I just posted this on Twitter:
The #HITME caught 1,684 new unique probes last week. That’s about 10 unique probes per hour or one unique probe every 6 minutes on avg.
Interesting idea that some sort of entropy in attacker signatures happens that often on average. Every 6 minutes some nuance of an attack pattern changes and we see it in the HITME data. Sure, some of these are encoding changes, slight modifications, but some are new scanning targets, new payloads and entirely new strains of attack and probe activity.
With attack patterns changing so rapidly, are you really sure your heuristics-based tools and approaches are able to keep up? Remember, too, this is just server/application viewpoint data. It has nothing to do with the threat entropy that a client application like a browser encounters. Those metrics, in my opinion, are likely to be exponentially higher if we could ever find a way to measure them in a meaningful way.