This is a preprint version of t he paper ent it led: " Surveying Cyber Threat Int elligence and Collaborat ion: A Concise Analysis of Current Landscape and Trends" . The public version is available in IEEE Xplore: ht t ps:/ / ieeexplore.ieee.org/ abst ract / document / 10475684 Cit at ion: P. Radoglou-Grammat ikis, E. Kioseoglou, D. Asimopoulos, M . SIavvas, I. Nanos, T. Lagkas, V. Argyriou, K. E. Psannis, S. Goudos and P. Sarigiannidis, " Surveying Cyber Threat Int elligence and Collaborat ion: A Concise Analysis of Current Landscape and Trends," 2023 IEEE Int ernat ional Conference on Cloud Comput ing Technology and Science (CloudCom), Naples, It aly, 2023, pp. 309-314, doi: 10.1109/ CloudCom59040.2023.00057. Surveying Cyber Threat Intelligence and Collaboration: A Concise Analysis of Current Landscape and Trends Panagiotis Radoglou-Grammatikis†‡ , Elisavet Kioseoglou† , Dimitrios Asimopoulos§ , Miltiadis Siavvas¶ , Ioannis Nanos∥ , Thomas Lagkas∗∗ , Vasileios Argyriou†† , Konstantinos E. Psannis‡‡ , x Sotirios Goudos and Panagiotis Sarigiannidis† Abstract—The evolution of cyberattacks has been significantly impacted by the rise of Artificial Intelligence (AI). In particular, AI-driven attacks leverage Machine Learning (ML) and Deep Learning (DL) methods to automate tasks like identifying vulnerabilities, crafting convincing phishing emails, and evading conventional security measures. These cyberattacks can adapt in real time, making them more elusive and challenging to detect. Furthermore, AI has enabled the development of AIpowered malware that can learn and evolve, making it even more dangerous. As AI continues to evolve, both attackers and defenders are engaged in a relentless arms race, with cybersecurity professionals striving to harness AI for threat detection and response while cybercriminals seek to exploit AI’s capabilities for their malicious purposes. This ongoing battle underscores the need for proactive and adaptive cybersecurity strategies to mitigate the evolving threats posed by AI-driven cyberattacks. Based on the aforementioned remarks, it is evident that efficient and adaptable countermeasures are necessary. In this paper, we focus our attention on Cyber Threat Intelligence (CTI) mechanisms. CTI is the process of collecting, analysing, ∗ This project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No 101070450 (AI4CYBER). Disclaimer: Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the European Commission can be held responsible for them. † P. Radoglou-Grammatikis, E. Kioseoglou and P. Sarigiannidis are with the Department of Electrical and Computer Engineering, University of Western Macedonia, Campus ZEP Kozani, 50100, Kozani, Greece - E-Mail: {pradoglou, ekioseoglou, psarigiannidis}@uowm.gr ‡ P. Radoglou-Grammatikis is also with K3Y Ltd, William Gladstone 31,1000 Sofia, Bulgaria - E-Mail: pradoglou@k3y.bg § D. Asimopoulos is with MetaMind Innovations P.C., Kila, 50100 Kozani, Greece- E-Mail: dasimopoulos@metamind.gr ¶ M. Siavvas is with Centre for Research and Technology Hellas/Information Technologies Institute, Charilaou-Thermi Rd, Thermi, 57001, Thessaloniki, Greece - E-Mail: siavvasm@iti.gr ∥ I. Nanos is with Sidroco Holdings Ltd, Petraki Giallourou 22, Office 11, 1077 Nicosia, Cyprus - E-Mail: inanos@sidroco.com ∗∗ T. Lagkas is with the Department of Computer Science, International Hellenic University, Kavala Campus, 65404, Kavala, Greece - E-Mail: tlagkas@cs.ihu.gr †† V. Argyriou is with the Department of Networks and Digital Media, Kingston University London, Penrhyn Road, Kingston upon Thames, Surrey KT1 2EE, UK - E-Mail: vasileios.argyriou@kingston.ac.uk ‡‡ K. E. Psannis is with the Department of Applied Informatics, School of Information Sciences, University of Macedonia, 156 Egnatia Street, Thessaloniki Greece - E-Mail: kpsannis@uom.edu.gr x S. Goudos is with the School of Physics, Aristotle University of Thessaloniki, 54124 Thessaloniki, Greece - E-Mail: sgoudo@physics.auth.gr and sharing information about potential cybersecurity threats to help organisations proactively defend against cyberattacks. In particular, after providing an overview of the CTI use cases, a brief analysis of existing solutions follows, highlighting the current trends and directions for future work in this research field. Index Terms—Cybersecurity, Cyber Threat Intelligence, Information Sharing, Proactive Defense, Survey I. I NTRODUCTION Cyberthreats are continuously evolving, taking full advantage of emerging technologies, such as Artificial Intelligence (AI). Ransomware attacks remain a major concern, becoming more sophisticated and targeting not only individuals but also critical infrastructure and supply chains. Nation-state actors continue to engage in cyber espionage and disruptive attacks, often focusing on political, economic, or technological objectives. The expansion of the Internet of Things (IoT) has also introduced vulnerabilities, leading to an increase in attacks targeting interconnected devices. In addition, social engineering techniques