diff --git a/accuknox_support.yaml b/accuknox_support.yaml
new file mode 100644
index 0000000..17bd212
--- /dev/null
+++ b/accuknox_support.yaml
@@ -0,0 +1,139 @@
+techniques:
+ MNO Roaming Partners : no
+ Implant Internal Image : no
+ Bypass home routing : no
+ Bid down UE : no
+ Internal resource search : no
+ Network Function Service Discovery : no
+ Network Flow Manipulation : no
+ 'Controller ' : no
+ vSwitch : no
+ Manipulate Virtual Network Function (VNF) Configuration : no
+ Escape to Host : yes
+ Memory Scraping : no
+ Application Layer Protocol : no
+ Local Accounts : no
+ Rootkit : no
+ Unauthorized software in NFVI : no
+ Service Exhaustion Flood : no
+ Registration of malicious network functions : no
+ Radio Jamming : no
+ 'Redirection of traffic via user plane network function ' : no
+ Fraudulent AMF registration for UE in UDM : no
+ Unauthorized access to Network Exposure Function (NEF) via token fraud : no
+ 5G-GUTI reuse : no
+ Radio Interface : no
+ Tunnel Endpoint ID (TEID) uniqueness failure : no
+ Remote Services : no
+ Supply Chain Compromise : no
+ Software Deployment Tools : no
+ Cloud Accounts : no
+ Malicious VNF Instantiation : no
+ Accessing Terminated VNF : no
+ Shared resource discovery : no
+ Malicious privileged container VNF Shared Resource Access : no
+ Malicious co-tenancy exploit of NFVI (Network Slice) : no
+ Network Slice infrastructure resource hijacking : no
+ Network Slice application resource hijacking : no
+ Network Sniffing : no
+ Traffic Duplication : no
+ Hardware Security Module Key Signing : no
+ Device Database Manipulation : no
+ Flooding of core network component : no
+ Abuse of Inter-operator Interfaces : no
+ Remote System Discovery : no
+ Network Service Discovery : no
+ Network Boundary Bridging : no
+ Vandalism of Network Infrastructure : no
+ Cabling and junction boxes : no
+ Radio Access Hardware : no
+ Edge servers : no
+ Theft of Assets : no
+ Core Network Function Signaling : no
+ 'Roaming and Interconnection ' : no
+ Subscriber Profile Identifier Discovery : no
+ Intercept Home Network via SUCI : no
+ Intercept bid-down SUPI : no
+ Passive radio signals observation : no
+ Self Location Measurement : no
+ Radio interface : no
+ Consume data allocation to deny or degrade service : no
+ Trigger fraud alert to deny service : no
+ Alter Subscriber Profile : no
+ Spoof network slice identifier : no
+ 'Discover network slice identifier ' : no
+ Falsify interconnect invoice : no
+ SIM cloning : no
+ 'Non-SBI ' : no
+ Transmitted Data Manipulation : no
+ Locate UE : no
+ Shared Network Function in slice : no
+ 'Service Based Interface ' : no
+ DOS a UE via gNB or NF signaling : no
+ Retrieve UE subscription data : no
+ Charging fraud via NF control : no
+ SIM Credential Theft : no
+ Network-side SMS collection : no
+ 'Charging Data Record (CDR) collection ' : no
+ NAS Exploit : no
+ gNodeB Component Manipulation : no
+ RAN Intelligent Controller (RIC) : no
+ xApp : no
+ rApp : no
+ Obtain subscriber identifier via NF : no
+ Protocol Tunneling : no
+ False Base Station or Access Point : no
+ Weaken Integrity : no
+ Exploit Public-Facing Application : no
+ Endpoint Denial of Service : no
+ Obtain Capabilities : no
+ Programable UE devices : no
+ Configurability of Fake Base Station or Access Point : no
+ Shared slice common control network function resource exhaustion : no
+ Exfiltration Over Unencrypted Non-C2 Protocol : no
+ Exfiltration Over Alternative Protocol : no
+ Acquire Infrastructure : no
+ Network Interfaces : no
+ Compromise Service Supply Chain : no
+ Intercept unencrypted SUPI : no
+ Exploit Semi-public Facing Application : no
+ Over-the-Air Input : no
+ Baseband API : no
+ Exploits : no
+ Operator Network : no
+ Network Access : no
+ UE Access via GTP-U : no
+ Discover TEID : no
+ UE DoS to AMF : no
+ GTP-U Abuse : no
+ Diameter signaling : no
+ Radio control manipulation via rogue xApps : no
+ IAB Denial of Service : no
+ Develop Capabilities : no
+ Stage Capabilities : no
+ Configure Operator Core Network : no
+ Silent SMS : no
+ Silent or spoofed paging : no
+ Alter ML Model : no
+ AI/ML training data and prediction poisoning : no
+ Compromise Software Supply Chain : no
+ Compromise Hardware Supply Chain : no
+ Hardware Additions : no
+ Tool : no
+ ' Radio Network Functions' : no
+ Transmit Spoofed Broadcast Message : no
+ 'Covert Exfiltration of Data Via DNS Request ' : no
+ Trusted Relationship : no
+ Impair Defenses : no
+ Gather Victim Host Information : no
+ Valid Accounts : no
+ Pre-OS Boot : no
+ Weaken Encryption : no
+ Container Administration Command : no
+ Automated Exfiltration : no
+ Credentials from Password Stores : no
+ Network Denial of Service : no
+ Adversary-in-the-Middle : no
+ Data Manipulation : no
+ Exploitation for Client Execution : no
+
\ No newline at end of file
diff --git a/cmd.go b/cmd.go
new file mode 100644
index 0000000..95656dd
--- /dev/null
+++ b/cmd.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+ "fmt"
+ "os"
+)
+
+type Tactic struct {
+ Id string
+ Name string
+ Techniques []Technique
+}
+
+type Technique struct {
+ Name string
+ Id string
+ Support string
+}
+
+type displayT struct {
+ Tactics []Tactic
+}
+
+func main() {
+
+ // parse the yaml
+ var t T
+ t = *t.parseFightYaml()
+ var a A
+ a = *a.parseAccuknoxYaml()
+
+ // copy the support from the accuknox support yaml
+
+ // populate the display var which is input to template renderer
+ var d displayT
+ for _, tactic := range t.Tactics {
+ var t_d Tactic
+ t_d.Id = tactic.Id
+ t_d.Name = tactic.Name
+ for _, technique := range t.Techniques {
+ for _, tqt := range technique.Tactics {
+ if t_d.Id == tqt {
+ t_d.Techniques = append(t_d.Techniques, Technique{technique.Name, technique.ID, a.Techniques[technique.Name]})
+ }
+ }
+ }
+ d.Tactics = append(d.Tactics, t_d)
+ }
+
+ // print the struct
+ for _, tactic := range d.Tactics {
+ for _, technique := range tactic.Techniques {
+ fmt.Printf("%s: %s: %s\n", tactic.Name, technique.Name, technique.Support)
+ }
+ }
+
+ // open output file
+ fo, err := os.Create("index.html")
+ if err != nil {
+ panic(err)
+ }
+
+ defer func() {
+ if err := fo.Close(); err != nil {
+ panic(err)
+ }
+ }()
+
+ // render the template
+ d.generateAllTacticsPage(fo)
+
+ for _, tactic := range d.Tactics {
+
+ // open output file
+ fname := fmt.Sprintf("tactic-%s.html", tactic.Id)
+ fo, err := os.Create(fname)
+ if err != nil {
+ panic(err)
+ }
+
+ defer func() {
+ if err := fo.Close(); err != nil {
+ panic(err)
+ }
+ }()
+
+ // render the template
+ tactic.generateTechniquesPerTacticPage(fo)
+ }
+}
diff --git a/fight.yaml b/fight.yaml
new file mode 100644
index 0000000..f912129
--- /dev/null
+++ b/fight.yaml
@@ -0,0 +1,11769 @@
+case-studies: []
+data sources:
+- description: Computer software that provides low-level control for the hardware
+ and device(s) of a host, such as BIOS or UEFI/EFI
+ id: DS0001
+ name: Firmware
+ object-type: data source
+ techniques: []
+- description: A profile representing a user, device, service, or application used
+ to authenticate and access resources
+ id: DS0002
+ name: User Account
+ object-type: data source
+ techniques:
+ - FGT1078.003
+ - FGT1078.004
+ - FGT1020.001
+- description: 'Automated tasks that can be executed at a specific time or on a recurring
+ schedule running in the background (ex: Cron daemon, task scheduler, BITS)'
+ id: DS0003
+ name: Scheduled Job
+ object-type: data source
+ techniques: []
+- description: Information obtained (via shared or submitted samples) regarding malicious
+ software (droppers, backdoors, etc.) used by adversaries
+ id: DS0004
+ name: Malware Repository
+ object-type: data source
+ techniques: []
+- description: The infrastructure for management data and operations that enables
+ local and remote management of Windows personal computers and servers
+ id: DS0005
+ name: WMI
+ object-type: data source
+ techniques: []
+- description: Credential material, such as session cookies or tokens, used to authenticate
+ to web applications and services
+ id: DS0006
+ name: Web Credential
+ object-type: data source
+ techniques:
+ - FGT5034
+- description: A single file used to deploy a virtual machine/bootable disk into an
+ on-premise or third-party cloud environment
+ id: DS0007
+ name: Image
+ object-type: data source
+ techniques:
+ - FGT5039
+ - FGT1014
+ - FGT1542.501
+- description: A computer program, at the core of a computer OS, that resides in memory
+ and facilitates interactions between hardware and software components
+ id: DS0008
+ name: Kernel
+ object-type: data source
+ techniques:
+ - FGT1014
+ - FGT1542.501
+ - FGT1587.004
+- description: Instances of computer programs that are being executed by at least
+ one thread. Processes have memory space for process executables, loaded modules
+ (DLLs or shared libraries), and allocated memory regions containing everything
+ from user input to application-specific data structures
+ id: DS0009
+ name: Process
+ object-type: data source
+ techniques:
+ - FGT1611
+ - FGT1014
+ - FGT1542.501
+ - FGT1072
+ - FGT1611.501
+ - FGT1040
+- description: Data object storage infrastructure hosted on-premise or by third-party
+ providers, made available to users through network connections and/or APIs
+ id: DS0010
+ name: Cloud Storage
+ object-type: data source
+ techniques:
+ - FGT5034
+- description: Executable files consisting of one or more shared classes and interfaces,
+ such as portable executable (PE) format binaries/dynamic link libraries (DLL),
+ executable and linkable format (ELF) binaries/shared libraries, and Mach-O format
+ binaries/shared libraries
+ id: DS0011
+ name: Module
+ object-type: data source
+ techniques: []
+- description: A file or stream containing a list of commands, allowing them to be
+ launched in sequence
+ id: DS0012
+ name: Script
+ object-type: data source
+ techniques: []
+- description: Information from host telemetry providing insights about system status,
+ errors, or other notable functional activity
+ id: DS0013
+ name: Sensor Health
+ object-type: data source
+ techniques:
+ - FGT1542.501
+ - FGT1195
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1498.502
+ - FGT1195.003
+- description: A single unit of shared resources within a cluster, comprised of one
+ or more containers
+ id: DS0014
+ name: Pod
+ object-type: data source
+ techniques:
+ - FGT5013
+ - FGT5014
+- description: Events collected by third-party services such as mail servers, web
+ applications, or other appliances (not by the native OS or platform) Data sources
+ with information about the set of devices found within the network, along with
+ their current software and configurations
+ id: DS0015
+ name: Application Log
+ object-type: data source
+ techniques:
+ - FGT1199.501
+ - FGT5002
+ - FGT5003
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT5039
+ - FGT5005
+ - FGT5007
+ - FGT5008
+ - FGT5011
+ - FGT1600.501
+ - FGT1072
+ - FGT5013
+ - FGT5014
+ - FGT1611.501
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1040
+ - FGT1555.501
+ - FGT5016
+ - FGT1557.502
+ - FGT5027
+ - FGT5028
+ - FGT1557.503
+ - FGT5012.005
+ - FGT5020
+ - FGT5032.002
+ - FGT5032.003
+ - FGT5019.003
+ - FGT5009.001
+ - FGT1499
+ - FGT1499
+ - FGT1048.003
+ - FGT5009.002
+ - FGT1600.502
+ - FGT5029
+ - FGT5037
+ - FGT5036
+- description: A non-volatile data storage device (hard drive, floppy disk, USB flash
+ drive) with at least one formatted partition, typically mounted to the file system
+ and/or assigned a drive letter
+ id: DS0016
+ name: Drive
+ object-type: data source
+ techniques: []
+- description: A directive given to a computer program, acting as an interpreter of
+ some kind, in order to perform a specific task
+ id: DS0017
+ name: Command
+ object-type: data source
+ techniques:
+ - FGT1021
+ - FGT5014
+ - FGT1040
+ - FGT1020.001
+ - FGT1048.501
+- description: 'A network security system, running locally on an endpoint or remotely
+ as a service (ex: cloud environment), that monitors and controls incoming/outgoing
+ network traffic based on predefined rules'
+ id: DS0018
+ name: Firewall
+ object-type: data source
+ techniques:
+ - FGT1498.501
+ - FGT1583.508
+- description: A computer process that is configured to execute continuously in the
+ background and perform system tasks, in some cases before any user has logged
+ in
+ id: DS0019
+ name: Service
+ object-type: data source
+ techniques:
+ - FGT1014
+ - FGT1542.501
+- description: A malicious online profile representing a user commonly used by adversaries
+ to social engineer or otherwise target victims
+ id: DS0021
+ name: Persona
+ object-type: data source
+ techniques: []
+- description: A computer resource object, managed by the I/O system, for storing
+ data (such as images, text, videos, computer programs, or any wide variety of
+ other media).
+ id: DS0022
+ name: File
+ object-type: data source
+ techniques:
+ - FGT1014
+ - FGT1542.501
+ - FGT1195
+ - FGT1020.001
+ - FGT5032.002
+ - FGT5032.003
+ - FGT1195.002
+ - FGT1195.003
+- description: Mechanisms that allow inter-process communication locally or over the
+ network. A named pipe is usually found as a file and processes attach to it
+ id: DS0023
+ name: Named Pipe
+ object-type: data source
+ techniques: []
+- description: A Windows OS hierarchical database that stores much of the information
+ and settings for software programs, hardware devices, user preferences, and operating-system
+ configurations
+ id: DS0024
+ name: Windows Registry
+ object-type: data source
+ techniques: []
+- description: Infrastructure, platforms, or software that are hosted on-premise or
+ by third-party providers, made available to users through network connections
+ and/or APIs
+ id: DS0025
+ name: Cloud Service
+ object-type: data source
+ techniques:
+ - FGT5032.002
+ - FGT5032.003
+ - FGT5034
+- description: A database and set of services that allows administrators to manage
+ permissions, access to network resources, and stored data objects (user, group,
+ application, or devices)
+ id: DS0026
+ name: Active Directory
+ object-type: data source
+ techniques: []
+- description: A computer program that operates or controls a particular type of device
+ that is attached to a computer. Provides a software interface to hardware devices,
+ enabling operating systems and other computer programs to access hardware functions
+ without needing to know precise details about the hardware being used
+ id: DS0027
+ name: Driver
+ object-type: data source
+ techniques: []
+- description: Logon occurring on a system or resource (local, domain, or cloud) to
+ which a user/device is gaining access after successful authentication and authorizaton
+ id: DS0028
+ name: Logon Session
+ object-type: data source
+ techniques:
+ - FGT5039
+ - FGT1078.003
+ - FGT1021
+ - FGT1078.004
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1020.001
+ - FGT1555.501
+ - FGT5029
+ - FGT5037
+ - FGT5036
+- description: 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.),
+ that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable
+ format (ex: PCAP)'
+ id: DS0029
+ name: Network Traffic
+ object-type: data source
+ techniques:
+ - FGT1199.501
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT5039
+ - FGT5005
+ - FGT1014
+ - FGT1542.501
+ - FGT1600.501
+ - FGT5021
+ - FGT1021
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1020.001
+ - FGT1555.501
+ - FGT1018
+ - FGT1046
+ - FGT1599
+ - FGT1557.502
+ - FGT1557.503
+ - FGT1565.002
+ - FGT1565.002
+ - FGT1565.002
+ - FGT1572
+ - FGT5009
+ - FGT5009.001
+ - FGT1499
+ - FGT1499
+ - FGT1048.003
+ - FGT1048
+ - FGT5009.002
+ - FGT1600.502
+ - FGT5029
+ - FGT1572.501
+ - FGT5031
+ - FGT1498.503
+ - FGT1599.505
+ - FGT5012.008
+ - FGT5019.005
+ - FGT1200
+ - FGT1048.501
+- description: A virtual server environment which runs workloads, hosted on-premise
+ or by third-party cloud providers
+ id: DS0030
+ name: Instance
+ object-type: data source
+ techniques: []
+- description: A set of containerized computing resources that are managed together
+ but have separate nodes to execute various tasks and/or applications
+ id: DS0031
+ name: Cluster
+ object-type: data source
+ techniques: []
+- description: A standard unit of virtualized software that packages up code and all
+ its dependencies so the application runs quickly and reliably from one computing
+ environment to another
+ id: DS0032
+ name: Container
+ object-type: data source
+ techniques:
+ - FGT1611
+ - FGT5007
+ - FGT5013
+ - FGT5014
+ - FGT1611.501
+- description: A storage resource (typically a folder or drive) made available from
+ one host to others using network protocols, such as Server Message Block (SMB)
+ or Network File System (NFS)
+ id: DS0033
+ name: Network Share
+ object-type: data source
+ techniques: []
+- description: Block object storage hosted on-premise or by third-party providers,
+ typically made available to resources as virtualized hard drives
+ id: DS0034
+ name: Volume
+ object-type: data source
+ techniques:
+ - FGT1611
+ - FGT1611.501
+- description: Information obtained (commonly via active network traffic probes or
+ web crawling) regarding various types of resources and servers connected to the
+ public Internet
+ id: DS0035
+ name: Internet Scan
+ object-type: data source
+ techniques: []
+- description: A collection of multiple user accounts that share the same access rights
+ to the computer and/or network resources and have common security rights
+ id: DS0036
+ name: Group
+ object-type: data source
+ techniques: []
+- description: A digital document, which highlights information such as the owner's
+ identity, used to instill trust in public keys used while encrypting network communications
+ id: DS0037
+ name: Certificate
+ object-type: data source
+ techniques:
+ - FGT5034
+- description: 'Information obtained (commonly through registration or activity logs)
+ regarding one or more IP addresses registered with human readable names (ex: mitre.org)'
+ id: DS0038
+ name: Domain Name
+ object-type: data source
+ techniques: []
+- description: Monitoring ability to detect new ports, devices on the network
+ id: DS0039
+ name: Asset
+ object-type: data source
+ techniques:
+ - FGT1040
+ - FGT1200
+- description: Operational databases contain information about the status of the operational
+ process and associated devices, including any measurements, events, history, or
+ alarms that have occurred
+ id: DS0040
+ name: Operational Databases
+ object-type: data source
+ techniques:
+ - FGT5018
+ - FGT5018.002
+- description: RF spectrum monitoring equipment, optionally including direction finding
+ and geolocation
+ id: FGDS5001
+ name: RF Spectrum Monitor
+ object-type: data source
+ techniques:
+ - FGT5035
+- description: UE measurements of received power levels from all base stations nearby.
+ Report to operator gNB radio signals (sent to all UEs to enable them to select
+ gNB and connect) received at a given UE
+ id: FGDS5002
+ name: UE signal measurements
+ object-type: data source
+ techniques:
+ - FGT1557.501
+ - FGT5012.006
+ - FGT1583.501
+ - FGT1608.501
+ - FGT5012.007
+ - FGT1642.501
+- description: Audit charging system records for anomaly
+ id: FGDS5003
+ name: Charging anomaly
+ object-type: data source
+ techniques:
+ - FGT5021
+ - FGT5023
+- description: Scan voice calls for certain amount of losses to detect if the call
+ is made over internet (IP)
+ id: FGDS5004
+ name: Scan voice calls
+ object-type: data source
+ techniques: []
+- description: Keep track of SIM cards with unusual pattern
+ id: FGDS5005
+ name: SIM card pattern
+ object-type: data source
+ techniques:
+ - FGT5026
+- description: Monitor for excessive data usage; including using AI/ML
+ id: FGDS5006
+ name: UE data usage
+ object-type: data source
+ techniques:
+ - FGT1499.501
+ - FGT5025
+- description: Number of access requests received from UEs (or a single UE) at the
+ gNB. Keep track to avoid overload.
+ id: FGDS5007
+ name: UE access requests
+ object-type: data source
+ techniques:
+ - FGT1499.002
+ - FGT1499.002
+- description: Leaking IR.21 information on the Internet can be found
+ id: FGDS5008
+ name: Search Internet for leaks
+ object-type: data source
+ techniques:
+ - FGT1592.501
+- description: Maintain logs of access to operator O&M resources like IR.21 databases.
+ id: FGDS5009
+ name: Access to operator resource
+ object-type: data source
+ techniques:
+ - FGT1592.501
+ - FGT5015
+- description: UE transitions from 5GS to 4G/EPS with less or no security
+ id: FGDS5010
+ name: UE transition to less secure service
+ object-type: data source
+ techniques:
+ - FGT5019.002
+ - FGT5012.002
+ - FGT1040.501
+- description: Subscriber notifies service provider about DoS attack or other issues
+ id: FGDS5011
+ name: Subscriber notify provider
+ object-type: data source
+ techniques:
+ - FGT1499.502
+ - FGT5022
+ - FGT5025
+ - FGT1565.002
+ - FGT1499.503
+- description: Security Incident and event monitoring. Event logs recording user activities,
+ exceptions, faults and information security events should be produced, kept and
+ regularly reviewed
+ id: FGDS5012
+ name: SIEM
+ object-type: data source
+ techniques:
+ - FGT1525
+ - FGT5018.001
+ - FGT5018.003
+ - FGT5018.004
+ - FGT5017
+ - FGT1498.502
+- description: 'The UE can tell that there is a 5G cell site that it can hear, but
+ if it eventually gets connected to a 4G cell site '
+ id: FGDS5013
+ name: UE connecting to 4G
+ object-type: data source
+ techniques:
+ - FGT1562.501
+- description: Analyze SDN logs to detect unauthorized activity
+ id: FGDS5014
+ name: SDN Access Logs
+ object-type: data source
+ techniques:
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+- description: Automated hash verification of images
+ id: FGDS5015
+ name: Image verification
+ object-type: data source
+ techniques:
+ - FGT1525
+ - FGT5032.002
+ - FGT5032.003
+ - FGT1498.503
+ - FGT5034
+- description: Verify payload for GTP-U encapsulated packets
+ id: FGDS5016
+ name: Payload checking
+ object-type: data source
+ techniques:
+ - FGT1572.501
+ - FGT5031
+- description: Monitor gNB and core network logs for NULL scheme usage for SUCI protection.
+ id: FGDS5017
+ name: Monitor null scheme usage
+ object-type: data source
+ techniques:
+ - FGT5019.004
+- description: Monitor provisioning logs in core network for changes in home network
+ public key and home PLMN ID.
+ id: FGDS5018
+ name: Monitor provisioning logs
+ object-type: data source
+ techniques:
+ - FGT5019.004
+- description: Monitor when UE makes emergency call or when UE is moved to eNB in
+ NSA mode.
+ id: FGDS5019
+ name: Monitor operations logs
+ object-type: data source
+ techniques:
+ - FGT5019.004
+- description: Monitor gNB logs for unplanned network service outages.
+ id: FGDS5020
+ name: Monitor unplanned service outage
+ object-type: data source
+ techniques:
+ - FGT5024
+- description: Monitor all 3rd party application onboarding processes and use host
+ scanning to detect malware insertions.
+ id: FGDS5021
+ name: Monitor 3rd party application onboarding
+ object-type: data source
+ techniques:
+ - FGT5034
+- description: Monitor if any security configurations have been downgraded to weak
+ or no security.
+ id: FGDS5022
+ name: Monitor security configurations
+ object-type: data source
+ techniques:
+ - FGT1040
+ - FGT1565.002
+- description: Run at the UE side an application/tool to detect received silent SMS
+ messages
+ id: FGDS5102
+ name: Silent SMS detector
+ object-type: data source
+ techniques:
+ - FGT5019.006
+ - FGT5012.007
+- description: Automated policy compliance checks
+ id: FGDS5023
+ name: Audit policy violation
+ object-type: data source
+ techniques:
+ - FGT1498.502
+id: FiGHT
+mitigations:
+- description: Increase RACH resources on the gNB (bandwith, time slots)
+ id: FGM5021
+ name: Increase RACH (Random Access CHannel resources)
+ object-type: mitigation
+ techniques:
+ - FGT1499.002
+- description: When the subscriber affiliation is reflected in the home network identifier
+ (part of subscriber identifier), and would benefit from not being sent in the
+ clear, the subscriber's provider (home network) should be a proxy mobile network
+ operator - whose identifier does not reveal the true affiliation of the subscriber.
+ id: FGM5022
+ name: Proxy home network
+ object-type: mitigation
+ techniques:
+ - FGT5019.001
+- description: Perform periodic authentication and authorization of consumer NFs by
+ NRF
+ id: FGM5023
+ name: Periodic Authentication & Authorization of NFs
+ object-type: mitigation
+ techniques:
+ - FGT5007
+ - FGT5010
+ - FGT5012.004
+ - FGT1499.503
+ - FGT5023
+- description: Use strong data integrity protection algorithms.
+ id: FGM5024
+ name: Integrity protection of data communication
+ object-type: mitigation
+ techniques:
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT1557.503
+ - FGT1565.002
+ - FGT1565.002
+ - FGT1565.002
+ - FGT1565.002
+ - FGT1557.504
+ - FGT1195.501
+ - FGT1572
+ - FGT5009.001
+ - FGT5009.002
+ - FGT1642.501
+ - FGT1048.501
+- description: Disable or remove an RF transmitter
+ id: FGM5001
+ name: Disable malicious transmitter
+ object-type: mitigation
+ techniques:
+ - FGT5035
+- description: User Equipment (UE) can reject e.g. RRC signaling such as RRC Release
+ with Redirect info, if not integrity protected.
