Developing a network abuse handling process is standard practice for abuse desk managers. That said, few manage and mitigate the associated risks using a best-practice approach.
The following pointers can help abuse desk managers implement an efficient process to handle network abuse.
Preparation — Inbound Abuse Handling:
An abuse desk is the last line of defense when it comes to abuse mitigation and remediation. The preparation and planning stage is thus the first step of handling abuse. It gives the abuse team guidance and a succinct strategy for managing everything in the abuse@ mailbox.
This is where the response plan is developed, outlining the procedures needed to roll it out. The abuse team strategizes and defines roles and responsibilities. Essentially, this stage sets the tone for how to collate and interpret data, how to define the criteria when declaring a report, what actions to take, and what tools to use when an incident is reported.
Without knowing what to do, which processes to follow, or who to communicate with, coordinating an appropriate response is considerably harder.
Assess how you will apply spam filters, which can discard messages that embed spam samples in reports. Consider tagging all incoming abuse@ mailbox traffic with a spam score, and ensure the auto responder emails are only sent to the appropriate senders.
In this stage, it’s important to decide whether to use web forms or Application Programming Interfaces (APIs). APIs help automate pushing large amounts of data into the abuse handling process, even when that data comes from a third party.
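The spam-score tagging and auto-responder gating described above, as an added example that is not part of the original article and not AbuseHQ code: a Python triage routine parses each inbound abuse@ message, adds an X-Abuse-Spam-Score header rather than discarding high-scoring mail, exempts ARF and X-ARF reports (which carry the spam sample by design) from quarantine, and withholds the automatic acknowledgement from automated, no-reply and other-abuse-desk senders. The signal weights, the threshold, the header name and the three sample messages are assumptions constructed for the illustration.

```python
"""Added example, not AbuseHQ/Abusix code: tag abuse@ mail with a spam score
instead of discarding it, and gate the auto-acknowledgement by sender.
Signal weights, threshold and sample messages are constructed assumptions."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Constructed weighted signals; a real desk would reuse the mail filter's
# score (e.g. an existing X-Spam-Score header) rather than recompute it.
SPAM_SIGNALS = [
    (re.compile(r"(?i)\bviagra\b|\bcasino\b"), 3.0),
    (re.compile(r"(?i)click here"), 1.5),
    (re.compile(r"https?://\S+"), 0.5),  # every URL adds a little
]
REVIEW_THRESHOLD = 5.0  # assumption: at or above this, hold for human review
# Never auto-acknowledge: no-reply/mailer addresses bounce, another abuse@ loops.
NO_AUTOREPLY = [re.compile(r"(?i)^(no-?reply|donotreply|mailer-daemon|postmaster)@"),
                re.compile(r"(?i)^abuse@")]

def is_structured_report(msg: EmailMessage) -> bool:
    """ARF (RFC 5965) and X-ARF reports embed the spam sample by design."""
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "feedback-report"):
        return True
    return str(msg.get("X-ARF", "")).lower() == "yes"

def spam_score(msg: EmailMessage) -> float:
    """Sum signal weights over the subject and every text/plain part (the
    walk also descends into an attached message/rfc822 sample)."""
    text = str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()
    return sum(w * len(rx.findall(text)) for rx, w in SPAM_SIGNALS)

def should_autorespond(msg: EmailMessage) -> bool:
    """Acknowledge only mail a person sent from a replyable address."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    if not addr or is_structured_report(msg):
        return False
    if str(msg.get("Auto-Submitted", "no")).lower() != "no":
        return False  # RFC 3834: do not answer automatically generated mail
    return not any(rx.search(addr) for rx in NO_AUTOREPLY)

def triage(raw: bytes) -> dict:
    """Parse one inbound message, tag it with its score and route it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score = spam_score(msg)
    msg["X-Abuse-Spam-Score"] = f"{score:.1f}"  # tag; never drop the report
    review = score >= REVIEW_THRESHOLD and not is_structured_report(msg)
    return {"queue": "review" if review else "inbox", "score": score,
            "autorespond": should_autorespond(msg)}

# Constructed sample messages.
HUMAN_REPORT = b"""\
From: Jane Reporter <jane@example.net>
Subject: Spam from your network (sample below)

Received from 192.0.2.10, please look into it:
Cheap viagra!!! click here http://spam.example/x
"""
AUTOMATED_NOTICE = b"""\
From: no-reply@reports.example.org
Subject: Abuse notification 8841
Auto-Submitted: auto-generated

Ticket 8841 was opened for 192.0.2.10.
"""
ARF_REPORT = b"""\
From: fbl@mailbox-provider.example
Subject: Feedback report
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

An abuse report follows.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
--b1
Content-Type: message/rfc822

From: spammer@spam.example
Subject: offer

Cheap viagra casino! click here http://spam.example/y
--b1--
"""

if __name__ == "__main__":
    for name, raw in [("human", HUMAN_REPORT), ("auto", AUTOMATED_NOTICE),
                      ("arf", ARF_REPORT)]:
        print(name, triage(raw))
```

The human-written report reaches the threshold precisely because it quotes the spam it complains about; sending it to a review queue rather than dropping it is the point of tagging instead of filtering. The ARF report scores higher still but stays in the inbox, and neither machine-generated message receives an acknowledgement.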
Identification — Processing:
This is where you identify where the abuse occurred based on indicators, observations, signs, and events, as well as determine whether there are any deviations from normal operational procedures.
The source could be the abuse@ mailbox, Regional Internet Registries (RIRs) such as RIPE, ARIN, LACNIC, APNIC, and AFRINIC, internal and external data sources, and the Acceptable Usage Policy (AUP).
Knowing what the challenges are helps abuse desk managers know where to begin; this requires data. Unstructured data adds unnecessary work, so make sure to normalize its format and structure. Before organizing and parsing your data, find a common format for incoming reports that doesn’t require unnecessarily complicated rule sets.
It’s also important to associate reports with particular customers and to determine when a single source is responsible for multiple instances of abuse. The attribution method depends on your infrastructure and product portfolio: it can be based on a unique identifier in a hosting environment with dedicated IPs or domains, or on a unique identifier in an access provider environment, such as a cable, DSL, or mobile provider network.
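The normalisation and attribution described in the two paragraphs above, as an added example that is neither the article's nor AbuseHQ's code: reports from a constructed JSON feed and from free-text e-mail are reduced to one AbuseRecord shape, then attributed either by dedicated IP range (hosting environment) or by IP plus timestamp looked up in a lease log (access-provider environment), and finally counted per customer to surface a single source responsible for multiple reports. The feed layout, the regular expression, the allocation table, the lease log and the sample reports are all assumptions.

```python
"""Added example, not AbuseHQ/Abusix code: reduce reports from different
sources to one record shape, then attribute each to a customer.  The JSON
layout, the free-text pattern, the IP allocation table and the lease log
are constructed assumptions for this illustration."""
import ipaddress
import json
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass(frozen=True)
class AbuseRecord:
    """Common shape every report is reduced to before any rule runs."""
    source: str          # which feed or mailbox delivered it
    category: str        # spam, portscan, malware, ...
    ip: str              # offending address in canonical text form
    seen_at: datetime    # UTC time of the observed abuse
    reporter: str

def _utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def from_json_feed(source: str, payload: str) -> AbuseRecord:
    """Structured feed (constructed JSON layout, not a real standard)."""
    doc = json.loads(payload)
    return AbuseRecord(source, doc["category"].lower(),
                       str(ipaddress.ip_address(doc["source_ip"])),
                       _utc(doc["date"]), doc["reporter"])

FREE_TEXT = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bat\s+"
                       r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)", re.S)

def from_free_text(source: str, sender: str, category: str, body: str) -> Optional[AbuseRecord]:
    """Plain e-mail report; None (manual triage) when no IP+time pair is found."""
    m = FREE_TEXT.search(body)
    if not m:
        return None
    return AbuseRecord(source, category, str(ipaddress.ip_address(m["ip"])),
                       _utc(m["ts"]), sender)

# Hosting environment: dedicated ranges map straight to a customer (constructed).
HOSTING = {ipaddress.ip_network("192.0.2.0/29"): "cust-hosting-0042"}
# Access provider: a pool address identifies a customer only together with the
# time it was held (constructed lease log: ip, start, end, customer).
LEASES = [
    ("203.0.113.7", "2024-03-01T00:00:00Z", "2024-03-01T12:00:00Z", "cust-dsl-1001"),
    ("203.0.113.7", "2024-03-01T12:00:00Z", "2024-03-02T00:00:00Z", "cust-dsl-2002"),
]

def attribute(rec: AbuseRecord) -> Optional[str]:
    """Map a record to a customer id, or None if it cannot be attributed."""
    ip = ipaddress.ip_address(rec.ip)
    for net, cust in HOSTING.items():
        if ip in net:
            return cust
    for lease_ip, start, end, cust in LEASES:
        if rec.ip == lease_ip and _utc(start) <= rec.seen_at < _utc(end):
            return cust
    return None

def repeat_offenders(records: List[AbuseRecord], threshold: int = 2) -> Dict[str, int]:
    """Customers with at least `threshold` attributed reports."""
    counts = Counter(c for c in map(attribute, records) if c)
    return {c: n for c, n in counts.items() if n >= threshold}

# Constructed inbound reports; the last one lacks a timestamp on purpose.
RAW_REPORTS = [
    ("feed", '{"category": "SPAM", "source_ip": "192.0.2.3", '
             '"date": "2024-03-01T03:00:00+00:00", "reporter": "fbl@example.org"}'),
    ("feed", '{"category": "spam", "source_ip": "192.0.2.5", '
             '"date": "2024-03-01T05:00:00Z", "reporter": "fbl@example.org"}'),
    ("mail", "We saw a port scan from 203.0.113.7 at 2024-03-01T15:30:00Z."),
    ("mail", "Scanning from 203.0.113.7 at 2024-03-01T09:00:00Z, please stop it."),
    ("mail", "Your host 203.0.113.7 attacked us last week, do something."),
]

def normalise(raw=RAW_REPORTS) -> List[AbuseRecord]:
    """Reduce every raw report to an AbuseRecord, skipping unparseable ones."""
    out = []
    for source, body in raw:
        rec = (from_json_feed(source, body) if source == "feed"
               else from_free_text(source, "bob@example.net", "portscan", body))
        if rec is not None:
            out.append(rec)
    return out
```

The same pool address resolves to two different customers depending on the timestamp, which is why a free-text report without a usable time is left for manual handling instead of being guessed; the two hosting reports land on one customer and show up in repeat_offenders().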
AbuseHQ collects and analyzes multiple sources of data and enables the abuse team to identify network abuse and neutralize it timeously. Thereafter, escalation policies take effect and an appropriate action is initiated.
Containment — Handling:
With the right processes already in place and having identified the abuse, the abuse team can take action to contain damage and prevent attacks.
Curtailing the attack may require disconnecting the affected system from the network or shutting it down altogether, notifying customers, lowering bandwidth, or quarantining networks.
Abuse managers can further simplify the handling process by:
- Understanding the problem set: Identifying the issues that are most important.
- Establishing priorities: Depending on the infrastructure and product portfolio, it may be necessary to work on high-volume, low-priority cases before the low-volume, high-priority cases even become visible.
- Starting the manual process: Start by testing processes manually, tackling one problem at a time. Building on individual priorities helps to gain the experience needed to develop an automated process, with the aim of fully automating all critical processes.
- Iterating and optimizing: Continue iterating and optimizing problem sets based on priority. Once the process for dealing with spam has been streamlined and automated, identify and focus on another problem set.
Eradication — Remediation:
Depending on the type, category, and priority of the abuse, the abuse team can then remove its cause. Remediation applies when the cause can be eradicated completely, such as a virus, or when an individual is running outdated security software and their credentials have been compromised.
Mitigation, by contrast, applies when the abuse cannot be fully remediated but its risks and effects can be minimized. In this phase, abuse desk managers can investigate how the attack occurred. This helps them assess and mitigate vulnerabilities so that similar abuse incidents don’t happen again. Compromised firewalls or outdated anti-virus software are often the initial causes of the problem. Proactively help your customers mitigate these issues or update their router hardware, if this is an option.
To help abuse teams better understand security and security threats, AbuseHQ from Abusix embeds into the existing network to provide a clearer insight into avoiding or shutting down any network abuse — before it gets out of hand. To find out more about how AbuseHQ can help abuse desks perform at their best, request your free demo today.