mirror of https://github.com/MISP/misp-rfc
104 lines
4.5 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
<!DOCTYPE rfc SYSTEM 'rfc2629.dtd' []>
<rfc ipr="trust200902" xml:lang="en" consensus="yes">
<?rfc toc="yes"?><?rfc symrefs="yes"?><?rfc sortrefs="yes"?><?rfc compact="yes"?><?rfc subcompact="no"?><?rfc comments="no"?>
<front>
<title abbrev="Recommendations on naming threat actors">Recommendations on naming threat actors</title><author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
<city>Luxembourg</city>
<code>L-1160</code>
<country>Luxembourg</country>
</postal><phone>+352 247 88444</phone>
<email>alexandre.dulaunoy@circl.lu</email>
</address></author>
<author initials="P." surname="Bourmeau" fullname="Pauline Bourmeau"><organization abbrev="CIRCL">Corexalys</organization><address><postal><street>26 Rue de la Bienfaisance</street>
<city>Paris</city>
<code>75008</code>
<country>France</country>
</postal><email>info@corexalys.com</email>
</address></author>
<date year="2020" month="June" day="9"></date>
<area>Security</area><workgroup></workgroup>
<abstract><t>This document provides advice on the naming of threat actors (also known as malicious actors).
The objective is to provide practical advice for organisations, such as security vendors or organisations attributing
incidents to a group of threat actors. It also discusses the implications of naming a threat actor for intelligence analysts
and threat intelligence platforms such as MISP <xref target="MISP-P"></xref>.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<section anchor="conventions-and-terminology" title="Conventions and Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 <xref target="RFC2119"></xref>.</t>
</section>
</section>
<section anchor="recommendations" title="Recommendations">
<section anchor="reusing-threat-actor-naming" title="Reusing threat actor naming">
<t>Before creating a new threat actor name, you MUST consider the existing threat actor names from databases such as the threat actor
MISP galaxy <xref target="MISP-G"></xref>. Proliferation of threat actor names is a significant challenge for day-to-day analyst work. If the threat actor you are describing matches an existing threat actor, you MUST
reuse the existing threat actor name. If there is no matching threat actor name, you SHALL create a new threat actor name following the best
practices defined in this document.</t>
</section>
<section anchor="don-t-confuse-actor-naming-with-malware-naming" title="Don't confuse actor naming with malware naming">
</section>
<section anchor="format" title="Format">
</section>
<section anchor="encoding" title="Encoding">
</section>
<section anchor="directory" title="Directory">
</section>
</section>
<section anchor="examples" title="Examples">
</section>
<section anchor="security-considerations" title="Security Considerations">
<t>A threat actor name could include a sensitive reference to a specific case or incident. Before releasing the name, the creator
MUST review it to ensure that no sensitive information is included in the threat actor name.</t>
</section>
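As an added illustration of the two checks this draft asks for (it is not part of the draft or of the MISP project's code), the following Python performs the review required by the "Reusing threat actor naming" section, looking a candidate name up against the values and synonyms of a MISP galaxy threat-actor cluster, and then applies a few heuristics for the kind of case or incident reference the Security Considerations warn about. The cluster file is a constructed stand-in in the public galaxy layout (values / value / uuid / meta.synonyms); its actor names and UUIDs are made up, and the sensitivity patterns are this example's own assumptions, not requirements of the draft.

```python
import json
import re
import unicodedata

# Constructed stand-in for a MISP galaxy cluster file (the real one lives in the
# misp-galaxy repository as clusters/threat-actor.json). The layout follows the
# public galaxy format; the actor names and UUIDs below are made up.
SAMPLE_GALAXY_JSON = """
{
  "name": "Threat Actor",
  "type": "threat-actor",
  "values": [
    {"value": "Example Bear",
     "uuid": "00000000-0000-4000-8000-000000000001",
     "meta": {"synonyms": ["EXAMPLE-BEAR", "Group 42"]}},
    {"value": "Sample Panda",
     "uuid": "00000000-0000-4000-8000-000000000002",
     "meta": {"synonyms": ["TEMP.Sample"]}},
    {"value": "Lone Wolf",
     "uuid": "00000000-0000-4000-8000-000000000003"}
  ]
}
"""


def load_sample_galaxy() -> dict:
    """Parse the constructed cluster file above."""
    return json.loads(SAMPLE_GALAXY_JSON)


def normalise(name: str) -> str:
    """Fold case, strip diacritics and drop separators so that
    'Example-Bear', 'example bear' and 'EXAMPLEBEAR' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", ascii_only.casefold())


def build_index(galaxy: dict) -> dict:
    """Map every normalised cluster value and synonym to (value, uuid)."""
    index = {}
    for cluster in galaxy.get("values", []):
        entry = (cluster["value"], cluster["uuid"])
        names = [cluster["value"]] + cluster.get("meta", {}).get("synonyms", [])
        for n in names:
            bucket = index.setdefault(normalise(n), [])
            if entry not in bucket:  # value and a synonym may normalise alike
                bucket.append(entry)
    return index


def find_existing(candidate: str, index: dict) -> list:
    """Existing clusters whose value or synonym collides with the candidate."""
    return index.get(normalise(candidate), [])


# Assumed heuristics (not from the draft) for references an internal case name
# might leak: ticket-style identifiers, ISO dates, IPv4 and e-mail addresses.
SENSITIVE_PATTERNS = {
    "ticket-like identifier": re.compile(r"\b[A-Z]{2,}-\d{2,}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "ipv4 address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "e-mail address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def sensitive_references(candidate: str) -> list:
    """Labels of the heuristics the candidate name triggers."""
    return [label for label, pat in SENSITIVE_PATTERNS.items() if pat.search(candidate)]


def review_candidate(candidate: str, galaxy: dict) -> dict:
    """Run both checks; the name may only be created when neither fires."""
    existing = find_existing(candidate, build_index(galaxy))
    sensitive = sensitive_references(candidate)
    return {
        "candidate": candidate,
        "existing": existing,        # reuse one of these names instead
        "sensitive": sensitive,      # strip the reference before release
        "ok_to_create": not existing and not sensitive,
    }


if __name__ == "__main__":
    galaxy = load_sample_galaxy()
    for name in ["example-bear", "Group 42", "INC-2020-0042 Bear", "Quiet Heron"]:
        print(review_candidate(name, galaxy))
```

Matching on normalised values and synonyms is what catches the common duplicate, a known group re-introduced under a spelling or spacing variant; the sensitivity heuristics are a first filter only, and the human review the draft requires still has to happen.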
<section anchor="acknowledgements" title="Acknowledgements">
<t>The authors wish to thank all contributors who provided feedback via Twitter.</t>
</section>
<section anchor="references" title="References">
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
<reference anchor="MISP-G" target="https://github.com/MISP/misp-galaxy">
<front>
<title>MISP Galaxy - Public repository</title>
<author fullname="MISP Community" surname="MISP"></author>
<date></date>
</front>
</reference>
</references>
<references title="Informative References">
<reference anchor="MISP-P" target="https://github.com/MISP">
<front>
<title>MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing</title>
<author fullname="MISP Community" surname="MISP"></author>
<date></date>
</front>
</reference>
</references>
</back>
</rfc>