diff --git a/threat-actor-naming/threat-actor-naming.html b/threat-actor-naming/threat-actor-naming.html index f90b660..5f13e81 100644 --- a/threat-actor-naming/threat-actor-naming.html +++ b/threat-actor-naming/threat-actor-naming.html @@ -499,6 +499,8 @@
  • No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)
  • Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)
  • Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)
  • +
  • Lack of time-based information about the threat actor name, such as date of naming
  • +
  • Lack of open "registry" of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The "registry" can contain the time-based information mentionned above.
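Review bot: the new registry bullet carries the typo "mentionned" ("The "registry" can contain the time-based information mentionned above"); the identical text is added to the .txt and .xml copies in this same change, so correct it once in whichever file is the source and regenerate the others. The bullet itself would read more clearly as one sentence, e.g. "Lack of an open, publicly accessible registry where new threat actor names are registered and existing names can be looked up, including the date-of-naming information above."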
  • @@ -522,7 +524,7 @@

    2.3. Format

    -

    The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.

    +

    The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease the search of keywords by analysts in public sources.

    2.4. Encoding

    diff --git a/threat-actor-naming/threat-actor-naming.txt b/threat-actor-naming/threat-actor-naming.txt index 9ac20a4..679f0d9 100644 --- a/threat-actor-naming/threat-actor-naming.txt +++ b/threat-actor-naming/threat-actor-naming.txt @@ -66,15 +66,15 @@ Table of Contents 2.1. Reusing threat actor naming . . . . . . . . . . . . . . . 3 2.2. Uniqueness . . . . . . . . . . . . . . . . . . . . . . . 3 2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2.5. Don't confuse actor naming with malware naming . . . . . 3 + 2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2.5. Don't confuse actor naming with malware naming . . . . . 4 2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 - 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 7.1. Normative References . . . . . . . . . . . . . . . . . . 4 + 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 5 7.2. Informative References . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 @@ -103,8 +103,8 @@ Table of Contents name the threat actor after a specific set of campaigns? or specific set of targets?) - This document proposes a set of guidelines to name threat actors. - The goal is to reduce the above mentioned issues. + o Lack of time-based information about the threat actor name, such + as date of naming 
@@ -114,6 +114,14 @@ Dulaunoy & Bourmeau Expires December 11, 2020 [Page 2] Internet-Draft Recommendations on naming threat actors June 2020 + o Lack of open "registry" of reference, accessible to all, where to + register a new threat actor name, or to access all already named + threat actors. The "registry" can contain the time-based + information mentionned above. + + This document proposes a set of guidelines to name threat actors. + The goal is to reduce the above mentioned issues. + 1.1. Conventions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", @@ -148,7 +156,19 @@ Internet-Draft Recommendations on naming threat actors June 2020 The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to - ease search of keywords by analysts in public sources. + ease the search of keywords by analysts in public sources. + + + + + + + + +Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3] + +Internet-Draft Recommendations on naming threat actors June 2020 + 2.4. Encoding @@ -163,13 +183,6 @@ Internet-Draft Recommendations on naming threat actors June 2020 in the threat intelligence community is Turla which can name a threat actor but also a malware used by this group or other groups. - - -Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3] - -Internet-Draft Recommendations on naming threat actors June 2020 - - 2.6. Directory 3. Examples @@ -205,6 +218,14 @@ Internet-Draft Recommendations on naming threat actors June 2020 The authors wish to thank all contributors who provided feedback via Twitter. + + + +Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4] + +Internet-Draft Recommendations on naming threat actors June 2020 + + 6. References 7. References 
@@ -219,13 +240,6 @@ Internet-Draft Recommendations on naming threat actors June 2020 DOI 10.17487/RFC2119, March 1997, . - - -Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4] - -Internet-Draft Recommendations on naming threat actors June 2020 - - 7.2. Informative References [MISP-P] Community, M., "MISP Project - Open Source Threat @@ -257,20 +271,6 @@ Authors' Addresses - - - - - - - - - - - - - - diff --git a/threat-actor-naming/threat-actor-naming.xml b/threat-actor-naming/threat-actor-naming.xml index 6ffe22c..1e4a967 100644 --- a/threat-actor-naming/threat-actor-naming.xml +++ b/threat-actor-naming/threat-actor-naming.xml @@ -39,6 +39,8 @@ as a: No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?) Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used) Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?) +Lack of time-based information about the threat actor name, such as date of naming +Lack of open "registry" of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The "registry" can contain the time-based information mentionned above. This document proposes a set of guidelines to name threat actors. The goal is to reduce the above mentioned issues. @@ -56,8 +58,7 @@ document are to be interpreted as described in RFC 2119 <
    Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor MISP galaxy . Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST -reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best -practices defined in this document. +reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best practices defined in this document.
    @@ -65,7 +66,7 @@ practices defined in this document.
    -The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources. +The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease the search of keywords by analysts in public sources.
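Review bot: in the table-of-contents hunk (@@ -66,15 +66,15 @@) both "6. References" and "7. References" are listed as separate sections on page 5, and the body hunk (@@ -205,6 +218,14 @@) shows the two headings "6. References" and "7. References" directly after one another with nothing between them. The duplicate empty heading predates this change, but the renumbering touches exactly these lines, so drop the empty "6. References" entry and renumber the following sections here. The remaining .txt hunks only move the "Expires December 11, 2020 [Page N]" banners and strip trailing blank lines, which is consistent with a regenerated build and needs no further change.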
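Review bot: the reflow of the reuse paragraph in the .xml (@@ -56,8 +58,7 @@) only joins lines, but the sentence it contains still reads "If your threat actor defined an existing threat actor, you MUST reuse an existing threat actor name", which leaves "defined" undefined; suggest "If your threat actor matches an existing threat actor, you MUST reuse its name", and "you SHALL create a new threat actor" should be "a new threat actor name". Also "you MUST consider a review of existing threat actor names" pairs a MUST keyword with a non-binding verb; either "MUST review existing threat actor names" or drop the keyword so the requirement is testable.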