+ id: FGM5002
+ name: Discard RAN signaling received without integrity protection
+ object-type: mitigation
+ techniques:
+ - FGT1562.501
+- description: NFs such as NRF should cross check with TLS layer before issuing token
+ to an NF
+ id: FGM5003
+ name: Cross check between application layer and transport layer
+ object-type: mitigation
+ techniques:
+ - FGT5003
+ - FGT5011
+ - FGT5027
+- description: Employ a SMS Router that intercepts incoming location queries (from
+ other operators), configured so that it can't be subverted.
+ id: FGM5004
+ name: Correctly configure SMS firewall
+ object-type: mitigation
+ techniques:
+ - FGT5002
+ - FGT5012.008
+ - FGT5019.005
+ - FGT5019.006
+ - FGT5012.007
+- description: 'Physical protection of: communications centers, Telecommunications
+ equipment room, Physically isolated operation areas, Equipment sited in other
+ carrier''s or partner''s premises, cable/fibers, junction boxes, '
+ id: FGM5005
+ name: Physical and environmental protection
+ object-type: mitigation
+ techniques:
+ - FGT5018
+ - FGT5018.001
+ - FGT5018.002
+ - FGT5018.003
+ - FGT5018.004
+ - FGT1498.502
+- description: This profile does not allow bidding down to 4G
+ id: FGM5006
+ name: Restrictive user profile
+ object-type: mitigation
+ techniques:
+ - FGT5019.002
+ - FGT5012.002
+ - FGT1040.501
+ - FGT5009.001
+- description: Subscription that includes unlimited data can prevent DoS due to exhausion
+ of data plan limits
+ id: FGM5007
+ name: Unlimited data plan
+ object-type: mitigation
+ techniques:
+ - FGT1499.501
+- description: On the UE, monitor installed applications for data usage and perform
+ throttling if necessary
+ id: FGM5008
+ name: Monitor installed applications for data usage
+ object-type: mitigation
+ techniques:
+ - FGT1499.501
+- description: Services are refreshed periodically and/or terminated after completion
+ of a request.
+ id: FGM5010
+ name: Non-Persistent Services
+ object-type: mitigation
+ techniques:
+ - FGT5029
+- description: Check if IMSI is served by the slice ID (NSSAI)
+ id: FGM5012
+ name: Slice ID check
+ object-type: mitigation
+ techniques:
+ - FGT5012.005
+- description: UDM/UDR should correctly implement UE authentication/registration status
+ updates.
+ id: FGM5013
+ name: Timely updates to UE status
+ object-type: mitigation
+ techniques:
+ - FGT5010
+- description: UDM can check whether a requesting AMF is likely to be the one serving
+ that UE.
+ id: FGM5014
+ name: UE location plausibility
+ object-type: mitigation
+ techniques:
+ - FGT5010
+- description: NEF should authorize API calls especially from external AFs for service
+ accesses
+ id: FGM5019
+ name: Authorize external API calls
+ object-type: mitigation
+ techniques:
+ - FGT5008
+ - FGT5011
+ - FGT5012.004
+ - FGT5019.003
+- description: Including EIR Equipment Identity Register
+ id: FGM5020
+ name: Secure subscriber repositories
+ object-type: mitigation
+ techniques:
+ - FGT5015
+ - FGT5022
+- description: Use zero trust principles for application/NF protection
+ id: FGM5033
+ name: Zero Trust
+ object-type: mitigation
+ techniques:
+ - FGT1040
+ - FGT5020
+- description: Separate repositositories must be maintained for development and production
+ software to avoid access and image slipovers
+ id: FGM5088
+ name: Separate repositories for development and production
+ object-type: mitigation
+ techniques:
+ - FGT1525
+- description: Use image name and hash to verify image during deployment
+ id: FGM5089
+ name: Verify image in deployment
+ object-type: mitigation
+ techniques:
+ - FGT1525
+ - FGT5017
+- description: Correlate logs between SDN controllers and network elements
+ id: FGM5090
+ name: Log correlation
+ object-type: mitigation
+ techniques:
+ - FGT1525
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT5005
+- description: Enforce mutual authentication between SDN controller, network elements,
+ SDN controller and SDN application
+ id: FGM5091
+ name: Mutual authentication
+ object-type: mitigation
+ techniques:
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT5034
+- description: 'UE warn user of lower security network. '
+ id: FGM5092
+ name: Warn user
+ object-type: mitigation
+ techniques:
+ - FGT1562.501
+- description: UDM/SIDF checks if SUCI freshness parameter from the same UE (with
+ same SUPI) is identical during SUCI deconcealment within a short period of time
+ id: FGM5093
+ name: SUCI freshness parameter
+ object-type: mitigation
+ techniques:
+ - FGT1499.502
+- description: Network (AMF) should allocate new 5G-GUTI whenever possible; UPF and
+ gNB should allocate unique Tunnel IDs. SMF should check newly allocated charging
+ IDs.
+ id: FGM5094
+ name: Allocate new 5G identifiers judiciously
+ object-type: mitigation
+ techniques:
+ - FGT5012.003
+ - FGT5021
+ - FGT5023
+- description: Verify if the TLS certificate is valid for the endpoint
+ id: FGM5095
+ name: TLS certificate check
+ object-type: mitigation
+ techniques:
+ - FGT1557.504
+- description: Disable usage of location on UE device
+ id: FGM5096
+ name: Disable UE location use
+ object-type: mitigation
+ techniques:
+ - FGT5012.002
+- description: Restrict UE to bid down (from 5G) or use of less secure system
+ id: FGM5097
+ name: Disable acceptance of a less secure system
+ object-type: mitigation
+ techniques:
+ - FGT1562.501
+- description: Use UE only when needed. Turn power off when not in use.
+ id: FGM5098
+ name: Reduce UE usage
+ object-type: mitigation
+ techniques:
+ - FGT5012.001
+- description: Move UE close to gNB or indoors to make geo-location harder
+ id: FGM5099
+ name: Move UE close to gNB
+ object-type: mitigation
+ techniques:
+ - FGT5035
+ - FGT5012.001
+- description: Raising the height of the UE may move it outside another RF source,
+ e.g. jammer
+ id: FGM5100
+ name: Raise height of UE
+ object-type: mitigation
+ techniques:
+ - FGT5035
+- description: Isolate CDR databases from the rest of the IT systems/NOC resources
+ id: FGM5101
+ name: Isolate CDR database
+ object-type: mitigation
+ techniques: []
+- description: Run at the UE side an application/tool to detect and not respond to
+ silent SMS messages
+ id: FGM5102
+ name: 'Silent SMS blocker '
+ object-type: mitigation
+ techniques:
+ - FGT5019.006
+ - FGT5012.007
+- description: Use a firewall or other rate limiter for signaling and user plane traffic
+ coming into 5G network
+ id: FGM5498
+ name: Limit incoming signaling and user plane traffic
+ object-type: mitigation
+ techniques:
+ - FGT1498.501
+ - FGT1572.501
+- description: Producer NF e.g. AUSF can rate limit authentication requests from the
+ same SUCI/SUPI too many times in a short period. Or NRF not respond to requests
+ after a given number of failed NSSAI lookups
+ id: FGM5499
+ name: Rate limiting by producer NF
+ object-type: mitigation
+ techniques:
+ - FGT1499.002
+ - FGT5028
+- description: E.g. restrict access to IR.21 database
+ id: FGM5500
+ name: Restrict access to operator OA&M resources
+ object-type: mitigation
+ techniques:
+ - FGT1592.501
+- description: Operator should deploy TLS proxies or firewalls on the SBA that can
+ inspect packets to detect anomalies
+ id: FGM5501
+ name: TLS proxy/firewalls with DPI on the SBA
+ object-type: mitigation
+ techniques:
+ - FGT5003
+ - FGT1437
+- description: 'Examples: employ home routing vs. local bypass.'
+ id: FGM5503
+ name: Increase control of home network for user plane
+ object-type: mitigation
+ techniques:
+ - FGT5025
+- description: 'Cloud compute, cloud storage and any serverless activity should be
+ isolated from other tenants '
+ id: FGM5504
+ name: Resource Isolation in virtualization environment
+ object-type: mitigation
+ techniques:
+ - FGT1583
+- description: Hardware mediated execution environment
+ id: FGM5505
+ name: Hardware mediated execution environment
+ object-type: mitigation
+ techniques:
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1583
+- description: Use of Network Slice Templates -Use of templates for network slicing
+ can enforce baseline security and isolation requirements. These templates can
+ be created for networks, compute and 5G slice functions deployments.
+ id: FGM5506
+ name: network slice templates
+ object-type: mitigation
+ techniques:
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+- description: Continuity of power supplies to equipment deployed in the field.
+ id: FGM5540
+ name: Power supplies
+ object-type: mitigation
+ techniques:
+ - FGT5018.001
+- description: Vulnerability scanning is used to find potentially exploitable software
+ vulnerabilities to remediate them.
+ id: M1016
+ name: Vulnerability Scanning
+ object-type: mitigation
+ techniques:
+ - FGT1195
+ - FGT1190
+ - FGT1499
+ - FGT1499
+ - FGT1195.002
+ - FGT1195.003
+- description: Train users to be aware of access or manipulation attempts by an adversary
+ to reduce the risk of successful spearphishing, social engineering, and other
+ techniques that involve user interaction.
+ id: M1017
+ name: User Training
+ object-type: mitigation
+ techniques:
+ - FGT1078.004
+ - FGT1555.501
+ - FGT5026
+ - FGT1195.501
+- description: Manage the creation, modification, use, and permissions associated
+ to user accounts.
+ id: M1018
+ name: User Account Management
+ object-type: mitigation
+ techniques:
+ - FGT1199.501
+ - FGT1014
+ - FGT1542.501
+ - FGT5007
+ - FGT1600.501
+ - FGT1021
+ - FGT1072
+ - FGT1078.004
+ - FGT5013
+ - FGT1609.501
+ - FGT5014
+ - FGT1611.501
+ - FGT1555.501
+ - FGT5009.001
+ - FGT5009.002
+ - FGT1600.502
+ - FGT5037
+ - FGT5036
+- description: Break and inspect SSL/TLS sessions to look at encrypted web traffic
+ for adversary activity.
+ id: M1020
+ name: SSL/TLS Inspection
+ object-type: mitigation
+ techniques:
+ - FGT1040
+ - FGT5027
+ - FGT1565.002
+- description: Restrict access by setting directory and file permissions that are
+ not specific to users or privileged accounts.
+ id: M1022
+ name: Restrict File and Directory Permissions
+ object-type: mitigation
+ techniques:
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT1195.501
+- description: Manage the creation, modification, use, and permissions associated
+ to privileged accounts, including SYSTEM and root.
+ id: M1026
+ name: Privileged Account Management
+ object-type: mitigation
+ techniques:
+ - FGT1611
+ - FGT1078.003
+ - FGT1072
+ - FGT1078.004
+ - FGT1609.501
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1040
+ - FGT1020.001
+ - FGT1555.501
+ - FGT1599
+ - FGT5037
+ - FGT5036
+ - FGT1200
+- description: Set and enforce secure password policies for accounts.
+ id: M1027
+ name: Password Policies
+ object-type: mitigation
+ techniques:
+ - FGT1078.003
+ - FGT1072
+ - FGT1078.004
+ - FGT1599
+- description: Use remote security log and sensitive file storage where access can
+ be controlled better to prevent exposure of intrusion detection log data or sensitive
+ information.
+ id: M1029
+ name: Remote Data Storage
+ object-type: mitigation
+ techniques:
+ - FGT1072
+- description: Architect sections of the network to isolate critical systems, functions,
+ or resources. Use physical and logical segmentation to prevent access to potentially
+ sensitive systems and information. Use a DMZ to contain any internet-facing services
+ that should not be exposed from the internal network. Configure separate virtual
+ private cloud (VPC) instances to isolate critical cloud systems.
+ id: M1030
+ name: Network Segmentation
+ object-type: mitigation
+ techniques:
+ - FGT1199.501
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT5007
+ - FGT1072
+ - FGT5013
+ - FGT5014
+ - FGT1611.501
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1040
+ - FGT1018
+ - FGT1046
+ - FGT1557.502
+ - FGT1499.503
+ - FGT1195.501
+ - FGT1498.502
+ - FGT1583
+ - FGT5034
+ - FGT1200
+- description: Use intrusion detection signatures to block traffic at network boundaries.
+ id: M1031
+ name: Network Intrusion Prevention
+ object-type: mitigation
+ techniques:
+ - FGT1600.501
+ - FGT1018
+ - FGT1046
+ - FGT1572
+ - FGT5009.001
+ - FGT5009.002
+ - FGT1600.502
+ - FGT1572.501
+ - FGT5031
+ - FGT1048.501
+- description: Use two or more pieces of evidence to authenticate to a system; such
+ as username and password in addition to a token from a physical smart card or
+ token generator.
+ id: M1032
+ name: Multi-factor Authentication
+ object-type: mitigation
+ techniques:
+ - FGT1021
+ - FGT1072
+ - FGT1078.004
+ - FGT1599
+- description: Block users or groups from installing unapproved software.
+ id: M1033
+ name: Limit Software Installation
+ object-type: mitigation
+ techniques:
+ - FGT5039
+ - FGT5005
+ - FGT5032.002
+ - FGT5032.003
+ - FGT5034
+- description: Prevent access to file shares, remote access to systems, unnecessary
+ services. Mechanisms to limit access may include use of network concentrators,
+ RDP gateways, etc.
+ id: M1035
+ name: Limit Access to Resource Over Network
+ object-type: mitigation
+ techniques:
+ - FGT1525
+ - FGT5021
+ - FGT5013
+ - FGT1609.501
+ - FGT5014
+ - FGT1611.501
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1557.502
+ - FGT5032.002
+ - FGT5032.003
+- description: Use network appliances to filter ingress or egress traffic and perform
+ protocol-based filtering. Configure software on endpoints to filter network traffic.
+ id: M1037
+ name: Filter Network Traffic
+ object-type: mitigation
+ techniques:
+ - FGT1199.501
+ - FGT1599
+ - FGT5012.004
+ - FGT1557.502
+ - FGT1572
+ - FGT1499
+ - FGT1499
+ - FGT1048.003
+ - FGT1048
+ - FGT1583.508
+- description: Block execution of code on a system through application control, and/or
+ script blocking.
+ id: M1038
+ name: Execution Prevention
+ object-type: mitigation
+ techniques:
+ - FGT1611
+ - FGT1609.501
+- description: Use capabilities to prevent suspicious behavior patterns from occurring
+ on endpoint systems. This could include suspicious process, file, API call, etc.
+ behavior.
+ id: M1040
+ name: Behavior Prevention on Endpoint
+ object-type: mitigation
+ techniques:
+ - FGT5008
+ - FGT5011
+ - FGT1040
+- description: Protect sensitive information with strong encryption.
+ id: M1041
+ name: Encrypt Sensitive Information
+ object-type: mitigation
+ techniques:
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT1600.501
+ - FGT1599.501
+ - FGT1599.502
+ - FGT5038
+ - FGT1040
+ - FGT1040
+ - FGT1020.001
+ - FGT5016
+ - FGT5012.002
+ - FGT1040.501
+ - FGT1557.503
+ - FGT1557.504
+ - FGT1195.501
+ - FGT1583
+ - FGT1600.502
+ - FGT5019.004
+ - FGT1572.501
+ - FGT5031
+ - FGT5037
+ - FGT5036
+- description: Remove or deny access to unnecessary and potentially vulnerable software
+ to prevent abuse by adversaries.
+ id: M1042
+ name: Disable or Remove Feature or Program
+ object-type: mitigation
+ techniques:
+ - FGT1018
+ - FGT1046
+- description: Use capabilities to prevent successful credential access by adversaries;
+ including blocking forms of credential dumping.
+ id: M1043
+ name: Credential Access Protection
+ object-type: mitigation
+ techniques:
+ - FGT1525
+ - FGT1600.501
+ - FGT1599
+ - FGT5032.002
+ - FGT5032.003
+ - FGT5009.001
+ - FGT5009.002
+ - FGT1600.502
+ - FGT5034
+- description: Enforce binary and application integrity with digital signature verification
+ to prevent untrusted code from executing.
+ id: M1045
+ name: Code Signing
+ object-type: mitigation
+ techniques:
+ - FGT1014
+ - FGT1542.501
+ - FGT5032.002
+ - FGT5032.003
+ - FGT5034
+ - FGT1195.002
+- description: Use secure methods to boot a system and verify the integrity of the
+ operating system and loading mechanisms.
+ id: M1046
+ name: Boot Integrity
+ object-type: mitigation
+ techniques:
+ - FGT1014
+ - FGT1542.501
+ - FGT1600.501
+ - FGT5009.002
+ - FGT1600.502
+- description: Perform audits or scans of systems, permissions, insecure software,
+ insecure configurations, etc. to identify potential weaknesses.
+ id: M1047
+ name: Audit
+ object-type: mitigation
+ techniques:
+ - FGT5039
+ - FGT5005
+ - FGT1014
+ - FGT1542.501
+ - FGT5008
+ - FGT5021
+ - FGT5013
+ - FGT5014
+ - FGT1611.501
+ - FGT1040
+ - FGT1557.504
+ - FGT5009
+ - FGT5037
+ - FGT5036
+ - FGT1200
+- description: Restrict execution of code to a virtual environment on or in transit
+ to an endpoint system.
+ id: M1048
+ name: Application Isolation and Sandboxing
+ object-type: mitigation
+ techniques:
+ - FGT1611
+- description: Use signatures or heuristics to detect malicious software.
+ id: M1049
+ name: Anti-virus & Anti-malware
+ object-type: mitigation
+ techniques:
+ - FGT1525
+ - FGT5001
+- description: Use capabilities to detect and block conditions that may lead to or
+ be indicative of a software exploit occurring.
+ id: M1050
+ name: Exploit Protection
+ object-type: mitigation
+ techniques:
+ - FGT1190
+ - FGT1499
+ - FGT1499
+ - FGT5029
+- description: Perform regular software updates to mitigate exploitation risk.
+ id: M1051
+ name: Update Software
+ object-type: mitigation
+ techniques:
+ - FGT1014
+ - FGT1542.501
+ - FGT1600.501
+ - FGT1195
+ - FGT1072
+ - FGT5009.002
+ - FGT1600.502
+ - FGT5029
+ - FGT1195.002
+ - FGT1195.003
+- description: Take and store data backups from end user systems and critical servers.
+ Ensure backup and storage systems are hardened and kept separate from the corporate
+ network to prevent compromise.
+ id: M1053
+ name: Data Backup
+ object-type: mitigation
+ techniques:
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT5039
+- description: Implement configuration changes to software (other than the operating
+ system) to mitigate security risks associated to how the software operates.
+ id: M1054
+ name: Software Configuration
+ object-type: mitigation
+ techniques:
+ - FGT1199.501
+ - FGT5004
+ - FGT5004.001
+ - FGT5004.002
+ - FGT1040
+ - FGT5016
+- description: This category is used for any applicable mitigation activities that
+ apply to techniques occurring before an adversary gains Initial Access, such as
+ Reconnaissance and Resource Development techniques.
+ id: M1056
+ name: Pre-compromise
+ object-type: mitigation
+ techniques:
+ - FGT5016
+ - FGT1583.501
+ - FGT1588
+ - FGT1587.501
+ - FGT1587
+ - FGT1588.002
+ - FGT1588.501
+- description: Randomize TEID allocations.
+ id: FGM5507
+ name: TEID allocation
+ object-type: mitigation
+ techniques:
+ - FGT5031
+- description: 'Refresh TEID allocations frequently. '
+ id: FGM5508
+ name: Refresh TEIDs
+ object-type: mitigation
+ techniques:
+ - FGT5031
+- description: Filter encapsulated GTP-U packets received from UE.
+ id: FGM5509
+ name: Filter GTP-U packets
+ object-type: mitigation
+ techniques: []
+- description: Filter user plane packets received from UE which have destination address
+ set core NF's IP address.
+ id: FGM5510
+ name: Filter packets to core NF sent by UE
+ object-type: mitigation
+ techniques:
+ - FGT1599.505
+- description: Monitor NAS messages from UE for incorrect or very large header length.
+ id: FGM5511
+ name: Verify NAS messages from UE
+ object-type: mitigation
+ techniques:
+ - FGT1498.503
+- description: Use high availability feature for all core network functions.
+ id: FGM5512
+ name: Use high availability
+ object-type: mitigation
+ techniques:
+ - FGT1498.503
+- description: Use Diameter End-to-end Signaling Security (DESS)
+ id: FGM5513
+ name: Use DESS security
+ object-type: mitigation
+ techniques:
+ - FGT5012.008
+ - FGT5019.005
+- description: Minimize number of connections to eNB in NSA mode.
+ id: FGM5514
+ name: Minmize eNB connections
+ object-type: mitigation
+ techniques:
+ - FGT5019.004
+- description: Move mIAB node to another location to avoid RF jamming.
+ id: FGM5515
+ name: Move mIAB node
+ object-type: mitigation
+ techniques:
+ - FGT5024
+- description: 'Allow tokens with short lifetime to prevent AiTM attacks by replaying
+ stolen tokens. '
+ id: FGM5516
+ name: Make xApp sessions short lived
+ object-type: mitigation
+ techniques:
+ - FGT5034
+- description: Use application layer data obfuscation technique for example use of
+ Orbot as Tor proxy to send all traffic through Tor circuit.
+ id: FGM5517
+ name: Use obfuscation at application layer
+ object-type: mitigation
+ techniques:
+ - FGT1040.501
+ - FGT1195.002
+- description: APIs in the system should use secure access and data transport using
+ TLS 1.3 or latest.
+ id: M1009
+ name: Encrypt Network Traffic
+ object-type: mitigation
+ techniques:
+ - FGT5037
+ - FGT5036
+- description: 'Create and enforce resource policy; policy can include SLA, quotas,
+ QOS etc. '
+ id: FGM5518
+ name: Resource Policy enforcement
+ object-type: mitigation
+ techniques:
+ - FGT1498.502
+- description: 5G Operators should evaluate suppliers of services for their technical
+ and administrative controls to ensure that it meets minimum standards for assured
+ services. These evaluations may include SW, HD supply chain, personnel and process
+ used for service creation.
+ id: M0817
+ name: Supply chain management
+ object-type: mitigation
+ techniques:
+ - FGT1195.502
+ - FGT1195.002
+- description: 5G operators should integrate performance and change management from
+ their suppliers into their own OA&M tools to have complete visibility into service
+ id: FGM5519
+ name: Integrate Performance and Change Management
+ object-type: mitigation
+ techniques:
+ - FGT1195.502
+- description: Protect processes with high privileges that can be used to interact
+ with critical system components through use of protected process light, anti-process
+ injection defenses, or other process integrity enforcement measures.
+ id: M1025
+ name: Privileged Process Integrity
+ object-type: mitigation
+ techniques:
+ - FGT5032.002
+ - FGT5032.003
+name: FiGHT Threat Matrix
+tactics:
+- description: "The adversary is trying to gather information they can use to plan\
+ \ future operations.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0043/) "
+ id: TA0043
+ name: Reconnaissance
+ object-type: tactic
+- description: "The adversary is trying to establish resources they can use to support\
+ \ operations.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0042/) "
+ id: TA0042
+ name: Resource Development
+ object-type: tactic
+- description: "The adversary is trying to get into your network.\r\n[View Here at\
+ \ MITRE ATT&CK](https://attack.mitre.org/tactics/TA0001/)"
+ id: TA0001
+ name: Initial Access
+ object-type: tactic
+- description: "The adversary is trying to run malicious code.\r\n[View Here at MITRE\
+ \ ATT&CK](https://attack.mitre.org/tactics/TA0002/)"
+ id: TA0002
+ name: Execution
+ object-type: tactic
+- description: "The adversary is trying to maintain their foothold.\r\n[View Here\
+ \ at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0003/)"
+ id: TA0003
+ name: Persistence
+ object-type: tactic
+- description: "The adversary is trying to gain higher - level permissions.\r\n[View\
+ \ Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0004/)"
+ id: TA0004
+ name: Privilege Escalation
+ object-type: tactic
+- description: "The adversary is trying to avoid being detected.\r\n[View Here at\
+ \ MITRE ATT&CK](https://attack.mitre.org/tactics/TA0005/)"
+ id: TA0005
+ name: Defense Evasion
+ object-type: tactic
+- description: "The adversary is trying to steal account names and passwords.\r\n\
+ [View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0006/)"
+ id: TA0006
+ name: Credential Access
+ object-type: tactic
+- description: "The adversary is trying to figure out your environment.\r\n[View Here\
+ \ at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0007/)"
+ id: TA0007
+ name: Discovery
+ object-type: tactic
+- description: "The adversary is trying to move through your environment.\r\n[View\
+ \ Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0008/)"
+ id: TA0008
+ name: Lateral Movement
+ object-type: tactic
+- description: "The adversary is trying to gather data of interest to their goal.\r\
+ \n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0009/)"
+ id: TA0009
+ name: Collection
+ object-type: tactic
+- description: "The adversary is trying to communicate with compromised systems to\
+ \ control them.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0011/)"
+ id: TA0011
+ name: Command and Control
+ object-type: tactic
+- description: "The adversary is trying to steal data.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0010/)"
+ id: TA0010
+ name: Exfiltration
+ object-type: tactic
+- description: "The adversary is trying to manipulate, interrupt, or destroy your\
+ \ systems and data.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0040/)"
+ id: TA0040
+ name: Impact
+ object-type: tactic
+- description: The adversary is trying to obtain service without contractually paying
+ for it
+ id: TA5001
+ name: Fraud
+ object-type: tactic
+techniques:
+- access-required: service account, token, expanded privilege
+ architecture-segment: Roaming, Application Layer, Supply Chain
+ bluf: An adversary may breach or otherwise leverage a mobile network operator's
+ (MNO's) roaming partners or their service partners to gain access to subscriber's
+ services or obtain information about that subscriber from their home network.
+ criticalassets:
+ - Description: An adversary would want to compromise the cSEPP as it is the VPLMN
+ end-point for the N32c channel to the HPLMN.
+ Name: SEPP
+ - Description: An adversary would want to compromise the VPLMN UPF as it is used
+ as an endpoint on the roaming network for the N9 user plane interface between
+ UPFs.
