It’s 3 a.m. Do You Know What Your Network Is Doing?
A Counterintelligence Use Case to Monitor Your Network
There is growing concern among network operators and governments about how networks today are being used for structured intellectual property theft, surgical and mass scale espionage, and blatant violations of sanctions and export controls. Network operators are concerned about the privacy of their networks and their subscribers. Governments are concerned about the security of confidential data that is crossing networks around the world and the potential exploitation of that infrastructure to gain unauthorized access to that data.
As a result, there is an increasing need for a multi-vendor approach in core networks. Now more than ever, operators require the ability to “watch the watchers” and operate within the standards of international law to give governments confidence in the security of their networks.
What Has Happened?
Though concerns regarding some infrastructure vendors have been brewing for some time, a sequence of events in the latter part of 2018 quickly changed the playing field. A growing number of countries began to enact policies with specific vendors in mind in a move to ensure the security of data within telecommunication networks. This trend began in the US, with New Zealand, Australia, UK, India, Japan, Taiwan, France, and Germany following suit.
Structured intellectual property theft has been around for a long time; all vendors and operators in the industry know about this. For operators, it was perhaps not a large concern; it brought serious competition to the legacy infrastructure vendors in the market, and thus lowered the prices, which was a boon for the operators.
Espionage, on the other hand, was never really seen as a major issue by network operators; in their eyes, this was an area of concern for governments, which bore the responsibility for national, or even international, security. There were times when operators were incentivized to engage with the issue directly, but for the most part, their “best effort” seemed adequate, and the seductive pricing from new vendors was more attractive than these small regulatory nuisances. Many network operators built dedicated networks as part of government contracts. However, the economics of building today's networks do not allow this, which is why network slicing is such a huge issue in 5G networks.
Recently, a much more politically charged violation has arisen that has directly impacted infrastructure vendors. Some vendors have been accused of circumventing sanctions that have been imposed on a number of countries (e.g., Iran, North Korea, Syria, and Cuba) by the international community. These countries are under export controls for good reasons, and reasons that subscribers care about, so there is significant reputational risk for the operators to select or maintain business relationships with the vendors in question. Network operators don’t want to be seen doing business with vendors who are supporting oppressive regimes, human rights violations, etc.
All of these issues, combined with significantly increased pressure from the national security arms of various world governments, are now coming to bear in a very tangible way with regards to network vendor selection. The larger the group of countries concerned about these issues, the harder it is for other countries to explain why they aren’t following suit. With the massive investment required to build new networks, it’s difficult (not to mention costly) to make a purchasing decision today only to have to immediately reverse that decision.
How Can Sandvine Help?
Sandvine has been an independent player in fixed, mobile, cable, and satellite packet cores since 2001. Our corporate history is an international story, with roots in Sweden, Canada, and the US; we have no political ties to any specific government. Our technology is exceedingly relevant in the discussion around national security. For 18 years, we’ve been the clear leader in network intelligence. There is simply no other vendor in the market that can provide a more comprehensive picture of the traffic flowing through networks worldwide.
New Requirement: Network Counterintelligence
Knowing how networks operate, we can speculate with some confidence about how espionage would happen in the packet core today. Let’s assume that it’s simple for a vendor to hide hard-coded instructions in the software to receive command and control (C&C) instructions from somewhere on the internet to spy on the data traffic for all, or some, specific individuals. This is most easily done in a gateway, where the specific individuals are known (by name, phone number, etc.), and all their data plane traffic is flowing, such as the GGSN/P-GW in a 3G/4G network, or a CMTS in a cable network. Since these devices are by their very nature both addressable and available on the common internet, it’s hard to argue that this C&C traffic is firewalled or blocked, or that it has to be directed to private management networks.
The other necessary mechanism is output. For espionage to be useful, data needs to be sent from the operator’s network – potentially vast amounts of data (depending on the use case). “Luckily” for the perpetrator, these devices would already be sending terabytes of data per hour to the internet, so hiding some other data in there masquerading as “normal” internet traffic is not hard.
Technically speaking, armed with the phone number of a targeted individual, a command could then be sent to these gateways, and the perpetrator would easily be able to stream the individual’s traffic back, tunneled, encrypted, or masqueraded to avoid detection; even the effort of subterfuge is unnecessary in this case. Very few operators would be looking to see these very minor anomalies even if it was in the clear.
If this kind of vendor espionage is happening, would we know about it? Unless you’ve deployed a use case to catch this specific type of traffic, and have the right tools to do so, there is just no way of identifying it – it’s not going to stand out from any other type of traffic.
Is this espionage truly happening? The short answer is, there’s no way to know right now. We doubt that the current body of evidence, if there is any, will ever be clearly presented to the world. What we do know is that it’s time to start actively working against this. The question needs to be answered, and Sandvine has the technology that can help operators identify and stop these activities.
Sandvine's Counterintelligence Use Case
Sandvine provides telco-grade, scalable products for both the control plane and data plane. To counteract incidents of espionage, we would do two distinct things:
a. Identify and subsequently block the C&C traffic coming from the internet (or from subscribers) that is injecting espionage commands into the infrastructure vendor’s components. To identify such traffic, we would be looking for packets and flows from suspicious hosts and suspicious applications that trigger a new behavior in the infrastructure components. This traffic does not necessarily need to be addressed to and from the components themselves, because the C&C commands would flow “through” these components.
b. Sandvine would use a combination of methods to find this outbound espionage data. Not all traffic generated by the gateway itself would be related to espionage; it could be vendor call-home data for monitoring purposes, licensing information, etc. Such traffic would be accounted for explicitly, so that it does not generate false positives. The main technique would be comparing the traffic on the subscriber (south) side of the gateway, call it A, with the traffic on the internet (north) side of the gateway, call it B. Any traffic present in B that is not present in A would be highly suspicious. Correlating traffic at the application, flow, and subscriber levels is where Sandvine’s Active Network Intelligence really shines.
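The south-versus-north comparison in (b) can be illustrated with a small differential flow check. The script below is an added example written for this post, not Sandvine code or a description of how its products implement the comparison. It assumes flow records from both vantage points are already keyed on the same addresses (in a real deployment the records would first be mapped back to subscriber identity, reversing any NAT the gateway performs), and all IP addresses, ports and byte counts are constructed sample values. It flags two things: flows that appear north of the gateway with no south-side counterpart and that are not on the allowlist of expected gateway-originated traffic (call-home, licensing), and flows present on both sides whose north-side byte count is noticeably larger than the south-side count, which would suggest data being added in transit.

```python
"""Differential flow comparison across a gateway (added example, constructed data).

South side (A): flows as seen between subscribers and the gateway.
North side (B): flows as seen between the gateway and the internet.
Anything in B that has no origin in A is suspect, unless it is expected
gateway-originated traffic such as vendor call-home or licensing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int  # bytes carried from src toward dst during the observation window


# Expected gateway-originated destinations (constructed placeholder values):
# e.g. the vendor's monitoring / licensing server, documented by the operator.
ALLOWLIST = {("203.0.113.10", 443)}


def flow_key(f: Flow):
    """Identity of a flow for matching across the two vantage points."""
    return (f.src_ip, f.dst_ip, f.dst_port, f.proto)


def compare_sides(south, north, allowlist=ALLOWLIST, slack=0.05):
    """Return (unmatched, inflated).

    unmatched: north-side flows with no south-side counterpart that are not allowlisted.
    inflated:  (south_flow, north_flow) pairs where the north-side byte count exceeds the
               south-side count by more than `slack`; `slack` absorbs header differences
               between the two capture points (e.g. tunnel encapsulation on one side).
    """
    south_by_key = {flow_key(f): f for f in south}
    unmatched, inflated = [], []
    for f in north:
        s = south_by_key.get(flow_key(f))
        if s is None:
            if (f.dst_ip, f.dst_port) not in allowlist:
                unmatched.append(f)
        elif f.bytes_out > s.bytes_out * (1 + slack):
            inflated.append((s, f))
    return unmatched, inflated


# Constructed sample records; 10.0.0.0/8 stands for subscribers, 192.0.2.1 for the gateway.
SOUTH = [
    Flow("10.0.0.5", "198.51.100.7", 443, "tcp", 12000),
    Flow("10.0.0.6", "198.51.100.9", 80, "tcp", 4000),
    Flow("10.0.0.7", "198.51.100.20", 53, "udp", 300),
]
NORTH = [
    Flow("10.0.0.5", "198.51.100.7", 443, "tcp", 12000),    # matches south exactly
    Flow("10.0.0.6", "198.51.100.9", 80, "tcp", 9000),      # far more bytes than seen south
    Flow("10.0.0.7", "198.51.100.20", 53, "udp", 300),      # matches south exactly
    Flow("192.0.2.1", "203.0.113.10", 443, "tcp", 2000),    # gateway call-home, allowlisted
    Flow("192.0.2.1", "203.0.113.99", 8443, "tcp", 500000), # gateway-originated, unexplained
]


def example_findings():
    """Run the comparison over the constructed sample and return the findings."""
    return compare_sides(SOUTH, NORTH)


if __name__ == "__main__":
    unmatched, inflated = example_findings()
    for f in unmatched:
        print(f"UNMATCHED north-only flow: {f.src_ip} -> {f.dst_ip}:{f.dst_port}/{f.proto} {f.bytes_out} B")
    for s, n in inflated:
        print(f"INFLATED flow {s.src_ip} -> {s.dst_ip}:{s.dst_port}: south {s.bytes_out} B, north {n.bytes_out} B")
```

On the constructed sample the script reports one unmatched flow (the gateway talking to an address that is not on the allowlist) and one inflated flow (a subscriber's HTTP session carrying far more bytes on the internet side than it did on the subscriber side). The allowlist is the practical part: it has to be maintained from the vendor's documented call-home and licensing endpoints, otherwise every legitimate gateway-originated connection becomes a false positive.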
Sandvine can help provide peace of mind about what is happening in your network. We can deliver in our traditional role of identifying how your network is delivering service to your subscribers, and also confirm that your network is secure from outside influences. If you are interested in exploring this as a way to protect your network infrastructure, please feel free to reach out and let us know.