Gabriele Lieser

CUSTOMER SUCCESS MANAGER

Summary

Malicious actors are getting better organized, more sophisticated, and ultimately more brazen. As a result, MNOs have difficulty dealing with cyberthreats because previously powerful defense methods and tools are becoming less effective. But here is a thought: rather than each company upgrading its defenses and accumulating costs on its own, wouldn’t it be a good idea to allocate some of that effort to sharing threat intelligence? This comes in handy when fraudsters carry successful attacks over to similar organizations. Sharing fraud intelligence among trusted partners and trusted groups prevents fraud incidents from repeating, speeds up reaction times and saves resources. Furthermore, it shortens the lifespan of attacks and places a big burden on attackers to stay in business. In recent years, there has been a noteworthy evolution of platforms and standards that help organisations collect, organise, share and identify sources of threat data. The Malware Information Sharing and Threat Intelligence Sharing Platform (MISP) is one such platform.

The MISP was conceived in 2011 as a remedy to inefficient manual sharing of intelligence by email or PDF documents. The early versions of the MISP improved information sharing via practical open-source tools, open formats and practices. These days, a variety of MISPs are available, each specializing in a particular group of users; banks, for instance, have different threats to deal with than mobile operators.
Luckily, there is a dedicated GSMA MISP specially geared towards the mobile industry. It was jointly implemented by the GSMA and the prestigious Luxembourgish CIRCL (Computer Incident Response Center Luxembourg, circl.lu).
CIRCL leads the development of the open-source MISP, which is used by military or intelligence communities, private companies, the financial sector, national CERTs (Computer Emergency Response Teams), and LEAs (Law Enforcement Agencies) worldwide. More than 6000 organisations are using it. CIRCL operates several large MISP communities that actively share threat intelligence on a daily basis.

After decades of bad actors focusing on the financial services industry, its defenses have become strong. Fraudsters are looking for new targets: they go where victims are easy to find and where there is value. Just recently, intrusion attempts to steal data on COVID-19 vaccines have been in the news. National and civil structures such as power grids, water supplies, and hospitals are increasingly being attacked. When ransomware cripples a hospital, cybercrime does not only cost money; it literally costs lives.
So, the benefits of a malware information and threat intelligence sharing platform seem obvious. The many different user groups find indicators in the MISP to detect whether they have infected systems in their infrastructure or in the systems they operate. Others use the attributes to block, sinkhole or divert traffic. Indicator sharing is also used for intelligence, to gather information about campaigns and attacks to answer questions like: are certain campaigns and attacks related? Who is targeting me? Who are the perpetrators?

What are the Benefits of MISP?

Many different types of users take advantage of an information sharing platform like MISP to manage their daily work. These include malware reversers who want to share analysis indicators with their respective colleagues; security analysts who actively seek out indicators, validate them and use them in operational security; intelligence analysts who need information about specific adversary groups; law enforcement agencies that rely on indicators to drive their DFIR (Digital Forensics and Incident Response) cases; risk analysis teams that want to know about new threats, probabilities and incidents; and fraud analysts who are willing to share financial indicators to detect financial fraud.

Difficulties with Sharing Information?

Many useful community projects struggle with the problem of engagement. Take Wikipedia: it is highly regarded and widely used by everyone, and yet it suffers from funding problems. Something similar is true for MISP: difficulties in sharing are rarely caused by technical problems, but rather by the issue of trust. Legal and practical constraints are then often listed as problems. MNOs who could contribute state that their legal framework does not allow them to share information, or that the risk of information leakage is considered too high for their organization or partners.

On the practical side, it is often cited that they do not have relevant information that could be shared, or that there is neither time nor resources to process or contribute indicators. Sometimes they also use different classification models, or different sharing tools that are tied to a specific format. Some of these topics are covered in the ISO/IEC 27000 series of standards, which provides best practice recommendations for information security management.

Contributing is Easy!

The core functionality of MISP is sharing. Everyone can be a consumer and/or a contributor/producer. Users get quick results without the obligation to contribute. The access to the tool is designed to be low threshold so that people can quickly become familiar with the system. MISP has a variety of features to help users create, collaborate, and share threat information – such as flexible sharing groups, automatic correlation, free-text import help, event distribution, and proposals. Many export formats are provided, and a rich set of MISP modules to add extension, import and export functionalities is also available.

The correlation functions, for instance, are a brilliant tool for analysts. They are needed to confirm a finding (e.g. is it the same campaign?), to support an analysis (e.g. do other analysts have the same hypothesis?), to confirm a particular aspect (e.g. are sinkhole IP addresses used for one campaign?), or simply to find out if this threat is new or known in the community. Contributors can use the UI, API, or freetext import to add events and attributes. Contributions can be made directly by creating an event, and colleagues can also suggest attribute updates to the event owner. MISP includes a flexible tagging scheme where users can choose from more than 42 existing taxonomies or they can create their own.
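The correlation and contribution ideas above, as an added example that is not MISP's or RoamsysNext's own code: events from three contributors are laid out in MISP's JSON event structure, and a simplified stand-in for automatic correlation (exact match on the normalised attribute value) shows which events are linked. All event ids, organisation names and indicator values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data in MISP's JSON event layout (Event -> Attribute list).
# Event ids, org names and indicator values are made up for this example.
EVENTS = [
    {"Event": {"id": "101", "info": "Smishing wave", "Orgc": {"name": "Operator-A"},
               "Tag": [{"name": "tlp:amber"}],
               "Attribute": [
                   {"type": "domain", "value": "Login.Example.net", "to_ids": True},
                   {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True}]}},
    {"Event": {"id": "102", "info": "Credential phishing", "Orgc": {"name": "Operator-B"},
               "Tag": [{"name": "tlp:green"}],
               "Attribute": [
                   {"type": "domain", "value": "login.example.net", "to_ids": True},
                   {"type": "phone-number", "value": "+15555550100", "to_ids": False}]}},
    {"Event": {"id": "103", "info": "Sinkhole observation", "Orgc": {"name": "CERT-C"},
               "Tag": [{"name": "tlp:green"}],
               "Attribute": [
                   {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False}]}},
]


def correlate(events):
    """Return {value: [event ids]} for values that occur in more than one event."""
    seen = defaultdict(set)
    for wrapper in events:
        event = wrapper["Event"]
        for attr in event.get("Attribute", []):
            # Normalise so "Login.Example.net" and "login.example.net" match.
            seen[attr["value"].strip().lower()].add(event["id"])
    return {value: sorted(ids) for value, ids in seen.items() if len(ids) > 1}


def detection_values(events):
    """Values flagged to_ids in at least one event, i.e. meant for blocking or alerting."""
    return sorted({a["value"].strip().lower()
                   for w in events for a in w["Event"].get("Attribute", [])
                   if a.get("to_ids")})


if __name__ == "__main__":
    for value, ids in correlate(EVENTS).items():
        print(f"{value} links events {', '.join(ids)}")
    print("export for detection:", detection_values(EVENTS))
```

The IP address appears once as a detection indicator and once as a sinkhole observation, which is exactly the kind of overlap an analyst would want to review before blocking on it.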

One’s Detection is Another’s Prevention

MISP is just a tool, one that is as transparent as possible in order to build and maintain trust and support contributors. What counts are the contributions of everyone during the sharing process. The MISP project combines open-source software, open standards, best practices and communities to make information sharing a reality. We can only encourage every mobile network operator to actively use the GSMA MISP: it is a service provided free to the GSMA membership!

We stand behind the motto: One organization’s detection is another’s prevention. The fraud landscape and the pressure on individual MNOs are growing, especially due to the technology shift to 5G. Even if a different impression might have been created in the media, 5G networks are not secure by default. Like all complex networks, they require good security design and constant vigilance. To meet three challenges at once (complying with national and international regulations, avoiding data and revenue loss, and protecting the brand image), it is imperative for MNOs to ensure the reliability and security of their mobile services.

An Ounce of Prevention is Better than a Pound of Cure

With the help of the latest technologies and together with the GSMA, we are working on more efficient solutions. Consequently, we are keeping an eye on upgrading security aspects. The good news is that in the near future there will be an easy-to-use platform that provides, in a highly automated and curated way, the details of high-risk numbers, suspicious number ranges, MCC/MNC codes and operator IP ranges. Stay tuned for new developments from the house of RoamsysNext.

Since 2009 RoamsysNext has been specializing in software development and project management as the GSMA’s exclusive provider of RAEX solutions, providing superior service and competitive pricing. With our Wholesale Roaming Manager, we help MNOs converge roaming partner information and relationships in a precise and secure way with an all-in-one solution covering everything from test SIM cards to tariff, document and contact management. Additionally, we help to strengthen the core network by spotting missing and incorrect configurations and vulnerabilities with the Network Configuration Optimizer. Further audits are essential to make sure that the correct configurations are implemented in every network node.

Already more than 700 MNOs across the globe trust in our tools and services. If you are interested in our products just reach out at info@roamsys.com. We are always happy to help, and we will always find great solutions to your requests.

Gabriele Lieser joined RoamsysNext in 2020 as Customer Success Manager to strengthen the bonds with our increasing number of customers and to support the marketing team. Gabriele has a strong background in corporate sales. She studied at the universities of Trier (Germany) and Manitoba (Canada) and is incorporated in the RoamsysNext Client Service team.
