Securing Mobile Networks
Legacy telecommunications protocols have stood the test of time, underpinning the foundations of our day-to-day communications. Many of the early 2G and 3G protocols still exist within our networks, having been used for many decades, yet security for these protocols has long been overlooked.
Network operators have supported communications across the globe for many years, and as a result they are considered part of our Critical National Infrastructure (CNI). Whilst network communications protocols have evolved over the years, the likes of SS7, GTP-C, BGP and Diameter remain in common use. However, because some of these are legacy protocols (that is, they have been in use for many decades), they were never designed to face the security concerns our networks face today.
With threat actors and cyber criminals becoming ever more sophisticated, constantly evolving the techniques and tools they use to compromise networks, many are now looking towards mobile networks as ‘low hanging fruit’ for exploitation. That is to say, these protocols can be readily exploited, and far less security focus is placed on them today than on the wider cyber domain. Exploitation of such protocols can give threat actors information that facilitates location tracking, digital identity theft, financial fraud and theft, data and call intercept, and more.
This has resulted in an increase in targeted attacks against mobile networks. Existing solutions such as signalling firewalls are widely implemented across telecoms networks, using comprehensive rulesets such as those provided by the GSMA, yet attacks are still capable of evading detection. This raises questions around the security of these networks and whether firewalls alone are sufficient.
Monitoring beyond firewalls
For many years within the cyber domain there has been a drive to enhance the security of a network, from firewalls and antivirus solutions to Endpoint and Network Detection and Response (EDR and NDR) solutions. One of the key conversations in the industry today is ‘how can we improve?’ These solutions are constantly developing their capabilities: using more rulesets to detect malicious activity, monitoring more endpoints, and collecting logs from multiple devices into a single solution where the information is stitched together to highlight potentially malicious activity through anomalous behaviour, supported by technologies such as machine learning and artificial intelligence. In addition, there is a drive towards the concept of ‘proactive defence’. With this mindset, we no longer rely purely on technology to alert us to incidents and events; we can also use that technology to actively investigate the masses of data generated by our systems and networks, hunting for threats within the network and identifying threat actors’ operations before they are able to act on their objectives.
This proactive defence not only helps to reduce Mean Time to Detection (MTTD), but also reduces Mean Time to Response (MTTR) and puts the advantage in the corner of the blue team, enabling informed and considered decisions to be made prior to an attack, instead of in response to one. So, if this technology is being utilised within the cyber domain, why shouldn’t it be used within the mobile domain?
The good news is, it can!
Telesoft Technologies Ltd have developed the Mobile Signalling Probe to complement our existing network monitoring platform, the Telesoft Data Analytics Capability (TDAC), extending visibility beyond the cyber domain and into the mobile environment. The Mobile Signalling Probe has been designed to integrate seamlessly into existing network infrastructure at convenient monitoring locations, is capable of unsampled traffic monitoring across 2G, 3G, 4G and 5G networks, and enhances the firewalls and security solutions already in place. Because firewalls are designed to detect and stop malicious traffic by dropping bad packets, they do not store any data about the traffic passing through them. The Mobile Signalling Probe is not only capable of monitoring all of the network traffic, but also provides the storage required and the threat hunting capability to autonomously search for known and unknown malicious signalling messages.
Through extraction and storage of metadata and signalling control plane messages from the network, including common protocols such as SS7, GTP-C, BGP and Diameter, records are generated and egressed to a secure, scalable data lake. This enables analysts and threat hunting teams to investigate the masses of data collected and to determine whether malicious activity exists within the network beyond that identified and stopped by the existing firewalls.
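To make the threat-hunting step concrete, the following is an added example (not Telesoft code, and not part of the original post) of the kind of query an analyst might run over stored signalling records once they have been egressed to a data lake. The record layout, the field names (ts, proto, origin, category, subscriber), the partner allow-list and the sample records are all constructed assumptions; the two rules flag the page's concern that inbound signalling may be used to extract user metadata: lookups arriving from an origin network that is not a known partner, and repeated lookups against one subscriber within a short window.

```python
"""Hunt over stored signalling metadata for suspicious inbound lookups.

Added illustration only. Record fields, origins and categories are
constructed assumptions about what a signalling probe might store.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real traffic). 'category' is a coarse
# label a probe might attach to a control-plane message; 'origin' is the
# network the message arrived from.
SAMPLE_RECORDS = [
    {"ts": "2024-01-10T09:00:00", "proto": "Diameter", "origin": "home-net",  "category": "session",           "subscriber": "sub-001"},
    {"ts": "2024-01-10T09:00:05", "proto": "SS7",      "origin": "roaming-A", "category": "subscriber-lookup", "subscriber": "sub-001"},
    {"ts": "2024-01-10T09:00:30", "proto": "SS7",      "origin": "roaming-A", "category": "subscriber-lookup", "subscriber": "sub-002"},
    {"ts": "2024-01-10T09:01:00", "proto": "SS7",      "origin": "unknown-X", "category": "subscriber-lookup", "subscriber": "sub-003"},
    {"ts": "2024-01-10T09:01:10", "proto": "SS7",      "origin": "unknown-X", "category": "subscriber-lookup", "subscriber": "sub-003"},
    {"ts": "2024-01-10T09:01:20", "proto": "SS7",      "origin": "unknown-X", "category": "subscriber-lookup", "subscriber": "sub-003"},
    {"ts": "2024-01-10T09:01:30", "proto": "Diameter", "origin": "unknown-X", "category": "subscriber-lookup", "subscriber": "sub-003"},
    {"ts": "2024-01-10T09:05:00", "proto": "GTP-C",    "origin": "roaming-B", "category": "session",           "subscriber": "sub-004"},
]

# Constructed allow-list of partner networks expected to send lookups.
TRUSTED_ORIGINS = {"home-net", "roaming-A", "roaming-B"}


def parse(records):
    """Convert ISO timestamps to datetime and sort chronologically."""
    out = []
    for r in records:
        rec = dict(r)
        rec["ts"] = datetime.fromisoformat(r["ts"])
        out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def summarise_by_origin(records):
    """Baseline view: count of messages per (origin, category)."""
    counts = defaultdict(int)
    for r in parse(records):
        counts[(r["origin"], r["category"])] += 1
    return dict(counts)


def hunt(records, window=timedelta(minutes=5), threshold=3, trusted=TRUSTED_ORIGINS):
    """Return findings as (rule, origin, subscriber, count) tuples."""
    recs = parse(records)
    findings = []

    # Rule 1: subscriber lookups from an origin that is not a known partner.
    untrusted = defaultdict(int)
    for r in recs:
        if r["category"] == "subscriber-lookup" and r["origin"] not in trusted:
            untrusted[(r["origin"], r["subscriber"])] += 1
    for (origin, sub), n in untrusted.items():
        findings.append(("untrusted-origin-lookup", origin, sub, n))

    # Rule 2: sliding window over lookups per (origin, subscriber); report the
    # first point at which 'threshold' lookups fall inside 'window'.
    by_key = defaultdict(list)
    for r in recs:
        if r["category"] == "subscriber-lookup":
            by_key[(r["origin"], r["subscriber"])].append(r["ts"])
    for (origin, sub), times in by_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("repeated-lookup", origin, sub, end - start + 1))
                break
    return findings


if __name__ == "__main__":
    for origin_cat, n in sorted(summarise_by_origin(SAMPLE_RECORDS).items()):
        print(origin_cat, n)
    for finding in hunt(SAMPLE_RECORDS):
        print(finding)
```

Both rules are deliberately simple so that the baseline (summarise_by_origin) and the alerts (hunt) can be checked by hand against the stored records; in practice the allow-list and thresholds would be driven by the operator's own roaming agreements and observed traffic volumes.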
This capability not only enhances existing security postures across the mobile environment but also aims to support the telecommunications industry in achieving the goals laid out by the National Cyber Security Centre (NCSC). In the summary of the ‘Security Analysis for the UK Telecoms Sector’, the NCSC states:
“Operators must today consider that any inbound signalling may be malicious and treat it appropriately. Without the implementation of appropriate mitigations by operators, malicious inbound signalling could impact the availability of core network nodes, extract network or user metadata, or reroute user calls or data.”
The document goes on to state that network operators must take a ‘proactive approach to monitoring for threats, including the use of threat hunting where appropriate.’ It is likely that over the coming months or years network operators will face additional requirements surrounding monitoring, analysis, and data retention of communications on their networks. The potential impact of, and requirements to be placed on, network operators have been considered throughout the design and development of the Mobile Signalling Probe, including long-term data retention for data protection requirements.
If you are looking for solutions that can provide deep network visibility and can help secure your mobile and cyber environments, then get in touch with our experts today to discuss…