Welcome to our security threat landscape blog. Cybersecurity Awareness Month is this October; it’s recognised as a dedicated month for promoting security and safety and encouraging both public and private sectors to work together to raise cybersecurity awareness. This blog focuses on the need for full awareness of one’s inventory of equipment, software and services.
In order to establish and operate effective security defences, it is necessary to understand the assets that make up the network’s attack surface. This includes all the systems (development and operational), legacy equipment, people, processes and services used to operate, design and maintain the network. These assets can include hardware and server estate, cloud and other services, exposed network ports and the operational software stacks. Each can benefit from inventory management to fully document the potential attack surface. Once the full estate is understood, a comprehensive defensive strategy can be established.
Reconnaissance
Many potential attacks begin with a reconnaissance phase to understand the potential attack surface and possible weaknesses. This can involve a whole range of items, including IP address ‘pinging’, port scanning and reviewing LinkedIn member profiles. This latter item is used to better understand possible phishing attack guises, the target’s likely levels of permission / privileges and what equipment vendors / products they are responsible for.
The attack surface
In some cases, we see a reduction in attack surface through the sunsetting of some 2G and 3G networks and by disabling unnecessary services and features. GSMA Intelligence cites that between 2010 and Q2 2024, there were 137 network sunsets, of which around 50% were completed in the last three years. However, there is also growth through deployment of stand-alone 5G cores, increased 5G radio access network deployment, disaggregated radio access networks (including O-RAN and virtualised RAN), introduction of new network APIs, extended supply chains, increased virtualisation infrastructure and the increasing number of connected devices, including smartphones, autonomous vehicles and other IoT equipment. In aggregate, network attack surfaces are expanding.
Attack vectors
There are a number of attack vectors that may seek to compromise inventory items and each requires strong security controls and processes to minimise the likelihood and impact of any attack:
- Phishing attacks: well-engineered and styled phishing attacks continue to have a finite success rate in penetrating perimeter defences. Consequently, anti-phishing campaigns and well-architected internal network controls that make lateral movement more difficult are important activities.
- Malicious Insider: in a similar manner, internal controls, least privilege, strong authentication and employee vetting make it harder for a malicious insider to gain traction.
- Managed Service Provider attack: remote compromise of a managed service provider offers a potential attack vector. Strong vetting, least privilege and trust domains form part of any defence.
- Inter-connect / Roaming / Internet Signalling and DDoS attack: this attack vector is well documented and attracts significant coverage in GSMA Security documents.
- Exposed routers and servers: a network operator will have a significant estate of vendor equipment, router and server infrastructure. Legacy equipment can use protocols with limited in-built security, eg Telnet. These exposed interfaces must be configured to use secure protocols or have additional security controls such as VPN protection to reduce the likelihood of a successful adversary attack. The same applies to virtualised deployments: the underlying bare-metal compute, storage and network devices must be protected. Additionally, unused management protocols, internet services and accounts can be disabled to limit attack opportunities.
- Physical attack on network infrastructure: eg at cell site(s) or data centres, this can be minimised through physical protection layers as well as access controls, alarms etc. A further layer of defence is to ensure management and other equipment interfaces are suitably protected to prevent onward attack within the wider network. Physical attacks on the RAN can also include Joint Test Action Group (JTAG) attacks and compromise of serial management ports.
- Device attack: with increasing access bandwidth and a range of malware attacks on devices, protection must be considered against device-based network attacks (eg signalling ‘storms’, Denial of Service attacks, IoT compromise) back into the network. Additionally, devices themselves may be subject to individual attack.
- Air interface attack on the Radio Access Network, or onward into the wider network.
- One critical security aspect is the link between the corporate and operator networks as it provides an attack vector into the operational network. Good security practices can mitigate this risk through secure networks, strong authentication and least privilege practices alongside strong Privileged Access Management (PAM).
Dimensions of inventory
It is interesting to consider some of the possible dimensions of inventory management. Earlier in this blog we identified servers and enabled port services, but we might also include detailed records of configuration and build management, security of back-up arrangements, hardware bills of materials, software bills of materials, enabling services, remote accesses, VPNs, firewalls, Citrix environments, ‘jump’ boxes, load balancers, proxies, out-of-band server management interfaces and privileged accesses / administrator activities, and so on.
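To make the ‘exposed routers and servers’ point and the inventory dimensions above concrete, here is an added example (written for this post; it is not GSMA tooling or any operator’s code) of an inventory audit. It takes a small, constructed inventory record for three assets and checks each against a simple policy: exposed services using legacy protocols such as Telnet, unused services that should be disabled, management interfaces reachable from an untrusted zone (including the corporate network), and assets with no software bill of materials or configuration baseline on record. The asset names, zone names and protocol lists are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict

# Assumed policy: protocols with little or no built-in security (cf. Telnet above).
INSECURE_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1", "snmpv2c", "rsh"}
# Assumed policy: services that give management access to the asset.
MANAGEMENT_PROTOCOLS = {"ssh", "telnet", "https", "http", "snmpv1", "snmpv2c",
                        "snmpv3", "ipmi", "serial-console"}
# Zones from which management interfaces must not be reachable; the corporate
# network is treated as untrusted relative to the operational network.
UNTRUSTED_ZONES = {"internet", "corporate"}


@dataclass(frozen=True)
class Service:
    port: int
    protocol: str
    zone: str        # network zone the listener is exposed to (assumed names)
    in_use: bool     # whether the service is known to be required


@dataclass
class Asset:
    name: str
    kind: str
    owner: str
    sbom_ref: Optional[str]          # software bill of materials reference
    config_baseline: Optional[str]   # configuration / build baseline reference
    services: List[Service]


@dataclass(frozen=True)
class Finding:
    category: str   # "inventory-gap", "insecure-protocol", "unused-service", "exposed-management"
    message: str


def audit_asset(asset: Asset) -> List[Finding]:
    """Return the policy findings for one inventory record."""
    findings: List[Finding] = []
    if asset.sbom_ref is None:
        findings.append(Finding("inventory-gap",
                                f"{asset.name}: no software bill of materials recorded"))
    if asset.config_baseline is None:
        findings.append(Finding("inventory-gap",
                                f"{asset.name}: no configuration baseline recorded"))
    for svc in asset.services:
        ident = f"{asset.name}: {svc.protocol}/{svc.port} ({svc.zone})"
        if not svc.in_use:
            # Unused services widen the attack surface for no benefit: disable them.
            findings.append(Finding("unused-service", f"{ident} is not required; disable it"))
            continue
        if svc.protocol in INSECURE_PROTOCOLS:
            findings.append(Finding("insecure-protocol",
                                    f"{ident} uses a legacy protocol; migrate to a secure "
                                    f"protocol or restrict it behind a VPN"))
        if svc.protocol in MANAGEMENT_PROTOCOLS and svc.zone in UNTRUSTED_ZONES:
            findings.append(Finding("exposed-management",
                                    f"{ident} is a management interface reachable from an "
                                    f"untrusted zone"))
    return findings


def audit_inventory(assets: List[Asset]) -> Dict[str, List[Finding]]:
    """Audit every asset; only assets with findings appear in the report."""
    report: Dict[str, List[Finding]] = {}
    for asset in assets:
        findings = audit_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


def count_by_category(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Summarise a report as finding counts per category."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample inventory (not real assets, owners or addresses).
INVENTORY = [
    Asset("core-router-01", "router", "transport-team", None, "rtr-baseline-v3",
          [Service(23, "telnet", "oam", True), Service(22, "ssh", "oam", True)]),
    Asset("legacy-bsc-07", "bsc", "ran-team", None, None,
          [Service(23, "telnet", "internet", True), Service(21, "ftp", "oam", False)]),
    Asset("upf-vm-12", "virtual-machine", "core-team", "sbom-upf-12", "upf-baseline-v1",
          [Service(443, "https", "corporate", True), Service(623, "ipmi", "oob", True)]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        for f in findings:
            print(f"[{f.category}] {f.message}")
    print(count_by_category(audit_inventory(INVENTORY)))
```

The report deliberately treats a missing SBOM or baseline as a finding in its own right: an asset the inventory cannot describe cannot be defended, which is the point of the paragraph above. Extending the policy is a matter of adding to the protocol and zone sets, and a real deployment would feed the `Asset` records from the configuration management database rather than from inline constants.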
As mentioned upfront, an attacker is likely to undertake detailed reconnaissance before launching the later stages of an attack. It is important to first know the entirety of one’s attack surface (and inventory) in order that it can be adequately defended.
Finally, I recommend you take a look at Gulistan Ladha’s (GSMA’s Consumer Policy Director) blog ‘Security in a Shared Responsibility’, which evaluates how and why cyberattacks are increasing in scope and scale across the world, and what mobile operators are doing to mitigate the risk of cyberattacks.
If you’d like to discuss these themes or to get more closely involved, please email [email protected].