Unfortunately, routers/modems are the weakest security link for a consumer. Unlike computer/smartphone operating systems, consumer networking equipment firmware isn't updated automatically or regularly by default to patch vulnerabilities. Added to this is the default/weak password used in those devices.
The only reason the ISPs sprang into action in the case of 'BrickerBot' is actually because the customers lost access to the Internet. I don't think they took any action for 'Mirai', a botnet which used the same methodology to convert routers, modems and IoT devices into bots for DDoS attacks, and in that case the device owner wouldn't even have a clue.
To answer your question:
"What do you guys think, is this the right approach for an ISP to thwart intrusion or any malware attack, are there any networking/security guys who can enlighten us?"
1. Though the best strategy is to patch the vulnerabilities:
Easiest: deny connections to the customers who have default passwords, call them and force them to update the password.
Recommended: update the firmware for all the affected devices.
2. In the case of Mirai or other botnet malware:
Block outbound access to the C&C (Command and Control) center of the botnet, rendering the infected devices useless for the malware owners.
There are other complex packet analysis mechanisms to detect malware; the recent jump in machine learning technologies has made them much more effective. ISPs should be mandated to disclose security breaches and should be audited regularly by CERT-IN (DoT).
For home users:
Custom routers can be built which run a regular desktop OS such as Ubuntu or OpenBSD, which can be updated regularly.
For ISPs:
The long-term strategy should be aimed at procuring networking equipment which can be regularly updated. With a little support from the government, local manufacturers can definitely manufacture networking equipment; it can be an asset to national security as well.