20.5k unique visitors in the last 3 days

New Threat Intelligence Framework for Mobile Comms

Cathal Mc Daid of Enea explained why he led the development of a newly-published threat classification system with the assistance of Ericsson, Huawei and Mobileum.

The Mobile Threat Intelligence Framework (MoTIF) is designed to classify threat actors who attack mobile networks per an announcement from Cathal Mc Daid, VP of Technology at Enea and Chair of the GSMA’s MoTIF group.

The IT security industry already uses threat intelligence frameworks to classify what an adversary has done. Some examples are ATT&CK® from MITRE and the Cyber Kill Chain developed by Lockheed Martin. These frameworks generally take the perspective of adversaries and serve to break down what it is an adversary has done…

…The need for a framework like this in the mobile telecoms industry has been evident for some time. Unlike the IT security industry, the mobile industry has not had a way to classify and deconstruct the various tactics and techniques used by adversaries in this space. Basically, we have been lacking a language to describe the activity of threat actors attacking mobile industry targets by explaining their tactics and techniques in a formal, machine-readable way. An example of this is the Russian-linked signalling network threat actor called HiddenArt. Due to the use of signalling networks and techniques specific to mobile technology, such an attack and the associated threat actor behaviour would be impossible to represent using existing frameworks like MITRE ATT&CK®.

A widely-accepted classification system should help businesses to realize when they have been subjected to the same kinds of attacks as others, and hence whether the same bad actors are responsible for them. This will also help the identification of new kinds of attacks and promote the development of new mitigations.

The development of MoTIF began in early 2022, though it was originally hoped to adapt an existing IT threat classification framework instead of creating a new one from scratch. The MoTIF team concluded that other frameworks lacked concepts that are essential for describing mobile network security. Different threat frameworks already intended for use by the mobile telecoms industry had failed to gain any traction. The team decided to create a new framework based on intelligence already accumulated through the GSMA’s Fraud and Security Group (FASG), although the new framework borrowed from the principles and structures of MITRE ATT&CK®.

Version 1 of MoTIF consists of two parts, only one of which is available to the public. The principles document defines techniques used in the framework and explains how MoTIF can be represented in STIX, a structured language for describing cyber threats. Only GSMA members will be permitted to see the second part, which explains how to apply MoTIF with reference to examples.

Making some content exclusive to GSMA members gives me pause. The GSMA has shown itself to be an avaricious organization. Meanwhile, the limitations of MITRE ATT&CK were already somewhat addressed by the publication of MITRE FiGHT in 2022. MITRE FiGHT is focused on 5G, so it can be argued that a more comprehensive framework is needed for older generations of networks. That argument has merit, but it also illustrates how long the GSMA has paid insufficient interest to network security.

Much of the GSMA’s recent work on security and fraud prevention has a lot more to do with the dramatic reduction in its revenues during recent years, having peaked at USD250mn in 2019 but since fallen to a current annual baseline of approximately USD150mn. They like to present themselves as a cuddly nonprofit but the multimillion dollar salaries of their top execs are many times greater than those of world leaders like the President of the USA. The GSMA’s complicated legal status — a registered nonprofit entity in the USA, a head office in the UK, but ultimately incorporated in the haven of Switzerland — suggests more complicated motivations than simply doing good. The GSMA has already shown a willingness to compete directly with members of its own fraud and security community, so there is reason to fear that MoTIF could be another attempt to gain a monopolistic advantage where the GSMA and its preferred commercial partners will charge businesses for access to information that GSMA members donated for free.

The establishment of the MoTIF framework is to be welcomed, especially as it is long overdue. But let us be circumspect about how such resources may be used in practice. We all now depend on the security of networks. Their security is too important to be monopolized. Too many governments have been lackadaisical, expecting that the private sector to bear rapidly increasing costs associated with national security whilst simultaneously squeezing the same businesses for as much tax as possible. Organizations like the GSMA court the favor of politicians but they spent little money on the pursuit of improved security when their conference revenues were shooting upwards during the decade before the COVID pandemic.

When it comes to network security, you can divine the GSMA’s real motives each time they slavishly praise the largest Chinese network vendors. The best thing that can happen to MoTIF is that this initiative be taken over by an international private-public partnership whose only goal is the security of all. It is regrettable that no such entity currently exists.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email