+ Name: VPLMN UPF
+ - Description: "An adversary would want to compromise a trusted VAS with access\
+ \ to the MNO\u2019s core functions."
+ Name: VAS
+ description: " An adversary may breach or otherwise leverage a mobile network operator\u2019\
+ s (MNO\u2019s) roaming partners or their service partners to gain access to subscriber\u2019\
+ s services or obtain information about that subscriber from their home network.\
+ \ Since these relationships are of a more trusted nature, end-to-end security\
+ \ is not necessarily used.\r\n\r\nAn adversary may use the trusted relationship\
+ \ with other mobile network operators and their related service providers such\
+ \ as roaming hubs, roaming partners, national partners, SMS service providers,\
+ \ lookup services to gain access to subscriber information at the subscriber\u2019\
+ s home MNO. An adversary may take advantage of potentially weaker security at\
+ \ a roaming partner of a targeted MNO. The roaming MNO or their service partners\
+ \ could also be adversaries themselves. \r\n\r\nThese trusted relationships expose\
+ \ more interfaces to the roaming partner and their service providers than described\
+ \ in the related technique [FGT5029](/techniques/FGT5029). The information an\
+ \ adversary can obtain or modify about a subscriber and the subscriber\u2019s\
+ \ activity depends on the specific location and assets compromised and additional\
+ \ techniques used. Information such as location, call records, messages, etc.\
+ \ are potentially obtained. Adversary use of additional techniques to compromise\
+ \ the VPLMN UPF (N9 endpoint) may result in direct compromise of user plane data.\
+ \ The adversary may generate queries using specially crafted messages as described\
+ \ in [FGT5029](/techniques/FGT5029) or obtain credentials and operate as an apparently\
+ \ authorized partner would to collect information. Depending on the roaming partner\u2019\
+ s configuration, core functions may be directly exposed to service providers used\
+ \ by the roaming partner.\r\n\r\n"
+ detections:
+ - detects: Analysis of application logs on the HPLMN SEPP and PLMN NFs may indicate
+ unusual control channel activity.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Analysis of network traffic from VAS, and/or IPX may indicate unexpected
+ or unusual traffic.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1199.501
+ mitigations:
+ - fgmid: M1018
+ mitigates: Management of credentials used by partners to be scoped to the least
+ privilege can minimize potential abuse. Does not mitigate misuse within allowed
+ privileges.
+ name: User Account Management
+ - fgmid: M1030
+ mitigates: Minimize exposure of functions to only those partner functions that
+ need to access.
+ name: Network Segmentation
+ - fgmid: M1037
+ mitigates: Ensure communication with functions such as a SEPP is constrained to
+ necessary addresses, ports, and protocols.
+ name: Filter Network Traffic
+ - fgmid: M1054
+ mitigates: Validation of credentials properly can mitigate some AITM attacks and
+ ensure revoked/expired credentials are not allowed.
+ name: Software Configuration
+ name: MNO Roaming Partners
+ object-type: technique
+ platforms: SEPP
+ preconditions:
+ - Description: An adversary must already have compromised a trusted PLMN or one
+ of their service providers, e.g. IPX, VAS, etc.
+ Name: Compromised partner
+ - Description: An adversary may need compromised legitimate credentials that could
+ be used to obtain information from the MNO.
+ Name: Compromised credentials
+ - Description: An adversary may need to identify a vulnerability in an MNO network
+ function to send specially crafted requests to obtain initial access.
+ Name: Identified vulnerability
+ procedureexamples:
+ - Description: The service partner of the targeted MNO may themselves be targeted
+ as part of an attack chain using that roaming partners supply chain.
+ Name: Partner supply chain compromise
+ - Description: A roaming partner, may have an adversary with a privileged position
+ in the roaming or service partners organization and can use that position to
+ attempt additional techniques against the targeted MNO.
+ Name: Partner insider
+ references:
+ - \[1\] [5GS Roaming Guidelines Version 5.0 (non-confidential),
+ NG.113-v5.0, GSMA, December 2021](https://www.gsma.com/newsroom/wp-content/uploads//NG.113-v5.0.pdf)
+ - \[2\] [5G; Security Architecture and Procedures for 5G System,
+ TS 33.501 v16.10.0 Release 16, Sections 9.9, 13.1, 13.2, 3GPP, March 2022](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169)
+ - " \\[3\\] [ETSI White Paper No. 46 \u2013 MEC security: Status\
+ \ of standards support and future evolutions, 1st edition, ETSI, May 2021](https://www.etsi.org/images/files/ETSIWhitePapers/ETSI_WP_46-_MEC_security.pdf)"
+ - " \\[4\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ ,\_ October 2021](https://arxiv.org/abs/2108.11206\_\_)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1199
+ tactics:
+ - TA0001
+ - TA0040
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: User or Administrative access to repository
+ addendums:
+ - "#### Addendum Name: Compromised image\r\n##### Architecture Segments: Virtualization,\
+ \ Cloud Service Provider, OA&M, Supply Chain\r\n An adversary may install a compromised\
+ \ image in a 5G environment to achieve persistence. This could be achieved by\
+ \ either poisoning an image repository, compromising the MANO, or other means.\r\
+ \n\r\nThe 5G Virtual Network Function (VNF) software is either developed in house\
+ \ or supplied by a product vendor. Typically, software is stored in a deployment\
+ \ repository for deployment or for an orchestrator to use as part of an automated\
+ \ workload deployment activity. An adversary may install a compromised image\
+ \ in the repository of 5G VNFs and or VM (Virtual Machine)/Container images to\
+ \ later establish Command and Control (C2) connection and subsequent modification,\
+ \ discovery, and exfiltration operations.\r\n\r\nManagement and Orchestration\
+ \ (MANO) is a framework for managing and orchestrating network functions virtualization\
+ \ (NFV) infrastructure, resources, and services. It provides a standard approach\
+ \ for the management and orchestration of network services in NFV environments,\
+ \ including the automation of tasks such as network service deployment, scaling,\
+ \ and network function lifecycle management. A poisoned image can be installed\
+ \ using compromised MANO tool set during image acquisition, repository manipulation\
+ \ or deployment and configuration scripts.\r\n\r\n"
+ architecture-segment: Virtualization, Cloud Service Provider, OA&M, Supply Chain
+ bluf: Adversaries may implant cloud or container images with malicious code to establish
+ persistence after gaining access to an environment.
+ criticalassets:
+ - Description: An adversary may target the 5G core network domain
+ Name: Core components
+ - Description: An adversary may target the 5G core network domain
+ Name: RAN components
+ - Description: An adversary may target CI/CD pipeline components
+ Name: SDN components
+ - Description: An adversary may target security and operations tools
+ Name: System tools
+ description: "Adversaries may implant cloud or container images with malicious code\
+ \ to establish persistence after gaining access to an environment.\r\n[To read\
+ \ more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1525)\r\
+ \n"
+ detections:
+ - detects: Analyze logs and other CI/CD events to detect unauthorized activity
+ fgdsid: FGDS5012
+ name: SIEM
+ - detects: An automated image hash verification should be performed
+ fgdsid: FGDS5015
+ name: Image verification
+ id: FGT1525
+ mitigations:
+ - fgmid: FGM5088
+ mitigates: Development and production repositories should be separated to avoid
+ access and image slipovers. Production repositories should be access controlled
+ for accounts responsible for deployments and operations accounts only.
+ name: Separate repositories for development and production
+ - fgmid: FGM5089
+ mitigates: In addition to image name, deployment tools must use hash and verify
+ image during deployment
+ name: Verify image in deployment
+ - fgmid: FGM5090
+ mitigates: Logs from tools and repository must be corelated to ensure unauthorized
+ activity is reported.
+ name: Log correlation
+ - fgmid: M1035
+ mitigates: Access to repositories should be restricted to known networks from
+ where any authorized actions need be executed.
+ name: Limit Access to Resource Over Network
+ - fgmid: M1043
+ mitigates: Restricted Permissions to add images to repositories for person and
+ non-person accounts
+ name: Credential Access Protection
+ - fgmid: M1049
+ mitigates: Manual or automated image creation and storage must include image hash
+ name: Anti-virus & Anti-malware
+ name: Implant Internal Image
+ object-type: technique
+ platforms: VM, Container, Azure/AWS, IaaS, SDN
+ postconditions:
+ - Description: A compromised image deployed in the production can lead to variety
+ of adversarial activities depending on what capabilities were added/deleted
+ from the image.
+ Name: A Compromised Image is deployed in production
+ preconditions:
+ - Description: An image can be manipulated, or a new image can be introduced to
+ have same impact. Privileged Access to tool or repo is required.
+ Name: Credential and Access to repository and or image creation tools (i.e. Docker)
+ references:
+ - \[1\] [ENISA THREAT LANDSCAPE FOR 5G NETWORKS, December 2020,
+ section 6.2. Accessed April 13, 2021](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks/)
+ - \[2\] [Docker Documentation, Security, Content in Trust](https://docs.docker.com/engine/security/trust/)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0003
+ typecode: attack_technique_addendum
+- access-required: N/A
+ architecture-segment: Control Plane, Roaming
+ bluf: A adversary positioned in an operator network may send an SMS delivery location
+ query that will bypass the SMS home router of another operator, and which will
+ allow to get the location of the user device.
+ criticalassets:
+ - Description: 'Coarse location: In the form of routing info (MSC address)'
+ Name: UE location
+ description: " An adversary positioned in an operator network may send an SMS delivery\
+ \ location query that will bypass the SMS home router of another operator, allowing\
+ \ the adversary to get the location of the user device.\r\n\r\nSMS home routing\
+ \ bypassing is a technique that exploits incorrect implementation or configuration.\
+ \ An adversary sends an SMS delivery location query that does not get intercepted\
+ \ by the SMS home router, so it receives a response by providing the location\
+ \ of the adversary\u2019s target UE. \r\n \r\nThis technique is applicable to\
+ \ 3G, 4G, and 5G, since 5G systems still need to interconnect with SS7 networks.\
+ \ 5G supports both SMS over IP and SMS over NAS. The routes for SMS are still\
+ \ from SMSC (Short Message Service Center) to STP (Signaling Transfer Point) to\
+ \ either IP-SM-GW (IP Short Message Gateway) for SMS over IP or SMSF (SMS Function)\
+ \ for SMS over NAS. Refer to section 7.2 of [3].\r\n\r\n"
+ detections:
+ - detects: Logs of externally received messages requesting location of user or,
+ logs of outgoing responses to such messages can detect anomalies. Logs are on
+ the NF or functions which interface SMS home router such as MAP IWF or SMSC.
+ See Figure 27 of [3].
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5002
+ mitigations:
+ - fgmid: FGM5004
+ mitigates: Correctly configure SMS firewall in home network. [4]
+ name: Correctly configure SMS firewall
+ name: Bypass home routing
+ object-type: technique
+ platforms: 5G
+ preconditions:
+ - Description: Access to a host that could pass as belonging to a different operator
+ (roaming partner)
+ Name: Compromised SMS Center or STP
+ - Description: Access to the MSISDN of the user device
+ Name: "Get target user\u2019s phone number"
+ procedureexamples:
+ - Description: Incorrect implementation/configuration or compromised home SMS router
+ can allow bypass of the SMS location query messages. Deployed SMS router as
+ in Section 7.2.2 of [3]
+ Name: Send SMS location query via SS7 or Diameter
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ - " \\[2\\] [European Union Agency for Cybersecurity (ENISA),\
+ \ \u201CSignaling security in telecom SS7/Diameter/5G\u201D, March 2018](https://www.enisa.europa.eu/publications/signalling-security-in-telecom-ss7-diameter-5g\
+ \ )"
+ - " \\[3\\] [GSM Association, \u201COfficial Document NG.111\
+ \ - SMS Evolution\u201D, v2.0, Nov. 2020](https://www.gsma.com/newsroom/wp-content/uploads//NG.111-v2.0.pdf\
+ \ )"
+ - " \\[4\\] [Kirill Puzankov: \u201CHidden Agendas: bypassing\
+ \ GSMA recommendations on SS7 networks,\u201Daccessed on May 25, 2023](https://docplayer.net/136483279-Hidden-agendas-bypassing-gsma-recommendations-on-ss7-networks-kirill-puzankov.html)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA0005
+ typecode: fight_technique
+- architecture-segment: RAN
+ bluf: An adversary may employ a fake base station to bid down (downgrade) the victim
+ UE to a less secure Radio Access Network in order to exploit vulnerabilities in
+ that network.
+ criticalassets:
+ - Description: Data that the UE sends to/from the network (including identifiers).
+ Name: User data
+ description: " An adversary may employ a false base station to bid down (downgrade)\
+ \ the victim UE to a less secure Radio Access Network in order to exploit the\
+ \ vulnerabilities in that network. \r\n\r\nAn adversary located between the victim\
+ \ UE and real base stations may jam the 5G radio frequencies and use the false\
+ \ base station to generate illegitimate over-the-air signaling to deny service\
+ \ to 5G and induce the UE to operate over a less secure radio access network,\
+ \ such as 3G, 4G. This requires a UE profile that permits attaching to networks\
+ \ other than 5G.\r\n\r\nWhen the security profile in the UE allows connection\
+ \ to a less secure service, adversary denies service to 5G, bids down victim UE\
+ \ to less secure network (4G or 3G) with illegitimate signaling. Then the adversary\
+ \ bids down the UE to 2G network and orders the UE to transmit with no or weak\
+ \ encryption/integrity protection. However, note that 5G (Release 15 and later)\
+ \ supports an anti-bid-down feature: during the Authentication and Key Agreement\
+ \ (AKA) procedure, the network sends to the UE an \u201CABBA\u201D parameter (Anti\
+ \ Bidding Down between Architectures), which indicates the security features that\
+ \ the network possesses. When this feature is enabled, the UE is not to attach\
+ \ to earlier generation networks.\r\n\r\nAlso known as downgrading, the bidding\
+ \ down enables the adversary to perform additional following techniques using\
+ \ over the air interfaces, such as eavesdropping of user SMS and voice calls,\
+ \ user data or signaling manipulation, and privacy breaches. These privacy breaches\
+ \ may include exposure of the IMSI, location tracking of user, and impersonation\
+ \ of a user. \r\n\r\n"
+ detections:
+ - detects: At the UE side, the UE can tell that there is a 5G cell site that it
+ can hear, but if it eventually gets connected to a 4G cell site, then it may
+ have suffered a bidding down attack
+ fgdsid: FGDS5013
+ name: UE connecting to 4G
+ id: FGT1562.501
+ mitigations:
+ - fgmid: FGM5002
+ mitigates: UE should discard RRC redirection messages that are not integrity protected,
+ and go search for other gNBs. UE should only accept to register to networks
+ that require mutual auth and strong encryption, also integrity protection of
+ user plane. See [2]
+ name: Discard RAN signaling received without integrity protection
+ - fgmid: FGM5092
+ mitigates: UE warns user of lower security network (and the user can take action
+ to limit data or type of data, or to disconnect).
+ name: Warn user
+ - fgmid: FGM5097
+ mitigates: Set security profile to prohibit bidding down to less secure service.
+ name: Disable acceptance of a less secure system
+ name: Bid down UE
+ object-type: technique
+ platforms: 5G RAN
+ postconditions:
+ - Description: UE is now vulnerable to 4G threats.
+ Name: UE is connected to a 4G network
+ preconditions:
+ - Description: Adversary has procured a UE and gNB under its control, and the victim
+ UE is nearby
+ Name: False base station with strong signal and UE system
+ procedureexamples:
+ - Description: "UEs tend to attach to gNBs which have better signal condition than\
+ \ the gNB the UE is currently attached. False gNB with stronger signal strength\
+ \ than legitimate gNBs lures UE to connect, then sends RRC redirection message\
+ \ that is not integrity protected, so that the UE can\u2019t check its legitimacy.\
+ \ This RRCRelease message has the instruction for the UE to attach to a 4G cell\
+ \ instead (i.e, RedirectInfo as E-UTRA Absolute Radio Frequency Channel Number\
+ \ (E-ARFCN)"
+ Name: False gNB redirects UE to 4G.
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ - " \\[2\\] [DEFCON 24 article \u201CForcing Targeted LTE Cellphone\
+ \ Into Unsafe Network\u201D](https://www.scribd.com/document/350156530/forcing-targeted-lte-cellphone-into-unsafe-network)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1562
+ tactics:
+ - TA0005
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: OA&M
+ bluf: An adversary may gain access to an operator's roaming database (IR.21), which
+ can reveal the critical network assets of both the operator and its roaming partners.
+ criticalassets:
+ - Description: Information on the IP addresses of the mobile network nodes, along
+ with those of the interconnect/roaming nodes.
+ Name: Mobile network topology, interconnects.
+ - Description: Hostnames and IP addresses of core network functions like subscriber
+ databases and functions involved in roaming exchanges (e.g. Access and Mobility
+ Function (AMF)).
+ Name: IP addresses of core NFs
+ description: " An adversary may gain access to an operator's roaming database (IR.21),\
+ \ which can reveal the critical network assets of both the operator and its roaming\
+ \ partners.\r\n\r\nInternational Mobile Network Operators (MNOs) maintain information\
+ \ about their network infrastructure, roaming/interconnection configuration, and\
+ \ MNO partner billing agreements. This sensitive data is in a standardized format,\
+ \ under the name \u201CIR.21\u201D. GSMA (an operator forum) administers databases\
+ \ of IR.21 for all international MNO and allowing all MNOs access to it. This\
+ \ type of sensitive information is intended to be close held and not be publicly\
+ \ accessible; however, data leaks and insider attacks have occurred, and thus\
+ \ this information can be and has been used by adversaries in their discovery\
+ \ tactics.\r\n\r\n"
+ detections:
+ - detects: Leaking this information on the Internet is obvious
+ fgdsid: FGDS5008
+ name: Search Internet for leaks
+ - detects: Access to IR.21 file should be logged.
+ fgdsid: FGDS5009
+ name: Access to operator resource
+ id: FGT1592.501
+ mitigations:
+ - fgmid: FGM5500
+ mitigates: Control access to IR.21 files in GSMA. Host/application hosting this
+ file should guard against such leak.
+ name: Restrict access to operator OA&M resources
+ name: Internal resource search
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: IP addresses of core network functions known
+ Name: Discovered IP addresses
+ preconditions:
+ - Description: Adversary needs to access the operator databases or GSMA repositories
+ Name: Access to GSMA account; in some cases, none.
+ procedureexamples:
+ - Description: Claro Americas, and Vivo telecom, had their IR.21 database accessible
+ from an internet in 2016 (reference no longer available)
+ Name: IR.21 accessible from the Internet
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT1592
+ tactics:
+ - TA0043
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: Control Plane, Network Slice
+ bluf: An adversary may query the Network Repository Function (NRF) to discover restricted Network
+ Function (NF) services to further target that NF.
+ criticalassets:
+ - Description: It is possible for example to find out whether an operator provides
+ services to a certain customer. Or whether a user is also part of a private
+ slice e.g. DoD. There is slice isolation assurance loss with this threat.
+ Name: Operator network components and services
+ description: " An adversary may query the Network Repository Function (NRF) to discover\
+ \ restricted Network Function (NF) services to further target that NF. \r\n\r\n\
+ All active NFs in an operator network are to be securely registered with the NRF.\
+ \ Part of this registration information includes the type of NF, the particular\
+ \ services that NF provides, IP addresses, etc. \r\n\r\nConsumer NFs query the\
+ \ NRF for Producers NFs they need to interact with, but the NRF is expected to\
+ \ check that the Consumer NF is authorized to discover such Producer NFs. This\
+ \ type of signaling to the NRF can be abused to identify and target one or more\
+ \ NFs of interest. The NRF is expected to check discovery requests against the\
+ \ sender\u2019s profile, but this is prone to misconfiguration and therefore might\
+ \ not protect the restricted NF services.\r\n\r\nIn network slicing, the same\
+ \ principles of NRFs apply, and service discovery is restricted per slice; however,\
+ \ NFs in one slice may have a legitimate need to communicate with NFs in another\
+ \ slice. If NF discovery authorization controls are not supported by the NRF,\
+ \ the NF instance in one slice can discover NF instances belonging to other slices.\
+ \ For example, an NF in one slice should not be inquiring about NFs in other slices,\
+ \ unless it needs to communicate with them. \r\n\r\n\r\n"
+ detections:
+ - detects: Logging of all access requests/inquiries to NFs
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5003
+ mitigations:
+ - fgmid: FGM5003
+ mitigates: 'Ensure cross-layer checks at the NRF, between the certificate presented
+ to it at the TLS connection setup stage and the identity and authorization requested
+ presented to it at the OAuth Token request stage.
+
+ Ensure the consumer is authorized to ask about this service.
+
+
+ Authorization follows need-to-know rules, such as:
+
+ 1. an NF cannot query for NFs in other network slices
+
+ 2. an NF can only query for NFs that it needs to communicate with.'
+ name: Cross check between application layer and transport layer
+ - fgmid: FGM5501
+ mitigates: Inspect proxy servers such as SCP (if deployed) for any suspicious
+ use of access tokens such as unauthorized re-direct or replay of tokens
+ name: TLS proxy/firewalls with DPI on the SBA
+ name: Network Function Service Discovery
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: Information about what other services are provided by a given MNO
+ Name: Unauthorized probing of network services
+ preconditions:
+ - Description: NRF is by design open to connections from other network functions.
+ Control of another NF in the operator domain may be required.
+ Name: Access to NRF
+ - Description: SCP is compromised to hijack tokens.
+ Name: Access to SCP
+ procedureexamples:
+ - Description: A malicious NF can abuse access token issued by the NRF for one slice
+ to access another shared NF in a different slice. Clause H.2.2.1 of [2]
+ Name: Access token abuse
+ - Description: Access tokens can be hijacked by a compromised intermediate proxy
+ such as SCP (if deployed by operator). This attack can be followed by re-direct
+ or replay of access tokens. Clause 3.9 of [3]
+ Name: Access token hijack
+ references:
+ - " \\[1\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ - " \\[2\\] [3GPP Technical Report 33.926, \u201CSecurity Assurance\
+ \ Specification (SCAS) threats and critical assets in 3GPP network product classes\u201D\
+ , Release 17.](https://www.3gpp.org/DynaReport/33926.htm )"
+ - " \\[3\\] [Internet Engineering Task Force (IETF) \u201COAuth\
+ \ 2.0 Security Best Current Practice\u201D, draft-ietf-oauth-security-topics-05,\
+ \ June 2022.](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0007
+ typecode: fight_technique
+- access-required: User or Administrative access to repository
+ architecture-segment: Virtualization
+ bluf: An adversary may discover Software Defined Network (SDN) flow information,
+ which could then open opportunity for lateral movement and unauthorized changes
+ in the network.
+ criticalassets:
+ - Description: Adversary may target a particular network controller, network element,
+ CI/CD, security, and operations tools to manipulate SDN network flows.
+ Name: SDN Controller and Network Elements, operations, and security tools
+ - Description: Adversary may target configuration or network flow data
+ Name: SDN Configurations file, Network flow tables
+ description: " An adversary may discover Software Defined Network (SDN) flow information,\
+ \ which could then be used for lateral movement and unauthorized changes in the\
+ \ network.\r\n\r\nTo achieve this, an adversary must compromise an SDN element\
+ \ (e.g., controller, router, switch) to forge network data and launch other attacks,\
+ \ such as denial of service. While data forging could relate to data held by\
+ \ any component of an SDN (e.g., network switches, controllers and/or SDN applications),\
+ \ a threat specific to SDN consists of forging requests from accessible low level\
+ \ SDN controllers to upper-level ones. This could then drive the upper level\
+ \ controllers\u2019 decisions on how to redefine large parts of the network. In\
+ \ the literature, this scenario has been identified as a threat related to components\
+ \ in the data plane and the controller plane of any SDN network (IP-WAN, IP-LAN,\
+ \ RAN, Transport).\r\n\r\n\r\n"
+ detections:
+ - detects: Periodically audit SDN and Network element configuration and compare
+ with baseline configuration to detect unauthorized changes
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Periodically audit network flow tables to detect unauthorized changes
+ to flow data
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Analyze logs to detect unauthorized activity
+ fgdsid: FGDS5014
+ name: SDN Access Logs
+ id: FGT5004
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Strong integrity protection method should be employed on APIs carrying
+ control plane traffic between Controller and network element as well as controller
+ and SDN application to avoid adversary in the middle threats
+ name: Integrity protection of data communication
+ - fgmid: FGM5090
+ mitigates: Logs from SDN Controller and network elements must be corelated to
+ ensure unauthorize activity is reported. Similarly, flow rules change log should
+ be reviewed and reconciled with authorized changes.
+ name: Log correlation
+ - fgmid: FGM5091
+ mitigates: Mutual authentication between the SDN controller and network elements. The
+ SDN controller and SDN application can be used to prevent unauthorized access
+ name: Mutual authentication
+ - fgmid: M1022
+ mitigates: 'Restricted Permissions to add images to SDN Controller and Network
+ Elements for person and non-person accounts.
+
+
+ Restrict permissions for person and non-person accounts to prevent flow rule
+ insertion or modification'
+ name: Restrict File and Directory Permissions
+ - fgmid: M1030
+ mitigates: Physical and logical segmentation can prevent lateral movements.
+ name: Network Segmentation
+ - fgmid: M1041
+ mitigates: Strong encryption should be used on APIs carrying control plane traffic
+ between Controller and network element as well as controller and SDN application
+ to avoid adversary in the middle threats
+ name: Encrypt Sensitive Information
+ - fgmid: M1053
+ mitigates: All SDN Configurations should be backed up and periodically audited
+ to see differences between running configuration and back up configurations
+ name: Data Backup
+ - fgmid: M1054
+ mitigates: Keep baseline configurations up to date to avoid loopholes due to stale
+ configuration or configuration drift.
+ name: Software Configuration
+ name: Network Flow Manipulation
+ object-type: technique
+ platforms: SDN
+ postconditions:
+ - Description: Network flow compromise can lead to DOS, or change the traffic pattern
+ and paths. Adversary may change the path for network sniffing or for MiTM activity.
