="#rfc.references.2">Informative References</a>
+<li>6.   <a href="#rfc.section.6">References</a>
+</li>
+<li>7.   <a href="#rfc.references">References</a>
+</li>
+<ul><li>7.1.   <a href="#rfc.references.1">Normative References</a>
+</li>
+<li>7.2.   <a href="#rfc.references.2">Informative References</a>
 </li>
 </ul><li><a href="#rfc.authors">Authors' Addresses</a>
 </li>
@@ -483,33 +492,42 @@
 </h1>
 <p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>.</p>
 <h1 id="rfc.section.2">
-<a href="#rfc.section.2">2.</a> <a href="#reusing-threat-actor-naming" id="reusing-threat-actor-naming">Reusing threat actor naming</a>
+<a href="#rfc.section.2">2.</a> <a href="#recommendations" id="recommendations">Recommendations</a>
+</h1>
+<h1 id="rfc.section.2.1">
+<a href="#rfc.section.2.1">2.1.</a> <a href="#reusing-threat-actor-naming" id="reusing-threat-actor-naming">Reusing threat actor naming</a>
+</h1>
+<p id="rfc.section.2.1.p.1">Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor MISP galaxy <a href="#MISP-G" class="xref">[MISP-G]</a>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best practices defined in this document.</p>
+<h1 id="rfc.section.2.2">
+<a href="#rfc.section.2.2">2.2.</a> <a href="#don-t-confuse-actor-naming-with-malware-naming" id="don-t-confuse-actor-naming-with-malware-naming">Don't confuse actor naming with malware naming</a>
+</h1>
+<h1 id="rfc.section.2.3">
+<a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a>
+</h1>
+<h1 id="rfc.section.2.4">
+<a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a>
+</h1>
+<h1 id="rfc.section.2.5">
+<a href="#rfc.section.2.5">2.5.</a> <a href="#directory" id="directory">Directory</a>
 </h1>
-<p id="rfc.section.2.p.1">Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor MISP galaxy <a href="#MISP-G" class="xref">[MISP-G]</a>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best practices defined in this document.</p>
 <h1 id="rfc.section.3">
-<a href="#rfc.section.3">3.</a> <a href="#format" id="format">Format</a>
+<a href="#rfc.section.3">3.</a> <a href="#examples" id="examples">Examples</a>
 </h1>
 <h1 id="rfc.section.4">
-<a href="#rfc.section.4">4.</a> <a href="#encoding" id="encoding">Encoding</a>
+<a href="#rfc.section.4">4.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
 </h1>
+<p id="rfc.section.4.p.1">Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator MUST review the name to ensure no sensitive information is included in the threat actor name.</p>
 <h1 id="rfc.section.5">
-<a href="#rfc.section.5">5.</a> <a href="#examples" id="examples">Examples</a>
+<a href="#rfc.section.5">5.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
 </h1>
+<p id="rfc.section.5.p.1">The authors wish to thank all contributors who provided feedback via Twitter.</p>
 <h1 id="rfc.section.6">
-<a href="#rfc.section.6">6.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
-</h1>
-<p id="rfc.section.6.p.1">Naming a threat actor could include specific sensitive reference to a case or an incident. Before releasing the naming, the creator MUST review the name to ensure no sensitive information is included in the threat actor name.</p>
-<h1 id="rfc.section.7">
-<a href="#rfc.section.7">7.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
-</h1>
-<p id="rfc.section.7.p.1">The authors wish to thank all contributors who provided feedback via Twitter.</p>
-<h1 id="rfc.section.8">
-<a href="#rfc.section.8">8.</a> <a href="#references" id="references">References</a>
+<a href="#rfc.section.6">6.</a> <a href="#references" id="references">References</a>
 </h1>
 <h1 id="rfc.references">
-<a href="#rfc.references">9.</a> References</h1>
+<a href="#rfc.references">7.</a> References</h1>
 <h1 id="rfc.references.1">
-<a href="#rfc.references.1">9.1.</a> Normative References</h1>
+<a href="#rfc.references.1">7.1.</a> Normative References</h1>
 <table><tbody>
 <tr>
 <td class="reference"><b id="MISP-G">[MISP-G]</b></td>
@@ -523,7 +541,7 @@
 </tr>
 </tbody></table>
 <h1 id="rfc.references.2">
-<a href="#rfc.references.2">9.2.</a> Informative References</h1>
+<a href="#rfc.references.2">7.2.</a> Informative References</h1>
 <table><tbody><tr>
 <td class="reference"><b id="MISP-P">[MISP-P]</b></td>
 <td class="top">
diff --git a/threat-actor-naming/threat-actor-naming.txt b/threat-actor-naming/threat-actor-naming.txt
index d3dc0ee..c8defbc 100644
--- a/threat-actor-naming/threat-actor-naming.txt
+++ b/threat-actor-naming/threat-actor-naming.txt
@@ -62,16 +62,19 @@ Table of Contents
 
