After a few cycles of just looking at the data, a funny thing happens.. you start making choices a bit differently, if only because there's data staring at you in the face....

... and in less than 5min you're streaming all the public data from within CSIRTG (which- at the time of this writing is comprised mostly of various types of scanning activity from honeypots as well as odd-ball spam/phishing urls, email addresses, email attachment hashes, etc..).

There is also an example feed and correlation tool to help get you started, maybe even generate an idea or two.  The correlation tool looks at all the scanners coming across all the feeds in real-time and simply produces a correlated indicator when it finds an indicator created across 3 different users within a 24 hour period. Crazy simple, yet produces a highly suspect list of suspicious actors that can be confidently acted on in your security infrastructure.

...with chatbots, we can hyper-focus those contexts and interactions to generate a more meaningful experience. If we're in a chatroom, talking about an indicator- the subtly of a bot PM'ing us and suggesting "hey! i know about that- here are some links.." mid conversation can be quite useful. You obviously don't want the bot to be too spammy, but with the right combination of query-ability and common sense, it can be the subtle difference between finding that breach you've been hunting for- and not...

A buddy of mine and I were talking one day about businesses. Working with them, partnering with them, and more importantly .. starting them. There's a famous saying, "ideas are a dime a dozen, everyone's got one and none of them are of any value". Finally, after years of watching fad's come and go- I get it. Something like 90% of new businesses fail in the first few years, not because their ideas were bad, but because of three things- market timing, money and execution.

For anyone that's ever tried, there's no 'one way' to parse email, it's one of those long standing protocols that was developed during a different period of time, is extremely resilient, can carry just about anything, works across different encodings, systems and will do just about anything you want it to. The very thing that makes it so versatile- is the very thing that makes it extremely difficult to parse- well. Transporting email is easy, most of the headers and other implementation details in the RFC define that pretty well. It's what IN the messages that's important (and hard)....