In a perfect world, abuse handlers would have the ability to block potential threats before they had a chance to enter their networks. That is certainly a goal for abuse handlers in the 21st century, but there is one huge obstacle to achieving this goal – abusers continually evolve their tactics based on our defenses.
See also: Are Your Abuse Desk Customers Unhappy?
Then again, there are two sides to this coin. When we think of threat protection, it’s generally in an “inbound” perspective, i.e. guarding our customers against what’s out there on the Internet. That’s primarily accomplished through firewalls, antivirus software, and spam filters that hide content that our users don’t want to see. Abuse handling focuses primarily on outbound threats – protecting the Internet from our customers.
For instance, the recent WannaCry ransomware attack was immune to inbound protections because it was unknown: there were no security measures in place to stop it. To mitigate the damage and build those inbound protections, security companies have to learn about the threat, identify what vulnerabilities it exploits, and then make the proper updates to prevent future spreading.
Doing that as quickly as possible against a zero-day attack requires spotting the outbound abuse. That is the only way to continually minimize the potential damage from the new threats that arise daily.
Here’s an example. Say there’s a vulnerability in WordPress that an abuser takes advantage of. That means it’s already on a server (undetected), and the process can be replicated an unlimited number of times at hosting companies all over the world. Once an abuse handler spots the issue, he can try to shut down the problem in that one instance, but that does nothing to stop the spread of the problem in other places.
Even when the actual threat in WordPress is identified, a patch has to be created to fix that vulnerability. Then the update needs to be distributed to customers. From there the customer has to install it… which stops the inbound threat, but does nothing about the abuse already underway from the compromised WordPress installations. And what if some of your users do not update WordPress immediately? The vulnerability remains open and the compromised WordPress will be exploited “forever”.
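The inbound/outbound distinction above is easiest to see in code. The following is an added example, not code from the article or from any product it mentions: it reads a flow log of connections leaving customer hosts and flags the two outbound patterns an abuse desk sees first, a host fanning out to many distinct SMB (port 445) targets, the way WannaCry spread, and a host opening direct SMTP (port 25) sessions to many destinations, as a spam-sending compromise does. The log format, the customer address range (TEST-NET-3), the thresholds and the sample records are all constructed assumptions for illustration.

```python
"""Flag customer hosts whose outbound traffic looks like abuse.

Added example, not from the original article. It assumes a flow log with
one record per line, "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>",
as a border router or NetFlow collector might export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Outbound patterns worth a human look. Port 445 fan-out matches worm-style
# spreading over SMB (the vector WannaCry used); port 25 fan-out matches a
# compromised host sending spam directly. Thresholds are assumed values.
RULES = {
    445: ("smb_fanout", 10),   # distinct destinations on 445 within WINDOW
    25: ("smtp_fanout", 20),   # distinct destinations on 25 within WINDOW
}
WINDOW = timedelta(minutes=5)
CUSTOMER_NETS = ("203.0.113.",)  # assumed customer range (TEST-NET-3)


def parse_line(line):
    """Split one constructed-format record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def find_outbound_abuse(lines):
    """Return {src_ip: [(rule_name, peak_distinct_destinations), ...]}.

    Only traffic *from* customer hosts is examined: inbound records are the
    firewall's job, outbound records are the abuse desk's.
    """
    seen = defaultdict(lambda: defaultdict(list))  # src -> port -> [(ts, dst)]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = parse_line(line)
        if proto != "tcp" or port not in RULES:
            continue
        if not src.startswith(CUSTOMER_NETS):  # not our customer's outbound
            continue
        seen[src][port].append((ts, dst))

    findings = defaultdict(list)
    for src, by_port in seen.items():
        for port, events in by_port.items():
            name, limit = RULES[port]
            events.sort()
            # Sliding window: largest number of distinct destinations this
            # host contacted on the port within any WINDOW-long interval.
            peak, lo = 0, 0
            for hi in range(len(events)):
                while events[hi][0] - events[lo][0] > WINDOW:
                    lo += 1
                distinct = len({dst for _, dst in events[lo:hi + 1]})
                peak = max(peak, distinct)
            if peak >= limit:
                findings[src].append((name, peak))
    return dict(findings)


# Constructed sample log. 203.0.113.10 contacts 12 different hosts on 445 in
# about two minutes; .20 talks to a single mail relay; .30 touches only four
# SMB peers; the 198.51.100.7 record is inbound and must be ignored.
SAMPLE_LOG = [
    *(f"2017-05-12T10:0{i // 6}:{(i % 6) * 10:02d} 203.0.113.10 192.0.2.{i + 1} 445 tcp"
      for i in range(12)),
    "2017-05-12T10:00:05 198.51.100.7 203.0.113.10 445 tcp",
    "2017-05-12T10:00:30 203.0.113.20 198.51.100.25 25 tcp",
    "2017-05-12T10:01:30 203.0.113.20 198.51.100.25 25 tcp",
    "2017-05-12T10:02:30 203.0.113.20 198.51.100.25 25 tcp",
    *(f"2017-05-12T10:03:{i * 10:02d} 203.0.113.30 192.0.2.{50 + i} 445 tcp"
      for i in range(4)),
]

if __name__ == "__main__":
    for host, hits in sorted(find_outbound_abuse(SAMPLE_LOG).items()):
        for rule, count in hits:
            print(f"{host}: {rule} ({count} distinct destinations within {WINDOW})")
```

Running it reports only 203.0.113.10, the host behaving like a spreading worm; the inbound record against that same host is skipped, because nothing about the inbound side tells you the customer is already compromised. The output is a lead for the abuse handler, who can isolate that one host and, by reporting what it was doing, give the people building inbound protections the information the article says they need.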
See also: Top 8 Reasons Abuse Desks Struggle With Network Abuse
While we may never achieve that “perfect world” scenario, the only way to come close depends on how quickly and proficiently abuse handlers recognize an initial problem. For more information on how to accomplish that, check out another article in this series that discusses prioritizing your network response.
If you want to learn more about managing an abuse desk, check out our guide with more tips and tricks.