Tuesday, November 22, 2011

Money Shot

Finding the money shot is key to successfully containing an emerging threat. What do I mean by the money shot? That's the point of no return in a security incident. In most malicious code incidents, it's where a binary reaches a system (via HTTP download, email, or some other means) and successfully executes. It's fairly common nowadays to see 2, 3, 4, or more redirects from one compromised or malicious site to another before finally reaching the money shot. But trying to keep up with blocking/containing all the stage 1, stage 2, etc. redirect domains is an exhausting and futile process. On top of that, it's an extremely false-positive-prone undertaking that could cause a fair bit of collateral damage as well (in terms of blocking traffic necessary for business operations). Focus on the money shot first. That's where the most containment bang for the buck is to be found. It's the only chance we as practitioners have of keeping up with the ever-changing landscape. It's all about the money shot.
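To make the idea concrete, here is an added example (not from the original post) that walks a set of proxy log lines backwards along their Referer headers, rebuilds each redirect chain, and reports the terminal hop where a binary was actually served. The hosts of the intermediate redirects are kept for triage context, but only the host serving the binary is returned as a containment target. The log format, the field names, and every sample line are constructed for illustration; the content-type and file-extension lists are assumptions, not a definitive signature of a malicious download.

```python
"""Rebuild HTTP redirect chains from proxy logs and single out the terminal
binary download as the first containment target.

Added example, not code from the original post. The log layout
(timestamp client status url referer content-type) and all sample lines
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample proxy log: one client follows a four-hop redirect
# chain that ends in an executable; a second client does unrelated browsing.
SAMPLE_LOG = """\
2011-11-22T10:01:03Z 10.1.1.7 200 http://news-site.example/story.html - text/html
2011-11-22T10:01:04Z 10.1.1.7 302 http://ad-redir1.example/go?id=9 http://news-site.example/story.html text/html
2011-11-22T10:01:04Z 10.1.1.7 302 http://ad-redir2.example/r http://ad-redir1.example/go?id=9 text/html
2011-11-22T10:01:05Z 10.1.1.7 200 http://landing.example/kit.php http://ad-redir2.example/r text/html
2011-11-22T10:01:07Z 10.1.1.7 200 http://landing.example/update.exe http://landing.example/kit.php application/x-msdownload
2011-11-22T10:02:11Z 10.1.1.9 200 http://intranet.example/portal - text/html
"""

# Assumed indicators of a served binary; tune these to your environment.
BINARY_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
}
BINARY_EXTENSIONS = (".exe", ".dll", ".scr", ".msi")


@dataclass
class Request:
    ts: str
    client: str
    status: int
    url: str
    referer: Optional[str]
    content_type: str


def parse_log(text: str) -> List[Request]:
    """Parse the constructed space-separated log format into Request records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer, ctype = line.split()
        entries.append(
            Request(ts, client, int(status), url,
                    None if referer == "-" else referer, ctype)
        )
    return entries


def is_binary_download(req: Request) -> bool:
    """A successful response whose content type or path looks like a binary."""
    if req.status != 200:
        return False
    path = urlparse(req.url).path.lower()
    return req.content_type in BINARY_CONTENT_TYPES or path.endswith(BINARY_EXTENSIONS)


def rebuild_chain(req: Request, by_key: Dict[Tuple[str, str], Request]) -> List[str]:
    """Walk Referer pointers back from the terminal request to the first hop.

    The seen-set guards against referer loops in malformed or hostile logs."""
    chain = [req.url]
    seen = {req.url}
    cur = req.referer
    while cur and cur not in seen:
        seen.add(cur)
        chain.insert(0, cur)
        prev = by_key.get((req.client, cur))
        cur = prev.referer if prev else None
    return chain


def find_money_shots(entries: List[Request]) -> List[dict]:
    """Return one record per terminal binary download, with its full chain."""
    by_key = {(e.client, e.url): e for e in entries}
    results = []
    for e in entries:
        if not is_binary_download(e):
            continue
        chain = rebuild_chain(e, by_key)
        results.append({
            "client": e.client,
            "terminal": e.url,
            "terminal_host": urlparse(e.url).hostname,
            "chain": chain,
            # Intermediate hops are context for triage, not blocking targets.
            "upstream_hosts": sorted({urlparse(u).hostname for u in chain[:-1]}),
        })
    return results


def containment_targets(entries: List[Request]) -> List[str]:
    """Hosts that served the binary itself: the first thing to contain."""
    return sorted({hit["terminal_host"] for hit in find_money_shots(entries)})


if __name__ == "__main__":
    for hit in find_money_shots(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']}: {' -> '.join(hit['chain'])}")
        print("  contain first:", hit["terminal_host"])
        print("  upstream (context only):", ", ".join(hit["upstream_hosts"]))
```

Run against real proxy logs, the same walk-back gives an analyst the terminal host to block first and the redirect chain as supporting evidence, without spending the containment effort on stage 1 and stage 2 domains that will have changed by tomorrow.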

