Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Securing the Signaling Interconnect Oracle’s Perspective on Recent Security Events Travis Russell Director, Cyber Security, Service Provider Networks Oracle Communications June 2016

Securing the Signaling Interconnect - Oracle | Integrated ... · Title: Oracle-16x9-2016 Author: kstorms Subject: Corproate Presentation Template Created Date: 10/11/2016 4:31:30

Jul 19, 2018



Telecom Security Attacks Are on the Rise

Detected Telecom Security Incidents Worldwide Increased 45% from 2014 to 2015

Source: Global State of Information Security Survey 2015


Oracle’s Role in Network Security Standards

• Oracle Communications security work: a special focus on control plane network security around SS7, Diameter and SIP technologies.

– Contributing to security standards such as IR.88, FS.11, FS.07, SA.3, and many other standards and standards groups

– Chair of IETF SIP Telephony Identity Revisited (STIR)

– FCC CSRIC WG10 investigating signaling vulnerabilities

– Advisor to US Congress on security matters

• Decades of signaling expertise


Our Digital Lifestyles


It’s the data that has value


In an Internet Minute

• 47,000 apps downloaded

• 1300 new mobile users

• 135 botnet infections

• 20 new victims of ID theft

Source: From Twitter @kzhu91 from @intel. http://t.co/6k53RcXf


Growing Data Breaches

• Experian, Mar ‘14: 200M

• eBay, May ‘14: 150M

• Adobe, Oct ‘13: 150M + Code

• Target, Dec ‘13: 98M

• Home Depot, Sep ‘14: 56M

• JPMC, Oct ‘14: 76M

• Anthem, Feb ‘15: 80M

• Vodafone, Oct ‘13: 2M

• SA Banks, Oct ‘13: Credit Cards

• Immigration, June ‘14: Personal Records

• Sony, Nov ‘14: TBs IP

• Orange, Feb/Apr ‘14: 2M

• S. Korea, Jan ‘14: 20M Credit Bureau, 12M Telecom

• Benesse Education, Japan, July ‘14: 22M

• Kaspersky, Jun ‘15: Espionage

• Hacking Team, Jul ‘15: 400GB IP Theft

• Carphone Warehouse, Aug ‘15: 2.4M

• Talk Talk, Feb ‘15: 4M

Attack Vectors: Interconnects, Internet facing nodes, Password Theft, Insider Access, Signaling modification


Increasing Value of Data

Components of the S&P 500 Market Value (Tangible Assets / Intangible Assets)

• 1975: 83% / 17%

• 1985: 68% / 32%

• 1995: 32% / 68%

• 2005: 15% / 85%

• 2014: 12% / 88%

Source: Ocean Tomo


The True Cost of Network Breaches

• 31% have little confidence in their mobile provider

• Only 5% are “very confident”

• TalkTalk lost more than 100,000 subscribers and suffered costs of 60M pounds

• Network breaches can do tremendous harm to a service provider’s brand and stock price


We are now hearing about telecom breaches

• 45%: increase in customer data breaches in telecom networks in 2015

• 40%: increase in mobile device exploits

• 81%: damage to brand and reputation sharply increased in 2015

Sources: Global State of Information Security Survey 2015; PriceWaterHouse


How Important Is the Information in Your Network?

• Value of information

• Sensitivity of information

• Impact of breach


Why is telecom suddenly vulnerable?


Historically: closed connections


IP Became an Enabler


The same tools – new application


“It was kind of easy. When someone trusts you, they let their guard down.”

– Hacker, Albert Gonzalez


What are the claims?


There are 5 claims being made

• The areas of focus have been around these 5 things:

– Location tracking

– Call intercept

– Subscriber Denial of Service

– Subscriber Account fraud

– SMS SPAM

• All of these areas utilize messages from the Mobile Application Part (MAP) in the control plane

• These were demonstrated at the C3 conference in Hamburg, as well as several other hacker conferences


Some facts about these exploits

• All of these exploits require multiple steps to be successful. They cannot be performed with just one command

• Stopping any part of the exploit is all that is required

– An operator does not have to prevent ALL of the messages from being received

• Limiting the access another network has into your network is the best approach

– This is the message that the hackers themselves have been sending in all of their presentations

– Use existing resources to prevent these exploits, rather than purchase another box


Some facts about these exploits

• While all of the talk has been around SS7, this issue is not limited to SS7

– Hackers are already demonstrating their ability to perform these exploits in Diameter networks as well

– Other technologies have not been demonstrated because of a lack of knowledge in the hacker community

– The main point being driven by all of the hackers is that they were able to purchase network access very easily and cheaply

• This means ANY network of ANY type is susceptible to abuse and exploit if it connects to other networks

• Access control becomes one of the most urgent practices in our industry!


The Issue is the Business of Interconnect

• Telecom networks are not designed with access control in mind

– Signaling networks are only connected with other “trusted” networks

– Signaling networks are secured through business arrangements rather than firewalls


How do they get access?

• At least one researcher advertises their own SS7 interconnect capability for “security audits”

– Researchers have admitted to paying for an interconnect

– They are also paying for Global Titles so they can look like a legitimate network


And now these exploits have been productized

• Cell Phone Reports = $150

• Interception = $100/call

• SS7 API = $250/month


The newest player to appear

• Now we hear from another company providing a product capable of these same claims

– Appears to be a laptop running open source scripts such as OpenSS7

– They have automated all of the scripts so hackers only need to know the rudimentary data to launch each exploit

– “Only available to Governments and Law Enforcement”

• This company is based in Israel, so they are selling to global governments and not in the US (yet)


Some other security concerns

• The focus of the hacker community on telecom networks is increasing

– 2600 Magazine now featuring numerous articles on telecom technologies

• K. Singh, S. Sangal, N. Jain, P. Traynor and W. Lee, “Evaluating Bluetooth as a Medium for Botnet Command and Control,” July 2010.

• P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, T. La Porta and P. McDaniel, “On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core,” November 2009.


One such paper on using botnets

“On Cellular Botnets: Measuring the Impact of Malicious Attacks”

• Devices on a Cellular Network Core

– HLRs represent a chokepoint in the wireless network

– LTE outages have demonstrated the impact of HSS outages

• When combined with BOTNETs, a DDoS aimed at the HLR is a reality

• This paper (and the other related papers) all represent a continuing interest in wireless networks


Here are the details…


ANATOMY OF AN ATTACK: STARTS WITH NETWORK ACCESS

• USES GLOBAL INTERCONNECTS AND LEASED GLOBAL TITLES TO REACH TARGET NETWORKS

• ATTACKER IMPERSONATES A NETWORK THROUGH EMULATION SOFTWARE

• NEGOTIATES INTERCONNECT AGREEMENT


ANATOMY OF AN ATTACK: COLLECT NETWORK AND SUBSCRIBER DATA

• USES SIGNALING COMMANDS TO REACH SS7 OR DIAMETER NETWORK ELEMENTS

• USES RETRIEVED DATA FOR NEXT PHASE OF EXPLOIT

• GATHERING SUBSCRIBER AND NETWORK DATA


ANATOMY OF AN ATTACK: MANIPULATE SUBSCRIBER PROFILES IN THE NETWORK

• SUBSCRIBER PROFILE MANIPULATION ALLOWS ATTACKER TO CONTROL CALLS AND TEXT MESSAGES ANYWHERE IN THE WORLD

• STOLEN DATA USED IN FOLLOW ON ATTACKS


The Interconnect Can Be Secured

Oracle Communications Best Practices


3 STEPS TO SECURE A NETWORK: NETWORK DEFENSE-IN-DEPTH STRATEGY

• Encrypt Your IMSIs

• Prevent Unauthorized Network Access

• Detect, Alert on All Abnormal Activity


Don’t leave the door wide open

• Restrict the access allowed for all partner networks – do not give unlimited access

• Partner with the roaming department to better understand partner needs

• Never assume the partner network is secure – many times the attacker is on the other side of their network

• Treat your interconnect like any other network access privilege – use access control


Access Control is about permissions

• Each network connection is defined by permissions to be granted

– The network resources they are allowed to connect

– The types of messages (ISUP, SCCP, SCMG) they are allowed to send

– The types of operation codes they are allowed to send

• Black listing should only be used as a last resort

– Trying to maintain a black list of any kind is extremely difficult

– There will be a lot of false positives
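
The permission model on this slide can be expressed as a default-deny allowlist per interconnect. The sketch below is an added example, not Oracle's code or any product's configuration; the link names, node names and grants are hypothetical, the sample messages are constructed, and the MAP operation codes are the standard 3GPP TS 29.002 values.

```python
"""Default-deny allowlist for signaling messages arriving on partner links."""
from dataclasses import dataclass
from typing import Optional

# A few MAP operation codes from 3GPP TS 29.002, used for readable reasons.
MAP_OPCODES = {2: "updateLocation", 45: "sendRoutingInfoForSM",
               56: "sendAuthenticationInfo", 71: "anyTimeInterrogation"}


@dataclass(frozen=True)
class LinkPolicy:
    """Permissions granted to one partner connection."""
    destinations: frozenset    # network resources the partner may address
    message_types: frozenset   # e.g. ISUP, SCCP, SCMG
    opcodes: frozenset         # MAP operation codes the partner may send


@dataclass(frozen=True)
class Message:
    link: str                      # interconnect the message arrived on
    message_type: str
    destination: str
    opcode: Optional[int] = None   # None when no MAP operation is carried


# Constructed policy table: link names, node names and grants are hypothetical.
POLICIES = {
    "roaming-partner-a": LinkPolicy(
        destinations=frozenset({"HLR-1"}),
        message_types=frozenset({"SCCP", "SCMG"}),
        opcodes=frozenset({2, 56}),
    ),
    "voice-partner-b": LinkPolicy(
        destinations=frozenset({"MSC-1"}),
        message_types=frozenset({"ISUP"}),
        opcodes=frozenset(),
    ),
}


def evaluate(msg, policies=POLICIES):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    policy = policies.get(msg.link)
    if policy is None:
        return False, "no policy for link"
    if msg.message_type not in policy.message_types:
        return False, "message type not granted"
    if msg.destination not in policy.destinations:
        return False, "destination not granted"
    if msg.opcode is not None and msg.opcode not in policy.opcodes:
        name = MAP_OPCODES.get(msg.opcode, "unknown")
        return False, f"opcode {msg.opcode} ({name}) not granted"
    return True, "granted"


def audit(messages, policies=POLICIES):
    """Count denials per (link, reason) for review with the roaming team."""
    counts = {}
    for m in messages:
        allowed, reason = evaluate(m, policies)
        if not allowed:
            counts[(m.link, reason)] = counts.get((m.link, reason), 0) + 1
    return counts


# Constructed sample traffic, not captured from any network.
SAMPLE = [
    Message("roaming-partner-a", "SCCP", "HLR-1", 2),
    Message("roaming-partner-a", "SCCP", "HLR-1", 71),
    Message("roaming-partner-a", "SCCP", "MSC-1", 2),
    Message("voice-partner-b", "ISUP", "MSC-1"),
    Message("voice-partner-b", "SCCP", "HLR-1", 45),
    Message("unknown-link", "SCCP", "HLR-1", 2),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.link, m.message_type, m.destination, m.opcode, evaluate(m))
    print(audit(SAMPLE))
```

The per-link denial counts from `audit` are the kind of output that shows whether a partner is merely misconfigured or is sending traffic it was never granted.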


Protect against non-telco partners

• Many partners are not true service providers

– They provide content and services such as location services

– These partners should not be granted access to SS7 or Diameter

• Their access should be controlled through APIs

– Services Gatekeeper provides this type of access without connecting them to the control plane


Monitor and Analyze everything!

Analytics is key to understanding events


"If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

– Sun Tzu, “The Art of War”


Monitoring is important

• Without monitoring, you cannot see what is coming into the network

– Monitoring with multiple systems can be challenging

– Network-wide monitoring is expensive, especially when having to replace multiple systems with one single solution

• Analytics provides much more powerful tools for analyzing network metadata, from SS7, SIP, and Diameter

– And it can be combined with charging data, as well as data from other sources

– This network “Big Data” approach provides the best and most efficient means for analyzing interconnect traffic

– Some security events will only be detected using analytics


Impacted Subscribers


How Are You Doing in Creating Your Information Fortress?

• Managing Network Access

• Monitoring Traffic

• Security Processes


We have reached a new era

• Researchers once focused on IT have turned their attention to telecom

– We will see many more reports about “hacking” the telecom networks

– Researchers are learning our craft and exploiting the fact that telecom networks have been “open” for some time

– They are now selling toolkits for other hackers to use the same exploits

• We are migrating to an IT architecture

– And so we should be migrating to IT practices as well, especially when it comes to security

– Analytics and network signaling metadata are absolutely paramount to identifying interconnect abuse


What Did We Learn?

• There is no such thing as a trusted network

– All networks should be treated as untrusted

• Security should be used at both the transport layer and the application layer

– The gateway is the best place to implement security

• More attention needs to be paid to access control in the control plane

– The majority of “events” detected during monitoring stages has shown other service providers “misbehaving” rather than nefarious attacks

– Granting access to your network without limitations leads to exploitations

– Granting access to your network to unknown companies is dangerous


What Did We Learn?

• Should I buy another device?

– Researchers suggest using what you have in the network already

– Operators already have solutions but do not realize it!

Source: Alexandre De Oliveira, “Assaulting IPX Diameter roaming network” Troopers,


“The initial protection level, comparable to other STP deployments, was so low that we were planning to add an external appliance to mitigate all the known SS7 vulnerabilities presented in the past years. Thanks to your extensive research in the documented and undocumented features of the STP, we finally have covered all the SCCP level protection measures (blocked GT-spoofing, SSN firewall evasion tricks, GT enumeration from unknown parties) and many of the MAP/TCAP based attacks (blocking dangerous requests by OPCODE and by Application Context based on the source”

– Asian operator using Oracle EAGLE


“We should have security at every level.”

– Larry Ellison, Oracle Open World Keynote, October 2015


A more effective and secure approach

Network A

Network B

• Many vendors propose a ‘point-solution’ to solve network security

• Not only is this inefficient, but it is vulnerable as well

• Manage network access at the network gateway at all layers


Applying our business drivers

Agility – Innovation – Transformation – Flexibility (each shown on the slide in several languages)


Agility: Ability to think and understand quickly

Network security solutions must be able to quickly identify new anomalies in the network and respond, and be agile enough to adapt to ever-changing exploits.


Transformation: A thorough or dramatic change in form or appearance

We need to change our way of thinking about security. We must rethink how security is implemented in our networks – IT principles need to be implemented and data center security models embraced.


Innovation: A new method, idea, product, etc.

Security today requires new innovation. A different way of thinking about how we control network access and access policy.


Flexibility: Capable of being changed or adjusted to meet particular or varied needs

Every network is unique. There are no ‘one-size-fits-all’ solutions for network security. Solutions must be flexible enough to meet demands today and tomorrow.


Network Security

• Performance Intelligence Center (PIC)

– Monitoring the entire network can be expensive – focus on the interconnect

– CDRs are no longer sufficient for evaluating attacks and breaches; visibility to the network signaling is paramount

– Network visibility is crucial at the signaling level and the application level to understand interconnect vulnerabilities and exploits

• Combine monitoring systems into one cohesive view

– Oracle Communications Analytics (OCA) allows service providers to combine outputs from multiple systems into one analytical view


Network Security

• Oracle Communications EAGLE STP provides SS7 security at the core

– Providing multiple layers of security to prevent unauthorized access

– Mitigate the effects of rogue SMS originators through filtering and blocking

– Prevent exploitation of interconnects by rogue service providers

• Diameter Signaling Router (DSR) provides access control at the network edge as well as the core

– Much like the STP in a Diameter network

– Absolutely critical for controlling DoS and preventing unauthorized access


Network Security

• Session Border Controller (SBC) provides access control in the SIP network

– The same platform is used for CSCF in the IMS domain

– SBC also provides filtering and fraud monitoring in VoIP networks

• Services Gatekeeper (OCSG) provides API access to network resources without providing full SS7/Diameter access

– This is the critical control point for content providers

– Allows access to subscriber information without providing access to the signaling

• Convergent Charging Controller (OC3C) provides powerful service logic providing a stateful firewall

– Obfuscation of IMSI and verification of roaming are just part of this powerful tool’s abilities


Oracle’s Unique Approach

Carrier Grade Network Consulting Service

• Network Experts develop site-specific MoPs

• For each engagement

• In our fully-dedicated multi-million dollar test lab

• Before touching your network

• We never re-use a MoP or introduce risk

• Only Oracle network consulting experts bring this level of strength to your engagement


10 Best practices for telecom network security

① Develop clear access policies for partners

② Implement “least access” privileges at the interconnect

③ Collect event logs from all systems

④ Maintain compliance with CERT, ISO, NIST and other standards

⑤ Keep security patches current in all network elements

⑥ Monitor, monitor, and monitor some more

⑦ Create a network breach plan

⑧ Monitor all user activity on critical systems

⑨ Educate and train all network personnel

⑩ Beware of social engineering!!


In an increasingly insecure world, doesn’t your most critical asset deserve the best protection?
