chg: [threat-actor-naming] feedback merged + need to add reference to MISP galaxy format

pull/39/head
Alexandre Dulaunoy 2020-06-12 21:59:36 +02:00
parent 0f4c51aea8
commit 959dad2ee3
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
3 changed files with 9 additions and 9 deletions

View File

@ -499,8 +499,8 @@
<li>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</li> <li>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</li>
<li>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</li> <li>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</li>
<li>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</li> <li>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</li>
<li>Lack of time-based information about the threat actor name, such as date of naming</li> <li>Lack of time-based information about the threat actor name, such as date of naming or and UUID.</li>
<li>Lack of open "registry" of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The "registry" can contain the time-based information mentionned above.</li> <li>Lack of open mirrored "registry" of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The "registry" can contain the time-based information mentionned above, it is a tool.</li>
</ul> </ul>
<p> </p> <p> </p>
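
Review bot: On the changed time-based information item, "such as date of naming or and UUID." has a doubled conjunction ("or and") and is now the only one of the first four list items to end with a period. Suggest "such as date of naming or a UUID" (or "and a UUID", whichever is intended), without the trailing period so it matches the three items above it.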

View File

@ -104,7 +104,7 @@ Table of Contents
specific set of targets?) specific set of targets?)
o Lack of time-based information about the threat actor name, such o Lack of time-based information about the threat actor name, such
as date of naming as date of naming or and UUID.
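
Review bot: In the time-based information bullet, the added "or and UUID" puts an identifier under a heading about time. A UUID identifies which threat actor entry is meant, not when the name was given, so the bullet now describes two different gaps. Suggest a separate bullet for the lack of a unique identifier, leaving this one as "such as date of naming".
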
@ -114,10 +114,10 @@ Dulaunoy & Bourmeau Expires December 11, 2020 [Page 2]
Internet-Draft Recommendations on naming threat actors June 2020 Internet-Draft Recommendations on naming threat actors June 2020
o Lack of open "registry" of reference, accessible to all, where to o Lack of open mirrored "registry" of reference, accessible to all,
register a new threat actor name, or to access all already named where to register a new threat actor name, or to access all
threat actors. The "registry" can contain the time-based already named threat actors. The "registry" can contain the time-
information mentionned above. based information mentionned above, it is a tool.
This document proposes a set of guidelines to name threat actors. This document proposes a set of guidelines to name threat actors.
The goal is to reduce the above mentioned issues. The goal is to reduce the above mentioned issues.
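
Review bot: In the registry bullet, the added clause "above, it is a tool." is attached with a comma splice and does not say what "it" refers to or what the tool is for, and the added word "mirrored" is not explained anywhere in the visible text. Suggest making the clause its own sentence that names its subject, and adding a short phrase on what mirroring is expected to provide. "mentionned" on the same bullet could be corrected to "mentioned" while the line is being touched.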

View File

@ -39,8 +39,8 @@ as a:</t>
<t>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</t> <t>No clearly defined text format to describe the same threat actor (e.g. Is the threat actor name case sensitive? Is there a dash or a space between the two words?)</t>
<t>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</t> <t>Confusion between techniques/tools used by a threat actor versus its name (e.g. naming a threat actor after a specific malware used)</t>
<t>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</t> <t>Lack of source and list from vendors to describe their threat actor names and the reasoning behind the naming (e.g. did they name the threat actor after a specific set of campaigns? or specific set of targets?)</t>
<t>Lack of time-based information about the threat actor name, such as date of naming</t> <t>Lack of time-based information about the threat actor name, such as date of naming or and UUID.</t>
<t>Lack of open &quot;registry&quot; of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The &quot;registry&quot; can contain the time-based information mentionned above.</t> <t>Lack of open mirrored &quot;registry&quot; of reference, accessible to all, where to register a new threat actor name, or to access all already named threat actors. The &quot;registry&quot; can contain the time-based information mentionned above, it is a tool.</t>
</list> </list>
</t> </t>
<t>This document proposes a set of guidelines to name threat actors. The goal is to reduce the above mentioned issues.</t> <t>This document proposes a set of guidelines to name threat actors. The goal is to reduce the above mentioned issues.</t>
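
Review bot: The two changed <t> items carry the same wording problems as the other two files ("or and UUID." and "above, it is a tool."), so any correction needs to be made in all three files together to keep the renderings in step. The commit subject also records that a reference to the MISP galaxy format still needs to be added, and none of the hunks adds one; since the UUID is introduced here without saying what format carries it, the item that mentions it is a reasonable place for that reference.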