chg: [threat-actor-naming] Cookies feedback

pull/37/head
Alexandre Dulaunoy 2020-06-12 21:55:39 +02:00
parent ecce8cff1a
commit 70bed1a401
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
3 changed files with 43 additions and 40 deletions

View File

@ -499,6 +499,8 @@
<li>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</li> <li>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</li>
<li>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</li> <li>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</li>
<li>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</li> <li>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</li>
<li>Lack of time-based information about the threat actor name, such as date of naming</li>
<li>Lack of open "registry" of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The "registry" can contain the time-based information mentionned above.</li>
</ul> </ul>
<p> </p> <p> </p>
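Review bot: the new "registry" `<li>` carries the typo "mentionned" (should be "mentioned"); this HTML is rendered from the XML draft, so correct the spelling in the XML source and regenerate rather than editing the rendered file directly.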
@ -522,7 +524,7 @@
<h1 id="rfc.section.2.3"> <h1 id="rfc.section.2.3">
<a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a> <a href="#rfc.section.2.3">2.3.</a> <a href="#format" id="format">Format</a>
</h1> </h1>
<p id="rfc.section.2.3.p.1">The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</p> <p id="rfc.section.2.3.p.1">The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease the search of keywords by analysts in public sources.</p>
<h1 id="rfc.section.2.4"> <h1 id="rfc.section.2.4">
<a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a> <a href="#rfc.section.2.4">2.4.</a> <a href="#encoding" id="encoding">Encoding</a>
</h1> </h1>
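Review bot: "ease the search" is a fine fix, but the sentence just before it in the same paragraph still reads "If there is multiple part like a decimal value such as a counter" (number agreement, and "like ... such as" stacked); since this file is generated, the rewording belongs in the XML source, for example "If the name has multiple parts, such as a decimal counter, the parts MUST be separated with a dash."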

View File

@ -66,15 +66,15 @@ Table of Contents
2.1. Reusing threat actor naming . . . . . . . . . . . . . . . 3 2.1. Reusing threat actor naming . . . . . . . . . . . . . . . 3
2.2. Uniqueness . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Uniqueness . . . . . . . . . . . . . . . . . . . . . . . 3
2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.3. Format . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3 2.4. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 4
2.5. Don't confuse actor naming with malware naming . . . . . 3 2.5. Don't confuse actor naming with malware naming . . . . . 4
2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 4 2.6. Directory . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . 4 7.1. Normative References . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . 5 7.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
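Review bot: the table of contents lists both "6. References" and "7. References", and this hunk only moves their page numbers; the duplicated section should be removed in the XML source rather than re-paginated. The remaining page shifts (2.4 Encoding onward moving to pages 4 and 5) are consistent with the two bullets added in section 1.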
@ -103,8 +103,8 @@ Table of Contents
name the threat actor after a specific set of campaigns? or name the threat actor after a specific set of campaigns? or
specific set of targets?) specific set of targets?)
This document proposes a set of guidelines to name threat actors. o Lack of time-based information about the threat actor name, such
The goal is to reduce the above mentioned issues. as date of naming
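Review bot: moving the "This document proposes ..." paragraph below the new bullet is the right ordering, but the hunk now ends mid-list, so the rendered text should be checked against the next hunk to confirm both new bullets land before that paragraph; "above mentioned" in the moved paragraph would also read better as "above-mentioned".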
@ -114,6 +114,14 @@ Dulaunoy & Bourmeau Expires December 11, 2020 [Page 2]
Internet-Draft Recommendations on naming threat actors June 2020 Internet-Draft Recommendations on naming threat actors June 2020
o Lack of open "registry" of reference, accessible to all, where to
register a new threat actor name, or to access all already named
threat actors. The "registry" can contain the time-based
information mentionned above.
This document proposes a set of guidelines to name threat actors.
The goal is to reduce the above mentioned issues.
1.1. Conventions and Terminology 1.1. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
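Review bot: the added "registry" bullet repeats the "mentionned" typo from the XML source, so it will persist here until the XML is fixed and the text regenerated; the page-2 footer and header now fall inside the bullet list, which is expected for regenerated pagination and needs no change.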
@ -148,7 +156,19 @@ Internet-Draft Recommendations on naming threat actors June 2020
The name of the threat actor SHALL be composed of a single word. If The name of the threat actor SHALL be composed of a single word. If
there is multiple part like a decimal value such as a counter, the there is multiple part like a decimal value such as a counter, the
values MUST be separated with a dash. Single words are preferred to values MUST be separated with a dash. Single words are preferred to
ease search of keywords by analysts in public sources. ease the search of keywords by analysts in public sources.
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3]
Internet-Draft Recommendations on naming threat actors June 2020
2.4. Encoding 2.4. Encoding
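Review bot: "ease the search" matches the XML change, and the inserted page-3 footer / page-4 header pair is regenerated pagination; the context lines still carry "If there is multiple part like a decimal value such as a counter", which should be reworded in the XML source so this rendering picks it up.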
@ -163,13 +183,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
in the threat intelligence community is Turla which can name a threat in the threat intelligence community is Turla which can name a threat
actor but also a malware used by this group or other groups. actor but also a malware used by this group or other groups.
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 3]
Internet-Draft Recommendations on naming threat actors June 2020
2.6. Directory 2.6. Directory
3. Examples 3. Examples
@ -205,6 +218,14 @@ Internet-Draft Recommendations on naming threat actors June 2020
The authors wish to thank all contributors who provided feedback via The authors wish to thank all contributors who provided feedback via
Twitter. Twitter.
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
Internet-Draft Recommendations on naming threat actors June 2020
6. References 6. References
7. References 7. References
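Review bot: the context shows two consecutive headings "6. References" and "7. References" with no body between them; one is a leftover and should be deleted in the XML source (the table-of-contents hunk shows the same duplication).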
@ -219,13 +240,6 @@ Internet-Draft Recommendations on naming threat actors June 2020
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
Dulaunoy & Bourmeau Expires December 11, 2020 [Page 4]
Internet-Draft Recommendations on naming threat actors June 2020
7.2. Informative References 7.2. Informative References
[MISP-P] Community, M., "MISP Project - Open Source Threat [MISP-P] Community, M., "MISP Project - Open Source Threat
@ -257,20 +271,6 @@ Authors' Addresses

View File

@ -39,6 +39,8 @@ as a:</t>
<t>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</t> <t>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</t>
<t>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</t> <t>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</t>
<t>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</t> <t>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</t>
<t>Lack of time-based information about the threat actor name, such as date of naming</t>
<t>Lack of open &quot;registry&quot; of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The &quot;registry&quot; can contain the time-based information mentionned above.</t>
</list> </list>
</t> </t>
<t>This document proposes a set of guidelines to name threat actors. The goal is to reduce the above mentioned issues.</t> <t>This document proposes a set of guidelines to name threat actors. The goal is to reduce the above mentioned issues.</t>
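Review bot: "mentionned" in the new registry `<t>` should be "mentioned"; this XML is the source the HTML and text renderings are built from, so fixing it here clears the typo from all three files. The new registry item also ends with a full stop while the other list items in the context do not; pick one convention for the list.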
@ -56,8 +58,7 @@ document are to be interpreted as described in RFC 2119 <xref target="RFC2119"><
<section anchor="reusing-threat-actor-naming" title="Reusing threat actor naming"> <section anchor="reusing-threat-actor-naming" title="Reusing threat actor naming">
<t>Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor <t>Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor
MISP galaxy <xref target="MISP-G"></xref>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST MISP galaxy <xref target="MISP-G"></xref>. Proliferation of threat actor names is a significant challenge for the day-to-day analyst work. If your threat actor defined an existing threat actor, you MUST
reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best reuse an existing threat actor name. If there is no specific threat actor name, you SHALL create a new threat actor following the best practices defined in this document.</t>
practices defined in this document.</t>
</section> </section>
<section anchor="uniqueness" title="Uniqueness"> <section anchor="uniqueness" title="Uniqueness">
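Review bot: joining the wrapped line is whitespace-only and fine. While here, "If your threat actor defined an existing threat actor" is unclear; consider "If the threat actor you are describing matches an existing one". Also "you MUST consider a review" pairs an RFC 2119 MUST with the soft verb "consider", which blurs the requirement; either "you MUST review" or "you SHOULD review" states the intent plainly.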
@ -65,7 +66,7 @@ practices defined in this document.</t>
</section> </section>
<section anchor="format" title="Format"> <section anchor="format" title="Format">
<t>The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease search of keywords by analysts in public sources.</t> <t>The name of the threat actor SHALL be composed of a single word. If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash. Single words are preferred to ease the search of keywords by analysts in public sources.</t>
</section> </section>
<section anchor="encoding" title="Encoding"> <section anchor="encoding" title="Encoding">
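Review bot: "ease the search" is fine; the preceding sentence in the same `<t>`, "If there is multiple part like a decimal value such as a counter, the values MUST be separated with a dash", has a number-agreement error and would be clearer as "If the name has multiple parts, such as a decimal counter, the parts MUST be separated with a dash." Fixing it in this XML source will propagate to the rendered HTML and text on regeneration.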