Network-Centric Security Countermeasures

We provide an overview of existing countermeasures that focus on one or more threats, and address gaps and challenges in Appendix A.2 of document D4.3. This section aims to present the status of cybersecurity solutions connecting them to identified threats and gaps. We discuss classes of countermeasures, each describing the most relevant solutions to date.

• C2.1 – Vendor Process Evaluation and Product Assurance. In addition to the secure standardized system and protocols, it is needed to have the assurance that also implementations are secure. Operators should implement effective supply-chain and procurement controls to ensure the services they operate and provide comply with security requirements and manage supply-chain threats. Industry-standard assessment programs to assure vendor products in support of the purchasing decision.
  Threats: T2.4.1 – Failures of devices or systems, T2.4.2 – Supply chain, T2.4.3 – Software bug
  Gaps: G2.1 – Gaps on security testing, on security accreditation schemes of network devices, and on the massive deployment of PSIRT program from vendors. G2.16 – security of the new Open Radio Access Network model
• C2.2 – Automated Patch Management. The adoption of automated patch management allows proactively approaching the patching process by identifying systems that are non-compliant, vulnerable, or unpatched. Using software to automate and manage the patching process can allow for faster and more efficient patch management, simplifying the process of keeping operating systems and applications up to date. The implementation of automatic scanning permits to determine which patches each system, software, or app is missing and then to send the appropriate patches to all relevant devices. Vendors should build, as much as possible, systems that permit their upgrade in a “hot” manner, reducing to the minimum the need to stop the services running on them.
  Threats: T2.3.6 – Exploitation of vulnerabilities in services and remote tools – COVID19, T2.3.4 – Remote activities (execution), T2.1.1 – Erroneous use or administration of devices and systems, T2.4.3 – Software bug
  Gaps: G2.2 – Gaps on continuous hardening & patching of IT systems
• C2.3 – Security by default. The supplier should provide network assets and functions that are securely configured by default according to state-of-the-art security configuration practices and should employ system hardening best practices. This includes restricting protocol access, removing or disabling unnecessary software, network ports, and services, removing unnecessary files, user accounts, restricting file permissions. In addition, implementing automatic network asset scanning can help in detecting deviations in system settings, and identify non-compliant devices.
  Threats: T2.1.1 – Erroneous use or administration of devices and systems, T2.3.4 -Remote activities (execution), T2.3.6 – Exploitation of vulnerabilities in services and remote tools – COVID19
  Gaps: G2.2 – Gaps on continuous hardening & patching of IT systems
• C2.4 – Adoption of defensive solutions based on AI and ML. Machine learning (ML) and AI applied to threat detection can help identify and prevent attacks. Threat actor payloads and attacks, including TTPs, are dynamic and ever-changing. A robust intelligence approach requests to process big data, indicators of compromise coupled with context information, reputational data, and additional context. Leveraging ML and AI are essential to the timely and efficient processing of data, enhancing threat detection. One possible use case involves the development of an ML/AI solution to detect a spam wave campaign underway in the wild. Common TTPs for this involve abuse of the email vector, unique cryptographic checksum hash value malware variants, and some common infrastructure if remote command and control infrastructure is used. It’s also common to target specific sectors. The manual, slow and inconsistent method relies on threat analysts examining individual tickets to attempt to quickly identify a potential threat and then informing a client or internal team of the threat. ML/AI can be used to process vast amounts of data across multiple clients and tickets in real-time, correlating those, providing granular attribution, coupled with orchestration and automation actions like auto-notify, and auto-defend actions (e.g. take an infected endpoint offline). In this context artificial intelligence or machine learning techniques can help to complement the security awareness training program in assisting to identify possible spam and phishing email, thus preventing the installation of malware that can be downloaded from malicious URL´s included in the body of email, artificially created to fool employers, or sent as attachments. Another possible application of machine learning is to detect and mitigate malware. Microsoft was able to successfully implement ML (built into Windows Defense AV) to detect and mitigate Emotet malware [1].
  Threats: T2.1.1 – Erroneous use or administration of devices and systems
  Gaps: G2.3 – Gaps on security training and awareness toward employees, G2.10 – Gaps on malware detection solution
• C2.5 – Periodic network security assessment. For an understanding of the actual state of infrastructure, security assessment needs to be performed regularly, especially after reconfiguration or the addition of network equipment. By conducting regular external and internal penetration tests it is possible to identify vulnerabilities and attack vectors that can be used to exploit network systems successfully and to evaluate the effectiveness of the security measures in place. Testing should also cover the interfaces between the network nodes part of the infrastructures, between operators and providers, and customers.
