The threat surface has increased – here’s how to tackle it
Imagine a castle. Built with the toughest materials, the thickest walls, and filled with the shrewdest soldiers. And there’s a moat. One might feel safe in this place, certain the enemy will move on to easier targets.
Now picture this castle as a telecoms network. And the enemy, in this case cybercriminals, is persistent. In fact, they launch an attack every 39 seconds, according to a study at the University of Maryland, and the implications can be crippling. The average total cost of a data breach is US $3.86 million according to Ponemon Institute. NotPetya, the costliest cyber-attack of all time, caused US $10 billion in damages.
Security concerns for communications service providers (CSPs) are not new. They have long protected themselves against breaches and are well positioned when it comes to the design and implementation of network and infrastructure security, identity and access management, and data protection. Many network vendors have implemented Design for Security principles as well as security functionality specified by standardization bodies such as 3GPP or IETF.
But there are two kinds of networks that run in parallel within a CSP’s environment. First is the IT network, where all the operator’s business applications (e.g. billing, CRM) and end-user services (e.g. IPTV, Smart Home) run. Second is the telecom network, supporting the access, transport and core domains with their respective network functions. While security for both networks remains paramount, there needs to be more focus on rapidly detecting and responding to incidents when these latter systems are breached.
“What is happening today is that security in the telecom network is the extension of IT security and is run with an IT-centric approach,” says Vishal Sahay, head of Nokia’s Security Operations portfolio. “And because of this, the telecom-specific threat scenarios are not as effectively addressed as the IT threat scenarios. This can make it a much easier task for cyber criminals to start penetrating the telecom network.”
Telecom security executives would agree. According to a recent survey conducted by Nokia and Pulse, none of the respondents said they felt fully equipped to respond to security threats.
More vulnerability points, more motivated hackers
Security is a full-time concern, according to Holly Grace Williams, managing director of the cybersecurity consultancy Secarma and an ethical hacker.
“Organizations need to care about security all of the time,” Williams says. “It’s not as simple as having an annual security review. You have to worry all the time about the changes you’re making to systems, what new technologies you’re introducing, and how that impacts the threat landscape.”
And while security threats overall are inevitable, the attack surface in the telecom domain specifically has been expanding in the last decade, according to the GSMA Mobile Telecommunications Security Threat Landscape report.
• Vulnerability points in telecom networks have dramatically increased. There are now open interfaces in virtualized or cloud-native network functions and local breakouts in edge-cloud implementations. In addition, application servers and operations and management systems are now connected to the internet.
• New devices and operating systems now offer more diverse targets for cybercriminals to exploit. According to the Nokia Threat Intelligence Report, malware targeting Android phones accounts for more than 93% of smartphone attacks. More than 25 million Android malware samples have been identified so far, and data indicate we should expect steady growth. Additionally, IoT device infections doubled year-over-year, with 33% of mobile network infections now related to IoT.
• And hackers are more motivated. When the prize was free phone calls or an unlocked phone, interest was relatively low. Nowadays, with industry verticals – like banking and healthcare – running mission-critical applications on CSP networks, hackers are targeting subscriber data for financial gain or shuttering a business for fun or ideology. Even automobiles are being hacked, with drivers at the wheel.
With the attack surface expanding, it’s not enough to simply port over the principles of threat management from the IT world. The IT and telecom domains are very different, and the strategies must be as well.
Telecom-relevant use cases need to be part of the security roadmap, according to Sahay. The kinds of scenarios are broad, and the threat can be significant.
For example, telecom signalling attacks designed to affect the behaviour of specific network functions have had harmful outcomes, including:
• critical network functions or users blocked by denial of service attacks
• location disclosure attacks that compromise user privacy
• SMS rerouting that results in access to one-time passwords for accounts, for example in banking
There has also been unauthorized access to telecom network functions on the management plane via insider attacks, social engineering and malware implants, a technique that can be used for a large-scale break of the SIM locks on smartphones.
CSPs must also consider that hackers will attack both domains simultaneously and protect against this scenario, too. The hacker group APT41 performed an attack designed to target the server farms of multiple operators for the interception of short messages (SMS) sent by identified targets. The attack started in the IT network and from there gained entry to the telecom network.
