Closed cvandeplas closed 7 years ago
IMHO, it's still fine as you can have share common synonyms among different groups (depending on the attribution from some A/V vendors). In MISP, it should be fine and allows the analyst to pick the group (s)he really wants as the key is the value. Let me know if there is a specific issue with such definition. Thanks a lot.
I understand the reasoning, even if it feels confusing. It shows the complexity of the various names invented by different organisations; and also the big challenge to attribution/association.
Tailgater Team is defined twice in the threat-actors: