Chris, great post for the SpiderLabs blog. I too found myself unnecessarily targeting Chinese or Russian URLs, simply because it was China and Russia. What I found (I analyze network traffic, so I have limited access at the system level) completely supports what you said...put it in the right context. I ended up finding out that the hours spent on "juicy" investigations, turned out to be a Chinese employee visiting Chinese sights...is it unusual for a Chinese individual to visit Baidu or some shopping sight in China? Not necessarily. Good reminder to "let the evidence shape your theory".
Chris, great post for the SpiderLabs blog. I too found myself unnecessarily targeting Chinese or Russian URLs, simply because it was China and Russia. What I found (I analyze network traffic, so I have limited access at the system level) completely supports what you said...put it in the right context. I ended up finding out that the hours spent on "juicy" investigations, turned out to be a Chinese employee visiting Chinese sights...is it unusual for a Chinese individual to visit Baidu or some shopping sight in China? Not necessarily. Good reminder to "let the evidence shape your theory".
ReplyDelete