Telecom MISP. Building a Telecom Information Sharing Platform. Alexandre De Oliveira

Transcription

1 Telecom MISP Building a Telecom Information Sharing Platform Alexandre De Oliveira

2 MISP history Actively developed and maintained by CIRCL Computer Incident Response Center Luxembourg Open Source Software - Community of 750 organizations with more than 1500 users sharing and updating daily cybersecurity indicators, financial indicators or threats in both ways. Beside the tools, practices, standard formats and classifications play an important role.

3 MISP contributors There are many different types of users of an information sharing platform like MISP: Malware reversers willing to share indicators of analysis with respective colleagues. Security analysts searching, validating and using indicators in operational security. Intelligence analysts gathering information about specific adversary groups. Law-enforcement relying on indicators to support or bootstrap their DFIR cases. Risk analysis teams willing to know about the new threats, likelihood and occurrences. Fraud analysts willing to share financial indicators to detect financial frauds.

4 MISP journey CIRCL and MISP are mainly financed by Minister of Economy of Luxembourg European Union is part of the financial contributors They is no business model behind CIRCL/MISP MISP is being audited by large number of organisations Code is Open-Source making it easier to review by everyone Around 15 pentest/review done by external parties every year MISP platform is GDPR aware

5 POST on MISP Using MISP since some time for IT related threat sharing In summer 2017 we started to have huge Call Spam campaigns Robot call for call back to premium numbers Unsolicited Advertisements Got a lot of complaints from our subscribers and the Lux police How share these numbers to other operators? We decided to publish them on

6 Telecom Call fraud sharing on MISP Started in October 2017 to share Call Spam numbers with a weekly event (continuous info updates) Pushing via Splunk the blacklisted numbers detected

7 Feedback from operators The weekly feed from POST is being used by other operators on MISP Sharing this information brought new operators on the MISP platform Already several feedbacks and a real interest on a more telecom dedicated MISP platform It was time to implement MISP Telecom instance

8 Starting a MISP Telecom instance! We contacted CIRCL to create a new MISP instance dedicated for telecom purposes Built together new telecom dedicated objects: SS7 attacks Diameter attacks GTP attacks Can be extended, CIRCL is always open for collaboration and new ideas. The platform is accessible by telecom operators only, and for free. CIRCL will provide the platform and maintain it, we offer to GSMA to be involved in the administration of MISP Telecom instance.

9 Demo

10 MISP Events

11 Feeding MISP with Telecom use case Wangiri/Robot Calls

12 Why?

13 How do we feed MISP? What do all operator have? CDRs and signaling traffic Let s take the case of using CDRs CDRs are produced for Mobile/Fixed Calls, SMS, MMS, Data, For POST it s around 80GB of global CDRs per day Why not using all the data we have to detect frauds? Let s feed our log analytics platform with CDRs!

14 Wangiri Fraud detection Behavior & Machine learning based analytic, keep track of every activity on the network via CDR analysis We have different indicators to decide to block or not numbers: Threshold Multiplication factor based on last days behavior Cost of the communication Call duration We also have a whitelist for Survey companies, Govs, etc.

15 Wangiri Fraud detection CDRs used for this use case are MSS (Mobile) and International Gateway (Fixed / Mobile) We have achieved 10-15min reactivity on blocking spam campaigns. Live CDR feed coming soon. Splunk is updating via API the blacklist on IGW equipment's

16 Call Spam fraud event

17 Distributed SPAM calls After implementing the automatic blocking attackers are in an adaptation mode Trying to find our blocking triggers Attacker ANumber Subs receiving calls They now how to distribute and are organized as we should be!

18 Wangiri Call Fraud statistics Last 11 weeks 171 Call Spam Attacks

19 Detection Remarks Mainly coming from Africa & Europe Even when changing the number they are in the same subrange Blocking the range could be problematic, side effects Spam campaign are mainly starting on Friday/weekend and trying back 1-2 weeks after with same numbers Using ITU unallocated ranges (Somalia +2525XXXXXX) New trends every 3 weeks Usage of international lines (Boat, offshore, Sat) Spoofing Luxembourgish numbers Tracing the real origin of the call is almost impossible

20 POST Trends March 2017 No automatic detection ~50 attacks/month 1 attack could involve multiple numbers Massive attacks minimum 5k calls to 100k calls within 1h October 2017 Starting dumb version of the detection ~100 attacks/month Massive attacks still trying but moved to a lot of lower level attacks Trying from new ranges like offshore, SAT, etc December 2017 Starting ML detection Profiling every Anumber on the network Attacks <30 attacks/month, all are blocked after maximum 500 calls Last week 6 attacks Now attackers are using/spoofing Lux numbers

21 Goal seems to be reached 25K K Cost Revenue

22 Telecom community benefits Sharing SMS & SPAM call numbers Can be used to feed SMS/SS7 firewalls Sharing information about SMS gray routes Billing reduction/bypass Sharing SS7, Diameter & GTP attack patterns Will be a continuity in the movement of knowledge sharing started in GSMA groups since some years

23 Future data integration SS7, Diameter and GTP attacks GSMA High Risk range list SMS Spam campaigns Telecom vulnerabilities Nodes & Protocols

24 MISP Telecom Free Telecom Threat intel platform Discussions with GSMA Security team are ongoing Accessible and feeded by operators for operators This could evolve quickly! Already up and running

25 Questions?

26 Thank you