The 5G Opportunity – from the Cyber Criminal’s Perspective
The transition to 5G is almost too good to be true for cyber criminals. It offers vastly expanded opportunities for hacking and mayhem and they hardly have to lift a finger to take advantage of it.
First, consider the security implications of 5G. As I discussed in my last blog, the transition to 5GC and multi-access edge compute (MEC) will be characterized by an increasingly complex landscape of multi-generational technologies and fragmented security functions. Mobile operators won’t switch to 5GC overnight; they’ll continue to operate legacy 3G/4G infrastructure for years to come, just as they’ll need to support IPv4 traffic long after they’ve completed their own internal IPv6 conversion. The more different, overlapping technologies you have to manage, maintain, and integrate, the more likely it is for gaps and lapses to leave openings for hackers.
Meanwhile, the move to MEC will also mean shifting from hardened centralized data centers to hundreds or thousands of much smaller nodes at the network edge, each needing its own set of firewalls, DDoS detection/mitigation, ADC, CGN, traffic steering, load balancing, and so on. That’s a lot to squeeze into a 5G cell site with limited space and power, and it’s a lot of devices to replicate and manage across the distributed infrastructure.
Put simply: the attack surface of the modern mobile operator is the stuff hacker dreams are made of.
It Doesn’t Take a Genius
While mobile operators are investing billions of dollars in next-generation technologies and network professionals are ramping up on new skill sets, hackers already have everything they need to make the most of the 5G era. The black market offers an ample supply of automation tools and cloud services that can make any run-of-the-mill crook as lethal as a criminal mastermind. Exploding numbers of connected devices offer ready recruits for botnet armies and malware drops. The latest 5G smartphones promise streaming up to 100 Mbps and can receive downloads as fast as 10 Gbps, and they’re malware magnets as they roam across unknown WiFi and third-party app stores. The 23 billion IoT devices expected by 2025 will be far from uniform in their adherence to GSMA guidelines, password hygiene, and other security best practices.
As hackers use high-speed 5G networks to launch their attacks, they’ll also be able to exploit known vulnerabilities in 3G and 4G protocols such as GTP that still linger in the multi-generational operator environment.
The Dangers of DDoS
Regular readers of A10 Networks’ State of DDoS Weapons reports are all too familiar with the growing size, frequency, and sophistication of these lethal attacks. In the most recent report, we tracked 10 million devices that have been compromised and can be used as DDoS weapons. The number of attacks tripled in 2020, due in large part to the successful recruitment of IoT devices, and the incidents were concerning at both ends of the scale: some for their very large size and others for their small size.
On one end of the spectrum, we saw a 2.3 Tbps attack against AWS in June 2020, a scale that even one of the world’s largest technology companies would be challenged to handle. On the other end, three-quarters of 2020 attacks were under 5 Gbps. Small-scale DDoS attacks can be especially problematic because they’re small enough to fly under the operator’s radar but are still capable of devastating an enterprise. And it might not be an option for the operator to simply shut down the affected node. What if that same node also served critical services for other downstream customers, such as applications for telemedicine, smart mobility, or public security?
Refactoring Security for 5G
Given the reshaped landscape of the 5G era, and the rising size and frequency of DDoS attacks, service providers have to rethink their approach to protection. In the past, some sought to simply “outrun” the attack—over-provisioning the network elements that might be impacted, like DNS infrastructure, SGW, or PGW, or installing large DDoS mitigation appliances, in hopes of absorbing the traffic. However, with attacks surging beyond 2 Tbps, even a heavily equipped centralized data center would strain to keep up, and a MEC node wouldn’t stand a chance against an attack even as small as 12 Gbps. Instead, you need to take a strategic approach to detection and mitigation.
The first thing to understand is that not all DDoS attacks pose the same dangers or challenges. A full 80 percent of the 10 million DDoS weapons tracked by A10 use the same five protocols, making them relatively easy to detect and mitigate. Many of these are high-volume, high-impact attacks that are technically simple and can be defended with measures such as anomaly filtering, blackholing, rate limiting, and IP blocking by destination. The same can be said of the lowest-volume attacks.
The real challenge comes with attacks in the middle of the volume scale, where attacks are neither exceptionally large nor small, but tend to be more technically complex, multi-vector attacks using less common protocols. Here, more sophisticated techniques are called for, including pattern recognition, zero-day automation, and more complex multi-stage mitigation rules. Operators need to be able to quickly determine which traffic is malicious and which is legitimate and respond just as fast. Because these attacks often target individual subscribers, not just the network as a whole, mitigation must be applied with a scalpel, not a sledgehammer. Operators have to be able to separate out the traffic going to that subscriber for mitigation, drop the bad traffic entirely, and allow other good traffic to pass unimpeded.
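As an added illustration of the tiered approach described in the two paragraphs above (this is example code written for this page, not code from A10 Networks or the original post), the following Python script triages per-flow traffic records by destination and then decides mitigation per subscriber rather than per node. The thresholds, the protocol set standing in for the "same five protocols" the page mentions, the subscriber baselines and the flow records are all constructed assumptions; a real deployment would derive them from baselining the specific MEC node.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source address
    dst: str     # destination: a subscriber or service behind the MEC node
    proto: str   # constructed transport/port label such as "udp/123"
    bps: float   # bits per second observed for this flow in the sampling window


@dataclass(frozen=True)
class Baseline:
    bps: float         # learned normal inbound rate for the destination
    protos: frozenset  # protocols the destination normally receives


# Constructed thresholds; a real deployment derives them from per-node baselining.
SMALL_ATTACK_BPS = 5e9         # page: three-quarters of 2020 attacks were under 5 Gbps
MEC_NODE_CAPACITY_BPS = 12e9   # page: a MEC node cannot absorb even a 12 Gbps attack
ANOMALY_FACTOR = 10.0          # inbound rate more than 10x baseline counts as anomalous
MULTI_VECTOR_MIN = 3           # three or more unexpected vectors on one target

# Constructed stand-in for the small set of simple, high-volume protocols the page
# says most DDoS weapons share (well-known UDP reflection services are used here).
SIMPLE_PROTOS = frozenset({"udp/53", "udp/123", "udp/1900", "udp/161"})


def aggregate(flows):
    """Per-destination totals: inbound bps, distinct protocols, distinct sources."""
    stats = defaultdict(lambda: {"bps": 0.0, "protos": set(), "srcs": set()})
    for f in flows:
        s = stats[f.dst]
        s["bps"] += f.bps
        s["protos"].add(f.proto)
        s["srcs"].add(f.src)
    return dict(stats)


def classify(dst, stats, baselines):
    """Place one destination in a tier: normal, simple, multi-vector or volumetric."""
    s = stats[dst]
    base = baselines.get(dst, Baseline(0.0, frozenset()))
    if s["bps"] <= ANOMALY_FACTOR * base.bps:
        return "normal"
    if s["bps"] >= MEC_NODE_CAPACITY_BPS:
        return "volumetric"       # beyond what the node can absorb: handle upstream
    unexpected = s["protos"] - base.protos
    if unexpected <= SIMPLE_PROTOS or s["bps"] < SMALL_ATTACK_BPS:
        return "simple"           # plain per-destination filtering and rate limiting
    if len(unexpected) >= MULTI_VECTOR_MIN:
        return "multi-vector"     # mid-volume, complex: needs per-flow rules
    return "simple"


def plan_mitigation(flows, baselines):
    """Return (tier per destination, action per flow).

    Only flows to a destination under attack are touched; traffic to other
    subscribers on the same node passes untouched (the scalpel, not the sledgehammer).
    """
    stats = aggregate(flows)
    tiers = {dst: classify(dst, stats, baselines) for dst in stats}
    actions = {}
    for f in flows:
        tier = tiers[f.dst]
        expected = baselines.get(f.dst, Baseline(0.0, frozenset())).protos
        if tier == "normal":
            actions[f] = "pass"
        elif tier == "volumetric":
            actions[f] = "divert-upstream"   # scrub or blackhole this one destination upstream
        elif tier == "simple":
            actions[f] = "drop" if f.proto in SIMPLE_PROTOS else "rate-limit"
        else:  # multi-vector: drop vectors the subscriber never receives, rate-limit the rest
            actions[f] = "rate-limit" if f.proto in expected else "drop"
    return tiers, actions


# Constructed baselines and a constructed sampling window of flows.
BASELINES = {
    "10.0.0.10": Baseline(50e6, frozenset({"tcp/443"})),
    "10.0.0.20": Baseline(50e6, frozenset({"tcp/443"})),
    "10.0.0.30": Baseline(100e6, frozenset({"tcp/443"})),
    "10.0.0.40": Baseline(1e9, frozenset({"tcp/443", "udp/53"})),
}

SAMPLE_FLOWS = [
    Flow("198.51.100.7", "10.0.0.10", "tcp/443", 60e6),     # untouched subscriber
    Flow("198.51.100.8", "10.0.0.20", "tcp/443", 40e6),     # legitimate flow to a target
    Flow("203.0.113.5", "10.0.0.20", "udp/123", 2.0e9),     # simple reflection vector
    Flow("203.0.113.6", "10.0.0.20", "udp/1900", 1.5e9),    # simple reflection vector
    Flow("198.51.100.9", "10.0.0.30", "tcp/443", 80e6),     # legitimate flow to a target
    Flow("203.0.113.7", "10.0.0.30", "udp/123", 3.0e9),
    Flow("203.0.113.8", "10.0.0.30", "udp/7777", 2.5e9),    # uncommon vector
    Flow("203.0.113.9", "10.0.0.30", "tcp/80", 2.0e9),      # third vector
    Flow("203.0.113.10", "10.0.0.40", "udp/53", 14e9),      # exceeds node capacity
]

if __name__ == "__main__":
    tiers, actions = plan_mitigation(SAMPLE_FLOWS, BASELINES)
    for dst, tier in sorted(tiers.items()):
        print(f"{dst}: {tier}")
    for f, action in actions.items():
        print(f"  {f.src} -> {f.dst} {f.proto} {f.bps/1e9:.2f} Gbps: {action}")
```

Run as a script it prints the tier for each destination and the action for each flow: the untouched subscriber's traffic passes, the two reflection vectors against 10.0.0.20 are dropped while its HTTPS traffic is merely rate-limited, the three-vector attack on 10.0.0.30 loses its unexpected vectors, and only 10.0.0.40, which exceeds the node's capacity, is diverted upstream. The design point is that the decision key is the destination subscriber plus the per-flow protocol, never the node as a whole, which is what lets the operator avoid shutting down a node that also serves other customers.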
The move to 5G doesn’t have to be a dream come true for cyber criminals, and it doesn’t have to be a security nightmare for mobile operators. With the right methods and tools, you can keep hackers out of your evolving network infrastructure to protect your customers and your business. To learn more, check out this Heavy Reading 5G survey whitepaper.