Cyber threat intelligence: Exploring attack forms
The increased digitalization of society has led to a heightened level of sophistication, persistence, and coverage of cyberattacks towards critical infrastructure, including mobile networks. This trend will continue with the ongoing wide adoption of 5G and its new services like enhanced broadband, massive IoT and ultra-low latency communications that enable new usage scenarios such as smart factories, smart cities, autonomous vehicles, and remote control of heavy machinery, among others.
It is therefore of utmost importance to use cyber threat intelligence that can help to deliver detailed understanding of the complete anatomy of advanced threats. While there are various definitions of cyber threat intelligence, in this blog we define it as the process consisting of the following steps:
- collect data
- extract threat information
- enrich, contextualize, and analyze said information
- discover insights that can be used for informed decisions and action-oriented advice
Cyber threat intelligence also includes sharing insights about modelled threats within a given technology domain, for example telecom, automotive or finance.
Understanding and modelling the attack patterns observed during a cyberattack is one of the important aspects of threat intelligence. It focuses on questions such as:
- What was the ultimate objective?
- How did the attack start?
- What was the sequence of actions and stepping-stones?
- What was the complete arsenal of ‘weapons’ used?
- Was the attack like previously observed ones and, if so, what was new this time?
Compared to conventional threat analysis, where the focus is on individual indicators of compromise such as malicious URLs, software exploits, malware or suspicious domain names, the behavioral analysis approach seeks to understand the adversary’s mindset and the complete chain of actions. The behavioral approach is not new and has been applied to other disciplines like psychoanalysis, criminology, or game theory.
This powerful threat modelling approach can be applied to threats in mobile networks using a state-of-the-art modelling framework that has been successfully adopted in other technology domains.
MITRE ATT&CK threat modelling
There are several threat modelling frameworks, but let’s take a look at the most widely used one: MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge). For this framework there are two fundamental concepts: tactic and technique.
- A tactic is why an adversary performs a specific action
- A technique is how an adversary achieves that goal
Another way to view a tactic is to see it as a goal that the adversary wants to achieve, while the technique is the instrument used to realize that tactic. For example, the tactic ‘Credential Access’ can be achieved using different techniques such as ‘Brute Force’ password guessing or stealing ‘Credentials from Password Stores’. Each technique also includes – apart from the actual description – advice for detection and mitigation. The complete set of tactics and techniques is visualized using a matrix where columns represent tactics and rows represent techniques (see Figure 1). MITRE has published matrices for three technology domains: Enterprise, Mobile devices, and Industrial Control Systems.
Understanding adversarial behavior can open new doors
So, why is adversarial behavior modelling so important? Here are some key benefits for security communities, organizations, and industrial sectors:
- Common language and knowledge base enables threat intelligence sharing. A structured data model and common taxonomy help the security community to share information about the adversaries and their behavior. Textual descriptions alone are insufficient to describe details and variations of each attack. By breaking the attacks into smaller components, it is easier for the security professionals to see common patterns and identify similarities with other attack campaigns.
- Improved robustness against attacks. So-called ‘Red teams’ can use the framework when simulating attacks. The framework can also be used to emulate new potential adversarial behavior.
- Improved threat mitigations. The framework can be used as a threat modeling tool in risk assessment. This helps organizations to identify possible threats and to design, assess, and deploy adequate mitigations. Understanding the offense is a part of the defense.
Example cyber threat scenario in telecom networks
Let’s put these concepts together in the context of a threat described in 3GPP TR 33.861:
Denial-of-service (DDoS) attacks towards the 5G core network include both large numbers of signal packets and user plane packets sent by compromised CIoT devices overloading the network. This kind of attack would lead to denial-of-service or at least throughput degradation caused by congestion to legitimate UEs [user equipment devices] whose traffic shares the same core network links.
Figure 2. Hypothetical threat showing the adversarial tactic and techniques to achieve DDoS in a mobile network. Operators can also use detections and mitigations to deter the attack.
For this threat, let’s model the hypothetical adversary’s behavior as illustrated in Figure 2. The adversary called APT999 has the tactic of disrupting mobile services in a certain geolocation. The prefix APT stands for advanced persistent threat, commonly used to denote known adversaries whose behavior has been tracked. To achieve its goal, APT999 uses false base stations (FBS) and Cellular Mirai – a hypothetical version of infamous IoT malware Mirai – that purportedly only spreads in mobile networks via cellular IoT devices. APT999 deploys FBS in a target location attracting IoT devices to connect to said FBS. Once devices “camp” near the FBS, APT999 infects them using Cellular Mirai and turns them into cellular botnets that are remotely controlled by a command and control (C&C) center that in turn makes them generate large amounts of traffic leading to DDoS.
Modeling adversarial behavior using ATT&CK
Now, let’s apply the ATT&CK framework and philosophy to model this DDoS hypothetical attack. We add more details with the aim of identifying how well the ATT&CK tactics (in bold below) and techniques cover the adversarial behavior for this mobile network specific attack.
- Reconnaissance – APT999 does some homework identifying vulnerable cellular IoT devices that use non-secure software, OS or hardware components such as cheap baseband radio units. They would conduct market analysis of the penetration of vulnerable devices in different geographic areas looking for high-density deployments where vulnerable cellular IoT devices are deployed.
- Resource Development – APT999 develops or obtains hacking tools to attack vulnerable IoT devices, deploying IoT software botnet repositories, renting a server for running a C&C center, keeping a library of exploits per device, port scanners, automated password guessing tools, collecting commonly used passwords in IoT devices or exploits to enter the device. An FBS is deployed in the location where the attack will be conducted. The FBS has several functionalities such as IMSI catcher to identify potentially vulnerable cellular IoT devices; and malware delivery to inject binaries into vulnerable devices.
- Initial Access – APT999 switches the FBS on and IoT devices start camping on the deployed FBS that forces them to drop from 5G to 2G connectivity. For such devices, the FBS operates as transparent man-in-the-middle box. The C&C launches scanners that look for vulnerable devices to compromise using exploits or password cracking. Compromised devices are then listed as candidate botnets. The C&C makes profiles of the device CPU architecture, OS and software.
- Execution – the APT999 C&C establishes direct IP connectivity to the victim devices through the FBS, which injects the device-specific botnet malware and turns them into cellular botnets.
- Persistence and Defense Evasion – once the IoT device has effectively become a botnet, it performs a ’hardening’ procedure by removing any IoT software and services that could disturb its work. The botnet also removes any possible defense mechanism or even competing botnets. The IoT device is now a botnet under full control of the C&C center.
- Discovery and Lateral Movement – botnets start looking for additional IoT devices in the geo-location neighborhood, repeating the Initial Access step. Compromised IoT devices report their geo-location to the C&C.
- Command and Control – C&C centers use encryption, proxies, URLs, SMS, security-by-obscurity to hide their communications with botnets, also changing DNS names and IP addresses to avoid detection.
- Impact – Under the C&C control, and by having the geo-location of all botnets, APT999 can now launch targeted geo-location network attacks such as DDoS or flooding.
Lessons learnt
For this hypothetical attack, we note that the existing ATT&CK tactics could be reused, as could several (sub)techniques. But because ATT&CK models mobile networks as a black box, the example also contains new (sub)techniques not available in any of the existing matrices. For instance (non-exhaustive list):
- attracting devices to attach with an FBS
- IMSI catcher
- identifying dense IoT deployments
- IoT malware adapted to a mobile context (for example Cellular Mirai)
- targeted geolocation attacks.
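To make the coverage analysis above concrete, here is an added example (not code from the original post or from Ericsson) that encodes the APT999 model as structured data, lists the behaviors with no existing ATT&CK technique, and emits an ATT&CK Navigator layer for the ones that do map. The technique IDs are real enterprise ATT&CK IDs, but the step-to-ID mapping and the layer field names are this example's own assumptions.

```python
"""Encode the hypothetical APT999 DDoS model and measure ATT&CK coverage.

Added example, not from the original post. Technique IDs are real enterprise
ATT&CK IDs; the mapping of each step to an ID is an assumption of this
example, and steps mapped to None are the mobile-specific gaps the post lists.
The layer output follows the ATT&CK Navigator layer schema (assumed fields).
"""
import json

# Constructed model of the scenario: (tactic, observed behavior, technique ID or None).
STEPS = [
    ("reconnaissance", "identifying dense vulnerable IoT deployments", None),
    ("resource-development", "renting a C&C server", "T1583"),
    ("resource-development", "deploying a false base station (FBS)", None),
    ("initial-access", "attracting devices to attach to the FBS", None),
    ("initial-access", "IMSI catcher on the FBS", None),
    ("initial-access", "scanning and password guessing against IoT devices", "T1110"),
    ("execution", "injecting Cellular Mirai through the FBS", None),
    ("defense-evasion", "removing defenses and competing bots", "T1562"),
    ("discovery", "looking for neighbouring IoT devices", "T1018"),
    ("command-and-control", "encrypted C&C with rotating DNS names/IPs", "T1568"),
    ("impact", "targeted geolocation DDoS", None),
]


def coverage_gaps(steps):
    """Return behaviors with no existing ATT&CK technique, grouped by tactic."""
    gaps = {}
    for tactic, behavior, tid in steps:
        if tid is None:
            gaps.setdefault(tactic, []).append(behavior)
    return gaps


def coverage_ratio(steps):
    """Fraction of modelled behaviors that an existing technique already covers."""
    covered = sum(1 for _, _, tid in steps if tid)
    return covered / len(steps)


def navigator_layer(steps, name="APT999 hypothetical DDoS"):
    """Build an ATT&CK Navigator layer (assumed schema) for the covered steps only."""
    techniques = [
        {"techniqueID": tid, "tactic": tactic, "color": "#ff6666", "comment": behavior}
        for tactic, behavior, tid in steps if tid
    ]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.4"}, "techniques": techniques}


if __name__ == "__main__":
    print(json.dumps(navigator_layer(STEPS), indent=2))
    for tactic, behaviors in coverage_gaps(STEPS).items():
        print(f"gap in {tactic}: {behaviors}")
```

The gap list is what a telecom-specific extension of the matrix would need to add; the layer can be loaded into Navigator to share the covered part with other teams.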
The above example shows that it is possible to reuse the existing MITRE ATT&CK framework and leverage the corresponding knowledge base created by other industries. There were some gaps, however, which is understandable since mobile networks and enterprise networks have different security, trust, and threat models. To mention a few key fundamental differences:
- Accessing a mobile network requires less effort than accessing an enterprise network, since the only thing needed is a mobile device with a SIM card.
- Adversaries can also obtain off-the-shelf FBS to passively listen to parts of the radio traffic or to actively attract mobile phones to camp nearby.
- Even if a mobile operator takes security measures to prevent their own subscribers’ devices from being infected, the operator can’t take preventive measures for devices that are roaming. For those, access can be denied only after the infection has been detected.
- Nation state adversaries abuse the interconnection networks to conduct surveillance on targeted subscribers.
- Adversaries in mobile networks have economic incentives, making fraud a common threat that uses several techniques (CLI spoofing, SIMBOX or SIM swaps being examples of different fraud types). Fraud is currently not considered in ATT&CK matrices.
- Starting from 5G, support for a new class of devices has been added, namely massive cellular IoT devices. The current ATT&CK matrix covers threats towards smartphones, whose security and behavior are totally different from those of IoT devices.
- By regulation and for legacy support, new generations of mobile networks must interoperate with older generations. Hence, attacks in older mobile generations may propagate into newer ones. Modelling adversary behavior on a specific generation, for example 5G, would only capture a subset of all potential threat scenarios, making the models of limited benefit. The adversaries don’t limit their techniques to a certain mobile generation; they use whatever means are available to achieve their goals – be it 2G/3G protocol abuse or malware in the OS.
- The telecom landscape is also evolving, supporting vertical businesses, which also brings new types of threats from the interaction of IT/OT with mobile technologies.
The need for a new and adequate threat modelling framework has been discussed in the telecom community, and a few players have published their ATT&CK-based proposals, such as Bhadra and CONCORDIA CMTMF. While these are steps in the right direction, we note that some aspects listed above are only partially addressed and lack completeness. Another observation is that each of them has a different view on how to model attacks, showing that their approaches are incompatible despite the fact that they build upon the same ATT&CK foundation. In fact, correctly modelling threats is not an easy task, which is the reason why MITRE provides guidelines on how to develop modelling frameworks and how to add or extend tactics and (sub)techniques. A commonly agreed telecom threat modelling framework would prevent modelling fragmentation and make the cyber threat intelligence process run efficiently.
From a strategic standpoint, there are other aspects to consider. The telecom industry is converging with IT technology by using Linux, virtualization, containers, and cloud technologies. Adversaries are increasingly using the same ATT&CK techniques in mobile networks as in enterprise networks. The vast knowledge base of documented ATT&CK detections and mitigations is also used by organizations to build up defenses. Therefore, it is equally important to make the telecom framework design compatible with the existing ATT&CK matrices in order to leverage them.
Want to know more?
Read more about the ATT&CK modelling framework’s design and philosophy to gain a better understanding of the motivation behind the framework and how to use it.
Read Ericsson’s 5G network security guide to get a better understanding of the telecom security aspect in 5G networks.
Take a look at the GSMA Mobile Telecommunications Security Landscape report for a broader overview of cybersecurity in mobile networks.
Visit Ericsson’s future network security page for more about our security research.