How Threat Intelligence Defends Telecommunications Against APTs

September 11, 2019 • The Recorded Future Team

Telecommunications plays a crucial role in society. Everybody, from government and military organizations to normal everyday citizens, depends on it.

Unfortunately, when something plays such a vital role, it tends to pique the interest of threat actors. Telecom infrastructure and companies are under constant attack from state-sponsored hackers, sophisticated APT groups, and even hacktivists.

Protecting telecom infrastructure is far from easy. Most telecom providers have highly complex network environments, including a huge number of endpoints, user accounts, and sophisticated and diverse infrastructure, all of which has to be protected against the most advanced cyber threats.

In this blog, we’ll take a closer look at cyber threats facing the telecom industry, and explain how providers can use threat intelligence to help protect their digital environments and critical infrastructure from sophisticated cyber threats.

Telecom Infrastructure Is a Top Target for Cyberattacks

Telecom providers face cyberattacks from two angles:

  1. Direct attacks from threat groups aiming to breach their networks
  2. Indirect attacks from groups targeting their end users

These attacks come in a variety of forms. According to Kaspersky Lab’s “Threat Intelligence Report for the Telecommunications Industry,” some of the most common attack vectors include:

  • Compromise of third-party organizations that have access to a provider’s systems
  • DDoS, including distributed reflection denial of service (DrDoS) that abuses standard network protocols (DNS, NTP and similar UDP services that answer small queries with large responses) and botnets built from compromised mobile and IoT devices
  • The exploitation of known and unknown vulnerabilities
  • Compromising customers using social engineering
  • Long-term espionage campaigns

Some of these attacks are indiscriminate and come from low-level criminals, but in many cases, telecom providers are targeted by highly sophisticated APT groups, which often have links to hostile nation-state governments. Insider attacks also present a source of risk.

Some of the most advanced threat groups known to target the telecommunications industry include:

  • The Regin platform, used primarily to steal sensitive data but also found inside a GSM network operator, where access to the base station controllers could serve as a springboard for further attacks
  • The Turla cyberespionage group, which has hijacked satellite internet links to hide the location of its command-and-control infrastructure
  • The Darkhotel APT, a cyberespionage group that has been observed hijacking network infrastructure (hotel Wi-Fi networks in its best-known campaigns) to deliver targeted attacks, often with collateral damage to other users of that infrastructure

In general, APT attacks against telecom providers aim at industrial espionage or at disrupting important communications channels. There are also documented cases of state-sponsored APT groups hijacking communications infrastructure not for its own sake but to intercept traffic and spy on the provider's customers, who are the real targets. And with such a high volume of sophisticated attacks coming in, it's only natural that telecom providers experience breaches from time to time.

According to Ponemon’s “2018 Cost of Data Breach Study,” telecom providers take on average 173 days to detect a data breach, and 58 days to contain it. Incredibly, these figures actually place telecommunications in the top four industries overall — behind financial services, energy, and research — for speed of identification and containment.

Those figures count only breaches that were eventually discovered, however. Because telecom providers are targeted by patient, well-resourced threat groups, there is a good chance that many successful intrusions into telecom infrastructure are never detected at all. In terms of impact, breaches cost telecom providers on average $128 per record compromised and lead to a 2.9% customer churn rate.

Threat Intelligence for the Telecommunications Industry

Securing a large, complex organization against cyberattacks is never an easy task. Not only do organizations have limited resources to work with, but it is not practically possible to protect every system, network, and device against every possible attack vector.

Nevertheless, security teams at telecom providers do everything possible to attain the unattainable. And in doing so, they are confronted with hundreds of thousands — or even millions — of threat alerts per day. Even for the most talented and well-provisioned security teams, this can easily become overwhelming.

This is precisely the problem that threat intelligence addresses. It helps security teams at telecom providers make better decisions about how and where to allocate their resources, and empowers security professionals to quickly identify and address the highest-risk security alerts.

Common use cases include the following:

1. Identifying Critical Vulnerabilities

Vulnerability management has traditionally been treated as a numbers game. The more you patch, the better you’re doing. But telecom providers don’t have this luxury. They need to quickly identify the specific vulnerabilities that are most likely to be exploited so they can be patched first.

Threat intelligence tells vulnerability management teams which vulnerabilities are being exploited in the wild or have been packaged into exploit kits, and which are being used against their industry. As a result, they can prioritize their time and resources based on actual risk (how likely a vulnerability is to be exploited and what it exposes) instead of working by numbers.
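The prioritization described above, as an added example that is not Recorded Future's code or scoring formula: scan findings carry a CVSS score plus two facts about the asset, a threat-intelligence feed adds exploitation evidence per CVE, and the two are combined into a patch order. The CVE identifiers, assets, intelligence flags and weights are all constructed placeholders; a real team would tune the weights and feed in its own scanner and intelligence data.

```python
"""Risk-based patch prioritization driven by threat intelligence.

Added example, not Recorded Future's own code or formula. The CVE
identifiers, scores, assets and intelligence flags below are constructed
placeholders for illustration; the weights are assumptions a team would tune.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    cve: str
    cvss: float            # base score reported by the scanner (0-10)
    asset: str
    internet_facing: bool  # reachable from outside the provider's network
    critical_asset: bool   # e.g. subscriber database, signalling gateway, billing


@dataclass
class Intel:
    """What the threat-intelligence feed says about one CVE."""
    exploited_in_wild: bool = False
    in_exploit_kit: bool = False
    poc_public: bool = False
    targets_telecom: bool = False  # reported in campaigns against telecom providers


def risk_score(finding: Finding, intel: Dict[str, Intel]) -> float:
    """Severity (CVSS) x likelihood (intel) x exposure x impact.

    A 9.8 nobody is exploiting on an internal box ranks below a 7.5 that is
    in an exploit kit on an internet-facing core system.
    """
    i = intel.get(finding.cve, Intel())
    likelihood = 1.0
    if i.exploited_in_wild:
        likelihood += 3.0
    if i.in_exploit_kit:
        likelihood += 2.0
    if i.poc_public:
        likelihood += 1.0
    if i.targets_telecom:
        likelihood += 1.5
    exposure = 2.0 if finding.internet_facing else 1.0
    impact = 2.0 if finding.critical_asset else 1.0
    return round(finding.cvss * likelihood * exposure * impact, 1)


def prioritize(findings: List[Finding], intel: Dict[str, Intel]) -> List[Finding]:
    """Patch order: highest risk first (ties broken by CVSS, then name)."""
    return sorted(findings,
                  key=lambda f: (risk_score(f, intel), f.cvss, f.cve),
                  reverse=True)


def cvss_order(findings: List[Finding]) -> List[str]:
    """The 'numbers game' order, by CVSS alone, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed scan results (placeholder CVE ids, not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "build-server-07", False, False),
    Finding("CVE-0000-0002", 7.5, "sbc-edge-01", True, True),
    Finding("CVE-0000-0003", 6.5, "portal-web-03", True, False),
    Finding("CVE-0000-0004", 9.0, "hss-core-02", False, True),
]

# Constructed intelligence: only three of the four CVEs have any reporting.
SAMPLE_INTEL = {
    "CVE-0000-0002": Intel(exploited_in_wild=True, in_exploit_kit=True),
    "CVE-0000-0003": Intel(poc_public=True),
    "CVE-0000-0004": Intel(targets_telecom=True),
}


if __name__ == "__main__":
    print("by CVSS only:", cvss_order(SAMPLE_FINDINGS))
    for f in prioritize(SAMPLE_FINDINGS, SAMPLE_INTEL):
        print(f"{risk_score(f, SAMPLE_INTEL):6.1f}  {f.cve}  {f.asset}")
```

On the constructed data the CVSS-only order starts with the 9.8 on an internal build server, while the intelligence-weighted order puts the 7.5 that is in an exploit kit on an internet-facing session border controller first and the 9.8 last, which is the difference between "patch the most" and "patch what is about to be used against you".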

2. Making Better Decisions

Security teams at telecom providers naturally tend to have more substantial budgets than those in less-targeted industries. At the same time, though, there is a lot that needs to be done to properly secure their complex environments and infrastructure.

Threat intelligence helps telecom security leaders make informed decisions about where and how to invest their resources for maximum effect. Even better, it enables them to make decisions based on what’s happening in the industry now, not what was happening last month or last year.

3. Moving Beyond Reactive Security

While organizations in some industries can rely primarily on standing controls like firewalls, EDR, and email filters, telecom providers have no such luxury. They have to constantly take proactive measures to identify and address areas of cyber risk that could be exploited by a determined attacker. This commonly involves techniques like internal threat hunting, advanced penetration testing, and red teaming.

But proactive security measures only work if they are properly directed. Real-time threat intelligence helps security teams understand the tactics, techniques, and procedures (TTPs) being used by threat groups right now, so they can focus their energy on the specific assets and systems most likely to be targeted, using the attack vectors most likely to be employed in a real-world attack.
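An intelligence-directed hunt of the kind described above, as an added example that is not Recorded Future's code: a feed of indicators, each tied to a behaviour (TTP), is matched against outbound connection logs, stale indicators are dropped, and hits on the hosts an attacker would most want as a springboard are ranked first. The feed format, the indicator values, the log lines and the list of critical hosts are all constructed for illustration.

```python
"""Intelligence-directed hunt over outbound connection logs.

Added example, not Recorded Future's own code. The indicator feed, its
fields and the log lines are constructed for illustration; in practice the
indicators would come from a threat-intelligence platform.
"""
import ipaddress
from datetime import date, timedelta
from typing import Dict, List

# Constructed indicator feed. 'ttp' is the behaviour the indicator is tied to.
INDICATORS = [
    {"type": "cidr", "value": "198.51.100.0/24", "confidence": 90,
     "last_seen": "2019-09-10", "ttp": "command and control"},
    {"type": "domain", "value": "update-check.example", "confidence": 70,
     "last_seen": "2019-09-01", "ttp": "payload staging"},
    {"type": "domain", "value": "old-c2.example", "confidence": 95,
     "last_seen": "2019-01-15", "ttp": "command and control"},  # stale
]

# Constructed outbound connection log: time, source host, destination, port.
LOG_LINES = """\
2019-09-11T08:02:13Z hss-core-02 198.51.100.23 443
2019-09-11T08:03:41Z wifi-guest-gw 203.0.113.9 80
2019-09-11T08:05:02Z build-server-07 cdn.update-check.example 443
2019-09-11T08:06:55Z noc-laptop-11 old-c2.example 8443
2019-09-11T08:07:10Z hss-core-02 203.0.113.77 53
""".strip().splitlines()

# Hosts whose compromise would give an attacker a springboard into the core
# network; weighting them up keeps the hunt focused on what matters most.
CRITICAL_HOSTS = {"hss-core-02", "sbc-edge-01"}

# The hunt's reference date (constructed to match the sample log).
TODAY = date(2019, 9, 11)


def indicator_matches(dest: str, ind: dict) -> bool:
    """Exact or subdomain match for domains, network containment for CIDRs."""
    if ind["type"] == "domain":
        return dest == ind["value"] or dest.endswith("." + ind["value"])
    if ind["type"] == "cidr":
        try:
            return ipaddress.ip_address(dest) in ipaddress.ip_network(ind["value"])
        except ValueError:  # destination is a hostname, not an IP address
            return False
    return False


def hunt(log_lines: List[str], indicators: List[dict], today: date,
         max_age_days: int = 90) -> List[Dict]:
    """Return hits ranked by indicator confidence, doubled for critical hosts.

    Indicators not seen for more than max_age_days are skipped: stale C2
    addresses get reassigned, and chasing them is how hunts drown in noise.
    """
    cutoff = today - timedelta(days=max_age_days)
    live = [i for i in indicators
            if date.fromisoformat(i["last_seen"]) >= cutoff]
    hits = []
    for line in log_lines:
        ts, host, dest, port = line.split()
        for ind in live:
            if indicator_matches(dest, ind):
                weight = 2 if host in CRITICAL_HOSTS else 1
                hits.append({"time": ts, "host": host, "dest": dest,
                             "port": int(port), "ttp": ind["ttp"],
                             "score": ind["confidence"] * weight})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for h in hunt(LOG_LINES, INDICATORS, TODAY):
        print(f"{h['score']:4d} {h['host']:16} -> {h['dest']}:{h['port']} ({h['ttp']})")
```

With the default 90-day window the connection to the long-unseen old-c2.example does not surface at all, while the connection from the subscriber database host into the C2 range ranks above the build server's contact with a staging subdomain; widening the window to a year brings the stale indicator back, which is exactly the trade-off between recall and analyst time that the feed's last-seen dates let you make deliberately.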

Putting the ‘Persistent’ in APT

As we’ve seen, telecom providers are an extremely enticing target for APT groups — particularly those with nation-state connections. Not only are they an obvious target for industrial espionage, but compromising a telecom network can also enable skilled attackers to conduct highly sophisticated cyber campaigns against secondary targets. And because telecom providers are such a tempting target, you can bank on APT groups to keep targeting them and keep developing new and increasingly sophisticated TTPs to do it.

Threat intelligence helps telecom providers defend against APT group attacks by helping them make better decisions about where and how to invest their security resources. It also drastically improves the efficacy of proactive security measures like internal hunting, and helps security teams identify the specific infrastructure and techniques they should focus the most attention on.

Learn More

If your organization isn’t currently using threat intelligence, here’s an easy way to get started. Sign up for our free Cyber Daily newsletter, and you’ll receive the top cybersecurity intelligence direct to your inbox each morning. That includes:

  • Top targeted industries
  • Most active threat actors
  • Most exploited vulnerabilities
  • Trending malware
  • The latest suspicious IPs
  • And much more

Subscribe today and use this intelligence to keep your organization — and your customers’ data — safe from cyber threats.