This presentation forms part of the CTA's Threat Intelligence Practitioners' Summit
Thursday 25 September 16:00 - 16:30, Small Talks room
Kihong Kim & SuhMahn Hur (SandsLab)
Today’s threat intelligence ecosystem generates an unprecedented volume of data across numerous channels, ranging from freely available OSINT to highly specialized commercial CTI services. The amount of information that can be collected daily often reaches hundreds of thousands or even millions of entries, utilized for incident investigation, anomaly detection, and proactive defence against emerging threats.
However, the current data sharing paradigm faces fundamental challenges. Shared information tends to be unilateral and its actual relevance and value can vary significantly depending on the recipient’s geographic or operational context. While many threat intelligence providers claim a global focus, in practice, locally sourced and locally analysed information often holds much greater practical value within specific regions. Moreover, an overemphasis on the sheer quantity of shared data, without sufficient quality control, risks degrading the effectiveness of defensive measures.
In this talk, we propose a shift beyond simple IoC sharing towards a data-driven sharing framework that clearly articulates the collection rationale, threat assessment purpose, and data generation background.
Specifically, we advocate for the adoption of a Quality and Relative Evaluation-based Trust Scoring Model, rather than a quantity-based contribution model.
This framework would emphasize data quality and relative trustworthiness, encouraging community members to continuously improve the integrity and practical utility of shared intelligence.
It aims to enhance the reliability and actionable value of community-shared data across the ecosystem. Additionally, this session will offer a candid assessment of the current qualitative state of threat intelligence data shared within the CTA community, and propose actionable directions for fostering a more mature, effective, and trustworthy collective defence posture.
Ultimately, this presentation seeks to reinforce the essential role of community-driven collaboration and to contribute to the establishment of a more robust, quality-centred threat intelligence sharing environment.
Kihong Kim
Kihong Kim is the Founder and CEO of SANDS Lab, a leading AI-powered cybersecurity company based in South Korea. With nearly two decades of experience in cyber threat intelligence (CTI), Kihong is recognized as one of South Korea’s foremost experts in malware analysis and threat actor profiling. He holds more than 100 patents in the fields of malicious code analysis, automated threat detection, and profiling technologies – demonstrating his deep commitment to advancing the core technologies that defend against evolving cyber threats. His pioneering work has earned him national recognition, including prestigious awards from the President of South Korea, the Prime Minister, and the Minister of Science and ICT. Kihong is passionate about taking Korean cybersecurity innovations to the global stage. He is actively involved in international alliances such as the Cyber Threat Alliance (CTA), where he continuously contributes to collaborative defence efforts and strives to promote the value and necessity of CTI worldwide.
SuhMahn Hur
SuhMahn Hur is the Team Lead of the Threat Analysis Team at SANDS Lab. He has a strong interest in cyber threat intelligence, malware analysis, and URL analysis. Leveraging his extensive analytical experience, he has developed numerous detection solutions and is also deeply interested in applying artificial intelligence to security technologies. He has worked for several years as an incident response analyst and has developed a platform that significantly reduces incident analysis time by creating artifact collection tools and malware detection agents.