Whether you manage an email service, an ISP, or a corporation's network, you are no doubt aware that attacks continue to increase in both volume and sophistication. Your team is constantly struggling to keep up with abuse reports, and you worry that your overworked, highly stressed security staff might one day miss the one report that brings your entire operation to a halt. At the same time, budget constraints and a shortage of well-trained, experienced candidates mean that you are forced to do more with less. If you need to reduce the time spent on managing abuse reports while keeping your network and your subscribers safe, consider AbuseHQ's inbound processing capabilities. AbuseHQ automates inbound processing, so the time you would normally spend examining, organizing, and trying to understand individual abuse reports can go to addressing the issues they describe. You decide which events never reach AbuseHQ at all and which events are enriched before they are passed on.
You can use a variety of fields to filter incoming reports. These include client, IP, date, subscriber number, complainant, subscriber type, malware, product category, and other criteria that can be selected from a dropdown already populated with common filters. For example, you might drop events that occurred more than a certain number of days ago, because acting on stale reports is rarely meaningful.
Handling Misguided Reports
If you have ever received abuse reports for IP addresses that are not your responsibility, you know how frustrating the unnecessary clutter can be. Inbound processing in AbuseHQ lets you define the networks for which you are responsible and automatically filters out reports for all others.
You may need to forward a report or message. For example, some organizations have separate divisions that share an abuse-mailbox, so you might need to forward reports to the responsible division. Other reports may need to be sent to the legal department immediately.
Automatic Tagging and Clustering
Behind the scenes, AbuseHQ automatically tags every event to identify the type of abuse and reporter. Related events will be automatically clustered and assigned a common identifier. You can choose to have AbuseHQ automatically include other tags, including data center, infection or malware, country, shared resources, and subscriber class.
How Does Inbound Processing Work in AbuseHQ?
If you were to look at a chart showing the flow of events, you would see an input node that receives the parsed events and an AHQ node that receives the finished reports. In between, you place a filter node so that only events matching your requirements are passed to the resolver. The resolver attempts to enrich the event before passing it to the AHQ node.
Your flow's general setup is validated by three distinct integrity checks. The first checks whether there are any loops in the flow that could send events circling between nodes indefinitely. The second verifies that there is a connection between the input node and the AHQ node. The third looks for unreachable or dead nodes, that is, nodes that no event can ever reach or that never lead on to the AHQ node.
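The three checks map onto standard directed-graph algorithms. The following is an added illustration of how such a validator works, not AbuseHQ's own code: the flow is modelled as an adjacency dict, the node names `input` and `ahq` are assumptions, and the three sample flows are constructed for the example.

```python
from collections import deque


def _all_nodes(graph):
    """Every node mentioned as a key or as a successor."""
    return set(graph) | {m for outs in graph.values() for m in outs}


def has_cycle(graph):
    """Check 1: three-colour depth-first search; a back edge to a GREY node is a loop."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in _all_nodes(graph)}

    def visit(n):
        colour[n] = GREY
        for m in graph.get(n, ()):
            if colour[m] == GREY:
                return True
            if colour[m] == WHITE and visit(m):
                return True
        colour[n] = BLACK
        return False

    return any(colour[n] == WHITE and visit(n) for n in sorted(colour))


def reachable(graph, start):
    """Breadth-first set of nodes reachable from start (start included)."""
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for m in graph.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def check_flow(graph, source="input", sink="ahq"):
    """Return a list of problems; an empty list means all three checks pass."""
    nodes = _all_nodes(graph)
    problems = []
    if has_cycle(graph):
        problems.append("loop: events could circulate between nodes forever")
    forward = reachable(graph, source)
    if sink not in forward:                      # check 2: input must reach AHQ
        problems.append(f"no path from {source} to {sink}")
    reverse = {}                                 # check 3 needs the reversed graph
    for n, outs in graph.items():
        for m in outs:
            reverse.setdefault(m, []).append(n)
    backward = reachable(reverse, sink)
    unreachable = sorted(nodes - forward)        # nothing ever feeds these nodes
    dead_end = sorted(nodes - backward)          # these nodes never lead to AHQ
    if unreachable:
        problems.append("unreachable nodes: " + ", ".join(unreachable))
    if dead_end:
        problems.append("dead-end nodes (never reach the AHQ node): " + ", ".join(dead_end))
    return problems


# Constructed sample flows (assumed node names, not real AbuseHQ configuration).
GOOD_FLOW = {"input": ["filter"], "filter": ["resolver"], "resolver": ["ahq"], "ahq": []}
LOOP_FLOW = {"input": ["filter"], "filter": ["resolver"], "resolver": ["filter"], "ahq": []}
ORPHAN_FLOW = {"input": ["filter"], "filter": ["ahq"], "tagger": ["ahq"], "ahq": []}

if __name__ == "__main__":
    for name, flow in (("good", GOOD_FLOW), ("loop", LOOP_FLOW), ("orphan", ORPHAN_FLOW)):
        print(name, check_flow(flow) or "ok")
```

A loop that bypasses the AHQ node fails all three checks at once: events circle forever, nothing reaches AHQ, and the AHQ node itself becomes unreachable. The orphaned `tagger` node fails only the third check, which is the case the first two checks would not catch on their own.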
Out of the box, AbuseHQ is preconfigured with an IP resolver that uses the event’s IP address as a default subscriber ID. This is true whether the report is for a domain, an IP address, or a URL. After resolution, AbuseHQ has data that can later be used to automatically resolve an event occurring on dynamic, shared, or dedicated services to a subscriber ID.
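The pieces described on this page (a filter that drops events outside your networks or past a maximum age, a resolver that falls back to the event's IP address as the subscriber ID, and automatic tagging and clustering of related events) fit together as a short pipeline. The following is an added illustration of that pipeline, not AbuseHQ's own code or data model: the event field names, the responsible-network list, the subscriber lookup table and the sample events are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: the networks this operator is responsible for (RFC 5737/3849 examples).
OUR_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
MAX_AGE = timedelta(days=30)        # assumed cut-off: older events are not worth acting on

# Assumption: a lookup table for dedicated services; any IP not listed here falls
# back to the default behaviour described on the page (subscriber ID = the IP itself).
SUBSCRIBER_BY_IP = {"203.0.113.10": "sub-4711"}


def filter_node(event, now):
    """Return a drop reason, or None if the event should pass on to the resolver."""
    try:
        addr = ipaddress.ip_address(event["ip"])
    except ValueError:
        return "unparseable IP address"          # misguided or malformed report
    if not any(addr in net for net in OUR_NETWORKS):
        return "not our network"
    if now - event["timestamp"] > MAX_AGE:
        return "too old to act on"
    return None


def resolver_node(event):
    """Attach a subscriber ID; the IP address is the default when no mapping exists."""
    event = dict(event)
    event["subscriber_id"] = SUBSCRIBER_BY_IP.get(event["ip"], event["ip"])
    return event


def tag_node(event):
    """Tag abuse type and reporter, and give related events a shared cluster ID."""
    event["tags"] = {"abuse_type": event["abuse_type"], "reporter": event["reporter"]}
    # Assumption: events for the same subscriber and abuse type belong to one cluster.
    event["cluster_id"] = f"{event['subscriber_id']}|{event['abuse_type']}"
    return event


def process(events, now):
    """Run events through filter -> resolver -> tagger; return (passed, dropped)."""
    passed, dropped = [], []
    for ev in events:
        reason = filter_node(ev, now)
        if reason:
            dropped.append((ev["report_id"], reason))
            continue
        passed.append(tag_node(resolver_node(ev)))
    return passed, dropped


# Constructed sample events (not real reports).
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"report_id": "r1", "ip": "203.0.113.10", "timestamp": NOW - timedelta(days=1),
     "abuse_type": "spam", "reporter": "reporter-a"},
    {"report_id": "r2", "ip": "203.0.113.10", "timestamp": NOW - timedelta(days=2),
     "abuse_type": "spam", "reporter": "reporter-b"},
    {"report_id": "r3", "ip": "203.0.113.77", "timestamp": NOW - timedelta(days=3),
     "abuse_type": "malware", "reporter": "reporter-a"},
    {"report_id": "r4", "ip": "198.51.100.5", "timestamp": NOW - timedelta(days=1),
     "abuse_type": "spam", "reporter": "reporter-a"},          # not our network
    {"report_id": "r5", "ip": "2001:db8::1", "timestamp": NOW - timedelta(days=90),
     "abuse_type": "phishing", "reporter": "reporter-c"},      # ours, but too old
    {"report_id": "r6", "ip": "not-an-ip", "timestamp": NOW,
     "abuse_type": "spam", "reporter": "reporter-d"},          # malformed report
]

if __name__ == "__main__":
    passed, dropped = process(SAMPLE_EVENTS, NOW)
    for ev in passed:
        print(ev["report_id"], ev["subscriber_id"], ev["cluster_id"], ev["tags"])
    for report_id, reason in dropped:
        print("dropped", report_id, reason)
```

Two reports about the same subscriber from different reporters end up in one cluster, the event on an unmapped IP keeps the IP as its subscriber ID, and the misguided, stale and malformed reports never reach the resolver at all.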
AbuseHQ's inbound processing gives you a clean data flow instead of raw reports. You no longer spend your time building parsers, writing scripts, or examining single reports. Metadata can be automatically extracted from the reports, subscribers can be identified for additional action, network resources can be tagged, and reports can be rerouted to the appropriate department or division. You will have more time to deal with serious issues that require human intervention to resolve.
Best of all, you do not need to make a significant investment in time to configure AbuseHQ inbound processing. On average, it takes less than 15 minutes to complete an upfront configuration.
If you would like to see for yourself what AbuseHQ can do for you, contact us for a free trial.