  Threats: T2.2.1 – Signaling traffic interception, T2.2.2 – Data session hijacking, T2.3.7 – Exploitation of System Administrative Tools, T2.3.8 – Exploitation of application programming interfaces (APIs), T2.4.3 – Software bug
  Gaps: G2.4 – Gaps on the massive deployment of mobile signaling firewalling solutions and anomaly detection systems specific to mobile signaling protocols, G2.6 – Gaps on best practice to increment GTP security assessment procedure and on a robust solution against Data session hijacking, G2.15 – Gaps on attack surface awareness, G2.17 – Gaps in the design of standards
• C2.6 – Monitoring & Event Analysis. Network operators sometimes ignore that their networks are exposed to external threats. By monitoring network traffic at the interconnection points they can determine the effectiveness of existing configurations, of the measures in place, and highlights vulnerabilities and risks. This is especially important each time that network equipment is added or reconfigured. Only by constantly monitoring the traffic coming into the network it is possible to detect events like BGP hijacking and to detect the BGP routes taken by network traffic and abnormal route change. Similar measures apply in the context of mobile networks. GTP Inspection and GTP Firewall are useful tools for monitoring GTP traffic and detecting potential security threats that come from the Internet. The FS.11: SS7 interconnect security monitoring guidelines document from GSMA describes how to monitor SS7 traffic for potential attacks, how to classify incoming signaling messages that arrive on the interconnection interface.
  Threats: T2.2.1 – Signaling traffic interception, T2.2.2 – Data session hijacking, T2.3.7 – Exploitation of System Administrative Tools, T2.3.8 – Exploitation of application programming interfaces (APIs)
  Gaps: G2.4 – Gaps on the massive deployment of mobile signaling firewalling solutions and anomaly detection systems specific to mobile signaling protocols, G2.6 – Gaps on best practice to increment GTP security assessment procedure and on a robust solution against Data session hijacking, G2.14 – Gaps on Defense in Depth, G2.15 – Gaps on attack surface awareness, G2.17 – Gaps in the design of standards
• C2.7 – Adoption of End-to-end security approach. Interconnect protocols have been designed without security in mind. Several solutions have been proposed to secure SS7 and Diameter but have never been adopted by the industry (MAPsec, TCAPsec, Diameter over IPsec, Diameter over SCTP/DTLS). A good approach is to implement end-to-end security solutions, providing both confidentiality and integrity to sensitive exchanges. In this case, the choice for the network operators is to establish secure bi-directional links with a small number of partners providing source authentication, integrity, and confidentiality. However, such a solution would never apply to all roaming partners. The common practice to implement interconnection is via an IPX carrier. In this scenario, operators must request to IPX carriers the adoption of security requirements.
  Threats: T2.2.1 – Signaling traffic interception
  Gaps: G2.4 – Gaps on the massive deployment of mobile signaling firewalling solutions and anomaly detection systems specific to mobile signaling protocols
• C2.8 – Adoption of Formal verification methods in the security protocol design process. Protocols must be tested for their functional correctness before they are used in practice. Application of formal methods for verification of security protocols would enhance their reliability thereby, increasing the usability of systems that employ them. Formal security verification methods and schemas should be adopted by the specification and standardization bodies, to identify and address possible security issues since the initial steps of their definition. This will result in more robust specifications of networks, reducing time and efforts in addressing security issues when the products are already in place, limiting the impact of design security weaknesses.
  Threats: T2.3.1 – Exploitation of software bugs, T2.3.8 – Exploitation of application programming interfaces (APIs)
  Gaps: G2.5 – Gaps in the standardization process to include formal security verification and security assessment/testing of new protocol/network specifications, G2.17 – Gaps in the design of standards
• C2.9 – Protection at the network or transport layer with mutual authentication. Secure protocol on network or transport layer, providing confidentiality, integrity, and replay protection like IPSEC and DTLS shall be adopted for both user and control plane particularly in the untrusted portion of the network such as access network or roaming interconnection.  Mutual authentication between network functions shall be enabled for transport protection by using protocols like TLS with X.509v3 certificates to prevent access from a fake network component. Authorization to access resources provided by network function shall be also enforced by enabling authorization mechanisms like OAuth 2.0. Protection of DNS traffic using digital signatures based on public-key cryptography (DNSSEC).
  Threats: T2.2.3 – Traffic Eavesdropping, T2.2.4 – Traffic redirection, T2.3.8 – Exploitation of application programming interfaces (APIs)
  Gaps: G2.7 – Gaps on the deployment of the robust crypto algorithm to cipher user plane traffic while minimizing performance impact and interoperability issues. G2.8 – Gaps on robust and innovative solutions to protect DNS traffic systems, G2.17 – Gaps in the design of standards
• C2.10 – Adoption of strong and secure protocols. Strong, ciphering and integrity protection algorithms shall be enabled by default to protect data from interception and modification of both user and signaling data exchanged between the user equipment and the network. Deprecated algorithms (such as TLS 1.1), but also obsolete protocol versions kept working only for legacy reasons (e.g. TLS 1.2) should not be enabled using instead industry-standard network protocols with sufficient security measures and industry-accepted algorithms.
