Bhadra Framework
Bhadra Threat Modeling Framework
Authors
Authors and/or Contributors |
---|
Siddharth Prakash Rao |
Silke Holtmanns |
Tuomas Aura |
Attacks from UE
"Attacks from UE" refers to any technique that involves the attacks launched by the software or hardware components of the user equipment to send malicious traffic into the mobile network.
Internal MISP references
UUID 859055d9-08fe-4a05-ad2a-5846fce601d8
which can be used as unique global reference for Attacks from UE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0001 |
kill_chain | ['bhadra-framework:Initial Access'] |
SIM-based attacks
The "SIM-based attacks" are the techniques that involve any physical smart cards, namely SIM from 2G, USIM from 3G, and UICC from 4G networks.
Internal MISP references
UUID 33ec6366-66e6-4502-8ee7-0b8d1c1f9c28
which can be used as unique global reference for SIM-based attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0002 |
kill_chain | ['bhadra-framework:Initial Access'] |
Attacks from radio access network
The "attacks from radio access network" are the techniques where an adversary with radio capabilities impersonates the mobile network to the UE (or vice versa) and becomes a man-in-the-middle.
Internal MISP references
UUID 0451a939-e997-401d-8fc1-bb224982eb81
which can be used as unique global reference for Attacks from radio access network
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0003 |
kill_chain | ['bhadra-framework:Initial Access'] |
Attacks from other mobile network
The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception, and human insiders with access to network nodes.
Internal MISP references
UUID 214ae387-da5f-4c97-8f89-0628e666e6aa
which can be used as unique global reference for Attacks from other mobile network
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0004 |
kill_chain | ['bhadra-framework:Initial Access'] |
Attacks with access to transport network
The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception, and human insiders with access to network nodes.
Internal MISP references
UUID 3a53c6ec-76d5-4f5e-9ba6-7f5d8905369c
which can be used as unique global reference for Attacks with access to transport network
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0005 |
kill_chain | ['bhadra-framework:Initial Access'] |
Attacks from IP-based network
The "attacks from IP-based network" techniques are mostly launched from the service and application network, which allows non-operator entities to infuse malicious traffic into an operator’s network.
Internal MISP references
UUID 4d68356b-9824-4bbf-bf99-54a64bccd0af
which can be used as unique global reference for Attacks from IP-based network
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0006 |
kill_chain | ['bhadra-framework:Initial Access'] |
Insider attacks and human errors
The "insider attacks and human errors" technique involves the intentional attacks and unintentional mistakes from human insiders with access to any component of the mobile communication ecosystem.
Internal MISP references
UUID 26cc4a99-339b-4145-8ecd-fdb74adbe5ff
which can be used as unique global reference for Insider attacks and human errors
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0007 |
kill_chain | ['bhadra-framework:Initial Access'] |
Infecting UE hardware or software
Retaining the foothold gained on the target system through the initial access by infecting UE hardware or software.
Internal MISP references
UUID 076f66c9-7822-4bac-9b1c-b4df52628d93
which can be used as unique global reference for Infecting UE hardware or software
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0008 |
kill_chain | ['bhadra-framework:Persistence'] |
Infecting SIM cards
Retaining the foothold gained on the target system through the initial access by infecting SIM cards.
Internal MISP references
UUID 0c8c17de-0c46-42bc-9355-c9e615d42513
which can be used as unique global reference for Infecting SIM cards
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0009 |
kill_chain | ['bhadra-framework:Persistence'] |
Spoofed radio network
Retaining the foothold gained on the target system through the initial access by radio network spoofing.
Internal MISP references
UUID 7a50a393-fc4a-4eae-b706-202b02aebc64
which can be used as unique global reference for Spoofed radio network
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0010 |
kill_chain | ['bhadra-framework:Persistence'] |
Infecting network nodes
Retaining the foothold gained on the target system through the initial access by infecting network nodes.
Internal MISP references
UUID 57b4cb23-5ef6-483d-911b-07d416566c4c
which can be used as unique global reference for Infecting network nodes
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0011 |
kill_chain | ['bhadra-framework:Persistence'] |
Covert channels
Retaining the foothold gained on the target system through the initial access via covert channels.
