Security Experts:

Attacking the Organism: Telecom Service Providers

Securing the Massive Netwoks of Telecom Service Providers is a Major Challenge and Becoming More Complex

Service providers and telecom carriers form the backbone of communications and commerce in modern economies. Their networks and cell towers deliver the internet itself—and everything that depends on it—to homes, businesses and mobile devices all over the world. And the complexity involved in doing so creates enormous security challenges. 

Major telecom companies provide the back-end datacenters, backhaul networks and cell towers to deliver connectivity all the way to your individual device and the array of applications on it. They also offer many of the storefronts that put manufacturers’ devices into your hands in the first place.  

Much has been said of the explosion of applications now driving everything from power grids to Pokemon, but it’s this pervasive global industry that provides the connective tissue for all those billions of end points. An average smartphone may have several dozen applications on it. The potential for backdoors in applications and devices can create even more challenges.

Service providers also deploy a multitude of applications themselves—to support not just phone, internet and account services but also a host of other customer-facing features and functions. There may be hundreds of applications on the back end that support delivery of all those services. 

Cell towerEvery one of these components is a potential insertion point for an attacker. Since this industry touches nearly every person and organization, motivations for those attacks—the CHEW involved—can arise from anywhere. Service disruption may be the goal for some attackers, but more often they seek to infiltrate administrative accounts as a means to gain deeper access into the networks of their ultimate marks: end customers, whether they be individuals or large enterprise companies.

Recently, researchers in Germany discovered a vulnerability in modern LTE/4G devices that can allow attackers to impersonate a device’s owner, access accounts and download any unencrypted information. Since the hack requires attackers to be in close proximity to the target, most people are unlikely to be affected. 

But high-value individuals with access to sensitive information could be targeted for purposes of espionage, cyberwarfare or financial gain. Attackers may try to use compromised devices as another avenue for entry into a larger network with high-value information. 

Gaining entry through a mobile device may be on the rise, but it’s still less common than other types of attacks. Data from F5 Labs shows that over the past few years DDoS and brute force attacks are the most common vectors for the service provider industry, both when the customer was the ultimate target and when the service provider was. Denial-of-service (DoS) attacks against service providers generally focus on services and apps or the IT infrastructure itself, attempting to drown the bandwidth and take down the network, or to target more customers. 

Access and authentication hacks are also a common scheme for using service providers to attack customers further downstream. Brute force attacks are among the most frequently used to either breach a customer or attempt to obtain administrative credentials. This can involve credential stuffing with stolen combinations, trying classic weak passwords like “password” or simply guessing at a massive scale in an automated fashion.  

In each of these cases, it can be difficult for the service provider to discover the attack until a service has gone down or calls start coming in, especially in cases of account takeovers. 

So how does the industry defend this colossal expanded organism? Since many of these attacks are masked as a spike in traffic or a general outage, service providers must be equipped to analyze unusual traffic against expected conditions, and then identify all the junk queries in their network service logs. 

The ability to detect spikes in log-in attempts or bad queries to the network or other suspicious traffic is the best way to mitigate an attack before it goes too far—or before an attacker has slipped undetected into a higher-value network.

To protect their traffic as it flows from the back end to towers all over the world to devices in users’ hands and back again, service providers also need advanced firewall protections that essentially “understand” more of the LTE network and the protocols within that infrastructure, including signaling protocols like Diameter and SIP. Protecting the applications traversing that network path is also critical, requiring solutions for application health monitoring, a robust WAF, web access controls and TCP optimization.

As expansive and important as this industry already is, the risks for carriers are only becoming more intense as today’s LTE and upcoming 5G networks move more applications, data and intelligence closer to the network edge where users interact with it. The network is becoming software in itself, and all those applications need service providers to function. 

As service providers’ networks continue to become more pervasive, more critical as infrastructure and more valuable, there will also be more room for errors to be exploited. Fortunately, targeted defenses are growing in sophistication as well, helping support this critical industry as it tries to keep pace with today’s malicious actors.

Related: ZenKey - How Major Mobile Carriers Are Teaming Up to Eliminate Passwords

view counter
Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.