\item MISP is a {\bf threat information sharing} platform that is free \& open source software
\item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
\item Normalises, {\bf correlates}, {\bf enriches} and {\bf connects} the data
\item Allows teams and communities to {\bf collaborate} and {\bf share}
\item{\bf Feeds} automated protective tools and analyst tools with the output
\item MISP is a {\bf complete threat intelligence platform} with strong sharing capabilities and extensibility
\end{itemize}
\end{frame}
\begin{frame}[plain,c]
\begin{center}
{\Huge Two years from now, threat intelligence will be easy.\\}
{\it Bill Gates, if he worked in threat intelligence}
\end{center}
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item{\Large Showing the {\bf evolution of threat intelligence}\footnote{Based on our empirical view from users using/integrating MISP} and {\bf data-driven threat hunting} over the past years}
\item{\Large What can we expect in {\bf the future}?}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{From standalone indicator to advanced object data models}
\begin{itemize}
\item In early 2010, MISP supported basic indicator sharing with a limited set of types
\item In 2022, MISP integrates a dynamic object model with advanced custom relationships
\item Why such evolution?
\begin{itemize}
\item{\bf Increase of intelligence usage in different sectors}. From threat-hunting\footnote{With different types of threat hunts including TTP-driven, intelligence-driven, asset-driven...} to risk assessment or strategic decisions
\item Showing {\bf how diverse\footnote{Embrace the diversity of models and taxonomies. 146 taxonomies are available in MISP taxonomies.} our societies are}
\item{\bf Building narratives is critical in threat intelligence}
\begin{itemize}
\item Intelligence narrative can be described in structured format (e.g. course-of-action)
\item Or written in natural language to describe higher-level information (e.g. assessment, executive summary or strategic information)
\end{itemize}
\item For years, many thought that narrative and structured intelligence were separate.
\item Accepting that {\bf structured and unstructured intelligence can coexist\footnote{Mixed free-text Markdown reports with graph-oriented intelligence sharing in MISP increased during the past year.}} became critical.
\item{\bf Sharing detection engineering} information became more prevalent
\begin{itemize}
\item Sharing only the resulting analysis (indicators) is the bare minimum requirement in various sharing communities
\item Sharing the complete detection process\footnote{Detection rules, scripts and playbooks} is increasing\footnote{New object template to support advanced detection engineering or intelligence pipelines.}
\item Reproducible {\bf workflows and playbooks} play an important role in {\bf actionable intelligence}\footnote{MISP workflow blueprints}
\item{\bf Sharing more} without disclosing the actual information\footnote{Growth of research about PSI (private set intersection) and an increased usage of MISP feed caching}
\item{\bf Automatic data modeling} on unstructured intelligence
\item Advanced sighting and {\bf feedback on engineering detection rules}\footnote{Sharing back training sets or datasets with the actual false-positive detection}
\item Automation and sharing of the threat intelligence pipelines framework.