MISP Team,
I wanted to share my feedback about the new Threat Actor Naming Standard Proposal, section 2.1. Reusing Threat Actor Names:
2.1. Reusing Threat Actor Names
Before creating a new threat actor name, you MUST consider a review of existing threat actor names from databases such as the threat actor MISP galaxy [MISP-G]. Proliferation of threat actor names is a significant challenge for day-to-day analyst work. If your defined threat actor matches an existing threat actor, you MUST reuse an existing threat actor name. If there is no matching threat actor name, you SHALL create a new threat actor name, following the best practices defined in this document.
I think it's shortsighted not to discuss the risk of over-pivoting in this section. Here's what I think should be included:
2.1. Reusing Threat Actor Names
Before attributing malicious activity to a known group, you MUST thoroughly justify the connection with credible evidence. Over-pivoting is a persistent challenge for day-to-day intelligence analysis. If your research cannot adequately align the activity with a known threat actor, you SHALL create a new threat actor name, following the best practices defined in this document.