    1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
      1.1.  Conventions and Terminology . . . . . . . . . . . . . . .   2
-   2.  Reusing threat actor naming . . . . . . . . . . . . . . . . .   2
-   3.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   2
-   4.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . . . .   2
-   5.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   2
-   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   2
-   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   3
-   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
-   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
-     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
-     9.2.  Informative References  . . . . . . . . . . . . . . . . .   3
+   2.  Recommendations . . . . . . . . . . . . . . . . . . . . . . .   2
+     2.1.  Reusing threat actor naming . . . . . . . . . . . . . . .   2
+     2.2.  Don't confuse actor naming with malware naming  . . . . .   2
+     2.3.  Format  . . . . . . . . . . . . . . . . . . . . . . . . .   2
+     2.4.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . .   3
+     2.5.  Directory . . . . . . . . . . . . . . . . . . . . . . . .   3
+   3.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
+   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
+   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   3
+   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
+   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
+     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
+     7.2.  Informative References  . . . . . . . . . . . . . . . . .   3
    Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   3
 
 1.  Introduction
@@ -82,7 +85,9 @@ Table of Contents
    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
    document are to be interpreted as described in RFC 2119 [RFC2119].
 
-2.  Reusing threat actor naming
+2.  Recommendations
+
+2.1.  Reusing threat actor naming
 
    Before creating a new threat actor name, you MUST consider a review
    of existing threat actor names from databases such as the threat
@@ -93,18 +98,13 @@ Table of Contents
    name, you SHALL create a new threat actor following the best
    practices defined in this document.
 
-3.  Format
+2.2.  Don't confuse actor naming with malware naming
+
+2.3.  Format
 
-4.  Encoding
 
-5.  Examples
 
-6.  Security Considerations
 
-   Naming a threat actor could include specific sensitive reference to a
-   case or an incident.  Before releasing the naming, the creator MUST
-   review the name to ensure no sensitive information is included in the
-   threat actor name.
 
 
 
@@ -114,16 +114,29 @@ Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 2]
 Internet-Draft   Recommendations on naming threat actors       June 2020
 
 
-7.  Acknowledgements
+2.4.  Encoding
+
+2.5.  Directory
+
+3.  Examples
+
+4.  Security Considerations
+
+   Naming a threat actor could include specific sensitive reference to a
+   case or an incident.  Before releasing the naming, the creator MUST
+   review the name to ensure no sensitive information is included in the
+   threat actor name.
+
+5.  Acknowledgements
 
    The authors wish to thank all contributors who provided feedback via
    Twitter.
 
-8.  References
+6.  References
 
-9.  References
+7.  References
 
-9.1.  Normative References
+7.1.  Normative References
 
    [MISP-G]   Community, M., "MISP Galaxy - Public repository",
               <https://github.com/MISP/misp-galaxy>.
@@ -133,7 +146,7 @@ Internet-Draft   Recommendations on naming threat actors       June 2020
               DOI 10.17487/RFC2119, March 1997,
               <https://www.rfc-editor.org/info/rfc2119>.
 
-9.2.  Informative References
+7.2.  Informative References
 
    [MISP-P]   Community, M., "MISP Project - Open Source Threat
               Intelligence Platform and Open Standards For Threat
@@ -151,6 +164,12 @@ Authors' Addresses
    Email: alexandre.dulaunoy@circl.lu
 
 
+
+Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 3]
+
+Internet-Draft   Recommendations on naming threat actors       June 2020
+
+
    Pauline Bourmeau
    Corexalys
    26 Rue de la Bienfaisance
@@ -165,4 +184,41 @@ Authors' Addresses
 
 
 
-Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 3]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 4]
diff --git a/threat-actor-naming/threat-actor-naming.xml b/threat-actor-naming/threat-actor-naming.xml
index 555e19b..220230d 100644
--- a/threat-actor-naming/threat-actor-naming.xml
+++ b/threat-actor-naming/threat-actor-naming.xml
@@ -38,6 +38,8 @@ document are to be interpreted as described in RFC 2119 <xref target="RFC2119"><
 </section>
 </section>
 
+<section anchor="recommendations" title="Recommendations">
+
 <section anchor="reusing-threat-actor-naming" title="Reusing threat actor naming">
 <t>Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor
 MISP galaxy <xref target="MISP-G"></xref>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST
@@ -45,12 +47,19 @@ reuse an existing threat actor name. If there is no specific threat actor name,
 practices defined in this document.</t>
 </section>
 
+<section anchor="don-t-confuse-actor-naming-with-malware-naming" title="Don't confuse actor naming with malware naming">
+</section>
+
 <section anchor="format" title="Format">
 </section>
 
 <section anchor="encoding" title="Encoding">
 </section>
 
+<section anchor="directory" title="Directory">
+</section>
+</section>
+
 <section anchor="examples" title="Examples">
 </section>