Overcoming shortfalls in telecom threat intelligence

  • The telecoms sector is doing quite well in terms of sharing and using threat intelligence, notes HardenStance founder and principal analyst Patrick Donegan 
  • But there’s a lot of room for improvement, particularly in terms of internal communications and terminology
  • An approach to standardizing and updating information on ‘threat actors’ akin to the MITRE ATT&CK Framework model would help the telecoms sector, according to industry experts
  • As with other areas of the telecom sector, automation is critical

It’s easy to say “more needs to be done” to shore up cyber security defences in the telecoms sector, but very hard to identify and articulate what can and should be done. That’s why HardenStance founder and principal analyst Patrick Donegan, who has been tracking and reporting on IT and telecom security for more than a decade, hosted the recent Telecom Threat Intelligence Summit, which highlighted some of the information-sharing challenges facing the telecom sector and the actions that could be taken to help network operators with their security strategies and processes. 

The key takeaway from the Summit is that the vital information gathered by telco security teams needs to be shared more broadly, especially with other parts of their own companies, and (critically) needs to be shared in a way that can be understood by others: Currently, information about cyber threats in the telecom industry is described and shared in a way that is not compatible with the language and processes used in the enterprise IT security sector, and while the telecom sector is currently doing quite well in terms of sharing and using threat intelligence compared with other verticals, alignment with the enterprise IT security world would be very beneficial, Donegan notes in his report that summarizes the key takeaways from the Summit (which can be found here). 

“Most glaringly, telecom sector stakeholders don’t have anything that compares with the MITRE ATT&CK Framework’s open source model for standardizing and updating information on threat actors and their Tactics, Techniques and Procedures (TTPs). Several speakers stated how important it is for the mobile networks industry to bridge this gap,” notes Donegan in his report. 

Of course, the telecom sector is different from the enterprise IT sector in a number of key ways, not only in the language and protocols it uses but also in terms of regulation and the importance placed on key ‘pillars’ (in telecom, availability is as important as confidentiality and integrity, while it’s less critical in enterprise IT). This is why Roland Dobbins, Principal Engineer at Netscout, suggested that a customized “ATT&CK-like” framework with a strong emphasis on availability “would be a real boon for the industry.”

Even creating such a framework and associated processes would only be one (albeit significant) piece of the puzzle: Ultimately there needs to be significant internal support and resources allocated to threat intelligence within the network operator community, and the industry could look to the financial sector to see how a coordinated and well-resourced effort can have an impact on security outcomes, notes the report. 

And just sharing lots of information isn’t the answer either, as was pointed out by Dr Ed Amoroso, CEO of Tag Cyber and former Chief Security Officer at AT&T. He says there are a number of misconceptions about threat intelligence that are not helping the situation, with the main one being that simply sharing information, and as much of it as possible, will solve everything – “It’s not the quantity or the availability of data [that is the problem], it’s the quality... I get very nervous when anyone says they need more data – telcos are not sitting around saying they wish they had more data,” he noted.

Amoroso also added that there’s a misconception that everyone in the telecoms industry is ready, willing and able to share threat intelligence and information with others – from his own experience he knows that competitive rivalries can lead network operators to hold back information that might otherwise help peers. 

His experience also allowed Amoroso to note how important machine learning-based automation will be to telco security strategies. “If we can get to the point where the feeds that come in become data, and we learn from that data, that seems like the perfect connection... feed, intelligence, platform and then auto-updates – this can happen in telecom. I’m not as convinced about other sectors, but the telecom industry gets this. That’s where I think the contribution can be most meaningful from the telecom community,” stated Amoroso.

The GSM Association is one of the industry organizations seeking to help operators automate their cyber security processes, with David Rogers, Chairman of the GSMA’s Fraud and Security Group (FASG), noting that universal APIs for operators and other parties would be useful and that the Association could play a role in hosting them.   

There are plenty of other important takeaways from the report, including references to threat intelligence success within the telecom sector such as the Malware Information Sharing Platform (MISP) – aka the Open Source Threat Intelligence and Sharing Platform – which Thomas Tschersich, Chief Security Officer at Deutsche Telekom, described as DT’s “most important” sharing platform.

The report provides a great snapshot of the key threat intelligence considerations for the telecom sector right now, and it can be accessed at the HardenStance website. The industry is awash with reports, but this one should be near the top of everyone’s reading list. 

- Ray Le Maistre, Editorial Director, TelecomTV

Email Newsletters

Sign up to receive TelecomTV's top news and videos, plus exclusive subscriber-only content direct to your inbox.