like phishing and spear phishing are becoming more personalised and convincing, exploiting human psychology to gain unauthorised access to sensitive information. The rise of AI and machine learning is both a potential solution and a concern, as these technologies are leveraged by both attackers and defenders to optimise their strategies. As a result, a comprehensive and adaptable cybersecurity approach is crucial to mitigate these evolving threats. Based on the aforementioned remarks, Cyber Threat Intelligence (CTI) refers to the information collected, analysed, and disseminated about potential and current cybersecurity threats and vulnerabilities. It is a proactive approach to cybersecurity that involves gathering data from various sources, such as security research, hacking forums, malware samples, and network monitoring, to understand and predict potential cyberthreats. CTI encompasses a wide range of data, including indicators of compromise (IoCs) such as IP addresses, domain names, hashes of malicious files, patterns of attack behaviours, and tactics, techniques, and procedures (TTPs) used by threat actors. This information is then analysed to identify patterns, trends, and potential risks. In this paper, we provide a brief analysis of CTI solutions, highlighting the current trends and directions for future research works. The rest of this paper is organised as follows. Section II summarises the use cases of CTI. Section III describes existing works in this field. Next, section IV summarises trends and research directions. Finally, section V concludes this paper. II. U SE C ASES OF C YBER T HREAT I NTELLIGENCE As presented in Fig. 1, CTIS is composed of five main stages: (a) Planning and Direction, (b) Collection, (c) Analysis, (d) Production and (e) Dissemination and Feedback. Commonly, organisations adopt CTI mechanisms to: • Enhance Proactive Defense: By staying ahead of potential threats, organisations can implement measures to detect and prevent attacks before they occur. • Incident Response: CTI helps organisations respond more effectively to security incidents by providing information about the nature and scope of the threat. • Patch and Vulnerability Management: Understanding emerging threats can help prioritise which vulnerabilities to address first. • Risk Assessment: CTI assists in evaluating the potential impact of various threats on an organisation’s systems and data. • Cybersecurity Strategy: It aids in developing a strategic approach to cybersecurity, focusing resources on the most relevant and likely threats. • Sharing Insights: Organisations can share CTI within their industry or sector, contributing to a more collaborative approach to cybersecurity. • Decision Making: CTI provides actionable insights that aid in making informed decisions about security measures and investments. • Understanding Attackers: By studying threat intelligence, organisations can gain insights into the motivations, techniques, and intentions of various threat actors. III. A NALYSIS OF E XISTING W ORKS In [1], M. Mena and B. Yang present an implementation of the blockchain protocol in a home network with IoT devices with the aim of providing a decentralised system that shares CTI between service providers and consumers. As a proof of concept, the authors designed a network simulation environment with the following components: an Ethereum blockchain network, a GNS3 server and another server that acts as a gateway to the rest of the network. Bonesi, an open-source tool that simulates botnet behaviour, was used to simulate a Distributed Denial of Service (DDoS) attack. The analysis was focused on three different metrics: network performance, Ethereum network performance and network security capabilities. There were two scenarios to test the framework. One tested network performance without the attacks to create a baseline for normal network activity, and the other tested the Ethereum network performance under DDoS attacks. A comparison was made between two groups, one without blockchain instances (control group) and another with blockchain instances (experimental group), during the streaming of a Youtube performance. The DDoS attack triggered a blockchain transaction through Snort, which was then broadcast to the rest of the network, which in turn automatically stopped the attack. The impact on the response time for the home networks was a small delay of 2%, and connection speed was better in the control group. There was also a creation of a blockchain-based CTI report that took only 55 seconds to reach the other blockchain nodes when the attack was detected. In [2], the authors aim to address the rare use of CTI by Small and Medium-sized Enterprises (SMEs) by conducting a systematic review of current approaches in sharing CTI and presenting a prototype that uses a Malware Information Sharing Platform (MISP). The prototype is particularly useful for less digitally mature SMEs.The literature review was conducted using a combination of an active learning phase and a