Dear Anti-Abuse WG,

As already mentioned to Brian and the WG chairs in a private mail, I would like to draw your attention to a new initiative that I will be pursuing in 2022: an open source abuse handling automation tool for smaller network operators. Thanks to the RIPE CPF it got some initial funding. Here is the RIPE CPF summary:

Project abstract
----------------

```
Open Source Automatic Incident Report Handling and Response Tool for RIPE Members

RIPE members range from large network operators to small or even very small networks (the "long tail"). Common to all of them is that they have publicly routed and active IP addresses and devices which are reachable from the Internet. With Internet-wide scanning tools (shodan, etc.), any vulnerable device is discoverable with a click of a button for any malicious actor. While large network operators can spend a lot on IT security incident response (IR), network hygiene and incident report handling, smaller ones can't. In our experience, these smaller networks very selectively deal with IR. Many of the reports sent by national CERTs are ignored due to the lack of personnel, skills or resources. The effect is that Internet hygiene is suboptimal in the long tail. This, in turn, creates more hacked devices, DDoS amplifiers, etc. and poses more threats to the global network.

Our project aims at bringing the best-of-breed open-source technology as a turn-key package to the "long tail" networks to plug into their customer contacts database (CRM) system on the one side and to the global feeds of threat intelligence and scanning alerts (such as shadowserver.org) on the other. Automate the IR, improve network hygiene!
```

(Source: https://www.ripe.net/support/cpf/funding-recipients-2021)

Rest assured, I am aware of all the good work done at this WG and at abuse.io and abusix.
Not trying to re-invent the wheel, no worries :)

About myself and motivation for this project
--------------------------------------------

I have been working at a European national CERT for 12 years and am one of the two co-founders of the https://intelmq.org Incident Response (IR) automation project. IntelMQ is mainly geared towards the "information router" role of national CERTs, less so towards network operators.

What struck me during that time at the national CERT is that there is a wide variation in how network operators clean up after abuse reports: some clean up thoroughly, and some do the bare minimum (no accusation here!), even though good tools such as abusix exist for them. So, the question is: *why* is that so? There must be a good reason for it. And this leads me to the project motivation.

The first part of this project shall analyse *why* and *how many* of the abuse notifications are not done. Is it the network operator? Is it the end-customer? Is it culture? Is it lack of resources? Is it the (economic) network externalities? Is it all of the above?

I believe, once we identify some of the blockers, we can *improve* existing solutions, add to the portfolio of existing solutions and/or combine them into a package which might actually do the next step without much effort. Ideally, abusix, abuseio, intelmq, n6, warden, ... (all these tools which help in IR for network operators) would get a boost by this project AND the network operators get improved tools.[1]

Request for your help
---------------------

Since this is an open source project, I would like to reach out to anyone here who is interested and start collecting some initial quantitative interviews with you on the questions (the "why?" questions) above (interviews will start in mid-Dec). In parallel, I'll be doing some literature research on the topic. I'd be thrilled to have the combined knowledge of the WG as part of this project.
After all, the problem we are trying to solve is similar to tackling pollution or climate change (just for the internet): it's a super hard problem. Lots of externalities, lots of hard nuts to crack, and for sure no-one can solve this problem on his/her own.

Thanks for your time reading this.

Aaron Kaplan.

PS: I probably can't make it to tomorrow's Anti-Abuse WG session (I have parallel calls which I can't skip). But I'd appreciate you reaching out to me via email. If in the WG session tomorrow you could mention this little project of mine, I'd be quite happy about that.

[1] I am very aware that with limited funding and an infinitely, arbitrarily large problem, we won't be able to tackle all of it in this small project. But we can try and add to our global anti-abuse capabilities. Hence, I am reaching out to this WG for input and advice.