Cyberattacks continue to increase, the bad guys are not going away, and governments simply cannot solve the problem by enacting laws that are typically only enforceable within their own borders. Well-organized, highly skilled criminal groups and state-sponsored hackers have largely replaced the amateurs and lone wolves. Your cybersecurity staff members and analysts are dealing with hundreds or even tens of thousands of reports every day, and they are suffering from event fatigue. They cannot process all reports in a timely manner, and they are beginning to feel that they are fighting a battle that they can never win. Some days, the best they can manage to accomplish is to identify and handle most of the incidents that pose the greatest threat, but even then they are not certain how many potentially disastrous threats they miss. On a bad day, they may become so bogged down with low-priority incidents that they overlook a high-priority incident that could have catastrophic repercussions.
Abuse management does not have to be a haphazard, thankless, ineffective task that leads to high rates of employee turnover, corrupted systems, and network-wide peril. The answer is security orchestration, automation and response, commonly known as SOAR. Perhaps you have already automated some of your procedures. Unfortunately, this could lead to a situation in which you lock the barn after the cybercriminal has stolen your horse. Without security orchestration as your front-line defense, automation will provide limited benefits.
At this point, you may be weighing the pros and cons of adding yet another tool to the collection that the people staffing your abuse desk must employ. It is not a question of tossing another stand-alone tool into the toolbox. It is simply a matter of selecting a superior, multifunction tool for SOAR.
The Top Three Ways to Empower Your Abuse Desk
Before discussing three ways that you can empower your abuse desk, it might be helpful to direct your attention to this paper prepared by the Message, Mobile and Malware Anti-Abuse Working Group. In the paper, incidents are assigned priority levels that range from P0 to P4. P0 incidents have a critical priority, P1 incidents have a high priority, P2 incidents have a medium priority, P3 incidents have a low priority, and P4 incidents have a very low priority.
P0 incidents include child exploitation, data theft from a corporation, and harmful or offensive content.
P1 incidents include distributed denial of service attacks, botnets, and data theft on or from a network.
P2 incidents include data theft as client, dictionary or brute force attacks, and phish hosting or data drops.
P3 incidents include spam, remote file injection, spamvertising, and SSH forwarding.
P4 incidents include comment spamming, web defacement, port scanning, and exploitable services.
Typically, your abuse desk will receive far more P3 and P4 incidents than P0 incidents. The huge volume of low-priority incidents makes it much harder to find the high-priority reports. Furthermore, P0 reports are frequently not in a standardized format, making them even more difficult to find.
However, it must be remembered that circumstances can change how abuse reports are prioritized. Prioritization must include an evaluation of the seriousness and scope of the abuse, the potential for damage to the customer's or hosting company's reputation, and the report's source. Therefore, there may be times when a P2 or P3 report must be prioritized over a P1. For example, although botnets normally rank as a P1, a dormant botnet might be less critical at the moment than a massive, active spam campaign. In addition, the priority given to certain types of abuse may depend on the location of the hosting provider and the issue. In North America, trademark and copyright issues typically need to be assigned a P1 or P2 level to meet the requirements for a safe harbor under the DMCA, but in Europe, these issues may be assigned a lower priority.
There are three key features that can help you prioritize your inbound abuse reports correctly, and AbuseHQ can help you with all of them.
- Parse as many incoming reports as possible.
  - AbuseHQ offers automatic parsing of inbound reports in more than 500 formats from more than 7,000 sources, including ARF, ACNS, IODEF, and Shadowserver. This gives you permanent freedom from parser maintenance.
- Categorize the parsed reports.
  - AbuseHQ uses content and source to categorize reports.
- Automate the process for spam, DDoS and other mass reports as much as possible to ensure that you have enough cycles to manually process the high-priority reports.
  - AbuseHQ can automatically resolve 99% of your abuse incidents. This helps ensure that your internal resources are not being wasted on working primarily low-priority reports.
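As an added illustration of the parse, categorize and automate flow above (example code written for this page, not AbuseHQ's own), here is a minimal triage step in Python: it pulls the fields out of the machine-readable part of an ARF (RFC 5965) report, assigns the base P-level from the category, and applies the contextual adjustments discussed earlier (a dormant botnet, the DMCA region rule, the trustworthiness of the reporting source). The category labels, the Feedback-Type mapping, the set of auto-resolved categories and the sample report are all assumptions constructed for the example.

```python
import email
# Base priority per abuse category, following the P0 (critical) to P4 (very low)
# scheme described above; the category labels are this example's own.
BASE_PRIORITY = {
    "child-exploitation": 0, "corporate-data-theft": 0, "harmful-content": 0,
    "ddos": 1, "botnet": 1, "network-data-theft": 1, "client-data-theft": 2,
    "brute-force": 2, "phish-hosting": 2, "spam": 3, "remote-file-injection": 3,
    "spamvertising": 3, "ssh-forwarding": 3, "comment-spam": 4, "defacement": 4,
    "port-scan": 4, "exploitable-service": 4}
# ARF (RFC 5965) Feedback-Type values mapped to a category, and the mass-report
# categories resolved without an analyst; both are assumed for this example.
ARF_FEEDBACK_TYPE = {"abuse": "spam", "fraud": "phish-hosting", "virus": "botnet"}
MASS_REPORT_TYPES = {"spam", "spamvertising", "comment-spam", "ddos"}
# Constructed ARF report; the human-readable part and original message are omitted.
SAMPLE_ARF = """\
From: feedback@example.net
Content-Type: multipart/report; report-type=feedback-report; boundary="arf"

--arf
Content-Type: message/feedback-report

Feedback-Type: abuse
Source-IP: 192.0.2.1
Reported-Domain: example.org

--arf--
"""

def parse_arf(raw):
    """Return the triage fields from the feedback-report part, or None if not ARF."""
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() == "message/feedback-report":
            fields = part.get_payload(0)   # the part's body is parsed as a header block
            return {"feedback_type": (fields["Feedback-Type"] or "").lower(),
                    "source_ip": fields["Source-IP"], "domain": fields["Reported-Domain"]}
    return None

def triage(report, active=True, region="NA", trusted_source=True):
    """Categorize a parsed report and apply the contextual rules discussed above."""
    category = report.get("category") or ARF_FEEDBACK_TYPE.get(report.get("feedback_type"), "unknown")
    if category == "copyright":        # DMCA safe harbor: P2 in North America, lower elsewhere
        priority = 2 if region == "NA" else 3
    else:
        priority = BASE_PRIORITY.get(category, 2)   # unknown category: medium, human review
    if category == "botnet" and not active:     # a dormant botnet yields to active abuse
        priority += 1
    if not trusted_source and priority > 0:     # unverified reporter: one level lower, never a P0
        priority += 1
    return {**report, "category": category, "priority": min(priority, 4),
            "auto_resolve": category in MASS_REPORT_TYPES}
```

Reports from other parsers can enter `triage` with a `category` already set, which is how a non-ARF copyright complaint picks up the region-dependent level.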