+ Name: Network flow compromise
+ preconditions:
+ - Description: Privileged Access to SDN controller and Network elements
+ Name: Credential and Access to SDN Controller and network elements
+ references:
+ - " \\[1\\] [ENISA, \u201CThreat Landscape and Good Practice\
+ \ Guide for Software Defined Networks/5G\u201D, Jan. 2016](https://www.enisa.europa.eu/publications/sdn-threat-landscape\
+ \ )"
+ - " \\[2\\] [Scott-Hayward, S., O'Callaghan, G., & Sezer, S.\
+ \ \u201CSDN Security: A Survey\u201D. 2013 IEEE SDN for Future. Networks and Services\
+ \ (SDN4FNS) (pp. 1-7)](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702c553&tag=1\
+ \ )"
+ - " \\[3\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0009
+ - TA0007
+ typecode: fight_technique
+- access-required: User or Administrative access to repository
+ architecture-segment: Virtualization
+ bluf: An adversary may use the compromised SDN controller or Control plane API to
+ modify network flow rules, or traffic management policies.
+ criticalassets:
+ - Description: Adversary may target a particular network controller, network element,
+ CI/CD, security, and operations tools to manipulate SDN network flows.
+ Name: SDN Controller and Network Elements, operations, and security tools
+ - Description: Adversary may target configuration to manipulate controller and network
+ element behavior
+ Name: SDN controller Configuration file
+ description: " An adversary may use the compromised SDN controller or Control plane\
+ \ API to modify network flow rules, or traffic management policies.\r\n\r\nAn\
+ \ SDN controller is a centralized control application for policy, device configuration,\
+ \ and traffic flow management. SDN controller compromise can allow an adversary\
+ \ to change the traffic path for offensive or defensive evasion purposes as well\
+ \ as cause denial of service to certain networks or end points. SDN Controller\
+ \ application is typically installed on a physical over virtual server and communicate\
+ \ northbound to other OAM applications as well as southbound to network switches.\
+ \ SDN controller acts as an Operating System for the Network in SDN architecture\
+ \ and is widely deployed in data centers and wide area network connections (SD-WAN).\r\
+ \n\r\n\r\n"
+ detections:
+ - detects: Periodically audit SDN and Network element configuration to detect unauthorized
+ changes
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Periodically audit network flow tables to detect unauthorized changes
+ to flow data
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Analyze logs to detect unauthorized activity
+ fgdsid: FGDS5014
+ name: SDN Access Logs
+ id: FGT5004.001
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Strong integrity protection method should be employed on APIs carrying
+ control plane traffic between Controller and network element as well as controller
+ and SDN application to avoid adversary in the middle threats
+ name: Integrity protection of data communication
+ - fgmid: FGM5090
+ mitigates: Logs from SDN Controller and network elements must be corelated to
+ ensure unauthorize activity is reported. Similarly flow rules change log should
+ be reviewed and reconciled with authorized changes.
+ name: Log correlation
+ - fgmid: FGM5091
+ mitigates: Mutual authentication between SDN controller and network elements,
+ SDN controller and SDN application can prevent unauthorized access
+ name: Mutual authentication
+ - fgmid: M1022
+ mitigates: 'Restricted Permissions to add application images to SDN Controller
+ for person and non-person accounts.
+
+
+ Restricted permissions for person and non-person accounts to prevent flow rule
+ insertion or modification'
+ name: Restrict File and Directory Permissions
+ - fgmid: M1030
+ mitigates: Physical and logical segmentation can prevent lateral movements. Segmentation
+ techniques in the hosts and network will reduce the chances of lateral movement
+ to the control.
+ name: Network Segmentation
+ - fgmid: M1041
+ mitigates: Strong encryption should be used on APIs carrying control plane traffic
+ between Controller and network element as well as controller and SDN application
+ to avoid adversary in the middle threats
+ name: Encrypt Sensitive Information
+ - fgmid: M1053
+ mitigates: SDN controller configurations should be backed up and periodically
+ audited to see differences between running configuration and back up configurations
+ name: Data Backup
+ - fgmid: M1054
+ mitigates: Keep baseline configuration up to date to avoid loopholes due to stale
+ configuration or configuration drift.
+ name: Software Configuration
+ name: 'Controller '
+ object-type: technique
+ platforms: SDN Controller
+ postconditions:
+ - Description: Network flow compromise can lead to DOS, or change the traffic pattern
+ and paths. Adversary may change the path for network sniffing or for MiTM activity.
+ Name: Network flow compromise
+ preconditions:
+ - Description: Privileged Access to SDN controller via direct login or through SDN
+ control plane APIs
+ Name: Credential and Access to SDN Controller
+ references:
+ - " \\[1\\] [ENISA, \u201CThreat Landscape and Good Practice\
+ \ Guide for Software Defined Networks/5G\u201D, Jan. 2016](https://www.enisa.europa.eu/publications/sdn-threat-landscape\
+ \ )"
+ - " \\[2\\] [Scott-Hayward, S., O'Callaghan, G., & Sezer, S.\
+ \ \u201CSDN Security: A Survey\u201D. 2013 IEEE SDN for Future. Networks and Services\
+ \ (SDN4FNS) (pp. 1-7)](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702553&tag=1\
+ \ )"
+ - " \\[3\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5004
+ tactics:
+ - TA0009
+ - TA0007
+ typecode: fight_subtechnique
+- access-required: User or Administrative access to repository
+ architecture-segment: Virtualization
+ bluf: An adversary may compromise a vSwitch in an SDN network to manipulate the
+ network traffic or cause denial of service
+ criticalassets:
+ - Description: Adversary may target a particular network controller, network element,
+ CI/CD, security, and operations tools to manipulate SDN network flows in a vSwitch
+ Name: SDN vSwitch, operations, and security tools
+ - Description: Adversary may target configuration to manipulate vSwitch and network
+ behavior
+ Name: SDN vSwitch Configuration file
+ - Description: Network flows are stored in Network Flow tables, usually refer to
+ as route or switch tables that vSwitch uses to decide which packet forwarding
+ port to use for incoming packets
+ Name: SDN vSwitch flow table
+ description: " An adversary may compromise a vSwitch in an SDN network to manipulate\
+ \ the network traffic or cause denial of service\r\n\r\nAn SDN vSwitch is like\
+ \ a layer 2 switch that connects devices to the network and performs packet forwarding\
+ \ between the switch ports. This threat involves compromising an SDN vSwitch (an\
+ \ SDN device responsible for packet/data switching between different ingress and\
+ \ egress ports) to forge network data and launch other attacks (e.g., DoS). Adversary\
+ \ may target vSwitch configuration or directly manipulate network flow tables\
+ \ in memory to drive their decisions on how to redefine large parts of the network.\
+ \ \r\n\r\n\r\n"
+ detections:
+ - detects: Periodically audit SDN and Network element configuration and compare
+ with baseline configuration to detect unauthorized changes
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Periodically audit network flow tables to detect unauthorized changes
+ to flow data
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Analyze logs to detect unauthorized activity
+ fgdsid: FGDS5014
+ name: SDN Access Logs
+ id: FGT5004.002
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Strong integrity protection method should be employed on APIs carrying
+ control plane traffic between Controller and network element as well as controller
+ and vSwitch to avoid adversary in the middle threats
+ name: Integrity protection of data communication
+ - fgmid: FGM5090
+ mitigates: Logs from SDN Controller and network elements must be correlated to
+ ensure unauthorized activity is reported. Similarly flow rules change log should
+ be reviewed and reconciled with authorized changes.
+ name: Log correlation
+ - fgmid: FGM5091
+ mitigates: Mutual authentication between SDN controller and vSwitch can prevent
+ unauthorized access
+ name: Mutual authentication
+ - fgmid: M1022
+ mitigates: 'Restricted Permissions to add application images to SDN vSwitch for
+ person and non-person accounts.
+
+
+ Restricted permissions for person and non-person accounts to prevent flow rule
+ insertion or modification directly on the vSwitch'
+ name: Restrict File and Directory Permissions
+ - fgmid: M1030
+ mitigates: Physical and logical segmentation can prevent lateral movements. Segmentation
+ techniques in the hosts and network will reduce the chances of lateral movement
+ to the control.
+ name: Network Segmentation
+ - fgmid: M1041
+ mitigates: Strong encryption should be used on APIs carrying control plane traffic
+ between Controller and network element as well as controller and vSwitch to
+ avoid adversary in the middle threats
+ name: Encrypt Sensitive Information
+ - fgmid: M1053
+ mitigates: SDN vSwitch configurations should be backed up and periodically audited
+ to see differences between running configuration and back up configurations
+ name: Data Backup
+ - fgmid: M1054
+ mitigates: Keep baseline configuration up to date to avoid loopholes due to stale
+ configuration or configuration drift.
+ name: Software Configuration
+ name: vSwitch
+ object-type: technique
+ platforms: SDN vSwitch, Network Element
+ postconditions:
+ - Description: Network flow compromise can lead to DOS or change the traffic pattern
+ and paths. Adversary may change the path for network sniffing or for AiTM activity.
+ Name: Network flow compromise
+ preconditions:
+ - Description: Privileged Access to SDN vSwitch via direct login or through SDN
+ control plane APIs
+ Name: Credential and Access to SDN vSwitch
+ references:
+ - " \\[1\\] [ENISA, \u201CThreat Landscape and Good Practice\
+ \ Guide for Software Defined Networks/5G\u201D, Jan. 2016](https://www.enisa.europa.eu/publications/sdn-threat-landscape\
+ \ )"
+ - " \\[2\\] [Scott-Hayward, S., O'Callaghan, G., & Sezer, S.\
+ \ \u201CSDN Security: A Survey\u201D. 2013 IEEE SDN for Future. Networks and Services\
+ \ (SDN4FNS) (pp. 1-7)](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702553&tag=1\
+ \ )"
+ - " \\[3\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5004
+ tactics:
+ - TA0009
+ - TA0007
+ typecode: fight_subtechnique
+- access-required: User or Administrative access to repository
+ architecture-segment: OA&M, Virtualization
+ bluf: Adversaries may bridge network boundaries by modifying a network device's
+ Virtual Network Function Configuration.
+ criticalassets:
+ - Description: Adversary may target a particular network controller, network element,
+ CI/CD, security to manipulate VNF behavior
+ Name: VNF orchestrators/managers
+ - Description: Adversary may target particular operations tools to manipulate VNF
+ behavior
+ Name: VNF operations tools
+ - Description: Adversary may target particular security tools to manipulate VNF
+ behavior
+ Name: VNF security tools
+ - Description: Adversary may target configuration in the VNF, stored in backups,
+ or part of the code
+ Name: VNF Configuration file
+ description: " Adversaries may bridge network boundaries by modifying a Virtual\
+ \ Network Function\u2019s Configuration.\r\n\r\nAny VNF that serves as a Middlebox\
+ \ or Proxy can be targeted by adversary for configuration exploits (Network Address\
+ \ Translation (NAT), Gateways, Security Edge Protection Proxies (SEPPs), IP Exchange\
+ \ (IPXs) entities). Configuration stored on the device determines the device behavior\
+ \ for middle boxes such as NAT or application GWs. Start up and run time configuration\
+ \ data can be manipulated for nefarious purposes. SDN VNF unauthorized configuration\
+ \ changes can lead modified 5G traffic flows and may bridge otherwise isolated\
+ \ slices. \r\n\r\n"
+ detections:
+ - detects: Image life cycle and runtime events
+ fgdsid: DS0007
+ name: Image
+ - detects: Audit configuration - Periodically audit VNF configuration to detect
+ unauthorized changes
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Access Logs - Analyze logs to detect unauthorized activity to VNF and
+ other tools used in lifecycle management and security of the VNF
+ fgdsid: DS0028
+ name: Logon Session
+ - detects: Audit network flow - Audit network flows to VNF and other tools used
+ in lifecycle management and security of the VNF
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5039
+ mitigations:
+ - fgmid: M1033
+ mitigates: VNF Access Rights -Restricted Permissions to add images to VNFs (Network
+ Element) for person and non-person accounts
+ name: Limit Software Installation
+ - fgmid: M1047
+ mitigates: Logs from VNFs must be corelated with other OA&M and Security monitoring
+ tools to ensure unauthorize activity is reported. SEIM like system should be
+ deployed to correlate events.
+ name: Audit
+ - fgmid: M1053
+ mitigates: Configuration back ups -All VNF Configurations should be backed up
+ and periodically audited to see differences between running configuration and
+ back up configurations as well as comparison between configuration catalogue
+ and running instance
+ name: Data Backup
+ name: Manipulate Virtual Network Function (VNF) Configuration
+ object-type: technique
+ platforms: SDN vSwitch, Network Element
+ postconditions:
+ - Description: VNF compromise can lead to DOS or change in the traffic pattern and
+ paths.
+ Name: Unexpected and unusual VNF behavior
+ preconditions:
+ - Description: Privileged Access to VNF or VNF managers via direct login or through
+ Control Plane APIs
+ Name: Credential and Access
+ procedureexamples:
+ - Description: Active configuration changes can be made when direct access to VNF
+ or its element managers is available
+ Name: Active configuration changes
+ - Description: Configuration as a code repository or back up configuration store
+ can be manipulated to cause an NF to take compromised configuration upon reboot
+ or re-instantiation
+ Name: Stored or Coded configuration
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0005
+ typecode: fight_technique
+- addendums:
+ - "#### Addendum Name: VM and Container Breakout\r\n##### Architecture Segments:\
+ \ Virtualization, OA&M\r\n Adversary may be able to break out of VM/Container\
+ \ to host to compromise co-resident tenant VM/Container for discovery and exfiltration\
+ \ and host-based privilege escalation. \r\n\r\nVM guest OS may escapes from its\
+ \ VM encapsulation to interact directly with the hypervisor. This gives the adversary\
+ \ access to all VMs and, if guest privileges are high enough, the host machine\
+ \ as well. Although few if any instances are known, experts consider VM escape\
+ \ to be the most serious threat to VM security.\r\n\r\nSimilarly, a container\
+ \ may also create privileged access to Host file system or execution environment.\r\
+ \n\r\n5G deployments may include PNFs as well as VNFs. VNFs may be deployed over\
+ \ Type1 or Type2 VMs or as Containers over guest OS, or over a VM. Examples of\
+ \ 5G functions deployed as CNF due to scaling requirements may include 5G Core\
+ \ capabilities of AMF, SMF, UPF and RAN Capabilities of CU, DU, RIC, x-Apps, r-Apps.\
+ \ A container or VM escape can expose control and user plane traffic as well\
+ \ as credentials to allow adversary to further carry out attacks on the network.\r\
+ \n\r\n"
+ architecture-segment: Virtualization, OA&M
+ bluf: Adversaries may break out of a container to gain access to the underlying
+ host.
+ criticalassets:
+ - Description: Any capabilities deployed as VNF or CNF
+ Name: VNF, CNF
+ - Description: Host OS, VM host server becomes a bridging device between tenant
+ VMs and Containers if compromised
+ Name: VM, Contianer host
+ - Description: In addition to application data exposure, credential exposure is
+ usually a key target for adversary to open the doors for many other exploits.
+ Name: Credentials
+ description: "Adversaries may break out of a container to gain access to the underlying\
+ \ host.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1611)\r\
+ \n"
+ detections:
+ - detects: Monitor process creation and OS API execution activity.
+ fgdsid: DS0009
+ name: Process
+ - detects: Monitor for the deployment of suspicious or unknown container images
+ and pods in your environment, particularly containers running as root.
+ fgdsid: DS0032
+ name: Container
+ - detects: Monitor cluster-level (Kubernetes) data and events associated with changing
+ containers' volume configurations.
+ fgdsid: DS0034
+ name: Volume
+ id: FGT1611
+ mitigations:
+ - fgmid: M1026
+ mitigates: 'Rootless containers: Ensure containers are not running as root by
+ default. In Kubernetes environments, consider defining a Pod Security Policy
+ that prevents pods from running privileged containers.'
+ name: Privileged Account Management
+ - fgmid: M1038
+ mitigates: Use read-only containers, read-only file systems, and minimal images
+ when possible, to prevent the running of commands.
+ name: Execution Prevention
+ - fgmid: M1048
+ mitigates: Consider utilizing seccomp, seccomp-bpf, or a similar solution that
+ restricts certain system calls such as mount. In Kubernetes environments, consider
+ defining a Pod Security Policy that limits container access to host process
+ namespaces, the host network, and the host file system
+ name: Application Isolation and Sandboxing
+ name: Escape to Host
+ object-type: technique
+ platforms: Windows, Linux, MacOS
+ procedureexamples:
+ - Description: Container was configured to bind to the host root directory
+ Name: S0600
+ - Description: Hildegard used the BOtB tool that can break out of Container
+ Name: S0601
+ - Description: "Peirates\_can gain a reverse shell on a host node by mounting the\
+ \ Kubernetes hostPath."
+ Name: S0683
+ - Description: "Siliscape maps the hosts\u2019s C drive to the contianer by creating\
+ \ a global symbolic link of NtSetInformationSymbolicLink"
+ Name: S0623
+ - Description: TeamTNT has deployed privileged containers that mount the filesystem
+ of victim machine
+ Name: G0139
+ references:
+ - \[1\] [ETSI NFV SEC023, Container security spec (WIP) v004.](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC023_Container_Security_Spec)
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ - " \\[3\\] [Github, \u201CAwesome VM exploit\u201D](https://github.com/WinMin/awesome-vm-exploit\
+ \ )"
+ - \[4\] [Project Zero](https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html
+ )
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0008
+ - TA0004
+ typecode: attack_technique_addendum
+- access-required: Administrative access, Access to install scraper malware
+ architecture-segment: Virtualization
+ bluf: An adversary may be able to read memory registers to discover privileged information
+ such as local password comparison, encryption key etc.
+ criticalassets:
+ - Description: Adversary may target a particular network controller, network element,
+ CI/CD, security, and operations tools to collect data
+ Name: SDN controller and network elements (or any target host)
+ - Description: Adversary may target configuration or network flow data
+ Name: SDN configurations file, Network flow tables
+ description: " An adversary may be able to read memory registers to discover privileged\
+ \ information such as local password comparison, encryption key etc.\r\n\r\nAn\
+ \ adversary can achieve this by scanning the physical memory used by a given software\
+ \ program. This will give the adversary access to any information that the program\
+ \ has access to, which could be sensitive. While memory scraping can affect components\
+ \ of any layer of the network, this type of threat has been primarily a focus\
+ \ of SDN application servers where the adversary can have greater advantage, if\
+ \ successful, in discovering sensitive information (credentials such as token\
+ \ and keys). \r\n\r\nAdversaries may use memory scraping to target different components\
+ \ of the core network, a core dump of an SDN controller (e.g. as the result of\
+ \ malicious software) can be used to exploit private data. Once successfully performed,\
+ \ memory scraping can be used to extract sensitive SDN data (e.g. flow rules at\
+ \ the northbound API).[2]\r\n\r\n"
+ detections:
+ - detects: Analyze logs to detect unauthorized activity
+ fgdsid: DS0015
+ name: Application Log
+ - detects: All inbound and outbound connections should be audited for unauthorized
+ activity
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5005
+ mitigations:
+ - fgmid: FGM5090
+ mitigates: Logs from SDN controller and network elements must be correlated to
+ ensure unauthorize activity (file transfer, patch installs, process init) is
+ reported.
+ name: Log correlation
+ - fgmid: M1033
+ mitigates: Restrict permissions to add software to SDN controller and network
+ elements for person and non-person accounts
+ name: Limit Software Installation
+ - fgmid: M1047
+ mitigates: SDN controllers and network elements scanned for file changes and processes.
+ name: Audit
+ name: Memory Scraping
+ object-type: technique
+ platforms: SDN, Hosts
+ preconditions:
+ - Description: Privileged access to SDN controller and network elements to transfer
+ and install malware to the target host.
+ Name: Credential and access to SDN controller and network elements
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, section 6.2, December\
+ \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [ENISA, \u201CThreat Landscape and Good Practice\
+ \ Guide for Software Defined Networks/5G\u201D, Jan. 2016](https://www.enisa.europa.eu/publications/sdn-threat-landscape\
+ \ )"
+ - " \\[3\\] [ETSI GS NFV-SEC 009 V1.1.1, \u201CNFV Security:\n\
+ Report on use cases and technical approaches for multi-layer host administration\u201D\
+ , December 2015](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/009/01.01.01_60/gs_nfv-sec009v010101p.pdf\
+ \ )"
+ - " \\[4\\] [N. Huq, \u201CPoS RAM Scraper Malware: Past, Present,\
+ \ and Future,\u201D Trend Micro, accessed May 25, 2023](https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf\
+ \ )"
+ - " \\[5\\] [J. Hizver, \u201CTaxonomic Modeling of Security\
+ \ Threats in Software Defined Networking\u201D, Blackhat Conference, Aug. 2015](https://www.blackhat.com/docs/us-15/materials/us-15-Hizver-Taxonomic-Modeling-Of-Security-Threats-In-Software-Defined-Networking-wp.pdf\
+ \ )"
+ - " \\[6\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA0009
+ typecode: fight_technique
+- access-required: NF Service Account credentials
+ addendums:
+ - "#### Addendum Name: Control plane signaling disguise for C2\r\n##### Architecture\
+ \ Segments: Control Plane\r\n An adversary may use Control Plane signaling between\
+ \ Network Functions (NFs) of the Service Based Architecture to disguise adversary\u2019\
+ s C2 communication.\r\n\r\nThe 5G NFs may implement TLS and HTTP/2 for their communications\
+ \ (e.g. via Service Based Interfaces), which means the traffic will be encrypted.\
+ \ This type of communication between authorized NFs may be used to avoid detection\
+ \ by using legitimate protocols and port numbers and encrypting that data. Encryption\
+ \ makes it difficult to employ detection techniques to identify suspicious traffic\
+ \ patterns. In addition, HTTP/2 optional parameters may be used to communicate\
+ \ between a core NF and an external application function via NEF or between\
+ \ an NF in visited PLMN and an NF in home PLMN via SEPP.\r\nIn the same fashion,\
+ \ an adversary may use encrypted channels between authenticated NFs to disguise\
+ \ C2 communication.\r\n\r\n"
+ architecture-segment: Control Plane
+ bluf: Adversaries may communicate using application layer protocols to avoid detection/network
+ filtering by blending in with existing traffic.
+ criticalassets:
+ - Description: IP addresses. FQDNs and TLS connections of core NFs are used for
+ nefarious purposes
+ Name: Operator resource identifiers and signaling
+ description: "Adversaries may communicate using application layer protocols to avoid\
+ \ detection/network filtering by blending in with existing traffic.\r\n[To read\
+ \ more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1437)\r\
+ \n"
+ detections: []
+ id: FGT1437
+ mitigations:
+ - fgmid: FGM5501
+ mitigates: "Employ TLS proxies with DPI firewalls. TLS proxy/firewall can employ\
+ \ DPI to decrypt the packets and send them off to their destination, but only\
+ \ after logging what the packet contains. \nThe firewalls/proxies connect to\
+ \ a SIEM whose data is being kept up to date with current threats. Service communication\
+ \ proxy (SCP) can be also used for this purpose."
+ name: TLS proxy/firewalls with DPI on the SBA
+ name: Application Layer Protocol
+ object-type: technique
+ platforms: 5G Network
+ procedureexamples:
+ - Description: 'The signaling AF to NEF to UDM and back from UDM to NEF to AF is
+ used in several procedures [1]. Example: NIDD (non-IP data delivery) (see clause
+ 4.25 of [2]), or VN (Virtual Network) group management. See clause 4.15.6 of
+ [2].'
+ Name: Third party app (AF) to Network Exposure Function (NEF) to Core NF used
+ as a data exfiltration channel
+ - Description: AMF in vPLMN communicates to AUSF in hPLMN during UE authentication.
+ This channel can be used to disguise C2 communication.
+ Name: An NF in vPLMN to an NF in hPLMN via SEPP
+ references:
+ - " \\[1\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP) TS 23.502,\
+ \ \u201CProcedures for the 5G System (5GS); Stage 2 (Release 17)\u201D, Technical\
+ \ Specification, v17.4.0, March 2022.](https://www.3gpp.org/DynaReport/23502.htm)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0011
+ typecode: attack_technique_addendum
+- access-required: Administrative access
+ addendums:
+ - "#### Addendum Name: Infrastructure local account\r\n##### Architecture Segments:\
+ \ OA&M\r\n An adversary may use local administrative privileges to bypass network\
+ \ controls responsible for access controls and software to achieve persistence.\
+ \ \r\n\r\nIn a 5G deployment, unmanned locations or low security sites may be\
+ \ exposed to adversary using local communication, auxiliary or serial interfaces\
+ \ to gain access to device using device local account. \r\n\r\nAn adversary with\
+ \ a legitimate or compromised local network operator administrative account may\
+ \ perform unauthorized administration of devices and systems. Some devices always\
+ \ maintain local accounts in addition to networked IDAM/ICAM. Unauthorized administration\
+ \ of devices and systems can be done using these local administrative accounts.\
+ \ \r\n\r\n"
+ architecture-segment: OA&M
+ bluf: Adversaries may obtain and abuse credentials of a local account as a means
+ of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
+ criticalassets:
+ - Description: Any 5G, Network, OSS and Security capability deployed as PNF supporting
+ local accounts
+ Name: Physical Network Functions
+ - Description: Any Virtualization and Network host supporting local account
+ Name: Infrastructure servers
+ description: "Adversaries may obtain and abuse credentials of a local account as\
+ \ a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense\
+ \ Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1078/003)\r\
+ \n"
+ detections:
+ - detects: User Account authentication
+ fgdsid: DS0002
+ name: User Account
+ - detects: Logon session
+ fgdsid: DS0028
+ name: Logon Session
+ id: FGT1078.003
+ mitigations:
+ - fgmid: M1026
+ mitigates: Privileged account management
+ name: Privileged Account Management
+ - fgmid: M1027
+ mitigates: Passwords Policies to ensure secure local accounts across all devices
+ that necessitate local accounts
+ name: Password Policies
+ name: Local Accounts
+ object-type: technique
+ platforms: Infrastructure, PNF
+ references:
+ - " \\[1\\] [ENISA \u201CThreat Landscape and Good Practice Guide\
+ \ for Software Defined Networks/5G\u201D, Jan. 2016, Table 1, and 2](https://www.enisa.europa.eu/publications/sdn-threat-landscape)"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ ,\_ October 2021](https://arxiv.org/abs/2108.11206\_\_)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1078
+ tactics:
+ - TA0003
+ typecode: attack_subtechnique_addendum
+- access-required: Administrative access
+ addendums:
+ - "#### Addendum Name: Unauthorized software in NFVI\r\n##### Architecture Segments:\
+ \ Virtualization, OA&M\r\n An adversary may implant rootkits in the Network Function\
+ \ Virtualization Infrastructure (NFVI) that will hide the presence of programs,\
+ \ files, network connections, services, drivers, and other system components.\r\
+ \n\r\nRootkits are a special type of malware designed to remain hidden on a target\
+ \ computer. These Rootkits can be created for hardware and firmware for CMOS and\
+ \ other chips, Kernel, Memory, and Applications. \r\n\r\nAdversaries may implant\
+ \ rootkits during device manufacturing process, use compromised CI/CD pipeline,\
+ \ direct access to device to implant rootkits in the Cloud, MEC, RAN, UE components.\r\
+ \n\r\nAdversaries may use rootkit compromise for other actions such as credential\
+ \ dumping, configuration changes, or attack other components in the network. Rootkits\
+ \ are hard to detect and may not be easily identified by end point protection\
+ \ software. Host suspected of rootkit infection may need to be quarantined and\
+ \ rebuilt from scratch with known good software.\r\n\r\n"
+ architecture-segment: Virtualization, OA&M
+ bluf: Adversaries may use rootkits to hide the presence of programs, files, network
+ connections, services, drivers, and other system components.