Internal MISP references
UUID aede9e30-6186-45c3-aab6-819b9dd0ee3d
which can be used as unique global reference for Covert channels
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0012 |
kill_chain | ['bhadra-framework:Persistence'] |
Port scanning or sweeping
"Port scanning or sweeping" techniques to probe servers or hosts with open ports.
Internal MISP references
UUID 3db4bdba-4640-41d6-bd3e-de5ecb30c0a2
which can be used as unique global reference for Port scanning or sweeping
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0013 |
kill_chain | ['bhadra-framework:Discovery'] |
Perimeter mapping
"perimeter mapping" techniques such as command-line utilities (e.g., nmap and whois), web-based lookup tools and official APIs provided by the Internet registrars that assign the ASNs using a wide range of publicly available sources.
Internal MISP references
UUID 91d150e3-c7a9-40d2-96a7-1a536f93cd82
which can be used as unique global reference for Perimeter mapping
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0014 |
kill_chain | ['bhadra-framework:Discovery'] |
Threat intelligence gathering
"Threat intelligence gathering" using dedicated search engines (such as Censys, Shodan) to gather information about vulnerable devices or networks, or using advanced search options of traditional search engines.
Internal MISP references
UUID 4a8ec69a-36e1-4fb2-a908-c2313b70f226
which can be used as unique global reference for Threat intelligence gathering
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0015 |
kill_chain | ['bhadra-framework:Discovery'] |
CN-specific scanning
"CN-specific scanning", used to scan nodes that are interconnected with protocols specific to the mobile communication domain (GTP, SCTP).
Internal MISP references
UUID 07603ccb-e810-495d-89d0-aeecedae880d
which can be used as unique global reference for CN-specific scanning
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0016 |
kill_chain | ['bhadra-framework:Discovery'] |
Internal resource search
"Internal resource search" refers to an insider with access to provider internal databases abusing the information as a discovery tactic.
Internal MISP references
UUID 82ae55dd-1123-488e-a9c5-64c333452446
which can be used as unique global reference for Internal resource search
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0017 |
kill_chain | ['bhadra-framework:Discovery'] |
UE knocking
"UE knocking" refers to the technique that scans User Equipment, similarly to how IP endpoints and core network nodes are scanned or mapped.
Internal MISP references
UUID 7b38b259-e765-4c4c-85da-ff56c574a641
which can be used as unique global reference for UE knocking
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0018 |
kill_chain | ['bhadra-framework:Discovery'] |
Exploit roaming agreements
"Exploit roaming agreements" is a technique exploited by evil mobile operators. Despite communication with operators is dependent on a roaming agreement being in place, an attacker that has gained a foothold with one operator, it can abuse the roaming agreements in place for lateral movement with all adjacent operators with agreements in place.
Internal MISP references
UUID 3b690fdc-f385-4cfa-a360-a26b4cbf3b00
which can be used as unique global reference for Exploit roaming agreements
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0019 |
kill_chain | ['bhadra-framework:Lateral Movement'] |
Abusing interworking functionalities
"Abusing Inter-working functionalities" is a technique for adversaries to move between networks of different generations laterally
Internal MISP references
UUID cab3ece7-2e7b-416a-b779-62cf91a888e3
which can be used as unique global reference for Abusing interworking functionalities
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0020 |
kill_chain | ['bhadra-framework:Lateral Movement'] |
Exploit platform & service-specific vulnerabilities
Once an attacker has gained a foothold in an operator, it can conduct privilege escalation and process injection for gaining administrative rights, password cracking of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.
Internal MISP references
UUID c1db9100-549c-4801-8be4-18817789afe4
which can be used as unique global reference for Exploit platform & service-specific vulnerabilities
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0021 |
kill_chain | ['bhadra-framework:Lateral Movement'] |
SS7-based-attacks
Attacks abusing the SS7 protocol.
Internal MISP references
UUID 0d7a4177-5550-4954-9dae-ff2206a9f458
which can be used as unique global reference for SS7-based-attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0022 |
kill_chain | ['bhadra-framework:Standard Protocol Misuse'] |
Diameter-based attacks
Attacks abusing the Diameter protocol.
