

3rd party incident response - Abuse/phishing/malware




Posted by faxur, 03-19-2014, 12:36 PM
Hello Everybody, I was wondering if anybody in the forum uses 3rd party companies to deal with abuse and incident response issues. If you do, how well does it work? If you don't, would you consider it? If not, why? It seems that more and more the ISPs are having hundreds of notifications about such issues and not all of them are able to handle them in an effective way, so I was wondering what kind of options would be out there to minimize the problem. Thanks for your comments!

Posted by lenaPS, 03-19-2014, 01:43 PM
Hi faxur, Having a 3rd party service that automatically monitors abuse mailboxes (or traffic) is very cost effective as it automates what can be a significant work load and can provide 24/7 monitoring. This then eliminates delays in taking care of bad content.

Posted by my247webhosting, 03-19-2014, 02:33 PM
There are third parties like Hackalert which you can use to get notified of malware content on websites. This would help you proactively resolve issues.

Posted by faxur, 03-19-2014, 02:37 PM
Hi lenap, Thanks for your reply. For sure I believe such a service is valuable, but it relates more to a pro-active/preventive resource. What I meant was actually the treatment and response to incidents that have already been detected and notified. Something like having an external team working to respond to the abuse reports that ISPs receive.

Posted by lenaPS, 03-19-2014, 02:53 PM
faxur, In my opinion, having an external team that handles reported incidents is essentially an endless story. Clients get hacked; malware/phishing content is placed on the server; incident handled by external team and the story repeats itself. Bear in mind that once something is reported, it usually means that the rest of the security community is already aware of that, i.e. high chance of hurting your business reputation and losing money. Taking a proactive approach will in the long run require less resources and can bring better results. For example, if phishing content is just placed on your server and you run a proactive solution, your team or service can be notified the moment the content is available and take care of the issue. The issue is never reported in the security community and you and your clients never suffer from reputation/blacklisting issues.
Last edited by lenaPS; 03-19-2014 at 02:57 PM.

Posted by faxur, 03-19-2014, 03:25 PM
I understand that but that really is not the point I want to make here. That tool can be very useful but, still, someone will need to verify and respond to the notifications made by the "whateverproactiveservice". I would basically do the same job some security providers do: Identify the threat and report to the provider (even if it may do it in a more efficient way). More than that, even if that service is cheap, it is an endless discussion about who should pay for it: The provider? The person/company whose domain is hosted on the provider? Also, even if you implement such a tool, you will still have to have (or at least should) an abuse team operating to deal with the notifications coming from such a tool and the ones you receive from external teams, since for sure the tool would help preventing threats, but there will be always someone sending an abuse notification, which means you would have the cost of the team + the cost of the tool. My question here is about the job after the notification. It seems to be "the boring part of the job" for most providers, so I was wondering if hiring a third party company/team/whatever could help taking this off the providers' shoulders. Again, don't take me wrong, I believe such a tool can be really efficient as a tool, but my intention with this post is to discuss the other part of the job.

Posted by lenaPS, 03-19-2014, 04:32 PM
faxur, You brought up some good points indeed. I would recommend what I call the 'mash-up strategy'. In addition to using a 3rd party proactive tool/service, I would develop a small utility (in-house or outsource) that reads the notifications from the tool/service and automatically blocks access to the reported content. However, since we all know that there's no perfect security solution, I may want someone to look through the reports and also be in charge of removing the malicious content. This approach gives you and your clients a "quick fix" and buys you time to handle the incidents. Also, this allows you to cut your abuse team as you no longer need prompt responses. Regarding incidents that are reported from other sources, you can essentially feed them through the same tool/service and automate the process.
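
A sketch of the kind of small utility described in the post above, as an added example that is not part of the original thread. The `url=... type=...` feed format, the hosted-domain list and the nginx output are assumptions made for illustration; the point is that automatic blocking should be scoped to a single reported path on a domain you actually host, with everything else left for a person to review.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed sample data: hostnames this provider hosts (assumption).
HOSTED = {"shop.example.com", "blog.example.net"}

# Constructed notifications in a hypothetical "url=<...> type=<...>" format.
SAMPLE_FEED = [
    "url=http://shop.example.com/img/../paypal/login.php type=phishing",
    "url=http://SHOP.example.com/paypal/login.php type=phishing",
    "url=http://unrelated.example.org/x.php type=malware",
    "url=http://blog.example.net/ type=malware",
    'url=http://blog.example.net/a";}evil type=malware',
]

# Only paths made of these characters are written into server config.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]+$")

def triage(line, hosted=HOSTED):
    """Return (action, host, path); action is 'block', 'review' or 'ignore'."""
    m = re.match(r"url=(\S+)\s+type=(\w+)$", line.strip())
    if not m:
        return ("review", None, None)        # unparseable report
    parts = urlsplit(m.group(1))
    host = (parts.hostname or "").lower()
    if host not in hosted:
        return ("ignore", host, None)        # not one of our customers
    path = posixpath.normpath(unquote(parts.path) or "/")
    if path == "/" or not SAFE_PATH.match(path):
        return ("review", host, path)        # whole site or odd path: human decides
    return ("block", host, path)

def build_rules(feed):
    """Return (nginx rules for the quick fix, lines needing manual review)."""
    blocks, review = set(), []
    for line in feed:
        action, host, path = triage(line)
        if action == "block":
            blocks.add((host, path))         # set() removes duplicate reports
        elif action == "review":
            review.append(line)
    # Each rule belongs in the server block of the host named in its comment.
    rules = [f"# {host}\nlocation = {path} {{ return 410; }}"
             for host, path in sorted(blocks)]
    return rules, review

if __name__ == "__main__":
    rules, review = build_rules(SAMPLE_FEED)
    print("\n".join(rules))
    print("manual review:", review)
```

Blocked paths are only the "quick fix" from the post; the content itself still has to be removed by whoever works the queue.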

Posted by faxur, 03-20-2014, 08:17 AM
That sounds like something that could work. But, still, would any of the ISPs around be willing to have their abuse cases treated by a 3rd party company?


