Beyond COVID-19 in Threat Intelligence
More than a year in this global pandemic, more needs to be done about Threat Intelligence
It is the summer of 2021, more than a year into dealing with the global pandemic cause by COVID-19 has past, and we are starting to see “the light at the end of tunnel”, as more people are getting vaccinated and country restrictions are being lifted. A breath of fresh air is given to countries as tourism will become possible due to the joint efforts of the EEA community to achieve the standard of a “COVID-19 Passport”. However, even though we are getting back to some sort of “past normality” or simply adapting to a “new normality”, the eagerness of achieving such feature has been the catalyst of new threats, reinstating the importance of Threat Intelligence features in our infrastructures. As people are becoming to be “mobile” again, mobile networks and operators have to be ready to take a proactive stance as to deal with such issues. With that in mind, how can Threat Intelligence help to this end?
Previously, we have talked about how COVID-19 and Threat Intelligence (TI) have brought new cybersecurity challenges, such as using the pandemic as an exposing factor, having individuals falling into these “traps” without the usual protection from the secure infrastructures of their work environments, making both enterprises and operators adapting their security flow [1][2].
Now, as various studies have shown the increase in productivity in the “work from home” or “remote work” situation and the shift in preference from the workforce itself to those scenarios and adding to the fact that the population is getting vaccinated making countries easing restrictions, the mobile environment will experience a resurgence in traffic and with that, the current threats that are still exploiting weak or unsecured infrastructure.
Added to that, we have to consider two new potential threat topics: Vaccination and the COVID Vaccine Passport. Cybercriminals will use these as the new attack verticals given the eagerness of the society to get back to some sort of normality but also the “disinformation” surrounding it. As it was before, Threat Intelligence will have a major role as to prevent these new verticals to have a major outreach and mitigate possible network infrastructure compromises.
What is Threat Intelligence?
Threat Intelligence is collecting and analysing information about indicators of past, current, and future cyber threats, which enables organisations to take action to protect their assets, networks, and the entire organisation. At the Secure 5G4IoT Lab (a collaboration between Oslo Metropolitan University – OsloMet, Telenor, and Wolffia), we are developing unique technology to collect and analyse large amount of data to deliver relevant cyber threat insights in real time. We aggregate this rich intelligence with any other threat data feeds, internal or external, to bring about proactive defence against any emergent threats.
The work needed in Mobile TI
Still, some work needs be done as to broaden the range of attacks that can be detected and documented in a mobile network, namely having resources to catalog Flooding and Zero-Day Attacks. This is due to the diversity and number of devices that can be connected to a mobile network, especially as we’re now witnessing the deployment of 5G networks, IoT devices are also part of this aggregation, and they are used for daily-life situations more frequently, but suffer in secure mechanisms, making them easy to be exploitable.
- Flooding Attack: An attack that focuses on generating an excessive amount of traffic leading to over consumption of the networks’ resources.
- Zero-Day Attack: An attack on a software/hardware vulnerability and exploit that an attacker as become aware, but the developer/manufacturer has yet to address/mitigate it.
Why is this important?
Still to this day, we still experience issues such as these:
- Wangiri: A fraudulent scam in which you receive a “one ring” call from a foreign number in hopes that the target calls back and charge it extra as it turns out to be a premium number – this practice is still very common [3] and a lot of (elderly) people is still susceptible to this practice.
- Flubot [4]: An attack in which a target may receive a text message with a link from a supposable “trustworthy” entity when in fact it is another to obtain one’s personal information.
And now, giving these new threat topics, cyber attackers may adapt their approach and impersonate healthcare centers/institutions with the premise of booking a vaccination appointment or to check one’s vaccination status. But beyond that, we also must “expect the unexpected”, as new threats are always surfacing and adaptations have to made when considering a mobile operator’s security workflow, as the timespan or the lifetime of an attack is now a deciding factor.
Threat Intelligence in Mobile will accommodate the documentation and registry of exploits and attack patterns such as these and others that are unique to this environment. With this information, other operators around the world can be aware of these behaviours and simply stop them to be further deployed. At CONCORDIA, we are currently working on designing a framework and establish a set of guidelines in while mobile operators can share more easily and in a more accessible way so that mitigation actions can be taken as soon as possible and limit these cybercrime activities, from the way to single out specific phone numbers used for robocalling, to fully document all the phases associate to attacks that can happen in the network.
Conclusion
If COVID-19 gave us an overall paradigm shift in the way enterprises, operators and service providers have to deal with security as they are no longer confined to their environment, the “new normality” will still bring us security challenges that we’re yet to address fully on mobile networks. Threat Intelligence will become a more robust tool that will accommodate on larger scale the spectrum of attacks that this specific environment faces, given the multitude of devices that use the infrastructure on the daily and goes to show the importance and the need of continuous research, development and adoption, in which CONCORDIA hopes to be a major contributor to that end.
- [1] COVID-19, Telecommuting and Threat Intelligence, CONCORDIA Blog, 2020 – https://www.concordia-h2020.eu/blog-post/covid-19-telecommuting-and-threat-intelligence/
- [2] Threat Intelligence and Operation Resilience, CONCORDIA Blog, 2020 – https://www.concordia-h2020.eu/blog-post/threat-intelligence-and-operation-resilience/
- [3] Norwegians hit by a wave of fraud, Telenor (My News Desk), Published 19 January 2021 – https://www.mynewsdesk.com/uk/telenor/pressreleases/norwegians-hit-by-a-wave-of-fraud-200-dot-000-calls-from-north-korea-3065401
- [4] Threat actors use mockups of popular apps to spread teabot and flubot malware on Android, Bitdefender, Published 1 June 2021 – https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/
We are a dedicated consortium of more than 50 partners (whose purpose is to lead the boosting Europe’s cybersecurity future. If you are interested in cybersecurity, make sure that you follow us on our communication channels because we will lead its future.
- Website: https://www.concordia-h2020.eu
- Email: contact@concordia-h2020.eu
- Twitter: https://twitter.com/concordiah2020
- LinkedIn: https://www.linkedin.com/in/concordia-h2020/
- Facebook: https://www.facebook.com/concordia.eu/
(By Prof. Dr. Thanh van Do, TELENOR Research, Norway)