Why telecom is different
In addition to understanding how use cases might affect detection and mitigation strategies, CSPs face challenges that are specific to the telecom network. “Without domain knowledge or expertise, it is extremely difficult to build the appropriate security solutions,” Sahay says.
Identifying and mitigating attacks in the IT world is relatively easy with available off-the-shelf solutions or methods. This may be one reason why CSPs are better equipped to detect and respond to breaches within the IT domain, according to analysis from a series of security risk assessments we conducted with operators.
Say, for example, an organization provides a portal for supply chain vendors. When a vulnerability is identified on a given service or protocol, the enterprise simply restricts traffic to that portal to known addresses on specific ports using a firewall – thereby reducing the attack surface – and easily deploys known mitigation controls to reduce the risk. In telecom networks, a CSP cannot always use a similar mitigation control to shrink the attack surface. Suspending a network function, say in response to an attack on the LTE core network, risks interfering with a vital service. Solutions are available, but the appropriate response requires domain expertise to manage those vulnerabilities.
The difficulty of finding those domain experts should not be underestimated. Cybersecurity requires a very specific skill set, which means that good security specialists are in demand, and the job market is extremely competitive. The Nokia-Pulse survey results showed that 99% of telecom security executives are having difficulty recruiting the cybersecurity talent they need to protect their organizations.
Having those domain experts in place will help to reduce the time to detect and resolve data breaches. And, as the saying goes: time is money. According to the 2020 Ponemon report, the average time across all industries to detect an incident was 207 days – plus an additional 73 days to contain the breach. The longer a breach lasts, the bigger the financial hit to the organization. Data breaches with a lifecycle of more than 200 days on average added 30% more cost.
“What’s important to understand is that the shelf life of a vulnerability in a telecom network environment is much higher than when we compare it to an IT environment,” Sahay says. “And for the time that vulnerability is open, the risk to the network increases.”
Another way in which the two domains diverge is in the multi-vendor, multi-technology approach taken to building the telecom network. That approach now poses a challenge to managing security.
“It would be easier if everything was uniform,” Sahay says. “But the way products are designed, coming from different vendors, into diverse network elements, this is one of the security challenges where the CSPs are struggling.”
As an example, an operator may have sourced its HLR (home location register) – a database containing subscriber data – from as many as three different network vendors. The network elements from each vendor perform the same function, yet each has its own predefined security configurations and even varies in the way the system generates an alarm. Products can also differ when it comes to how configurations and vulnerabilities are managed. So, when a vulnerability is discovered it cannot be patched on the fly, as is done in IT. The vulnerabilities are addressed as part of a version upgrade of that software or network element, which can take anywhere from three months to a year.
Towards a more secure future
CSPs have started to recognize the challenges they face in the telecom domain and voiced a willingness to invest even more in security. Indeed, 94% of the security executives responding to our recent Pulse survey agreed they are planning to increase their investments over the next 12 months – with 81% planning to do so in the near term.
This becomes even more critical with the advent of 5G technology. More devices, more operating systems, and more industries will be onboarded. 5G is a foundational technology for what’s being called Industry 4.0 – the full digitalization of industry, including those asset-heavy industries like mining, manufacturing and transportation which have so far not made the transition. The threat surface – and consequent likelihood of attacks – will expand exponentially.
Security should be approached with an end-to-end (E2E) strategy. This is what 74% of telecom security executives agree is the right strategy when preparing for 5G and digital transformation threats.
There are four key areas to be considered:
1. Build security into all network domains to keep the threat surface as small as possible and raise the entry barrier for attacks
2. Combine different security technologies and measures to create multiple layers of security across the entire network with well-integrated defense-in-depth systems
3. Provide an overarching and adaptive security lifecycle management solution that orchestrates risk and threat prediction as well as prevention, detection and response measures into seamless workflows with E2E security orchestration
4. Automate security by using artificial intelligence and machine learning to increase efficiency in operations and enable adaptability to the evolving threat landscape.
"What matters is how effectively one manages vulnerabilities to prevent or reduce the probability of occurrence of threats," says Sahay. The fear, chaos and financial opportunities that cybercriminals seek to create may be on the rise, but with robust systems and strategies in place, CSPs can defend against what’s become the world’s biggest criminal growth industry.