backward snowballing phase. It was determined that structured open-source intelligence sources and, more specifically, the VERIS Community Database (VCDB) are more suitable for the SME’s needs. However, these sources need to be complemented by the ENISA rankings. The proposed solution uses MISP in conjunction with the GEIGER application. The CERT-RO CTI feed in MISP provides GEIGER with processed MISP events via its Application Programming Interface (API). Then, a process of prioritising the CTI threats with the help of VCDB data for digitally dependent SMEs,digitally-based SMEs and digital enablers takes place. This classifies threats depending on which of them are related to the SME users. The threat prioritisation is done periodically with the help of an exponential smoothing algorithm. The change in the threat prioritisation and in the relevant countermeasures that need to be implemented does not take into account internal data from SMEs and eliminates the need for a security expert. Following the previous paper, in [3], the authors present an overview of MISP. First, it shows the data format of the events. Then, the different sharing models are analysed. The concept of taxonomies, with the triple tag structure, is also analysed. The next section is about the synchronisation protocol. There are three mechanisms present in the protocol, namely, the push and pull mechanism and the cherry-pick technique. All three are analysed in great detail. Finally, there are also statistics about the use of MISP. A distribution of events per month from 2013 to 2016 is presented with a peak of published events in 2015 and 2016. In [4], the authors present LUUNU, a blockchain-based, MISP, Model Cards and Federated Learning (FL) enabled CTI sharing platform. This platform provides transparency and credibility to the CTI sharing by storing CTI data on the MISP storage in the form of Model Card objects. The anonymity of the organisations that report these data is ensured with the use of a Self-sovereign identity-enabled mobile wallet. The LUUNU architecture has five layers: the first is the Stakeholder Layer, which contains incident reporters/viewers and admins. The second is the Smart Contract Layer. This is where the Fig. 1: Lifecycle of Cyber Threat Intelligence user’s digital identity proofs are stored, along with CTI, FL and notification contracts. Another service is the encoding of CTI data and ML information into Model Card objects. The Blockchain Storage Layer contains the nodes of each organisation. The MISP Layer stores the Model Card objects and allows the blockchain smart contracts to interact with it via its API. The fifth layer, called the Data Analytic Layer, provides the FL service. That is a service that uses FL models to detect cyberattacks. The functionality of LUUNU is to register the organisation on the platform as a blockchain node so that they can report incidents, which are then encoded into the Model Card and saved in the MISP database. The LUUNU platform is implemented on top of the Rahasak blockchain. The FL functions originate from Pytorch and Pysyft. The Model Card service is built with TensorFlow Model Card Toolkit, and the operation handling of the blockchain is managed with Apache Kafka. In [5], the authors present the Enriched Threat Intelligence Platform (ETIP), whose functionality is to collect, relate and aggregate OSINT data and data from the monitored infrastructure. The OSINT data are stored in the MISP database, and the infrastructure data are stored in the Heuristic Component database. The MISP platform was selected based on criteria such as the integration with Security Information and Event Management (SIEM) and Intrusion Detection Tool (IDS) tools because the goal is to feed the enriched data to an IDS or an SIEM. The ETIP architecture has two modules: the Composed IoC module, which collects IoCs and interrelates them, making them more enriched and the Context-Aware Intelligence Sharing module, which contains a MISP instance and a heuristic component. The heuristic component receives data from MISP, and its purpose is to produce a Threat Score(TS) for the received data. To compute the TS, the Weighted Mean(WM) function was used, and it is calculated by summing the individual heuristic values times and the individual weight factor. The weighting criteria of this factor are relevance, accuracy, variety and timeliness. If there is a match with the MISP attributes, a score is computed according to these criteria. Finally, depending on whether the TS score is high enough, the enriched IoCs will help analysts determine the risk score on tools such as IDS and SIEM. The goal of this paper [6] is to describe the data interaction methods used to evaluate the information exchanged in MISP and to propose a scoring technique for decaying information. A feature of MISP called taxonomies is used to evaluate attributes. Taxonomies are a classification method with its own vocabulary. The taxonomies are part of the scoring model through tagging. A data interaction