Telecom MISP - Building a Telecom Information Sharing Platform

MISP has been a great threat intelligence sharing platform, and for years it has helped organisations share IOCs for malware and other types of attacks.
A real need came for POST recently to start sharing telecom security information within the organisation, mainly due to the huge frauds continuously targeting us and the fact that no platform was dedicated to sharing such information among telecom operators.
Building such a platform was interesting for POST, but we knew from the beginning that it would be even more profitable for us if we started to share with other operators.
The goal behind this? Start catching up with attackers' techniques and share them as soon as possible, since attackers are replaying the same attacks over and over in different networks.
Now it's time to join the platform and share!

https://twitter.com/yodresh
MISP twitter: https://twitter.com/MISPProject

Alexandre De Oliveira

March 13, 2018

Transcript

  1. MISP history
     • Actively developed and maintained by CIRCL − Computer Incident Response Center Luxembourg
     • Open Source Software - https://github.com/MISP/MISP
     • Community of 750 organizations with more than 1500 users sharing and updating daily cybersecurity indicators, financial indicators or threats in both ways.
     • Beside the tools, practices, standard formats and classifications play an important role.
  2. MISP contributors
     • There are many different types of users of an information sharing platform like MISP:
       − Malware reversers willing to share indicators of analysis with respective colleagues.
       − Security analysts searching, validating and using indicators in operational security.
       − Intelligence analysts gathering information about specific adversary groups.
       − Law enforcement relying on indicators to support or bootstrap their DFIR cases.
       − Risk analysis teams willing to know about new threats, their likelihood and occurrences.
       − Fraud analysts willing to share financial indicators to detect financial frauds.
  3. MISP journey
     • CIRCL and MISP are mainly financed by the Ministry of the Economy of Luxembourg
       − The European Union is one of the financial contributors
       − There is no business model behind CIRCL/MISP
     • MISP is audited by a large number of organisations
       − Code is Open-Source, making it easier for everyone to review
       − Around 15 pentests/reviews done by external parties every year
     • MISP platform is GDPR aware
       − https://www.misp-project.org/compliance/gdpr/information_sharing_and_cooperation_gdpr.html
  4. POST on MISP
     • Using MISP for some time for IT related threat sharing
     • In summer 2017 we started to see huge Call Spam campaigns
       − Robot calls asking for a call back to premium numbers
       − Unsolicited advertisements
     • Got a lot of complaints from our subscribers and the Luxembourg police
     • How to share these numbers with other operators?
     • We decided to publish them on
  5. Telecom Call fraud sharing on MISP
     • Started in October 2017 to share Call Spam numbers with a weekly event (continuous info updates)
     • Pushing the blacklisted numbers detected via Splunk
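As an added example (not code from POST, CIRCL or the MISP project), the following builds the weekly call-spam event described on this slide as MISP event JSON and prepares the incremental attribute additions that make the "continuous info updates" possible. It assumes MISP's REST endpoints `POST /events/add` and `POST /attributes/add/<event_id>` with the API key sent in the `Authorization` header; the `Financial fraud` category for the `phone-number` type, the threat level and the distribution value are assumptions to check against your own instance. The detected numbers are constructed.

```python
"""Weekly MISP call-spam event (added example; not POST's or CIRCL's code)."""
import json
import re
import urllib.request

E164 = re.compile(r"\+[1-9]\d{6,14}")  # numbers are shared in international format


def phone_attribute(number, comment):
    """One MISP attribute for a spam A-number. Category 'Financial fraud' is an
    assumption: check the type/category map of your instance."""
    if not E164.fullmatch(number):
        raise ValueError(f"not an E.164 number: {number!r}")
    return {"type": "phone-number", "category": "Financial fraud", "value": number,
            "to_ids": True,            # meant for blocking, so flag it as an IDS indicator
            "comment": comment}


def build_weekly_event(detected, week_start, distribution=1):
    """Event JSON in the shape accepted by POST /events/add.
    `detected` maps A-number -> reason string; `week_start` is YYYY-MM-DD.
    distribution=1 is 'This community only', i.e. the operators on the instance (assumed)."""
    return {"Event": {
        "info": f"Call spam numbers, week of {week_start}",
        "date": week_start,
        "distribution": distribution,
        "threat_level_id": 3,   # 1 high, 2 medium, 3 low, 4 undefined
        "analysis": 1,          # 0 initial, 1 ongoing: the event is updated all week
        "Attribute": [phone_attribute(n, why) for n, why in sorted(detected.items())],
    }}


def new_attributes(event, detected):
    """Continuous update: only numbers not yet in the event, each to be sent to
    POST /attributes/add/<event_id>."""
    present = {a["value"] for a in event["Event"].get("Attribute", [])}
    return [phone_attribute(n, why) for n, why in sorted(detected.items())
            if n not in present]


def misp_post(base_url, api_key, path, payload, opener=urllib.request.urlopen):
    """Authenticated JSON POST to a MISP instance. `opener` is injectable so the
    function can be exercised without a network."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode(),
        headers={"Authorization": api_key,
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST")
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed detections for one week.
    detected = {"+25251000123": "25 one-ring calls in 10 min, premium callback"}
    event = build_weekly_event(detected, "2018-03-12")
    print(json.dumps(event, indent=2))
    # Real push, with the placeholder key replaced:
    #   created = misp_post("https://misptelco.circl.lu", "<API_KEY>", "/events/add", event)
    #   for attr in new_attributes(created, later_detections):
    #       misp_post("https://misptelco.circl.lu", "<API_KEY>",
    #                 f"/attributes/add/{created['Event']['id']}", attr)
```

The E.164 check matters in a shared feed: a number exported as `00352…` from one operator's CDR format and as `+352…` from another's would otherwise end up as two different indicators.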
  6. Feedback from operators
     • The weekly feed from POST is being used by other operators on MISP
     • Sharing this information brought new operators onto the MISP platform
     • Already several pieces of feedback and real interest in a more telecom dedicated MISP platform
     • It was time to implement a MISP Telecom instance
  7. Starting a MISP Telecom instance!
     • We contacted CIRCL to create a new MISP instance dedicated to telecom purposes
     • Built together new telecom dedicated objects:
       − SS7 attacks
       − Diameter attacks
       − GTP attacks
     • Can be extended; CIRCL is always open for collaboration and new ideas.
     • The platform is accessible by telecom operators only, and for free.
     • CIRCL will provide the platform and maintain it; we offer GSMA to be involved in the administration of the MISP Telecom instance.
     • https://misptelco.circl.lu/
  8. How do we feed MISP?
     • What do all operators have? CDRs and signaling traffic
     • Let's take the case of using CDRs
     • CDRs are produced for Mobile/Fixed Calls, SMS, MMS, Data, …
     • For POST it's around 80GB of global CDRs per day
     • Why not use all the data we have to detect frauds?
     • Let's feed our log analytics platform with CDRs!
  9. Wangiri Fraud detection
     • Behavior & Machine learning based analytics, keeping track of every activity on the network via CDR analysis
     • We have different indicators to decide whether or not to block numbers:
       − Threshold
       − Multiplication factor based on the last days' behavior
       − Cost of the communication
       − Call duration
     • We also have a whitelist for survey companies, governments, etc.
  10. Wangiri Fraud detection
     • CDRs used for this use case are MSS (Mobile) and International Gateway (Fixed / Mobile)
     • We have achieved 10-15 min reactivity on blocking spam campaigns. Live CDR feed coming soon.
     • Splunk is updating the blacklist on IGW equipment via API
  11. Distributed SPAM calls
     • After implementing the automatic blocking, attackers are in adaptation mode
     • Trying to find our blocking triggers
     • They know how to distribute and are organized… as we should be!
     [Diagram: attacker A-numbers fanning out to subscribers receiving calls]
  12. Detection Remarks
     • Mainly coming from Africa & Europe
     • Even when changing the number they stay in the same subrange
       − Blocking the range could be problematic, side effects…
     • Spam campaigns mainly start on Friday/weekend and try again 1-2 weeks after with the same numbers
     • Using ITU unallocated ranges (Somalia +2525XXXXXX)
     • New trends every 3 weeks…
       − Usage of international lines (Boat, offshore, Sat)
       − Spoofing Luxembourgish numbers
     • Tracing the real origin of the call is almost impossible…
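Slides 9 to 12 describe the indicators of the Wangiri detection (threshold, multiplication factor over the previous days, cost of the communication, call duration, a whitelist) and two things the attackers do in response: spread a campaign across several numbers of one subrange, and call from unallocated ranges. The code below is an added example, not POST's Splunk analytics or its machine-learning profiling, that scores constructed CDRs with exactly those indicators and then aggregates per subrange so that a distributed campaign whose numbers each stay below the per-number threshold is still visible. Every parameter value, the `callback_cost` field on the CDR and the sample numbers are constructed; only the `+2525` prefix comes from slide 12.

```python
"""Wangiri / call-spam scoring over CDRs (added example, not POST's Splunk logic)."""
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

# Tunable parameters. All values are constructed; the slides do not give POST's settings.
CALL_THRESHOLD = 20            # calls per day from one A-number before scoring starts
MULTIPLICATION_FACTOR = 5.0    # today's volume vs. mean daily volume of previous days
SHORT_CALL_SECONDS = 5         # a Wangiri call rings once and drops: ~0 s answered time
SHORT_CALL_RATIO = 0.8         # share of today's calls that are that short
PREMIUM_CALLBACK_COST = 1.0    # per-minute cost to call the A-number back (assumed field)
WHITELIST = {"+352123456"}     # survey companies, governments, etc. (constructed value)
SUSPECT_PREFIXES = ("+2525",)  # unallocated range mentioned on slide 12


@dataclass(frozen=True)
class Cdr:
    day: str              # YYYY-MM-DD
    a_number: str         # calling party, E.164 with leading "+"
    b_number: str         # called subscriber
    duration_s: int       # 0 for an unanswered / dropped ring
    callback_cost: float  # rated cost per minute of calling a_number back (assumed)


def assess(a_number, cdrs, today):
    """Score one A-number for `today`. Returns (block, reasons)."""
    if a_number in WHITELIST:
        return False, ["whitelisted"]
    mine = [c for c in cdrs if c.a_number == a_number]
    today_calls = [c for c in mine if c.day == today]
    if len(today_calls) < CALL_THRESHOLD:
        return False, ["below threshold"]
    reasons = [f"threshold: {len(today_calls)} calls today"]

    # Multiplication factor: compare with the number's own history (slide 9).
    history = Counter(c.day for c in mine if c.day != today)
    baseline = statistics.mean(history.values()) if history else 0.0
    if baseline == 0 or len(today_calls) >= MULTIPLICATION_FACTOR * baseline:
        reasons.append(f"volume spike: today={len(today_calls)} baseline={baseline:.1f}/day")

    # Call duration: the ring-and-drop pattern.
    short = sum(1 for c in today_calls if c.duration_s <= SHORT_CALL_SECONDS)
    if short / len(today_calls) >= SHORT_CALL_RATIO:
        reasons.append(f"short calls: {short}/{len(today_calls)}")

    # Cost of the communication: an expensive callback is the fraud's payoff.
    if max(c.callback_cost for c in today_calls) >= PREMIUM_CALLBACK_COST:
        reasons.append("premium callback cost")

    if a_number.startswith(SUSPECT_PREFIXES):
        reasons.append("suspect/unallocated prefix")

    # Block when the volume indicator is joined by at least two behavioural ones.
    return len(reasons) >= 3, reasons


def blacklist_for_day(cdrs, today):
    """A-numbers to push to the IGW blacklist (and to the MISP event) for `today`."""
    result = {}
    for a in sorted({c.a_number for c in cdrs}):
        block, reasons = assess(a, cdrs, today)
        if block:
            result[a] = reasons
    return result


def distributed_campaigns(cdrs, today, prefix_len=9, min_numbers=3):
    """Slides 11/12: a campaign spread over several numbers of one subrange, each below
    CALL_THRESHOLD. Aggregating today's calls by prefix shows it anyway; the result is
    for review, not automatic range blocking (the slide notes the side effects)."""
    by_prefix = defaultdict(lambda: [set(), 0])
    for c in cdrs:
        if c.day != today or c.a_number in WHITELIST:
            continue
        entry = by_prefix[c.a_number[:prefix_len]]
        entry[0].add(c.a_number)
        entry[1] += 1
    return {p: (len(nums), calls) for p, (nums, calls) in by_prefix.items()
            if len(nums) >= min_numbers and calls >= CALL_THRESHOLD}


def sample_cdrs():
    """Constructed CDRs: one loud campaign, one distributed campaign, one whitelisted
    survey caller and one ordinary subscriber."""
    days = ("2018-03-07", "2018-03-08", "2018-03-09")
    cdrs = [Cdr("2018-03-09", "+25251000123", f"+3526910{i:04d}", 0, 2.5) for i in range(25)]
    cdrs += [Cdr("2018-03-09", f"+252520012{n}", f"+3526911{i:04d}", 0, 2.5)
             for n in range(5) for i in range(8)]
    cdrs += [Cdr(d, "+352123456", f"+3526912{i:04d}", 45, 0.1) for d in days for i in range(30)]
    cdrs += [Cdr(d, "+352691555", f"+3526913{i:04d}", 120, 0.1) for d in days for i in range(3)]
    return cdrs


if __name__ == "__main__":
    cdrs = sample_cdrs()
    for number, why in blacklist_for_day(cdrs, "2018-03-09").items():
        print("BLOCK", number, "|", "; ".join(why))
    for prefix, (n, calls) in distributed_campaigns(cdrs, "2018-03-09").items():
        print("REVIEW subrange", prefix, f"{n} numbers, {calls} calls")
```

On the sample data the loud campaign is blocked on all five indicators, the survey company is skipped by the whitelist, and the five `+25252001…` numbers with eight calls each never reach the per-number threshold but surface together as a 40-call subrange. Per-number blocking and subrange review are kept as separate outputs because the slide treats range blocking as a decision with side effects rather than an automatic action.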
  13. POST Trends
     • March 2017 – No automatic detection
       − ~50 attacks/month – 1 attack could involve multiple numbers
       − Massive attacks: minimum 5k calls to 100k calls within 1h
     • October 2017 – Starting dumb version of the detection
       − ~100 attacks/month
       − Massive attacks still trying, but moved to a lot of lower level attacks
       − Trying from new ranges like offshore, SAT, etc.
     • December 2017 – Starting ML detection
       − Profiling every A-number on the network
       − Attacks <30 attacks/month, all are blocked after maximum 500 calls
       − Last week 6 attacks…
     • Now attackers are using/spoofing Lux numbers…
  14. Goal seems to be reached…
     [Chart: Cost vs. Revenue, in K; only the axis values survived extraction]
  15. Telecom community benefits
     • Sharing SMS & SPAM call numbers
       − Can be used to feed SMS/SS7 firewalls
     • Sharing information about SMS gray routes
       − Billing reduction/bypass
     • Sharing SS7, Diameter & GTP attack patterns
     • Will be a continuation of the knowledge sharing movement started in GSMA groups some years ago
  16. Future data integration
     • SS7, Diameter and GTP attacks
     • GSMA High Risk range list
     • SMS Spam campaigns
     • Telecom vulnerabilities – Nodes & Protocols
     • …
  17. MISP Telecom
     • Free Telecom Threat intel platform
     • Discussions with GSMA Security team are ongoing
     • Accessible to and fed by operators, for operators
       − This could evolve quickly!
     • Already up and running − [email protected] [email protected]