Internal MISP references
UUID 3ceb439f-ceb0-479e-af04-fcc4202cde83
which can be used as unique global reference for Diameter-based attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0023 |
kill_chain | ['bhadra-framework:Standard Protocol Misuse'] |
GTP-based attacks
Attacks abusing the GTP protocol.
Internal MISP references
UUID 080d4c95-8a02-455b-8a77-6fda59bda347
which can be used as unique global reference for GTP-based attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0024 |
kill_chain | ['bhadra-framework:Standard Protocol Misuse'] |
DNS-based attacks
DNS-based attacks.
Internal MISP references
UUID a747a969-36a8-4c7d-bdd1-bdb4cd1d84ac
which can be used as unique global reference for DNS-based attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0025 |
kill_chain | ['bhadra-framework:Standard Protocol Misuse'] |
Pre-AKA attacks
Attack techniques that take place during the unencrypted communication that occurs prior to the AKA protocol.
Internal MISP references
UUID cf58df7a-b02d-45b5-b947-03b5dab5dc7d
which can be used as unique global reference for Pre-AKA attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0026 |
kill_chain | ['bhadra-framework:Standard Protocol Misuse'] |
Security audit camouflage
The operating systems, software, and services used on the network nodes are prone to security vulnerabilities and installation of unwanted malware. Although operators conduct routine security audits to track and patch the vulnerabilities or remove the malware from the infected nodes, their effectiveness is not known to the public. Any means by which an adversary can remain undetected from such audits are referred to as the security audit camouflage technique.
Internal MISP references
UUID 61295e27-1797-45b1-8459-864f8dbad2f7
which can be used as unique global reference for Security audit camouflage
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0027 |
kill_chain | ['bhadra-framework:Defense Evasion'] |
Blacklist evasion
Mobile operators employ several defenses in terms of securing their network traffic. For instance, operators maintain a whitelist of IPs and GTs of nodes from their own infrastructure and their partner operators (as agreed in IR 21), and traffic from only these nodes is processed. Similarly, a blacklist is also maintained to control spam due to configuration errors and malicious traffic. Anything from the blacklist is banned from entering the operator’s network. Such defense mechanisms may defend against unsolicited traffic from external networks (e.g., from the public Internet and SAN), but they barely serve their purpose in the case of attacks from inter-operator communications. Since most of the communication protocols are unauthenticated in nature, an attacker with knowledge of identifiers of the allowed nodes (i.e., gained during the discovery phase) can impersonate their identity. We call it the blacklist evasion technique.
Internal MISP references
UUID 48388815-3a22-406e-beeb-68d5429d6f0d
which can be used as unique global reference for Blacklist evasion
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0028 |
kill_chain | ['bhadra-framework:Defense Evasion'] |
Middlebox misconfiguration exploits
NAT middleboxes, used for separating private networks of mobile operators from the public Internet, work as the second line of defense. However, studies have shown that the middleboxes deployed by operators are prone to misconfigurations that allow adversaries to infiltrate malicious traffic into mobile networks, e.g., by spoofing the IP headers. Some of the other NAT vulnerabilities lie in IPv4-to-IPv6 address mapping logic, which can be exploited by adversaries to exhaust the resources, wipe out the mapping, or to assist with blacklist evasion. Adversaries use such middlebox misconfiguration exploit techniques to launch denial-of-service or over-billing attacks.
Internal MISP references
UUID 619cd33a-6b2f-4999-95e5-a051a139ae37
which can be used as unique global reference for Middlebox misconfiguration exploits
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0029 |
kill_chain | ['bhadra-framework:Defense Evasion'] |
Bypass Firewall
Adversaries (e.g., evil operators) can for example exploit the implicit trust between roaming partners as a bypass firewall technique.
Internal MISP references
UUID 691dbd3c-cceb-4bf8-b9a3-bf7eb6282145
which can be used as unique global reference for Bypass Firewall
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0030 |
kill_chain | ['bhadra-framework:Defense Evasion'] |
Bypass homerouting
SMS home routing is a defense mechanism, where an additional SMS router intervenes in external location queries for SMS deliveries, and the roaming network takes the responsibility of delivering the SMS without providing location information to the external entity. Although many operators have implemented SMS home routing solutions, there are no silver bullets. If the SMS routers are incorrectly configured, adversaries can hide SMS delivery location queries within other messages so that the SMS home router fails to process them. We refer to it as the bypass home routing technique.
