Telecommunication Security Use Cases


Attacks against telcos and internet service providers (ISPs) have risen steadily. In 2017, distributed denial of service (DDoS) attackers sustained an 11-day attack against a Chinese telco, setting that year's record for DDoS duration. That same year, Kaspersky Lab reported a 20 GB per second siege that lasted an hour, reflecting a trend toward longer and larger DDoS attacks. In early 2020, a DDoS attack took down 25 percent of the Iranian internet.


The Growing Telco Threat

Another growing mode of attack against telcos is the SIM swap scam, which lets an attacker take control of an individual's mobile identity. Attackers have used it to drain millions from bank accounts and hijack the online personas of politicians and celebrities.[1] Because the scam is carried out against the subscriber's account at the carrier rather than against the subscriber's own device, it is hard to detect until it is too late, when victims find their bank accounts drained and their social media accounts seized.

With the increase in attacks from multiple pathways, how can telcos effectively manage today’s risks while speeding up detection and mitigation of modern threats? Below are three practical use cases to defend against the three most common damaging cyberattacks:

1. Use Case: Detect Possible Distributed Denial of Service (DDoS) Attacks

DDoS attacks have become one of the most common attacks targeting the telco industry in recent years.[2] Detecting a DDoS early, before it overwhelms the capacity of the targeted devices, is critical: once links and hosts are saturated it becomes much harder to redirect the traffic or black-hole it. In this use case we detect an attacker attempting to crash an application or host with a DDoS, including attempts to deny authentication services to subscribers.

Utilizing LogRhythm’s out-of-the-box rule to detect possible DDoS attacks gives telco security teams the capability to detect DDoS attempts early on before hosts or services become overwhelmed and unavailable. With risk-based prioritization (RBP) value incorporated within LogRhythm’s alarm, security teams can also quickly prioritize and drill down on riskier threats in their IT or OT environment.
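The detection and prioritization described above, written out as an added example; this is not LogRhythm's rule or code. It assumes a constructed connection-log format (`<ISO time> <src_ip> <dst_ip> <dst_port> <flags>`), a hypothetical asset risk table, and thresholds chosen for illustration. A possible DDoS is declared when one destination host:port sees half-open (SYN-only) connections from many distinct sources inside a short sliding window, and each alarm gets an RBP-style score from the target asset's risk weight so the riskiest target is investigated first.

```python
"""Possible-DDoS detection over connection logs, with risk-based prioritization.

Added example (not LogRhythm code): the rule fires when one destination host:port
receives SYN-only connections from many distinct sources inside a short window,
and the resulting alarm is scored by the risk weight of the targeted asset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset inventory (assumed, not from the page): host -> risk weight 1..10
ASSET_RISK = {
    "192.0.2.10": 9,  # subscriber authentication (RADIUS) front end
    "192.0.2.20": 4,  # public web server
}

# Rule thresholds (assumed; tune to the baseline of your own network)
WINDOW = timedelta(seconds=10)
MIN_DISTINCT_SOURCES = 30   # distinct source IPs hitting one target within WINDOW
MIN_SYN_ONLY_RATIO = 0.8    # share of connections that never complete the handshake


def parse_line(line):
    """Parse one constructed log line: '<ISO time> <src_ip> <dst_ip> <dst_port> <flags>'.
    flags is 'S' for a SYN that was never acknowledged, 'SA' for a completed handshake."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": flags}


def risk_score(dst):
    """RBP-style priority: base severity for a flood plus the asset's risk weight, capped at 100."""
    return min(100, 60 + 4 * ASSET_RISK.get(dst, 3))


def detect_floods(events):
    """Return one alert per (dst, dport) that meets the flood thresholds inside any
    sliding WINDOW, sorted by priority so the riskiest target is investigated first."""
    by_target = defaultdict(list)
    for e in events:
        by_target[(e["dst"], e["dport"])].append(e)

    alerts = []
    for (dst, dport), evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so that the window spans at most WINDOW
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            sources = {e["src"] for e in window}
            syn_only = sum(1 for e in window if e["flags"] == "S")
            if (len(sources) >= MIN_DISTINCT_SOURCES
                    and syn_only / len(window) >= MIN_SYN_ONLY_RATIO):
                alerts.append({
                    "rule": "Possible DDoS: SYN flood from many sources",
                    "target": f"{dst}:{dport}",
                    "distinct_sources": len(sources),
                    "first_seen": window[0]["ts"].isoformat(),
                    "rbp": risk_score(dst),
                })
                break  # one alarm per target; later events only add evidence
    return sorted(alerts, key=lambda a: a["rbp"], reverse=True)


def build_sample_events():
    """Constructed sample data (not real traffic): 40 distinct sources open half-open
    connections to the RADIUS front end within 4 seconds, while ordinary clients
    complete handshakes to the web server."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    lines = [f"{(t0 + timedelta(milliseconds=100 * i)).isoformat()} "
             f"198.51.100.{i + 1} 192.0.2.10 1812 S" for i in range(40)]
    lines += [f"{(t0 + timedelta(seconds=i)).isoformat()} "
              f"203.0.113.{i + 1} 192.0.2.20 443 SA" for i in range(10)]
    return [parse_line(l) for l in lines]


if __name__ == "__main__":
    for alert in detect_floods(build_sample_events()):
        print(alert)
```

The web server sees only ten sources, all completing the handshake, so it never fires; the RADIUS front end fires as soon as the thirtieth distinct source appears, and its higher asset weight puts it at the top of the queue. In production the thresholds would come from a learned baseline rather than constants, and the flood rule would be paired with a separate rule on authentication failures or timeouts so that subscriber logins being denied is caught even when the packet rate stays modest.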

Figure 1: RBP and summary on possible DDoS detected

A feature introduced in LogRhythm 7.5, the Node-Link Graph, lets teams visualize the attack and determine right away whether it is genuine or a false positive. Visualization remains one of the best ways to identify and confirm that an attack is actually underway; the Node-Link Graph does this by drawing the connections between users and hosts in the environment. It also helps when communicating with management, giving them a picture of the current IT environment and its incidents.

Figure 2: Node-Link Graph on possible DDoS detected

2. Use Case: Detect Ransomware

Ransomware has surged in magnitude and frequency and is proving costly.[3] Orange, the fourth largest mobile operator in Europe, fell victim to a Nefilim ransomware attack in July 2020 that affected 20 of its enterprise customers. Nefilim, a newer ransomware family, follows the trend of stealing data before encrypting it and then threatening to publish the exfiltrated information in order to extract a larger ransom.

The LogRhythm XDR Stack detects ransomware through a combination of AI Engine rules and LogRhythm's File Integrity Monitoring (FIM) capability, SysMon Pro. Most ransomware exists to encrypt files, so a burst of writes and renames across many files from a newly seen process is one of the clearest indicators of anomalous behavior.

To mitigate the ransomware threat, LogRhythm's SmartResponse automation™ enables rapid incident response. SmartResponse shortens time to respond (TTR) through automation that integrates with other security and network tools. Analysts can run fully automated remediation actions, such as quarantining or isolating an infected host, or route actions through a semi-automated, approval-based workflow in which a member of the SOC team (for example, a senior incident analyst) reviews them before execution. Teams decide which actions to automate so they can focus on the complex incidents that require skill and judgment.

Figure 3: LogRhythm SmartResponse automation to quarantine endpoint

Whether a given action runs fully automatically or waits for an analyst's approval is a per-playbook choice.

Security automation use cases include:

  • Endpoint quarantine: Identify the network port where a suspicious device is located and disable the port/device.
  • Suspend users: If your team suspects an account has been compromised, they can halt a user’s account access no matter what device they use.
  • Collect machine data: Gather forensic data from a suspicious endpoint during a malware investigation.
  • Suspend network access: If data exfiltration is occurring, you can kill the connection by updating the access control list used by your firewalls.
  • Kill processes: Discontinue any unknown or blacklisted process on a critical device with an automated SmartResponse action.
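The FIM-based ransomware indicator and the automated-versus-approved response choice from the two passages above, combined in one added example; this is not LogRhythm's AI Engine rule or SmartResponse code. It assumes a constructed FIM event format (`<ISO time> <host> <process> <op> <path>`), a hypothetical baseline of processes allowed to touch many files, a hypothetical list of critical hosts, and thresholds chosen for illustration. A process outside the baseline that rewrites and renames many distinct files within one minute is flagged; the response is an automatic quarantine on ordinary hosts and an approval-gated one on critical hosts.

```python
"""Ransomware-style file-activity burst detection with an approval-gated response.

Added example (not LogRhythm code): a process outside the baseline that rewrites
and renames many files within one minute is flagged, and the response is
auto-quarantine on ordinary hosts but approval-gated on hosts marked critical.
"""
from collections import defaultdict
from datetime import datetime

# Assumed baseline of processes expected to touch many files (tune per estate)
BASELINE_PROCESSES = {"backup.exe", "indexer.exe", "svchost.exe"}
# Assumed list of hosts on which a quarantine needs a senior analyst's approval
CRITICAL_HOSTS = {"hlr-db-01"}

MIN_FILES_TOUCHED = 20   # distinct paths touched by one process in one minute
MIN_RENAME_RATIO = 0.5   # share of the process's events that are renames


def parse_fim_line(line):
    """Parse one constructed FIM line: '<ISO time> <host> <process> <op> <path>'.
    op is one of READ, WRITE, RENAME; the path may contain spaces."""
    ts, host, process, op, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": process,
            "op": op, "path": path}


def plan_response(host):
    """SmartResponse-style decision: fully automated on ordinary hosts,
    semi-automated (waits for approval) on critical infrastructure."""
    return "quarantine_pending_approval" if host in CRITICAL_HOSTS else "quarantine_auto"


def detect_encryption_bursts(events):
    """Bucket events by (host, process, minute) and flag buckets where a
    non-baseline process touched many distinct files, mostly via renames."""
    buckets = defaultdict(list)
    for e in events:
        if e["process"] in BASELINE_PROCESSES:
            continue
        minute = e["ts"].replace(second=0, microsecond=0)
        buckets[(e["host"], e["process"], minute)].append(e)

    alerts = []
    for (host, process, minute), evs in sorted(buckets.items()):
        files = {e["path"] for e in evs}
        renames = sum(1 for e in evs if e["op"] == "RENAME")
        if len(files) >= MIN_FILES_TOUCHED and renames / len(evs) >= MIN_RENAME_RATIO:
            alerts.append({
                "rule": "Possible ransomware: file rewrite/rename burst from new process",
                "host": host, "process": process, "minute": minute.isoformat(),
                "files_touched": len(files), "renames": renames,
                "action": plan_response(host),
            })
    return alerts


def build_sample_events():
    """Constructed sample data (not from a real system): an unknown process rewrites
    25 spreadsheets and renames each to '.locked' on two hosts; a backup job reads
    many files; a user edits two documents."""
    lines = []
    for host in ("billing-ws-07", "hlr-db-01"):
        for i in range(25):
            ts = f"2024-01-01T09:30:{i:02d}"
            lines.append(f"{ts} {host} cryptor.exe WRITE C:\\data\\invoice {i}.xlsx")
            lines.append(f"{ts} {host} cryptor.exe RENAME C:\\data\\invoice {i}.xlsx.locked")
    lines += [f"2024-01-01T09:30:{i:02d} billing-ws-07 backup.exe READ C:\\data\\doc {i}.txt"
              for i in range(40)]
    lines += ["2024-01-01T09:31:05 billing-ws-07 winword.exe WRITE C:\\users\\ann\\report.docx",
              "2024-01-01T09:31:40 billing-ws-07 winword.exe WRITE C:\\users\\ann\\notes.docx"]
    return [parse_fim_line(l) for l in lines]


if __name__ == "__main__":
    for alert in detect_encryption_bursts(build_sample_events()):
        print(alert)
```

The backup job reads forty files but is in the baseline, and the word processor touches only two, so neither fires; the unknown process fires on both hosts, but the HLR database host routes to an approver because cutting it off would itself be a subscriber-facing outage. Keeping the response decision in its own function is what lets a team move a host between the automated and approval-gated lists without touching the detection logic.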

3. Use Case: Detect SIM Swap

A SIM swap scam is a form of account takeover whose goal is to receive the short message service (SMS) text messages that banks and other services send to a mobile phone as a second authentication factor. Attackers typically use personal data exposed on the dark web to convince a mobile carrier that they are the legitimate owner of the number and have the SIM card replaced. The central challenge is detecting the behavior associated with a SIM swap before the attacker cashes in.

Teams can detect a possible SIM swap by monitoring subscriber account activity, in particular changes of address and changes of SIM. A change of address and a change of SIM on the same subscriber account within a short interval is anomalous enough to treat as a likely SIM swap, so an AI Engine rule that correlates the two events can raise an alarm for further investigation.
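The address-change and SIM-change correlation described above as an added example; this is not LogRhythm's AI Engine rule. It assumes a constructed subscriber-activity log format (`<ISO time> <subscriber_id> <MSISDN> <activity> <channel>`) and a 24-hour correlation window chosen for illustration. It goes slightly beyond the text in accepting the two changes in either order and recording which channel the SIM change came through, since that is the first thing an analyst will want in the drilldown.

```python
"""SIM swap detection by correlating subscriber account changes.

Added example (not LogRhythm code): an alarm is raised when the same subscriber
account sees a change of address and a change of SIM within a 24-hour window,
in either order.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(hours=24)   # assumed; tune to your fraud baseline


def parse_subscriber_line(line):
    """Parse one constructed subscriber-activity line:
    '<ISO time> <subscriber_id> <MSISDN> <activity> <channel>'."""
    ts, sub_id, msisdn, activity, channel = line.split()
    return {"ts": datetime.fromisoformat(ts), "subscriber": sub_id,
            "msisdn": msisdn, "activity": activity, "channel": channel}


def detect_sim_swaps(events):
    """Return an alarm for every (address change, SIM change) pair on one
    subscriber that falls within CORRELATION_WINDOW, regardless of order."""
    by_sub = defaultdict(list)
    for e in events:
        by_sub[e["subscriber"]].append(e)

    alarms = []
    for sub, evs in by_sub.items():
        addr_changes = [e for e in evs if e["activity"] == "CHANGE_ADDRESS"]
        sim_changes = [e for e in evs if e["activity"] == "CHANGE_SIM"]
        for a in addr_changes:
            for s in sim_changes:
                gap = abs(s["ts"] - a["ts"])
                if gap <= CORRELATION_WINDOW:
                    alarms.append({
                        "rule": "Possible SIM swap: address and SIM changed together",
                        "subscriber": sub, "msisdn": s["msisdn"],
                        "hours_apart": round(gap.total_seconds() / 3600, 2),
                        "sim_change_channel": s["channel"],
                        "address_first": a["ts"] < s["ts"],
                    })
    return alarms


# Constructed sample log (not real subscriber data). Subscriber 10003 moved house
# and changed phones ten days apart, which should not fire.
SAMPLE_LOG = """\
2024-03-05T09:02:00 10001 +15551230001 CHANGE_ADDRESS web
2024-03-05T10:32:00 10001 +15551230001 CHANGE_SIM callcenter
2024-03-05T11:00:00 10002 +15551230002 CHANGE_SIM store
2024-03-01T08:00:00 10003 +15551230003 CHANGE_ADDRESS web
2024-03-11T08:00:00 10003 +15551230003 CHANGE_SIM store
2024-03-05T12:00:00 10004 +15551230004 CHANGE_SIM web
2024-03-05T13:15:00 10004 +15551230004 CHANGE_ADDRESS web
"""


def run_sample():
    """Run the rule over the constructed sample and return its alarms."""
    return detect_sim_swaps(parse_subscriber_line(l) for l in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

A lone SIM change (subscriber 10002) is ordinary business and does not fire, nor does a pair ten days apart; the two subscribers whose address and SIM changed within hours of each other are alarmed, and the channel of the SIM change tells the analyst where to pull the call recording or web session from first.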

Figure 4: SIM swap alarm
Figure 5: Drilldown search investigation related on change address and change SIM activity

LogRhythm ingests many types of logs that are found within telecommunication applications. These include subscriber information such as:

  • IMEI
  • Subscriber ID, Activity, Address, Device Type
  • IMSI
  • IMSI PIE (5G)
  • ISDN
  • MSISDN
  • Subscriber’s Plan, Call Type, Call Status, Customer Type, Call Duration
  • Source IP Address

The ability to ingest a wide variety of subscriber log data provides critical context that feeds into LogRhythm NextGen SIEM Platform, so analysts can drill down on alarms from the platform’s risk-based prioritization.

Telco: Detect and Mitigate Ransomware, DDoS, and SIM Swap Attacks

Telcos and ISPs have become popular targets for hackers in recent years, and protection based on a holistic approach is needed to thwart new threats and take on new business challenges. LogRhythm’s NextGen SIEM Platform helps telecommunication organizations by utilizing AI Engine and security orchestration, automation, and response (SOAR) to build telco-relevant use cases and solve their business challenges.

To learn more about how LogRhythm’s SOAR capabilities can streamline threat investigation, visit our RespondX data sheet for additional features and benefits.


 

[1] Hackers Hit Twitter C.E.O. Jack Dorsey in a ‘SIM Swap.’ You’re at Risk, Too.

[2] More than 8.4 million DDoS Attacks Targeted IT Infrastructures, Cloud, Mobile Networks & IoT Devices in 2019

[3] Ransomware Damage Hit $11.5B in 2019