The glorious theory and sometimes bitter reality of crafting cyber threat intel (CTI) packages for sharing with humans and machines

SESSION

1:15 pm / 11 May 2023

About this session

Cyber threat intelligence (CTI) sharing is something we all agree in theory is an excellent idea – until it comes time to actually do it.

Which data structure, transport, and format standards shall we use? What are the standards-within-standards all the sharing participants have to know about? What’s the absolute minimum acceptable quality we can get away with and still make a useful intel package? What tools will we use for generating CTI packages, and then for receiving them at the other end? Is the community’s state of tooling a level playing field? Who’s going to be making all these CTI packages, and will lawyers stop us sharing them anyway? What are we going to do with the theoretical mountain of intel we’ll be receiving? What actually makes threat intelligence actionable, even?

This presentation will also provide a brief retrospective on past efforts in creating and sharing cyber threat intelligence (CTI). How did we use to share in the olden days of the 2000s and before, and how did tooling, standards, and thinking evolve to get to where we are today? We’ll talk about STIX and MISP in particular as modern solutions and how they line up against one another.

Finally, we’ll look at some exciting new ways to improve the lives of CTI analysts so they can produce better-quality, more consistent packages faster. We’ll look in particular at the mainstream rise of machine learning as an aid, as well as some more conventional tricks to help keep creating, sending, and receiving CTI manageable.