method in MISP is the sightings, which provide information about the validity of an attribute, categorising it into priority or decaying attributes. Each attribute has a decaying function. There are also some parameters that need to be considered for its overall score: the base score of an attribute, which is calculated with the help of its weighted applied tags and the source confidence, the difference in time between the current time and the time of the attribute’s last sighting and the decay rate or the speed at which the attribute’s score decreases. The two parameters of the model are the end time of an attribute and the variable decay rate. Two models are considered for calculating the score, one with exponential digression and another one with a polynomial function. The polynomial function was more advantageous. Security playbooks present the necessary steps and processes to mitigate cyberattacks, or they can also automate security functions in an efficient way. In [7], the authors introduce a metadata template to integrate security playbooks and, more specifically, the Collaborative Automated Course of Action Operations(CACAO) playbook into the MISP threat intelligence platform and a cyber threat intelligence ontology named Threat Actor Context ontology(TAC). A CACAO playbook can consist of a series of actions for cyberdefense functions such as threat hunting or attack emulation. It is represented in JSON format and can be digitally signed. To integrate the CACAO playbook into shareable threat intelligence, a metadata template was created to map the metadata of CACAO. The template contains elements such as id, description, impact and severity. The MISP platform allows the creation of objects, which are templates that represent complex structures of attributes that share a contextual bond. The object named course of action describes the measures of responding to an attack. Based on that, the proposed template elements now become the attributes of a new object, called MISP Security Playbook object, that can also be linked to other objects, such as attack emulation objects. Finally, the TAC ontology, which is based on the STIX 2.1 standard, a standard that also includes course of action, can be converted into an ontological representation. This representation is also based on the proposed metadata template. Because IoCs may not always be as effective in identifying an attack and their value may decay with time, in [8], the authors proposed a solution that shares ML models for threat detection. To protect these models, they enforced a cryptographic scheme so that only authorised parties in the community have access to them. The sharing of ML models is happening through a MISP object template. The goal is to investigate a variety of ML models against a DDoS scenario to determine which one provides a good classification of malicious and benign traffic. The first model to be tested was the Decision Tree Classifier with a depth of 2. The classification was almost perfect, but when tested against a scenario where the attacker sends a modified HyperText Transfer Protocol (HTTP) payload, it misclassified the malicious traffic as benign. Next, a Random Forest Classifier with 20 decision trees was tested. The performance was better than the previous model, but the modified HTTP payload was still misclassified. The third model was a ‘OneClassSVM’ where the attack is considered an outlier. The performance was not as good as the other two, but it correctly classified the modified HTTP responses as malicious. The fourth model was a Multi-Layer Perceptron (MLP) binary classifier. The classifier not only had excellent performance, but it also identified the modified HTTP payload correctly as malicious. This model could be a good contribution to the threat intelligence community. Finally, a set of autoencoders was trained in an unsupervised way on benign traffic. The modified HTTP payloads were correctly classified as malicious. Next, the authors defined a taxonomy for adversarial ML threats. Finally, a CiphertextPolicy Attribute-Based Encryption (CP-ABE) scheme was used for the encryption of the data on the MISP database. In [9], the authors present an investigation of available formats, languages, and sources of threat feeds along with their suitability for several use cases related to security. The categories of the examined CTI sources were internally sourced, such as system logs and events or network events, externally sourced observables or feeds and open-source intelligence. The CTI format and languages investigation mainly focused on CTI standards specifically used for CTI representation, such as STIX, CybOX and CVRF, application-specific or vendorspecific formats such as MISP, commonly used standards that were not initially intended for CTI sharing and legacy formats referred in the literature but no longer in use. The analysis that the authors provide is focused on the CTI source feeds, formats and languages. First, they examined the CTI source originality, whether