Creating cyber threat intelligence like a journalist

Wednesday 27 November, 11:20 am - 12:00 pm

Speakers

Chris Horsley

CTO
Cosive

Synopsis

Cyber threat intelligence (CTI) attracts a lot of fancy frameworks and terminology, often coming from military intelligence. In spite of this, we often see CTI packages in feeds and sharing communities listing a few IP addresses with very little context about their exact nature. If we find one of these IPs in our environment, so what? Will the CTI report tell us what we're dealing with?

Let's get back to fundamentals and remove all the specialist language: what makes a CTI report actually useful? What does it need to do and who are we writing it for?

There's something we all learned in primary school English classes that can help us write better CTI reports: how to write a newspaper article. If we get into the headspace of a reporter verifying their sources, thinking about their audience, and including the who, what, when, where, why, and how translated into cyber threats, we can produce CTI packages of a higher standard than a lot of what we see shared today.

In this presentation, we'll apply this approach from first principles to make better CTI packages using MISP and STIX, as well as something we can send to our executives.
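As an added example (not code from the talk or from Cosive), the following Python builds a STIX 2.1 bundle from the six journalistic answers and audits any bundle for the questions it leaves unanswered. The sample report, the actor name and the IP address are constructed placeholders, and the mapping of each question onto a particular STIX object is my assumption rather than a mapping the talk prescribes.

```python
"""Turn a journalist's who/what/when/where/why/how into a STIX 2.1 bundle and
audit a bundle for the questions it leaves unanswered (added example, constructed data)."""
import uuid
from datetime import datetime, timezone

def _sdo(obj_type, **props):
    """Minimal STIX 2.1 object with the common required properties."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": now, "modified": now, **props}

def report_to_bundle(r):
    """Each of the six answers lands in a distinct STIX object or property (assumed mapping)."""
    actor = _sdo("threat-actor", name=r["who"])                    # who
    technique = _sdo("attack-pattern", name=r["how"])              # how
    indicator = _sdo("indicator",
                     name=r["what"],                               # what was seen
                     description=r["why"],                         # why it matters to the reader
                     pattern=f"[ipv4-addr:value = '{r['where']}']",  # where: the artefact itself
                     pattern_type="stix", indicator_types=["malicious-activity"],
                     valid_from=r["when"])                         # when
    rels = [_sdo("relationship", relationship_type="indicates",
                 source_ref=indicator["id"], target_ref=t["id"]) for t in (actor, technique)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [actor, technique, indicator, *rels]}

def unanswered_questions(bundle):
    """Which journalistic questions does this bundle fail to answer?
    A bare-IP package (an indicator carrying only a pattern) fails nearly all of them."""
    objs = bundle["objects"]
    inds = [o for o in objs if o["type"] == "indicator"]
    linked = {o["target_ref"].split("--")[0] for o in objs
              if o["type"] == "relationship" and o.get("relationship_type") == "indicates"}
    answered = {"who": bool(linked & {"threat-actor", "intrusion-set"}),
                "what": any(i.get("name") for i in inds),
                "when": any(i.get("valid_from") for i in inds),
                "where": any(i.get("pattern") for i in inds),
                "why": any(i.get("description") for i in inds),
                "how": bool(linked & {"attack-pattern", "malware", "tool"})}
    return [q for q, ok in answered.items() if not ok]

# Constructed sample report; the actor name, IP (TEST-NET-3 range) and text are placeholders.
SAMPLE_REPORT = {"who": "Placeholder actor tracked by our SOC", "how": "SSH credential brute force",
                 "what": "Scanner probing our exposed SSH services", "when": "2024-01-15T00:00:00.000Z",
                 "where": "203.0.113.10", "why": "Precursor to credential stuffing on the jump hosts"}
# The kind of package the talk complains about: an IP with no context (also missing valid_from).
BARE_IP_BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                  "objects": [_sdo("indicator", pattern="[ipv4-addr:value = '203.0.113.10']",
                                   pattern_type="stix")]}
```

Running `unanswered_questions` over a feed before publishing it is a cheap way to catch packages that answer "where" and nothing else.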

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.