MISP / misp-galaxy

Clusters and elements to attach to MISP events or attributes (like threat actors)
https://misp-galaxy.org/

Tailgater Team duplicate #8

Closed cvandeplas closed 7 years ago

cvandeplas commented 7 years ago

Tailgater Team is defined twice in the threat-actors:


    {
      "value": "Aurora Panda",
      "refs": [
        "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
      ],
      "country": "CN",
      "synonyms": [
        "APT 17",
        "Deputy Dog",
        "Group 8",
        "APT17",
        "Hidden Lynx",
        "Tailgater Team"
      ]
    },
    {
      "value": "Axiom",
      "refs": [
        "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
        "http://williamshowalter.com/a-universal-windows-bootkit/"
      ],
      "country": "CN",
      "synonyms": [
        "Winnti Group",
        "Tailgater Team",
        "Group 72",
        "Group72",
        "Tailgater",
        "Ragebeast",
        "Blackfly"
      ]
    },```
adulau commented 7 years ago

IMHO, it's still fine as you can share common synonyms among different groups (depending on the attribution from some A/V vendors). In MISP, it should be fine and allows the analyst to pick the group (s)he really wants as the key is the value. Let me know if there is a specific issue with such definition. Thanks a lot.

cvandeplas commented 7 years ago

I understand the reasoning, even if it feels confusing. It shows the complexity of the various names invented by different organisations, and also the big challenge to attribution/association.
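A small check that surfaces synonyms shared across clusters in a MISP galaxy cluster file, so a maintainer can review collisions like the one above rather than discover them by accident. This is an added example, not code from the issue or from the misp-galaxy project; the embedded galaxy excerpt is constructed from the two clusters quoted above plus one unique actor, and the file path argument is only an assumption about where a real cluster file would be loaded from.

```python
import json
from collections import defaultdict

# Constructed excerpt modelled on the two clusters quoted in the issue,
# reduced to the fields the check needs (value and synonyms).
SAMPLE_GALAXY = {
    "values": [
        {"value": "Aurora Panda",
         "synonyms": ["APT 17", "Deputy Dog", "Group 8", "APT17",
                      "Hidden Lynx", "Tailgater Team"]},
        {"value": "Axiom",
         "synonyms": ["Winnti Group", "Tailgater Team", "Group 72",
                      "Group72", "Tailgater", "Ragebeast", "Blackfly"]},
        {"value": "Example Actor", "synonyms": ["Unique Name"]},
    ]
}


def normalise(name):
    """Case- and whitespace-insensitive key, so spellings such as
    'Group72' and 'Group 72' are treated as the same name."""
    return "".join(name.lower().split())


def shared_synonyms(galaxy):
    """Return {normalised name: sorted cluster values} for every name
    (a cluster's own value or one of its synonyms) that is used by more
    than one cluster. Names repeated inside a single cluster are not
    reported, since they only alias that cluster."""
    index = defaultdict(set)
    for cluster in galaxy.get("values", []):
        value = cluster["value"]
        for name in [value] + list(cluster.get("synonyms", [])):
            index[normalise(name)].add(value)
    return {name: sorted(owners)
            for name, owners in index.items() if len(owners) > 1}


def load_galaxy(path):
    """Load a galaxy cluster JSON file (path is an assumption here)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for name, owners in sorted(shared_synonyms(SAMPLE_GALAXY).items()):
        print(f"{name!r} is used by: {', '.join(owners)}")
```

Run against a real cluster file with `shared_synonyms(load_galaxy("threat-actor.json"))`; a non-empty result is a list for review, not necessarily an error, as adulau notes that shared synonyms can be legitimate.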