  Threats: T2.2.3 – Traffic Eavesdropping
  Gaps: G2.7 – Gaps on the deployment of the robust crypto algorithm to cipher user plane traffic while minimizing performance impact and interoperability issues
• C2.11 – Threat Intelligence Integration and Automation. To increase SOC productivity and accelerate incident investigations SOAR (advanced orchestration, automation, and response capabilities) technologies should be adopted. These are based on three distinct technology: security orchestration and automation, security incident response platforms (SIRP), and Threat Intelligence Platforms (TIP). By adopting SOAR the SOC can rely on the standardized process for data aggregation that assists human and machine-led analysis and automates detection and response processes, allowing analysts to focus on the tasks that require deeper human analysis and intervention.
  Threats: T2.3.6 – Exploitation of vulnerabilities in services and remote tools – COVID19, T2.3.3 – Malicious code/software/activity
  Gaps: G2.13 – Gaps on the reduced capacity to perform security operations
• C2.12 – Adoption of cooperative DDoS attack detection and mitigation. A countermeasure to fight DDoS attacks is to adopt a cooperative approach across organizations and sectors through the sharing of expertise and experiences, the sharing of measurements of the properties of DDoS attacks, and information about DDoS attacks. In this direction is the initiative carried out inside CONCORDIA related to the T3.2 (Piloting a DDoS Clearing House for Europe) and T3.1 (Building a Threat Intelligence for Europe).
  Threats: T2.3.5 – Malicious code – Signaling amplification attacks
  Gaps: G2.11 – Gaps on containing amplification attacks
• C2.13 – Adoption of enhanced filtering, cross-correlation mechanisms. The complexity of network deployments related to the need to interwork with other network functions, to interoperate with the legacy network, to support different use cases and security configurations opens to potential attack paths that exploit the lack of cross-validation between the different layers.  A pure IP layer firewall or general transport layer security solution cannot provide such a holistic approach, as it does not have the understanding of the interaction of the layers, such as whether the slice identity in the actual signaling layer request matches the transport layer, or if a UE identity belongs to a slice or not. Therefore, the deployment of an IP firewall gives a false sense of security, as the controls provided by it can be bypassed on the signaling layer. Adoption of enhanced filtering and validation approach, which combines information from different layers, protocols and integrates external threat information is a necessary countermeasure to detect complex attacks. Cross-correlation of attack information maximizes the protection against sophisticated attackers and allows better mitigations and faster detection while minimizing false.
  Threats: T2.3.8 – Attacks to sliced 5G core network, T2.2.1 – Signaling traffic interception
  Gaps: G2.5 – Gaps in the standardization process to include formal security verification and security assessment/testing of new protocol/network specifications, G2.17 -Gaps on the security of network slicing
• C2.14 – Managing firmware updates and hardware. Management of firmware includes several aspects such as updating firmware, secure settings of firmware, and monitoring of firmware. Network devices should be configured to check for the existence of firmware updates at frequent intervals. Automatic firmware updates should be enabled by default assuring that the update server is secure, that the update file is transmitted via a secure connection, that it does not contain sensitive data (e.g. hardcoded credentials), that it is signed by an authorized trust entity, and encrypted using accepted encryption methods, and that the update package has its digital signature, signing certificate, and signing certificate chain, verified by the device before the update process begins.
  Threats: T2.3.2 – Manipulation of hardware and firmware
  Gaps: G2.9 – Gaps on wide adoption of integrity-protected firmware also in IoT system

---

Highlights on Identified Countermeasures

Security assurance of network components certifying that a particular product has been designed and developed with a specified level of security, according to the given standards is a requisite for deploying secure network architectures. This means that supply chain risk assessment and product testing shall be in place, ensuring that vendors offer appropriate security protection and are accountable for security lapses, especially in heterogeneous networks where there may be an increase in the number of vendors. Network deployment shall follow security best practices and guidelines in terms of activation of security features, hardening of the configuration, network segmentation and protection of internal interfaces from external access. Network monitoring solutions provide visibility of network security giving greater insight into the traffic entering the network and its behaviour. Where applicable usage of automation and machine learning shall be integrated into network operation and management processes. Internal vulnerability management procedures have to be reviewed and adapted to be more effective with aggressive timeline in patching and staying current on security updates. Although measures should be taken to mitigate the risk of 0-day vulnerabilities, patching publicly known vulnerabilities as quickly as possible significantly reduces the risk of exploitation.

---

[1] https://www.microsoft.com/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/