Neglecting to act on network abuse causes widespread problems for both the service provider and its customers, which is why it is imperative to remediate or mitigate a threat once it has been collated, parsed, and handled. This is the final phase of the network abuse handling process.
In this post, we look at how to choose between remediation and mitigation so that network abuse is handled as effectively as possible.
Remediation / Mitigation
Remediation eradicates the threat; mitigation limits the damage when the threat cannot be fully eliminated. Distributed Denial of Service (DDoS) mitigation, for example, diverts suspicious traffic to a scrubbing location where it is filtered before the clean remainder is forwarded on. Mitigation is generally the less desirable option, because a risk that cannot be eliminated has to be controlled indefinitely, and that is more costly. Patching the vulnerable service is better than blocking the port that exposes it.
The appropriate remediation depends on the type, category, and priority assigned to the abuse. Assess each issue case by case, taking into account its severity and its scope. Service providers need to work with their customers and advise them on the steps needed to remediate the issue.
In some cases remediation and mitigation go hand in hand: you stop the problem (mitigate the threat) and wait until the customer has resolved the underlying cause (remediate the threat). Blocking outbound port 25 during a spam incident is the classic example. Port blocking should always be a short-term mitigation measure, however: once the customer has cleaned up and the spam reports stop, port 25 is opened up again.
It may also be necessary to suspend non-responsive customers, whether they have been compromised or are engaging in the illegitimate activity themselves. Suspending email service for repeat spam offenders is one example. When a customer has breached the contract, point them to the Terms and Conditions they accepted and the clause they violated. This protects the service provider in any legal dispute that may arise and discourages customers from continuing the activity.
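The port 25 pattern described above, as an added example that is not Abusix code: the block is applied as a time-boxed mitigation, lifted only once the customer confirms remediation and no new spam reports arrive, and escalated to suspension if it reaches a maximum age without remediation (so a block never quietly becomes permanent). The customer IDs, IP addresses, report counts, the 72-hour policy limit and the nftables-style rule text are all constructed for illustration; the "firewall" is an in-memory list so the logic runs offline.

```python
# Added example (not Abusix code): a time-boxed outbound port 25 block that is
# lifted after remediation plus a quiet period, and escalated if it ages out.
# All identifiers, addresses, counts and the rule format are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_BLOCK_AGE = timedelta(hours=72)  # assumption: short-term by policy


@dataclass
class Port25Block:
    customer: str
    src_ip: str
    applied_at: datetime
    remediated: bool = False  # customer has confirmed the host is cleaned up

    def rule(self) -> str:
        # Hypothetical chain name "abuse_egress"; real rulesets will differ.
        return (f"add rule inet filter abuse_egress "
                f"ip saddr {self.src_ip} tcp dport 25 drop")


class AbuseDesk:
    def __init__(self) -> None:
        self.blocks: dict[str, Port25Block] = {}
        self.firewall: list[str] = []   # stands in for the live ruleset
        self.suspended: set[str] = set()

    def block_port25(self, customer: str, src_ip: str, now: datetime) -> Port25Block:
        """Mitigate: stop the outbound spam while the customer remediates."""
        block = Port25Block(customer, src_ip, now)
        self.blocks[customer] = block
        self.firewall.append(block.rule())
        return block

    def mark_remediated(self, customer: str) -> None:
        self.blocks[customer].remediated = True

    def review(self, now: datetime, new_reports: dict[str, int]) -> dict[str, str]:
        """Periodic review. new_reports maps customer -> spam reports received
        since the last review. Returns the action taken per blocked customer."""
        actions: dict[str, str] = {}
        for customer, block in list(self.blocks.items()):
            quiet = new_reports.get(customer, 0) == 0
            if block.remediated and quiet:
                # Remediated and no fresh complaints: lift the block.
                self.firewall.remove(block.rule())
                del self.blocks[customer]
                actions[customer] = "unblocked"
            elif now - block.applied_at >= MAX_BLOCK_AGE:
                # The block has outlived its purpose: escalate, don't leave it.
                self.firewall.remove(block.rule())
                del self.blocks[customer]
                self.suspended.add(customer)
                actions[customer] = "suspended"
            else:
                # Still spamming, or not yet remediated: keep the mitigation.
                actions[customer] = "blocked"
        return actions


def demo() -> tuple[dict[str, str], dict[str, str], AbuseDesk]:
    """Two constructed cases: one customer remediates, one never responds."""
    desk = AbuseDesk()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    desk.block_port25("cust-1001", "203.0.113.10", t0)
    desk.block_port25("cust-1002", "203.0.113.20", t0)

    # 24h later: cust-1001 reports cleanup; cust-1002 is silent and still spamming.
    desk.mark_remediated("cust-1001")
    first = desk.review(t0 + timedelta(hours=24), {"cust-1001": 0, "cust-1002": 7})

    # 72h later: cust-1002 has hit the maximum block age without remediating.
    second = desk.review(t0 + timedelta(hours=72), {"cust-1002": 3})
    return first, second, desk


if __name__ == "__main__":
    print(demo()[:2])
```

Note that a customer who reports remediation while complaints are still arriving stays blocked: the report feed, not the customer's word, decides when the mitigation comes off.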
Abuse that reaches the remediation or mitigation stage usually has one of four root causes:
Compromised Accounts, Customers, And Servers
In these cases a user, customer, or host is an unwitting victim. Their credentials may have been stolen after clicking a phishing link, or malware may have taken hold because their antivirus and antispyware software was out of date.
The customer needs to be notified of the breach and advised on the measures to take: reinstalling and updating their security software, or rebuilding a compromised server, and changing server and user passwords so that the attacker no longer has access. Note that a password change alone does not help while the attacker still has a foothold on the host; the cleanup has to come first.
Fraudulent Criminal Activity
Fraudulent criminal activity is most common in hosting environments, where accounts are opened under false details. Beyond the unpaid bills, the provider suffers reputational damage and bears the cost and time of getting its address space removed from blocklists.
These cases are usually the easiest to handle, as the service provider can cut off the accounts, denying the fraudsters access to that part of the network. Service providers can stop fraudulent accounts from getting in again by:
- Keeping a record of fraudulent accounts
- Placing stricter criteria on new users before allowing them to open accounts
- Implementing a fraud scoring system and rejecting applications that do not pass the threshold
- Preauthorizing new accounts and having the sales team flag suspicious statements made by prospective applicants
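A fraud scoring gate covering the first three points above, as an added example that is not Abusix code: identifiers from accounts later confirmed as fraudulent are recorded, each new application is scored against a set of signals, and the score decides between accept, manual review, and reject. The signals, their weights, the two thresholds, the disposable-domain list and the sample applications are all constructed for illustration; a real system would tune these against its own fraud history.

```python
# Added example (not Abusix code): a minimal fraud-scoring gate for new
# hosting sign-ups. Signals, weights, thresholds and sample data are constructed.
from dataclasses import dataclass

DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}  # constructed sample
REJECT_AT = 60   # score at or above this: reject outright
REVIEW_AT = 30   # score at or above this: hold for manual review


@dataclass(frozen=True)
class Application:
    email: str
    signup_ip: str
    ip_country: str        # from IP geolocation
    billing_country: str   # from the billing address
    prepaid_card: bool
    phone_verified: bool


class FraudGate:
    def __init__(self) -> None:
        # The record of past fraudulent accounts (first bullet above).
        self.fraud_ips: set[str] = set()
        self.fraud_emails: set[str] = set()
        self.signups_per_ip: dict[str, int] = {}

    def record_fraud(self, app: Application) -> None:
        """Remember identifiers from an account later confirmed as fraudulent."""
        self.fraud_ips.add(app.signup_ip)
        self.fraud_emails.add(app.email.lower())

    def score(self, app: Application) -> tuple[int, list[str]]:
        """Return (score, reasons). Weights are arbitrary illustration values."""
        reasons: list[str] = []
        total = 0

        def hit(points: int, why: str) -> None:
            nonlocal total
            total += points
            reasons.append(why)

        email = app.email.lower()
        domain = email.rsplit("@", 1)[-1]
        if email in self.fraud_emails:
            hit(100, "email previously tied to fraud")
        if app.signup_ip in self.fraud_ips:
            hit(60, "signup IP previously tied to fraud")
        if domain in DISPOSABLE_DOMAINS:
            hit(25, "disposable email domain")
        if app.ip_country != app.billing_country:
            hit(20, "IP country differs from billing country")
        if app.prepaid_card:
            hit(15, "prepaid card")
        if not app.phone_verified:
            hit(10, "phone not verified")
        if self.signups_per_ip.get(app.signup_ip, 0) >= 3:
            hit(30, "sign-up velocity from this IP")
        return total, reasons

    def decide(self, app: Application) -> tuple[str, int, list[str]]:
        """Apply the thresholds and count the attempt for velocity tracking."""
        score, reasons = self.score(app)
        self.signups_per_ip[app.signup_ip] = self.signups_per_ip.get(app.signup_ip, 0) + 1
        if score >= REJECT_AT:
            return "reject", score, reasons
        if score >= REVIEW_AT:
            return "review", score, reasons
        return "accept", score, reasons


def demo() -> dict[str, str]:
    """Constructed applications run through the gate."""
    gate = FraudGate()
    gate.record_fraud(Application("mallory@example.net", "203.0.113.9", "US", "US", False, True))
    clean = Application("alice@example.org", "198.51.100.5", "US", "US", False, True)
    shady = Application("bob@mailinator.com", "198.51.100.77", "NL", "US", False, False)
    repeat = Application("eve@example.com", "203.0.113.9", "US", "US", False, True)
    results = {
        "alice": gate.decide(clean)[0],
        "bob": gate.decide(shady)[0],
        "eve": gate.decide(repeat)[0],   # same IP as the recorded fraud account
    }
    # Four otherwise clean sign-ups from one IP: the fourth trips the velocity signal.
    for i in range(4):
        app = Application(f"carol{i}@example.org", "192.0.2.8", "DE", "DE", False, True)
        results[f"carol{i}"] = gate.decide(app)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The reasons list returned alongside the score is what the sales or abuse team sees when an application lands in review, which is what makes the fourth bullet (flagging suspicious applicants) workable in practice.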
User Behavior
User behavior is usually a lesser concern. It calls for direct communication with users who commit network abuse without realizing it, for example by sending mail that gets flagged as spam. Other forms of infringement involve downloading copyrighted material such as music, films, or television shows.
In these cases, service providers should take an educational approach: inform the users of their transgression and advise them to stop the activity immediately.
Vulnerabilities
Finding where the vulnerabilities lie is the first step in resolving a problem. They come in many forms, from a compromised firewall to outdated antivirus software. Service providers can proactively help customers mitigate these issues, or in some cases fix them on the customer's behalf, for example by updating or replacing their router where that is an option.
Some customers may be running on old product platforms, or may never have accepted the latest Acceptable Usage Policy (AUP) and still operate under old Terms and Conditions. Spammers specifically seek out hosts with no AUP so they can abuse the network and then contest any action taken against them, so it is advisable to bring these agreements up to date in good time.
Addressing all of these issues at once is an enormous challenge, which is why revisiting and iterating the handling process will improve your security processes over time. Protecting networks from abuse is an ongoing task for even the most vigilant abuse desk team. AbuseHQ from Abusix integrates into existing infrastructures to provide the insight necessary to identify, mitigate, and remediate network abuse at its source.
For more information about how Abusix can help you resolve up to 99% of network abuse incidents, talk to our team so we can set up a trial for you.