+ criticalassets:
+ - Description: NFVI components that support virtualization and network connecting
+ the virtual functions.
+ Name: Physical, Virtual, and cloud native functions
+ - Description: Any compute entity that supports data processing functions, including
+ Linux/Windows hosts, VMs, and or specialty equipment that has address and interacts
+ with other NFVI elements.
+ Name: Hosts
+ description: "Adversaries may use rootkits to hide the presence of programs, files,\
+ \ network connections, services, drivers, and other system components.\r\n[To\
+ \ read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1014)\r\
+ \n"
+ detections:
+ - detects: Software image inconsistency. Signature and checksum mismatch
+ fgdsid: DS0007
+ name: Image
+ - detects: Kernel executing unknown processes or unauthorized processes not typical
+ of the host.
+ fgdsid: DS0008
+ name: Kernel
+ - detects: Active processes or process log may reveal unauthorized activity due
+ to rootkits
+ fgdsid: DS0009
+ name: Process
+ - detects: Background services not typically associated with the host
+ fgdsid: DS0019
+ name: Service
+ - detects: File changes of any sort that cannot be traced back to authorized change.
+ fgdsid: DS0022
+ name: File
+ - detects: Network traffic pattern may reveal remote C2 communication from rootkit
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1014
+ mitigations:
+ - fgmid: M1018
+ mitigates: User Account Management
+ name: User Account Management
+ - fgmid: M1045
+ mitigates: Code Signing
+ name: Code Signing
+ - fgmid: M1046
+ mitigates: Boot integrity
+ name: Boot Integrity
+ - fgmid: M1047
+ mitigates: System audits can reveal anomalous behavior that may be caused by rootkits.
+ name: Audit
+ - fgmid: M1051
+ mitigates: Update Software
+ name: Update Software
+ name: Rootkit
+ object-type: technique
+ platforms: Infrastructure, PNF, VNF Hosts
+ references:
+ - \[1\] [ETSI NFV SEC025, Secure E2E VNF & NS management spec
+ (WIP) v006, retrieved April 26, 2021](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_%26_NS_management)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0005
+ typecode: attack_technique_addendum
+- access-required: Administrative access
+ architecture-segment: Virtualization, OA&M
+ bluf: An adversary may implant malware in the Network Function Virtualization Infrastructure
+ (NFVI) that will load during the pre-boot sequence to achieve persistence.
+ criticalassets:
+ - Description: Any network functions within NFVI sphere of responsibility
+ Name: Physical, Virtual, and Cloud Native Functions
+ - Description: Any hosts in NFVI within 5G security zone or in CI/CD pipeline, security
+ and OSS tools
+ Name: Hosts
+ description: " An adversary may implant malware in the Network Function Virtualization\
+ \ Infrastructure (NFVI) that will load during the pre-boot sequence to achieve\
+ \ persistence.\r\n\r\nAn adversary may implant unauthorized software in the NFVI\
+ \ to persist in the boot sequence or launch malicious software. 5G VNF deployments\
+ \ rely on underlying NFVI (Kubernetes, Openstack) resources and do not offer any\
+ \ checks of their own to validate resources. Possibilities exist to add malware\
+ \ in deployment pipelines, image building and storage process and thru add on\
+ \ tools. Unless Hardware Mediated Execution Environment (HMEE) is used to validate\
+ \ host resources, malware inserted during boot process may not be easily detected.\
+ \ \r\n\r\n"
+ detections:
+ - detects: Software image inconsistency. Signature and checksum mismatch
+ fgdsid: DS0007
+ name: Image
+ - detects: Kernel executing unknow processes or unauthorized processes not typical
+ of the host.
+ fgdsid: DS0008
+ name: Kernel
+ - detects: Active processes or process log may reveal unauthorized activity due
+ to rootkits
+ fgdsid: DS0009
+ name: Process
+ - detects: Degraded performance; system may have reboots, or unexpected performance
+ degradation, may be slow to respond to inputs.
+ fgdsid: DS0013
+ name: Sensor Health
+ - detects: Background services not typically associated with the host
+ fgdsid: DS0019
+ name: Service
+ - detects: File changes of any sort that cannot be traced back to authorized change.
+ fgdsid: DS0022
+ name: File
+ - detects: Network traffic pattern may reveal remote C2 communication from rootkit
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1542.501
+ mitigations:
+ - fgmid: M1018
+ mitigates: User Account Management, active monitoring of access attempts to CI/CD
+ tools
+ name: User Account Management
+ - fgmid: M1045
+ mitigates: Code Signing of all 5G NF and infra node software
+ name: Code Signing
+ - fgmid: M1046
+ mitigates: Boot integrity, TPM and remote attestation
+ name: Boot Integrity
+ - fgmid: M1047
+ mitigates: System audits can reveal anomalous behavior that may be caused by rootkits. Audits
+ of software repositories
+ name: Audit
+ - fgmid: M1051
+ mitigates: Update Software for 5G NF and infra node software
+ name: Update Software
+ name: Unauthorized software in NFVI
+ object-type: technique
+ platforms: Infrastructure, PNF, VNF Hosts
+ references:
+ - \[1\] [ETSI NFV SEC025, Secure E2E VNF & NS management spec
+ (WIP) v006, retrieved April 26, 2021](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_%26_NS_management)
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1542
+ tactics:
+ - TA0003
+ - TA0005
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: 'Radio access, '
+ addendums:
+ - "#### Addendum Name: Base station flood with fictitious access requests\r\n#####\
+ \ Architecture Segments: Control Plane\r\n An adversary may transmit an overwhelming\
+ \ number of access requests to a gNB to degrade the ability of legitimate UE to\
+ \ obtain access.\r\n\r\nAn adversary transmits large number of access requests\
+ \ over Random Access CHannel (RACH) to degrade the ability of legitimate UE to\
+ \ obtain access from the gNB. May be done via a compromised UE or a fake UE.\r\
+ \n\r\n\r\n"
+ - "#### Addendum Name: UDM DOS via SUCI replay\r\n##### Architecture Segments: Control\
+ \ Plane\r\n An adversary may use a device (user or base station) to replay registration\
+ \ requests with valid a Subscription Concealed Identifier (SUCI) in order to degrade\
+ \ the availability of UDM to other device users.\r\n\r\nAn adversary may intercept\
+ \ a legitimate SUCI sent by a legitimate device to a base station. The adversary\
+ \ can then replay this SUCI in a registration request towards the network many\
+ \ times, possibly from a fake base station or UE being used to send to the core\
+ \ network. This will cause the core network function in charge of deconcealment\
+ \ of the SUCI, namely the UDM-SIDF (Unified Data Management - Subscription Identifier\
+ \ De-Concealing Function), to work on this computationally intensive asymmetric\
+ \ cryptographic operation. A Denial of Service attack on the UDM can cause the\
+ \ available processing power of the UDM to decrease and thus impact its ability\
+ \ to respond to the requests of legitimate UEs.\r\n\r\n"
+ architecture-segment: Control Plane
+ bluf: Adversaries may target the different network services provided by systems
+ to conduct a denial of service (DoS).
+ criticalassets:
+ - Description: Adversary targets access requests in Random Access CHannel (RACH)
+ Name: RACH
+ - Description: UDM/SIDF resources are used for de-concealment of SUCI sent by legitimate
+ UEs
+ Name: UDM/SIDF resources
+ description: "Adversaries may target the different network services provided by\
+ \ systems to conduct a denial of service (DoS).\r\n[To read more, please see the\
+ \ MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1499/002)\r\
+ \n"
+ detections:
+ - detects: Excessive number of access requests received at gNB.
+ fgdsid: FGDS5007
+ name: UE access requests
+ - detects: Excessive number of SUCI containing requests received at the AMF. UDM
+ slow response
+ fgdsid: FGDS5007
+ name: UE access requests
+ id: FGT1499.002
+ mitigations:
+ - fgmid: FGM5021
+ mitigates: Increase RACH resources.
+ name: Increase RACH (Random Access CHannel resources)
+ - fgmid: FGM5499
+ mitigates: Rate limiting of incoming messages at NFs. The Security Anchor Function
+ (SEAF) or the Authentication Server Function (AUSF), which are NFs upstream
+ from SIDF, can apply rate limiting if they receive the same SUCI multiple times
+ within a short period.
+ name: Rate limiting by producer NF
+ name: Service Exhaustion Flood
+ object-type: technique
+ platforms: 5G RAN, 5G
+ postconditions:
+ - Description: Legitimate UEs have low probability of successfully requesting access
+ Name: Less service for legitimate UEs
+ - Description: Legitimate UEs have low probability of successfully obtaining access
+ Name: Less service for legitimate UEs
+ preconditions:
+ - Description: Adversary must be able to transmit to gNB with sufficient power to
+ be received.
+ Name: Transmit to gNB with sufficient power to succeed in flooding.
+ - Description: Access to fake Base Station or fake UE to replay SUCI
+ Name: Acquire base station or UE
+ procedureexamples:
+ - Description: Adversary transmits an overwhelming number of access requests over
+ Random Access CHannel (RACH) to degrade the ability of legitimate UE to obtain
+ access. May be done via a compromised UE or a SDR running OAI-5G modified software.
+ Name: ' Access request flooding'
+ - Description: 'SUCI is replayed by fake or compromised UE or gNB to the network.
+
+
+ UDM needs to process repeated SUCI messages from the same UE which will eventually
+ drain resources of UDM and cause DoS attack on legitimate UE. Sections 5.2.2.1.2
+ & 5.2.2.2.2 of [1]'
+ Name: SUCI replay
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[1\\] [3rd Generation Partnership Project (3GPP) TR 33.846:\
+ \ \u201CStudy on Authentication Enhancements in the 5G System\u201D, Technical\
+ \ Report, v17.0.0, Dec. 2021.](https://www.3gpp.org/DynaReport/33846.htm )"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1499
+ tactics:
+ - TA0040
+ typecode: attack_subtechnique_addendum
+- access-required: admin
+ architecture-segment: OA&M, Control Plane
+ bluf: 'An adversary, such as an insider to the MNO or vendor, could install a malicious
+ NF into the core network, in order to launch other attacks or get access to information. '
+ criticalassets:
+ - Description: Network services provided to UEs.
+ Name: Network services
+ description: " An adversary, such as an insider to the MNO or vendor, may install\
+ \ a malicious NF into the core network, in order to launch other attacks or get\
+ \ access to information. \r\n\r\nAn adversary could introduce an unauthorized\
+ \ network function (NF) or function embedding trojan malware in the service base\
+ \ architecture (SBA) by registering it in the NRF, in order to exploit other APIs.\
+ \ A clone of a legitimate NF can also be used to register itself in the NRF. The\
+ \ new NF can be deployed as a PNF, cloud VNF or containerized NF. This adversary\
+ \ could be an insider (to the MNO) or a vendor or service provider. By having\
+ \ an unauthorized network function installed or activated, an adversary may gain\
+ \ access to resources in the network to perform other type of attacks such as\
+ \ Denial of Service, the distribution of malicious software, or obtaining sensitive\
+ \ information.\r\n\r\n\r\n"
+ detections:
+ - detects: Monitor application logs of core NFs.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor for newly constructed containers that may deploy a container
+ into an environment to facilitate execution or evade defenses.
+ fgdsid: DS0032
+ name: Container
+ id: FGT5007
+ mitigations:
+ - fgmid: FGM5023
+ mitigates: Cross check newly registered NFs. Out of band mechanism for cross checking
+ new NFs that are registered in NRF are as expected by network administrator.
+ NRF may use additional OAuth2.0 token information.
+ name: Periodic Authentication & Authorization of NFs
+ - fgmid: M1018
+ mitigates: Enforce the principle of least privilege by limiting container dashboard
+ access to only the necessary users.
+ name: User Account Management
+ - fgmid: M1030
+ mitigates: Deny direct remote access to internal systems through the use of network
+ proxies, gateways, and firewalls.
+ name: Network Segmentation
+ name: Registration of malicious network functions
+ object-type: technique
+ platforms: 5G
+ procedureexamples:
+ - Description: 'Rogue or cloned NF calls Nnrf_NF Management API to register one
+ of these functions: AMF, SMF, UDM, AUSF, NEF, PCF, SMSF, NSSF, UPF, etc. Clause
+ 5.2.7 of [3]'
+ Name: Unauthorized use of API
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, November 2019.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks\
+ \ )"
+ - " \\[3\\] [3rd Generation Partnership Project (3GPP) TS 23.502,\
+ \ \u201CProcedures for the 5G System (5GS); Stage 2 (Release 17)\u201D, Technical\
+ \ Specification, v17.4.0, March 2022.](https://www.3gpp.org/DynaReport/23502.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0002
+ typecode: fight_technique
+- architecture-segment: RAN, O-RAN
+ bluf: An adversary transmits radio signals to degrade reception and demodulation
+ of signals to the UE or gNB/eNB.
+ criticalassets:
+ - Description: UE and gNB basic operations.
+ Name: Radio receivers at base station and user equipment
+ description: " An adversary transmits radio signals to degrade reception and demodulation\
+ \ of signals to the UE or gNB/eNB. \r\n\r\nConsists of numerous methods, including\
+ \ noise jamming, generating false synchronization signals, and replaying modified\
+ \ portions of legitimate signals to degrade demodulation. Jamming in 5G (NR) is\
+ \ different from 3G and similar to 4G, but at high level the same principles are\
+ \ applied. This technique is similar to the ATT&CK for Mobile technique T1464.\r\
+ \n\r\n\r\n"
+ detections:
+ - detects: Identify source and location of jammer.
+ fgdsid: FGDS5001
+ name: RF Spectrum Monitor
+ id: FGT5035
+ mitigations:
+ - fgmid: FGM5001
+ mitigates: Disable jamming source.
+ name: Disable malicious transmitter
+ - fgmid: FGM5099
+ mitigates: Move user equipment closer to base station to overpower jamming signal.
+ name: Move UE close to gNB
+ - fgmid: FGM5100
+ mitigates: Increase height of User Equipment to avoid jamming signal.
+ name: Raise height of UE
+ name: Radio Jamming
+ object-type: technique
+ platforms: 5G radio access
+ procedureexamples:
+ - Description: Jammer device is used to perform noise jamming of the radio interface,
+ See [1].
+ Name: Noise jamming via jammer device
+ - Description: 'Rogue UE sends fake uplink synchronization signals to the gNB:
+
+
+ Sounding Reference Signal (SRS)
+
+
+ Phase Tracking Reference Signal (PTRS)
+
+
+ Demodulation Reference Signal (DMRS)'
+ Name: False synchronization signals
+ - Description: Fake base station replays modified portions of legitimate signals
+ from gNB or towards gNB.
+ Name: Replay legitimate signals
+ references:
+ - " \\[1\\] [Y. Arjoune and S. Faruque, \u201CSmart Jamming Attacks\
+ \ in 5G New Radio: A Review\u201D (2020), 10th Annual Computing and Communication\
+ \ Workshop and Conference (CCWC)](https://ieeexplore.ieee.org/abstract/document/9031175/\
+ \ )"
+ - " \\[2\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[3\\] [Lichtman, et al. \u201C5G NR Jamming, Spoofing,\
+ \ and Sniffing: Threat Assessment and Mitigation\u201D (2018), 2018 IEEE International\
+ \ Conference on Communications Workshops](https://arxiv.org/pdf/1803.03845.pdf)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA0040
+ typecode: fight_technique
+- access-required: N/A
+ architecture-segment: User Plane
+ bluf: An adversary can divert user plane traffic for one or more UEs via a user-plane
+ function, to monitor user data
+ criticalassets:
+ - Description: All user plane subscriber data
+ Name: Subscriber data
+ description: " An adversary can divert user plane traffic for one or more UEs via\
+ \ a user-plane function, to monitor user data.\r\n\r\nTraffic diversion is a threat\
+ \ relating to network elements of the user plane. A compromised or misconfigured\
+ \ NF (as documented in the procedures below: UPF, SMF, \u2026) is used to send\
+ \ or cause to send a command to a user plane (routing) function that results in\
+ \ altering the traffic flow. This threat involves compromising a network element\
+ \ to divert traffic flows and allow a malicious actor to eavesdrop on user traffic.\
+ \ \r\n\r\nAn adversary positioned between the UE and the UPF may intercept unprotected\
+ \ data packets and change the destination IP address of the packets, so that the\
+ \ UPF ends up sending them to a different data network. \r\n\r\nRedirection attacks\
+ \ on the core network result in not only communication interception, but also\
+ \ in billing discrepancies.\r\n\r\n\r\n"
+ detections:
+ - detects: Monitor AF to NEF APIs for illegitimate traffic redirection requests.
+ Monitor Nnef_TrafficInfluence_Update API calls from AF to NEF for traffic redirection
+ requests to unauthorized DNN & S-NSSAI.
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5008
+ mitigations:
+ - fgmid: FGM5019
+ mitigates: Authorize all API calls by external AFs to NEF
+ name: Authorize external API calls
+ - fgmid: M1040
+ mitigates: Monitor internal API calls between NFs for suspicious activities
+ name: Behavior Prevention on Endpoint
+ - fgmid: M1047
+ mitigates: Audit insecure NF configurations
+ name: Audit
+ name: 'Redirection of traffic via user plane network function '
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: If an adversary redirects to their own server, they can access the subscriber
+ data, who will not be aware that the traffic is being intercepted.
+ Name: Subscriber data intercept
+ preconditions:
+ - Description: An adversary must have control of the UPF IP address or a UPF
+ Name: Acquire UPF IP address/control
+ - Description: An adversary must first control the SMF or NEF, or AF
+ Name: Control SMF/NEF/AF
+ procedureexamples:
+ - Description: "An adversary controlling the SMF can redirect existing UE traffic\
+ \ by sending to UPF a N4 Session Modification Request (or: selecting another\
+ \ UPF- or, by sending to UPF another \u201CRedirect server\u201D [which the\
+ \ adversary controls] in the FAR in the N4 session (\u201CThe UPF reports to\
+ \ the SMF whether it supports traffic redirection enforcement in the UPF through\
+ \ the \u2018UP-Function Features\u2019 IE.\u201D [6]) Clause 5.8.2.3.3 of [5]\n\
+ \nSimilarly, the SMF can send a session modification request to the UPF and\
+ \ redirect UE traffic. See clauses 4.4.1.2 & 4.4.1.3 of [4]."
+ Name: Rogue or misconfigured SMF
+ - Description: "The \u201CApplication Function influence on traffic routing\u201D\
+ \ service is designed for MEC applications for local processing of data traffic\
+ \ in order to reduce latency. However, this capability can be misused by rogue\
+ \ AF or rogue/misconfigured NEF. The traffic redirection occurs after the NEF\
+ \ takes action that affects the UPF behavior. Clause 5.6.7 Table 5.6.7-1 first\
+ \ row \u201CTraffic Description\u201D of [5], clause 4.3.6 of [4]."
+ Name: Rogue AF or rogue/misconfigured NEF
+ - Description: "An adversary positioned e.g. on a router can exploit the fact that\
+ \ the N3 interface may not use IPSec protection. In this case, a UE\u2019s uplink\
+ \ data may be sent to a different data network or destination in the data network:\
+ \ the adversary intercepts the UE packets encapsulated in GTP-U tunnel, and\
+ \ changes the destination IP address."
+ Name: Access on N3 interface
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [ENISA \u201CThreat Landscape for 5G Networks Report\u201D\
+ , Nov 2019.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks)"
+ - " \\[3\\] [\u201CBhadra framework\u201D: S.P. Rao, S. Holtmanns,\
+ \ T. Aura, \u201CThreat modeling framework for mobile communication systems\u201D\
+ ](https://arxiv.org/abs/2005.05110v1 )"
+ - " \\[4\\] [3GPP TS 23.502 \u201CTechnical Specification Group\
+ \ Services and System Aspects; Procedures for the 5G System (5GS)\u201D.](https://www.3gpp.org/DynaReport/23502.htm)"
+ - " \\[5\\] [3GPP TS 23.501 \u201CTechnical Specification Group\
+ \ Services and System Aspects; System architecture for the 5G System (5GS)\u201D\
+ .](https://www.3gpp.org/DynaReport/23501.htm)"
+ - " \\[6\\] [\u201CUltra Cloud Core 5G User Plane Function, Release\
+ \ 2020.02 - Configuration and Administration Guide\u201D, Cisco Systems, Accessed\
+ \ May 25, 2023](https://www.cisco.com/c/en/us/td/docs/wireless/ucc/upf/Ultra-Cloud-Core-5G-UPF-Config-Guide.html)"
+ - " \\[7\\] [\u201C5G Security Issues.\u201D Positive Technologies](https://www.gsma.com/membership/resources/positive-technologies-5g-security-issues/)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0009
+ - TA0040
+ typecode: fight_technique
+- access-required: admin
+ architecture-segment: Control Plane
+ bluf: An adversary-controlled AMF registers itself in the UDM as serving a victim
+ UE in order to pave the way for other attacks such as fraud or UE subscription
+ data retrieval.
+ criticalassets:
+ - Description: Functionality of this core network function
+ Name: UDM functionality
+ - Description: Data (user plane or signaling) belonging to the UE
+ Name: UE data
+ - Description: Physical geo-location (coarse or fine) of the UE
+ Name: UE location
+ description: " An adversary-controlled AMF registers itself in the UDM as serving\
+ \ a victim UE in order to pave the way for other attacks such as fraud or UE subscription\
+ \ data retrieval. \r\n\r\nA UE can be legitimately de-registered or be caused\
+ \ to de-register. The UDM is the core network function that holds the current\
+ \ registration status and data of an UE. UEs register with an AMF, which then\
+ \ becomes its serving AMF. An adversary can exploit an incorrectly implemented\
+ \ UDM that does not update the authentication status of a UE upon a de-registration\
+ \ event, or that allows the authentication status to be incorrect. This flaw allows\
+ \ a malicious AMF to register itself in UDM (via Nudm_UECM_Registration Request\
+ \ API call). That is, an adversary controlling an AMF can register that AMF Identifier\
+ \ in the UDM as the serving AMF for that UE. \r\n\r\nThis technique also applies\
+ \ to the SMF and SMSF (SMS Function), not just AMF, using the same API to the\
+ \ UDM. \r\n\r\nFor an adversary to achieve this, a UDM must be incorrectly implemented.\
+ \ The improperly configured UDM needs to be able to perform all of the basic functions,\
+ \ except that it does not mark a UE as de-registered when it powers off or goes\
+ \ to airplane mode or is legitimately (or illegitimately) de-registered by the\
+ \ network.\r\n \r\n"
+ detections: []
+ id: FGT5010
+ mitigations:
+ - fgmid: FGM5023
+ mitigates: "Periodic authentication / authorization of NF consumer e.g. AMF by\
+ \ NRF will help detect rogue AMFs. \nNot currently in 3GPP/GSMA (TBC) specs,\
+ \ but it can be enhanced. It\u2019s process management (OA&M)"
+ name: Periodic Authentication & Authorization of NFs
+ - fgmid: FGM5013
+ mitigates: Implement security as per clause 6.1.9 of [4], namely OAuth2.0
+ name: Timely updates to UE status
+ - fgmid: FGM5014
+ mitigates: Cross check whether the requesting AMF is likely to be the one serving
+ that UE now. Validate the expected geography of where UE actually may be, in
+ comparison to the area that the requester AMF is supposed to serve.
+ name: UE location plausibility
+ name: Fraudulent AMF registration for UE in UDM
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: A rogue AMF could mount other attacks on the victim UE, but the UE
+ is not currently registered on the network. For example, the AMF can ask the
+ LMF for the location of that UE; this may work if the UE is actually registered
+ to this network, otherwise, it will return the last known location.
+ Name: Follow on attacks by rogue AMF
+ preconditions:
+ - Description: If the UDM does not store the authentication status of a UE, or the
+ authentication status is incorrect
+ Name: Faulty UDM implementation
+ procedureexamples:
+ - Description: An adversary in control of an AMF registers that AMF in UDM (via
+ Nudm_UECM_Registration Request) as serving a given UE that de-registered. If
+ the UDM implementation does not update the authentication status of UEs as de-registered,
+ it will accept that AMF. The adversary-controlled AMF can then potentially perform
+ additional hostile actions such as fraud, claiming to have provided services
+ for the UE, or obtaining other UE information from the UDM such as subscriber
+ data, or asking for the UE location from the LMF (Location Management Function).