Internal MISP references
UUID 50018fa5-0dd5-40f9-949a-2942f286aef6
which can be used as unique global reference for Bypass homerouting
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0031 |
kill_chain | ['bhadra-framework:Defense Evasion'] |
Downgrading
Attacks on the radio access networks are well-studied, and newer generations are designed to address the weaknesses in previous generations. Usage of weak cryptographic primitives, lack of integrity protection of the radio channels, and one-sided authentication (only from the network) remain problems mostly of GSM-only radio communication. So, radio link attackers use downgrading as an attack technique to block service over newer generations and agree to serve only in the GSM radio network. The downgrading technique works similarly in the core network, where the adversary agrees to serve only in SS7-based signaling instead of Diameter-based signaling. Using interworking functions for inter-generation communication translation could make the downgrading attacks much easier.
Internal MISP references
UUID c3dbbd41-0292-4c1a-be2a-0550427f9e19
which can be used as unique global reference for Downgrading
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0032 |
kill_chain | ['bhadra-framework:Defense Evasion'] |
Redirection
Redirection technique is a variant of the downgrading technique, where an adversary forcefully routes the traffic through networks or components that are under its control. By redirecting traffic to an unsafe network, the adversary can intercept mobile communication (e.g., calls and SMS) on the RAN part. Redirection attacks on the core network result in not only communication interception, but also in billing discrepancies, as an adversary can route the calls of a mobile user from its home network through a foreign network on a higher call rate.
Internal MISP references
UUID 2a33a0c5-5cdc-4735-861e-2f847340e393
which can be used as unique global reference for Redirection
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0033 |
kill_chain | ['bhadra-framework:Defense Evasion'] |
UE Protection evasion
Protection on the UE is mainly available in the form of antivirus apps as a defense against viruses and malware that steals sensitive information (e.g., banking credentials and user passwords) or tracks user activities. Simple visual cues on UE (such as notifications) could also be a protection mechanism by themselves. Unfortunately, mobile network-based attacks cannot be detected or defended effectively from UE’s side by traditional antivirus apps, and such attacks do not trigger any visual signs. Although there are attempts for defending against radio link attacks, including citywide studies to detect IMSI catchers, their effectiveness is still under debate. Similarly, there are recent attempts to detect signaling attacks using distance bounding protocol run from a UE. However, such solutions are still in the research phase, and their effectiveness on a large scale is still untested. To this end, the absence of robust detection and defense mechanisms on the UE is, in fact, an evasion mechanism for an adversary. We refer to them as UE protection evasion techniques.
Internal MISP references
UUID b22ac4f7-66d6-425e-a0a4-9c399d258056
which can be used as unique global reference for UE Protection evasion
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0034 |
kill_chain | ['bhadra-framework:Defense Evasion'] |
Admin credentials
Stealing legitimate admin credentials for critical nodes is beneficial for the adversary to increase its chances of persistence to the target or masquerade its activities.
Internal MISP references
UUID 05d14025-b326-4772-827c-c054af6dbc56
which can be used as unique global reference for Admin credentials
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0035 |
kill_chain | ['bhadra-framework:Collection'] |
User-specific identifiers
User-specific identifiers such as IMSI and IMEI are an indicator of who owns a UE with a specific subscription and where a UE is located physically. Since mobile users always keep their mobile phones physically near them, an adversary with the knowledge of these permanent identifiers will be able to determine whether or not a user is in a specific location. On the other hand, temporary identifiers (e.g., TMSI and GUTI) are used to reduce the usage of permanent identifiers like IMSI over radio channels. Although the temporary identifiers are supposed to change frequently and are expected to live for a short period, research has shown that it is not the case.
Internal MISP references
UUID def80301-2b64-477d-a7d4-a75b455b8803
which can be used as unique global reference for User-specific identifiers
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0036 |
kill_chain | ['bhadra-framework:Collection'] |
User-specific data
Adversaries can collect several types of user-specific data, such as the content of SMS and calls, location dumps from base stations, call and billing records, and browsing-related data (such as DNS queries and unencrypted browsing sessions).
