Source: MISP Standard – MISP Standard Author: Alexandre Dulaunoy URL: https://www.misp-standard.org/rfc/threat-actor-naming.html

ONE SENTENCE SUMMARY:

The document outlines guidelines for effectively naming threat actors to enhance clarity and reduce confusion in threat intelligence.

MAIN POINTS:

1. Naming threat actors often lacks guidelines, leading to confusion and duplication.
2. Existing names should be reviewed before creating new threat actor names.
3. Unique names must not be dictionary words or previously used in different contexts.
4. Threat actor names should consist of a single word and use 7-bit ASCII.
5. Names must not reference tools or techniques used by the threat actor.
6. A registry of threat actor names is recommended for consistency.
7. Examples illustrate both effective and poor naming practices for threat actors.
8. Sensitive information must be avoided in threat actor names.
9. Time-based information, such as UUIDs, should be included where possible.
10. Naming conventions aid intelligence analysts and enhance interoperability across platforms.

TAKEAWAYS:

1. Guidelines are essential for coherent threat actor naming.
2. Prioritize name uniqueness to avoid confusion.
3. Avoid names based on tools or common terms.
4. Utilize a registry for public access and standardization.
5. Conduct thorough reviews to prevent sensitive disclosures in names.