How to Detect and Respond to SS7 Attacks — OT Telco Use Cases

Man talking over the phone with AirPods on

In the telecom environment, using Signaling System No.7 (SS7) protocol is very crucial, especially in 2G networks. If you’re wondering how SS7 works, SS7 protocol is an international telecommunications standard used to set up public switched telephone network (PSTN) and one of the services that it offers is for Short Message Service (SMS). A common concern is that attackers try to exploit security vulnerabilities in the SS7 protocol which compromises voice and SMS communications.

To detect an SS7 attack, Positive Technologies developed a solution called Telecom Attack Discovery (TAD). Due to the nature and extent of an attack, which can cross from information technology (IT) to operational technology (OT), LogRhythm has implemented TAD into our security solutions to help combat SS7 attacks.

How to Detect and Respond to an SS7 Network Attack with LogRhythm’s TAD Integration

Here are four of the most common SS7 vulnerabilities customers and telecommunications organizations can detect using LogRhythm’s integration with TAD.

1. Detect Prohibited Interconnect Packets

Attackers can exploit messages received from interconnected links from other networks, without any explicit agreement to do so. Here are examples of what damages this type of SS7 attack can cause:

Denial of Service (DoS)

  • Disruption of network nodes operation
  • Disruption of phone subscription services


  • Illegal use of network resources or services
  • Money transfer from subscriber’s account
  • Call redirection
  • Modification of subscriber’s profile

Data leakage

  • Disclosure, interception, or theft of subscriber information such as location, text messages, and conversations
  • Access to network configuration details

For all of these examples, LogRhythm has automated alert and alarm capabilities using Risk-Based Priority (RBP) in order to detect these types of attacks and notifications are sent to the appropriate user or groups.

How to detect prohibited interconnect packets with LogRhythm
Figure 1: How to detect prohibited interconnect packets with LogRhythm

2. Detect Packets from an Unauthorized Network Requiring an Answer

This attack exploits messages which should mainly be received in relation to an inbound roaming (visiting) subscriber from that subscriber’s home network and require an answer. The impact of this attack is data leakage.

LogRhythm dashboard: Detect packets from unauthorized network requiring an answer
Figure 2: Detect packets from unauthorized network requiring an answer

3. Detect Suspicious Location Packets

This SS7 attack exploits messages related to a roaming subscriber activity (other than subscriber registration) from the visited network that the subscriber is currently roaming in. The calling signaling connection control part (SCCP) address of such messages should normally match the current visitor location register (VLR) address. The impact of this attack is data leakage.

Detection of suspicious location packets with LogRhythm
Figure 3: Detect suspicious location packets

4. Detect Suspicious Registration Attempts

This attack exploits messages directly involved in subscriber registration such as UL and serving area interface (SAI). These should normally be received only in relation to a roaming subscriber from the visited network that the subscriber is currently roaming in. Impact of this attack is DoS and fraud.

Detect suspicious registration attempts with LogRhythm
Figure 4: Detect suspicious registration attempts

Identify and Respond to an SS7 Attack in the Telco Environment

Providing 24×7 monitoring is another important step to detecting an SS7 attack in the telco environment. LogRhythm’s Event Dashboard and Analyze Dashboard layouts both leverage the same building blocks (widgets) to deliver use cases that help analysts identify and investigate activity. LogRhythm provides a Telco Security Dashboard which accumulates all the information from TAD and projects it in live form. This way customers can easily be able to monitor any abnormality triggered in their OT telco environment.

LogRhythm Telco security dashboard
Figure 5: Telco security dashboard

LogRhythm Scheduled Reporting Capabilities

LogRhythm’s comprehensive reporting capabilities combine the convenience of prepackaged reports with the flexibility of custom reports to allow for effortless distribution of data. LogRhythm can be configured to send alerts and reports directly to individuals, groups, shared directories, helpdesks — or any combination — allowing for the effective dissemination of information across a distributed workforce. Reports can be scheduled for delivery or generated on-demand. They are easily accessed via the real-time Personal Dashboard, email notifications, or exported tools such as Excel files and PDF files.

LogRhythm Telco security schedule report
Figure 6: Telco security schedule report

Detect SS7 Attacks with SOAR

LogRhythm Case Management and SmartResponse automation™ streamline incident response and enable security orchestration with prescribed analyst workflows, team collaboration tools, and built-in escalation processes. To help mitigate SS7 attacks, LogRhythm’s unique SmartResponse enables automated incident response which improves time to response (TTR). Analysts can execute fully automated actions such as case creation or assign playbooks. LogRhythm also has options for workflow automation to specific users for review before they are executed in semi-automated, approval-based response actions. Teams can decide which actions to automate so that they can focus on more critical issues and less manual tasks.

Automated response on adding playbook with LogRhythm
Figure 9: Automated response on adding playbook

Secure Your Telecommunication Organization with LogRhythm

With the increasing number of cyberattacks on telecommunication organizations, it’s critical to mature your security operations by implementing a security orchestration, automation, and response (SOAR) solution that can streamline threat investigation. LogRhythm’s SOAR product, RespondX, decreases workflow steps by dissecting use cases into manageable pieces. As your team standardizes process and becomes more efficient, you can take on complex telco-relevant use cases at scale.