they are original or retransmitted. Then, they presented the range of CTI types (like IP, URL, domain) in the CTI source feeds. Based on that range, they defined rich CTI as CTI with more than two types in the feed and sparse CTI. It was found that only half of the examined feeds contained rich CTI. Moreover, various CTI formats and languages were searched for efficiency regarding different use cases. These use cases could be Email Blocklists, Spam filters, Network IDS (NIDS) or malware analysis. The goal of this paper [10] is to capture the changes in a threat actor’s behaviour and the polymorphism in their actions over time. The tendency of some threat actors to use obfuscation techniques prevents security analysts from associating an event with a particular threat group. To resolve this issue, the authors used a proof-of-concept ontological representation of Threat Actor Library (TAL) to identify threat actor types from CTI objects. TAL is a threat agent library, and it is used for risk assessment. It enumerates twenty-one threat actor types, such as government spies and radical activists. Several threat actor knowledge bases are presented to show how they could benefit from a more structured and automatic way to query them. For example, the MISP Threat Actor Cluster uses the term espionage for both an incident type and a motive, which creates ambiguity. The domain ontology for threat actor profiling created by the authors refined TAL to remove ambiguities that may occur. As an example, the object property hasDefiningMotivation on the ontology refers to the object of an attack that was influenced by motivation. It could also be hasPersonalMotivation. A threat actor type object could be a HostileThreatActorType or a NonHostileThreatActorType. Finally, the Lazarus Group case is presented to evaluate how a polymorphic group can be identified in an automatic way using deductive reasoning. Being polymorphic, it has exhibited behaviour that could be categorised as organised cybercrime, hacktivists or cyber vandals. Examining some attacks, such as the DarkSeoul attack, and characterising them using the proposed domain ontology, the Lazarus Group was revealed to be the one behind them. The goal of this paper [11] is to determine the criteria that evaluate different TIPs. This was achieved by conducting a literature review to gather studies related to threat intelligence sharing (TIS) and TISPs. Out of the 40 collected papers with the greatest relevance to the study, a set of 62 criteria was extracted. The 62 criteria were grouped into two main categories: functional and non-functional criteria. The functional criteria contain the Phases of TIS, which are Collection, Aggregation, Analysis and Dissemination of TI. Each one of them contains subphases with Available Functions and Degrees of Automation existing in every phase. The functional criteria also contain Cross-Phase Support, which consists of Information Security, Data Privacy, Data Quality, Trust, Import and Export, Collaboration(which contains Anonymity Levels), Reporting and Additional Functions. The non-functional criteria contain Architecture and Interfaces (Type of Platform, Architecture, APIs, User Interface), Content and Standardization (Data Origin, Threat Intelligence and Standardization), Provider and Users and Usage Fees, License and Distribution (Usage Fees, License, Geographical Focus and Sectoral Focus). All these criteria are part of the evaluation framework, which was then used to test ten TISPs, with three of them included and analysed in the paper. These were MISP, OTX and ThreatQ.Some similarities derived from the framework were that all of them provide collection, aggregation and dissemination of TI, all of them use the STIX, TAXII and OpenIOC standards and all of them process external data sources apart from internal. On the other hand, not all of them have the same data quality and reporting functions, as only OTX offers comprehensive reporting and individualisation. Regarding the content, MISP focuses on IoCs while the other two on TTPs. In [12], T. Schaberreiter et al. introduce a framework to evaluate trust in the quality of CTI sources. The approach proposed here is based on a closed-world assumption. This means that information provided by a specific set of CTI sources is all the information that exists in the world of CTI. The advantage of the closed world assumption is that every time a new CTI is shared with the world, the evaluation parameters of trust can be re-evaluated. There are two main aspects in this framework: the first one describes a set of quantitative evaluation parameters and the way they are computed. These are Extensiveness, Maintenance, False Positives, Verifiability, Intelligence, Interoperability, Compliance, Timeliness, Completeness and Similarity. The second main aspect is the derivation of a trust-based quality indicator to assess the quality of each source that exists in the worldview. The trust indicator(TI) of each intelligence source in the worldview depends on