+ Name: Adversary registers an AMF it controls as the one serving a given UE that
+ just de-registered
+ references:
+ - " \\[1\\] [3rd Generation Partnership Project (3GPP) TR 33.926:\
+ \ \u201CSecurity Assurance Specification (SCAS) threats and critical assets in\
+ \ 3GPP network product classes\u201D, Technical Report, v17.3.0, Dec. 2021, clause\
+ \ E.2.2.3](https://www.3gpp.org/DynaReport/33926.htm )"
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP) TR 33.846,\u201D\
+ \ Study on authentication enhancements in the 5G System (5GS)\u201D, Technical\
+ \ Report, v17.0.0, December 2021, clause 5.3.1.2](https://www.3gpp.org/DynaReport/33846.htm\
+ \ )"
+ - " \\[3\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[4\\] [3GPP TS 29.503: \u201C5G System; Unified Data Management\
+ \ Services; Stage 3\u201D](https://www.3gpp.org/DynaReport/29503.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0009
+ typecode: fight_technique
+- access-required: admin
+ architecture-segment: Control Plane
+ bluf: 'An adversary controlling an (external) Application Function (AF) presents
+ a fraudulent OAuth access token to access Network Exposure Function (NEF) services. '
+ criticalassets:
+ - Description: Network services exposed by NEF
+ Name: Operator Services
+ description: " An adversary controlling an (external) Application Function (AF)\
+ \ may present a fraudulent OAuth access token to access Network Exposure Function\
+ \ (NEF) services. \r\n\r\nA mobile network operator has access to a variety of\
+ \ user and network data by virtue of the services it provides to subscribers.\
+ \ As a business extension, some of these capabilities, events and data can be\
+ \ offered to other partner business entities. The Network Exposure Function securely\
+ \ exposes such cellular network services to authorized third-party applications.\
+ \ The standard mandates TLS between NEF and AF and authorization via OAuth 2.0.\r\
+ \n\r\nExamples of the data that can be shared are: device analytics, user traffic\
+ \ routing, device location and mobility events: for example, notifications are\
+ \ sent whenever a user (which is e.g. part of a group subscribed to a third party\
+ \ service) enters a certain geographical perimeter (e.g. a mall or campus), since\
+ \ the operator keeps track of the base stations to which devices are connected.\r\
+ \n\r\nA malicious AF with a fraudulent (stolen, altered, or constructed) access\
+ \ token may invoke the NEF services arbitrarily. \r\n\r\n\r\n"
+ detections:
+ - detects: Logs of connection attempts to NEF
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5011
+ mitigations:
+ - fgmid: FGM5003
+ mitigates: Ensure NEF checks AF credentials across layers (TLS, OAuth2.0), and
+ has a list (provided out of band) with all the allowed AF by unique identifier
+ (or type of AF), and to which service they are allowed access (this access may
+ be general, not per UE).
+ name: Cross check between application layer and transport layer
+ - fgmid: FGM5019
+ mitigates: NEF should authorize API calls from external AFs for all service accesses,
+ via OAuth token verification.
+ name: Authorize external API calls
+ - fgmid: M1040
+ mitigates: Prevent suspicious API calls
+ name: Behavior Prevention on Endpoint
+ name: Unauthorized access to Network Exposure Function (NEF) via token fraud
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: Adversary has access to network services exposed by NEF
+ Name: Network services exposed by NEF
+ preconditions:
+ - Description: Access to some MNO services to gain knowledge about tokens to access
+ the NEF
+ Name: MNO service access
+ procedureexamples:
+ - Description: An adversary may conduct OAuth2.0 attacks that are applicable to
+ machine-to-machine communication (not email phishing type attacks). Fraudulent
+ token is mentioned in section I.2.2.2 of [1]. Other threats are listed in [2].
+ Name: OAuth 2.0 attacks
+ references:
+ - \[1\] [3GPP TR 33.926 Security Assurance Specification (SCAS)
+ threats and critical assets in 3GPP network product classes.](https://www.3gpp.org/DynaReport/33926.htm)
+ - " \\[2\\] [Internet Engineering Task Force, IETF RFC 6819 \u201C\
+ OAuth 2.0 Threat Model and Security Considerations\u201D, Jan. 2013.](https://datatracker.ietf.org/doc/html/rfc6819\
+ \ )"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0008
+ - TA0001
+ typecode: fight_technique
+- access-required: Air interface
+ architecture-segment: Control Plane, RAN
+ bluf: Adversary can track a device (get cell-level location) by listening for the
+ same device ID being sent to the network.
+ criticalassets:
+ - Description: Location is accurate to a cell area, since the sniffer device has
+ to be close enough to hear the UE send its 5G GUTI
+ Name: UE location
+ description: " An adversary can track a device (get cell-level location) by listening\
+ \ for the same device ID being sent to the network. \r\n\r\nThe AMF handles UE\
+ \ registration every time the UE connects to the network anew. As part of this\
+ \ registration, a 5G Globally Unique Temporary Identifier (5G-GUTI) is assigned\
+ \ to the UE, so as to protect the UE permanent identifier. The UE sends this identifier\
+ \ in the clear to the network as part of service procedures it initiates, and\
+ \ so this identifier can be eavesdropped by any UE or wireless sniffer nearby.\r\
+ \n\r\nThis is a passive attack. If AMF doesn't allocate a new 5G-GUTI in certain\
+ \ registration scenarios, an adversary could keep on tracking the user using the\
+ \ old 5G-GUTI after these registration procedures. This attack has been observed\
+ \ in 4G where the UE were allocated the same GUTI. \r\n\r\n"
+ detections: []
+ id: FGT5012.003
+ mitigations:
+ - fgmid: FGM5094
+ mitigates: Ensure AMF implementation allocates new 5G-GUTI every time possible.
+ name: Allocate new 5G identifiers judiciously
+ name: 5G-GUTI reuse
+ object-type: technique
+ platforms: 5G radio access
+ preconditions:
+ - Description: Adversary must be present in the same area where the UE is located.
+ Name: Adversary present in the vicinity of victim UE
+ procedureexamples:
+ - Description: "Reportedly several operators do not re-allocate GUTI with every\
+ \ UE registration, or they do not re-allocate often enough or they use predictable\
+ \ pattern, as in [1], [2]. \nExact 5G-GUTI refresh mechanism is left to implementation.\
+ \ Mandatory refresh of 5G-GUTI is to be done by AMF for initial registration,\
+ \ mobility registration update and network-initiated service request message\
+ \ due to paging, see clause 6.12.3 of [3].\nIt is not necessary for the adversary\
+ \ to have a UE to listen, a simpler listening device suffices."
+ Name: Listen in for re-used 5G-GUTIs to determine UE presence in that area.
+ references:
+ - " \\[1\\] [B. Hong, S. Bae, Y. Kim, \u201CGUTI Reallocation\
+ \ Demystified: Cellular Location Tracking with Changing Temporary Identifier\u201D\
+ , NDSS Symposium, 2018.](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_02A-4_Hong_paper.pdf\
+ \ )"
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP) TR 33.926:\
+ \ \u201CSecurity Assurance Specification (SCAS) threats and critical assets in\
+ \ 3GPP network product classes\u201D, Technical Report, v17.3.0, December. 2021,\
+ \ clause K.2.7.1](https://www.3gpp.org/DynaReport/33926.htm )"
+ - " \\[3\\] [3rd Generation Partnership Project (3GPP) TR 33.501:\
+ \ \u201CSecurity architecture and procedures for 5G system\u201D, Technical Specification,\
+ \ v17.5.0, March 2022](https://www.3gpp.org/DynaReport/33501.htm )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5012
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- access-required: None
+ architecture-segment: RAN, Control Plane, User Plane
+ bluf: An adversary may alter network signaling so as to disable encryption over
+ the radio interface, thus allowing for eavesdropping of user data or signaling
+ on that interface.
+ criticalassets:
+ - Description: UE user plane data privacy.
+ Name: UE data
+ - Description: UE signaling data privacy
+ Name: UE signaling
+ description: " An adversary may alter network signaling so as to disable encryption\
+ \ over the radio interface, thus allowing for eavesdropping of user data or signaling\
+ \ on that interface.\r\n\r\nThe protection of the radio interface link is chosen\
+ \ by the network when the User Equipment (UE) first registers to the network.\
+ \ Normally, all data and signaling is encrypted. However, under some circumstances\
+ \ (e.g. emergency calls, when the UE is not registered in the serving network),\
+ \ no encryption keys can be derived and so no encryption is applied\u2014in this\
+ \ case the algorithm is called NULL. \r\n\r\nSeveral procedures and interfaces\
+ \ can be implemented incorrectly or misused and may result in use of the NULL\
+ \ encryption algorithm to protect user signaling -- Non-Access Stratum (NAS) or\
+ \ Access Stratum (AS) Control Plane (CP) -- ; or user data -- AS User Pane (UP)\
+ \ -- over the radio interface. These can be followed by another adversarial behavior\
+ \ whereby eavesdropping can be done over the air interface for data and signaling.\r\
+ \n\r\n"
+ detections:
+ - detects: Check configuration changes in gNB, SMF, AMF; Configuration audits by
+ OSS/BSS.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Inspect radio traffic and watch for unauthorized changes as the packets
+ move through the interfaces.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1600.501
+ mitigations:
+ - fgmid: M1018
+ mitigates: Network element security safeguards for gNBs, AMFs and SMFs. Includes
+ measures in clause 5.3.4 of [2] for gNBs (e.g. software updates, OA&M access
+ security, secure boot)
+ name: User Account Management
+ - fgmid: M1031
+ mitigates: Implement network intrusion prevention methods
+ name: Network Intrusion Prevention
+ - fgmid: M1041
+ mitigates: Ensure gNB implementation and SMF implementations are both checking
+ the UE CP and UP security policy against the most trustworthy source and taking
+ action to not enable NULL encryption except for emergency calls
+ name: Encrypt Sensitive Information
+ - fgmid: M1043
+ mitigates: Implement credential access protection methods
+ name: Credential Access Protection
+ - fgmid: M1046
+ mitigates: Network element security safeguards for gNBs, AMFs and SMFs. Includes
+ measures in clause 5.3.4 of [2] for gNBs (e.g. software updates, OA&M access
+ security, secure boot)
+ name: Boot Integrity
+ - fgmid: M1051
+ mitigates: Network element security safeguards for gNBs, AMFs and SMFs. Includes
+ measures in clause 5.3.4 of [2] for gNBs (e.g. software updates, OA&M access
+ security, secure boot)
+ name: Update Software
+ name: Radio Interface
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: 'Control Plane: All UE signaling data may be revealed if both NAS
+ and AS CP (RRC) security algorithms are weakened.
+
+
+ User Plane: Subscriber (user plane) data may be revealed if AS UP security algorithms
+ are weakened.'
+ Name: UE data unprotected on air interface
+ preconditions:
+ - Description: "A rogue gNB may be required to change the UE\u2019s CP and UP supported\
+ \ algorithms to NULL. It\u2019s easier to achieve control over a gNB than over\
+ \ the AMF or SMF itself. But then if the AMF and SMF are not rogue just not\
+ \ configured to do these additional checks, then control over a rogue gNB is\
+ \ sufficient.\nThis attack is possible with only control over the AMF, in which\
+ \ case the algorithm for CP and UP protection is changed to NULL."
+ Name: Rogue or misconfigured AMF or SMF or gNB
+ procedureexamples:
+ - Description: "Adversary (e.g. with fake gNB) intentionally configures NULL encryption\
+ \ algorithm to have highest priority in gNB. These algorithms are sent to the\
+ \ UE in the (Access Stratum) AS Security Mode Command. Normally the activation\
+ \ of algorithms for the AS is done by the gNB based on that policy received\
+ \ from the SMF, but a fake gNB can ignore the SMF. Clauses 6.7.3 & D.1 of [2].\n\
+ \nAdversary with control over a legitimate gNB, and who currently serves the\
+ \ UE, tells the SMF that the UE Control Plane (CP) and User Plane (UP) policy\
+ \ is NULL encryption, and the (legitimate but not correctly implemented) SMF\
+ \ doesn\u2019t check that against the locally-stored UE UP policy and lets the\
+ \ CP and UP data be transmitted with NULL encryption. Clause 6.6.1 of [2]"
+ Name: Fake or misconfigured base station
+ - Description: 'Adversary makes the unauthorized change in the SMF CP and UP local
+ policy to enable NULL encryption for CP & UP traffic.
+
+ Alternatively, adversary exploits an SMF that is not implemented to check (for
+ every UE it serves) that the algorithm received from gNB (which may be compromised
+ or fake) matches the (more trusted) local policy. That local policy in turn
+ should be checked that it is the same as the UE policy stored in the UDM, which
+ has the higher trust. Any of these failures can result in the SMF enabling the
+ CP and UP traffic over the radio interface to use NULL encryption.'
+ Name: Rogue or misconfigured Session Management Function (SMF)
+ - Description: "Adversary with control over AMF (or control over the configuration\
+ \ of AMF) can affect UE procedures such as NAS Security Mode Command, such that\
+ \ the UE's NAS data is not protected, i.e. prioritize NULL algorithm for either\
+ \ NAS encryption or integrity.\n \nThis can be followed by another attack behavior\
+ \ whereby eavesdropping can be done over the air interface for data and signaling.\
+ \ Clauses 5.3.2 and 5.5.1 of [2]"
+ Name: Rogue or misconfigured Access and Mobility Management Function (AMF) non-roaming
+ - Description: "Compromised source AMF sends incorrect UE context information to\
+ \ legitimate target AMF during either (a) Initial registration and roaming or\
+ \ (b) Handover (N2 based). \nThe source AMF sends NULL encryption algorithm\
+ \ information as part of the \u201CUEContextTransfer\u201D (initial registration\
+ \ and roaming) or \u201CCreateUEContext\u201D (N2 handover) service request\
+ \ messages. All UE data will be sent in cleartext after registration or handover\
+ \ is completed. Clauses 4.2.2.2.2, 4.9.1.3.1 and 5.2.2.1 of [3] The element\
+ \ in the UE context is the ueSecurityCapability which the rogue AMF sets to\
+ \ NULL only."
+ Name: Rogue or misconfigured AMF during roaming/handover
+ - Description: "Compromised source MME/AMF sends incorrect UE context information\
+ \ to legitimate target AMF during EPS to 5GS handover and roaming with and without\
+ \ N26 interface.\n\nSource AMF sends NULL encryption algorithm information as\
+ \ part of the \u201CUEContextTransfer\u201D or \n\u201CRelocateUEContext\u201D\
+ \ service request messages. All UE data will be sent in clear text after roaming\
+ \ or handover is completed. Clauses 4.11.1.2.2.2, 4.11.1.3.3, 4.11.2.3 and 5.2.2.1\
+ \ of [3] The element in the UE context is the ueSecurityCapability which the\
+ \ rogue AMF sets to NULL only."
+ Name: Rogue or misconfigured AMF/MME during EPS roaming/handover
+ references:
+ - " \\[1\\] [3GPP TR 33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://www.3gpp.org/DynaReport/33926.htm\
+ \ )"
+ - " \\[2\\] [3GPP TS 33.501 \u201CSecurity architecture and procedures\
+ \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm )"
+ - " \\[3\\] [3GPP TS 23.502 \u201CProcedures for the 5G System\
+ \ (5GS)\u201D.](https://www.3gpp.org/DynaReport/23502.htm )"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1600
+ tactics:
+ - TA0005
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: User Plane
+ bluf: An adversary controlling a user-plane function (gNB or UPF) disrupts user
+ traffic by assigning the new traffic a TEID already in use.
+ criticalassets:
+ - Description: Billing data of legitimate UE
+ Name: UE billing data
+ - Description: "UE\u2019s reception of its data is disrupted."
+ Name: UE data interruption
+ description: " An adversary controlling a user-plane function (gNB or UPF) may disrupt\
+ \ user traffic by assigning the new traffic a TEID already in use.\r\n\r\nThe\
+ \ Tunnel Identifier, TEID, is part of the Core Network Tunnel information and\
+ \ is assigned locally by the UPF and also by the gNB/ng-eNB for user plane routing\
+ \ for each UE served. The failure to guarantee the uniqueness of the TEID for\
+ \ a PDU session results in interruption of the routing of the user traffic. It\
+ \ also creates charging errors. If multiple PDU sessions were to share the same\
+ \ TEID at the same time, the counts for the network usage of a single PDU session\
+ \ will be in fact the counts for the network usage of multiple sessions, creating\
+ \ charging errors.\r\n\r\nRogue or erroneous configuration/implementation in gNB\
+ \ or UPF can cause an existing TEID to be assigned to a new PDU session. This\
+ \ can also happen during EPS to 5GS handover or roaming.\r\n\r\n"
+ detections:
+ - detects: Packet inspection over the N3 interface. If two packets are seen to have
+ the same TEID on the RAN to UPF interface, then it can be verified that they
+ indeed belong to the same UE. It may be difficult to detect as it is per UE
+ and per PDU session.
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Charging system reports anomaly of subscriber CDRs. Periodic CDR audits
+ can detect anomaly.
+ fgdsid: FGDS5003
+ name: Charging anomaly
+ id: FGT5021
+ mitigations:
+ - fgmid: FGM5094
+ mitigates: Ensure UPF and gNB/NG-eNB check for uniqueness for every new TEID they
+ allocate locally. The newly assigned TEID must not have been in use in the past
+ given certain amount of time (which should be set to the reasonable maximum
+ tunnel lifetimes observed).
+ name: Allocate new 5G identifiers judiciously
+ - fgmid: M1035
+ mitigates: Limit Access to Resource Over Network
+ name: Limit Access to Resource Over Network
+ - fgmid: M1047
+ mitigates: The UPF and g/eNB must keep a log of the TEIDs currently in use (which
+ they assigned), and purge TEIDs once the tunnel is torn down. This log must
+ be checked every time a new TEID is allocated.
+ name: Audit
+ name: Tunnel Endpoint ID (TEID) uniqueness failure
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: UE user plane data gets disrupted
+ Name: UE data disruption
+ - Description: Incorrect subscribers' charging records are generated
+ Name: Incorrect charging
+ preconditions:
+ - Description: Faulty implementation at gNB or UPF ; or, control over gNB, and UPF
+ Name: Control or misconfiguration of gNB or UPF
+ procedureexamples:
+ - Description: 'Rogue or wrong configuration/implementation in gNB or UPF can cause
+ existing TEID to be assigned to a new N3 reference point or PDU session. Clause
+ J.2.2.2 of [1]
+
+
+ Duplicate TEID allocation can happen during EPS to 5GS handover or roaming.
+
+
+ Duplicate TEID can cause traffic disruption, charging issues and eavesdropping
+ of legitimate subscriber data by adversary. Clause 5.8.2.3 of [2], clause 4.11.1.2.2
+ of [3]'
+ Name: Rogue or misconfigured gNB or UPF
+ references:
+ - " \\[1\\] [3GPP TR 33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3002)"
+ - " \\[2\\] [3GPP TS 23.501 \u201CSystem architecture for the\
+ \ 5G System (5GS)\u201D.](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3144)"
+ - " \\[3\\] [3GPP TS 23.502, \u201CProcedures for the 5G System\
+ \ (5GS); Stage 2 (Release 17)\u201D, Technical Specification, v17.4.0, March 2022.](https://www.3gpp.org/DynaReport/23502.htm\_\
+ )"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0040
+ typecode: fight_technique
+- access-required: User, Administrative access
+ addendums:
+ - "#### Addendum Name: VNF Access Services\r\n##### Architecture Segments: OA&M\r\
+ \n Adversary may use non-functional remote communication interfaces (SNMP/RPC,\
+ \ SSH) to change host configuration to enable host compromise.\r\n\r\nCloud tenants\
+ \ may deploy additional network services with their containers in their containers\
+ \ along with the main functionality of the 5G Virtual Network Function (VNF).\
+ \ These services can be deployed as part of the VNF itself, since they allow\
+ \ for VNF monitoring or remote configuration. To this end, it is possible that\
+ \ possibly unsafe remote access services such as SSH may be deployed into the\
+ \ containers. If these network services are directly accessible over the Internet\
+ \ (or from another tenant of the CaaS), then they are vulnerable to intrusion\
+ \ attacks. For example, adversaries may attempt to guess access credentials or\
+ \ to exploit known vulnerabilities in the management services APIs. If successful,\
+ \ the adversary now can use the access to this container through these services\
+ \ for additional follow-on techniques.\r\n\r\n"
+ architecture-segment: OA&M
+ bluf: Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+ to log into a service that accepts remote connections, such as telnet, SSH, and
+ VNC.
+ criticalassets:
+ - Description: 5G or RAN Network functions including VNF and PNFs
+ Name: Network functions
+ - Description: Virtualized 5G environment relies on underlying compute and SDN network
+ elements which may be of interest to adversary
+ Name: Hosts, VMs, or Infrastructure elements
+ description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)\
+ \ to log into a service that accepts remote connections, such as telnet, SSH,\
+ \ and VNC.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1021)\r\
+ \n"
+ detections:
+ - detects: Audit command logs
+ fgdsid: DS0017
+ name: Command
+ - detects: 5G NFs have defined interfaces, any other session establishment activity
+ may be unauthorized. Monitor traffic patterns and session sources along with
+ blocked/denied activity.
+ fgdsid: DS0028
+ name: Logon Session
+ - detects: Monitor network traffic for expected and unexpected attempted and established
+ connections
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1021
+ mitigations:
+ - fgmid: M1018
+ mitigates: Limit the accounts that may use remote services. Limit the permissions
+ for accounts that are at higher risk of compromise; for example, configure SSH
+ so users can only run specific programs.
+ name: User Account Management
+ - fgmid: M1032
+ mitigates: Use multi-factor authentication on remote service logons where possible.
+ name: Multi-factor Authentication
+ name: Remote Services
+ object-type: technique
+ platforms: PNF, VNF Hosts
+ references:
+ - " \\[1\\] [Fraunhofer AISEC, \u201CThreat Analysis of Container-as-a-Service\
+ \ for Network Function \u201C, Retrieved April 28 2022](https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Studien_TechReports/englisch/caas_threat_analysis_wp.pdf)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0008
+ - TA0007
+ typecode: attack_technique_addendum
+- access-required: User/NPE/Administrative access
+ addendums:
+ - "#### Addendum Name: 5G Supply Chain Compromise\r\n##### Architecture Segments:\
+ \ OA&M, Virtualization, RAN, O-RAN\r\n Adversaries may manipulate products or\
+ \ product delivery mechanisms prior to deployment in an MNO\u2019s production\
+ \ environment for the purpose of data or system compromise.\r\n\r\n5G deployments\
+ \ are expected to have various deployment models comprise of vendor supplied VNF/CNFs,\
+ \ open-source software, and dedicated physical appliances from suppliers as well\
+ \ as white label hardware. It is also expected that 5G services to end-consumer\
+ \ may include third party services to support resources required by 5G Core and\
+ \ RAN elements such as third party back haul, MEC or commercial Cloud data centers\
+ \ resources. The resources also include O-RAN elements such as O-DU, O-RU and\
+ \ O-CU. Adversary may use a software, hardware, or service supply chain to insert\
+ \ compromised components (binaries, Firmware, compromised processing chips) in\
+ \ the supply chain of a targeted MNO or taint entire supply chain first to have\
+ \ option to select a target from victims receiving compromised products. Opensource\
+ \ communities may be vulnerable to accidental or intentional compromise. These\
+ \ days a lot of reputable vendors also use open-source components in their license\
+ \ products, Opensource community may become a conduit to a target victim.\r\n\r\
+ \n"
+ architecture-segment: OA&M, Virtualization, RAN, O-RAN
+ bluf: "Adversaries may manipulate products or product delivery mechanisms prior\
+ \ to receipt by a final consumer for the purpose of data or system compromise.\n\
+ \nSupply chain compromise can take place at any stage of the supply chain including:\n\
+ \n* Manipulation of development tools\n* Manipulation of a development environment\n\
+ * Manipulation of source code repositories (public or private)\n* Manipulation\
+ \ of source code in open-source dependencies\n* Manipulation of software update/distribution\
+ \ mechanisms\n* Compromised/infected system images (multiple cases of removable\
+ \ media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric\
+ \ USB Malware) \n* Replacement of legitimate software with modified versions\n\
+ * Sales of modified/counterfeit products to legitimate distributors\n* Shipment\
+ \ interdiction\n\nWhile supply chain compromise can impact any component of hardware\
+ \ or software, adversaries looking to gain execution have often focused on malicious\
+ \ additions to legitimate software in software distribution or update channels.(Citation:\
+ \ Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five\
+ \ SK 2011) Targeting may be specific to a desired victim set or malicious software\
+ \ may be distributed to a broad set of consumers but only move on to additional\
+ \ tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation:\
+ \ Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects\
+ \ that are used as dependencies in many applications may also be targeted as a\
+ \ means to add malicious code to users of the dependency.(Citation: Trendmicro\
+ \ NPM Compromise)."
+ criticalassets:
+ - Description: Network functions are prime target to impact 5G communication services
+ Name: CORE, RAN VNFs
+ - Description: OSS tools have privileged access and broad reachability and may be
+ used to change configuration of the network by adversary.
+ Name: OSS Tools
+ - Description: Security tools have privileged access and broad reachability may
+ be used to evade defenses and allow for lateral movements by the adversary
+ Name: Security tools
+ - Description: CI/CD tools may be used for inserting malware or poisoned images
+ as well as change the network elements deployed and their behavior.
+ Name: CI/CD Tools
+ description: "Adversaries may manipulate products or product delivery mechanisms\
+ \ prior to receipt by a final consumer for the purpose of data or system compromise.\n\
+ \nSupply chain compromise can take place at any stage of the supply chain including:\n\
+ \n* Manipulation of development tools\n* Manipulation of a development environment\n\
+ * Manipulation of source code repositories (public or private)\n* Manipulation\
+ \ of source code in open-source dependencies\n* Manipulation of software update/distribution\
+ \ mechanisms\n* Compromised/infected system images (multiple cases of removable\
+ \ media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric\
+ \ USB Malware) \n* Replacement of legitimate software with modified versions\n\
+ * Sales of modified/counterfeit products to legitimate distributors\n* Shipment\
+ \ interdiction\n\nWhile supply chain compromise can impact any component of hardware\
+ \ or software, adversaries looking to gain execution have often focused on malicious\
+ \ additions to legitimate software in software distribution or update channels.(Citation:\
+ \ Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five\
+ \ SK 2011) Targeting may be specific to a desired victim set or malicious software\
+ \ may be distributed to a broad set of consumers but only move on to additional\
+ \ tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation:\
+ \ Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects\
+ \ that are used as dependencies in many applications may also be targeted as a\
+ \ means to add malicious code to users of the dependency.(Citation: Trendmicro\
+ \ NPM Compromise).\r\n[To read more, please see the MITRE ATT&CK page for this\
+ \ technique](https://attack.mitre.org/techniques/T1195)\r\n"
+ detections:
+ - detects: Perform physical inspection of hardware to look for potential tampering.
