The Rise of AbuseOps

If you’re in the US or just in tech, you must have heard about the large hacks of Yahoo, Ashley Madison, Home Depot, eBay, Anthem, Sony and recently Equifax. Those are what we think of when we talk about traditional software security, which involves keeping your systems up to date, set up and configured correctly. But I’m not here to talk about that kind of software security. I’m here to talk about AbuseOps.

Let’s say you start a website that sells tickets to events. One day you notice that some events get sold out within seconds. At first you are happy that your site is so popular, but then you realize the purchases are all from the same person. Well, you figure he or she is probably buying your tickets and reselling them for a profit. Simple enough: you limit the number of tickets that can be bought by any one user. It works, and for a few days everything is back to normal. But then it happens again, and all the tickets are sold within a second. This time it’s split between multiple accounts. After some investigation, you find the multiple accounts are all fake and likely owned by the same person.

At this point you put one of your engineers on it. He comes up with a simple solution and suggests adding a captcha to every purchase! Well, this will solve the problem, but everyone hates captchas, so you tell him to keep at it. With some additional time and effort, he comes up with an even better idea: showing a captcha only to suspicious traffic. Brilliant! This seems to work, and although the engineer needs to update the system every now and then, it doesn’t take much of his time.

You move on and build more features in your website, this time a review system for past events. This feature booms and becomes very popular. Users come to your website not only to buy tickets but also for the reviews. Then one day you search the web and find most of your reviews on some other site. They have been systematically copied and pasted without your permission!

So, you are back to putting an engineer on the problem. Thanks to your site’s growth, he now works in your new security team and has the entire team working on this new problem. However, after a couple of months, they complain that they are software engineers and as such want to write more code. Updating the logic to stop the attacks is not as interesting to them and takes a lot of their time. They would rather work on the infrastructure needed to stop the malicious activity.

This is just an example of abuse that can start on your service, and it falls into another category of security called fraud and abuse. If your service is prone to this kind of abuse, what you probably need is a team dedicated to actively finding and stopping abusive activity. Many social networks have a team to investigate the real-life people behind fraud and abuse, but for more large-scale automated attacks you need a different set of skills.

Here is where AbuseOps comes in. AbuseOps is a small team of engineers dedicated to measuring abuse, finding attacks, working with the relevant teams to build tools to stop the attacks, and operating those tools on an ongoing basis.

In the next few posts I’ll be talking about the tools, methodology and skills needed for this role. I hope you enjoy reading about it as much as I enjoy writing it. See you in the next post.