In the context of security, IPv6 has no meaningful granularity below /64. Seconds of research will also show how cheap it is to get a /48 as well. Every time I see full IPv6 addresses as if they were meaningful at that resolution, I die just a little bit on the inside. Policy issues with filtering by country of origin aside, ASN would be a better filter here over country of origin.
It's also unclear why using a /48 helps evade their indicators of compromise detection?
> Takeaway: Looking at User Activity Timelines Isn’t Enough
I mean, obviously? You'd only look at a user's timeline if a user was compromised. Looking at a user's timeline looking for infra attacks is like studying the rings on a tree you just cut down, as a means to determine if the forest is on fire.
As a whole this intro to security detection doesn't fill me with a ton of confidence... Everything here is exclusively superficial.
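The /64 point above in practice: an indicator list keyed on full IPv6 addresses misses any source that rotates within the same /64 (or the same /48, given how cheaply one is obtained). This added example, not part of the comment or the article it criticises, collapses indicators and observed addresses to their covering prefix before matching; the indicator values are constructed from the 2001:db8::/32 documentation range, not real IoCs.

```python
import ipaddress
from typing import Iterable

# Constructed sample indicators from the documentation prefix (not real IoCs).
SAMPLE_IOCS = [
    "2001:db8:1234:5678::1",
    "2001:db8:abcd:1::10",
]


def to_prefix(addr: str, prefixlen: int = 64) -> ipaddress.IPv6Network:
    """Collapse a full IPv6 address to its covering /64 (or coarser) network.

    Anything finer than /64 is refused: a single host can use any address
    in its /64, so lower bits carry no security meaning.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        raise ValueError(f"not an IPv6 address: {addr}")
    if not 0 <= prefixlen <= 64:
        raise ValueError("prefix length finer than /64 is not meaningful")
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def build_indicator_set(iocs: Iterable[str], prefixlen: int = 64) -> set:
    """Normalise an indicator list to the set of covering networks."""
    return {to_prefix(a, prefixlen) for a in iocs}


def matches(observed: str, indicators: set, prefixlen: int = 64) -> bool:
    """Prefix-aware match: true if the observed address shares a covering
    network with any indicator at the chosen granularity."""
    return to_prefix(observed, prefixlen) in indicators


def exact_match(observed: str, iocs: Iterable[str]) -> bool:
    """The naive full-address comparison that the rotation trivially evades."""
    return ipaddress.ip_address(observed) in {ipaddress.ip_address(a) for a in iocs}
```

Matching at /64 catches an address that differs only in the interface identifier; widening to /48 also catches a neighbouring /64 from the same allocation, at the cost of coarser attribution.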