Source: MISP Standard – MISP Standard
Author: Alexandre Dulaunoy
URL: https://www.misp-standard.org/rfc/threat-actor-naming.html

ONE SENTENCE SUMMARY: The document outlines guidelines for effectively naming threat actors to enhance clarity and reduce confusion in threat intelligence.

MAIN POINTS:
- Naming threat actors often lacks guidelines, leading to confusion and duplication.
- Existing names should be reviewed before creating new threat actor names.
- Unique names must not be dictionary words or previously used in different contexts.
- Threat actor names should consist of a single word and use 7-bit ASCII.
- Names must not reference tools or techniques used by the threat actor.
- A registry of threat actor names is recommended for consistency.
- Examples illustrate both effective and poor naming practices for threat actors.
- Sensitive information must be avoided in threat actor names.
- Time-based information, such as UUIDs, should be included where possible.
- Naming conventions aid intelligence analysts and enhance interoperability across platforms.

TAKEAWAYS:
- Guidelines are essential for coherent threat actor naming.
- Prioritize name uniqueness to avoid confusion.
- Avoid names based on tools or common terms.
- Utilize a registry for public access and standardization.
- Conduct thorough reviews to prevent sensitive disclosures in names.
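
The mechanical naming rules summarized above (single word, 7-bit ASCII, no dictionary words, no reuse of existing names, no tool references) can be checked before a name is published. The following is an added example, not code from the MISP standard or its author; the function name `check_actor_name` and all three sample lists are constructed assumptions standing in for a real registry, wordlist and tool inventory.

```python
import re

# Constructed sample data (assumptions for illustration only).
EXISTING_NAMES = {"EXAMPLEACTOR-1", "Vantrel"}    # stand-in for a name registry
DICTIONARY_WORDS = {"shadow", "dragon", "panda"}  # stand-in for a real wordlist
TOOL_NAMES = {"mimikatz", "plugx"}                # stand-in for a tool inventory


def check_actor_name(name, existing=EXISTING_NAMES,
                     dictionary=DICTIONARY_WORDS, tools=TOOL_NAMES):
    """Return the list of guideline violations for a candidate name.

    An empty list means the name passed every automated check. Checks that
    need human judgement (sensitive information in the name) are not covered.
    """
    problems = []
    lowered = name.lower()

    # Encoding: every character must fit in 7-bit ASCII.
    if not name.isascii():
        problems.append("not 7-bit ASCII")

    # Format: a single word, so no whitespace and not empty.
    if not name or re.search(r"\s", name):
        problems.append("not a single word")

    # Uniqueness: compare case-insensitively against names already in use.
    if lowered in {n.lower() for n in existing}:
        problems.append("already in use")

    # Uniqueness: a plain dictionary word collides with everyday text.
    if lowered in dictionary:
        problems.append("dictionary word")

    # Actor names must not be derived from a tool or technique.
    if any(tool in lowered for tool in tools):
        problems.append("references a tool")

    return problems


if __name__ == "__main__":
    for candidate in ["Quorvex-7", "Shadow Dragon", "Panda", "PlugXGroup"]:
        print(candidate, "->", check_actor_name(candidate) or "ok")
```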