STIX: The 'Infinite Coding Possibilities' Problem
Bohemia Ballroom
06 Dec 2017 11:15 AM - 12:00 Noon (America/Chicago)


Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague

Standardised languages such as STIX have taken huge steps forward to facilitate the translation of threat intelligence to network defence, but often leave the interpretation of a threat (how to represent it in STIX) to the analyst to decide. This has led us to the unenviable position of having a huge range of communities and Intelligence Production outfits delivering 'structured Intelligence', each having unique interpretations of how to structure the data. This issue is often manageable within closed communities where standard 'libraries' can be agreed upon, but we can't always rely on good practices being adopted universally. Complex cyber security incidents depend on our ability to analyse all intelligence signals, evaluate provenance and make objective decisions on the best courses of action. Refusing to incorporate a data source into your knowledge base because "they don't do STIX right" is simply not an option and potentially misses out on the key indicator that could solve all your problems.

Some great work is ongoing in the OASIS CTI Technical Committee to improve the standard against this issue, but the fact remains that ensuring effective communication of understanding across communities is as much about analyst tradecraft in knowledge management as it is technology and standards. Universal adoption of a single standard, with clear implementation guidelines, is a utopia - and whether or not it ever gets truly realised there will inevitably be a period of transition. It is important to establish a set of simple Standard Operating Procedures (SOPs) to tackle this disparity and support decision making in cyber security incidents. When we do this right, we can reduce the time it takes to go from data, to information, to knowledge and, finally, wisdom.

This talk is for all practitioners of structured intelligence production and consumption, as well as those who write tools to support them. It highlights areas of work already being tackled by the CTI TC to address this issue and potential pitfalls for those still using older versions and/or converting. Recommended SOPs (and some bad practices) are explored to identify how to prepare for version transition and continue to facilitate cross-feed data correlation. Finally, we will take a look at how this approach can lead to enhanced Intelligence Product delivery by demonstrating 'hybrid' Intelligence Products that bridge the gap between structured, tactical data and strategic reporting, so that the C-suite can understand the same concepts as your SIEM.

Key takeaways:

  • An understanding of the challenges in universal standardisation of threat intelligence
  • Increased awareness of the improvements in STIX through to version 2.1 to help tackle these issues
  • Suggested SOPs for use in STIX production that can be used now, regardless of language or version
  • Examples of hybrid reporting products representing both structured and unstructured Intelligence value

Speaker: Director Intelligence Operations, EclecticIQ