Security experts have released new guidelines aimed at bringing order to the chaotic world of naming malicious cyber threat actors. The recommendations address long-standing issues that have plagued threat intelligence sharing and analysis.
The new RFC document outlines key problems in current naming practices, including the confusing proliferation of multiple names for the same threat actors, with some groups having over 10 different aliases. It also highlights issues with using common dictionary words that create ambiguity.
"The objective is to provide practical advice for organizations such as security vendors who need to attribute incidents to specific threat actor groups," states the RFC document.
Key recommendations include:
- Names must be unique and not already used in other contexts
- Single word names are preferred, with dashes for any additional parts
- Names must use standard ASCII characters only
- Names should not be based on malware or tools used by the actors
- Organizations must check existing threat actor databases before creating new names
The document provides examples of good naming practices, such as "APT-1" and "TA-505", while warning against problematic names like "ShadyRAT" that create confusion between actor names and their tools.
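To make the listed rules concrete, the following is an added example of a small name validator (not code from the RFC or any tool it describes) that checks a proposed name for ASCII-only characters, the single-word-with-dashes form, collisions with an existing registry and reuse of a malware or tool name; the registry and tool list are constructed stand-ins, and the token-splitting rule is an assumption of this example:

```python
import re
from dataclasses import dataclass, field

# "Single word, dashes for additional parts": ASCII alphanumeric parts joined by
# single dashes, with no leading, trailing or doubled dashes.
NAME_PATTERN = re.compile(r"[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*")

# Constructed stand-in for an existing threat actor registry (hypothetical data).
KNOWN_ACTOR_NAMES = {"TA-505", "APT-28"}

# Constructed stand-in for a malware/tool name list (hypothetical data).
KNOWN_MALWARE_TOOLS = {"rat", "mimikatz", "cobaltstrike", "emotet"}


@dataclass
class NameCheck:
    name: str
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def name_tokens(name: str) -> list[str]:
    """Split on dashes, whitespace, underscores and lowercase-to-uppercase
    boundaries, so 'ShadyRAT' yields ['shady', 'rat'] and 'APT-1' yields ['apt', '1']."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", name)
    return [t.lower() for t in re.split(r"[-\s_]+", spaced) if t]


def check_actor_name(name, registry=KNOWN_ACTOR_NAMES, tools=KNOWN_MALWARE_TOOLS) -> NameCheck:
    result = NameCheck(name)
    if not name.isascii():
        result.problems.append("contains non-ASCII characters")
    if not NAME_PATTERN.fullmatch(name):
        result.problems.append("must be alphanumeric parts separated by single dashes")
    # Registry comparison is case-insensitive: 'ta-505' collides with 'TA-505'.
    if name.lower() in {r.lower() for r in registry}:
        result.problems.append("already registered for an existing actor")
    tokens = name_tokens(name)
    # Catch a tool name used as a component ('ShadyRAT') or as the whole name ('CobaltStrike').
    if any(t in tools for t in tokens) or "".join(tokens) in tools:
        result.problems.append("based on a malware or tool name")
    return result


if __name__ == "__main__":
    for candidate in ["APT-1", "ShadyRAT", "ta-505", "Sandworm Team", "Ünicorn"]:
        check = check_actor_name(candidate)
        print(candidate, "OK" if check.ok else "; ".join(check.problems))
```

Running the module prints one verdict per candidate; "APT-1" passes, while "ShadyRAT" is flagged for embedding a tool name and "ta-505" for colliding with the registered "TA-505".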
A centralized registry of threat actor names is recommended to maintain consistency across different organizations. The document also emphasizes reviewing names to avoid accidentally exposing sensitive case information.
These guidelines aim to improve threat intelligence sharing by reducing confusion and making it easier for analysts to track specific threat groups across different reporting sources.
The recommendations are expected to be particularly valuable for security vendors, threat intelligence platforms, and organizations that need to consistently track and communicate about cyber threats.