Imagine you receive a letter from your bank informing you that attempts have been made to hack into your account. The following day your anti-virus software raises an alert that malware has been found on your PC. The next day your Internet Service Provider informs you that suspicious activity has been seen on your home connection. The next day your phone’s operating system tells you that… You get the point – you are the victim of an organised and concerted attack.
None of these providers guarantee that your data has not been compromised. By now you would be worried and concerned about potential damage. Could it be financial, reputational, privacy-related? Will personal or commercial secrets be stolen? Could you be subject to blackmail? With so much of our lives digitalised the risks seem endless.
How would you feel if none of these providers suggested any remedial action? Wouldn’t you expect them to take some proactive action and to advise you of some steps to take? Surely actions such as a review of security procedures, user credentials and security hardware/software, and a cleanse of your PC, should be conducted? Anecdotal experience shows that the most you are likely to receive is personalised alerts from a credit scoring service!
The point of this story is that when we deal with security risk and protection there is a vast difference between doing the minimum necessary and best practice. Furthermore, best practice varies significantly depending upon the current state of affairs.
To give you an illustration of that, many people use Google services. Whether it is a Gmail account, Android account, Google Drive account etc., they all form part of a standard Google account. However, the security deployed on an account depends upon both the user’s and Google’s perception of risk. Behind the scenes Google conducts real-time analysis using a huge amount of diverse data to identify risk and impose stricter controls. In parallel, did you know that Google offers an Advanced Protection Program aimed at high-risk users? If that isn’t for you they still offer two-factor authentication. If that still isn’t for you then you can still continue with standard single-factor authentication – not something I would recommend!
So how does all of this relate to the world of signalling firewalls? Until a couple of years ago, the risk of signalling being used to launch a remote attack on a mobile network was seen as purely theoretical. Eventually a few early adopters implemented firewalls that delivered Intrusion Protection Systems (“IPS”). Others had attempted upgrades to their network elements such as STPs. The overriding concern of both was to ensure compliance with the recommendations of the GSM Association (“GSMA”). Those recommendations provide a standard set of protections that an operator should implement as a minimum against basic attacks.
However, it is now widely accepted that remote signalling attacks against mobile networks are commonplace, and there has been plenty of evidence to demonstrate this. Protecting a network must be much more than protection against a minimum set of vulnerabilities. Mobile operators realise that their subscribers are under threat. Numerous penetration test vendors have reported that they continue to find vulnerabilities across all of the networks they have tested.
The risk of signalling attacks is no longer theoretical; in fact, the risk level is very high. Despite this we still observe a core requirement to merely comply with GSMA recommendations. However, this should be the starting point of network protection and not the final goal! Attacks are now far more sophisticated than just a few years ago, e.g. multi-protocol and cross-protocol attacks. It is clear to us that there is a limited capability in the market to address these more sophisticated attacks.
There are options available to operators who wish to do more than the bare minimum. Advanced Intrusion Detection Systems (“IDS”) deliver immeasurable benefits to Mobile Operators. An IDS will enable you to benefit from advanced analytics and machine learning to identify new and unknown threats - precisely the threats that the GSMA can never recommend against, since they are not yet known! After all, you can't block what you can't detect. Even more critical is to take that approach and apply it to all protocols at risk, not in a siloed manner but in a coordinated one. A multi-protocol and cross-protocol IDS is the key to defending your subscribers and network.
Imagine being able to benchmark all network elements from around the world. Combine this information with data collected over SS7, Diameter, GTP and SIP. Analysis of the behaviour of those elements, across all relevant protocols, provides a treasure trove of information. This approach is a game changer. Instead of being in a constant react-and-defend mode you will be able to proactively protect your subscribers and your network. To address the scenario described at the beginning of this article, isn’t it time that Operators informed their customers that they had been the victim of an attempt to hack their account and that their Operator had protected them from it? The Operator could outline the attack type – a journalist would love to know someone is trying to track them, whilst a bank customer would love to know that someone has access to their account and is trying to empty it by intercepting a two-factor SMS PIN code!
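The contrast drawn above between a minimum-compliance firewall and a coordinated, cross-protocol IDS can be made concrete with a small simulation. The following is an added example, not Mobileum’s code and not part of the original post: it feeds one constructed stream of SS7, Diameter, GTP and SIP events through two checks. The first, `siloed_alerts`, looks at one protocol at a time against a static allow list of sending networks, which is the shape of a minimum-set rule. The second, `cross_protocol_alerts`, builds a per-subscriber timeline across all four protocols and flags a location update from a foreign network that arrives shortly after the subscriber was demonstrably active in the home network. The PLMN codes (test range MCC 001), IMSIs, simplified message names, the `ROAMING_PARTNERS` list and the 10-minute `WINDOW_SECONDS` are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample values: MCC 001 is the test network range, so none of
# these PLMN codes or IMSIs belong to a real operator or subscriber.
HOME_PLMN = "00101"           # the operator's own network
ROAMING_PARTNERS = {"00102"}  # networks allowed to send location updates (assumption)
WINDOW_SECONDS = 600          # assumption: how recent home activity must be to contradict a foreign update

# Messages that assert "this subscriber is now served by the sending network".
LOCATION_UPDATES = {("SS7", "MAP-UpdateLocation"), ("Diameter", "ULR")}
# Messages that show the subscriber actually using the home network right now.
HOME_ACTIVITY = {("GTP", "CreateSessionRequest"), ("SIP", "REGISTER")}


@dataclass(frozen=True)
class SignallingEvent:
    ts: int        # seconds on a constructed timeline
    protocol: str  # "SS7", "Diameter", "GTP" or "SIP"
    msg: str       # operation or command name (simplified)
    imsi: str      # subscriber identity
    origin: str    # PLMN code of the network element that sent the message


@dataclass(frozen=True)
class Alert:
    imsi: str
    ts: int
    reason: str


def siloed_alerts(events: Iterable[SignallingEvent], protocol: str) -> List[Alert]:
    """What a single-protocol firewall sees: one protocol's traffic only,
    judged message by message against a static allow list of senders."""
    alerts = []
    for ev in events:
        if ev.protocol != protocol or (ev.protocol, ev.msg) not in LOCATION_UPDATES:
            continue
        if ev.origin != HOME_PLMN and ev.origin not in ROAMING_PARTNERS:
            alerts.append(Alert(ev.imsi, ev.ts, f"{ev.msg} from unknown network {ev.origin}"))
    return alerts


def cross_protocol_alerts(events: Iterable[SignallingEvent]) -> List[Alert]:
    """Correlate per subscriber across protocols: a location update from a
    foreign network is implausible if the subscriber was just active at home,
    even when the sender is a legitimate roaming partner."""
    by_imsi = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_imsi[ev.imsi].append(ev)

    alerts = []
    for imsi, timeline in by_imsi.items():
        last_home = None  # most recent home-network activity seen so far
        for ev in timeline:
            key = (ev.protocol, ev.msg)
            if key in HOME_ACTIVITY and ev.origin == HOME_PLMN:
                last_home = ev
            elif key in LOCATION_UPDATES and ev.origin != HOME_PLMN:
                if last_home is not None and ev.ts - last_home.ts <= WINDOW_SECONDS:
                    gap = ev.ts - last_home.ts
                    alerts.append(Alert(imsi, ev.ts,
                        f"{ev.protocol} {ev.msg} from {ev.origin} only {gap}s after "
                        f"{last_home.protocol} {last_home.msg} in the home network"))
    return alerts


# Constructed sample feed: three subscribers, four protocols, one contradiction.
SAMPLE_EVENTS = [
    SignallingEvent(1000, "GTP", "CreateSessionRequest", "001010000000001", HOME_PLMN),
    SignallingEvent(1120, "Diameter", "ULR", "001010000000001", "00102"),  # partner, but 2 min later
    SignallingEvent(2000, "SIP", "REGISTER", "001010000000002", HOME_PLMN),
    SignallingEvent(9200, "SS7", "MAP-UpdateLocation", "001010000000002", "00102"),  # 2 h later: plausible
    SignallingEvent(3000, "Diameter", "ULR", "001010000000003", "00199"),  # not a partner at all
]

if __name__ == "__main__":
    for proto in ("SS7", "Diameter", "GTP", "SIP"):
        for a in siloed_alerts(SAMPLE_EVENTS, proto):
            print(f"[{proto} silo] {a.imsi} t={a.ts}: {a.reason}")
    for a in cross_protocol_alerts(SAMPLE_EVENTS):
        print(f"[cross-protocol] {a.imsi} t={a.ts}: {a.reason}")
```

Run as a script, the siloed check raises only the update from the unknown network `00199`; the update from the partner network for the first subscriber passes every single-protocol rule because the sender is on the allow list. Only the cross-protocol timeline notices that the same subscriber had opened a GTP data session in the home network two minutes earlier, which is the kind of contradiction a per-message, per-protocol rule cannot express. In a real deployment the plausibility window would be derived from observed travel behaviour rather than fixed, and the same per-subscriber timeline would be extended with the other protocols named in the post.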
It is time to up the game and move beyond a basic signalling firewall. Advanced analytics and machine learning are key features of Mobileum’s signalling firewall. Our multi-protocol and cross-protocol firewall is both an Intrusion Detection System and an Intrusion Protection System. Today it is deployed around the world in IDS mode, in IPS mode, and as both IDS and IPS.
PS Since writing this blog post I read an article in The Times (paywall) relating to China’s relationship with the rest of the world. Discussing a Chinese dissident in exile, the article mentioned that he “received a warning from Google that a ‘state actor’ had attempted to access his accounts.”