MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity
misp-rfc/threat-actor-naming/threat-actor-naming.xml

136 lines
8.3 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
<rfc version="3" ipr="trust200902" docName="draft-00" submissionType="independent" category="info" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" indexInclude="true">
<front>
<title abbrev="Recommendations on Naming Threat Actors">Recommendations on Naming Threat Actors</title><seriesInfo value="draft-00" stream="independent" status="informational" name="Internet-Draft"></seriesInfo>
<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>122, rue Adolphe Fischer</street>
<city>Luxembourg</city>
<code>L-1521</code>
<country>Luxembourg</country>
</postal><phone>+352 247 88444</phone>
<email>alexandre.dulaunoy@circl.lu</email>
</address></author><author initials="P." surname="Bourmeau" fullname="Pauline Bourmeau"><organization abbrev="Cubessa">Cubessa</organization><address><postal><street></street>
</postal><email>Pauline@cubessa.io</email>
</address></author><date year="2024" month="December" day="21"></date>
<area>Security</area>
<workgroup></workgroup>
<abstract>
<t>This document provides advice on the naming of threat actors (also known as malicious actors).
The objective is to provide practical advice for organizations such as security vendors or organizations attributing
incidents to a group of threat actors. It also discusses the implications of naming a threat actor for intelligence analysts
and threat intelligence platforms such as MISP <xref target="MISP-P"></xref>.</t>
</abstract>
</front>
<middle>
<section anchor="introduction"><name>Introduction</name>
<t>In threat intelligence, a name can be assigned to a threat actor without specific guidelines. This leads to issues such
as:</t>
<ul spacing="compact">
<li>A proliferation of threat actor names generating overlaps or different names for similar threat actors (e.g., some threat actors have more than 10 synonyms).</li>
<li>Ambiguity in the words used to name the threat actor in different contexts (e.g., using common words).</li>
<li>Lack of a clearly defined text format to describe the same threat actor (e.g., Is the threat actor name case-sensitive? Is there a dash or a space between the words?).</li>
<li>Confusion between techniques/tools used by a threat actor versus its name (e.g., naming a threat actor after a specific malware used).</li>
<li>Lack of source and reasoning from vendors when they describe their threat actor names (e.g., did they name the threat actor after a specific set of campaigns or a specific set of targets?).</li>
<li>Lack of time-based information about the threat actor name, such as date of naming or a UUID.</li>
<li>Lack of an open, mirrored &quot;registry&quot; of reference, accessible to all, where a new threat actor name can be registered, or where all already named threat actors can be accessed. The &quot;registry&quot; can contain the time-based information mentioned above; it is a tool.</li>
</ul>
<t>This document proposes a set of guidelines for naming threat actors. The goal is to reduce the issues mentioned above.</t>
<section anchor="conventions-and-terminology"><name>Conventions and Terminology</name>
<t>The key words &quot;<bcp14>MUST</bcp14>&quot;, &quot;<bcp14>MUST NOT</bcp14>&quot;, &quot;<bcp14>REQUIRED</bcp14>&quot;, &quot;<bcp14>SHALL</bcp14>&quot;, &quot;<bcp14>SHALL NOT</bcp14>&quot;,
&quot;<bcp14>SHOULD</bcp14>&quot;, &quot;<bcp14>SHOULD NOT</bcp14>&quot;, &quot;<bcp14>RECOMMENDED</bcp14>&quot;, &quot;<bcp14>MAY</bcp14>&quot;, and &quot;<bcp14>OPTIONAL</bcp14>&quot; in this
document are to be interpreted as described in RFC 2119 <xref target="RFC2119"></xref>.</t>
</section>
</section>
<section anchor="recommendations"><name>Recommendations</name>
<t>The recommendations listed below provide a minimal set of guidelines when assigning a new name to a threat actor.</t>
<section anchor="reusing-threat-actor-names"><name>Reusing Threat Actor Names</name>