+ Perform integrity checking on pre-OS boot mechanisms that can be manipulated
+ for malicious purposes and compare against known good baseline behavior.
+ fgdsid: DS0013
+ name: Sensor Health
+ - detects: Use verification of distributed binaries through hash checking or other
+ integrity checking mechanisms. Scan downloads for malicious signatures and attempt
+ to test software and updates prior to deployment while taking note of potential
+ suspicious activity.
+ fgdsid: DS0022
+ name: File
+ id: FGT1195
+ mitigations:
+ - fgmid: M1016
+ mitigates: Vulnerability Scanning of software before it is brought into MNO environment
+ as well as regular scans to detect abnormal behavior
+ name: Vulnerability Scanning
+ - fgmid: M1051
+ mitigates: Update Software regularly
+ name: Update Software
+ name: Supply Chain Compromise
+ object-type: technique
+ platforms: Infrastructure, CI/CD, OA&M Tools, VNFs
+ references:
+ - " \\[1\\] [ETSI NFV SEC001, \u201CNetwork Functions Virtualization\
+ \ (NFV); NFV Security; Problem Statement\u201D, Jan. 2014, section 6.9](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf\
+ \ )"
+ - \[2\] [The Untold Story of the Boldest Supply-Chain Hack Ever](https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0001
+ - TA0006
+ typecode: attack_technique_addendum
+- access-required: User/NPE/Administrative access
+ addendums:
+ - "#### Addendum Name: 5G Orchestration and Deployment Tools\r\n##### Architecture\
+ \ Segments: OA&M, Virtualization, Supply Chain, RAN, UE\r\n An adversary may use\
+ \ CI/CD tools to gain access to production hosts/VNFs for discovery, data exfiltration\
+ \ and for deployment of lateral movements tools. \r\n\r\nIn 5G deployments, MNO\u2019\
+ s development and deployment tools offer a conduit to 5G production RAN and Core\
+ \ network functions. CI/CD tools have a greater access to Software during development\
+ \ lifecycle, an adversary may be able to find a back door to software in production\
+ \ environment- a very similar scenario to SolarWinds hack, where compromised software\
+ \ was deployed on thousands of hosts via a software upgrade carrying compromised\
+ \ image. \r\n\r\nManagement and Orchestration is a framework for managing and\
+ \ orchestrating network functions virtualization (NFV) infrastructure, resources,\
+ \ and services. It provides a standard approach for the management and orchestration\
+ \ of network services in NFV environments, including the automation of tasks such\
+ \ as network service deployment, scaling, and network function lifecycle management.\
+ \ MANO toolset if misconfigured or APIs not properly secured can provide an attack\
+ \ vector to adversary with grave consequences to network and its services.\r\n\
+ \r\n"
+ architecture-segment: OA&M, Virtualization, Supply Chain, RAN, UE
+ bluf: Adversaries may gain access to and use third-party software suites installed
+ within an enterprise network, such as administration, monitoring, and deployment
+ systems, to move laterally through the network.
+ criticalassets:
+ - Description: Software development and deployment tools in MNO (and supplier) environments
+ Name: CI/CD Tools
+ - Description: Scanning, monitoring, and end point protection tools
+ Name: Security Tools
+ - Description: Operation and system support tools
+ Name: OSS Tools
+ description: "Adversaries may gain access to and use third-party software suites\
+ \ installed within an enterprise network, such as administration, monitoring,\
+ \ and deployment systems, to move laterally through the network.\r\n[To read more,\
+ \ please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1072)\r\
+ \n"
+ detections:
+ - detects: Monitor for newly executed processes that do not correlate to known good
+ software. Analyze the process execution trees, historical activities from the
+ third-party application (such as what types of files are usually pushed), and
+ the resulting activities or events from the file/binary/script pushed to systems.
+ fgdsid: DS0009
+ name: Process
+ - detects: Often these third-party applications will have logs of their own that
+ can be collected and correlated with other data from the environment. Ensure
+ that third-party application logs are on-boarded to the enterprise logging system
+ and the logs are regularly reviewed. Audit software deployment logs and look
+ for suspicious or unauthorized activity. A system not typically used to push
+ software to clients that suddenly is used for such a task outside of a known
+ admin function may be suspicious. Monitor account login activity on these applications
+ to detect suspicious/abnormal usage. Perform application deployment at regular
+ times so that irregular deployment activity stands out.
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT1072
+ mitigations:
+ - fgmid: M1018
+ mitigates: User Account Management, limited and least privileged user accounts
+ name: User Account Management
+ - fgmid: M1026
+ mitigates: Privileged Account Management, unique, least privileged accounts and
+ regularly audit access attempts audits
+ name: Privileged Account Management
+ - fgmid: M1027
+ mitigates: Password Policies, no credential sharing, create traceability
+ name: Password Policies
+ - fgmid: M1029
+ mitigates: Remote Data Storage, restrict access and monitor repository activity
+ name: Remote Data Storage
+ - fgmid: M1030
+ mitigates: Network Segmentation allows limit movements, insert application aware
+ firewalls between segments
+ name: Network Segmentation
+ - fgmid: M1032
+ mitigates: Multi-factor Authentication adds additional layer of security for compromised
+ credentials as well as increased accountability
+ name: Multi-factor Authentication
+ - fgmid: M1051
+ mitigates: Update Software regularly to eliminate persistence
+ name: Update Software
+ name: Software Deployment Tools
+ object-type: technique
+ platforms: 'Infrastructure, PNF, VNF Hosts, '
+ procedureexamples:
+ - Description: "Silence\_has used RAdmin, a remote software tool used to remotely\
+ \ control workstations and ATMs"
+ Name: '[G0091](https://attack.mitre.org/groups/G0091)'
+ - Description: "It is believed that a patch management system for an anti-virus\
+ \ product commonly installed among targeted companies was used to distribute\
+ \ the\_Wiper\_malware"
+ Name: '[S0041](https://attack.mitre.org/software/S0041)'
+ references:
+ - " \\[1\\] [ETSI NFV SEC001, \u201CNetwork Functions Virtualization\
+ \ (NFV); NFV Security; Problem Statement\u201D, Jan. 2014, section 6.9](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf\
+ \ )"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ ,\_ October 2021](https://arxiv.org/abs/2108.11206\_\_)"
+ - \[3\] [Dell SecureWorks. (2013, March 21). Wiper Malware Analysis
+ Attacking Korean Financial Sector. Retrieved May 13, 2015.](http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/)
+ - " \\[4\\] [Silence \u2013 a new Trojan attacking financial\
+ \ organizations (accessed 06/20/2023)](https://securelist.com/the-silence/83009/)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0002
+ - TA0008
+ typecode: attack_technique_addendum
+- access-required: User/NPE/Administrative access
+ addendums:
+ - "#### Addendum Name: Container Management- Unauthorized access\r\n##### Architecture\
+ \ Segments: Virtualization, OA&M, RAN, O-RAN\r\n An adversary may use privileged\
+ \ accounts of valid, role-based accounts for management services to gain access\
+ \ to network elements.\r\n\r\nAn adversary may also use a valid account with excessive\
+ \ privileges (i.e., does not follow least privilege policy) to gain access to\
+ \ container execution environment. If access rights are not tailored to specific\
+ \ needs of users, the risk to attack container execution increases.\r\n\r\nInternal\
+ \ or external adversary may gain access to management account credentials (e.g.\
+ \ due to weak account management practices) allowing access to VNF containers\
+ \ for persistence, and defense evasion.\r\n\r\n"
+ architecture-segment: Virtualization, OA&M, RAN, O-RAN
+ bluf: Valid accounts in cloud environments may allow adversaries to perform actions
+ to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
+ criticalassets:
+ - Description: RAN and Core CNFs
+ Name: Containerized network functions
+ - Description: Cloud, Kubernetes, or Openstack administrative controllers
+ Name: Cloud/virtualized container Management controllers
+ description: "Valid accounts in cloud environments may allow adversaries to perform\
+ \ actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense\
+ \ Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1078/004)\r\
+ \n"
+ detections:
+ - detects: Monitor user account authentication activity. Monitor the activity of
+ cloud accounts to detect abnormal or malicious behavior, such as accessing information
+ outside of the normal function of the account or account usage at atypical hours. Repeated
+ attempts may be indictive of password guessing or brute force password cracking. Password
+ policies supporting lockout requiring administrative reset may help.
+ fgdsid: DS0002
+ name: User Account
+ - detects: Monitor for suspicious account behavior across cloud services that share
+ account. Logon session logs and meta data helps determine if the session was
+ an authorized activity.
+ fgdsid: DS0028
+ name: Logon Session
+ id: FGT1078.004
+ mitigations:
+ - fgmid: M1017
+ mitigates: Applications may send push notifications to verify a login as a form
+ of multi-factor authentication (MFA). Train users to only accept valid push
+ notifications and to report suspicious push notifications.
+ name: User Training
+ - fgmid: M1018
+ mitigates: Periodically review user accounts and remove those that are inactive
+ or unnecessary. Limit the ability for user accounts to create additional accounts.
+ name: User Account Management
+ - fgmid: M1026
+ mitigates: Review privileged cloud account permission levels routinely to look
+ for those that could allow an adversary to gain wide access.
+ name: Privileged Account Management
+ - fgmid: M1027
+ mitigates: Ensure that cloud accounts, particularly privileged accounts, have
+ complex, unique passwords across all systems on the network. Passwords and access
+ keys should be rotated regularly. This limits the amount of time credentials
+ can be used to access resources if a credential is compromised without your
+ knowledge. Rotate access keys regularly.
+ name: Password Policies
+ - fgmid: M1032
+ mitigates: Use multi-factor authentication for cloud and virtualization OSS accounts
+ used for VNF deployments, especially privileged accounts.
+ name: Multi-factor Authentication
+ name: Cloud Accounts
+ object-type: technique
+ platforms: Infrastructure, CI/CD, OA&M Tools
+ procedureexamples:
+ - Description: Peirates is a post-exploitation Kubernetes exploitation framework
+ with a focus on gathering service account tokens for lateral movement and privilege
+ escalation. The tool is written in GoLang and publicly available on GitHub
+ Name: S0683
+ references:
+ - \[1\] [ETSI NFV SEC023, Container Security Spec, section 5.4.4,
+ Accessed 6/27/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC023_Container_Security_Spec/NFV-SEC023v005.zip)
+ - \[2\] [Peirates](https://github.com/inguardians/peirates)
+ - " \\[3\\] [Kubernetes Used in Brute-Force Attacks Tied to Russia\u2019\
+ s APT28](https://vulners.com/threatpost/THREATPOST:B25070E6CF075EEA6B20C4D8D25ADBE8)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1078
+ tactics:
+ - TA0005
+ - TA0003
+ - TA0004
+ - TA0001
+ typecode: attack_subtechnique_addendum
+- access-required: User/NPE/Administrative access, compromised Keys/tokens
+ architecture-segment: OA&M, Virtualization
+ bluf: An adversary may use a fake or compromised container management controller
+ to deploy fake VNFs to collect information from the network.
+ criticalassets:
+ - Description: Container and container engine may expose privileged information
+ to adversary directly from process or through container engine.
+ Name: Container and Container engines
+ - Description: In Container management architecture (Kubernetes for example) adversary
+ may use Kublet commands or API proxy to gain access to information and control
+ of the container.
+ Name: Container Management Controller system
+ - Description: NF orchestrators
+ Name: NFO
+ description: " An adversary may use a fake or compromised container management controller\
+ \ to deploy fake VNFs to collect information from the network.\r\n\r\nInstantiation\
+ \ of malicious Virtual Network Functions (VNF) can also be achieved by compromised\
+ \ VIM by inclusion of concealed software within legitimate (Virtual Infrastructure\
+ \ Manager) VIM, or allocating virtual resources for fake instances, or using malicious\
+ \ or compromised identity provider (reuses the same identity for several VNFs\
+ \ with same key pair without knowledge of MANO). Adversary may use malicious attestation\
+ \ server attacks, etc. VNF instantiation may allow adversary to register VNF with\
+ \ 5G core to launch further attacks. \r\n\r\n"
+ detections:
+ - detects: Monitor POD creation and modification events.
+ fgdsid: DS0014
+ name: Pod
+ - detects: Audit application logs (NFVO, VIM). Configuration management databases
+ (CMDB) and other asset management systems may help with the detection of computer
+ systems or network devices that should not exist on a network.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor container creation, container start events
+ fgdsid: DS0032
+ name: Container
+ id: FGT5013
+ mitigations:
+ - fgmid: M1018
+ mitigates: Enforce the principle of least privilege by limiting container dashboard
+ access to only the necessary users.
+ name: User Account Management
+ - fgmid: M1030
+ mitigates: Deny direct remote access to internal systems through the use of network
+ proxies, gateways, and firewalls.
+ name: Network Segmentation
+ - fgmid: M1035
+ mitigates: Limit communications with the container service to local Unix sockets
+ or remote access via SSH. Require secure port access to communicate with the
+ APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes
+ API Server, and container orchestration web applications.
+ name: Limit Access to Resource Over Network
+ - fgmid: M1047
+ mitigates: Scan images before deployment, and block those that are not in compliance
+ with security policies. In Kubernetes environments, the admission controller
+ can be used to validate images after a container deployment request is authenticated
+ but before the container is deployed.
+ name: Audit
+ name: Malicious VNF Instantiation
+ object-type: technique
+ platforms: ICAM, CI/CD, OA&M Tools
+ procedureexamples:
+ - Description: "Peirates can deploy a pod that mounts its node\u2019s root file\
+ \ system, then execute a command to create a reverse shell on the node"
+ Name: S0683
+ - Description: Doki was run through a deployed container
+ Name: S0600
+ - Description: TeamTNT has deployed different types of containers into victim environments
+ to facilitate execution.
+ Name: G0139
+ references:
+ - ' \[1\] [ETSI NFV SEC025, Secure End-to-End VNF and NS management
+ specification
+
+ Release 4, section 4.4.3, accessed 6/28/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_&_NS_management/NFV-SEC025v0012.zip)'
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_technique
+- access-required: User/NPE/Administrative access, compromised Keys/tokens
+ architecture-segment: OA&M, Virtualization
+ bluf: An adversary may use an NFVI controller to gain access to data from a suspended
+ or stopped VNF to extract sensitive information.
+ criticalassets:
+ - Description: Container and container engine may expose privileged information
+ to adversary directly from process or thru container engine.
+ Name: Container and Container engines
+ - Description: In Container management architecture (Kubernetes for example) adversary
+ may use Kublet commands or API proxy to gain access to information and control
+ of the container.
+ Name: Container Management Controller system
+ description: " An adversary may use an NFVI controller to gain access to data from\
+ \ a suspended or stopped VNF to extract sensitive information.\r\n\r\nA container\
+ \ administration service such as the Docker daemon, the Kubernetes API server,\
+ \ or the kubelet may allow remote management of containers within an environment.\
+ \ An unauthorized access to terminated/suspended VNF in NFVI can expose data\
+ \ not erased from a state change process. This may include virtual resources released\
+ \ from a terminated VNF or from a VNF that has released resources after a move\
+ \ or a scaling process. This may also enable inclusion of concealed software in\
+ \ NFVI to prevent the deletion/erasure of data and states of the VNF that has\
+ \ been terminated. Data may include application data, cryptographic keys (service\
+ \ accounts).\r\n\r\n\r\n"
+ detections: []
+ id: FGT1609.501
+ mitigations:
+ - fgmid: M1018
+ mitigates: Enforce authentication and role-based access control on the container
+ service to restrict users to the least privileges required.
+ name: User Account Management
+ - fgmid: M1026
+ mitigates: In Kubernetes environments, consider defining a Pod Security Policy
+ that prevents pods from running privileged containers
+ name: Privileged Account Management
+ - fgmid: M1035
+ mitigates: Limit communications with the container service to local Unix sockets
+ or remote access via SSH. Require secure port access to communicate with the
+ APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes
+ API Server
+ name: Limit Access to Resource Over Network
+ - fgmid: M1038
+ mitigates: Use read-only containers, read-only file systems, and minimal images
+ when possible to prevent the execution of commands.
+ name: Execution Prevention
+ name: Accessing Terminated VNF
+ object-type: technique
+ platforms: CI/CD, OA&M Tools
+ procedureexamples:
+ - Description: Peirates can use kubectl or the Kubernetes API to run commands.
+ Name: Kubectl
+ - Description: Siloscape can send kubectl commands to victim clusters through an
+ IRC channel and can run kubectl locally to spread once within a victim cluster.
+ Name: Kubectl via IRC channels
+ references:
+ - ' \[1\] [ETSI NFV SEC025, Secure End-to-End VNF and NS management
+ specification
+
+ Release 4, section 4.4.6, accessed 6/28/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_&_NS_management/NFV-SEC025v0012.zip)'
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1609
+ tactics:
+ - TA0006
+ - TA0007
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: User/NPE/Administrative access
+ architecture-segment: Virtualization, OA&M
+ bluf: An adversary running a malicious Virtual Network Function (VNF) may identify
+ network resources co-resident on the same physical host.
+ criticalassets:
+ - Description: Adversary may identify high value 5G network functions targets for
+ its exploits
+ Name: VNF identity
+ - Description: Adversary may identify RAN, Core or slice VNFs for further exploits.
+ Name: Network identity
+ description: " An adversary running a malicious Virtual Network Function (VNF) may\
+ \ identify network resources co-resident on the same physical host.\r\n\r\nAn\
+ \ adversary may identify a VNF in shared resource by observing protocols or standard\
+ \ ports in use on the node. A hardware and network resource separation is required\
+ \ to provide isolation and protection from an adversary mapping capabilities in\
+ \ the network for certain VNF/VNFc (container).\r\n\r\n"
+ detections:
+ - detects: Monitor POD creation and modification events.
+ fgdsid: DS0014
+ name: Pod
+ - detects: Audit application logs (NFVO, VIM). Configuration management databases
+ (CMDB) and other asset management systems may help with the detection of computer
+ systems or network devices that should not exist on a network.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor command history on VNFs and hosts
+ fgdsid: DS0017
+ name: Command
+ - detects: Monitor container creation, container start events
+ fgdsid: DS0032
+ name: Container
+ id: FGT5014
+ mitigations:
+ - fgmid: M1018
+ mitigates: Enforce the principle of least privilege by limiting container dashboard
+ access to only the necessary users.
+ name: User Account Management
+ - fgmid: M1030
+ mitigates: Deny direct remote access to internal systems through the use of network
+ proxies, gateways, and firewalls. Segment execution environment with node and
+ network.
+ name: Network Segmentation
+ - fgmid: M1035
+ mitigates: Limit communications with the container service to local Unix sockets
+ or remote access via SSH. Require secure port access to communicate with the
+ APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes
+ API Server, and container orchestration web applications.
+ name: Limit Access to Resource Over Network
+ - fgmid: M1047
+ mitigates: Scan images before deployment, and block those that are not in compliance
+ with security policies. In Kubernetes environments, the admission controller
+ can be used to validate images after a container deployment request is authenticated
+ but before the container is deployed.
+ name: Audit
+ name: Shared resource discovery
+ object-type: technique
+ platforms: virtualization, CI/CD, OA&M Tools
+ procedureexamples:
+ - Description: "Peirates can deploy a pod that mounts its node\u2019s root file\
+ \ system, then execute a command to create a reverse shell on the node"
+ Name: S0683
+ - Description: Doki was run through a deployed container
+ Name: S0600
+ - Description: TeamTNT has deployed different types of containers into victim environments
+ to facilitate execution.
+ Name: G0139
+ references:
+ - ' \[1\] [Network Functions Virtualisation (NFV) Release 4;
+
+ Security;Isolation and trust domain specification
+
+ Release 4, section 4.2.1, Access 4/12/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)'
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0007
+ typecode: fight_technique
+- access-required: User/NPE/Administrative access
+ architecture-segment: OA&M, Virtualization
+ bluf: An adversary may compromise a target Virtual Network Function (VNF) to gain
+ unauthorized access to the data from the underlying resources shared with other
+ VNFs.
+ criticalassets:
+ - Description: Adversary may identify high value 5G network functions targets for
+ its exploits
+ Name: VNF and VNF Data
+ description: " An adversary may compromise a target Virtual Network Function (VNF)\
+ \ to gain unauthorized access to the data from the underlying resources shared\
+ \ with other VNFs.\r\n\r\nA malicious VNF instantiated in the VNF infrastructure\
+ \ may be able to access the resources reserved for another tenant VNF, if root\
+ \ or escalated privilege is gained due to misconfiguration of host or container.\
+ \ This exploitation can lead to unauthorized data access in shared resources.\
+ \ Multiple techniques can be used to isolate VNF or VNFc (container) where sharing\
+ \ virtualization resources is a business requirement to ensure a co-resident compromised\
+ \ or malicious VNF/VNFc cannot access shared resources or read data therein.\r\
+ \n\r\n\r\n"
+ detections:
+ - detects: Monitor process activity on node, hosts and VNFs.
+ fgdsid: DS0009
+ name: Process
+ - detects: Audit application logs (NFVO, VIM). Configuration management databases
+ (CMDB) and other asset management systems may help with the detection of computer
+ systems or network devices that should not exist on a network.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor container creation, container start events
+ fgdsid: DS0032
+ name: Container
+ - detects: Monitor volume or storage modifications, attachment or read actions.
+ fgdsid: DS0034
+ name: Volume
+ id: FGT1611.501
+ mitigations:
+ - fgmid: M1018
+ mitigates: Enforce the principle of least privilege by limiting container dashboard
+ access to only the necessary users.
+ name: User Account Management
+ - fgmid: M1030
+ mitigates: Deny direct remote access to internal systems through the use of network
+ proxies, gateways, and firewalls. Segment execution environment with node and
+ network.
+ name: Network Segmentation
+ - fgmid: M1035
+ mitigates: Limit communications with the container service to local Unix sockets
+ or remote access via SSH. Require secure port access to communicate with the
+ APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes
+ API Server, and container orchestration web applications.
+ name: Limit Access to Resource Over Network
+ - fgmid: M1047
+ mitigates: Scan images before deployment, and block those that are not in compliance
+ with security policies. In Kubernetes environments, the admission controller
+ can be used to validate images after a container deployment request is authenticated
+ but before the container is deployed.
+ name: Audit
+ name: Malicious privileged container VNF Shared Resource Access
+ object-type: technique
+ platforms: CI/CD, OA&M Tools
+ procedureexamples:
+ - Description: "Peirates can deploy a pod that mounts its node\u2019s root file\
+ \ system, then execute a command to create a reverse shell on the node"
+ Name: S0683
+ - Description: Doki was run through a deployed container
+ Name: S0600
+ - Description: TeamTNT has deployed different types of containers into victim environments
+ to facilitate execution.
+ Name: G0139
+ references:
+ - ' \[1\] [Network Functions Virtualisation (NFV) Release 4;
+
+ Security; Isolation and trust domain specification
+
+ Release 4, section 4.2.1, Accessed 4/12/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)'
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1611
+ tactics:
+ - TA0004
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: User/NPE/Administrative access
+ architecture-segment: Network Slice, Cloud Service Provider
+ bluf: 'Adversaries may gain unauthorized access to information via a Virtual Network
+ Function (VNF) shared for service designed for two different slices. '
+ criticalassets:
+ - Description: NFVI includes orchestrators, network managers, and network elements
+ Name: NFVI
+ - Description: 5G Core, RAN and NON-SBI functions, virtual resources supporting
+ VNF
+ Name: VNFs
+ - Description: Network slice SLA data, some information may be exposed if application
+ functions are shared
+ Name: Slice Control and User Plane data
+ - Description: The application related data and sensitive parameters associated
+ with a VNF
+ Name: VNF application data and sensitive parameters
+ description: " Adversaries may gain unauthorized access to information via a Virtual\
+ \ Network Function (VNF) shared for service designed for two different slices.\r\
+ \n\r\n5G functions deployment and slice creation is supported by NFVI resources.\
+ \ Network Function Virtualization Infrastructure (NFVI) can be exploited by compromise\
+ \ or abuse of trust on a VNF Orchestrator (VNFO) or VNF Manager (VNFM). An adversary\
+ \ may be able to create a network slice (NS) using the VNF (Common VNF) of a target\
+ \ Slice or create slice resources that share the NFVI resources of the target\
+ \ slice. Malicious co-tenancy activities can lead to unauthorized access to data,\
+ \ misuse of resources, or management actions. \r\n\r\n"
+ detections:
+ - detects: Monitor systems performance
+ fgdsid: DS0013
+ name: Sensor Health
+ - detects: Audit logs - Auditing logs for security, authentication and authorization
+ activity, host access, hosts, virtualization orchestrator and managers can reveal
+ behavioral anomalies
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Audit Policy Violations - Automated user and resource policy compliance
+ checks and instrumentation to alert on violation attempts
+ fgdsid: DS0028
+ name: Logon Session
+ - detects: Monitor network flows
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1599.501
+ mitigations:
+ - fgmid: FGM5505
+ mitigates: Hardware Mediated Execution Environment -Employ secure, hardware- based
+ execution integrity as part of host/server design
+ name: Hardware mediated execution environment
+ - fgmid: FGM5506
+ mitigates: Use of Network Slice Templates -Use of templates for network slicing
+ can enforce baseline security and isolation requirements. These templates can
+ be created for networks, compute and 5G slice functions deployments.
+ name: network slice templates
+ - fgmid: M1026
+ mitigates: Least Privilege Access Control Policy - Access control policies should
+ be granular to allow for optimal access to service requirements.
+ name: Privileged Account Management
+ - fgmid: M1030
+ mitigates: 'Security and Trust zones -Security and trust zones can help isolate
+ resources and can be mapped to business needs.
+
+ Micro and Nano segmentation- Implementing segmentation policy at granular level,
+ network and compute resources can prevent some co-residency threats when mapped
+ to SLAs, Users, and Resource policies.
+
+
+ Physical separation- Hardware, network, and point of presence can be separated
+ to provide additional isolation.'
