
Remove Roaming Mantis #561

Closed

Conversation


@ninoseki ninoseki commented Jul 2, 2020

Remove Roaming Mantis from threat-actor definitions because Roaming Mantis is not a name of a group / an actor


adulau commented Jul 3, 2020

Thank you. So this blog post is incorrect then https://securelist.com/roaming-mantis-part-3/88071/ ?


ninoseki commented Jul 3, 2020

@adulau please read the article carefully.
It says that "Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign".
So "Roaming Mantis" is a name of a campaign, not a name of a threat actor.

Note: I am one of the authors of this Botconf presentation.


adulau commented Jul 3, 2020

That was my understanding too. But the threat-actor galaxy also includes campaigns (and Kaspersky is also using the term group to make it more confusing). Maybe we will keep it and update the meta-data. I'll have a look. Thanks a lot for your feedback.


ninoseki commented Jul 4, 2020

@adulau Hmm. Then should I close this PR?

@adulau adulau closed this in ba46bb6 Jul 7, 2020

adulau commented Jul 7, 2020

Thanks a lot for your feedback. I updated the Roaming Mantis metadata to update its classification as a campaign only. We will also update the standard document to add those descriptions. If you have any additional ideas for the meta-field, let us know.

threat-actor-classification meta field

There is an old and persistent issue in the attribution world, and basically no one really agrees on this. So we decided to start a specific metadata field, threat-actor-classification, on the threat-actor galaxy to define the various types per cluster entry:

  • operation:
    • A military operation is the coordinated military actions of a state, or a non-state actor, in response to a developing situation. These actions are designed as a military plan to resolve the situation in the state or actor's favor. Operations may be of a combat or non-combat nature and may be referred to by a code name for the purpose of national security. Military operations are often known for their more generally accepted common usage names than their actual operational objectives. from Wikipedia
    • In the context of MISP threat-actor-name, it's a single specific operation.
  • campaign:
    • The term military campaign applies to large scale, long duration, significant military strategy plans incorporating a series of inter-related military operations or battles forming a distinct part of a larger conflict often called a war. The term derives from the plain of Campania, a place of annual wartime operations by the armies of the Roman Republic. from Wikipedia
    • In the context of MISP threat-actor-name, it's long-term activity which might be composed of one or more operations.
  • threat-actor:
    • In the context of MISP threat-actor-name, it's an agreed name by a set of organisations.
  • activity group:
    • In the context of MISP threat-actor-name, it's a group defined by its set of common techniques or activities.
  • unknown:
    • In the context of MISP threat-actor-name, it's still not clear if it's an operation, campaign, threat-actor or activity group.

The meta field is an array to allow a specific cluster entry of the threat-actor galaxy to show the current disagreement between different organisations about the type (threat actor, activity group, campaign and operation).

For more info: #469
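The thread above describes threat-actor-classification as an array-valued meta field on each threat-actor cluster entry, with five allowed values and the option of listing several to record disagreement between sources. As an added illustration (not part of the misp-galaxy project and not code from anyone in this thread), the script below loads a small constructed cluster fragment in the shape of a galaxy cluster JSON file, flags entries whose field is missing, not an array, or uses a value outside the documented set, and lists the entries where sources disagree. The entry names, descriptions and UUIDs in the sample are placeholders; the allowed value set is taken from the list in the comment above.

```python
"""Check the threat-actor-classification meta field of MISP galaxy cluster entries.

Added example, not part of the misp-galaxy project. The cluster fragment below is
constructed for illustration; its UUIDs and most entry names are placeholders.
"""
import json
from typing import Dict, List

# Allowed values, taken from the list in the PR discussion.
ALLOWED_CLASSIFICATIONS = {
    "operation", "campaign", "threat-actor", "activity group", "unknown",
}

# Constructed fragment in the shape of a galaxy cluster file (values array with
# value/uuid/meta per entry). Only "Roaming Mantis" is a real entry name; its
# classification here mirrors the outcome of the thread (campaign only).
SAMPLE_CLUSTER_JSON = json.dumps({
    "name": "Threat Actor",
    "type": "threat-actor",
    "values": [
        {"value": "Roaming Mantis", "uuid": "00000000-0000-0000-0000-000000000001",
         "meta": {"threat-actor-classification": ["campaign"]}},
        {"value": "Example Actor", "uuid": "00000000-0000-0000-0000-000000000002",
         "meta": {"threat-actor-classification": ["threat-actor", "activity group"]}},
        {"value": "Unclassified Entry", "uuid": "00000000-0000-0000-0000-000000000003",
         "meta": {"synonyms": ["Alias"]}},
        {"value": "Malformed Entry", "uuid": "00000000-0000-0000-0000-000000000004",
         "meta": {"threat-actor-classification": "campaign"}},
        {"value": "Typo Entry", "uuid": "00000000-0000-0000-0000-000000000005",
         "meta": {"threat-actor-classification": ["campagne"]}},
    ],
})


def classification_issues(entry: dict) -> List[str]:
    """Return the problems found in one entry's threat-actor-classification field."""
    meta = entry.get("meta") or {}
    if "threat-actor-classification" not in meta:
        return ["missing threat-actor-classification"]
    value = meta["threat-actor-classification"]
    # The field is defined as an array, even when only one type applies.
    if not isinstance(value, list):
        return ["threat-actor-classification must be an array"]
    issues: List[str] = []
    if not value:
        issues.append("empty array")
    for item in value:
        if item not in ALLOWED_CLASSIFICATIONS:
            issues.append(f"unknown classification {item!r}")
    return issues


def validate_cluster(cluster_json: str) -> Dict[str, List[str]]:
    """Map each entry value to its issues; entries without issues are omitted."""
    cluster = json.loads(cluster_json)
    result: Dict[str, List[str]] = {}
    for entry in cluster.get("values", []):
        issues = classification_issues(entry)
        if issues:
            result[entry["value"]] = issues
    return result


def disputed_entries(cluster_json: str) -> List[str]:
    """Entries listing more than one valid type, i.e. where sources disagree."""
    cluster = json.loads(cluster_json)
    disputed: List[str] = []
    for entry in cluster.get("values", []):
        value = (entry.get("meta") or {}).get("threat-actor-classification")
        if isinstance(value, list) and len(set(value) & ALLOWED_CLASSIFICATIONS) > 1:
            disputed.append(entry["value"])
    return disputed


if __name__ == "__main__":
    for name, problems in validate_cluster(SAMPLE_CLUSTER_JSON).items():
        print(f"{name}: {'; '.join(problems)}")
    print("disputed:", disputed_entries(SAMPLE_CLUSTER_JSON))
```

Run against a real cluster file by replacing SAMPLE_CLUSTER_JSON with the file's contents; the checks are the ones a reviewer would want before merging a metadata change like the one in this PR, and the disputed list is exactly the disagreement the array form was introduced to express.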