<t>Before creating a new threat actor name, you <bcp14>MUST</bcp14> consider a review of existing threat actor names from databases such as the threat actor MISP galaxy <xref target="MISP-G"></xref>. Proliferation of threat actor names is a significant challenge for day-to-day analyst work. If your defined threat actor matches an existing threat actor, you <bcp14>MUST</bcp14> reuse an existing threat actor name. If there is no matching threat actor name, you <bcp14>SHALL</bcp14> create a new threat actor name, following the best practices defined in this document.</t>
</section>
<section anchor="uniqueness"><name>Uniqueness</name>
<t>When choosing a threat actor name, uniqueness is a critical property. The threat actor name <bcp14>MUST</bcp14> be unique and not already in use in different contexts. The name <bcp14>MUST NOT</bcp14> be a word from a dictionary, which could be used in other contexts.</t>
</section>
<section anchor="format"><name>Format</name>
<t>The name of the threat actor <bcp14>SHALL</bcp14> be composed of a single word. If there are multiple parts, such as a decimal value or a counter, the values <bcp14>MUST</bcp14> be separated with a dash. Single words are preferred to ease keyword searches by analysts in public sources.</t>
</section>
<section anchor="encoding"><name>Encoding</name>
<t>The name of the threat actor <bcp14>MUST</bcp14> be expressed in 7-bit ASCII. Assigning a localized name to a threat actor <bcp14>MAY</bcp14> create ambiguity due to different localized versions of the same threat actor.</t>
</section>
<section anchor="avoid-confusing-actor-names-with-malware-names"><name>Avoid Confusing Actor Names with Malware Names</name>
<t>The name of the threat actor <bcp14>MUST NOT</bcp14> be based on the tools, techniques, or patterns used by the threat actor. A notorious example in the threat intelligence community is Turla, which can refer to a threat actor but also to a malware used by this group or other groups.</t>
</section>
<section anchor="directory"><name>Directory</name>
<t>A reference registry of threat actors is <bcp14>RECOMMENDED</bcp14> to ensure consistency of names across different parties such as the threat actor MISP galaxy <xref target="MISP-G"></xref>.</t>
</section>
</section>
<section anchor="examples"><name>Examples</name>
<t>Some known examples are included below and serve as references for good and bad practices in naming threat actors. The following threat actor names are considered good examples:</t>
<ul spacing="compact">
<li>APT-1</li>
<li>TA-505</li>
</ul>
<t>The following threat actor names are considered examples to avoid:</t>
<ul spacing="compact">
<li>GIF89a (Word also used for the GIF header)</li>
<li>ShadyRAT (Confusion between the name and the tool)</li>
<li>Group 3 (Common name used for other use-cases)</li>
<li>ZooPark (Name is used to describe something else)</li>
</ul>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>
<t>Naming a threat actor could include sensitive references to a case or an incident. Before releasing a name, the creator <bcp14>MUST</bcp14> review the name to ensure no sensitive information is included in the threat actor name.</t>
</section>
<section anchor="acknowledgements"><name>Acknowledgements</name>
<t>The authors wish to thank all contributors who provided feedback through the now-defunct Twitter and other new social networks.</t>
</section>
<section anchor="references"><name>References</name>
</section>
</middle>
<back>
<references><name>References</name>
<references><name>Normative References</name>
<reference anchor="MISP-G" target="https://github.com/MISP/misp-galaxy">
<front>
<title>MISP Galaxy - Public repository </title>
<author fullname="MISP Community" surname="MISP"></author>
<date></date>
</front>
</reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
</references>
<references><name>Informative References</name>
<reference anchor="MISP-P" target="https://github.com/MISP">
<front>
<title>MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing</title>
<author fullname="MISP Community" surname="MISP"></author>
<date></date>
</front>
</reference>
</references>
</references>
</back>
</rfc>
Reference in New Issue View Git Blame Copy Permalink