the weighted sum of the respective parameters. It also depends on the interval t at which the trust indicator is recalculated. The selection of this time interval is dependent on the rate at which the parameters change values and the specific needs of the use case. The Extensiveness quality indicator is calculated as a computational example. The data sample contains three STIX messages from MISP. In [13], the authors propose a platform for ORchestrated Information SHaring and Awareness(ORISHA) which is backed by a distributed Threat Intelligence Platform (TIP). In this case, the TIP is a network of several MISP instances. The benefits of ORISHA are the improvement of the detection accuracy for the Threat Detection Systems(TDS) and the sharing of reliable threat detection information among organisations with different TDSs. The ORISHA platform consists of three parts: the distributed TIP, responsible for storing data and delivering them to the other components/other MISP instances. The TDS layer includes ensemble-based IDS (EBIDS), an ML-based intrusion detection method for classifying network flows as attack-related or normal. The cooperation and active learning among the TDSs with the goal of improving their detection capabilities is very similar to a Query-By-Committee (QbC) strategy. Let’s assume that TDS1 detects an anomaly in network traffic. This triggers the creation of a MISP security event. When the event is distributed in the TIP, a second IDS (TDS2) analyses it. If the classification is different than the one TDS1 gave, the event is returned to TDS1, which uses the re-evaluated event for its training set. In the opposite case, the event now has two consensus labels, and it is validated by an expert and later retrieved by other TDSs.To evaluate the platform, a series of experiments are conducted, where the different entities in the TIP share anomalies detected by their own TDSs. To measure the performance of the classification models, AUC, AUC-PR and F-measure were used as metrics. The experimental results showed an improvement in terms of accuracy of detection due to the implementation of the ORISHA. In [14], K. Rantos et al. propose a layered model to address the interoperability challenges that organisations face when exchanging CTII. The four interoperability layers that represent the security issues that organisations have to confront when CTII is about to be shared are the following: legal interoperability, which covers legal restrictions and the impact on data privacy while sharing, policy and procedures, which are formal statements of the organisations objectives, along with instructions to achieve them, semantic and syntactic interoperability, that concerns the different data types and standards of CTII, such as STIX, MISP, CAPEC, MAEC, IODEFv2 and IDMEF and finally technical interoperability that involves protocols proposed for the transmission of CTII and the protection of information during sharing. The authors conducted an analysis of various CTII sources with respect to interoperability and focused on semantic and syntactic standards as well as policies. The analysis showed that 50% of the sources chose the JSON format, while 59% and 31% chose plaintext and CSV, respectively. Only a small percentage opted for CTII-oriented standards such as MISP. The majority of the sources provide information in generic formats only and not CTII-related ones. As far as policies are concerned, only 15 out of 32 sources provide open and public information. In [15], the authors present an evaluation methodology for both threat intelligence standards and threat intelligence platforms. Because of the overwhelming number of results found in the literature, the standards and platforms that are unable to cover two or more stages of the threat intelligence production process flow were excluded. Then, the most popular free and open-source standards and platforms were selected. To evaluate them, a holistic architecture model was developed based on the 5W3H (what, who, why, when, where, how, how much and how long) method. For example, the field describes the way the cyberattack took place and the related techniques. Four additional entities, namely Threat, Incident, Threat Actor and Defense, are added to the architecture. Based on the popularity, the chosen standards were STIX, TAXII, IODEF, RID, CybOX and OpenIOC.Based on the holistic architecture and applicability in different use cases, STIX, combined with TAXII, was the best choice. In the same manner, the platforms selected for analysis were MISP, CIF, CRITs, OpenCTI and Anomali STAXX. Based on the holistic architecture and some processual criteria, such as collection process, correlation and classification mechanisms, visualisation and integration with other security tools and platforms, MISP and OpenCTI were the two most complete platforms. IV. T RENDS AND R ESEARCH D IRECTIONS Based on the analysis of the previous works, the following trends and research directions are identified: Automation and AI: The use of