Establishing MoTIF: The Mobile Threat Intelligence Framework

The GSMA has recently published a new tool for the telecommunications security industry. Called MoTIF, which stands for Mobile Threat Intelligence Framework, this is a GSMA member-developed framework designed to classify the threat actors that we see active over telecom networks today. What this is, and why it is required is explained below.

The IT security industry already uses threat intelligence frameworks to classify what an adversary has done. Some examples are ATT&CK® from MITRE and the Cyber Kill Chain developed by Lockheed Martin. These frameworks generally take the perspective of adversaries and serve to break down what it is an adversary has done. The basis of this adversary-focused breakdown, and subsequent sharing, is that then defenders can:

  • Look for the same behaviour across different attacks, and therefore assess whether they are likely to have been performed by the same or different adversaries.
  • Help discover new attacks or vulnerabilities. This can be done by analysing observed evidence of adversary behaviour and comparing it with known or expected adversary behaviour based on previous attacks classified using a threat intelligence framework. Finding similarities or differences in adversary behaviour across attacks can give a defender valuable insight on where to focus defender resources and how to reduce risk
  • Build up defences (mitigations) against attacks based on observed or anticipated adversary behaviour, or consider the outstanding risk if stronger defences are not put in place.

Examples of these frameworks being used can be found in many places, for example, here is the overview issued by the Irish NCSC after the destructive attack on Ireland’s healthcare sector in 2023, which contains a MITRE ATT&CK® framework breakdown of the attacker. More recently, the UK, US, Canada , Australia and New Zealand issued an analysis of the Infamous Chisel malware, which had been developed by Russia for use against Ukrainian army Android tablets. This also contains a MITRE ATT&CK® breakdown of the adversary.

The need for a framework like this in the mobile telecoms industry has been evident for some time. Unlike the IT security industry, the mobile industry has not had a way to classify and deconstruct the various tactics and techniques used by adversaries in this space. Basically, we have been lacking a language to describe the activity of threat actors attacking mobile industry targets by explaining their tactics and techniques in a formal, machine-readable way. An example of this is the Russian-linked signalling network threat actor called HiddenArt. Due to the use of signalling networks and techniques specific to mobile technology, such an attack and the associated threat actor behaviour would be impossible to represent using existing frameworks like MITRE ATT&CK®. As a result, the only way to share high and medium-level level information on this threat actor was via blogs and write-ups. While useful, this is not a formal taxonomy, so could not easily allow others to determine if they have also been targeted, or to look for commonalities between them and other signalling threat actors.

An important point is that this language/framework does not need to focus on specifics such as exact origin point or command format, but instead focusses on higher level “tactics” or “techniques”. This is because these specifics can and do change over time, and in many cases there is sensitivity in sharing these specifics, especially where confidential mobile network information is involved. The overall objective of a mobile threat intelligence framework is that it will allow defenders to gain a greater understanding of the threats, and then ultimately a greater ability to defend against attacks from these adversaries, based on faster sharing of attack information that is relevant, valuable, and timely without being restricted due to sensitivity.

Given this need, a small group of contributors within the GSMA came together in early 2022 to specify a framework for the mobile industry to use to categorise adversary behaviour, both now and in the future. This work within the GSMA is known as MoTIF. The group first considered whether the mobile industry could use existing frameworks. It found that that none of the more well-known frameworks are mobile network focused, that is, they miss many of the concepts that mobile network security needs. In addition, other frameworks that have been proposed over the years specifically for mobile networks have not been adopted or used to any great degree. As a result, a decision was made to develop a new, industry-supported threat intelligence framework, by building on the extensive knowledge and experience within the GSMA Fraud and Security Group (FASG). The group also decided to closely base this framework on the principles and structures behind MITRE ATT&CK®. This is due to the widespread knowledge and experience in the security community for MITRE ATT&CK, which would help with take-up and improve ease-of-use of the new framework within the mobile community.

With these decisions made, the MoTIF group worked diligently to develop version 1 of MoTIF, now published. Version 1 of MoTIF enables defenders to describe, in a structured way, how adversaries attack and use mobile networks, based on the tactics, techniques and procedures (TTPs) that they use. At its heart, MoTIF is focussed on mobile network related attacks that are not already covered by existing public frameworks like MITRE ATT&CK® and MITRE FiGHT™.

MoTIF v1.0 consists of two documents:

  • FS.57 MoTIF Principles (Public): This document provides an overview of MoTIF and defines the techniques and sub-techniques used in the framework. It also describes how MoTIF can be represented in STIX, a structured language for describing cyber threat information. This is a public document, intended to facilitate and encourage widespread mobile industry adoption and use of MoTIF.
  • FS.58 MoTIF Examples (non-Public): This document provides information on how MoTIF can be applied, with reference to specified example attack scenarios. Due to the sensitivity of some of its contents, this document is available to GSMA members only.

This version is just a first release. MoTIF will grow over time, especially as many adversary techniques and sub-techniques have not been defined yet. The aim of the GSMA group behind MoTIF at this stage is to make the wider community aware of this work, and to encourage them to contribute and use this and later versions.

Interested observers may query the relationship between MoTIF and MITRE FiGHT™, which was mentioned earlier. MITRE FiGHT™ is a threat framework published in late 2022 that recognises the limitations of MITRE ATT&CK for mobile networks and seeks to create a new framework for mobile networks. However, MITRE FiGHT™ is 5G-focused (+ 4G when it comes to interworking with 5G) and is built upon attack examples that are available in the public domain. This is different from MoTIF, which is focused on all network generations, and has access to attack examples which have not been publicly shared. Nonetheless, the GSMA MoTIF group has worked with MITRE (which participates in the MoTIF group) to ensure interoperability and a shared understanding between MoTIF and FiGHT™. MITRE has already noted suggestions from the MoTIF group to incorporate into the FiGHT™ framework. It is expected that over time this interworking and relationship will draw both frameworks even closer.

With the public release of version 1 of FS.57, the wider mobile and cybersecurity community will be able to inspect and review this work. Next steps will be influenced by the level of adoption, active use and calls for extension of the framework. The road ahead for MoTIF won’t be without its challenges. Understanding, using, and ultimately benefiting from MoTIF will require a concerted effort from all interested stakeholders, ranging from mobile network operators to cybersecurity vendors. But those behind its development believe that MoTIF will demystify attacks and allow us to classify the types of adversaries we see in the mobile security sphere, and will further encourage a culture of information sharing, transparency, and collaboration – values that lie at the heart of effective cybersecurity in any domain.