NSA Issues Guidance for ISPs and Network Defenders to Combat Malicious Activity

The National Security Agency (NSA), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and multiple international partners, has released a comprehensive cybersecurity information sheet titled “Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers.”

Published on November 19, 2025, this guidance targets internet service providers (ISPs) and network defenders, offering strategic recommendations to dismantle the infrastructure that underpins global cybercrime.

The advisory, developed by the Joint Ransomware Task Force (JRTF), addresses the growing threat posed by “bulletproof hosting” (BPH) services that knowingly support ransomware groups, phishing campaigns, and other malicious activities.

Bulletproof hosting providers differ from legitimate infrastructure services by intentionally ignoring abuse complaints and legal processes such as court orders or subpoenas.

These entities market their services to cybercriminals with the assurance of impunity, often allowing illicit content to remain online despite evidence of criminal activity.

The joint guidance highlights that BPH providers frequently resell infrastructure leased or stolen from legitimate data centers and cloud providers, effectively hiding malicious traffic within valid networks.

To evade detection, these actors employ sophisticated techniques such as “fast flux,” in which they rapidly cycle through IP addresses and domain names, or migrate frequently between Autonomous System Numbers (ASNs) to bypass static blocklists.

Mitigation Strategies for Network Defenders

The authoring agencies emphasize that mitigating BPH risks requires a nuanced approach to avoid disrupting legitimate internet traffic. Network defenders are urged to curate high-confidence lists of malicious internet resources by leveraging commercial and open-source threat intelligence feeds.

Rather than relying solely on broad blocking measures, defenders should implement granular filtering at the network border, targeting specific IP ranges or ASNs identified as hostile.

The guidance also highlights the importance of traffic analysis to establish baseline network behavior, which allows security teams to identify outlier activity that may indicate a connection to BPH infrastructure.

Centralized event logging systems should be configured to alert on traffic from known malicious sources, ensuring rapid identification of potential compromises.
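As an added illustration of the defender-side measures described above (it is not code from the advisory or from any of the authoring agencies), the following Python checks border flow records against a curated CIDR/ASN blocklist and flags DNS names whose answers cycle through many addresses in a short window, the kind of outlier that may resemble fast flux. All prefixes, ASNs, log lines and thresholds are constructed placeholders drawn from documentation and private-use ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed high-confidence blocklist (documentation prefixes and
# private-use ASNs used as placeholders; a real list would come from
# vetted threat intelligence feeds).
BLOCKED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.128/25")]
BLOCKED_ASNS = {64496, 64511}

# Constructed border flow records: (dst_ip, dst_asn, bytes)
FLOWS = [
    ("203.0.113.45", 64496, 1200),
    ("192.0.2.10", 64500, 3400),
    ("198.51.100.200", 64510, 800),
    ("198.51.100.20", 64511, 500),
]

def match_blocklist(flows, cidrs=BLOCKED_CIDRS, asns=BLOCKED_ASNS):
    """Return (dst_ip, reason) for each flow touching a blocked prefix or ASN.
    Prefix matches are reported first so the audit log records the most
    specific reason for a block."""
    hits = []
    for dst, asn, _ in flows:
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in cidrs):
            hits.append((dst, "cidr"))
        elif asn in asns:
            hits.append((dst, "asn"))
    return hits

# Constructed resolver log: (epoch_seconds, qname, answer_ip)
DNS_LOG = [
    (0, "update.example", "203.0.113.5"), (60, "update.example", "203.0.113.77"),
    (120, "update.example", "198.51.100.9"), (180, "update.example", "192.0.2.33"),
    (240, "update.example", "203.0.113.90"),
    (0, "cdn.example", "192.0.2.1"), (300, "cdn.example", "192.0.2.1"),
]

def fast_flux_candidates(dns_log, window=300, min_unique=4):
    """Names whose answers span >= min_unique distinct IPs within one window.
    The window and threshold are assumed tuning values; set them from the
    baseline your own traffic analysis establishes."""
    by_name = defaultdict(list)
    for ts, name, ip in sorted(dns_log):
        by_name[name].append((ts, ip))
    flagged = set()
    for name, entries in by_name.items():
        for i, (start, _) in enumerate(entries):
            ips = {ip for ts, ip in entries[i:] if ts - start <= window}
            if len(ips) >= min_unique:
                flagged.add(name)
                break
    return sorted(flagged)
```

Feed the returned hits to the central logging pipeline as alerts rather than blocking on them directly, since a CDN or shared host can legitimately rotate addresses.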

ISPs play a critical role in the proposed defense strategy and are encouraged to adopt stricter “Know Your Customer” (KYC) protocols to prevent BPH providers from easily acquiring infrastructure.

The advisory suggests that ISPs require verifiable identification and banking details from prospective customers to validate their legitimacy. Furthermore, the guidance proposes establishing sector-wide codes of conduct, such as agreeing to block malicious IP ranges for up to 90 days to disrupt criminal operations.

ISPs are also advised to notify customers when traffic is blocked due to malicious associations and to offer opt-out filtering services that provide enhanced protection for organizations with lower risk tolerances.

By tightening these controls, the international coalition aims to force cybercriminals away from bulletproof havens and onto legitimate platforms where law enforcement can more effectively intervene.

| Recommended Action | Description | Target Audience |
|---|---|---|
| Curate Blocklists | Develop and maintain lists of “high confidence” malicious resources using threat intel feeds. | Network Defenders |
| Traffic Analysis | Establish network baselines to identify outlier activity resembling fast flux or BPH patterns. | Network Defenders |
| Implement Filters | Apply granular filters for ASNs or IPs at network borders, ensuring audit logs are maintained. | ISPs & Defenders |
| Know Your Customer | Verify customer identity (IDs, banking details) to prevent fraudulent infrastructure leasing. | ISPs |
| Code of Conduct | Establish industry norms, such as 90-day blocks for abusive IP ranges, to enforce accountability. | ISPs |

The post NSA Issues Guidance for ISPs and Network Defenders to Combat Malicious Activity appeared first on Cyber Security News.
