chg: [threat-actor-naming] Cookies feedback

2020-06-12 21:55:39 +02:00 · 2020-06-12 21:55:39 +02:00 · 70bed1a401
parent ecce8cff1a
commit 70bed1a401
3 changed files with 43 additions and 40 deletions
--- a/threat-actor-naming/threat-actor-naming.html
+++ b/threat-actor-naming/threat-actor-naming.html
@ -499,6 +499,8 @@
 <li>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</li>
 <li>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</li>
 <li>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</li>
+<li>Lack of time-based information about the threat actor name, such as date of naming</li>
+<li>Lack of open "registry" of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The "registry" can contain the time-based information mentionned above.</li>
 </ul>

 <p> </p>
@ -522,7 +524,7 @@
 <h1 id="rfc.section.2.3">
 <a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a>
 </h1>
-<p id="rfc.section.2.3.p.1">The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</p>
+<p id="rfc.section.2.3.p.1">The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease the search of keywords by analysts in public sources.</p>
 <h1 id="rfc.section.2.4">
 <a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a>
 </h1>
--- a/threat-actor-naming/threat-actor-naming.txt
+++ b/threat-actor-naming/threat-actor-naming.txt
@ -66,15 +66,15 @@ Table of Contents
     2.1.  Reusing threat actor naming . . . . . . . . . . . . . . .   3
     2.2.  Uniqueness  . . . . . . . . . . . . . . . . . . . . . . .   3
     2.3.  Format  . . . . . . . . . . . . . . . . . . . . . . . . .   3
-     2.4.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . .   3
-     2.5.  Don't confuse actor naming with malware naming  . . . . .   3
+     2.4.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . .   4
+     2.5.  Don't confuse actor naming with malware naming  . . . . .   4
     2.6.  Directory . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   4
-   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
-   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
-     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
+   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
+   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
+     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

@ -103,8 +103,8 @@ Table of Contents
      name the threat actor after a specific set of campaigns? or
      specific set of targets?)

-   This document proposes a set of guidelines to name threat actors.
-   The goal is to reduce the above mentioned issues.
+   o  Lack of time-based information about the threat actor name, such
+      as date of naming



@ -114,6 +114,14 @@ Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 2]
 Internet-Draft   Recommendations on naming threat actors       June 2020


+   o  Lack of open "registry" of reference, accessible to all, where to
+      register a new threat actor name, or to access all already named
+      threat actors.  The "registry" can contain the time-based
+      information mentionned above.
+
+   This document proposes a set of guidelines to name threat actors.
+   The goal is to reduce the above mentioned issues.
+
 1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
@ -148,7 +156,19 @@ Internet-Draft   Recommendations on naming threat actors       June 2020
   The name of the threat actor SHALL be composed of a single word.  If
   there is multiple part like a decimal value such as a counter, the
   values MUST be separated with a dash.  Single words are preferred to
-   ease search of keywords by analysts in public sources.
+   ease the search of keywords by analysts in public sources.
+
+
+
+
+
+
+
+
+Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 3]
+
+Internet-Draft   Recommendations on naming threat actors       June 2020
+

 2.4.  Encoding

@ -163,13 +183,6 @@ Internet-Draft   Recommendations on naming threat actors       June 2020
   in the threat intelligence community is Turla which can name a threat
   actor but also a malware used by this group or other groups.

-
-
-Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 3]
-
-Internet-Draft   Recommendations on naming threat actors       June 2020
-
-
 2.6.  Directory

 3.  Examples
@ -205,6 +218,14 @@ Internet-Draft   Recommendations on naming threat actors       June 2020
   The authors wish to thank all contributors who provided feedback via
   Twitter.

+
+
+
+Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 4]
+
+Internet-Draft   Recommendations on naming threat actors       June 2020
+
+
 6.  References

 7.  References
@ -219,13 +240,6 @@ Internet-Draft   Recommendations on naming threat actors       June 2020
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

-
-
-Dulaunoy & Bourmeau     Expires December 11, 2020               [Page 4]
-
-Internet-Draft   Recommendations on naming threat actors       June 2020
-
-
 7.2.  Informative References

   [MISP-P]   Community, M., "MISP Project - Open Source Threat
@ -257,20 +271,6 @@ Authors' Addresses



-
-
-
-
-
-
-
-
-
-
-
-
-
-



--- a/threat-actor-naming/threat-actor-naming.xml
+++ b/threat-actor-naming/threat-actor-naming.xml
@ -39,6 +39,8 @@ as a:</t>
 <t>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</t>
 <t>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</t>
 <t>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</t>
+<t>Lack of time-based information about the threat actor name, such as date of naming</t>
+<t>Lack of open &quot;registry&quot; of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The &quot;registry&quot; can contain the time-based information mentionned above.</t>
 </list>
 </t>
 <t>This document proposes a set of guidelines to name threat actors. The goal is to reduce the above mentioned issues.</t>
@ -56,8 +58,7 @@ document are to be interpreted as described in RFC 2119 <xref target="RFC2119"><
 <section anchor="reusing-threat-actor-naming" title="Reusing threat actor naming">
 <t>Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor
 MISP galaxy <xref target="MISP-G"></xref>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST
-reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best
-practices defined in this document.</t>
+reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best practices defined in this document.</t>
 </section>

 <section anchor="uniqueness" title="Uniqueness">
@ -65,7 +66,7 @@ practices defined in this document.</t>
 </section>

 <section anchor="format" title="Format">
-<t>The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</t>
+<t>The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease the search of keywords by analysts in public sources.</t>
 </section>

 <section anchor="encoding" title="Encoding">