2019 S&T Cybersecurity and Innovation Showcase · Detecting NIDEs in Next Generation (NG)9-1-1...


Post on 01-Oct-2020

TRANSCRIPT

Page 1: 2019 S&T Cybersecurity and Innovation Showcase · Detecting NIDEs in Next Generation (NG)9-1-1 and Other Communication Networks ... 2019. 2. Funded Contract Information . This material

Solutions Now | Innovations for the Future

2019 S&T Cybersecurity and Innovation Showcase

Page 2:

Detecting NIDEs in Next Generation (NG)9-1-1 and Other Communication Networks

Mark Collier | SecureLogix Corporation
March 18, 2019

Page 3:

Funded Contract Information

This material is based on research sponsored by the Department of Homeland Security, Science and Technology Directorate via contract number 70RSAT18C00000011.

No Endorsement Notification

Any reference to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the Department of Homeland Security or the United States Government.

Hyperlinked Web sites do not constitute endorsement by DHS of the Web site or the information, products, or services contained therein. DHS does not exercise any editorial control over materials on this website or the information on non-DHS Web sites.

Disclaimer Notification

The views, opinions, findings, conclusions, or recommendations expressed in this video are those of the authors and do not necessarily reflect the official policy or position of the Department of Homeland Security (DHS) or the United States Government. The publication of these views by DHS does not confer any individual rights or cause of action against the United States. Users of information in the materials assume all liability from such use.

Page 4:

Team Profile

- Mark Collier – CTO – Principal Investigator
- Kelly Minyard – SVP Sales – Transition
- Dr. Nisar Hundewale – Chief Scientist – Machine Learning
- Mark O’Brien – Senior Developer – Software Development
- Dr. Waleed Haddad – Chief Scientist – Detection algorithms
- Chris Duxler – West/ECaTS – Data/ECaTS dashboard

Page 5:

Customer Need

[Diagram labels: Financial Account Take Over (ATO); Other Harassing Call Patterns; Call floods that crowd-out legitimate calls; Automated telemarketing calls & spam; Targeted social engineering; Authenticate Financial CC Calls; Harassing Calls]

Page 6:

Customer Need

Telephony Denial of Service (TDoS) attack against D.C. 9-1-1:
- About 6,000 calls
- All from the same source number
- Recorded calls with bible verses

TDoS attacks against multiple counties in D.C. area:
- Targeted the administrative phones and police department
- About 6,300 calls in one case
- Calls were dead air, recorded message, or Arabic language
- Used non-local, but valid, spoofed source numbers

Page 7:

Customer Need

Page 8:

Approach – Leverage Work to Date

- PolicyGuru solution improvements
- TDoS detection improvements
- Unique NG9-1-1 improvements
- Information from existing pilots
- Continue the existing pilots
- Integrate Call Authentication Service (CAS)

Page 9:

Approach – Define NIDE Taxonomy

NIDE == Network Internet Disruptive Event (NIDE)

- Intentional TDoS
- Inadvertent TDoS (robocalls, faxes, call pumping)
- Pool, elevator, or other phone issue
- Persistent harassing caller
- Cellular jamming (impact to 9-1-1)
- Service provider issues and loss of key data
- Text and video

Page 10:

Approach – NIDE Detection

- Develop machine learning models
- Augment existing Call Authentication Service (CAS)
- Integrate with existing PolicyGuru solution
- Use West/ECaTS dashboard for visualization
- Develop interface for communication of events
- Ideally integrate into West NG9-1-1 offering
- Ideally integrate into EC3 concept

Page 11:

Approach – Architecture

[Architecture diagram labels: Service Provider; Call Handling System; SIP Trunk; SBC; Network Tap; ENUM; ENUM Appliance; SIP/RTP Probe; Visualization; Call Authentication And NIDE Detection Service; Mediation Server; ESRP; NG9-1-1 ESINet; AWS; PSAP/NCCIC]

Page 12:

Benefits

- Will result in a solution that protects NG9-1-1 from NIDEs
- Will distinguish between NIDEs and legitimate events
- Usable by metro area NG9-1-1 centers
- Usable by National Cybersecurity & Communications Integration Center (NCCIC)
- Used by the Emergency Communications Cybersecurity Center (EC3)
- Will apply to any communication system
- Possibly extend to legacy systems and text/video

Page 13:

Competition/Alternatives

Competitors offer less comprehensive solutions:
- Much less robust detection (spoofing for example)

Some service providers have limited offerings:
- AT&T and Verizon resell SecureLogix solutions

Ribbon Communications:
- We partner with Cisco and Oracle

- Some very small competitors
- Comtech, Motorola, others

Page 14:

Current Status

- Defined NIDEs
- Designed solution architecture
- Developing prototype and deploying at pilots:
  - Defined visualization screens
  - Started implementation of machine learning detection
- Working with pilot partners
- Working with Office of Emergency Communications (OEC) on EC3

Page 15:

Current Status

[Diagram labels: NG9-1-1; Verizon XHeaders; TRUSTID; Blacklists; NewTech; STIR/SHAKEN; Patterns; Numbers; Verizon API; Government, DoD, DHS; TDoS Engine; Scam Engine; Call Authentication Service; Machine Learning Core]

Page 16:

Current Status

Page 17:

Transition/Completion Activities

- Solution deployed at two pilot partners
- Solution deployed at several counties in D.C. area
- Interest from multiple NG9-1-1 systems
- Working to integrate solution into AT&T and West offerings
- Working to integrate solution with EC3
- CAS useful in any voice environment

Page 18:

Lessons Learned

9-1-1 systems are very vulnerable to TDoS:
- Primary threat is through mobile calls (80% of calls)
- Possible to generate attacks through SIP and NSI phones
- Other types of annoying attacks

Existing NG9-1-1 systems have a lot of variability:
- No real standard NG9-1-1
- Some manage ESInets, some outsource
- Must access vendor-specific systems

Page 19:

Lessons Learned

Needed data is not in SIP:
- Calling number and location

No consensus on call treatment:
- No Session Border Controllers (SBCs) to interface with
- Most likely approach is control of queues and priorities

Detection belongs in the cloud:
- Easy to change, machine learning, EC3

Visualization is critical

Page 20:

Contact Info

Mark Collier
[email protected]
(210) 863-9001
markcollier46

Page 21:

Solutions Now | Innovations for the Future

2019 S&T Cybersecurity and Innovation Showcase