RETHINK NETWORK AVAILABILITY
New Threats and Attacks in Next-Generation Mobile Networks
Near-perfect network availability is one of the most important strategic objectives for mobile network operators (MNOs) and supported by billions in network investment. But the environment has significantly changed, and MNOs are now facing new malware-based incidents that threaten network availability as well as subscriber confidentiality.

Botnet attacks have become real. The nightmare scenario of millions, if not billions, of robots or bots embedded in the internal “trusted” side of providers’ networks and controlled by a malicious actor outside of the service provider’s reach is a possibility, if no action is taken.

Malicious attacks are now as likely to come from infected mobile or IoT devices through the radio access network or roaming partners as through the internet, and the potential to trigger abnormalities in signaling and control planes is greatly increased as networks become more distributed and virtualized. This requires a significant shift in how MNOs have traditionally approached network availability and security.

Mobile network outages are costly. Most are quietly managed by diligent operations personnel to minimize the impact on subscribers, but that effort still chews up resources for troubleshooting and repair. A single publicized incident damages brand and reputation, can require compensation to subscribers, increases customer churn, and can draw in unwanted regulatory attention or even fines.

A more cost-efficient, comprehensive and effective security posture is required to sustain desired network availability against a growing number of unknown exploits and malware.

This paper discusses expanding attack vectors and proposes a new, prevention-oriented approach to mobile network security that provides application-level visibility and better equips operators to sustain network availability objectives against growing malware threats.
Palo Alto Networks | Rethink Network Availability – Mobile Service Providers | White Paper
Table of Contents
Abstract
Malware-Infected Devices – the New Threat to Network Availability
The Year of the Botnet – Volumetric Attacks From Within
Focused Denial-of-Service Attacks – Malware Threats to Critical Public Infrastructure
Exploitation of Known Vulnerabilities in an Expanded Attack Surface
The Expanded Attack Surface
Signaling Vulnerabilities
Exploitation of Network Vulnerabilities
Cybercriminal Speed and Sophistication
Effective Prevention From the Network
Rethink Network Availability
Limitations of Legacy Security Approaches
Requirements for Next-Generation Security
Prevent Successful Breaches
About Palo Alto Networks
Malware-Infected Devices – the New Threat to Network Availability
Cyberthreats have become increasingly sophisticated over time, with attackers perfecting the techniques used
to attract victims and using multiple application types to maximize their financial gains or inflict damage on
network availability. Malware is the preferred tool for cybercriminals and is a part of the event chain in virtually every cybersecurity incident. With malware installed on millions of smart devices and connected “things,”
cybercriminals can launch attacks against subscribers and signaling or other infrastructure.
Where previously mobile network operators (MNOs) viewed attacks as coming from the “outside” (i.e., the
internet), now threats can also be generated from the “inside” – from infected subscriber mobile devices or
any connected “thing” – all located on the trusted side of providers’ networks. With this added “inside” threat
from malware-infected smart devices, subscribers and mobile network operators are more vulnerable to
volumetric botnet attacks, focused denial-of-service attacks, and more sophisticated manipulation of existing
network vulnerabilities. These threats are described in the sections that follow.
The Year of the Botnet – Volumetric Attacks From Within
In October 2016, a botnet of connected things strung together by the Mirai malware launched a distributed
denial-of-service attack against the DNS service provider Dyn, causing internet service outages of many
high-profile enterprise accounts.1 About a month later, the same malware took a different and more evolved
tactic by targeting a specific vulnerability in a management interface present in routers used by almost a million customers of a tier 1 European mobile operator, with the goal of infecting the devices and making them
part of a Mirai botnet. The infection attempts failed but nevertheless caused the routers to crash.2 These two
events signal a significant shift in the threat vector targeting MNO networks and demonstrate the persistence
and rapid adaptability of cybercriminals and the negative impact possible to mobile networks.
Attackers can rapidly infect large numbers of lightly protected smart, mobile devices and IoT devices, and
leverage them as botnets – threatening both the mobile infrastructure and the subscriber or enterprise customer.
Bots are often embedded in those mobile and IoT devices without users or “things” even being aware of them.
The devices are redirected into malicious websites, and then malware is loaded. Bot activations are then typically
controlled by a hacker who is located outside of the provider’s network. In the case of the Dyn/Mirai attack, the
attacker drew from over 550,000 infected nodes, including connected home DVRs, IP-enabled cameras, home
networking gear, and other connected devices that had default or weak credentials and were easily compromised.
Dark Reading predicted that 2016 would be “the year that attackers make a concerted effort to turn the
Internet of Things (IoT) into the Botnet of Things.” With the success of the Dyn/Mirai attack, that prediction
seems to be coming true.
Attackers will target devices that are largely unprotected, powerful enough, well-connected, and largely ignored. IoT devices are perfect candidates. Most mobile devices also have little or no security software installed
and are easy targets for malicious attacks or botnet recruitment. Further, most mobile devices have mobile
apps installed, most of which are insecure, increasing the devices’ vulnerabilities even more.
Focused Denial-of-Service Attacks – Malware Threats to Critical Public Infrastructure
The Mirai attack described earlier depended upon a broad base of botnet devices. However, attackers can
also be successful in creating significant disruption in service by infecting small numbers of end devices and
selectively targeting critical infrastructure.
For example, researchers have demonstrated that malware attacks focused on specific 911 centers can
severely impair the availability of critical emergency services with infection rates of only 0.081 percent of
the population.3 In their model, the malware caused the infected devices to generate “false” calls to the 911
center, but they either hung up or kept silent after the call was answered. In the 911 guidelines, if there is no
response, the call agent is required to call back and solicit the help of emergency services. The added “false”
call volume requires a longer response time, ties up call center resources, and can effectively make the service
unavailable for other genuine emergency calls. Figure 1 describes the model assumptions and shows the
corresponding waiting time for emergency calls when the call arrival rate increases. When the call arrival rate
is larger than 18.65 calls per minute, the call waiting time is more than 20 minutes on average, which is not
acceptable for emergencies. This makes the 911 service practically unavailable to the public.
1. Source: Threatpost, October 22, 2016
2. Dark Reading, Hacker 2016 To-Do List: Botnet All The Things!, January 5, 2016
3. Exploitation and Threat Analysis of Open Mobile Devices, Lei Liu, Xinwen Zhang, Songqing Chen, Guanhua Yan
Illustrative Example – Malware-Infected Devices Create Denial of Service for 911 Services
Model Assumptions
Population in Region = 7 million
◦◦ Generates 3M calls/hour (incoming + outgoing)
◦◦ 8.1% of calls made by Linux® OS mobile devices
◦◦ 1% of Linux devices are infected
◦◦ 0.081% of population have infected devices (8.1% x 1%)
911 Call Center
◦◦ Receives 90 calls per hour (wireline, mobile, VoIP)
◦◦ Infected devices make 19.8 false calls/min.
◦◦ 3M x 8.1% x 1% / 2 / 60 seconds = 19.8/min.
[Chart: 911 Emergency Center – Call Wait Time vs. Call Arrival Rate. X-axis: Call Arrival Rate (calls per min), 0 to 18.65; Y-axis: Emergency Call Wait Time (min), 0 to 20. Annotation: when call volume exceeds 18.65 calls/minute, emergency services are effectively unavailable.]
Figure 1: A small percentage of malware-infected smartphones could deny service for critical emergency services
This example illustrates the importance of preventing malware infestation in order to protect critical infrastructure
availability and how even small infection rates can be leveraged by clever cybercriminals for high, negative impact.
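The Figure 1 model carried through as an added example (not code from the paper or from its cited study): the false-call rate is the figure's own arithmetic, while the call center's capacity, 19 agents with a one-minute mean handling time in an M/M/c queue, is an assumption introduced here because the paper does not state what produces the 18.65 calls/minute knee.

```python
"""Worked version of the Figure 1 model: false-call load generated by a small infected
population, and the queueing delay that load causes at a 911 center."""
import math

# Model assumptions stated in Figure 1 of the paper.
CALLS_PER_HOUR = 3_000_000     # calls generated by the region per hour
LINUX_SHARE = 0.081            # fraction of calls made by Linux-based mobile devices
INFECTED_SHARE = 0.01          # fraction of those devices that are infected
PAGE_THRESHOLD = 18.65         # calls/min above which the paper says 911 is unusable

# Assumptions added for this example (NOT in the paper): call-center capacity.
AGENTS = 19                    # concurrent call takers
MEAN_HANDLE_MIN = 1.0          # mean minutes per call, including the mandated call-back


def false_calls_per_min(calls_per_hour=CALLS_PER_HOUR, linux_share=LINUX_SHARE,
                        infected_share=INFECTED_SHARE):
    """Figure 1 arithmetic: 3M x 8.1% x 1% / 2 / 60. The paper rounds this to 19.8/min;
    the expression as written evaluates to 20.25/min."""
    return calls_per_hour * linux_share * infected_share / 2 / 60


def erlang_c(arrival, agents, mean_handle):
    """Probability that an arriving call has to wait in an M/M/c queue (Erlang C)."""
    a = arrival * mean_handle          # offered load in Erlangs
    if a >= agents:
        return 1.0                     # unstable: the queue grows without bound
    rho = a / agents
    series = sum(a ** k / math.factorial(k) for k in range(agents))
    tail = a ** agents / (math.factorial(agents) * (1 - rho))
    return tail / (series + tail)


def mean_wait_min(arrival, agents=AGENTS, mean_handle=MEAN_HANDLE_MIN):
    """Mean queueing delay in minutes; infinite once offered load reaches capacity."""
    a = arrival * mean_handle
    if a >= agents:
        return math.inf
    return erlang_c(arrival, agents, mean_handle) * mean_handle / (agents - a)


def wait_curve(rates, agents=AGENTS, mean_handle=MEAN_HANDLE_MIN):
    """(arrival rate, mean wait) pairs: the shape of the curve plotted in Figure 1."""
    return [(r, mean_wait_min(r, agents, mean_handle)) for r in rates]


if __name__ == "__main__":
    print(f"false calls/min from infected devices: {false_calls_per_min():.2f}")
    for rate, wait in wait_curve([5, 10, 15, 18, PAGE_THRESHOLD, false_calls_per_min()]):
        print(f"arrival {rate:6.2f}/min -> mean wait {wait:8.2f} min")
```

With the assumed capacity, the false-call load alone (about 20 calls/minute) exceeds what the center can serve, so genuine calls queue indefinitely.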
Exploitation of Known Vulnerabilities in an Expanded Attack Surface
Sophisticated bad actors can inject new types of malware into an ever-growing volume of traffic distribution points to
attack both the mobile network and the subscriber and then quickly morph and spread to avoid control and detection.
The Expanded Attack Surface
With increased IoT device connections, small-cell deployment, converged access (e.g., fixed, mobile, Wi-Fi), public
and private cloud, and shared mobile infrastructure, the attack surface available on service provider networks has
expanded. The evolution from 4G to 5G and virtual networks (NFV/SDN) will continue to shift the distribution of
traffic across multiple network environments. Core network functions, content and applications may be located
closer to the RAN or distributed across multiple virtual machines or data centers. Traffic between roaming
partners is also growing exponentially – tripling year-on-year – illustrating a growing demand for high-speed data.
[Figure 2 diagram: the Trusted Domain (mobile users, devices and applications; shared RAN; Packet Core (EPC), protected by strong authentication and authorization) is bordered by untrusted domains: the Internet and social applications, IPX/roaming interconnects, and the shared RAN itself, labeled “Untrusted Domains?”.]
Figure 2: The rapidly expanding attack surface in mobile networks requires full visibility
Thus, the seamless interconnection of service provider networks, so valued by subscribers, also provides
more potential entry points for malicious actors to spread infection or other malicious activities quickly
across multiple networks.
Signaling Vulnerabilities
The mobile network is vulnerable to denial-of-service attacks, particularly when directed at its signaling
infrastructure.
All network elements that process signaling and control traffic (e.g., MME, SGW, HSS, eNodeB, P-GW, GGSN)
are configured for a certain maximum processing capacity (transactions per second/messages per second). As
that capacity is reached, the element will either falter or cease to function altogether. This effectively denies or
impairs services to all other legitimate traffic.
In LTE networks, signaling attacks take advantage of the signaling overhead required to set up and tear down
dedicated radio bearers, upon initial network attachment with the user equipment (UE). This is illustrated in
Figure 3.
Signaling Messages Required for a Single Bearer Activation Request (between UE, eNodeB, MME, SGW, PGW and PCRF)
1. PCRF Initiated IP-CAN Session Modification, begin
2. Create Dedicated Bearer Request
3. Create Dedicated Bearer Request
4. Bearer Setup Request/Session Management Request
5. RRC Connection Reconfiguration
6. RRC Connection Reconfiguration Complete
7. Bearer Setup Response
8. Direct Transfer
9. Session Management Response
10. Create Dedicated Bearer Response
11. Create Dedicated Bearer Response
12. PCRF initiated IP-CAN Session Modification, end
576 Signaling Messages per Minute per Device
How it Works
• Upon initial network attachment, each UE will be assigned a default bearer that remains active throughout the UE’s presence in the Radio Resource Control (RRC) connected state.
• One request from a UE generates 12 messages to attach and another 12 to detach.
• One UE can establish up to eight different data bearers simultaneously.
• Within each 20 second automatic timeout, a single device can cause 192 messages, or 576 messages per minute (8 x 12 x 2 x 3).
Figure 3: Signaling attacks take advantage of the signaling overhead required to set up and tear down dedicated radio bearers4
Thus, just as in the 911 example, a relatively small number of infected devices, when focused on a cell area of
the network, can cause service degradation or denial to subscribers in that area. A broader attack with a much
larger quantity of infected devices can bring down core network and deny service to the entire network.
Exploitation of Network Vulnerabilities
The known architectural vulnerabilities of 3G and 4G networks have been identified and analyzed by multiple
industry and standards groups. In addition to vulnerabilities to overload in signaling, control and data plane
traffic, mobile networks are vulnerable to session and packet abnormalities, all of which can cause network
failure or degradation. While these conditions can also be created by non-malicious actions (such as maintenance activities, poorly designed mobile applications, or local outages), sophisticated cybercriminals are learning
to exploit protocol and interface vulnerabilities for their own malicious objectives.
4. “Signaling Oriented Denial of Service on LTE Networks”, Department of Electrical and Computer Engineering, American University of Beirut
A number of malicious attack types have been observed in live networks and/or identified by industry as possible.
These are summarized below.
Network vulnerabilities have also been manipulated to allow unbilled and unauthorized services, and for data
exfiltration from subscriber devices, often using infected devices as unwitting accomplices.
Attacks Allowing Unauthorized Access
DNS Tunneling: Attackers use protocols, such as HTTP within DNS, to pass IP traffic that eludes or circumvents service provider billing mechanisms (e.g., premium Wi-Fi), steal personal information from infected mobile devices, or download malicious code.
Silent SMS: Attackers embed malware into mobile devices, which would trigger the impacted mobile device into the use of premium services. This happens “silently,” without customers’ awareness of the situation, and results in customer overbilling and bad experiences.
Overbilling Attacks: An attacker, using a mobile device, creates a data session to initiate a UDP request to a server and then terminates the PDP context (hence releasing the dynamic IP address back to the pool). Subsequently, another user may create a PDP context and obtain the IP address once allocated to the attacker. The victim will then receive the response from the server, and be billed for it, even though he/she has never requested the data.5
Proxy Applications: There are a number of proxy applications that hide access to blocked websites anonymously. Those include, but are not limited to, Glype-proxy and PHProxy. Should a service provider be regulated to block access to some websites, these proxy applications would aid in breaking the governmental regulations.
Table 1: Summary of malicious attacks that can impact mobile network availability and subscriber experience – service bypass
GTP-Based Attacks
GPRS6 Tunneling Protocol (GTP) is a tunneling protocol responsible for control and data planes in 3G and 4G networks. The following possible attacks have been identified by researchers studying GTP vulnerabilities:7
GTP scanning: Sends echo messages to scan network elements and can cause information leakage on 4G mobile networks, as GTP echo/request can reveal the identity of network components.
Create Session Request: Consists of repetitive session-creation requests, causing resource exhaustion due to an abnormal use of GTP session-creation request messages to set resources during the initial attack.
Abnormal GTP packet: Can result in GTP fuzzing on a 4G mobile network and the malfunction of GTP components after receiving abnormal GTP messages.
Voice phishing: May be performed by the tampering of the SIP protocol.
Infrastructure: An insider can modify its own IP address and connect to the core network components and target other mobile devices by encapsulating GTP attack packets.
DDoS: Hidden inside the GTP user plane. Typically, this occurs when mobile users’ devices are infected with bots.
S1-AP and Diameter Attacks: These are signaling plane flood attacks, where an abnormally high number of signaling requests are sent from either one or more mobile devices.
Table 2: Summary of malicious attacks that can impact mobile network availability – GTP, S1-AP/Diameter
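The kind of per-source signaling throttle the paper later calls “Prevention #3”, written here as an added example (not code from the paper or any vendor product) against the bearer-activation storm of Figure 3 and the GTP echo-scan and Create Session Request rows of Table 2. The events, source names, addresses and thresholds are all constructed for the example.

```python
"""Per-source signalling throttle applied to Figure 3's bearer-activation storm and to the
GTP-C flood and echo-scan rows of Table 2. Sample traffic is constructed for this example;
the thresholds are illustrative values, not vendor defaults."""
from collections import defaultdict

MSGS_PER_BEARER_ACTIVATION = 12   # Figure 3: messages per dedicated bearer activation
ATTACK_RATE_PER_MIN = 576         # Figure 3: messages per minute one abusive UE can generate


class TokenBucket:
    """Classic token bucket: `rate_per_sec` sustained, `burst` tokens of slack."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class SignalingGuard:
    """Throttles control-plane messages per (source, message type) and raises an alert
    when one source sends GTP echo requests to many distinct core addresses."""

    def __init__(self, rate_per_min=120, burst=24, scan_targets=5):
        self.rate_per_sec = rate_per_min / 60
        self.burst = burst
        self.scan_targets = scan_targets
        self.buckets = {}
        self.dropped = defaultdict(int)
        self.echo_targets = defaultdict(set)
        self.alerts = []

    def handle(self, now, src, msg_type, dst=None):
        """Return True to forward the message, False if it is throttled."""
        if msg_type == "EchoRequest" and dst is not None:
            self.echo_targets[src].add(dst)
            if len(self.echo_targets[src]) == self.scan_targets:
                self.alerts.append(f"gtp-scan src={src} distinct-targets={self.scan_targets}")
        key = (src, msg_type)
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate_per_sec, self.burst))
        if bucket.allow(now):
            return True
        self.dropped[key] += 1
        if self.dropped[key] == 1:
            self.alerts.append(f"throttle src={src} type={msg_type}")
        return False


def constructed_events():
    """Constructed one-minute sample as (time_s, source, message type, destination)."""
    events = []
    # A well-behaved UE: one bearer activation at t=0 and another at t=30.
    for start in (0.0, 30.0):
        for i in range(MSGS_PER_BEARER_ACTIVATION):
            events.append((start + i * 0.05, "ue-normal", "CreateDedicatedBearerRequest", None))
    # An infected UE driving bearer setup/teardown at the Figure 3 rate, evenly spread.
    for i in range(ATTACK_RATE_PER_MIN):
        events.append((i * 60 / ATTACK_RATE_PER_MIN, "ue-bot", "CreateDedicatedBearerRequest", None))
    # GTP-C Create Session Request flood from one peer address (Table 2, second row).
    for i in range(300):
        events.append((i * 0.2, "10.0.0.9", "CreateSessionRequest", None))
    # GTP echo requests from the same peer to eight core addresses (Table 2, first row).
    for i in range(8):
        events.append((float(i), "10.0.0.9", "EchoRequest", f"10.1.0.{i}"))
    return sorted(events, key=lambda e: e[0])


def run(events=None, guard=None):
    """Feed events through the guard; return (guard, forwarded counts per (source, type))."""
    guard = guard or SignalingGuard()
    forwarded = defaultdict(int)
    for now, src, msg_type, dst in (events if events is not None else constructed_events()):
        if guard.handle(now, src, msg_type, dst):
            forwarded[(src, msg_type)] += 1
    return guard, dict(forwarded)


if __name__ == "__main__":
    g, fwd = run()
    for key in sorted(set(fwd) | set(g.dropped)):
        print(f"{key[0]:>10} {key[1]:<28} forwarded={fwd.get(key, 0):4d} dropped={g.dropped.get(key, 0):4d}")
    print("\n".join(g.alerts))
```

The normal UE's 24 messages all pass, while the infected UE and the flooding peer are held to roughly the sustained rate and the echo sweep is flagged after five distinct targets.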
5. Sans Institute, “Securing the GPRS Network Infrastructure – a Network Operator’s Perspective”
6. From the control plane perspective, GTP manages sessions and the necessary resources within LTE core network elements. From the
user plane perspective, it is used to transfer data through in the 3G and 4G networks and assign IP or manage the network resources.
7. IEEE, “Survey of Threats and Attacks on Mobile Networks,” August 18, 2016
In all cases, the prevention of an IoT attack, or other malware-enabled attack earlier in the infection cycle, would
be more effective than trying to manage protection after the attack has started.
The speed with which cybercriminals can leverage technology and use off-the-shelf malware tools to morph and
change and avoid detection allows them to evade most legacy (L2/L3) security solutions. This makes malware
infection an especially dangerous threat to mobile network availability.
Cybercriminal Speed and Sophistication
Threat actors can and will utilize any potential attack vector they can, with no regard for morality. They will prey on
subscribers’ natural curiosity and emotions to easily gain access to a system or to lure them into opening a potentially malicious email attachment or malicious site. Detecting and preventing the spread of unknown malware is a
big challenge. Armed with off-the-shelf tools, attackers can quickly morph to avoid detection by defined signature
firewalls. One instance of malware can spread to over 45,000 instances in just 30 minutes, if left unchecked.
For example, Palo Alto Networks® examined several world events for evidence of weaponization and found that,
generally, any given world event widely reported in news outlets was found to be weaponized within six hours on
average, several even within three hours, as depicted in Figure 4. In these examples, cybercriminals used headlines
from widely read news publications to embed malicious attachments or draw victims to malicious domains.
[Figure 4 chart: time-to-weaponization on a 0 to 24 hour scale with marks at 3h, 4h, 6h, 12h and 24h; events plotted: ISIS Tunisia, Germanwings crash, Ferguson police shooting; the average weaponization time is marked.]
Figure 4: Cybercriminals can weaponize world events in as few as three hours8
Effective Prevention From the Network
Prevention is always more effective than mitigation. Once an attack has begun, it may be nearly impossible to fight
it. In the Dyn/Mirai attack, traffic attack rates were estimated up to 1.2 Tbps – 40–50 times higher than normal. The
service provider applied many mitigation tactics, but many customers, including Amazon®, PayPal® and Twitter, suffered severe service degradation. If the installation of the malware could have been prevented or the command and
control mechanism blocked, attacks like this could be stopped. The ability to see application-layer malicious traffic
plays an important role in preventing their success. How this could be applied is described in the figure that follows.
Figure 5 shows a representative infection cycle leading up to a malware-induced DDoS attack.
[Figure 5 diagram: infection cycle spanning the Radio Access Network, the Evolved Packet Core and the Internet, where the Command and Control (C&C) server sits.]
STEP 1: Malicious message or link sent and received, and malware installed.
PREVENTION #1: Application layer inspection could identify the malicious attachment or link and block it.
STEP 2: C&C established.
PREVENTION #2: Deep packet inspection of packets and protocols through the mobile network could flag or block the activity.
STEP 3: Malicious traffic generated.
PREVENTION #3: Signaling protection blocks or throttles excessive messages.
Figure 5: Application-layer inspection can prevent successful malware-initiated DDoS attacks
8. Palo Alto Networks Unit 42, Application Usage and Threat Report, October 2015
• In Step 1, with application-layer inspection, this malicious message (attachment or link) would have been
flagged as malicious and could have been blocked at the internet interface to the mobile core before it could
even have been loaded into its targeted end device, thereby resulting in the prevention of malware being
embedded into UEs.
• With the correlation of traffic to device, the specific device could have been identified and malicious
traffic, potentially blocked or at least identified as infected for future remediation.
• In Step 2, packet anomalies or attempts to access malicious domains could also be identified and the
C&C channel disrupted.
• Finally, in Step 3, the cybercriminal C&C center initiates the DDoS attacks and causes the infected devices
to send malicious traffic.
As shown in Figure 5, the impact of the attack can sometimes be minimized by throttling or blocking excessive
or malicious traffic once the attack has been initiated (Step 3). But that would not have been necessary if the
malicious invitation had been blocked in Step 1.
When the MNO has full visibility into the traffic, there are multiple interface points in the network where the
attack can be prevented or minimized.
Rethink Network Availability
There is no value in providing faster processing of malware-infected traffic.
Without the ability to quickly prevent breaches from new, evolved malware, high-performance solutions simply
serve as speedy delivery vehicles. The growing sophistication and speed of cyberattacks requires equally
sophisticated and comprehensive response and prevention techniques.
Network availability targets have been achieved by deploying high throughput and low-latency network
elements, including security appliances. However, with the exponential speed of malware spread, stronger focus
needs to be placed on effective prevention requirements.
Network and service availability remains high in MNO priorities, and any incident sends mobile operators
scurrying to apply a quick set of solutions as any incident can become highly publicized and bring negative
consequences to the operator. This reactive response may relieve the immediate pain point, but it results in a set
of uncorrelated security mechanisms and an unsustainable need to increase manual intervention over time, with
volumes of unknown attacks outpacing their ability to stay ahead.
Limitations of Legacy Security Approaches
Legacy network security solutions do not provide the rapid response or deeper application visibility that is now
required to be effective against rapidly evolving threats.
Legacy security approaches focus on mitigation by blocking known threats on the most commonly used ports
(Layer 4) and protocols (Layer 3) and incrementally adding single-purpose devices, blades, or functions to
address new vulnerabilities after they arise. This serial approach adds considerable operational complexity and
requires continued manual correlation forensics and cost.
MNOs require a comprehensive security posture that will prevent attacks and protect the signaling, control
plane, data plane and bearer infrastructure from both known network vulnerabilities and unknown, malicious
attacks throughout the network transformations that are taking place simultaneously.
Requirements for Next-Generation Security
MNOs require an approach that ultimately will reduce the expanding attack surface area affecting both their
networks and their mobile users. This approach must comprise a comprehensive, automated and integrated
platform that prevents both known and unknown threats:
• Complete application-layer visibility: Simply put, you cannot prevent what you cannot see. In order to
prevent security breaches and attacks in a 4G/5G world, MNOs must establish visibility in all environments (network, cloud and endpoints), especially at the application layer.
• Contextual analysis of all traffic: In order to employ the right security measures that will prevent
threats, MNOs need to ensure that all traffic can be analyzed contextually – by application, by user
and by content type.
• Establish a consistent security posture: The same level of security efficacy needs to be established across
all points in the network for all users in all locations. Those include RAN/EPC and roaming boundaries,
and SGi interfaces.
• Predictable performance: MNOs need to be able to increase their overall security efficacy without experiencing any degradation in performance.
• Integrated and automated: MNOs need to leverage global threat intelligence, real-time analysis, and contextual insights into threats – all combined with tight integration across the entire security architecture
and with a high degree of automation. The ability to correlate attack traffic to infected subscriber devices
or IoT devices is especially critical.
• Elimination of zero-day attacks: MNOs must be in a position to discover unknown malware very rapidly. This, combined with dynamic security policies and the power of threat correlation, aids in combating
the exponential growth of new malware daily.
• Consistent security with both hardware and software models (SDN and NFV): MNOs need to maintain the
same security efficacy as they migrate to virtualized and software-defined network architectures.
Prevent Successful Breaches
Mobile operators need to shift their security priorities to prevention, rather than mitigation. Successful breaches
or attacks can be prevented if application-level malware is never allowed to install or execute in the first place.
This requires constant, application-level vigilance across the entire network and automated, near-real-time
response to unknown threats.
Malware is part of the event chain in virtually every security incident. By stopping malware installation on mobile
devices, or disrupting its execution if already installed, MNOs can prevent threats to their subscribers and their
own networks.
About Palo Alto Networks
Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of service providers and organizations
worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our
game-changing security platform delivers security far superior to legacy or point products, safely enables daily
business operations, and protects an organization’s most valuable assets.
Palo Alto Networks Next-Generation Security Platform provides a comprehensive, cost-effective solution
that helps mobile operators get ahead of the tremendous leaps in cybercriminal capability and relieve multiple,
urgent mobile operator pain points.
Find out more at www.paloaltonetworks.com.
4401 Great America Parkway
Santa Clara, CA 95054
Main:+1.408.753.4000
Sales:+1.866.320.4788
Support:+1.866.898.9087
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a
registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/
company/trademarks.html. All other marks mentioned herein
may be trademarks of their respective companies. rethink-network-availability-mobile-service-providers-wp-120716