Posted on 19-Aug-2020

Page 1: Telecom MISP - ERNW Insight · Telecom community benefits • Sharing SMS & SPAM call numbers −Can be used to feed SMS/SS7 firewalls • Sharing information about SMS gray routes

Telecom MISP

Building a Telecom Information Sharing Platform

Alexandre De Oliveira

Page 2:

MISP history

• Actively developed and maintained by CIRCL

− Computer Incident Response Center Luxembourg

• Open Source Software - https://github.com/MISP/MISP

• A community of 750 organisations with more than 1500 users sharing and updating daily cybersecurity indicators, financial indicators or threats in both directions.

• Besides the tool itself, practices, standard formats and classifications play an important role.

Page 3:

MISP contributors

• There are many different types of users of an information sharing platform like MISP:

− Malware reversers willing to share indicators of analysis with respective colleagues.

− Security analysts searching, validating and using indicators in operational security.

− Intelligence analysts gathering information about specific adversary groups.

− Law enforcement relying on indicators to support or bootstrap their DFIR cases.

− Risk analysis teams willing to know about the new threats, likelihood and occurrences.

− Fraud analysts willing to share financial indicators to detect financial frauds.

Page 4:

MISP journey

• CIRCL and MISP are mainly financed by the Ministry of the Economy of Luxembourg

− The European Union is one of the financial contributors

− There is no business model behind CIRCL/MISP

• MISP is audited by a large number of organisations

− The code is open source, making it easier for everyone to review

− Around 15 pentests/reviews are done by external parties every year

• The MISP platform is GDPR aware − https://www.misp-project.org/compliance/gdpr/information_sharing_and_cooperation_gdpr.html

Page 5:

POST on MISP

• Using MISP for some time for IT-related threat sharing

• In summer 2017 we started to see huge call spam campaigns

− Robot calls prompting a call back to premium numbers

− Unsolicited advertisements

• Got a lot of complaints from our subscribers and the Luxembourg police

• How to share these numbers with other operators?

• We decided to publish them on

Page 6:

Telecom call fraud sharing on MISP

• Started in October 2017 to share call spam numbers with a weekly event (continuously updated)

• The blacklisted numbers detected are pushed via Splunk
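The weekly, continuously updated event described above, as an added example: this is not POST's Splunk integration and not PyMISP code. It emits plain MISP event JSON (the shape accepted by a MISP instance's `POST /events/add` and `POST /attributes/add/{event_id}` REST calls) so it runs without a MISP instance, normalises numbers to E.164, and skips duplicates so the same event can be re-pushed after every detection run. The event naming, `tlp:amber` tag, distribution level and the sample numbers are assumptions; the `phone-number` attribute type and the numeric distribution/threat-level/analysis codes are MISP's own.

```python
"""Build and incrementally update a weekly MISP event of call-spam A-numbers.

Added example, not POST's or CIRCL's code. Produces MISP event JSON without a
MISP instance; event naming, tag, distribution level and sample numbers are
assumptions.
"""
import json
import re
from datetime import date

E164 = re.compile(r"^\+[1-9][0-9]{6,14}$")   # '+' then 7..15 digits, no leading 0

DISTRIBUTION_ALL_COMMUNITIES = 3   # MISP distribution level 3
THREAT_LEVEL_LOW = 3               # MISP threat_level_id 3
ANALYSIS_ONGOING = 1               # MISP analysis 1: the weekly event keeps growing


def normalise(number):
    """Strip spaces/dashes/brackets and a '00' prefix; return E.164 or None."""
    n = re.sub(r"[\s\-().]", "", number)
    if n.startswith("00"):
        n = "+" + n[2:]
    return n if E164.match(n) else None


def new_weekly_event(day, org="POST Luxembourg"):
    """One event per ISO week, named so other operators can find the feed."""
    year, week, _ = day.isocalendar()
    return {"Event": {
        "info": f"{org} - Wangiri / call spam A-numbers - {year}-W{week:02d}",
        "date": day.isoformat(),
        "distribution": DISTRIBUTION_ALL_COMMUNITIES,
        "threat_level_id": THREAT_LEVEL_LOW,
        "analysis": ANALYSIS_ONGOING,
        "Tag": [{"name": "tlp:amber"}],          # assumed sharing marking
        "Attribute": [],
    }}


def add_numbers(event, numbers, seen_on, source="CDR analytics"):
    """Append new phone-number attributes.

    Invalid values and numbers already in the event are skipped, so a run of
    the detection pipeline can be applied to the week's event repeatedly
    (continuous updates) without creating duplicate attributes.
    Returns the list of values actually added.
    """
    attrs = event["Event"]["Attribute"]
    known = {a["value"] for a in attrs}
    added = []
    for raw in numbers:
        n = normalise(raw)
        if n is None or n in known:
            continue
        attrs.append({
            "type": "phone-number",
            "category": "Other",
            "value": n,
            "to_ids": True,   # actionable: meant for automatic blocklists
            "comment": f"call spam A-number, first seen {seen_on.isoformat()} ({source})",
        })
        known.add(n)
        added.append(n)
    return added


def blocklist_from_event(event):
    """What a consuming operator extracts to feed an SMS/SS7 firewall or IGW blacklist."""
    return sorted(a["value"] for a in event["Event"]["Attribute"]
                  if a["type"] == "phone-number" and a["to_ids"])


# Constructed detections from two runs of the pipeline within the same week
RUN_1 = ["+2525170001", "00252 517 0002", "+352 621 999 999"]
RUN_2 = ["+2525170001", "+2525170003", "not-a-number", "0123456"]


def demo():
    """Two detection runs in ISO week 2017-W40 applied to one weekly event."""
    ev = new_weekly_event(date(2017, 10, 2))
    first = add_numbers(ev, RUN_1, seen_on=date(2017, 10, 2))
    second = add_numbers(ev, RUN_2, seen_on=date(2017, 10, 5))
    return ev, first, second


if __name__ == "__main__":
    event, _, _ = demo()
    print(json.dumps(event, indent=2))
    print("blocklist:", blocklist_from_event(event))
```

The second run adds only `+2525170003`: the repeated number is deduplicated and the two malformed values are rejected before they reach the event, which is the check worth having in front of anything that other operators will turn into firewall rules automatically.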

Page 7:

Feedback from operators

• The weekly feed from POST is being used by other operators on MISP

• Sharing this information brought new operators onto the MISP platform

• Already several pieces of feedback and a real interest in a more telecom-dedicated MISP platform

• It was time to implement a MISP Telecom instance

Page 8:

Starting a MISP Telecom instance!

• We contacted CIRCL to create a new MISP instance dedicated to telecom purposes

• Built together new telecom-dedicated objects:

− SS7 attacks

− Diameter attacks

− GTP attacks

• Can be extended; CIRCL is always open to collaboration and new ideas.

• The platform is accessible by telecom operators only, and for free.

• CIRCL will provide and maintain the platform; we have offered the GSMA to be involved in the administration of the MISP Telecom instance.

https://misptelco.circl.lu/

Page 9:

Demo

https://misptelco.circl.lu

Page 10:

MISP Events

Page 11:

Feeding MISP with a telecom use case

Wangiri / robot calls

Page 12:

Why?

Page 13:

How do we feed MISP?

• What do all operators have?

CDRs and signaling traffic

• Let's take the case of using CDRs

• CDRs are produced for mobile/fixed calls, SMS, MMS, data, …

• For POST it's around 80 GB of CDRs per day in total

• Why not use all the data we have to detect fraud?

• Let's feed our log analytics platform with CDRs!

Page 14:

Wangiri fraud detection

• Behaviour- and machine-learning-based analytics keep track of every activity on the network via CDR analysis

• We have different indicators to decide whether or not to block numbers:

− Threshold

− Multiplication factor based on the last days' behaviour

− Cost of the communication

− Call duration

• We also have a whitelist for survey companies, government bodies, etc.

Page 15:

Wangiri fraud detection

• The CDRs used for this use case come from the MSS (mobile) and the International Gateway (fixed / mobile)

• We have achieved 10-15 min reactivity in blocking spam campaigns. A live CDR feed is coming soon.

• Splunk updates the blacklist on the IGW equipment via API

Page 16:

Call Spam fraud event

Page 17:

Distributed SPAM calls

• After implementing the automatic blocking, attackers are in an adaptation mode

• Trying to find our blocking triggers

• They know how to distribute and are organized… as we should be!

[Diagram: "Attacker ANumber" spread over several sources, each reaching a set of "Subs receiving calls"]
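Detection logic along the lines of slides 14 and 15 (threshold, multiplication factor over the previous days' baseline, call duration, whitelist), extended to the distributed campaigns on this slide, as an added example. This is not POST's Splunk analytics or its machine-learning model; it runs over constructed CDR records whose layout, thresholds, baseline and whitelist are all assumptions. The point it adds is the second pass: a campaign split across many fresh A-numbers of one sub-range stays under every per-number threshold, so the sub-range is aggregated to detect it, but only the A-numbers actually seen are blocked, never the range (the side effect warned about on slide 19).

```python
"""Wangiri / call-spam detection over a CDR window.

Added example, not POST's Splunk analytics: re-implements the slide's
indicators and adds sub-range aggregation for distributed campaigns.
CDR layout, tunables, baseline, whitelist and sample records are assumptions.
"""
from collections import defaultdict
from statistics import mean

THRESHOLD = 50          # calls per window before a single A-number is suspect
FACTOR = 5.0            # window count must exceed FACTOR x the daily baseline
UNKNOWN_BASELINE = 10   # baseline assumed for an A-number never seen before
SHORT_CALL_S = 5        # "ring and hang up": the Wangiri signature
PREFIX_LEN = 8          # leading digits that define a sub-range
MIN_SOURCES = 3         # distinct A-numbers needed to call a sub-range a campaign

# Constructed CDR window: (a_number, b_number, start_epoch, duration_seconds)
SAMPLE_CDRS = (
    # one A-number from an unallocated Somali range ringing 120 subscribers
    [("+2525170001", f"+3526200{i:04d}", 1_600_000_000 + i, 0) for i in range(120)]
    # the same campaign spread over 10 A-numbers of one sub-range, 15 calls each
    + [(f"+2525180{n:03d}", f"+3526210{i:04d}", 1_600_000_000 + 10 * n + i, 0)
       for n in range(10) for i in range(15)]
    # whitelisted survey company: high volume, but real conversations
    + [("+35227000000", f"+3526220{i:04d}", 1_600_000_000 + i, 45) for i in range(200)]
    # ordinary subscriber traffic
    + [("+352621111111", "+352621222222", 1_600_000_100, 180),
       ("+352621333333", "+352621444444", 1_600_000_200, 60)]
)

# Daily call count per A-number learned from previous days (constructed); the
# "profiling every A-number" step would maintain this from history.
BASELINE_DAILY_CALLS = {"+35227000000": 2500, "+352621111111": 3, "+352621333333": 5}
WHITELIST = {"+35227000000"}   # survey companies, government bodies, ...


def profile(cdrs, now, window_s=900):
    """Per-A-number call count and mean duration over the last window_s seconds."""
    durations = defaultdict(list)
    for a_number, _b_number, start, duration in cdrs:
        if now - window_s <= start <= now:
            durations[a_number].append(duration)
    return {a: {"count": len(d), "avg_duration": mean(d)} for a, d in durations.items()}


def single_source_suspect(stats, baseline):
    """The slide's indicators applied to one A-number."""
    return (stats["count"] >= THRESHOLD
            and stats["count"] >= FACTOR * baseline
            and stats["avg_duration"] < SHORT_CALL_S)


def detect(cdrs, now, baseline=BASELINE_DAILY_CALLS, whitelist=WHITELIST):
    """Return (blocklist, campaigns).

    blocklist: individual A-numbers to push to the IGW blacklist / MISP event.
    campaigns: one dict per detection with the evidence behind it.
    """
    per_number = profile(cdrs, now)
    blocklist, campaigns = set(), []

    # pass 1: one A-number doing the whole campaign
    for a_number, stats in per_number.items():
        if a_number in whitelist:
            continue
        if single_source_suspect(stats, baseline.get(a_number, UNKNOWN_BASELINE)):
            blocklist.add(a_number)
            campaigns.append({"kind": "single", "numbers": [a_number], "calls": stats["count"]})

    # pass 2: many A-numbers of one sub-range, each below THRESHOLD. The per-number
    # factor check is skipped on purpose: the attacker rotates fresh numbers
    # precisely so that each one stays under its own baseline.
    by_prefix = defaultdict(list)
    for a_number in per_number:
        if a_number not in whitelist and a_number not in blocklist:
            by_prefix[a_number.lstrip("+")[:PREFIX_LEN]].append(a_number)
    for prefix, numbers in by_prefix.items():
        if len(numbers) < MIN_SOURCES:
            continue
        total = sum(per_number[a]["count"] for a in numbers)
        avg = sum(per_number[a]["count"] * per_number[a]["avg_duration"] for a in numbers) / total
        if total >= THRESHOLD and avg < SHORT_CALL_S:
            blocklist.update(numbers)   # the seen numbers only, never the whole range
            campaigns.append({"kind": "distributed", "prefix": prefix,
                              "numbers": sorted(numbers), "calls": total})
    return blocklist, campaigns


if __name__ == "__main__":
    blocked, found = detect(SAMPLE_CDRS, now=1_600_000_900)
    for c in found:
        print(f"{c['kind']:11} {c['calls']:4d} calls  {', '.join(c['numbers'])}")
    print("blocklist size:", len(blocked))
```

On the constructed window the first pass blocks the single 120-call source, the second pass catches the ten 15-call sources of the `25251800` sub-range as one campaign, and the whitelisted survey company (200 calls of real duration, well under five times its daily baseline anyway) is left alone.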

Page 18:

Wangiri call fraud statistics, last 11 weeks

171 call spam attacks

Page 19:

Detection remarks

• Mainly coming from Africa & Europe

• Even when changing the number, they stay in the same sub-range

− Blocking the whole range could be problematic: side effects…

• Spam campaigns mainly start on Friday/weekend and come back 1-2 weeks later with the same numbers

• Using ITU unallocated ranges (Somalia +2525XXXXXX)

• New trends every 3 weeks…

− Use of international lines (boat, offshore, satellite)

− Spoofing Luxembourgish numbers

• Tracing the real origin of the call is almost impossible…

Page 20:

POST trends

• March 2017 – no automatic detection

− ~50 attacks/month – one attack could involve multiple numbers

− Massive attacks: from 5k up to 100k calls within 1 h

• October 2017 – started a simple version of the detection

− ~100 attacks/month

− Massive attacks still being tried, but most activity moved to many lower-volume attacks

− Trying from new ranges like offshore, satellite, etc.

• December 2017 – started ML detection, profiling every A-number on the network

− Attacks < 30/month, all blocked after at most 500 calls

− Last week: 6 attacks…

• Now attackers are using/spoofing Luxembourg numbers…

Page 21:

Goal seems to be reached…

[Chart: Cost vs Revenue; y-axis 0-25 K, x-axis 0-100 K]

Page 22:

Telecom community benefits

• Sharing SMS & spam call numbers

− Can be used to feed SMS/SS7 firewalls

• Sharing information about SMS gray routes

− Billing reduction/bypass

• Sharing SS7, Diameter & GTP attack patterns

• Continues the knowledge-sharing movement started in GSMA groups some years ago

Page 23:

Future data integration

• SS7, Diameter and GTP attacks

• GSMA High Risk range list

• SMS Spam campaigns

• Telecom vulnerabilities – Nodes & Protocols

• …

Page 24:

MISP Telecom

• Free telecom threat intel platform

• Discussions with the GSMA Security team are ongoing

• Accessible to and fed by operators, for operators

− This could evolve quickly!

• Already up and running

[email protected]

[email protected]

Page 25:

Questions ?

Page 26:

Thank you