diff --git a/threat-actor-naming/threat-actor-naming.html b/threat-actor-naming/threat-actor-naming.html
index f90b660..5f13e81 100644
--- a/threat-actor-naming/threat-actor-naming.html
+++ b/threat-actor-naming/threat-actor-naming.html
@@ -499,6 +499,8 @@
No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)
Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)
Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)
+Lack of time-based information about the threat actor name, such as date of naming
+Lack of open "registry" of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The "registry" can contain the time-based information mentionned above.
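Review bot: the two added problem statements have no visible counterpart among the guidelines. The table of contents regenerated in threat-actor-naming.txt in this same patch still lists only 2.1 to 2.6, and none of those titles covers the date of naming. If 2.6 Directory is meant to be the "registry", say so there and list which time-based fields an entry carries (date of naming is the only one named here); otherwise state that the draft leaves both points open.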
@@ -522,7 +524,7 @@
-The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.
+The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease the search of keywords by analysts in public sources.
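Review bot: the sentence touched here still leaves the format underspecified. It requires "a single word" and in the next clause allows several parts joined by a dash, and it is silent on case, although the problem list above asks "Is the threat actor name case sensitive?". Since the line is being edited anyway, consider stating whether names are compared case-insensitively and whether a dash-joined counter counts as part of the single word.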
diff --git a/threat-actor-naming/threat-actor-naming.txt b/threat-actor-naming/threat-actor-naming.txt
index 9ac20a4..679f0d9 100644
--- a/threat-actor-naming/threat-actor-naming.txt
+++ b/threat-actor-naming/threat-actor-naming.txt
@@ -66,15 +66,15 @@ Table of Contents
2.1. Reusing threat actor naming . . . . . . . . . . . . . . . 3
2.2. Uniqueness . . . . . . . . . . . . . . . . . . . . . . . 3
2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2.5. Don't confuse actor naming with malware naming . . . . . 3
+ 2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.5. Don't confuse actor naming with malware naming . . . . . 4
2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
- 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 7.1. Normative References . . . . . . . . . . . . . . . . . . 4
+ 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 7.1. Normative References . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
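Review bot: both "6. References" and "7. References" survive in the regenerated table of contents, and this hunk only renumbers their pages. The duplicate heading presumably comes from the XML source rather than from the renderer; remove one of the two there so that "Normative References" is not numbered 7.1 under a second References heading.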
@@ -103,8 +103,8 @@ Table of Contents
name the threat actor after a specific set of campaigns? or
specific set of targets?)
- This document proposes a set of guidelines to name threat actors.
- The goal is to reduce the above mentioned issues.
+ o Lack of time-based information about the threat actor name, such
+ as date of naming
@@ -114,6 +114,14 @@ Dulaunoy & Bourmeau Expires December 11, 2020 [Page 2]
Internet-Draft Recommendations on naming threat actors June 2020
+ o Lack of open "registry" of reference, accessible to all, where to
+ register a new threat actor name, or to access all already named
+ threat actors. The "registry" can contain the time-based
+ information mentionned above.
+
+ This document proposes a set of guidelines to name threat actors.
+ The goal is to reduce the above mentioned issues.
+
1.1. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
@@ -148,7 +156,19 @@ Internet-Draft Recommendations on naming threat actors June 2020
The name of the threat actor SHALL be composed of a single word. If
there is multiple part like a decimal value such as a counter, the
values MUST be separated with a dash. Single words are preferred to
- ease search of keywords by analysts in public sources.
+ ease the search of keywords by analysts in public sources.
+
+
+
+
+
+
+
+
+Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3]
+
+Internet-Draft Recommendations on naming threat actors June 2020
+
2.4. Encoding
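Review bot: apart from the one-word fix on the first changed line, this hunk is pagination churn: eight blank lines and the page 3 footer move in front of 2.4 Encoding because text added earlier in the file pushes the page break, and the later hunks shift the page 4 footer and drop trailing blank lines for the same reason. Consider committing the regenerated .txt and .html separately from the .xml change (or not tracking them), so that the textual change can be reviewed on its own.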
@@ -163,13 +183,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
in the threat intelligence community is Turla which can name a threat
actor but also a malware used by this group or other groups.
-
-
-Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3]
-
-Internet-Draft Recommendations on naming threat actors June 2020
-
-
2.6. Directory
3. Examples
@@ -205,6 +218,14 @@ Internet-Draft Recommendations on naming threat actors June 2020
The authors wish to thank all contributors who provided feedback via
Twitter.
+
+
+
+Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
+
+Internet-Draft Recommendations on naming threat actors June 2020
+
+
6. References
7. References
@@ -219,13 +240,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
DOI 10.17487/RFC2119, March 1997,
.
-
-
-Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
-
-Internet-Draft Recommendations on naming threat actors June 2020
-
-
7.2. Informative References
[MISP-P] Community, M., "MISP Project - Open Source Threat
@@ -257,20 +271,6 @@ Authors' Addresses
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/threat-actor-naming/threat-actor-naming.xml b/threat-actor-naming/threat-actor-naming.xml
index 6ffe22c..1e4a967 100644
--- a/threat-actor-naming/threat-actor-naming.xml
+++ b/threat-actor-naming/threat-actor-naming.xml
@@ -39,6 +39,8 @@ as a:
No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)
Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)
Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)
+Lack of time-based information about the threat actor name, such as date of naming
+Lack of open "registry" of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The "registry" can contain the time-based information mentionned above.
This document proposes a set of guidelines to name threat actors. The goal is to reduce the above mentioned issues.
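Review bot: "mentionned" on the second added line should be "mentioned", and the typo is carried into the generated .html and .txt in this same patch, so fix it here in the XML and regenerate. The opening of that line, "Lack of open "registry" of reference, accessible to all, where to register", would also read better as "Lack of an open reference registry, accessible to all, in which to register a new threat actor name or look up existing ones".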
@@ -56,8 +58,7 @@ document are to be interpreted as described in RFC 2119 <
Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor
MISP galaxy . Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST
-reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best
-practices defined in this document.
+reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best practices defined in this document.
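Review bot: two wording problems remain in the sentences this rewrap joins. "If your threat actor defined an existing threat actor" in the context line above does not parse (presumably "matches an existing threat actor" is meant), and "you SHALL create a new threat actor" should say "a new threat actor name", since the guideline is about naming. Both are worth fixing in this change rather than leaving it whitespace-only.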
@@ -65,7 +66,7 @@ practices defined in this document.
-The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.
+The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease the search of keywords by analysts in public sources.
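Review bot: "If there is multiple part like a decimal value such as a counter" on the changed line is still ungrammatical after this fix. Suggest "If the name has multiple parts, such as a decimal counter, the parts MUST be separated with a dash." in the same edit, then regenerate the .html and .txt from it.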