The digital anti-trafficking organization Thorn was founded by Ashton Kutcher and Demi Moore back in 2009 to make it harder for sex traffickers to target children online. Over years of working with various digital companies and service providers, they realized that the biggest challenge wasn’t the speed at which dangerous content was removed… it was spotting it in the first place.
In 2012, Thorn created the Industry Hash Sharing Platform so digital powerhouses like Google, Facebook, and Twitter could use their combined resources for much more powerful insights and detection. It raised an even larger industry question, though: are ISPs and service providers focusing on the right types of abuse to keep their networks as safe as possible?
Tobias Knecht, the CEO of Abusix, recently discussed this issue in detail at the Lacnic 27 conference. Here are a few of the larger takeaways.
Filtering Reports by Types of Abuse
Tobias explained that when he asks audiences what their biggest ISP threat is, the answer is almost always “spam.” While that may be the largest offender by volume on your network, it’s the botnets, malware, and client vulnerabilities that put your customers at the most risk. In order to react properly, it is essential to filter reports by the types of security issues they represent.
For instance, if you have 14,000 messages about spam, should it be handled before one reported instance of a phishing attack? It may seem like it makes more sense to clear out the largest volume of reports first, but that’s exactly how threats such as child exploitation often manage to slip through the cracks. Report filters give a much clearer view of where to react first.
Allocating Subscribers Leads to Aggregation
Another thing to factor in is where those reports are coming from: which clients are actually being affected? Taking the example of 14k spam alerts from the last section, it helps to know how many of those incidents are tied to a single customer/subscriber. That’s why you need a way, whether an API or some other technique, to turn those IP addresses and report times into data that gives you an actual customer to focus on. Why? Your job is not to handle those 14,000 reports; it’s to take care of your customers as quickly as possible. And if all of those reports are coming from only one customer, then that quickly gives you a priority to focus on.
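A minimal sketch of this triage, added here as an illustration and not taken from the talk or from any Abusix product: it resolves each report's IP address and event time to the subscriber holding the lease at that moment, aggregates reports per subscriber, and orders cases by the worst abuse type before volume. The lease table, report data, subscriber IDs and severity ranking are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Assumed severity ranking (lower = handle first). The only point taken from
# the text is that volume-heavy spam must not outrank the rarer, riskier types.
SEVERITY = {"child-exploitation": 0, "phishing": 1, "malware": 1, "botnet": 1, "spam": 3}

# Constructed lease log: (ip, lease start, lease end, subscriber id)
LEASES = [
    ("198.51.100.7", "2017-05-22T00:00", "2017-05-22T12:00", "cust-A"),
    ("198.51.100.7", "2017-05-22T12:00", "2017-05-23T00:00", "cust-B"),
    ("198.51.100.9", "2017-05-22T00:00", "2017-05-23T00:00", "cust-C"),
]

# Constructed reports: (abuse type, source ip, event time)
REPORTS = [("spam", "198.51.100.7", f"2017-05-22T0{h}:15") for h in range(1, 9)] + [
    ("phishing", "198.51.100.9", "2017-05-22T10:30"),
    ("spam", "198.51.100.7", "2017-05-22T13:00"),   # same IP, different lease holder
    ("botnet", "203.0.113.5", "2017-05-22T09:00"),  # no lease on record
]

def subscriber_for(ip, when):
    """Resolve (ip, time) to the subscriber holding the lease at that moment."""
    addr, ts = ip_address(ip), datetime.fromisoformat(when)
    for lease_ip, start, end, sub in LEASES:
        if (ip_address(lease_ip) == addr
                and datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end)):
            return sub
    return None  # no lease matched: route to manual review, never guess a customer

def triage(reports):
    """Aggregate reports per subscriber, then order by worst type before volume."""
    cases = defaultdict(lambda: defaultdict(int))
    for kind, ip, when in reports:
        cases[subscriber_for(ip, when) or "UNRESOLVED"][kind] += 1

    def rank(item):
        sub, kinds = item
        worst = min(SEVERITY.get(k, 2) for k in kinds)  # unknown types rank mid
        return (worst, -sum(kinds.values()), sub)

    return [(sub, dict(kinds)) for sub, kinds in sorted(cases.items(), key=rank)]

if __name__ == "__main__":
    for sub, kinds in triage(REPORTS):
        print(sub, kinds)
```

The single phishing report and the unresolved botnet report sort ahead of the subscriber with eight spam reports, and the 13:00 spam report lands on a different customer than the morning ones because the address changed hands at noon.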
Additionally, tasks like these should be automated as much as possible so your abuse team is not tied up in manual, repetitive processes to see where problems are coming from. This can be taken a step further by sending email alerts to your customers when a vulnerability is spotted, stopping abuse before it starts.
Tobias used an example of a customer installing a WordPress plugin and receiving an automated email about abuse 15 minutes later. Because of the fast reaction time, that customer is likely to put those two events together and be able to solve the problem themselves. But if you send a manual message 1-3 days later, they may not make that correlation.
Tying Together Better Insights & Smarter Data
Ultimately, you should prioritize based on your environment and the importance of your customers and their safety. More organized data with different levels of automation will provide valuable visibility and help you make smarter decisions regarding prioritization.
While there will always be tasks that have to be handled manually, it is possible (and recommended) to shrink that number as much as you can. The more you understand the origin(s) of threats and the behavior of your customers, the more equipped you’ll be to automate processes even further.