RETHINK NETWORK AVAILABILITY
New Threats and Attacks in Next-Generation Mobile Networks

Abstract

Near-perfect network availability is one of the most important strategic objectives for mobile network operators (MNOs) and is supported by billions in network investment. But the environment has changed significantly, and MNOs now face new malware-based incidents that threaten network availability as well as subscriber confidentiality. Botnet attacks have become real. The nightmare scenario of millions, if not billions, of robots or bots embedded in the internal “trusted” side of providers’ networks and controlled by a malicious actor outside the service provider’s reach is a possibility if no action is taken. Malicious attacks are now as likely to come from infected mobile or IoT devices through the radio access network or roaming partners as through the internet, and the potential to trigger abnormalities in the signaling and control planes is greatly increased as networks become more distributed and virtualized. This requires a significant shift in how MNOs have traditionally approached network availability and security.

Mobile network outages are costly. Most are quietly managed by diligent operations personnel to minimize the impact on subscribers, but that effort still consumes resources for troubleshooting and repair. A single publicized incident damages brand and reputation, can require compensation to subscribers, increases customer churn, and can draw unwanted regulatory attention or even fines. A more cost-efficient, comprehensive and effective security posture is required to sustain desired network availability against a growing number of unknown exploits and malware.

This paper discusses expanding attack vectors and proposes a new, prevention-oriented approach to mobile network security that provides application-level visibility and better equips operators to sustain network availability objectives against growing malware threats.
Palo Alto Networks | Rethink Network Availability – Mobile Service Providers | White Paper

Table of Contents

Abstract ... 1
Malware-Infected Devices – the New Threat to Network Availability ... 3
The Year of the Botnet – Volumetric Attacks From Within ... 3
Focused Denial-of-Service Attacks – Malware Threats to Critical Public Infrastructure ... 3
Exploitation of Known Vulnerabilities in an Expanded Attack Surface ... 4
The Expanded Attack Surface ... 4
Signaling Vulnerabilities ... 5
Exploitation of Network Vulnerabilities ... 5
Cybercriminal Speed and Sophistication ... 7
Effective Prevention From the Network ... 7
Rethink Network Availability ... 8
Limitations of Legacy Security Approaches ... 8
Requirements for Next-Generation Security ... 8
Prevent Successful Breaches ... 9
About Palo Alto Networks ... 9

Malware-Infected Devices – the New Threat to Network Availability

Cyberthreats have become increasingly sophisticated over time, with attackers perfecting the techniques used to attract victims and using multiple application types to maximize their financial gains or inflict damage on network availability. Malware is the preferred tool for cybercriminals and is a part of the event chain in virtually every cybersecurity incident. With malware installed on millions of smart devices and connected “things,” cybercriminals can launch attacks against subscribers and signaling or other infrastructure. Where previously mobile network operators (MNOs) viewed attacks as coming from the “outside” (i.e., the internet), now threats can also be generated from the “inside” – from infected subscriber mobile devices or any connected “thing” – all located on the trusted side of providers’ networks.
With this added “inside” threat from malware-infected smart devices, subscribers and mobile network operators are more vulnerable to volumetric botnet attacks, focused denial-of-service attacks, and more sophisticated manipulation of existing network vulnerabilities. These threats are described in the sections that follow.

The Year of the Botnet – Volumetric Attacks From Within

In October 2016, a botnet of connected things strung together by the Mirai malware launched a distributed denial-of-service attack against the DNS service provider Dyn, causing internet service outages for many high-profile enterprise accounts. [1] About a month later, the same malware took a different and more evolved tactic by targeting a specific vulnerability in a management interface present in routers used by almost a million customers of a tier 1 European mobile operator, with the goal of infecting the devices and making them part of a Mirai botnet. The infection attempts failed but nevertheless caused the routers to crash. [2] These two events signal a significant shift in the threat vector targeting MNO networks and demonstrate the persistence and rapid adaptability of cybercriminals and the negative impact possible to mobile networks.

Attackers can rapidly infect large numbers of lightly protected smart mobile devices and IoT devices, and leverage them as botnets – threatening both the mobile infrastructure and the subscriber or enterprise customer. Bots are often embedded in those mobile and IoT devices without users or “things” even being aware of them. The devices are redirected to malicious websites, and then malware is loaded. Bot activations are then typically controlled by a hacker who is located outside of the provider’s network.
In the case of the Dyn/Mirai attack, the attacker drew from over 550,000 infected nodes, including connected home DVRs, IP-enabled cameras, home networking gear, and other connected devices that had default or weak credentials and were easily compromised. Dark Reading predicted that 2016 would be “the year that attackers make a concerted effort to turn the Internet of Things (IoT) into the Botnet of Things.” With the success of the Dyn/Mirai attack, that prediction seems to be coming true.

Attackers will target devices that are largely unprotected, powerful enough, well-connected, and largely ignored. IoT devices are perfect candidates. Most mobile devices also have little or no security software installed and are easy targets for malicious attacks or botnet recruitment. Further, most mobile devices have mobile apps installed, most of which are insecure, increasing the devices’ vulnerabilities even more.

Focused Denial-of-Service Attacks – Malware Threats to Critical Public Infrastructure

The Mirai attack described earlier depended upon a broad base of botnet devices. However, attackers can also be successful in creating significant disruption in service by infecting small numbers of end devices and selectively targeting critical infrastructure. For example, researchers have demonstrated that malware attacks focused on specific 911 centers can severely impair the availability of critical emergency services with infection rates of only 0.081 percent of the population. [4] In their model, the malware caused the infected devices to generate “false” calls to the 911 center, but they either hung up or kept silent after the call was answered. Under 911 guidelines, if there is no response, the call agent is required to call back and solicit the help of emergency services. The added “false” call volume requires a longer response time, ties up call center resources, and can effectively make the service unavailable for other genuine emergency calls.
Figure 1 describes the model assumptions and shows the corresponding waiting time for emergency calls as the call arrival rate increases. When the call arrival rate exceeds 18.65 calls per minute, the average call waiting time is more than 20 minutes, which is not acceptable for emergencies. This makes the 911 service practically unavailable to the public.

1. Source: Threatpost, October 22, 2016
2. Dark Reading, Hacker 2016 To-Do List: Botnet All The Things!, January 5, 2016
3. Exploitation and Threat Analysis of Open Mobile Devices, Lei Liu, Xinwen Zhang, Songqing Chen, Guanhua Yan

[Figure 1: A small percentage of malware-infected smartphones could deny service for critical emergency services. Illustrative example – malware-infected devices create denial of service for 911 services. Chart: 911 emergency center call wait time (min) against call arrival rate (calls per min); when call volume exceeds 18.65 calls/minute, emergency services are effectively unavailable.]

Model assumptions:
• Population in region = 7 million
  ◦ Generates 3M calls/hour (incoming + outgoing)
  ◦ 8.1% of calls made by Linux® OS mobile devices
  ◦ 1% of Linux devices are infected
  ◦ 0.081% of population have infected devices (8.1% x 1%)
• 911 call center
  ◦ Receives 90 calls per hour (wireline, mobile, VoIP)
  ◦ Infected devices make 19.8 false calls/min (3M x 8.1% x 1% / 2 / 60 seconds = 19.8/min)

This example illustrates the importance of preventing malware infestation in order to protect critical infrastructure availability, and shows how even small infection rates can be leveraged by clever cybercriminals for high negative impact.
Exploitation of Known Vulnerabilities in an Expanded Attack Surface

Sophisticated bad actors can inject new types of malware into an ever-growing volume of traffic distribution points to attack both the mobile network and the subscriber, and then quickly morph and spread to avoid control and detection.

The Expanded Attack Surface

With increased IoT device connections, small-cell deployment, converged access (e.g., fixed, mobile, Wi-Fi), public and private cloud, and shared mobile infrastructure, the attack surface available on service provider networks has expanded. The evolution from 4G to 5G and virtual networks (NFV/SDN) will continue to shift the distribution of traffic across multiple network environments. Core network functions, content and applications may be located closer to the RAN or distributed across multiple virtual machines or data centers. Traffic between roaming partners is also growing exponentially – tripling year-on-year – illustrating a growing demand for high-speed data.

[Figure 2: The rapidly expanding attack surface in mobile networks requires full visibility. Diagram: mobile users, devices and applications reach the Packet Core (EPC) over a shared RAN (untrusted domains?) with strong authentication and authorization; the EPC is the trusted domain; the internet, social applications and IPX/roaming are untrusted domains.]

Thus, the seamless interconnection of service provider networks, so valued by subscribers, also provides more potential entry points for malicious actors to spread infection or other malicious activities quickly across multiple networks.

Signaling Vulnerabilities

The mobile network is vulnerable to denial-of-service attacks, particularly when directed at its signaling infrastructure. All network elements that process signaling and control traffic (e.g., MME, SGW, HSS, eNodeB, P-GW, GGSN) are configured for a certain maximum processing capacity (transactions per second/messages per second).
As that capacity is reached, the element will either falter or cease to function altogether. This effectively denies or impairs service to all other legitimate traffic. In LTE networks, signaling attacks take advantage of the signaling overhead required to set up and tear down dedicated radio bearers once the user equipment (UE) has attached to the network. This is illustrated in Figure 3.

[Figure 3: Signaling attacks take advantage of the signaling overhead required to set up and tear down dedicated radio bearers. [4] Signaling messages required for a single bearer activation request, exchanged among UE, eNodeB, MME, SGW, PGW and PCRF:]
1. PCRF-initiated IP-CAN Session Modification, begin
2. Create Dedicated Bearer Request
3. Create Dedicated Bearer Request
4. Bearer Setup Request / Session Management Request
5. RRC Connection Reconfiguration
6. RRC Connection Reconfiguration Complete
7. Bearer Setup Response
8. Direct Transfer
9. Session Management Response
10. Create Dedicated Bearer Response
11. Create Dedicated Bearer Response
12. PCRF-initiated IP-CAN Session Modification, end

How it works – 576 signaling messages per minute per device:
• Upon initial network attachment, each UE is assigned a default bearer that remains active throughout the UE’s presence in the Radio Resource Control (RRC) connected state.
• One request from a UE generates 12 messages to attach and another 12 to detach.
• One UE can establish up to eight different data bearers simultaneously.
• Within each 20-second automatic timeout, a single device can cause 192 messages, or 576 messages per minute (8 x 12 x 2 x 3).

Thus, just as in the 911 example, a relatively small number of infected devices, when focused on a cell area of the network, can cause service degradation or denial to subscribers in that area. A broader attack with a much larger quantity of infected devices can bring down the core network and deny service to the entire network.
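The per-device arithmetic in Figure 3 also gives a defender a usable baseline: a device looping through bearer setup and teardown cannot exceed 576 control-plane messages per minute, while a legitimate handset that sets up a couple of bearers stays far below that. The following Python is an added example, not code from the white paper or from Palo Alto Networks; it reproduces the 8 x 12 x 2 x 3 calculation and runs a sliding-window per-UE message counter over a constructed signaling log. The per-UE limit of 120 messages per minute and the sample IMSI labels are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Figure 3 parameters from the white paper: 12 messages to set up a dedicated
# bearer, 12 to tear it down, up to 8 bearers per UE, 20-second timeout.
MSGS_PER_TRANSITION = 12
MAX_BEARERS = 8
TIMEOUT_S = 20


def max_signaling_per_minute(bearers=MAX_BEARERS, msgs=MSGS_PER_TRANSITION, timeout_s=TIMEOUT_S):
    """Worst-case control-plane messages one UE can force per minute (8 x 12 x 2 x 3 = 576)."""
    cycles_per_minute = 60 // timeout_s          # 3 setup/teardown cycles per minute
    return bearers * msgs * 2 * cycles_per_minute


def detect_signaling_storm(events, window_s=60, per_ue_limit=120):
    """Sliding-window per-UE counter over events sorted by time.

    events: iterable of (t_seconds, ue_id, msg_type).
    per_ue_limit is an assumed policy threshold (not from the paper): well above a busy
    legitimate UE, well below the 576/min a looping device can generate.
    Returns {ue_id: peak_messages_in_window} for every UE that crossed the limit.
    """
    windows = defaultdict(deque)
    peak = defaultdict(int)
    offenders = {}
    for t, ue, _msg_type in events:
        q = windows[ue]
        q.append(t)
        while q and q[0] <= t - window_s:     # drop messages older than the window
            q.popleft()
        peak[ue] = max(peak[ue], len(q))
        if len(q) > per_ue_limit:
            offenders[ue] = peak[ue]
    return offenders


def _bearer_cycle(t0, ue, bearers, gap):
    """Constructed sample: `bearers` setups (12 msgs each) then teardowns (12 msgs each)."""
    out, t = [], t0
    for _ in range(bearers):
        for i in range(MSGS_PER_TRANSITION):
            out.append((t, ue, f"setup-{i + 1}"))
            t += gap
        for i in range(MSGS_PER_TRANSITION):
            out.append((t, ue, f"teardown-{i + 1}"))
            t += gap
    return out


def sample_events():
    """Constructed signaling log (assumed IMSI labels): one ordinary handset and one bot."""
    ev = []
    # Legitimate UE: one bearer cycle at t=0 and another at t=30 -> 48 messages in the minute.
    ev += _bearer_cycle(0.0, "IMSI-LEGIT", 1, 0.1)
    ev += _bearer_cycle(30.0, "IMSI-LEGIT", 1, 0.1)
    # Infected UE: all 8 bearers up and down on every 20-second timeout -> 3 cycles, 576 messages.
    for cycle in range(3):
        ev += _bearer_cycle(cycle * TIMEOUT_S, "IMSI-BOT", MAX_BEARERS, 0.05)
    ev.sort(key=lambda e: e[0])
    return ev


if __name__ == "__main__":
    print("theoretical max per device:", max_signaling_per_minute())
    print("offenders:", detect_signaling_storm(sample_events()))
```

The counter is deliberately per UE rather than per cell: the paper's point is that a handful of devices in one cell area can exhaust an element, so the correlation back to the subscriber device is what turns a throughput alarm into something an operator can act on (quarantine the subscriber, throttle its bearer requests) rather than just a saturated MME.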
Exploitation of Network Vulnerabilities

The known architectural vulnerabilities of 3G and 4G networks have been identified and analyzed by multiple industry and standards groups. In addition to vulnerabilities to overload in signaling, control and data plane traffic, mobile networks are vulnerable to session and packet abnormalities, all of which can cause network failure or degradation. While these conditions can also be created by non-malicious actions (such as maintenance activities, poorly designed mobile applications, or local outages), sophisticated cybercriminals are learning to exploit protocol and interface vulnerabilities for their own malicious objectives.

4. “Signaling Oriented Denial of Service on LTE Networks”, Department of Electrical and Computer Engineering, American University of Beirut

A number of malicious attack types have been observed in live networks and/or identified by industry as possible. These are summarized below. Network vulnerabilities have also been manipulated to allow unbilled and unauthorized services, and for data exfiltration from subscriber devices, often using infected devices as unwitting accomplices.

Attacks allowing unauthorized access:
• DNS Tunneling – Attackers use protocols, such as HTTP within DNS, to pass IP traffic that eludes or circumvents service provider billing mechanisms (e.g., premium Wi-Fi), steal personal information from infected mobile devices, or download malicious code.
• Silent SMS – Attackers embed malware into mobile devices, which triggers the impacted mobile device into using premium services. This happens “silently,” without customers’ awareness of the situation, and results in customer overbilling and bad experiences.
• Overbilling Attacks – An attacker, using a mobile device, creates a data session to initiate a UDP request to a server and then terminates the PDP context (thereby releasing the dynamic IP address back to the pool). Subsequently, another user may create a PDP context and obtain the IP address once allocated to the attacker. The victim then receives the response from the server and is billed for it, even though he/she never requested the data. [5]
• Proxy Applications – There are a number of proxy applications that hide access to blocked websites anonymously. Those include, but are not limited to, Glype-proxy and PHProxy. Should a service provider be regulated to block access to some websites, these proxy applications would aid in breaking the governmental regulations.

Table 1: Summary of malicious attacks that can impact mobile network availability and subscriber experience – service bypass

GTP-Based Attacks. GPRS [6] Tunneling Protocol (GTP) is a tunneling protocol responsible for control and data planes in 3G and 4G networks. The following possible attacks have been identified by researchers studying GTP vulnerabilities: [7]
• GTP scanning – Sends echo messages to scan network elements and can cause information leakage on 4G mobile networks, as GTP echo requests can reveal the identity of network components.
• Create Session Request – Consists of repetitive session-creation requests, causing resource exhaustion due to an abnormal use of GTP session-creation request messages to set resources during the initial attack.
• Abnormal GTP packet – Can result in GTP fuzzing on the 4G mobile network and the malfunction of GTP components after receiving abnormal GTP messages.
• Voice phishing – May be performed by tampering with the SIP protocol.
• Infrastructure – An insider can modify its own IP address, connect to the core network components and target other mobile devices by encapsulating GTP attack packets.
• DDoS hidden inside the GTP user plane – Typically, this occurs when mobile users’ devices are infected with bots.
• S1-AP and Diameter Attacks – These are signaling plane flood attacks, where an abnormally high number of signaling requests are sent from one or more mobile devices.

Table 2: Summary of malicious attacks that can impact mobile network availability – GTP, S1-AP/Diameter

5. SANS Institute, “Securing the GPRS Network Infrastructure – a Network Operator’s Perspective”
6. From the control plane perspective, GTP manages sessions and the necessary resources within LTE core network elements. From the user plane perspective, it is used to transfer data through the 3G and 4G networks and to assign IP addresses or manage the network resources.
7. IEEE, “Survey of Threats and Attacks on Mobile Networks,” August 18, 2016

In all cases, preventing an IoT attack or other malware-enabled attack earlier in the infection cycle would be more effective than trying to manage protection after the attack has started. The speed with which cybercriminals can leverage technology and use off-the-shelf malware tools to morph, change and avoid detection allows them to evade most legacy (L2/L3) security solutions. This makes malware infection an especially dangerous threat to mobile network availability.

Cybercriminal Speed and Sophistication

Threat actors can and will utilize any potential attack vector they can, with no regard for morality. They will prey on subscribers’ natural curiosity and emotions to easily gain access to a system or to lure them into opening a potentially malicious email attachment or visiting a malicious site. Detecting and preventing the spread of unknown malware is a big challenge. Armed with off-the-shelf tools, attackers can quickly morph to avoid detection by signature-based firewalls.
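Returning to the GTP rows of Table 2: three of them (echo-based scanning, Create Session Request floods, abnormal packets) are addressed at the interconnect by a GTP-C border filter that admits only known peers, rejects malformed headers and bounds session-creation rate per peer. The Python below is an added example written for this page, not code from the white paper or from Palo Alto Networks. It parses the GTPv2-C header as defined in 3GPP TS 29.274 (version in the top three bits, T flag for a TEID, 16-bit length counting everything after the first four bytes, 3-byte sequence number) and applies that policy to constructed datagrams; the peer addresses, the per-peer budget of 5 requests per second and the `GtpcBorderFilter` name are assumptions for illustration.

```python
import struct
from collections import defaultdict, deque

# GTPv2-C message types from 3GPP TS 29.274; only those this filter reasons about.
ECHO_REQUEST = 1
ECHO_RESPONSE = 2
CREATE_SESSION_REQUEST = 32
CREATE_SESSION_RESPONSE = 33
DELETE_SESSION_REQUEST = 36


def build_gtpv2c(msg_type, teid=None, seq=1, payload=b""):
    """Construct a GTPv2-C PDU (test data only). Flags byte: version 2 in the top 3 bits,
    T flag (0x08) when a TEID is present. Length counts everything after the first 4 bytes."""
    t_flag = 0x08 if teid is not None else 0x00
    body = struct.pack("!I", teid) if teid is not None else b""
    body += seq.to_bytes(3, "big") + b"\x00" + payload      # 3-byte sequence number + spare
    return struct.pack("!BBH", 0x40 | t_flag, msg_type, len(body)) + body


def parse_gtpv2c_header(pkt):
    """Strict header parse; raises ValueError on anything abnormal (Table 2, 'Abnormal GTP packet')."""
    if len(pkt) < 8:
        raise ValueError("truncated header")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2:
        raise ValueError("not GTPv2")
    has_teid = bool(flags & 0x08)
    if len(pkt) < (12 if has_teid else 8):
        raise ValueError("truncated header")
    if length != len(pkt) - 4:
        raise ValueError("length field disagrees with datagram size")
    teid = struct.unpack("!I", pkt[4:8])[0] if has_teid else None
    seq_off = 8 if has_teid else 4
    seq = int.from_bytes(pkt[seq_off:seq_off + 3], "big")
    return {"type": msg_type, "teid": teid, "seq": seq, "length": length}


class GtpcBorderFilter:
    """Assumed policy for GTP-C arriving on an untrusted interconnect (e.g. IPX/roaming):
    known peers only, well-formed headers only, bounded Create Session Request rate per peer."""

    def __init__(self, trusted_peers, csr_limit, window_s=1.0):
        self.trusted = set(trusted_peers)
        self.csr_limit = csr_limit          # assumed per-peer budget; tune to contracted load
        self.window_s = window_s
        self.csr_times = defaultdict(deque)

    def decide(self, t, src_ip, pkt):
        try:
            hdr = parse_gtpv2c_header(pkt)
        except ValueError as err:
            return "DROP", f"malformed GTP-C: {err}"
        if src_ip not in self.trusted:
            # Echo-based scanning: unknown sources get no answer and learn nothing about core elements.
            return "DROP", f"unknown peer {src_ip} sent type {hdr['type']}"
        if hdr["type"] == CREATE_SESSION_REQUEST:
            q = self.csr_times[src_ip]
            q.append(t)
            while q and q[0] <= t - self.window_s:
                q.popleft()
            if len(q) > self.csr_limit:
                return "DROP", f"Create Session Request flood from {src_ip}: {len(q)} in {self.window_s}s"
        return "ALLOW", f"type {hdr['type']} from {src_ip}"


def run_sample():
    """Constructed traffic (RFC 5737 documentation addresses) exercising the three Table 2 rows."""
    f = GtpcBorderFilter(trusted_peers={"203.0.113.10"}, csr_limit=5)
    results = {}
    results["scan_from_unknown"] = f.decide(0.0, "198.51.100.7", build_gtpv2c(ECHO_REQUEST))[0]
    results["echo_from_partner"] = f.decide(0.1, "203.0.113.10", build_gtpv2c(ECHO_REQUEST))[0]
    good = build_gtpv2c(CREATE_SESSION_REQUEST, teid=0, seq=7)
    bad = good[:2] + b"\x00\xff" + good[4:]          # length field inflated beyond the datagram
    results["abnormal_packet"] = f.decide(0.2, "203.0.113.10", bad)[0]
    burst = [f.decide(1.0 + i * 0.05, "203.0.113.10",
                      build_gtpv2c(CREATE_SESSION_REQUEST, teid=0, seq=i))[0] for i in range(10)]
    results["csr_allowed"] = burst.count("ALLOW")
    results["csr_dropped"] = burst.count("DROP")
    return results


if __name__ == "__main__":
    for name, outcome in run_sample().items():
        print(f"{name}: {outcome}")
```

Dropping rather than answering unknown peers matters for the scanning row specifically: an Echo Response to an unsolicited request is exactly the information leak the table describes, so the filter never generates one.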
One instance of malware can spread to over 45,000 instances in just 30 minutes if left unchecked. For example, Palo Alto Networks® examined several world events for evidence of weaponization and found that, generally, any given world event widely reported in news outlets was weaponized within six hours on average, several even within three hours, as depicted in Figure 4. In these examples, cybercriminals used headlines from widely read news publications to embed malicious attachments or draw victims to malicious domains.

[Figure 4: Cybercriminals can weaponize world events in as few as three hours. [8] Timeline from 0 to 24 hours (ticks at 3h, 4h, 6h, 12h and 24h) marking the time to weaponization of the ISIS Tunisia attack, the Germanwings crash and the Ferguson police shooting, together with the average weaponization time.]

Effective Prevention From the Network

Prevention is always more effective than mitigation. Once an attack has begun, it may be nearly impossible to fight it. In the Dyn/Mirai attack, attack traffic rates were estimated at up to 1.2 Tbps – 40–50 times higher than normal. The service provider applied many mitigation tactics, but many customers, including Amazon®, PayPal® and Twitter, suffered severe service degradation. If the installation of the malware could have been prevented or the command-and-control mechanism blocked, attacks like this could be stopped. The ability to see application-layer malicious traffic plays an important role in preventing such attacks from succeeding. How this could be applied is described in the figure that follows. Figure 5 shows a representative infection cycle leading up to a malware-induced DDoS attack.
[Figure 5: Application-layer inspection can prevent successful malware-initiated DDoS attacks. Path: Radio Access Network → Evolved Packet Core → Internet → Command and Control (C&C).
Step 1: Malicious message or link sent and received, and malware installed.
Step 2: C&C established.
Step 3: Malicious traffic generated.
Prevention points shown: application-layer inspection could identify the malicious attachment or link and block it; deep packet inspection of packets and protocols through the mobile network could flag or block activity; signaling protection blocks or throttles excessive messages.]

8. Palo Alto Networks Unit 42, Application Usage and Threat Report, October 2015

• In Step 1, with application-layer inspection, the malicious message (attachment or link) would have been flagged as malicious and could have been blocked at the internet interface to the mobile core before it could even be loaded onto its targeted end device, thereby preventing malware from being embedded in UEs.
• With the correlation of traffic to device, the specific device could have been identified and its malicious traffic blocked, or the device at least identified as infected for future remediation.
• In Step 2, packet anomalies or attempts to access malicious domains could also be identified and the C&C channel disrupted.
• Finally, in Step 3, the cybercriminal C&C center initiates the DDoS attack and causes the infected devices to send malicious traffic.

As shown in Figure 5, the impact of the attack can sometimes be minimized by throttling or blocking excessive or malicious traffic once the attack has been initiated (Step 3). But that would not have been necessary if the malicious invitation had been blocked in Step 1.
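Step 2 of Figure 5 and the DNS Tunneling row of Table 1 describe the same observable: an infected device that reaches its C&C or moves data by encoding it into DNS query names. The following Python is an added example, not code from the white paper or from Palo Alto Networks. It groups a DNS query log by registered domain and flags domains whose subdomains look like encoded payload (long, high-entropy, almost never repeated), reporting which client addresses were involved so the finding can be correlated back to a device as the text recommends. The thresholds, the naive two-label registered-domain rule and the constructed log lines are assumptions for illustration.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character of the text; random-looking encodings score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (registered_domain, subdomain) using the last two labels as the registered domain.
    Assumed simplification: production code would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze_dns(queries, min_queries=10, min_mean_len=30, min_entropy=3.5, min_unique_ratio=0.8):
    """queries: iterable of (client_ip, qname, qtype).

    Flags registered domains whose subdomain labels are, on average, long, high-entropy and
    almost never repeated: the signature of data carried in query names rather than of lookups.
    Thresholds are assumed starting points for tuning, not values from the paper.
    """
    per_domain = defaultdict(list)
    for client, qname, qtype in queries:
        dom, sub = split_query(qname)
        per_domain[dom].append((client, sub, qtype))

    findings = {}
    for dom, rows in per_domain.items():
        if len(rows) < min_queries:
            continue
        subs = [sub for _, sub, _ in rows]
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        txt_ratio = sum(1 for _, _, q in rows if q in ("TXT", "NULL")) / len(rows)
        if mean_len >= min_mean_len and mean_ent >= min_entropy and unique_ratio >= min_unique_ratio:
            findings[dom] = {
                "queries": len(rows),
                "clients": sorted({c for c, _, _ in rows}),   # devices to correlate and remediate
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "unique_ratio": round(unique_ratio, 2),
                "txt_ratio": round(txt_ratio, 2),
            }
    return findings


def sample_queries():
    """Constructed log (not observed traffic): ordinary lookups under example.com from several
    handsets, plus one handset pushing hex-encoded chunks through labels under example.net."""
    rows = []
    for i in range(30):
        host = ["www", "mail", "api", "cdn"][i % 4] + ".example.com"
        rows.append(("10.20.0.%d" % (i % 5 + 1), host, "A"))
    for i in range(40):
        chunk = hashlib.sha256(b"chunk-%d" % i).hexdigest()[:48]   # stands in for encoded payload
        rows.append(("10.20.0.9", chunk[:24] + "." + chunk[24:] + ".example.net", "TXT"))
    return rows


if __name__ == "__main__":
    for dom, info in analyze_dns(sample_queries()).items():
        print(dom, info)
```

Requiring all three features together keeps CDN and cloud hostnames, which are long but repeated, and short randomized labels, which are high-entropy but brief, from tripping the rule; the TXT/NULL ratio is reported rather than enforced because legitimate tunnels over A records exist and a pure query-type rule is trivially avoided.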
When the MNO has full visibility into the traffic, there are multiple interface points in the network where the attack can be prevented or minimized.

Rethink Network Availability

There is no value in providing faster processing of malware-infected traffic. Without the ability to quickly prevent breaches from new, evolved malware, high-performance solutions simply serve as speedy delivery vehicles. The growing sophistication and speed of cyberattacks require equally sophisticated and comprehensive response and prevention techniques. Network availability targets have been achieved by deploying high-throughput and low-latency network elements, including security appliances. However, with the exponential speed of malware spread, stronger focus needs to be placed on effective prevention requirements.

Network and service availability remains high among MNO priorities, and any incident sends mobile operators scurrying to apply a quick set of solutions, as any incident can become highly publicized and bring negative consequences to the operator. This reactive response may relieve the immediate pain point, but it results in a set of uncorrelated security mechanisms and an unsustainable need to increase manual intervention over time, with volumes of unknown attacks outpacing the operator’s ability to stay ahead.

Limitations of Legacy Security Approaches

Legacy network security solutions do not provide the rapid response or deeper application visibility that is now required to be effective against rapidly evolving threats. Legacy security approaches focus on mitigation by blocking known threats on the most commonly used ports (Layer 4) and protocols (Layer 3) and incrementally adding single-purpose devices, blades, or functions to address new vulnerabilities after they arise. This serial approach adds considerable operational complexity and requires continued manual correlation, forensics and cost.
MNOs require a comprehensive security posture that will prevent attacks and protect the signaling, control plane, data plane and bearer infrastructure from both known network vulnerabilities and unknown, malicious attacks throughout the network transformations that are taking place simultaneously.

Requirements for Next-Generation Security

MNOs require an approach that ultimately will reduce the expanding attack surface area affecting both their networks and their mobile users. This approach must comprise a comprehensive, automated and integrated platform that prevents both known and unknown threats:

• Complete application-layer visibility: Simply put, you cannot prevent what you cannot see. In order to prevent security breaches and attacks in a 4G/5G world, MNOs must establish visibility in all environments (network, cloud and endpoints), especially at the application layer.
• Contextual analysis of all traffic: In order to employ the right security measures that will prevent threats, MNOs need to ensure that all traffic can be analyzed contextually – by application, by user and by content type.
• Establish a consistent security posture: The same level of security efficacy needs to be established across all points in the network for all users in all locations. Those include RAN/EPC and roaming boundaries, and SGi interfaces.
• Predictable performance: MNOs need to be able to increase their overall security efficacy without experiencing any degradation in performance.
• Integrated and automated: MNOs need to leverage global threat intelligence, real-time analysis, and contextual insights into threats – all combined with tight integration across the entire security architecture and with a high degree of automation. The ability to correlate attack traffic to infected subscriber devices or IoT devices is especially critical.
• Elimination of zero-day attacks: MNOs must be in a position to discover unknown malware very rapidly. This, combined with dynamic security policies and the power of threat correlation, aids in combating the exponential growth of new malware daily.
• Consistent security with both hardware and software models (SDN and NFV): MNOs need to maintain the same security efficacy as they migrate to virtualized and software-defined network architectures.

Prevent Successful Breaches

Mobile operators need to shift their security priorities to prevention rather than mitigation. Successful breaches or attacks can be prevented if application-level malware is never allowed to install or execute in the first place. This requires constant, application-level vigilance across the entire network and automated, near-real-time response to unknown threats. Malware is part of the event chain in virtually every security incident. By stopping malware installation on mobile devices, or disrupting its execution if already installed, MNOs can prevent threats to their subscribers and their own networks.

About Palo Alto Networks

Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of service providers and organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets. Palo Alto Networks Next-Generation Security Platform provides a comprehensive, cost-effective solution that helps mobile operators get ahead of the tremendous leaps in cybercriminal capability and relieve multiple, urgent mobile operator pain points. Find out more at www.paloaltonetworks.com.
4401 Great America Parkway, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. rethink-network-availability-mobile-service-providers-wp-120716