Telecom MISP - ERNW Insight
TRANSCRIPT
Telecom MISP
Building a Telecom Information Sharing Platform
Alexandre De Oliveira
MISP history
• Actively developed and maintained by CIRCL
− Computer Incident Response Center Luxembourg
• Open Source Software - https://github.com/MISP/MISP
• Community of 750 organizations with more than 1500 users sharing and updating cybersecurity indicators, financial indicators or threat information daily, in both directions.
• Besides the tools, practices, standard formats and classifications play an important role.
MISP contributors
• There are many different types of users of an information sharing platform like MISP:
− Malware reversers willing to share indicators of analysis with respective colleagues.
− Security analysts searching, validating and using indicators in operational security.
− Intelligence analysts gathering information about specific adversary groups.
− Law-enforcement relying on indicators to support or bootstrap their DFIR cases.
− Risk analysis teams willing to know about the new threats, likelihood and occurrences.
− Fraud analysts willing to share financial indicators to detect financial frauds.
MISP journey
• CIRCL and MISP are mainly financed by the Ministry of the Economy of Luxembourg
− The European Union is among the financial contributors
− There is no business model behind CIRCL/MISP
• MISP is audited by a large number of organisations
− The code is open source, making it easier for everyone to review
− Around 15 pentests/reviews are done by external parties every year
• The MISP platform is GDPR aware
− https://www.misp-project.org/compliance/gdpr/information_sharing_and_cooperation_gdpr.html
POST on MISP
• Using MISP for some time for IT-related threat sharing
• In summer 2017 we started to see huge call spam campaigns
− Robot calls prompting a call back to premium numbers
− Unsolicited advertisements
• Got a lot of complaints from our subscribers and the Luxembourg police
• How to share these numbers with other operators?
• We decided to publish them on
Telecom Call fraud sharing on MISP
• Started in October 2017 sharing call spam numbers in a weekly event (continuously updated)
• The blacklisted numbers detected are pushed via Splunk
Feedback from operators
• The weekly feed from POST is being used by other operators on MISP
• Sharing this information brought new operators on the MISP platform
• Already several pieces of feedback and real interest in a more telecom-dedicated MISP platform
• It was time to implement a MISP Telecom instance
Starting a MISP Telecom instance!
• We contacted CIRCL to create a new MISP instance dedicated to telecom purposes
• Built new telecom-dedicated objects together:
− SS7 attacks
− Diameter attacks
− GTP attacks
• Can be extended; CIRCL is always open to collaboration and new ideas.
• The platform is accessible by telecom operators only, and for free.
• CIRCL will provide and maintain the platform; we offer GSMA involvement in the administration of the MISP Telecom instance.
https://misptelco.circl.lu/
MISP Events
Feeding MISP with a telecom use case
Wangiri/Robot Calls
Why ?
How do we feed MISP ?
• What do all operators have?
CDRs and signalling traffic
• Let’s take the case of using CDRs
• CDRs are produced for mobile/fixed calls, SMS, MMS, data, …
• For POST it’s around 80 GB of global CDRs per day
• Why not use all the data we have to detect fraud?
• Let’s feed our log analytics platform with CDRs!
Wangiri Fraud detection
• Behaviour- and machine-learning-based analytics, keeping track of every activity on the network via CDR analysis
• We have different indicators to decide whether or not to block numbers:
− Threshold
− Multiplication factor based on the last days’ behaviour
− Cost of the communication
− Call duration
• We also have a whitelist for survey companies, governments, etc.
Wangiri Fraud detection
• The CDRs used for this use case are MSS (mobile) and international gateway (fixed/mobile)
• We have achieved 10-15 min reactivity in blocking spam campaigns. A live CDR feed is coming soon.
• Splunk updates the blacklist on the IGW equipment via API
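As an added example (not POST’s, CIRCL’s or Splunk’s code), the Python sketch below applies the indicators listed above (threshold, multiplication factor against the previous days’ behaviour, cost of the communication, call duration, whitelist) to a constructed CDR batch, and then shapes the resulting blacklist as a MISP event with phone-number attributes, the kind of weekly call spam event described under “Telecom Call fraud sharing on MISP”. The simplified CDR layout, the threshold values other than the 500-call limit quoted later in the talk, the meaning of the cost field and every phone number are assumptions made for the example; only the +2525 prefix comes from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Assumed simplified CDR layout (real MSS/IGW CDRs carry many more fields).
@dataclass(frozen=True)
class CDR:
    day: date
    a_number: str   # calling party (the attacker side in Wangiri)
    b_number: str   # called subscriber
    duration: int   # seconds; 0 means hung up before answer ("one ring")
    cost: float     # assumed: rate the subscriber would pay to call the A-number back

HARD_THRESHOLD = 500    # slide: attacks are blocked after a maximum of 500 calls
SOFT_THRESHOLD = 50     # assumed lower bar, used only with supporting indicators
FACTOR = 5.0            # today's volume vs. the average of the previous days
SHORT_CALL = 5          # seconds: Wangiri calls are dropped before the subscriber answers
PREMIUM_COST = 1.0      # assumed cost threshold marking a premium-rate destination
WHITELIST = {"+352999000001"}   # constructed: a survey company, never blocked
DEMO_DAY = date(2018, 3, 16)    # constructed "today" for the sample data

def classify(a_number, records, today, history_days=7):
    """Return a block reason for an A-number, or None if it looks legitimate."""
    if a_number in WHITELIST:
        return None
    today_calls = [c for c in records if c.day == today]
    if not today_calls:
        return None
    n_today = len(today_calls)
    past = [c for c in records if today - timedelta(days=history_days) <= c.day < today]
    baseline = len(past) / history_days            # average calls per day before today
    ratio = n_today / baseline if baseline else float("inf")
    avg_duration = sum(c.duration for c in today_calls) / n_today
    cost = max(c.cost for c in today_calls)
    if n_today >= HARD_THRESHOLD:
        return f"hard threshold: {n_today} calls"
    suspicious_profile = avg_duration <= SHORT_CALL or cost >= PREMIUM_COST
    if n_today >= SOFT_THRESHOLD and ratio >= FACTOR and suspicious_profile:
        return f"x{ratio:.0f} over baseline, avg duration {avg_duration:.1f}s, cost {cost:.2f}"
    return None

def detect(cdrs, today):
    """Group a CDR batch by A-number and return {number: block reason}."""
    by_number = defaultdict(list)
    for c in cdrs:
        by_number[c.a_number].append(c)
    blocked = {}
    for number, records in by_number.items():
        reason = classify(number, records, today)
        if reason:
            blocked[number] = reason
    return blocked

def build_misp_event(blocked, info):
    """Shape the blacklist as a MISP event (the JSON shape the MISP REST API accepts):
    one phone-number attribute per A-number, to_ids set so other operators can feed it into firewalls."""
    return {"Event": {
        "info": info,
        "distribution": 1,        # "this community only"
        "threat_level_id": 2,     # medium
        "analysis": 2,            # completed
        "Attribute": [
            {"type": "phone-number", "category": "Other", "to_ids": True,
             "value": number, "comment": reason}
            for number, reason in sorted(blocked.items())
        ],
    }}

def sample_cdrs(today=DEMO_DAY):
    """Constructed CDRs: two attackers, one busy legitimate caller, one whitelisted caller."""
    cdrs = []
    # Attacker 1: 600 one-ring calls today from the ITU-unallocated +2525 range the slide
    # mentions (digits after the prefix are made up), never seen on previous days.
    for i in range(600):
        cdrs.append(CDR(today, "+252512345678", f"+35269100{i:04d}", 0, 2.5))
    # Attacker 2: about 8 calls/day during the last week, 80 short premium-rate calls today.
    for d in range(1, 8):
        for i in range(8):
            cdrs.append(CDR(today - timedelta(days=d), "+22590000001", f"+35269200{i:04d}", 0, 1.8))
    for i in range(80):
        cdrs.append(CDR(today, "+22590000001", f"+35269300{i:04d}", 1, 1.8))
    # Legitimate call centre: a steady 60 answered, cheap calls every day (ratio stays ~1).
    for d in range(0, 8):
        for i in range(60):
            cdrs.append(CDR(today - timedelta(days=d), "+35227000001", f"+35269400{i:04d}", 120, 0.05))
    # Whitelisted survey company: 700 calls today, must not be blocked.
    for i in range(700):
        cdrs.append(CDR(today, "+352999000001", f"+35269500{i:04d}", 30, 0.05))
    return cdrs

if __name__ == "__main__":
    blocked = detect(sample_cdrs(), DEMO_DAY)
    print(json.dumps(build_misp_event(blocked, "Call spam numbers, weekly event (constructed)"), indent=2))
```

Run as a script it prints the event JSON; the two attacker numbers are flagged (one by the hard threshold, one by the baseline ratio combined with short call duration), while the steady call centre and the whitelisted survey company are left alone. The event document is what a Splunk alert action or a small cron job would POST to the MISP instance; the `to_ids` flag is what lets receiving operators filter the attributes into their blocking feeds.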
Call Spam fraud event
Distributed SPAM calls
• After implementing automatic blocking, attackers are in adaptation mode
• Trying to find our blocking triggers
• They know how to distribute and are organized… as we should be!
[Figure: distributed spam calls, one attacker A-number calling many subscribers]
Wangiri Call Fraud statistics (last 11 weeks)
171 Call Spam Attacks
Detection Remarks
• Mainly coming from Africa & Europe
• Even when changing the number they stay in the same subrange
− Blocking the range could be problematic, side effects…
• Spam campaigns mainly start on Friday/the weekend and try again 1-2 weeks later with the same numbers
• Using ITU unallocated ranges (Somalia +2525XXXXXX)
• New trends every 3 weeks…
− Usage of international lines (boat, offshore, satellite)
− Spoofing Luxembourgish numbers
• Tracing the real origin of the call is almost impossible…
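The remarks above describe patterns an analyst looks for in the blocked-number history rather than in live CDRs: numbers clustering in one subrange, the same numbers returning one to two weeks later, campaign starts concentrated on Friday and the weekend, and numbers from ranges ITU has not allocated. As an added example (not POST’s code), the following Python helpers compute those four views over a constructed block history. The nine-character prefix used as a “subrange”, the +2525 placeholder numbers and all dates are assumptions for the example; a real deployment would take the unallocated prefixes from the ITU-T E.164 assignment lists and the GSMA high-risk range list mentioned later in the talk.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed history of blocked A-numbers: (day the block was applied, number).
# The +2525 numbers stand in for the ITU-unallocated Somali range named on the slide;
# every digit after the prefix is made up.
HISTORY = [
    (date(2018, 2, 2), "+252512345601"),   # Friday
    (date(2018, 2, 2), "+252512345602"),
    (date(2018, 2, 2), "+252512345603"),
    (date(2018, 2, 3), "+22590000001"),    # Saturday
    (date(2018, 2, 16), "+252512345601"),  # same number back two weeks later
    (date(2018, 2, 16), "+252512345699"),  # new number, same subrange
    (date(2018, 2, 17), "+33612345678"),
    (date(2018, 2, 20), "+22590000002"),   # Tuesday
]

def subrange_clusters(numbers, prefix_len=9):
    """Group numbers by a shared prefix (the first prefix_len characters of the E.164
    string, an assumed proxy for a subrange) and return the groups with 2+ members.
    A large cluster is the signal for 'same subrange', not a licence to block the
    whole range: the side effects on legitimate callers in it have to be weighed first."""
    groups = defaultdict(set)
    for n in numbers:
        groups[n[:prefix_len]].add(n)
    return {p: sorted(ns) for p, ns in groups.items() if len(ns) >= 2}

def returning_numbers(history, min_gap=7, max_gap=14):
    """Numbers blocked again between min_gap and max_gap days after an earlier block,
    i.e. the 'try again 1-2 weeks later with the same numbers' pattern."""
    days_by_number = defaultdict(list)
    for day, number in sorted(history):
        days_by_number[number].append(day)
    gaps = {}
    for number, days in days_by_number.items():
        for earlier, later in zip(days, days[1:]):
            gap = (later - earlier).days
            if min_gap <= gap <= max_gap:
                gaps[number] = gap
    return gaps

def start_day_profile(history):
    """How many numbers were first blocked on each weekday (campaign start days)."""
    first_seen = {}
    for day, number in sorted(history):
        first_seen.setdefault(number, day)
    return Counter(d.strftime("%A") for d in first_seen.values())

def unallocated_hits(numbers, unallocated_prefixes=("+2525",)):
    """Numbers falling in prefixes the analyst has marked as unallocated."""
    return sorted({n for n in numbers if n.startswith(unallocated_prefixes)})

if __name__ == "__main__":
    numbers = {n for _, n in HISTORY}
    print("subrange clusters:", subrange_clusters(numbers))
    print("returning numbers:", returning_numbers(HISTORY))
    print("campaign start days:", start_day_profile(HISTORY))
    print("unallocated-range numbers:", unallocated_hits(numbers))
```

On the constructed history this yields two subrange clusters, one number returning after exactly 14 days, a start-day profile dominated by Friday and Saturday, and four numbers in the placeholder unallocated range. The same functions run unchanged over an export of the MISP weekly events, which is where the cross-operator value of the shared feed shows up.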
POST Trends
• March 2017 – No automatic detection
− ~50 attacks/month – 1 attack could involve multiple numbers
− Massive attacks: minimum 5k calls up to 100k calls within 1 h
• October 2017 – Starting a dumb version of the detection
− ~100 attacks/month
− Massive attacks still attempted, but moved to a lot of lower-level attacks
− Trying from new ranges like offshore, SAT, etc.
• December 2017 – Starting ML detection
− Profiling every A-number on the network
− <30 attacks/month, all are blocked after a maximum of 500 calls
− Last week 6 attacks…
• Now attackers are using/spoofing Lux numbers…
Goal seems to be reached…
[Chart: Cost vs. Revenue per month, both in K]
Telecom community benefits
• Sharing SMS & SPAM call numbers
− Can be used to feed SMS/SS7 firewalls
• Sharing information about SMS gray routes
− Billing reduction/bypass
• Sharing SS7, Diameter & GTP attack patterns
• Continues the knowledge-sharing movement started in GSMA groups some years ago
Future data integration
• SS7, Diameter and GTP attacks
• GSMA High Risk range list
• SMS Spam campaigns
• Telecom vulnerabilities – Nodes & Protocols
• …
MISP Telecom
• Free Telecom Threat intel platform
• Discussions with GSMA Security team are ongoing
• Accessible to and fed by operators, for operators
− This could evolve quickly!
• Already up and running
Questions?
Thank you