Internet Service Providers have the enormous task of protecting their systems from regular network infringement. Without a security plan in place, networks are prone to becoming a haven for network abuse.
According to Cybersecurity Ventures’ 2016 Cybercrime Report, the costs of global annual cybercrime will increase from US $3 trillion in 2015 to US $6 trillion by 2020. Microsoft Advanced Threat Analytics states that attackers stay in a network for an average of 140 days before they are detected.
The following points will help service providers implement the security measures needed to avoid becoming a spam haven of network abuse:
Setting Up Honeypots
Honeypots, as the name suggests, have the sole purpose of drawing attackers into their system so that they can be attacked and infected instead of a system rich in data. Honeypots allow abuse employees to collate real-time data reports based on actual threats, and monitor and draw intelligence from the attacker’s activity — this includes previously unknown abuse capabilities.
Honeypots are so effective because once the attacker penetrates that system the abuse team can contain and deal with that threat before it does damage elsewhere. Abuse teams are then better prepared to defend the network and prevent future abuse. AbuseHQ automatically contains Abusix honeypot reports that allows you to see network abuse in real-time, and to take proactive action. It isn’t a matter of whether or not you should set up a honeypot, but what kind.
Make Use Of Abuse Desk Tactics
There are 4 main tactics abuse managers can deploy to make their handling system more effective:
- Inbound abuse handling – Managing abuse starts with the @abuse mailbox: one location where everything can be collated and identified. Web forms are also a great way to increase the quality of spam reporting while automated APIs push large amounts of data into the abuse handling process. However, these two should not replace the @abuse inbox.
- Parsing and analyzing abuse – Large amounts of data sources need to be organized and analyzed into a report format. Consider a M3AAWG best practice. Process IP abuse reports through a unique identifier and find ways to associate reports with a particular IP source that is responsible for multiple abuse reports.
- Handling abuse – the manual process needs to be optimized, which can be done by identifying the most important issues first, prioritizing and manually testing one problem at a time, and continuing to optimize problem sets based on priority. Then identify and focus on another problem set.
- Remediation and mitigation – Depending on where the root cause of abuse is located, remediate the abuse if it can be eliminated completely, or mitigate it so that it can be minimized.
DNS Query Monitoring
When a user visits a domain for the first time, their computer must learn what the IP address is and sends a query to do so. Service providers can see each subscriber’s domain, which allows them to analyze DNS query information.
DNS domain queries are not encrypted, even if connections to their data are, which makes monitoring those user queries that much easier. It’s also cost effective and feasible. In abuse handling prevention, DNS query monitoring helps track which users are visiting domains infected with malware and detect malicious software on their devices.
Service providers can monitor their subscribers’ DNS queries, correlating them with their IP abuse report. If too many MX queries are raised, it’s a sign that something is wrong with their system.
Nothing Is 100% Secure
Despite all the practical - and necessary - security systems available to service providers and their subscribers, it is not possible to have 100% security due to the technological tools available to attackers.
Service providers can thwart potential incidents from spiraling out of control by providing their customers with security advice or recommendations on a regular basis. Some of the following points can be implemented into your onboarding and regular communiqués process:
- Ensure anti-virus software has been installed and is automatically updated.
- Avoid suspicious links or attachments in your email and social media accounts.
- Be extremely cautious when connecting to public Wi-Fi points as these can be compromised exposing your device to potential risk, especially with financial and personal accounts.
- Change, lengthen and strengthen your passwords by combining upper and lower case letters, numbers and symbols.
- Update software regularly—When a software vendor provides upgrade notifications, it’s wise to do so as the older version may have had a security flaw. Activate automatic updating on the settings key.
Networking intrusion monitoring is a 24-hour process. As the last line of defense, service providers need to be equipped with the right tools and processes— an abuse desk that transforms data into real-time intelligence and detects which computers within their network have been compromised.
AbuseHQ from Abusix provides the necessary tools and clarity for service providers to stay on top of their game 24/7/365. It integrates seamlessly into your current infrastructure. To find out more about how AbuseHQ can help abuse desks perform at their optimum, request your free demo today.
Download the Abuse Handling Basics report that walks you through the steps on implementing an abuse handling desk.