automation and AI in CTI has been growing. These technologies can help process and analyse vast amounts of data more quickly and accurately, enabling faster threat detection and response. Contextual Threat Intelligence: Contextualising CTI by considering factors such as industry-specific risks, geopolitical events, and an organisation’s own infrastructure enhances the relevance and effectiveness of threat intelligence. Dark Web Monitoring: Monitoring underground forums, marketplaces, and other parts of the dark web has become crucial for understanding cybercriminal activities, sharing intelligence, and staying ahead of emerging threats. Threat Actor Attribution: While attribution remains challenging, there is growing interest in accurately attributing cyberattacks to specific threat actors, groups, or nation-states. This can help organisations understand motives and respond effectively. Regulatory Compliance: With the introduction of data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), threat intelligence is being used to ensure compliance and demonstrate due diligence in protecting sensitive data. Machine-Readable Threat Intelligence (MRTI): The adoption of standardised formats for threat intelligence data enables easier sharing, integration, and automation across security tools and platforms. Edge and Remote Workforce Focus: With the shift to edge services and remote work, CTI is adapting to address the unique security challenges associated with these environments. V. C ONCLUSIONS The continuous evolution of cyberthreats requires the presence of adaptable and proactive countermeasures. In this paper, we focus on CTI mechanisms, investigating existing solutions in this field. Based on this analysis, trends and research directions in this field are identified. R EFERENCES [1] D. Mendez Mena and B. Yang, “Decentralized actionable cyber threat intelligence for networks and the internet of things,” IoT, vol. 2, no. 1, pp. 1–16, 2020. [2] M. Van Haastrecht, G. Golpur, G. Tzismadia, R. Kab, C. Priboi, D. David, A. Răcătăian, L. Baumgartner, S. Fricker, J. F. Ruiz et al., “A shared cyber threat intelligence solution for smes,” Electronics, vol. 10, no. 23, p. 2913, 2021. [3] C. Wagner, A. Dulaunoy, G. Wagener, and A. Iklody, “Misp: The design and implementation of a collaborative threat intelligence sharing platform,” in Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, 2016, pp. 49–56. [4] E. Bandara, S. Shetty, R. Mukkamala, A. Rahaman, and X. Liang, “Luunu—blockchain, misp, model cards and federated learning enabled cyber threat intelligence sharing platform,” in 2022 Annual Modeling and Simulation Conference (ANNSIM). San Diego, CA, USA: IEEE, 2022, pp. 235–245. [5] M. Faiella, G. G. Granadillo, I. Medeiros, R. Azevedo, and S. G. Zarzosa, “Enriching threat intelligence platforms capabilities.” in ICETE (2), 2019, pp. 37–48. [6] S. Mokaddem, G. Wagener, A. Dulaunoy, and A. Iklody, “Taxonomy driven indicator scoring in misp threat intelligence platforms,” arXiv preprint arXiv:1902.03914, 2019. [7] V. Mavroeidis, P. Eis, M. Zadnik, M. Caselli, and B. Jordan, “On the integration of course of action playbooks into shareable cyber threat intelligence,” in 2021 IEEE International Conference On Big Data (Big Data). Orlando, FL, USA: IEEE, 2021, pp. 2104–2108. [8] D. Preuveneers and W. Joosen, “Sharing machine learning models as indicators of compromise for cyber threat intelligence,” Journal of Cybersecurity and Privacy, vol. 1, no. 1, pp. 140–163, 2021. [9] A. Ramsdale, S. Shiaeles, and N. Kolokotronis, “A comparative analysis of cyber-threat intelligence sources, formats and languages,” Electronics, vol. 9, no. 5, p. 824, 2020. [10] V. Mavroeidis, R. Hohimer, T. Casey, and A. Jesang, “Threat actor type inference and characterization within cyber threat intelligence,” in 2021 13th International Conference on Cyber Conflict (CyCon). IEEE, 2021, pp. 327–352. [11] S. Bauer, D. Fischer, C. Sauerwein, S. Latzel, D. Stelzer, and R. Breu, “Towards an evaluation framework for threat intelligence sharing platforms.” in HICSS, 2020, pp. 1–10. [12] T. Schaberreiter, V. Kupfersberger, K. Rantos, A. Spyros, A. Papanikolaou, C. Ilioudis, and G. Quirchmayr, “A quantitative evaluation of trust in the quality of cyber threat intelligence sources,” in Proceedings of the 14th international conference on availability, reliability and security, 2019, pp. 1–10. [13] M. Guarascio, N. Cassavia, F. S. Pisani, and G. Manco, “Boosting cyber-threat intelligence via collaborative intrusion detection,” Future Generation Computer Systems, vol. 135, pp. 30–43, 2022. [14] K. Rantos, A. Spyros, A. Papanikolaou, A. Kritsas, C. Ilioudis, and V. Katos, “Interoperability challenges in the cybersecurity information sharing ecosystem,” Computers, vol. 9, no. 1, p. 18, 2020. [15] A. de Melo e Silva, J. J. Costa Gondim, R. de Oliveira Albuquerque, and L. J. Garcı́a Villalba, “A methodology to evaluate standards and platforms within cyber threat intelligence,” Future Internet, vol. 12, no. 6, p. 108, 2020.