Tomas Kracmar 763da003d3 Initial commit: antifragile cybersecurity consulting blueprint
Complete repository of frameworks, playbooks, and assessment resources
for cybersecurity consultations focused on antifragile enterprise design.

Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
2026-05-09 16:53:22 +02:00


# Vertical Reference: Telecommunications
> *"A telco's network is its nervous system. Compromise it, and you do not just steal data—you control the medium through which a nation communicates."*
This document adapts the antifragile rapid modernisation approach for telecommunications providers—mobile network operators, fixed-line operators, internet service providers, and converged operators. These organizations manage national infrastructure, process massive volumes of subscriber data, and face adversaries ranging from criminal fraudsters to nation-state actors seeking communications intelligence.
---
## The Telecommunications Context
### What Makes Telco Different
| Factor | Enterprise Default | Telco Reality |
|--------|-------------------|---------------|
| Scale | Thousands of endpoints | Millions of subscribers, hundreds of thousands of network elements |
| Real-time requirement | Batch acceptable | Call setup, SMS, data sessions are real-time; latency matters |
| Regulatory driver | GDPR, industry standards | GDPR + NIS2 + telecom-specific security frameworks + national licensing conditions |
| Adversary motivation | Financial (ransomware, fraud) | Financial + espionage + surveillance + network disruption |
| Signaling exposure | Minimal | SS7, Diameter, GTP, SIP are exposed to hundreds of partner networks globally |
| Supply chain | Moderate | Extreme (equipment vendors from multiple geopolitical blocs, legacy switches, proprietary protocols) |
| Customer data depth | Personal data | Personal + location + communication patterns + device identity + lawful intercept capability |
### The Convergence Challenge
Telcos are converging previously separate networks:
- **Fixed and mobile** (FMC — Fixed Mobile Convergence)
- **IT and network** (cloud-native 5G core, NFV, SDN)
- **Consumer and enterprise** (unified platforms, shared infrastructure)
- **Communications and content** (streaming, advertising, IoT platforms)
Every convergence multiplies the attack surface and blurs accountability.
---
## Regulatory Landscape
### EU NIS2 Directive (Directive (EU) 2022/2555)
Providers of public electronic communications networks and services are an Annex I sector under NIS2; medium-sized and large providers are classified as **essential entities**, the category with the strictest obligations and proactive supervision. National transposition law sets the detail and may add licensing conditions on top.
| NIS2 Requirement | Telco Application |
|-----------------|------------------|
| Risk management measures | Network-wide kill chain analysis; signaling security assessment |
| Supply chain security | Equipment vendor risk (especially high-risk vendors); firmware provenance |
| Incident reporting (early warning within 24h, notification within 72h, final report within one month) | Detection pipeline with pre-agreed severity criteria and a reporting path to the national CSIRT or competent authority (which informs ENISA); signaling and core network incidents need their own criteria |
| Business continuity | Network resilience testing; disaster recovery for core network functions |
| Cryptography | Encryption for signaling, management, and subscriber data |
| MFA | Hardware tokens for all core network and network management access |
| Vulnerability handling | Rapid patching of network elements with service continuity planning |
### Telecom-Specific Security Frameworks
| Framework | Scope |
|-----------|-------|
| **ETSI EN 303 645** | Cybersecurity baseline for consumer IoT devices (relevant for telco IoT offerings) |
| **GSMA FS.07 / FS.11 / FS.19 / FS.20** | Interconnect signaling security: SS7 and SIGTRAN network security (FS.07), SS7 interconnect monitoring and firewall guidelines (FS.11), Diameter interconnect security (FS.19), GTP security (FS.20) |
| **GSMA FS.38** | Fraud and security framework for mobile operators |
| **GSMA NESAS** | Network Equipment Security Assurance Scheme: vendor development-process audit plus product evaluation against 3GPP SCAS test specifications for 5G equipment |
| **3GPP SA3** | Security architecture and procedures for mobile systems (TS 33.501 for 5G) |
### National Telecom Security Frameworks
Many EU member states have additional national requirements:
- **Germany**: Telekommunikationsgesetz (TKG) security obligations and the Sicherheitskatalog (catalogue of security requirements) issued by the Bundesnetzagentur together with the BSI
- **UK**: Telecommunications (Security) Act 2021, the Electronic Communications (Security Measures) Regulations 2022 and the Telecommunications Security Code of Practice
- **France**: ANSSI requirements for opérateurs d'importance vitale (OIV) and the operator security obligations in the Code des postes et des communications électroniques
---
## The Antifragile Posture for Telecommunications
### Pillar 1: Structural Decoupling — Network Segmentation
**Principle**: The core network must be structurally isolated from internet-facing services, enterprise IT, and third-party APIs.
**Antifragile Moves**:
| Layer | Isolation Requirement |
|-------|----------------------|
| **Core network** | Signaling (MME, AMF, HSS/UDM, PCRF/PCF) on dedicated network; no direct internet access |
| **Radio access network (RAN)** | gNodeB / eNodeB management plane separated from user plane; no direct core access from RAN management |
| **Customer-facing services** | BSS (billing, CRM), OSS (operations), customer portals in DMZ with strict core access controls |
| **Enterprise services** | MPLS, SD-WAN, dedicated APNs on isolated infrastructure segments |
| **IoT platforms** | Dedicated network slice or APN; no direct subscriber data access without API gateway |
| **Interconnect** | SS7, Diameter, SIP, GTP signaling firewalls at every partner boundary |
### Pillar 2: Optionality Preservation — Vendor and Protocol Independence
**Principle**: Telcos depend on a small number of equipment vendors for core network functions. This concentration is a strategic vulnerability.
**Antifragile Moves**:
- **Multi-vendor RAN**: Open RAN architectures reduce dependency on single radio vendors
- **Cloud-native core portability**: 5G core deployed on container platforms portable across cloud providers
- **Protocol abstraction**: API gateways abstract subscriber-facing services from core network protocols
- **Vendor exit architecture**: Technical ability to replace core network vendor within defined timeframe
- **Firmware diversity**: Avoid identical firmware versions across all instances of a network element
### Pillar 3: Stress-to-Signal Conversion — Fraud and Attack Intelligence
**Principle**: Telcos process billions of transactions. Every fraud attempt, signaling anomaly, and attack probe is intelligence that should improve defences.
**Antifragile Moves**:
- **Real-time fraud detection**: Local AI models on call detail records, signaling data, and subscriber behaviour
- **Signaling anomaly detection**: SS7/Diameter/GTP firewalls with behavioural analysis
- **SIM swap detection**: Correlate SIM changes with account access, device fingerprint, and location
- **Wangiri / IRSF detection**: Identify missed-call fraud and international revenue share fraud patterns
- **Fraud-to-structure pipeline**: Every confirmed fraud case produces control improvement
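Worked detection logic for the Wangiri and IRSF bullets above, as an added example (not code from this repository): the CDR layout, thresholds and high-cost prefixes are constructed for illustration and would be replaced by the operator's own CDR schema and IRSF number-range feed. Each finding carries the control it should feed back into, which is the fraud-to-structure pipeline in its smallest form.

```python
"""Wangiri and IRSF detection over call detail records (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cdr:
    direction: str   # "MT": terminates on our subscriber; "MO": originated by our subscriber
    a_number: str    # calling party, E.164
    b_number: str    # called party, E.164
    start_min: int   # call start, minutes since an arbitrary epoch (constructed unit)
    duration_s: int  # answered duration in seconds, 0 if unanswered


# Constructed high-cost ranges; a real deployment uses a maintained IRSF feed.
HIGH_COST_PREFIXES = ("+881", "+882", "+2526")
WANGIRI_MIN_VICTIMS = 20   # distinct subscribers rung by one A-number ...
WANGIRI_WINDOW_MIN = 10    # ... within this many minutes ...
WANGIRI_MAX_RING_S = 5     # ... each unanswered or dropped within this many seconds
IRSF_MAX_MINUTES = 60      # high-cost minutes one subscriber may generate ...
IRSF_WINDOW_MIN = 120      # ... within this many minutes


def detect_wangiri(cdrs: list[Cdr]) -> list[dict]:
    """One foreign A-number briefly ringing many subscribers is missed-call bait."""
    by_caller: dict[str, list[Cdr]] = defaultdict(list)
    for c in cdrs:
        if c.direction == "MT" and c.duration_s <= WANGIRI_MAX_RING_S:
            by_caller[c.a_number].append(c)
    findings = []
    for caller, calls in by_caller.items():
        calls.sort(key=lambda c: c.start_min)
        j = 0  # left edge of the sliding window
        for i, c in enumerate(calls):
            while c.start_min - calls[j].start_min > WANGIRI_WINDOW_MIN:
                j += 1
            victims = {x.b_number for x in calls[j:i + 1]}
            if len(victims) >= WANGIRI_MIN_VICTIMS:
                findings.append({"type": "wangiri", "a_number": caller, "victims": len(victims),
                                 "control": f"block return calls to {caller}; add to interconnect blocklist"})
                break
    return findings


def detect_irsf(cdrs: list[Cdr]) -> list[dict]:
    """A burst of outbound minutes from one subscriber to high-cost ranges."""
    by_sub: dict[str, list[Cdr]] = defaultdict(list)
    for c in cdrs:
        if c.direction == "MO" and c.b_number.startswith(HIGH_COST_PREFIXES):
            by_sub[c.a_number].append(c)
    findings = []
    for sub, calls in by_sub.items():
        calls.sort(key=lambda c: c.start_min)
        j, minutes = 0, 0.0
        for c in calls:
            minutes += c.duration_s / 60
            while c.start_min - calls[j].start_min > IRSF_WINDOW_MIN:
                minutes -= calls[j].duration_s / 60   # drop calls that left the window
                j += 1
            if minutes > IRSF_MAX_MINUTES:
                findings.append({"type": "irsf", "subscriber": sub, "minutes": round(minutes, 1),
                                 "control": f"bar premium international for {sub}; check for SIM box or PBX compromise"})
                break
    return findings


def sample_cdrs() -> list[Cdr]:
    """Constructed CDRs: one Wangiri burst, one IRSF burst, one benign subscriber."""
    cdrs = [Cdr("MT", "+25261000001", f"+4917000{i:05d}", i // 3, 0) for i in range(25)]
    cdrs += [Cdr("MO", "+491700000099", f"+8816300000{i}", 100 + 10 * i, 600) for i in range(8)]
    cdrs += [Cdr("MO", "+491700000098", f"+8816300000{i}", 100 + 10 * i, 600) for i in range(3)]
    cdrs += [Cdr("MT", "+33612345678", "+491700000042", 50, 180),
             Cdr("MO", "+491700000042", "+33612345678", 55, 240)]
    return cdrs


if __name__ == "__main__":
    for finding in detect_wangiri(sample_cdrs()) + detect_irsf(sample_cdrs()):
        print(finding)
```

The sliding windows keep both detectors linear in the number of records per caller, which matters when the input is a day of CDRs rather than a sample; the subscriber with three premium calls stays under the threshold and is not flagged, which is the false-positive tuning the Phase 3 plan refers to.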
### Pillar 4: Sovereign Intelligence — Subscriber Data Never Leaves
**Principle**: Subscriber data (location, communication patterns, device identity, web browsing) is among the most sensitive data a state or criminal actor can access.
**Antifragile Moves**:
- **Local AI for network optimization**: Traffic prediction, energy saving, capacity planning on local infrastructure
- **Closed-loop fraud models**: Train on proprietary CDR and signaling data without cloud exfiltration
- **On-premise lawful intercept management**: Strict control over intercept capabilities; no third-party access
- **Data minimization for analytics**: Aggregate where possible; pseudonymize where individual analysis required
**The executive framing**:
> *"Your subscribers' location history, communication patterns, and digital behaviour are a map of your society. Sending that data to a cloud AI for 'network optimization' is not a technology partnership. It is an intelligence transfer. Local models. Local hardware. Local accountability."*
### Pillar 5: Asymmetric Payoff — Resilience at Scale
**Principle**: Telco failures affect millions instantly. Small investments in redundancy and rapid recovery yield massive reductions in societal and financial impact.
**Antifragile Moves**:
- **Distributed core architecture**: 5G core functions geographically distributed; failure of one data centre does not disable a region
- **Automated failover**: RAN controllers (BSC/RNC where 2G/3G remain), DNS, and authentication functions (HSS/UDM, AUSF) with sub-minute failover
- **Synthetic monitoring**: Continuous health checks from subscriber perspective (call setup, data throughput, SMS delivery)
- **Chaos engineering on non-real-time systems**: Test resilience of billing, provisioning, and analytics without impacting calls
---
## Signaling Security
### SS7 and SIGTRAN
SS7 is the legacy signaling protocol connecting mobile networks globally. It was designed without security and remains vulnerable:
| Vulnerability | Risk | Control |
|--------------|------|---------|
| Location tracking | Subscriber location exposed to any SS7 peer | SS7 firewall with location query filtering; home routing for SMS |
| Call/SMS interception | Forwarding rules modified remotely | SS7 firewall with message screening; MAP operation filtering |
| Fraud (CLID spoofing) | Caller ID manipulated for fraud | SS7 firewall with consistency checks; whitelist trusted partners |
| Denial of service | Flood of signaling messages | Rate limiting; anomaly detection; SS7 firewall with DDoS mitigation |
**Action**: Deploy SS7 firewalls at the STP / interconnect boundary and screen MAP operations by the GSMA FS.11 categories: Category 1 operations that are intra-PLMN and must never arrive from interconnect, Category 2 operations that are acceptable only from the network the subscriber is currently roaming in, and Category 3 operations (location updates, authentication requests) that need velocity and plausibility checks. Monitor for anomalous signaling patterns and feed confirmed abuse back into the ruleset.
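An added illustration of FS.11-style MAP screening (example code, not the repository's or any vendor's): the operation codes are the standard 3GPP TS 29.002 values, while the category assignments, the travel-time table, the partner flags and the sample traffic are constructed for the example and would come from the operator's own roaming agreements and traffic analysis.

```python
"""Interconnect screening of MAP operations by FS.11-style category (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# MAP operation codes from 3GPP TS 29.002 (the subset used here).
UPDATE_LOCATION = 2
INSERT_SUBSCRIBER_DATA = 7
SEND_ROUTING_INFO_FOR_SM = 45
SEND_IDENTIFICATION = 55
SEND_AUTHENTICATION_INFO = 56
SEND_IMSI = 58
PROVIDE_SUBSCRIBER_INFO = 70
ANY_TIME_INTERROGATION = 71

# Constructed category assignments; tune them to your own traffic baseline.
CAT1_NEVER_FROM_INTERCONNECT = {ANY_TIME_INTERROGATION, SEND_IMSI, SEND_IDENTIFICATION}
CAT2_ONLY_FROM_SERVING_NETWORK = {PROVIDE_SUBSCRIBER_INFO, INSERT_SUBSCRIBER_DATA}
CAT3_PLAUSIBILITY_CHECK = {UPDATE_LOCATION, SEND_AUTHENTICATION_INFO}

# Minimum plausible travel time in hours between country pairs (constructed table).
MIN_TRAVEL_HOURS = {frozenset({"DE", "FR"}): 1.0, frozenset({"FR", "NG"}): 6.0}
DEFAULT_MIN_TRAVEL_HOURS = 3.0


@dataclass
class MapMessage:
    opcode: int
    imsi: str
    sender_country: str             # derived from the SCCP calling party global title
    sender_is_roaming_partner: bool  # contracted partner per the interconnect matrix
    ts_hours: float                 # arrival time in hours (constructed unit)


@dataclass
class SubscriberState:
    serving_country: str   # where the HLR last accepted a location update from
    last_update_ts: float


def screen(msg: MapMessage, state: dict[str, SubscriberState]) -> tuple[str, str]:
    """Return (action, reason); actions are DROP, FLAG, HOME_ROUTE or ALLOW."""
    if msg.opcode in CAT1_NEVER_FROM_INTERCONNECT:
        return "DROP", "cat1: intra-PLMN operation received from interconnect"
    if not msg.sender_is_roaming_partner:
        return "DROP", "sender is not a contracted roaming partner"
    sub = state.get(msg.imsi)
    if msg.opcode in CAT2_ONLY_FROM_SERVING_NETWORK:
        if sub is None or sub.serving_country != msg.sender_country:
            return "DROP", "cat2: subscriber is not roaming in the sending network"
        return "ALLOW", "cat2: sender is the current serving network"
    if msg.opcode == SEND_ROUTING_INFO_FOR_SM:
        # Never reveal the real IMSI and serving MSC; the SMS home router answers instead.
        return "HOME_ROUTE", "SRI-SM answered by SMS home router"
    if msg.opcode in CAT3_PLAUSIBILITY_CHECK:
        if sub is not None and sub.serving_country != msg.sender_country:
            pair = frozenset({sub.serving_country, msg.sender_country})
            needed = MIN_TRAVEL_HOURS.get(pair, DEFAULT_MIN_TRAVEL_HOURS)
            elapsed = msg.ts_hours - sub.last_update_ts
            if elapsed < needed:
                return "FLAG", f"cat3: {sub.serving_country}->{msg.sender_country} in {elapsed:.1f}h (min {needed:.1f}h)"
        if msg.opcode == UPDATE_LOCATION:   # plausible: record the new serving network
            state[msg.imsi] = SubscriberState(msg.sender_country, msg.ts_hours)
        return "ALLOW", "cat3: plausible"
    return "ALLOW", "unclassified operation, logged"


def demo() -> list[str]:
    """Constructed interconnect traffic against one home subscriber roaming in France."""
    imsi = "262011234567890"
    state = {imsi: SubscriberState(serving_country="FR", last_update_ts=100.0)}
    traffic = [
        MapMessage(ANY_TIME_INTERROGATION, imsi, "NG", True, 100.5),    # location probe
        MapMessage(PROVIDE_SUBSCRIBER_INFO, imsi, "NG", True, 100.5),   # not the serving network
        MapMessage(PROVIDE_SUBSCRIBER_INFO, imsi, "FR", True, 100.5),   # serving network, legitimate
        MapMessage(SEND_ROUTING_INFO_FOR_SM, imsi, "NG", True, 100.6),  # MT-SMS routing lookup
        MapMessage(UPDATE_LOCATION, imsi, "NG", True, 101.0),           # France to Nigeria in one hour
        MapMessage(UPDATE_LOCATION, imsi, "NG", True, 110.0),           # ten hours later, plausible
        MapMessage(PROVIDE_SUBSCRIBER_INFO, imsi, "NG", True, 111.0),   # now the serving network
        MapMessage(PROVIDE_SUBSCRIBER_INFO, imsi, "FR", False, 112.0),  # sender is not a partner
    ]
    return [screen(m, state)[0] for m in traffic]


if __name__ == "__main__":
    print(demo())
```

The order of checks is deliberate: Category 1 is rejected before the partner check so that a contracted partner cannot send intra-PLMN operations either, and a flagged Category 3 update does not change the subscriber's recorded location, so a single implausible update cannot poison the next velocity check.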
### Diameter and GTP
Diameter replaced MAP on the LTE roaming and policy interfaces (S6a, S9), and GTP (GPRS Tunnelling Protocol) has carried the packet core's control and user plane on roaming interconnects since 2G/3G. Both are exposed to partner networks and have their own weaknesses:
| Vulnerability | Risk | Control |
|--------------|------|---------|
| Diameter impersonation | Fake HSS/PCRF responses | Diameter edge agent with mutual authentication |
| GTP tunnel hijacking | Subscriber session takeover | GTP firewall; tunnel endpoint validation |
| Interconnect bypass | Roaming fraud via fake partner | Roaming hub validation; partner security assessment |
### SIP Security (VoLTE/VoNR / IMS)
The IP Multimedia Subsystem (IMS) enables voice over LTE/5G using SIP.
- **SIP firewall**: Filter malformed messages, prevent enumeration, block unauthorized registration
- **Toll fraud prevention**: Restrict international calling routes; detect anomalous call patterns
- **SPIT prevention**: Voice spam detection and filtering
---
## 5G Security Specifics
### 5G Core (5GC) Architecture
5G introduces a cloud-native, service-based architecture (SBA) with new security considerations:
| Element | Security Consideration |
|---------|----------------------|
| **AMF (Access and Mobility Management Function)** | Authentication gateway; compromise enables subscriber impersonation |
| **SMF (Session Management Function)** | Controls data sessions; compromise enables traffic redirection |
| **UPF (User Plane Function)** | Data forwarding; must be distributed and physically secured |
| **AUSF (Authentication Server Function)** | Runs 5G-AKA and EAP-AKA' for the home network and depends on the ARPF for key material; compromise undermines subscriber authentication |
| **UDM (Unified Data Management)** | Subscriber database; the co-located ARPF holds the long-term subscriber keys (K) and the SIDF holds the home network private key that de-conceals SUCI, both belong in an HSM; encryption at rest and strict access control |
| **PCF (Policy Control Function)** | QoS and charging policies; integrity critical for revenue assurance |
| **NRF (NF Repository Function)** | Service discovery; compromise enables man-in-the-middle between network functions |
**Security controls**:
- **TLS** on every service-based interface (SBI), mutually authenticated; 3GPP TS 33.501 requires TLS within the PLMN unless the traffic is protected by other means, and TLS 1.3 should be the target profile
- **OAuth 2.0** access tokens issued by the NRF for NF-to-NF service authorization; the producer must check signature, audience (its own NF type), scope (the requested service) and expiry on every request
- **SEPP (Security Edge Protection Proxy)** at the N32 roaming boundary, so inter-PLMN signaling is authenticated and filtered rather than a raw SBI exposure
- **Network slice isolation**: Strict separation between enterprise, consumer, and IoT slices
- **Edge security**: MEC (Multi-Access Edge Computing) nodes are physically distributed, often in shared sites, and harder to secure; treat them as untrusted locations hosting trusted functions
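An added example (not the project's code and not any vendor's NRF) of the NF-to-NF authorization step in the shape of 3GPP TS 29.510 access tokens (claims iss, sub, aud, scope, exp): a minimal NRF token issuer with a consumer allow-list, and the producer-side check that rejects a replayed, forged, out-of-scope or expired token. The HS256 shared secret, the NF identifiers and the allow-list are constructed; a real NRF signs with its own key pair and takes the allowed consumer NF types from the producer's NF profile.

```python
"""NRF-issued access tokens and producer-side verification on the 5G SBI (added example)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Which consumer NF types may use which service of which producer (constructed policy).
ALLOWED_CONSUMERS = {
    ("UDM", "nudm-sdm"): {"AMF", "SMF"},
    ("UDM", "nudm-uecm"): {"AMF"},
    ("AUSF", "nausf-auth"): {"AMF"},
}


class TokenError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def jwt_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{_b64url(_sign(signing_input, key))}"


def nrf_issue_token(key: bytes, nrf_id: str, consumer_id: str, consumer_type: str,
                    producer_type: str, scope: str, now: int, ttl: int = 3600) -> str:
    """NRF side: refuse before signing if policy does not allow this consumer."""
    for service in scope.split():
        if consumer_type not in ALLOWED_CONSUMERS.get((producer_type, service), set()):
            raise TokenError(f"{consumer_type} may not request {service} from {producer_type}")
    claims = {"iss": nrf_id, "sub": consumer_id, "aud": producer_type, "scope": scope, "exp": now + ttl}
    return jwt_hs256(claims, key)


def producer_verify(token: str, key: bytes, my_nf_type: str, requested_service: str, now: int) -> dict:
    """Producer side: signature, audience, scope, expiry; any failure rejects the request."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    if not hmac.compare_digest(_sign(f"{header}.{body}", key), _b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != my_nf_type:
        raise TokenError("audience mismatch")
    if requested_service not in claims.get("scope", "").split():
        raise TokenError("scope missing")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    return claims


def demo() -> dict[str, str]:
    """Constructed scenarios; returns the outcome of each as 'ok' or the rejection reason."""
    key, now = b"constructed-nrf-secret", 1_700_000_000

    def attempt(fn) -> str:
        try:
            fn()
            return "ok"
        except TokenError as err:
            return str(err)

    amf_token = nrf_issue_token(key, "nrf-1", "amf-1", "AMF", "UDM", "nudm-sdm nudm-uecm", now)
    forged = jwt_hs256({"iss": "nrf-1", "sub": "nef-1", "aud": "UDM", "scope": "nudm-sdm",
                        "exp": now + 600}, b"not-the-nrf-key")
    return {
        "amf_to_udm": attempt(lambda: producer_verify(amf_token, key, "UDM", "nudm-sdm", now)),
        "nef_asks_nrf": attempt(lambda: nrf_issue_token(key, "nrf-1", "nef-1", "NEF", "UDM", "nudm-sdm", now)),
        "replayed_at_ausf": attempt(lambda: producer_verify(amf_token, key, "AUSF", "nausf-auth", now)),
        "wrong_scope": attempt(lambda: producer_verify(amf_token, key, "UDM", "nudm-ee", now)),
        "forged": attempt(lambda: producer_verify(forged, key, "UDM", "nudm-sdm", now)),
        "expired": attempt(lambda: producer_verify(amf_token, key, "UDM", "nudm-sdm", now + 7200)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The audience check is what stops a token minted for UDM from being replayed against AUSF, and the scope check is what stops an NF that legitimately holds a token for one service from calling another; a compromised NF that only checks the signature gains nothing from either.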
### Network Slicing
Network slicing creates logical separation on shared physical infrastructure.
- **Slice isolation is logical, not physical**: A hypervisor compromise can bridge slices
- **Action**: Micro-segmentation between slices; independent encryption keys per slice
- **Action**: Slice-specific monitoring and anomaly detection
- **Action**: Independent security policies per slice (enterprise slice stricter than consumer)
---
## The Rapid Modernisation Plan: Telco Variant
### Phase 1: Hygiene (Days 0-30)
In addition to standard hygiene:
| Action | Owner | Deliverable |
|--------|-------|-------------|
| Inventory all network elements: RAN, core, transport, OSS, BSS | Network Engineering | Network asset inventory with vendor and firmware versions |
| Map all signaling interconnects: SS7, Diameter, GTP, SIP | Network Security | Interconnect matrix with partner security assessment |
| Audit roaming partner access and security posture | Roaming / Security | Partner risk register |
| Inventory subscriber data flows and storage locations | Data Protection / Security | Data flow map with residency verification |
| Identify all network management interfaces with internet exposure | Network Security | Exposure list with remediation plan |
### Phase 2: Control (Days 30-60)
| Action | Owner | Deliverable |
|--------|-------|-------------|
| Deploy signaling firewalls (SS7, Diameter, GTP, SIP) | Network Security | Firewall ruleset with anomaly detection |
| Implement network slice security policies | 5G Core Team | Slice isolation validation report |
| Harden network management: dedicated NOC access, MFA, session recording | Operations / Security | NOC access control operational |
| Encrypt management traffic across all network layers | Network Engineering | Encryption coverage report |
| Patch critical network elements with service continuity planning | Network Engineering | Patch schedule with rollback procedures |
### Phase 3: Sovereignty (Days 60-90)
| Action | Owner | Deliverable |
|--------|-------|-------------|
| Deploy local AI for fraud detection and network anomaly detection | AI / Security | Fraud detection pilot with false positive tuning |
| Validate core network disaster recovery and failover | Operations | Failover test report with recovery times |
| Conduct signaling security tabletop exercise | Security / Network | Exercise report with structural improvements |
| Implement firmware integrity monitoring for network elements | Network Security | Baseline hashes for critical firmware |
| Test lawful intercept process security and audit | Legal / Security | LI audit report |
### Phase 4: Antifragility (Days 90-180)
| Action | Owner | Deliverable |
|--------|-------|-------------|
| Red team exercise including signaling and core network reconnaissance | Security | Red team report with kill chain |
| Chaos engineering on OSS/BSS systems | Resilience | Experiment findings |
| Vendor exit architecture for critical network platforms | Procurement / Engineering | 90-day transition plan per critical vendor |
| Cross-training: NOC staff on manual procedures | Operations | Training completion metrics |
| Participate in sector ISAC and GSMA intelligence sharing | Security | Threat intelligence integration report |
---
## Subscriber Data and Privacy
Telcos hold massive PII datasets with unique sensitivity:
| Data Type | Sensitivity | Control |
|-----------|------------|---------|
| **Location data** | Extreme: real-time and historical location | Strict access control; pseudonymization for analytics; retain only as legally required |
| **Call detail records (CDR)** | High: communication patterns | Encryption at rest; audit all access; data minimization |
| **Internet browsing (DNS, DPI)** | High: digital behavior | Aggregate where possible; DPI for security only with legal review |
| **Device identity (IMEI, IMSI)** | Moderate: device tracking | Secure storage; restrict access to fraud and network operations |
| **Lawful intercept data** | Extreme: legal and ethical | Strict chain of custody; independent audit; minimal retention |
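The pseudonymization the table calls for is easy to get wrong, so here is an added example (not code from the repository) of the difference between an unkeyed hash and a keyed, period-rotated pseudonym. The IMSI, the master key and the MSIN search range are constructed; the point is that once the MCC/MNC is known the remaining MSIN space is small enough to enumerate, so SHA-256 of an IMSI is reversible while HMAC under a secret key is not.

```python
"""Keyed versus unkeyed pseudonymization of IMSIs (added example)."""
import hashlib
import hmac
from typing import Optional

HOME_PLMN = "26201"  # constructed MCC+MNC; an attacker knows it from the dataset's context


def naive_pseudonym(imsi: str) -> str:
    """What many analytics pipelines do: SHA-256 of the identifier, no key."""
    return hashlib.sha256(imsi.encode()).hexdigest()


def recover_naive(digest: str, plmn: str, msin_upper: int) -> Optional[str]:
    """Enumerate the MSIN; the full 10-digit space is ~10^10 hashes, minutes on one GPU."""
    for msin in range(msin_upper):
        candidate = f"{plmn}{msin:010d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def period_key(master_key: bytes, period: str) -> bytes:
    """Derive a per-period key so pseudonyms cannot be linked across periods."""
    return hmac.new(master_key, period.encode(), hashlib.sha256).digest()


def keyed_pseudonym(imsi: str, master_key: bytes, period: str) -> str:
    """HMAC-SHA256 under the period key; recovery needs the key, enumeration is useless."""
    return hmac.new(period_key(master_key, period), imsi.encode(), hashlib.sha256).hexdigest()[:32]


def demo() -> dict:
    """Constructed IMSI and key; searches only the first 200,000 MSINs to keep it quick."""
    imsi = "262010000123456"
    master = b"constructed-master-key-kept-in-an-hsm"
    return {
        "naive_recovered": recover_naive(naive_pseudonym(imsi), HOME_PLMN, 200_000),
        "keyed_stable_within_period": keyed_pseudonym(imsi, master, "2025-Q1")
        == keyed_pseudonym(imsi, master, "2025-Q1"),
        "keyed_rotates_across_periods": keyed_pseudonym(imsi, master, "2025-Q1")
        != keyed_pseudonym(imsi, master, "2025-Q2"),
    }


if __name__ == "__main__":
    print(demo())
```

Keep the master key out of the analytics environment entirely: pseudonymize at the export boundary, rotate the period with the retention schedule, and treat the key like subscriber data itself, because whoever holds it can re-identify every record.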
**GDPR implications**:
- Subscriber data processing must have clear legal basis
- Data retention periods must be justified and enforced
- Subject access requests must be fulfillable across all systems
- Data breach notification: 72 hours to the supervisory authority under GDPR Art. 33; as a provider of electronic communications services, also the 24-hour personal data breach notification to the national authority under Commission Regulation (EU) No 611/2013 (ePrivacy)
---
## M365 in Telecommunications
Corporate telco functions use M365 but must be separated from network operations.
| Consideration | Telco Requirement |
|--------------|------------------|
| **Data residency** | Subscriber data must remain in national/EU boundaries; verify M365 tenant location |
| **Conditional access** | Block admin access from non-corporate devices; geo-restrict privileged accounts |
| **Guest access** | Strictly vet all guests; prohibit in tenant with network engineering data |
| **Teams / SharePoint** | Never used for network topology, subscriber data, or security incident details |
| **Mobile device management** | Sales and field engineer devices Intune-managed; restricted app installation |
| **Email security** | EOP baseline; Defender for Office 365 P2 strongly recommended due to phishing targeting |
See [M365 E3 Hardening](../playbooks/m365-e3-hardening.md) for tactical hardening, and apply these overlays.
---
## Evidence Package for Regulators
| Requirement | Evidence from Antifragile Program |
|------------|----------------------------------|
| NIS2 risk management | Kill chain analysis, T0 asset classification, signaling security assessment |
| NIS2 incident handling | IR runbooks, signaling-specific response procedures, quarterly drill reports |
| NIS2 business continuity | Core network failover test reports, disaster recovery validation |
| NIS2 supply chain security | Vendor risk register (especially high-risk vendors), firmware provenance |
| NIS2 encryption | Encryption coverage for signaling, management, and subscriber data |
| NIS2 vulnerability handling | Vulnerability scan reports with network-impact prioritization |
| Telecom licensing | Lawful intercept audit, subscriber data protection evidence, network resilience metrics |
---
*Previous: [Vertical: Power and Utilities](vertical-power-utilities.md)*
*Next: [Vertical: Banking](vertical-banking.md)*