There was a time a few years back where a list of malicious domain names was one of the prized possessions of an incident response team. In previous blog postings, I've discussed how attackers have moved away from purely malicious domains and more towards using legitimate or even "disposable" domains coupled with specific URL patterns. One needs to work at staying on top of these as Indicators of Compromise (IoCs), as they change quite frequently. Given this, one would expect that vendors would quickly pounce on this opportunity to service their customer base by:
- Providing URL pattern based intelligence rather than just domain name based intelligence
- Allowing for mining of the vendor collected data using URL patterns
Surprisingly, there are few vendors that facilitate this type of approach. My hope is that in the near future, more vendors will rise to the challenge confronting us all.
No comments:
Post a Comment