Telecom MISP Building a Telecom Information Sharing Platform Alexandre De Oliveira TelcoSecDays 2018 - Troopers

MISP history • Actively developed and maintained by CIRCL − Computer Incident Response Center Luxembourg • Open Source Software - https://github.com/MISP/MISP • Community of 750 organizations with more than 1500 users sharing and updating daily cybersecurity indicators, financial indicators or threats in both ways. • Beside the tools, practices, standard formats and classifications play an important role.

MISP contributors • There are many different types of users of an information sharing platform like MISP: − Malware reversers willing to share indicators of analysis with respective colleagues. − Security analysts searching, validating and using indicators in operational security. − Intelligence analysts gathering information about specific adversary groups. − Law-enforcement relying on indicators to support or bootstrap their DFIR cases. − Risk analysis teams willing to know about the new threats, likelihood and occurrences. − Fraud analysts willing to share financial indicators to detect financial frauds.

MISP journey • CIRCL and MISP are mainly financed by Minister of Economy of Luxembourg − European Union is part of the financial contributors − They is no business model behind CIRCL/MISP • MISP is being audited by large number of organisations − Code is Open-Source making it easier to review by everyone − Around 15 pentest/review done by external parties every year • MISP platform is GDPR aware − https://www.misp- project.org/compliance/gdpr/information_sharing_and_cooperation_gdpr.html

POST on MISP • Using MISP since some time for IT related threat sharing • In summer 2017 we started to have huge Call Spam campaigns − Robot call for call back to premium numbers − Unsolicited Advertisements • Got a lot of complaints from our subscribers and the Lux police • How share these numbers to other operators ? • We decided to publish them on

Telecom Call fraud sharing on MISP • Started in October 2017 to share Call Spam numbers with a weekly event (continuous info updates) • Pushing via Splunk the blacklisted numbers detected

Feedback from operators • The weekly feed from POST is being used by other operators on MISP • Sharing this information brought new operators on the MISP platform • Already several feedbacks and a real interest on a more telecom dedicated MISP platform • It was time to implement MISP Telecom instance

Starting a MISP Telecom instance! • We contacted CIRCL to create a new MISP instance dedicated for telecom purposes • Built together new telecom dedicated objects: − SS7 attacks − Diameter attacks − GTP attacks • Can be extended, CIRCL is always open for collaboration and new ideas. • The platform is accessible by telecom operators only, and for free. • CIRCL will provide the platform and maintain it, we offer to GSMA to be involved in the administration of MISP Telecom instance. https://misptelco.circl.lu/

Demo https://misptelco.circl.lu

MISP Events

Feeding MISP with Telecom use case Wangiri/Robot Calls

Why ?

How do we feed MISP ? • What do all operator have ? CDRs and signaling traffic • Let’s take the case of using CDRs • CDRs are produced for Mobile/Fixed Calls, SMS, MMS, Data,… • For POST it’s around 80GB of global CDRs per day • Why not using all the data we have to detect frauds ? • Let’s feed our log analytics platform with CDRs!

Wangiri Fraud detection • Behavior & Machine learning based analytic, keep track of every activity on the network via CDR analysis • We have different indicators to decide to block or not numbers: − Threshold − Multiplication factor based on last days behavior − Cost of the communication − Call duration • We also have a whitelist for Survey companies, Govs, etc.

Wangiri Fraud detection • CDRs used for this use case are MSS (Mobile) and International Gateway (Fixed / Mobile) • We have achieved 10-15min reactivity on blocking spam campaigns. Live CDR feed coming soon. • Splunk is updating via API the blacklist on IGW equipment's

Call Spam fraud event

Distributed SPAM calls • After implementing the automatic blocking attackers are in an adaptation mode • Trying to find our blocking triggers • They now how to distribute and are organized… as we should be ! Subs receiving calls Attacker ANumber

Wangiri Call Fraud statistics Last 11 weeks 171 Call Spam Attacks

Detection Remarks • Mainly coming from Africa & Europe • Even when changing the number they are in the same subrange − Blocking the range could be problematic, side effects… • Spam campaign are mainly starting on Friday/weekend and trying back 1-2 weeks after with same numbers • Using ITU unallocated ranges (Somalia +2525XXXXXX) • New trends every 3 weeks… − Usage of international lines (Boat, offshore, Sat) − Spoofing Luxembourgish numbers • Tracing the real origin of the call is almost impossible…

POST Trends • March 2017 – No automatic detection − ~50 attacks/month – 1 attack could involve multiple numbers − Massive attacks minimum 5k calls to 100k calls within 1h • October 2017 – Starting dumb version of the detection − ~100 attacks/month − Massive attacks still trying but moved to a lot of lower level attacks − Trying from new ranges like offshore, SAT, etc • December 2017 – Starting ML detection − Profiling every Anumber on the network − Attacks <30 attacks/month, all are blocked after maximum 500 calls − Last week 6 attacks… • Now attackers are using/spoofing Lux numbers…

Goal seems to be reached… 0 5 10 15 20 25 0 10 20 30 40 50 60 70 80 90 100 Cost Revenue K K

Telecom community benefits • Sharing SMS & SPAM call numbers − Can be used to feed SMS/SS7 firewalls • Sharing information about SMS gray routes − Billing reduction/bypass • Sharing SS7, Diameter & GTP attack patterns • Will be a continuity in the movement of knowledge sharing started in GSMA groups since some years

Future data integration • SS7, Diameter and GTP attacks • GSMA High Risk range list • SMS Spam campaigns • Telecom vulnerabilities – Nodes & Protocols • …

MISP Telecom • Free Telecom Threat intel platform • Discussions with GSMA Security team are ongoing • Accessible and feeded by operators for operators − This could evolve quickly ! • Already up and running − alexandre.deoliveira@post.lu − info@circl.lu

Questions ?

Thank you