Introduction
The telecom industry should support new ways of sharing information, and for that it needs a specific language for describing threat actors. A MITRE ATT&CK framework for mobile networks would help greatly, both in understanding what telecom attackers do and in giving IT and telecom security monitoring a shared vocabulary.
We need to adopt more effective ways of identifying threats and of sharing information and intelligence about them: what exactly a threat is, whether we can recognize it, and how we can share information about it most efficiently and effectively.
One example of effective information sharing by the telecom industry comes from Germany four years ago, when several news reports explained how Signaling System 7 (SS7), the mobile control-plane protocol for 2G/3G, had been exploited. Once the attackers had access to this mobile network protocol, they were able to exploit SS7 flaws and drain the bank accounts of some subscribers.
The attackers intercepted the text messages used for two-factor authentication to the bank accounts. More typically, though, the SS7 protocol is exploited for surveillance and nation-state-level attacks. Within the GSM Association, information about this vulnerability had been shared before news of the attack emerged. Global Title data was among the information shared; the details of where these attacks originated were also identified, and the source was associated with other attack sources.
SS7 attacks
Information about the SS7 attacks was communicated to the affected parties through multiple European operators, including operators whose customers were not affected, since the information would help them deal with these attacks. The information was also shared with law enforcement, so that in advance of the attack a map of this group was built showing which sources they were using: sources from the UK, and also from other countries such as Turkmenistan.
This example shows the benefits and capabilities of sharing, but the same is not possible for larger attacks, where all of the information might not be available. In the SS7 case, information could be shared because everybody understood what was being shared and there was no context that required interpretation.
There are restrictions on the amount of information that can be shared in the telecom ecosystem, so sharing at a technical level is not always possible. The information held by the telecom industry and its partners is confidential, so who has been targeted cannot be shared.
A system that shares information on SS7 or 3G attacks will not work for 4G attacks executed via SMS, because the technology attackers use is not fixed; such a system therefore would not work for any kind of combined attack.
How can we improve telecommunication security by learning from IT security?
To improve telecommunication security we need a language to express the activity of threat actors, and ways to share what they do and how they do it. This can be referred to as "fair sharing".
This would allow a greater understanding of the threats and of the collaborative efforts required to build defenses against them.
What type of information is required?
The information should be factual, high-level and concise, summarizing the tactics or techniques used by the attackers. It should carry enough specific high-level information that you are able to act on the threats that are present.
The language and methods for sharing details of these attackers and the approaches they use need to be worked on, so that our response is quick and efficient while respecting privacy. Security companies can share information internally, but a bigger and better way of working together needs to be built. Attackers will do whatever they can to get the information they want, and they are not going to strike in any one specific place using one particular method. A mindset of sharing should be developed as standard practice.
MITRE ATT&CK framework for mobile network
In the IT world there is a common framework, the MITRE ATT&CK framework, which describes in detail the approach an attacker uses – in terms of tactics, techniques, and sub-techniques. This framework is widely supported, uses common tooling, and is thus used throughout the IT industry. It helps people talk about what attackers are doing at a high level, and about how a threat was discovered.
The list of matrices for mobile is very device-centric, covering Android and iOS, but it does not consider mobile networks. There is a section on network-based effects, but these are not separate and standalone, and they do not cover mobile network attack cases or anything related to 5G.
How can we define a MITRE ATT&CK model based on mobile core network attacks?
Although it is agreed that there should be more information sharing in the industry, there is still no easy way of doing it, especially in the areas of signaling or 5G as it arrives. For this we need to define a framework, come up with a new way of sharing threat information, and define a model for all the tactics and techniques experienced in real life.
The industry must consider a vast array of telecom protocols, and new systems must be created with future-proofing in mind. 5G is not a replacement for 3G and 4G but a whole different array of protocols, so we need to ensure that we have systems to share information about it and the threats to it. In the coming years 5G is going to take over the world, and that can be dangerous for users.
Adaptive Mobile Security’s approach for extending MITRE ATT&CK for telecom security monitoring
Extending the ATT&CK Mobile Matrix with mobile network aspects is a method of extending the MITRE ATT&CK ecosystem for mobile network operators that takes into account that there are many different types of telecom attacks, a
It is proposed to extend the mobile attack matrix by adding a third matrix alongside iOS and Android, taking parts from the existing matrix and using different types of sub-techniques to ensure that it is compatible with everyone. This means it can be reused, and people from outside the telecom security industry would be able to look at it, understand it and use it.
This new matrix is based on realistic attacks and adversary behavior that telecom, other industries and mobile operators have seen in real life. Some of the techniques apply to specific attacks that we would expect to see in 5G; other ideas and measures are taken from the beta framework, with many new things to be added based on real attacks.
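The following is an added illustration, not code from the original article or from AdaptiveMobile Security, of two ideas above: a high-level sharing record that summarizes a technique without disclosing who was targeted, and a single mobile-network matrix in which one technique spans SS7, Diameter and 5G rather than being tied to one generation. The technique identifiers (MN-T001, MN-T002), the tactic names, the field names and the sample detection record are all hypothetical placeholders, not MITRE identifiers.

```python
# Added example (hypothetical): an ATT&CK-style matrix for mobile-network
# attacks and a routine that turns an operator's internal detection record
# into a factual, high-level record that is safe to share with peers.
# MN-T00x identifiers, tactic names and field names are placeholders.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactic: str
    # observed behaviours that map to this technique, whatever the protocol
    behaviours: frozenset
    # protocol -> sub-technique label, so one technique covers 2G/3G, 4G and 5G
    sub_techniques: dict


# Hypothetical matrix: the protocol only selects the sub-technique, so an
# SS7 and a Diameter observation of the same behaviour share one technique.
MOBILE_NETWORK_MATRIX = (
    Technique(
        "MN-T001", "Subscriber message interception", "Collection",
        frozenset({"sms_redirect"}),
        {"SS7": "MAP-based SMS redirection",
         "Diameter": "Diameter-based SMS redirection",
         "HTTP/2": "5G service-based-interface SMS redirection"},
    ),
    Technique(
        "MN-T002", "Subscriber location disclosure", "Discovery",
        frozenset({"location_query"}),
        {"SS7": "MAP location request",
         "Diameter": "Diameter location request"},
    ),
)

# Fields an operator must keep internal: subscriber identity and customer data.
CONFIDENTIAL_FIELDS = {"target_msisdn", "target_imsi", "customer_account"}


def classify(protocol: str, behaviour: str):
    """Map an observed (protocol, behaviour) pair to (technique, sub-technique)."""
    for tech in MOBILE_NETWORK_MATRIX:
        if behaviour in tech.behaviours and protocol in tech.sub_techniques:
            return tech, tech.sub_techniques[protocol]
    return None, None


def to_shareable(record: dict) -> dict:
    """Build a concise sharing record from an internal detection.

    Keeps the technique, tactic, protocol and attacker-side data (source
    global title and country, as was shared in the SS7 case), drops all
    subscriber identifiers, and coarsens the timestamp to the day so a
    shared record cannot be tied back to one customer's session.
    """
    tech, sub = classify(record["protocol"], record["behaviour"])
    if tech is None:
        raise ValueError(f"no technique covers {record['protocol']}/{record['behaviour']}")
    day = datetime.fromisoformat(record["observed_at"]).date().isoformat()
    shared = {
        "technique": tech.tid,
        "technique_name": tech.name,
        "tactic": tech.tactic,
        "protocol": record["protocol"],
        "sub_technique": sub,
        "source_gt": record.get("source_gt"),
        "source_country": record.get("source_country"),
        "observed_day": day,
    }
    if set(shared) & CONFIDENTIAL_FIELDS:
        raise ValueError("confidential field leaked into sharing record")
    return shared


def leaks_confidential(shared: dict, internal: dict) -> bool:
    """True if any confidential value from the internal record appears verbatim
    among the shared values (a last check before a record leaves the operator)."""
    secrets = {str(internal[k]) for k in CONFIDENTIAL_FIELDS if k in internal}
    return any(str(v) in secrets for v in shared.values())


# Constructed sample detection record (all values invented for this example).
SAMPLE_INTERNAL_RECORD = {
    "protocol": "Diameter",
    "behaviour": "sms_redirect",
    "target_msisdn": "+491700000001",
    "target_imsi": "262010000000001",
    "customer_account": "acc-42",
    "source_gt": "99312000001",
    "source_country": "TM",
    "observed_at": "2017-04-20T03:14:00",
}

if __name__ == "__main__":
    out = to_shareable(SAMPLE_INTERNAL_RECORD)
    print(out)
    print("leak check:", leaks_confidential(out, SAMPLE_INTERNAL_RECORD))
```

The design point is that the shared record names a technique and tactic rather than a protocol-specific detail, so the same record format works whether the observation came over SS7, Diameter or a 5G interface, while the confidential fields never reach the sharing path at all.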