The Telco Insider Attack Spike
I recently participated in a webinar as part of a series co-hosted by Team8, Amdocs and AT&T called “The Future of Telco Cybersecurity.” I encourage you to watch the recording, which featured an interesting and wide-ranging discussion of the many security issues confronting telecommunications companies as we start winding down this crazy and unprecedented year.
As soon as I heard the audience would be made up of security personnel from the telecommunications industry, I knew that I wanted to focus my section of the presentation on what makes such companies uniquely vulnerable to insider threats. With the extraordinary disruptions of the past year, as well as the major changes imminent with the arrival of 5G, telcos have their fair share of external threats to mitigate and stop. But malicious insiders are also set to become a major issue. In this post, I will explain why I believe that is the case and how deception is crucial to paralyzing insiders before they get anywhere near critical assets beyond their job descriptions.
Why are Telcos a Target?
Telcos are always going to be in attacker crosshairs; their products and services underpin the networks all businesses use to communicate with fellow employees and customers. The pandemic has only made us more dependent on these channels, and the arrival of 5G will only intensify this trend. Indeed, the combination of a massive shift to working from home with the more decentralized nature of 5G creates a perfect storm of new vulnerabilities that will serve to enable external and internal attackers alike.
Attackers are already paying attention to these vulnerabilities. Last year, Operation Soft Cell, attributed to the APT10 group affiliated with the Chinese government, attacked 10 different telecommunications companies on four continents to steal over 100GB of call detail records. The attack went at the very heart of what makes telecommunications companies an attractive target – they hold enough identifiable information about their customers to let people piece together where a person of interest is located, who he or she is communicating with, at what time and more.
Earlier this year, telecommunications companies like France-based Orange and Telecom Argentina suffered major ransomware attacks that resulted in the massive theft of sensitive documents and the lockdown of thousands of workstations, respectively.
But these are attacks where the adversaries had to figure out a way inside. Potential malicious insiders already have authorized access to critical telco data. Why waste time figuring out a way to bust through the perimeter if you can get someone on the inside to help you get the valuable data you need?
Telcos Are Uniquely Vulnerable to Insider Threats
The very nature of what telcos sell makes their insiders more dangerous than those of the average organization. The network devices used to propagate network coverage – like routers and switches – are always on, difficult to protect with an agent, and provide a unique vantage point on how an organization’s own network is laid out. Telco engineers are particularly likely to know how their own company’s network devices function, and where they might be vulnerable.
5G raises the stakes exponentially. In comparison to previous generations of networks, 5G is decentralized and in many places virtualized, creating numerous new potential access points where none existed before. These various access points will require more employees to keep these networks up and running; indeed, telcos are discovering that 5G is laying bare a skills gap and hiring shortage that will need to be resolved quickly so that the new networks can be implemented. That means a lot of new and untested employees with access to sensitive data and opportunities to be negligent or worse, malevolent.
Remote work provides the final wild card increasing insider threats. Many employees, out of necessity, have become their own IT departments—sourcing their own equipment and installing their own software. Moreover, due to layoffs, pay cuts or an unwelcome increased workload and the stress that comes with it, employees might feel a bit less loyal to their employer or seek some payback. This creates a chaotic work environment, and there is no longer anyone physically looking over your shoulder when you may decide to go rogue or get tempted by an outsider into doing so. Not a great combination, and as virus cases rise throughout the Americas and Europe, we are not headed back to the office in large numbers anytime soon.
Unfortunately, the activity-based tools most often used to identify insider behavior have suddenly been made useless. Anomaly detection always struggled to find needles in haystacks, but in a crisis where everything looks like a needle, it becomes completely miscalibrated. No normal baseline exists to compare with anomalous activity, so everything becomes an anomaly. Some Illusive customers have reported a 300% increase in their alerts from other activity-based solutions since the pandemic and its lockdowns began, and the situation hasn’t improved as employee habits adapt to constantly changing circumstances. Probabilistic solutions need to give way to alerts based on deterministic detections of malicious behavior. When an alert goes off, it needs to mean something, or it will just lead to false positives and wasted investigation time.
How an Active Defense Can Help Stop Malicious Insiders
Illusive has proven time and again to be a simple and effective insider threat mitigation tool that takes a two-pronged approach. Illusive first ensures that users do not have unauthorized credentials and connections to critical business assets. Then, tailored deceptions that even the most sophisticated insiders cannot distinguish from the real thing trigger alerts when the insider’s lateral movement attempt is detected. Real-time source forensics deliver incontrovertible proof of malicious intent and allow for catching insiders without tipping them off.
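To make the contrast drawn in the two passages above concrete (a baseline-driven anomaly detector that loses its calibration once everyone's behaviour shifts, versus a deterministic alert on the use of a planted decoy credential), here is an added Python example. It is not Illusive's code, and everything in it is constructed: the logon records, the account and host names, and the hypothetical decoy service account svc-cdr-archive. The anomaly detector scores each account's daily count of distinct target hosts against a baseline learned from the first five days; the decoy detector fires on any authentication that presents a planted credential and records the source host, which is the kind of source forensics the post refers to.

```python
"""Baseline anomaly detection vs. deterministic decoy-credential detection.

Added illustration, not Illusive's code. Every record, account, host and
count below is constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = range(1, 6)   # "normal" period used to learn per-account behaviour
SHIFT_DAYS = range(6, 9)      # regime shift: everyone is remote and reaches more hosts
DECOY_ACCOUNTS = {"svc-cdr-archive"}   # hypothetical planted decoy credential
Z_THRESHOLD = 3.0             # assumed alerting threshold for the anomaly detector


def build_log():
    """Constructed logon records: one dict per authentication event."""
    users = ["alice", "bob", "carol", "dave"]
    log = []
    for day in BASELINE_DAYS:
        for u in users:
            for h in range(2):  # ~2 distinct target hosts per account per day
                log.append({"day": day, "account": u, "src": f"ws-{u}", "dst": f"app-{h}"})
    for day in SHIFT_DAYS:
        for u in users:
            for h in range(8):  # after the shift every account reaches 8 hosts
                log.append({"day": day, "account": u, "src": f"vpn-{u}", "dst": f"app-{h}"})
    # The one event that matters: from carol's VPN session, someone presents the
    # decoy service account to a critical host. No legitimate workflow uses it.
    log.append({"day": 7, "account": "svc-cdr-archive", "src": "vpn-carol", "dst": "billing-db"})
    return log


def distinct_hosts_per_day(log):
    """Map (account, day) -> number of distinct target hosts reached that day."""
    counts = defaultdict(set)
    for r in log:
        counts[(r["account"], r["day"])].add(r["dst"])
    return {k: len(v) for k, v in counts.items()}


def baseline_anomaly_alerts(log, threshold=Z_THRESHOLD):
    """Probabilistic detector: z-score of today's host count against the learned baseline."""
    counts = distinct_hosts_per_day(log)
    history = defaultdict(list)
    for (acct, day), n in counts.items():
        if day in BASELINE_DAYS:
            history[acct].append(n)
    alerts = []
    for (acct, day), n in sorted(counts.items()):
        if day in BASELINE_DAYS or acct not in history:
            continue  # an account with no baseline cannot be scored at all
        mu = mean(history[acct])
        # Assumed floor of 1.0 so a perfectly flat baseline does not divide by zero.
        sigma = max(pstdev(history[acct]), 1.0)
        z = (n - mu) / sigma
        if z > threshold:
            alerts.append({"account": acct, "day": day, "hosts": n, "z": round(z, 1)})
    return alerts


def decoy_credential_alerts(log, decoys=DECOY_ACCOUNTS):
    """Deterministic detector: any use of a decoy credential is malicious by construction."""
    return [
        {"account": r["account"], "day": r["day"], "source_host": r["src"], "target": r["dst"]}
        for r in log
        if r["account"] in decoys
    ]


if __name__ == "__main__":
    events = build_log()
    noisy = baseline_anomaly_alerts(events)
    precise = decoy_credential_alerts(events)
    print(f"baseline detector: {len(noisy)} alerts, none of them the insider")
    print(f"decoy detector: {len(precise)} alert -> {precise[0]}")
```

Run as a script, the baseline detector raises 12 alerts (every legitimate user on every post-shift day, none of them the insider event), while the decoy detector raises exactly one, pointing at the source host vpn-carol and the target billing-db. The uniform shift in behaviour is what breaks the first detector: once the learned baseline no longer describes anyone, every account crosses the threshold together and the alert stops meaning anything, which is the miscalibration the post describes.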