Securing the Signaling Interconnect - Oracle (presentation transcript)
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Securing the Signaling Interconnect Oracle’s Perspective on Recent Security Events
Travis Russell Director, Cyber Security, Service Provider Networks Oracle Communications June 2016
Telecom Security Attacks Are on the Rise
Detected Telecom Security Incidents Worldwide Increased 45% from 2014 to 2015
Source: Global State of Information Security Survey 2015
Oracle’s Role in Network Security Standards
• Oracle Communications security work: a special focus on control plane network security around SS7, Diameter and SIP technologies.
– Contributing to security standards such as IR.88, FS.11, FS.07, SA.3, and many other standards and standards groups
– Chair of IETF SIP Telephony Identity Revisited (STIR)
– FCC CSRIC WG10 investigating signaling vulnerabilities
– Advisor to US Congress on security matters
• Decades of signaling expertise
In an Internet Minute
• 47,000 apps downloaded
• 1,300 new mobile users
• 135 botnet infections
• 20 new victims of ID theft
Source: Twitter, @kzhu91 via @intel (http://t.co/6k53RcXf)
Growing Data Breaches
(Slide graphic; the recoverable labels, listed in the order they appear, with size and date as shown)
• Experian, Mar '14: 200M
• eBay, May '14: 150M
• Adobe, Oct '13: 150M + source code
• Target, Dec '13: 98M
• Home Depot, Sep '14: 56M
• JPMC, Oct '14: 76M
• Anthem, Feb '15: 80M
• Vodafone, Oct '13: 2M
• SA Banks, Oct '13: credit cards
• Immigration, June '14: personal records
• Sony, Nov '14: TBs of IP
• Orange, Feb/Apr '14: 2M
• S. Korea, Jan '14: 20M (credit bureau), 12M (telecom)
• Benesse (education, Japan), July '14: 22M
• Kaspersky, Jun '15: espionage
• Hacking Team, Jul '15: 400GB IP theft
• Carphone Warehouse, Aug '15: 2.4M
• TalkTalk, Feb '15: 4M
Attack vectors: interconnects; Internet-facing nodes; password theft; insider access; signaling modification
Increasing Value of Data
Components of the S&P 500 Market Value (percent of total market value):
Year:                1975   1985   1995   2005   2014
Tangible assets:     83%    68%    32%    15%    12%
Intangible assets:   17%    32%    68%    85%    88%
Source: Ocean Tomo
The True Cost of Network Breaches
• 31% have little confidence in their mobile provider
• Only 5% are “very confident”
• TalkTalk lost more than 100,000 subscribers and suffered costs of 60M pounds
• Network breaches can do tremendous harm to a service provider's brand and stock price
We are now hearing about telecom breaches
• 45%: increase in customer data breaches in telecom networks in 2015
• 40%: increase in mobile device exploits
• 81%: damage to brand and reputation sharply increased in 2015
Sources: Global State of Information Security Survey 2015; PricewaterhouseCoopers
How Important Is the Information in Your Network?
• Value of information
• Sensitivity of information
• Impact of breach
Why is telecom suddenly vulnerable?
Historically: closed connections
The same tools – new application
“It was kind of easy. When someone trusts you, they let their guard down.”
– Hacker, Albert Gonzalez
Mobile privacy open to global cyber snooping from 'SS7 protocol'
Hackers demo network-level call interception, January 05, 2015: White-hat hackers at the 31st Chaos Computer Congress have demonstrated fundamental flaws in the underlying infrastructure of 2G and 3G mobile phone networks. The flaws allow attackers to covertly track the location of a phone number as well as intercept calls and SMS - all at the network level.
There are 5 claims being made
• The areas of focus have been around these 5 things:
– Location tracking
– Call intercept
– Subscriber Denial of Service
– Subscriber Account fraud
– SMS SPAM
• All of these areas utilize messages from the Mobile Application Part (MAP) in the control plane
• These were demonstrated at the C3 conference in Hamburg, as well as several other hacker conferences
Some facts about these exploits
• All of these exploits require multiple steps to be successful. They cannot be performed with just one command
• Stopping any part of the exploit is all that is required
– An operator does not have to prevent ALL of the messages from being received
• Limiting the access another network has into your network is the best approach
– This is the message that the hackers themselves have been sending in all of their presentations
– Use existing resources to prevent these exploits, rather than purchase another box
Some facts about these exploits
• While all of the talk has been around SS7, this issue is not limited to SS7
– Hackers are already demonstrating their ability to perform these exploits in Diameter networks as well
– Other technologies have not been demonstrated because of a lack of knowledge in the hacker community
– The main point being driven by all of the hackers is that they were able to purchase network access very easily and cheaply
• This means ANY network of ANY type is susceptible to abuse and exploit if it connects to other networks
• Access control becomes one of the most urgent practices in our industry!
The Issue is the Business of Interconnect
• Telecom networks are not designed with access control in mind
– Signaling networks are only connected with other “trusted” networks
– Signaling networks are secured through business arrangements rather than firewalls
How do they get access?
• At least one researcher advertises their own SS7 interconnect capability for “security audits”
– Researchers have admitted to paying for an interconnect
– They are also paying for Global Titles so they can look like a legitimate network
And now these exploits have been productized
• Cell phone reports = $150
• Interception = $100/call
• SS7 API = $250/month
The newest player to appear
• Now we hear from another company providing a product capable of these same claims
– Appears to be a laptop running open source scripts such as OpenSS7
– They have automated all of the scripts so hackers only need to know the rudimentary data to launch each exploit
– “Only available to Governments and Law Enforcement”
• This company is based in Israel, so they are selling to global governments and not in the US (yet)
Some other security concerns
• The focus of the hacker community on telecom networks is increasing
– 2600 Magazine now featuring numerous articles on telecom technologies
• K. Singh, S. Sangal, N. Jain, P. Traynor and W. Lee, “Evaluating Bluetooth as a Medium for Botnet Command and Control,” July 2010.
• P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, T. La Porta and P. McDaniel, “On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core,” November 2009.
One such paper on using botnets: “On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core”
– HLRs represent a chokepoint in the wireless network
– LTE outages have demonstrated the impact of HSS outages
• When combined with BOTNETs, a DDoS aimed at the HLR is a reality
• This paper (and the other related papers) all represent a continuing interest in wireless networks
Anatomy of an Attack: Starts With Network Access
• Negotiates interconnect agreement
• Attacker impersonates a network through emulation software
• Uses global interconnects and leased global titles to reach target networks
Anatomy of an Attack: Collect Network and Subscriber Data
• Gathering subscriber and network data
• Uses signaling commands to reach SS7 or Diameter network elements
• Uses retrieved data for next phase of exploit
Anatomy of an Attack: Manipulate Subscriber Profiles in the Network
• Subscriber profile manipulation allows attacker to control calls and text messages anywhere in the world
• Stolen data used in follow-on attacks
The Interconnect Can Be Secured Oracle Communications Best Practices
3 Steps to Secure a Network: a Network Defense-in-Depth Strategy
1. Encrypt your IMSIs
2. Prevent unauthorized network access
3. Detect and alert on all abnormal activity
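The first step, hiding the real IMSI from anyone outside the home network, is usually done for the SMS routing path: the routing response handed to an external SMSC carries a short-lived correlation ID shaped like an IMSI plus the address of the home SMS router, and only the home network can map the ID back. The following Python is an added illustration of that principle written for this transcript; it is not Oracle's code and not how EAGLE or the Convergent Charging Controller implement IMSI obfuscation. The vault class, the token format, the TTL, the `sri_sm_response` field names and the home MCC/MNC prefix are all assumptions, and the IMSIs are constructed values.

```python
"""Single-use IMSI correlation tokens for SMS home routing (added example)."""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

HOME_PREFIX = "26201"   # constructed home MCC+MNC; keeps the token shaped like a 15-digit IMSI


class ImsiVault:
    """Hands out short-lived, single-use correlation IDs in place of real IMSIs.

    External SMSCs only ever see the token; when the MT message arrives at the
    home SMS router the token is resolved back to the real IMSI, so neither the
    IMSI nor the serving node that holds the subscriber leaves the home network.
    """

    def __init__(self, ttl_seconds: float = 120.0,
                 clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def obfuscate(self, imsi: str) -> str:
        """Return a fresh token for `imsi`, valid once and for `ttl` seconds."""
        if not (imsi.isdigit() and len(imsi) == 15):
            raise ValueError("IMSI must be 15 digits")
        self._purge()
        while True:
            suffix = "".join(secrets.choice("0123456789") for _ in range(15 - len(HOME_PREFIX)))
            token = HOME_PREFIX + suffix
            if token not in self._tokens and token != imsi:
                break
        self._tokens[token] = (imsi, self.clock() + self.ttl)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the real IMSI once; None if the token is unknown, expired or already used."""
        self._purge()
        entry = self._tokens.pop(token, None)
        return entry[0] if entry else None

    def outstanding(self) -> int:
        """Number of tokens still valid (useful as a monitoring metric)."""
        self._purge()
        return len(self._tokens)

    def _purge(self) -> None:
        now = self.clock()
        for t in [t for t, (_, exp) in self._tokens.items() if exp <= now]:
            del self._tokens[t]


def sri_sm_response(vault: ImsiVault, imsi: str, home_sms_router_gt: str) -> dict:
    """Routing response an external SMSC receives: a token instead of the IMSI and the
    home SMS router instead of the real serving MSC/VLR (field names are constructed)."""
    return {"imsi": vault.obfuscate(imsi), "networkNodeNumber": home_sms_router_gt}


if __name__ == "__main__":
    vault = ImsiVault(ttl_seconds=60)
    resp = sri_sm_response(vault, "262011234567890", "4915200000001")
    print("external SMSC sees:", resp)
    print("home router resolves:", vault.resolve(resp["imsi"]))
    print("second use:", vault.resolve(resp["imsi"]))
```

Because every token is single-use and expires, a party that harvests routing responses cannot replay them later to address the subscriber, and the `outstanding()` count gives the monitoring side a simple gauge of how many routing lookups an external source has open.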
Don’t leave the door wide open
• Restrict the access allowed for all partner networks – do not give unlimited access
• Partner with the roaming department to better understand partner needs
• Never assume the partner network is secure – many times the attacker is on the other side of their network
• Treat your interconnect like any other network access privilege – use access control
Access Control is about permissions
• Each network connection is defined by permissions to be granted
– The network resources they are allowed to connect
– The types of messages (ISUP, SCCP, SCMG) they are allowed to send
– The types of operation codes they are allowed to send
• Black listing should only be used as a last resort
– Trying to maintain a black list of any kind is extremely difficult
– There will be a lot of false positives
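The permission model on this slide, and the earlier point that blocking any single step of a multi-step exploit is enough, can be expressed as a default-deny policy keyed on who is sending (calling-party GT), what they may address (SSN) and what they may ask for (MAP operation code). The Python below is an added example written for this transcript, not Oracle EAGLE or DSR configuration: the partner names and GT prefixes are constructed, while the operation codes and subsystem numbers are the standard MAP (3GPP TS 29.002) and SCCP values. `first_block` shows that a denied step anywhere in a sequence breaks the chain.

```python
"""Default-deny interconnect permission check (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Standard MAP operation codes used below
UPDATE_LOCATION = 2
PROVIDE_ROAMING_NUMBER = 4
MT_FORWARD_SM = 44
SEND_ROUTING_INFO_FOR_SM = 45
SEND_AUTHENTICATION_INFO = 56
PROVIDE_SUBSCRIBER_INFO = 70
ANY_TIME_INTERROGATION = 71

# Standard SCCP subsystem numbers used below
SSN_HLR = 6
SSN_VLR = 7
SSN_MSC = 8


@dataclass(frozen=True)
class PartnerPolicy:
    """What one interconnect partner is permitted to do; anything not listed is denied."""
    name: str
    gt_prefixes: FrozenSet[str]      # calling-party global titles the partner owns
    allowed_ssns: FrozenSet[int]     # subsystems in our network it may address
    allowed_opcodes: FrozenSet[int]  # MAP operations it may send
    control_plane: bool = True       # False: API-only partner, no SS7/Diameter access at all


@dataclass(frozen=True)
class MapMessage:
    calling_gt: str   # SCCP calling-party global title
    called_ssn: int   # SCCP called-party subsystem number
    opcode: int       # TCAP/MAP operation code


class InterconnectFilter:
    def __init__(self, policies: List[PartnerPolicy]):
        self.policies = list(policies)

    def partner_for(self, calling_gt: str) -> Optional[PartnerPolicy]:
        """Longest-prefix match of the calling GT against the partner list."""
        best = None
        for p in self.policies:
            for pfx in p.gt_prefixes:
                if calling_gt.startswith(pfx) and (best is None or len(pfx) > len(best[0])):
                    best = (pfx, p)
        return best[1] if best else None

    def decide(self, msg: MapMessage) -> str:
        """Return 'allow' or 'deny:<reason>'; sources with no agreement are denied."""
        partner = self.partner_for(msg.calling_gt)
        if partner is None:
            return "deny:unknown-source-gt"
        if not partner.control_plane:
            return "deny:api-only-partner"
        if msg.called_ssn not in partner.allowed_ssns:
            return "deny:ssn"
        if msg.opcode not in partner.allowed_opcodes:
            return "deny:opcode"
        return "allow"

    def first_block(self, sequence: List[MapMessage]) -> Optional[int]:
        """Index of the first denied message in a multi-step sequence, or None if
        every step would pass; one denied step is enough to break the chain."""
        for i, msg in enumerate(sequence):
            if self.decide(msg) != "allow":
                return i
        return None


# Constructed partner policies (names and GT prefixes are invented for the example)
ROAMING_PARTNER = PartnerPolicy(
    name="roaming-partner-example",
    gt_prefixes=frozenset({"4479"}),
    allowed_ssns=frozenset({SSN_HLR, SSN_MSC}),
    allowed_opcodes=frozenset({UPDATE_LOCATION, SEND_AUTHENTICATION_INFO, PROVIDE_ROAMING_NUMBER}),
)
SMS_HUB = PartnerPolicy(
    name="sms-hub-example",
    gt_prefixes=frozenset({"3319"}),
    allowed_ssns=frozenset({SSN_HLR, SSN_MSC}),
    allowed_opcodes=frozenset({SEND_ROUTING_INFO_FOR_SM, MT_FORWARD_SM}),
)
CONTENT_PARTNER = PartnerPolicy(   # a location-services content provider: API access only
    name="content-provider-example",
    gt_prefixes=frozenset({"1212"}),
    allowed_ssns=frozenset(),
    allowed_opcodes=frozenset(),
    control_plane=False,
)
FILTER = InterconnectFilter([ROAMING_PARTNER, SMS_HUB, CONTENT_PARTNER])

if __name__ == "__main__":
    for m in (MapMessage("447912345", SSN_HLR, UPDATE_LOCATION),
              MapMessage("447912345", SSN_HLR, ANY_TIME_INTERROGATION),
              MapMessage("121200001", SSN_HLR, SEND_ROUTING_INFO_FOR_SM),
              MapMessage("999000001", SSN_HLR, UPDATE_LOCATION)):
        print(m, "->", FILTER.decide(m))
```

Note that the policy never needs a blacklist: the roaming partner is a legitimate network, yet its `anyTimeInterrogation` is refused simply because it was never agreed, and the content provider is refused at the control plane entirely regardless of what it sends.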
Protect against non-telco partners
• Many partners are not true service providers
– They provide content and services such as location services
– These partners should not be granted access to SS7 or Diameter
• Their access should be controlled through APIs
– Services Gatekeeper provides this type of access without connecting them to the control plane
Monitor and Analyze everything! Analytics is key to understanding events
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
– Sun Tzu, “The Art of War”
Monitoring is important
• Without monitoring, you cannot see what is coming into the network
– Monitoring with multiple systems can be challenging
– Network-wide monitoring is expensive, especially when having to replace multiple systems with one single solution
• Analytics provides much more powerful tools for analyzing network metadata, from SS7, SIP, and Diameter
– And it can be combined with charging data, as well as data from other sources
– This network “Big Data” approach provides the best and most efficient means for analyzing interconnect traffic
– Some security events will only be detected using analytics
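The events that "will only be detected using analytics" are typically those visible only across many records: a source with no agreement appearing at all, an agreed partner sending operations outside its profile (the "misbehaving" partners the closing slides mention), or one global title touching an unusual number of distinct subscribers in a short window. The Python below is an added example written for this transcript, not Oracle Communications Analytics or PIC output: the CSV layout, the field names, the partner list, the thresholds and every record are constructed, and the IMSIs are fictitious.

```python
"""Detection rules over interconnect signaling metadata (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed partner allowlist: calling-GT prefix -> MAP operations agreed with that partner
PARTNERS: Dict[str, FrozenSet[str]] = {
    "4479": frozenset({"updateLocation", "sendAuthenticationInfo", "provideRoamingNumber"}),
    "3319": frozenset({"sendRoutingInfoForSM", "mt-forwardSM"}),
}

# Constructed signaling metadata, one TCAP dialogue per line (fictitious GTs and IMSIs)
SAMPLE_RECORDS = """\
ts,calling_gt,opcode,imsi
2016-06-01T10:00:00,447912345,sendAuthenticationInfo,262011000000001
2016-06-01T10:00:02,447912345,updateLocation,262011000000001
2016-06-01T10:00:05,331955100,sendRoutingInfoForSM,262011000000002
2016-06-01T10:00:09,447912345,anyTimeInterrogation,262011000000003
2016-06-01T10:00:10,999000001,sendRoutingInfoForSM,262011000000010
2016-06-01T10:00:11,999000001,sendRoutingInfoForSM,262011000000011
2016-06-01T10:00:12,999000001,sendRoutingInfoForSM,262011000000012
2016-06-01T10:00:13,999000001,sendRoutingInfoForSM,262011000000013
2016-06-01T10:00:14,999000001,sendRoutingInfoForSM,262011000000014
2016-06-01T10:00:15,999000001,sendRoutingInfoForSM,262011000000015
"""


def partner_prefix(calling_gt: str) -> Optional[str]:
    """Prefix of the agreement covering this GT, or None if no agreement exists."""
    for pfx in PARTNERS:
        if calling_gt.startswith(pfx):
            return pfx
    return None


def analyse(records_csv: str, window: timedelta = timedelta(seconds=60),
            enum_threshold: int = 5) -> List[Tuple[str, str]]:
    """Run three rules over the records and return sorted, de-duplicated (rule, calling_gt) alerts."""
    alerts = set()
    per_gt: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(records_csv)):
        gt, op = row["calling_gt"], row["opcode"]
        per_gt[gt].append((datetime.fromisoformat(row["ts"]), row["imsi"]))
        pfx = partner_prefix(gt)
        if pfx is None:
            alerts.add(("unknown-source", gt))      # rule 1: no agreement covers this GT
        elif op not in PARTNERS[pfx]:
            alerts.add(("unexpected-opcode", gt))   # rule 2: partner outside its agreed profile
    # rule 3: distinct IMSIs addressed by one GT inside a sliding time window
    for gt, events in per_gt.items():
        events.sort()
        start = 0
        in_window: Dict[str, int] = defaultdict(int)
        for ts, imsi in events:
            in_window[imsi] += 1
            while events[start][0] < ts - window:      # drop events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= enum_threshold:
                alerts.add(("imsi-enumeration", gt))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for rule, gt in analyse(SAMPLE_RECORDS):
        print(f"{rule:18s} calling_gt={gt}")
```

Rule 3 is the one a per-message firewall cannot express: each individual `sendRoutingInfoForSM` from `999000001` looks ordinary, and only counting distinct subscribers per source over time makes the pattern visible. The thresholds here are arbitrary and would be tuned to a real interconnect's baseline.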
How Are You Doing in Creating Your Information Fortress?
• Managing network access
• Monitoring traffic
• Security processes
We have reached a new era
• Researchers once focused on IT have turned their attention to telecom
– We will see many more reports about “hacking” the telecom networks
– Researchers are learning our craft and exploiting the fact that telecom networks have been “open” for some time
– They are now selling toolkits for other hackers to use the same exploits
• We are migrating to an IT architecture
– And so we should be migrating to IT practices as well, especially when it comes to security
– Analytics and network signaling metadata are absolutely paramount to identifying interconnect abuse
What Did We Learn?
• There is no such thing as a trusted network
– All networks should be treated as untrusted
• Security should be used at both the transport layer and the application layer
– The gateway is the best place to implement security
• More attention needs to be paid to access control in the control plane
– The majority of “events” detected during monitoring stages has shown other service providers “misbehaving” rather than nefarious attacks
– Granting access to your network without limitations leads to exploitations
– Granting access to your network to unknown companies is dangerous
What Did We Learn?
• Should I buy another device?
– Researchers suggest use what you have in the network already
– Operators already have solutions but do not realize it!
Source: Alexandre De Oliveira, “Assaulting IPX Diameter roaming network”, Troopers
“The initial protection level, comparable to other STP deployments, was so low that we were planning to add an external appliance to mitigate all the known SS7 vulnerabilities presented in the past years. Thanks to your extensive research in the documented and undocumented features of the STP, we finally have covered all the SCCP level protection measures (blocked GT-spoofing, SSN firewall evasion tricks, GT enumeration from unknown parties) and many of the MAP/TCAP based attacks (blocking dangerous requests by OPCODE and by Application Context based on the source”
– Asian operator using Oracle EAGLE
“We should have security at every level.”
– Larry Ellison, Oracle Open World Keynote, October 2015
A more effective and secure approach
(Diagram: Network A and Network B)
• Many vendors propose a ‘point-solution’ to solve network security
• Not only is this inefficient, but it is vulnerable as well
• Manage network access at the network gateway at all layers
Applying our business drivers
(Slide graphic: the words agility, innovation, transformation and flexibility shown in many languages)
Agility: ability to think and understand quickly
Network security solutions must be able to quickly identify new anomalies in the network and respond, and be agile enough to adapt to ever-changing exploits.
Transformation: a thorough or dramatic change in form or appearance
We need to change our way of thinking about security. We must rethink how security is implemented in our networks – IT principles need to be implemented and data center security models embraced.
Innovation: a new method, idea, product, etc.
Security today requires new innovation: a different way of thinking about how we control network access and access policy.
Flexibility: capable of being changed or adjusted to meet particular or varied needs
Every network is unique. There are no ‘one-size-fits-all’ solutions for network security. Solutions must be flexible enough to meet demands today and tomorrow.
Network Security
• Performance Intelligence Center (PIC)
– Monitoring the entire network can be expensive – focus on the interconnect
– CDRs are no longer sufficient for evaluating attacks and breaches; visibility to the network signaling is paramount
– Network visibility is crucial at the signaling level and the application level to understand interconnect vulnerabilities and exploits
• Combine monitoring systems into one cohesive view
– Oracle Communications Analytics (OCA) allows service providers to combine outputs from multiple systems into one analytical view
Network Security
• Oracle Communications EAGLE STP provides SS7 security at the core
– Providing multiple layers of security to prevent unauthorized access
– Mitigate the effects of rogue SMS originators through filtering and blocking
– Prevent exploitation of interconnects by rogue service providers
• Diameter Signaling Router (DSR) provides access control at the network edge as well as the core
– Much like the STP in a Diameter network
– Absolutely critical for controlling DoS and preventing unauthorized access
Network Security
• Session Border Controller (SBC) provides access control in the SIP network
– The same platform is used for CSCF in the IMS domain
– SBC also provides filtering and fraud monitoring in VoIP networks
• Services Gatekeeper (OCSG) provides API access to network resources without providing full SS7/Diameter access
– This is the critical control point for content providers
– Allows access to subscriber information without providing access to the signaling
• Convergent Charging Controller (OC3C) provides powerful service logic providing a stateful firewall
– Obfuscation of IMSI and verification of roaming are just part of this tool's capabilities
Oracle’s Unique Approach
Carrier Grade Network Consulting Service
• Network experts develop site-specific MoPs
– For each engagement
– In our fully-dedicated multi-million dollar test lab
– Before touching your network
• We never re-use a MoP or introduce risk
• Only Oracle network consulting experts bring this level of strength to your engagement
10 Best practices for telecom network security
① Develop clear access policies for partners
② Implement “least access” privileges at the interconnect
③ Collect event logs from all systems
④ Maintain compliance with CERT, ISO, NIST and other standards
⑤ Keep security patches current in all network elements
⑥ Monitor, monitor, and monitor some more
⑦ Create a network breach plan
⑧ Monitor all user activity on critical systems
⑨ Educate and train all network personnel
⑩ Beware of social engineering!!
In an increasingly insecure world, doesn’t your most critical asset deserve the best protection?