The biggest problem network abuse teams face on a daily basis is working through their reports. Network abuse is escalating at a rapid rate. The Global State of Information Security Survey 2016 reported that in 2015 there were 38% more security incidents than in 2014, and that the number continues to climb.
The knock-on effect is that network abuse teams are dealing with more network security reports each day. To help your team with this, consider putting the following into place:
Prioritize the urgent from the usual
Abuse desks rarely have enough staff to deal with the thousands of reports they face on a daily basis. To help deal with the volume, consider prioritizing your cases in the order that most MAAWG Collaboration Committee members prioritize them:
- Life-threatening emergencies: This is the highest priority and includes threats against customers or employees, bomb threats against call centers, and any online activity relating to child abductions or runaways.
- Law enforcement requests: The next priority is requests made by law enforcement officials. These can include reports of child pornography, solicitation of minors and crimes involving adults.
- Legal department requests: Third in line are requests from legal departments, which can include customer records needed to fulfill a civil litigation court order or anything to do with copyright infringement.
- Malicious activity: This can include phishing sites, DDoS attacks, malware hosting and distribution, and email solicitations. It includes any activity that puts the safety of the network or its customers in danger.
- Spam: Spam is responsible for the majority of the reports that ISP abuse teams face. The categories above tend to be low volume; once they are handled, teams tackle the spam reports.
- Port scans: Port scans are the last priority for most network abuse teams. Although a port scan can be the forerunner of more abusive activity, it should only be dealt with once the other reports are handled.
Implement abuse management systems
These are tools that allow you to manage report volumes. If your network team is forced to respond manually to every report as it appears, the cases will continue to pile up. Rather than playing whack-a-mole, get strategic about your report volume management. AbuseHQ from Abusix offers network abuse teams everything they need to efficiently deal with network security ticket volumes. This includes:
Offering full visibility for efficient response
AbuseHQ collects and displays data in real time, so your team has an immediate overview of all the reports they’re dealing with. AbuseHQ automatically classifies over 50 event types to help your team understand the nature of each abuse event.
The Abusix engine does this by performing continuous, integrated abuse and threat processing both in real time and retrospectively, allowing your team to gain insights buried deep inside your network’s noisy abuse data. This overview lets the team deal with the high-priority items first, and then get down to the spam reports that take up most of their time.
Turning vast volumes of raw data into actionable data
Vast volumes of data are a good thing. The more data you have at your fingertips, the better you are able to predict abuse before it happens, and effectively deal with abuse before it causes too much damage. Abusix’s philosophy is “Data is King” for this very reason, but you need to have the tools in place to analyze all the data and turn it into action.
Abusix processes close to 100 billion individual events annually and makes this data available to ISPs so that they can detect spam, fraud and abuse in real-time as it occurs on their networks. AbuseHQ centralizes all abuse data in one easy-to-use big data service, giving you visibility and faster insights into abuse events taking place within your network.
AbuseHQ also includes the Abuse Data Service, Abusix honeypot reports, and spamvertised and ns-vertised feeds. This real-time “black” data lets your team see when spam runs and other attacks are happening before they get your network blocklisted or before you receive abuse reports about them.
Finding commonalities amongst cases
AbuseHQ offers your network abuse team faster automated insights, enabling them to quickly assess whether the reports they are receiving are related to a single event, for example, a distributed denial of service attack. This allows them to immediately deal with the event, rather than the individual reports one at a time. The net result is that the report volumes and the knock-on effect the event could have had on other customers are all hugely reduced.
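To make the two ideas above concrete, here is a small triage routine, written as an added example for this article; it is not AbuseHQ or any Abusix code. It buckets reports into the six MAAWG priority categories listed earlier, then correlates reports about the same source address within a time window into a single event, so a DDoS that produces dozens of complaints shows up in the work queue as one case ordered ahead of the spam and port-scan noise. The report fields, type labels, time window and sample reports are all assumptions constructed for the example.

```python
"""Abuse-report triage: classify, prioritise and correlate incoming reports.

Added illustration for this article; not AbuseHQ/Abusix code. The report
dict layout, the type labels and the sample data are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Priority buckets in the MAAWG order given in the article: lower is handled first.
PRIORITY = {
    "life_threatening": 0,
    "law_enforcement": 1,
    "legal": 2,
    "malicious": 3,
    "spam": 4,
    "port_scan": 5,
}

# Maps a report's type label (assumed labels, as a feed or parser might emit
# them) onto one of the article's six buckets.
TYPE_TO_BUCKET = {
    "bomb_threat": "life_threatening",
    "csam_le_request": "law_enforcement",
    "subpoena": "legal",
    "dmca": "legal",
    "phishing": "malicious",
    "ddos": "malicious",
    "malware": "malicious",
    "spam": "spam",
    "portscan": "port_scan",
}


def bucket_for(report_type):
    """Return the priority bucket for a type label. Unknown labels fall into
    'malicious' so that an unrecognised report is never silently deprioritised."""
    return TYPE_TO_BUCKET.get(report_type, "malicious")


def correlate(reports, window=timedelta(minutes=30)):
    """Fold individual reports into events.

    Reports with the same bucket and source_ip whose timestamps fall within
    `window` of the event's first report are merged into one event. A later
    report outside the window starts a new event for the same key."""
    by_key = defaultdict(list)
    for r in sorted(reports, key=lambda r: r["ts"]):
        by_key[(bucket_for(r["type"]), r["source_ip"])].append(r)

    events = []
    for (bucket, ip), group in by_key.items():
        current = None
        for r in group:  # already in timestamp order
            if current is None or r["ts"] - current["first_seen"] > window:
                current = {
                    "bucket": bucket,
                    "source_ip": ip,
                    "first_seen": r["ts"],
                    "last_seen": r["ts"],
                    "report_ids": [],
                    "reporters": set(),
                }
                events.append(current)
            current["last_seen"] = r["ts"]
            current["report_ids"].append(r["id"])
            current["reporters"].add(r["reporter"])
    return events


def work_queue(reports, window=timedelta(minutes=30)):
    """Correlated events ordered by priority bucket, then by how many reports
    the event has absorbed (most first), then by first sighting."""
    return sorted(
        correlate(reports, window),
        key=lambda e: (PRIORITY[e["bucket"]], -len(e["report_ids"]), e["first_seen"]),
    )


# Constructed sample input: four reporters complaining about one DDoS source,
# a spam source seen twice, a port scan, a call-centre bomb threat, and a
# second DDoS report about the same source hours later (a separate event).
T0 = datetime(2024, 5, 1, 10, 0)
SAMPLE_REPORTS = [
    {"id": "r1", "type": "ddos", "source_ip": "203.0.113.10", "reporter": "victim-a.example", "ts": T0},
    {"id": "r2", "type": "ddos", "source_ip": "203.0.113.10", "reporter": "victim-b.example", "ts": T0 + timedelta(minutes=3)},
    {"id": "r3", "type": "ddos", "source_ip": "203.0.113.10", "reporter": "victim-c.example", "ts": T0 + timedelta(minutes=9)},
    {"id": "r4", "type": "ddos", "source_ip": "203.0.113.10", "reporter": "victim-a.example", "ts": T0 + timedelta(minutes=12)},
    {"id": "r5", "type": "spam", "source_ip": "198.51.100.7", "reporter": "feed.example", "ts": T0 + timedelta(minutes=1)},
    {"id": "r6", "type": "spam", "source_ip": "198.51.100.7", "reporter": "mailbox-provider.example", "ts": T0 + timedelta(minutes=20)},
    {"id": "r7", "type": "portscan", "source_ip": "203.0.113.10", "reporter": "victim-d.example", "ts": T0 + timedelta(minutes=5)},
    {"id": "r8", "type": "bomb_threat", "source_ip": "", "reporter": "callcenter", "ts": T0 + timedelta(minutes=30)},
    {"id": "r9", "type": "ddos", "source_ip": "203.0.113.10", "reporter": "victim-e.example", "ts": T0 + timedelta(hours=3)},
]

if __name__ == "__main__":
    for e in work_queue(SAMPLE_REPORTS):
        print(f"{PRIORITY[e['bucket']]} {e['bucket']:17} {e['source_ip'] or '-':15} "
              f"{len(e['report_ids'])} report(s) from {len(e['reporters'])} reporter(s)")
```

On the sample data this yields five events rather than nine tickets: the bomb threat first, the four-report DDoS event second, the lone later DDoS report third, then the spam and finally the port scan. The time window and the choice of `source_ip` as the correlation key are the tunable parts; a real desk would also key on the reported destination or on the customer account behind the address.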
To find out more about how you can proactively protect your ISP from network abuse, download this free e-book from Abusix: