There has been a lot of conversation around threat feeds and how to automate the ingestion of IPs and domains. A lot of work can go into taking these indicators, wrapping automation around them and feeding our detection tools, but I have to wonder if we have become somewhat lazy when it comes to detection. I almost think that some have become very reliant on this data and see it as the best form of detection. I’ve already written a post on my thoughts around these feeds, so I won’t go into much of that here. What I do want to talk about is the valuable data that some may not be taking advantage of.
More here: http://blog.handlerdiaries.com/?p=703