HP’s policies and procedures for naming third-party organizations in our threat blogs

Overall policy
HP’s overall policy is to anonymize details about the target so that readers of the blog cannot identify them. It is acceptable to describe general information about the target’s industry and geographical location to provide context to readers, provided it maintains the anonymity of the target.

Aim
This policy is concerned with disclosures to third-party organizations whose brands have been abused.

Context
Threat actors regularly abuse the brands of well-known organizations, products and services to create convincing lures that are used to trick targets in malicious campaigns (Figure 1). For example, threat actors may copy logos or email signatures, register fake websites that imitate an organization, or spoof an organization’s domain name in an email.

Definitions
⦁ The threat actor is the entity that conducts an attack.
⦁ The target is the individual or organization that was attacked or breached.
⦁ The third-party organization is an organization whose brand is abused by a threat actor to create a credible lure in a malware campaign but is not the target of the campaign.
⦁ Brand abuse is the unauthorized re-use of an organization’s brand.

Figure 1 – A typical attack flow chart involving brand abuse of a third-party organization.
HP Security policy

⦁ In line with industry practice, it is acceptable to include details of brand abuse in blogs so that readers know what to look out for and can defend against similar malware campaigns.
⦁ The blog author will contact the security team at the third-party organization in advance to share the blog and keep a record of the notification email(s).
HP CO Org policy
⦁ This will be led by Michael Howard’s team (HP Security & Analytics practice), in partnership with local CO org.
⦁ They will contact the third-party organization as they deem appropriate.
⦁ In cases where the third-party organization requests that details about their brand are removed altogether, then Boris / Ian will be notified, and Michael Howard’s team and the local CO Org will make the final decision.

HP PR policy
⦁ Media content will not identify the third-party organization but may describe it in sector / regional terms and will direct to the blog.
⦁ The local comms team will contact the third-party organization’s comms team in advance and share the blog.