Internal MISP references
UUID bc6b5be2-5fe9-47d9-88a0-6351add40396
which can be used as unique global reference for User-specific data
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0037 |
kill_chain | ['bhadra-framework:Collection'] |
Network-specific identifiers
Adversaries aim to collect network-specific identifiers such as GTs and IPs of critical nodes and Tunnel Endpoint Identifiers (TEIDs) of GTP tunnels from operators’ networks.
Internal MISP references
UUID 78a19125-c8c8-42f5-9196-b19cf0e8f4e6
which can be used as unique global reference for Network-specific identifiers
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0038 |
kill_chain | ['bhadra-framework:Collection'] |
Network-specific data
Adversaries may also be interested in network-specific data that are obtained mainly during the execution of discovery tactics. Such data includes, e.g., the network topology, the trust relationship between different nodes, routing metadata, and sensitive documents.
Internal MISP references
UUID 3918796d-343c-454f-8375-18a99708c987
which can be used as unique global reference for Network-specific data
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0039 |
kill_chain | ['bhadra-framework:Collection'] |
Location tracking
Attacker is able to track the location of the target end-user.
Internal MISP references
UUID e6503faf-cccc-48a8-84dd-9e839a273396
which can be used as unique global reference for Location tracking
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0040 |
kill_chain | ['bhadra-framework:Impact'] |
Calls eavesdropping
Attacker is able to eavesdrop on calls.
Internal MISP references
UUID 4ce359fb-91d4-4129-a3f9-5a19566a3f33
which can be used as unique global reference for Calls eavesdropping
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0041 |
kill_chain | ['bhadra-framework:Impact'] |
SMS interception
Attacker is able to intercept SMS messages.
Internal MISP references
UUID d75f062b-c6c0-4152-a9ac-d65511675648
which can be used as unique global reference for SMS interception
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0042 |
kill_chain | ['bhadra-framework:Impact'] |
Data interception
Attacker is able to intercept or modify internet traffic.
Internal MISP references
UUID a9bb7cf3-5cc8-45e2-a4df-e45b2bfc73d4
which can be used as unique global reference for Data interception
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0043 |
kill_chain | ['bhadra-framework:Impact'] |
Billing frauds
Billing frauds refer to various types of attacks where an adversary causes financial discrepancies for operators.
Internal MISP references
UUID 872363fc-427d-410a-a016-a1a91fb3b5d2
which can be used as unique global reference for Billing frauds
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0044 |
kill_chain | ['bhadra-framework:Impact'] |
DoS - network
The attacker can create signaling havoc in specific nodes of operators by repeatedly triggering resource allocation or revocation requests.
Internal MISP references
UUID 3498fc4b-d9d1-4481-ad30-f3fe3f3f70fa
which can be used as unique global reference for DoS - network
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0045 |
kill_chain | ['bhadra-framework:Impact'] |
DoS - user
The attacker can cause denial of service to mobile users.
Internal MISP references
UUID 94aa2097-ef18-4060-933f-b17b775fcaa5
which can be used as unique global reference for DoS - user
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0046 |
kill_chain | ['bhadra-framework:Impact'] |
Identity-related attacks
Identity-based attacks involve attack techniques using user- and network-specific identifiers. Identity-based attacks cause harm to the privacy of mobile users and produce fraudulent traffic that incurs a financial loss to operators. In most cases, identity-based attacks are used in impersonation, where an adversary impersonates a legitimate mobile user to the core network without possessing appropriate credentials, for example, to avail free mobile services. Most of the signaling attacks that use SS7 also fall into this category. In other cases, identity-based attacks involve identity mapping, where the adversaries map temporary identifiers (e.g., TMSI and GUTI) to permanent identifiers (e.g., IMSI or MSISDN). In rare cases, the IMSI can further be mapped to social media identities.
Internal MISP references
UUID 800d26bb-844d-4730-ba8a-c19469017d8f
which can be used as unique global reference for Identity-related attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
external_id | T0047 |
kill_chain | ['bhadra-framework:Impact'] |