+ name: Network Segmentation
+ - fgmid: M1035
+ mitigates: Resource Policy enforcement -Create and enforce resource policy; policy
+ can include SLA, quotas, QOS etc.
+ name: Limit Access to Resource Over Network
+ - fgmid: M1041
+ mitigates: Encryption can be used to protect data at rest and in transit
+ name: Encrypt Sensitive Information
+ name: Malicious co-tenancy exploit of NFVI (Network Slice)
+ object-type: technique
+ platforms: OA&M, Virtualization, Slice
+ procedureexamples:
+ - Description: A legitimate tenant 1 uses the Os-ma-nfvo interface to read the NS
+ information of another tenant 2 sharing the NFVO. The tenant 1 may get sensitive
+ information on the NS topology for a NS of a competitor (tenant 2).
+ Name: Create Malicious Co-Tenancy
+ - Description: A malicious tenant on-boards unused NS/VNF just to consume on-boarding
+ resources (e.g. fill the NS and VNF registries or software image repository)
+ to limit the space available for other tenant.
+ Name: Consume on-boarding resources
+ - Description: A malicious tenant uses the Os-ma-nfvo interface to manage the NSs
+ of another tenant. For example, this malicious tenant may scale down the NS
+ of a competitor to get more resources for his own NS or scale up to increase
+ resource cost of another tenant.
+ Name: Manipulate network slices of another tenant
+ references:
+ - \[1\] [ETSI NFV SEC026 Isolation and trust domain specification,
+ section 4.2.2](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1599
+ tactics:
+ - TA0005
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: User/NPE/Administrative access
+ architecture-segment: Network Slice, Cloud Service Provider
+ bluf: Adversaries may use a less secure slice to gain access to information in a
+ more secure slice that uses the VNF (Common VNF) built on common infrastructure
+ to misuse resources allocated to target VNFs or slice.
+ criticalassets:
+ - Description: NFVI includes orchestrators, network managers, and network elements
+ Name: NFVI
+ - Description: 5G Core, RAN and NON-SBI functions, virtual resources supporting
+ VNF
+ Name: VNFs
+ - Description: Network slice SLA data, some information may be exposed if application
+ functions are shared
+ Name: Slice Control and User Plane data
+ - Description: The application related data and sensitive parameters associated
+ with a VNF
+ Name: VNF application data and sensitive parameters
+ - Description: LI application server manages user activity monitoring requests and
+ monitoring set up of the user voice calls, SMS and data
+ Name: VNF Lawful Interception (LI) data
+ description: " Adversaries may use a less secure slice to gain access to information\
+ \ in a more secure slice that uses the VNF (Common VNF) built on common infrastructure\
+ \ to misuse resources allocated to target VNFs or slice.\r\n\r\nA compromised\
+ \ (intentionally or simply misconfigured) VNF instantiated in one slice subnet\
+ \ may access resources of another slice subnet. A common Network function Virtualization\
+ \ Orchestrator (NFVO) or Virtualized Infrastructure Manager (VIM) without proper\
+ \ safeguards may allow an adversary to starve a target slice or VNFs of the resources\
+ \ it needs to meet the SLA and to create opportunities information exposure.\r\
+ \n\r\n\r\n\r\n"
+ detections:
+ - detects: Monitor systems performance
+ fgdsid: DS0013
+ name: Sensor Health
+ - detects: Audit logs - Auditing logs for security, authentication and authorization
+ activity, host access, hosts, virtualization orchestrator and managers can reveal
+ behavioral anomalies
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Audit Policy Violations - Automated user and resource policy compliance
+ checks and instrumentation to alert on violation attempts
+ fgdsid: DS0028
+ name: Logon Session
+ - detects: Monitor network flows
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1599.502
+ mitigations:
+ - fgmid: FGM5505
+ mitigates: Hardware Mediated Execution Environment -Employ secure, hardware- based
+ execution integrity as part of host/server design
+ name: Hardware mediated execution environment
+ - fgmid: FGM5506
+ mitigates: Use of Network Slice Templates -Use of templates for network slicing
+ can enforce baseline security and isolation requirements. These templates can
+ be created for networks, compute and 5G slice functions deployments.
+ name: network slice templates
+ - fgmid: M1026
+ mitigates: Least Privilege Access Control Policy - Access control policies should
+ be granular to allow for optimal access to service requirements.
+ name: Privileged Account Management
+ - fgmid: M1030
+ mitigates: 'Security and Trust zones -Security and trust zones can help isolate
+ resources and can be mapped to business needs.
+
+ Micro and Nano segmentation- Implementing segmentation policy at granular level,
+ network and compute resources can prevent some co-residency threats when mapped
+ to SLAs, Users, and Resource policies.
+
+
+ Physical separation- Hardware, network, and point of presence can be separated
+ to provide additional isolation.'
+ name: Network Segmentation
+ - fgmid: M1035
+ mitigates: Resource Policy enforcement -Create and enforce resource policy; policy
+ can include SLA, quotas, QOS etc.
+ name: Limit Access to Resource Over Network
+ - fgmid: M1041
+ mitigates: Encryption can be used to protect data at rest and in transit
+ name: Encrypt Sensitive Information
+ name: Network Slice infrastructure resource hijacking
+ object-type: technique
+ platforms: Slice, CSP
+ procedureexamples:
+ - Description: If a service provider uses network slicing and creates two slice
+ subnets by creating network service instances on the same NFV environment (i.e.
+ the same NFVO and functional blocks) and thus being built with resources of
+ the same NFVI-PoP(s), this may lead to unauthorized access to resources/data
+ of another slice.
+ Name: Use of common virtual orchestrators and infrastructure managers
+ references:
+ - \[1\] [ETSI NFV SEC026 Isolation and trust domain specification,
+ section 4.2.3](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1599
+ tactics:
+ - TA0005
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: User/NPE/Administrative access
+ architecture-segment: Network Slice, OA&M, Virtualization
+ bluf: An adversary may use compromised container management SW (or account) in MANO
+ domain to gain access to target VNFs and its resources for unauthorized access
+ to resources/data of another slice in NFVI or resource exhaustion of target application
+ resulting in denial of service.
+ criticalassets:
+ - Description: NFVI includes orchestrators, network managers, and network elements
+ Name: NFVI
+ - Description: 5G Core, RAN and Non-SBI functions, virtual resources supporting
+ VNF
+ Name: VNFs
+ - Description: Network slice SLA data, some information may be exposed if application
+ functions are shared
+ Name: Slice Control and User Plane data
+ - Description: The application related data and sensitive parameters associated
+ with a VNF
+ Name: VNF application data and sensitive parameters
+ description: " An adversary may use compromised container management SW (or account)\
+ \ in MANO domain to gain access to target VNFs and its resources for unauthorized\
+ \ access to resources/data of another slice in NFVI or resource exhaustion of\
+ \ target application resulting in denial of service.\r\n\r\nNetwork Slice has\
+ \ a logical boundary, and within NS certain performance SLAs are guaranteed. \
+ \ A malicious software or adversarial actions in the NFV-MANO, modifies the affinity\
+ \ and anti-affinity rules for the constituents of VNFs/NSs in the catalogue or\
+ \ during an instantiation operation requested to the VIM, modifying the virtual\
+ \ resource isolation needs for these VNFs/NSs and enabling further attacks. This\
+ \ can result in placing adversary\u2019s virtualized application on the same VM\
+ \ or container engine as target NF and allow for further attacks of container\
+ \ or VM escape or resource exhaustion.\r\n\r\n"
+ detections:
+ - detects: Monitor systems performance
+ fgdsid: DS0013
+ name: Sensor Health
+ - detects: Audit logs - Auditing logs for security, authentication and authorization
+ activity, host access, hosts, virtualization orchestrator and managers can reveal
+ behavioral anomalies
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Audit Policy Violations - Automated user and resource policy compliance
+ checks and instrumentation to alert on violation attempts
+ fgdsid: DS0028
+ name: Logon Session
+ - detects: Monitor network flows
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5038
+ mitigations:
+ - fgmid: FGM5505
+ mitigates: Hardware Mediated Execution Environment -Employ secure, hardware- based
+ execution integrity as part of host/server design (M1041).
+ name: Hardware mediated execution environment
+ - fgmid: FGM5506
+ mitigates: Use of Network Slice Templates -Use of templates for network slicing
+ can enforce baseline security and isolation requirements. These templates can
+ be created for networks, compute and 5G slice functions deployments.
+ name: network slice templates
+ - fgmid: M1026
+ mitigates: Least Privilege Access Control Policy - Access control policies should
+ be granular to allow for optimal access to service requirements.
+ name: Privileged Account Management
+ - fgmid: M1030
+ mitigates: 'Security and Trust zones -Security and trust zones can help isolate
+ resources and can be mapped to business needs.
+
+ Micro and Nano segmentation- Implementing segmentation policy at granular level,
+ network and compute resources can prevent some co-residency threats when mapped
+ to SLAs, Users, and Resource policies.
+
+
+ Physical separation- Hardware, network, and point of presence can be separated
+ to provide additional isolation.'
+ name: Network Segmentation
+ - fgmid: M1035
+ mitigates: Resource Policy enforcement -Create and enforce resource policy; policy
+ can include SLA, quotas, QOS etc.
+ name: Limit Access to Resource Over Network
+ - fgmid: M1041
+ mitigates: Encryption can be used to protect data at rest and in transit
+ name: Encrypt Sensitive Information
+ name: Network Slice application resource hijacking
+ object-type: technique
+ platforms: Slice
+ references:
+ - " \\[1\\] [Fraunhofer AISEC, \u201CThreat Analysis of Container-as-a-Service\
+ \ for Network Function, accessed April 28, 2021](https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Studien_TechReports/englisch/caas_threat_analysis_wp.pdf)"
+ status: This is a theoretical behavior
+ tactics:
+ - TA0040
+ typecode: fight_technique
+- access-required: User/NPE/Administrative access
+ addendums:
+ - "#### Addendum Name: Network Elements\r\n##### Architecture Segments: User Plane,\
+ \ Control Plane, Roaming, Virtualization\r\n Adversaries may sniff network traffic\
+ \ to capture information about 5G environment, control and user plane data including\
+ \ authentication material, equipment identifiers.\r\n\r\nA compromise of network\
+ \ function (NF) supporting Service based (SBI), Non-Service Based (non-SBI), Roaming\
+ \ interfaces, and virtual network elements may allow an adversary to capture network\
+ \ traffic. \r\n\r\n\r\n The following Network interfaces are in the scope of\
+ \ this technique addendum:\r\n\r\n1.\t\u201CNon-SBI\u201D (non-Service Based Interface)\
+ \ network interfaces are within 5G core and RAN, and between the RAN and the 5G\
+ \ Core (e.g. N2, N3, N4, Xn). \r\n\r\n2.\tSBI network interfaces are between core\
+ \ NFs within an operator network; they use REST APIs.\r\n\r\n3.\tRoaming and interconnect\
+ \ interfaces, including IPX, are between network operators (between SEPPs, or\
+ \ other interworking functions like AMF/MME (N26) and between UPFs (N9)).\r\n\r\
+ \nAn adversary with access to the non-SBI interfaces not using encryption can\
+ \ monitor traffic exchange and obtain UE information such as user identifiers,\
+ \ serving network identifiers, and location info. \r\n\r\nThe adversary with access\
+ \ to the SBI links, may eavesdrop signaling messages if TLS encryption is not\
+ \ enabled. This leads to disclosure of UE authentication and authorization information,\
+ \ and NF IP addresses and other topology information.\r\n\r\nThe adversary positioned\
+ \ on an IPX node may collect data over the N32 interface while a UE is roaming,\
+ \ if a SEPP has used encryption on some parts of the messages sent, or used a\
+ \ weak cipher for JWE encryption. Similarly, an adversary positioned on a SEPP\
+ \ can observe or easily decrypt signaling messages sent on the N32 interface.\r\
+ \n\r\nSimilarly, if the EPC interworking interface N26 for non-roaming is not\
+ \ encrypted, all subscriber signaling data may be exposed to adversary.\r\n\r\n\
+ Adversary may also use compromised virtualized network elements to (vSwitch/vRouter,\
+ \ Virtual Firewalls) to span traffic to a sniffing port for access to traffic\
+ \ flows and user/system data. In a virtualized environment access can be gained\
+ \ much more easily as the servers making up a function are more likely to be physically\
+ \ and virtually distributed and the SDN vSwitch would allow an adversary to fork\
+ \ IP packets flowing between hosts remotely much more easily. Such forking is\
+ \ very difficult to detect or prevent from within a 3GPP NF or VM, and adversaries\
+ \ may be able to read data in transit. \r\n\r\nAn adversary may utilize these\
+ \ observations for several follow-on techniques.\r\n\r\n"
+ - "#### Addendum Name: Fronthaul\r\n##### Architecture Segments: User Plane, Control\
+ \ Plane, Roaming, Virtualization\r\n Adversaries may sniff network traffic to\
+ \ capture information about fronthaul user plane.\r\n\r\nORAN Alliance has defined\
+ \ the open fronthaul interface which connects one O-DU to one or more O-RUs inside\
+ \ the gNB. The fronthaul interface makes it possible to distribute the physical\
+ \ layer functionalities between RU and DU, and to control RU operations from DU.\
+ \ ORAN Alliance has selected a specific configuration (split 7.2x) for splitting\
+ \ of the physical layer among those proposed by 3GPP. The lower part of the physical\
+ \ layer (low PHY) resides in RU and performs Orthogonal Frequency Division Multiplexing\
+ \ (OFDM) phase compensation, inverse FFT and Cyclic Prefix (CP) insertion for\
+ \ frequency-to-time conversion in downlink, and FFT and CP removal in uplink.\
+ \ The physical layer in DU (high PHY) performs scrambling, modulation, layer mapping,\
+ \ and resource element mapping. Fronthaul consists of four types of interfaces:\
+ \ Control or C plane is used to carry control plane messages, User or U plane\
+ \ is used to carry user plane data, Synchronization or S plane is used to carry\
+ \ timing information and Management or M plane is used to carry management data.\r\
+ \n\r\nO-RAN fronthaul interface needs to implement strict performance requirements\
+ \ which includes very high throughput and very low latency. See clause 4.4 of\
+ \ [2]. Some security features may not be implemented by MNOs to meet those requirements\
+ \ and to reduce processing delay. Hence, Adversary on the Side (AoTS) attack on\
+ \ open fronthaul interface is possible which results in passive eavesdropping\
+ \ of U plane data. The adversary may use a simple sniffer device to monitor all\
+ \ U plane communications which is normally not encrypted at lower 3 layers (RLC,\
+ \ MAC and PHY). Confidentiality and integrity protection requirements are not\
+ \ specified by ORAN alliance for control, user and synchronization (CUS) planes,\
+ \ and those are mandatory for M plane. See clause 6.1 of [2] and clause 5.4 of\
+ \ [3].\r\n\r\nNote: The user plane data in PDCP and above layers remains encrypted\
+ \ on Fronthaul U plane and this eavesdrop attack will not impact any of those\
+ \ data unless PDCP security is also broken by the adversary.\r\n\r\n"
+ architecture-segment: User Plane, Control Plane, Roaming, Virtualization
+ bluf: Adversaries may sniff network traffic to capture information about an environment,
+ including authentication material passed over the network.
+ criticalassets:
+ - Description: Sensitive User signaling such as authentication data, user location
+ for the N32 interface
+ Name: UE data on roaming signaling interface
+ - Description: User data for the N9 interface
+ Name: UE data on roaming user plane interface
+ - Description: Signaling data, provisioning data, service discovery
+ Name: UP, CP Data
+ - Description: Sensitive subscriber user plane data will be available to the adversary.
+ Name: Sensitive subscriber data
+ description: "Adversaries may sniff network traffic to capture information about\
+ \ an environment, including authentication material passed over the network.\r\
+ \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1040)\r\
+ \n"
+ detections:
+ - detects: Monitor processes which may sniff data.
+ fgdsid: DS0009
+ name: Process
+ - detects: Monitor for allowed modifications relative to the agreed upon modifications
+ per roaming agreements and agreements with IPX.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor commands given to NFs which may help data sniffing.
+ fgdsid: DS0017
+ name: Command
+ - detects: Monitoring ability to detect new ports, devices on the network
+ fgdsid: DS0039
+ name: Asset
+ - detects: Monitor if security configurations in O-RU and O-DU are downgraded to
+ weak or no security levels.
+ fgdsid: FGDS5022
+ name: Monitor security configurations
+ id: FGT1040
+ mitigations:
+ - fgmid: FGM5033
+ mitigates: Use zero trust for NF protection
+ name: Zero Trust
+ - fgmid: M1020
+ mitigates: Encrypt using TLS all links between NFs and between NF and SCP
+ name: SSL/TLS Inspection
+ - fgmid: M1040
+ mitigates: Monitor to ensure configurations do not change from acceptable options
+ name: Behavior Prevention on Endpoint
+ - fgmid: M1041
+ mitigates: 'Non-SBI: Use encryption (IPSec) on these interfaces. Sections 9.2,
+ 9.3, 9.4, 9.8, 9.9 of [2], and for N26 interfaces, see 4.3.1. of [3].
+
+
+ SBI: Encrypt using TLS all links between NFs and between NF and SCP if one is
+ deployed. TLS must use certificates for both client and server, and the certificate
+ must include the SBA node type and must be checked against what the expectation
+ is for that other party. The TLS profile should adhere to those in TS 33.210
+ [9]. IPSec can be optionally used to protect TLS traffic further at a lower
+ layer. Section 13.1.0 of [2] and also [8], [9].
+
+
+ Roaming: For SEPP, see sections 4.2.3.3, 4.3., 4.4. of [4], and sections 13.1
+ and 13.2 of [2].'
+ name: Encrypt Sensitive Information
+ - fgmid: M1054
+ mitigates: Ensure for MNO services that serve roaming partners that the minimum
+ acceptable configuration is adequate and complies with [2] TS 33.501 clause
+ 13.2.4.9.
+ name: Software Configuration
+ - fgmid: M1026
+ mitigates: Implement strong access control for all types of interfaces on originating
+ switch and any intermediary devices on the fronthaul.
+ name: Privileged Account Management
+ - fgmid: M1030
+ mitigates: Implement network segmentation.
+ name: Network Segmentation
+ - fgmid: M1041
+ mitigates: Ensure fronthaul user plane data is protected with strong encryption
+ algorithm. This will have performance impact on devices implementing it.
+ name: Encrypt Sensitive Information
+ - fgmid: M1047
+ mitigates: Perform hardware and software installation audits of all O-RAN open
+ fronthaul components.
+ name: Audit
+ name: Network Sniffing
+ object-type: technique
+ platforms: 5G Network, RAN
+ postconditions:
+ - Description: As a follow-on attack, adversary may launch application layer fingerprinting
+ attack based on the data collected at MAC and RLC layers. [See FGT1040.501]
+ Name: Application layer finger printing
+ preconditions:
+ - Description: Adversary must have physical access to open fronthaul network to
+ collect data.
+ Name: Adversary has access to open fronthaul network.
+ procedureexamples:
+ - Description: Adversary with access to the non-SBI interfaces (Xn, N2, N3, N4,
+ N9) not using encryption can monitor traffic exchange and obtain UE information
+ such as user identifiers, serving network identifiers, and location info. Non-SBI
+ interfaces may not be encrypted for at least user plane or for control plane
+ packets. See sections D.2.2., L.2.2., L.2.3 of [1]
+ Name: Non-SBI compromise
+ - Description: The adversary with access to the SBI links, for example, with control
+ over the 5G Service Communication Proxy (SCP) or a network infrastructure node
+ (proxy, router, switch), may eavesdrop signaling messages if TLS encryption
+ is not enabled. This leads to disclosure of UE authentication and authorization
+ information, and NF IP addresses and other topology information. See [6], [7].
+ Name: SBI node compromise
+ - Description: 'Adversary positioned on an IPX node can observe UE data if in the
+ clear or easily decrypted: If a SEPP has not properly removed clear text information
+ elements (IE) when replacing them with encrypted versions consistent with the
+ previously negotiated protection policy or if the SEPP used a weak cipher for
+ JWE encryption. See section G.2.4 of [1].'
+ Name: IPX node compromise
+ - Description: The adversary positioned on a SEPP, can observe information elements
+ on the N32c interface including cipher suites used, keys, protection policies
+ exchanged, and error messages received from the peer SEPP. Observations on
+ the N32f interface include cell ID and Physical Cell ID, SUPI, NF to NF signaling
+ for a given victim UE. An adversary may utilize these observations for a number
+ of follow-on techniques.
+ Name: SEPP compromise
+ - Description: 'Adversary launches AoTS attack on open fronthaul U plane data traffic
+ by using a simple sniffer device. The fronthaul U plane data usually does not
+ have encryption due to stringent performance requirements. Hence an eavesdrop
+ attack is possible by a simple device.
+
+
+ This attack can only eavesdrop on user plane data below PDCP layer. Any user
+ plane data in PDCP and above layers are not impacted by this attack. See clause
+ 5.4.1.2, T-UPLANE-01 of [1], clause 6.1 of [2] and clause 5.4 of [3].'
+ Name: Eavesdrop on U plane data on open fronthaul interface.
+ references:
+ - " \\[1\\] [3GPP TR 33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes\u201D, March\
+ \ 2022](https://www.3gpp.org/DynaReport/33926.htm)"
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP), \u201C\
+ Security Architecture and Procedures for 5G System\u201D, TS 33.501 v16.10.0 Release\
+ \ 16, March 2022](https://www.3gpp.org/DynaReport/33501.htm)"
+ - " \\[3\\] [3GPP TS 23.501 \u201CSystem architecture for the\
+ \ 5G System (5GS)\u201D, March 2022](https://www.3gpp.org/DynaReport/23501.htm)"
+ - " \\[4\\] [3rd Generation Partnership Project (3GPP), \u201C\
+ 5G Security Assurance Specification (SCAS) for the Security Edge Protection Proxy\
+ \ (SEPP) network product class\u201D, TS 33.517, ver. 17.0.0, Jun. 2021](https://www.3gpp.org/DynaReport/33517.htm)"
+ - " \\[5\\] [G. Green, \u201C5G Security when Roaming \u2013\
+ \ Part 2,\u201D Mpirical, Lancaster, UK, May 21,2021](https://www.mpirical.com/blog/5g-security-when-roaming-part-2)"
+ - " \\[6\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ - \[7\] [G. Koien, "On Threats to the 5G Service Based Architecture",
+ 2021.](https://www.researchgate.net/publication/349455036_On_Threats_to_the_5G_Service_Based_Architecture)
+ - " \\[8\\] [\u201CThe Transport Layer Security (TLS) Protocol\u201D\
+ , Version 1.2. RFC 5246](https://www.ietf.org/rfc/rfc5246.txt)"
+ - " \\[9\\] [3GPP TS 33.210 \u201CNetwork Domain Security (NDS);\
+ \ IP network layer security\u201D](https://www.3gpp.org/DynaReport/33210.htm)"
+ - " \\[10\\] [3GPP TR 33.848 \u201CStudy on Security Impacts\
+ \ of Virtualization\u201D. (WIP) Section 5.15.2](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3574)"
+ - \[1\] [O-RAN Threat Model 6.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[2\] [O-RAN WG4 Control, User, and Synchronization Plane Specification
+ 12.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[3\] [O-RAN WG4 Management Plane Specification 12.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0007
+ - TA0009
+ - TA0006
+ typecode: attack_technique_addendum
+- access-required: User/NPE/Administrative access
+ addendums:
+ - "#### Addendum Name: Network traffic duplication\r\n##### Architecture Segments:\
+ \ OA&M, Virtualization\r\n An adversary may use compromised virtualized network\
+ \ elements to (vSwitch, vRouter, Virtual Firewalls) to span traffic to sniffing\
+ \ port for access to user plane and control plane data.\r\n\r\nIn a virtualized\
+ \ environment, access can be gained much more easily as the servers making up\
+ \ a function are more likely to be virtually distributed and the SDN vSwitch would\
+ \ allow an adversary to fork IP packets flowing much more easily between hosts\
+ \ remotely. Most network devices/software have capabilities for traffic duplication\
+ \ for troubleshooting or legal purposes (Lawful Interception). Such forking is\
+ \ very difficult to detect or prevent from within a 3GPP NF or VM. An adversary\
+ \ could read data in transit without being detected by application monitoring\
+ \ software.\r\n\r\n"
+ architecture-segment: OA&M, Virtualization
+ bluf: Adversaries may leverage traffic mirroring in order to automate data exfiltration
+ over compromised infrastructure.
+ criticalassets:
+ - Description: Virtual switch, Virtual Router, Virtual Firewalls, Virtual Load Balancers,
+ SDN Controllers
+ Name: Virtual elements
+ description: "Adversaries may leverage traffic mirroring in order to automate data\
+ \ exfiltration over compromised infrastructure.\r\n[To read more, please see the\
+ \ MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1020/001)\r\
+ \n"
+ detections:
+ - detects: Monitor all user accounts accessing network devices to detect abnormal
+ activity
+ fgdsid: DS0002
+ name: User Account
+ - detects: Monitor Command executions on the devices
+ fgdsid: DS0017
+ name: Command
+ - detects: Network elements use active and start up configuration files, monitoring
+ configuration drifts can reveal abnormal activity
+ fgdsid: DS0022
+ name: File
+ - detects: Monitor log on sessions and escalation to higher privilege activity on
+ the devices
+ fgdsid: DS0028
+ name: Logon Session
+ - detects: Monitor network traffic for new traffic flows, analyze socket connections
+ and protocol used to determine abnormal behavior.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1020.001
+ mitigations:
+ - fgmid: M1026
+ mitigates: Manage accounts with privilege to make changes either in the device
+ or its controller.
+ name: Privileged Account Management
+ - fgmid: M1041
+ mitigates: Encrypt sensitive data flows for Control plane and User plane traffic
+ name: Encrypt Sensitive Information
+ name: Traffic Duplication
+ object-type: technique
+ platforms: 5G
+ references:
+ - ' \[1\] [3GPP TR 33.848 Security Impacts of Virtualization,
+
+ Section 5.15.2](https://www.3gpp.org/DynaReport/33848.htm)'
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1020
+ tactics:
+ - TA0007
+ - TA0010
+ typecode: attack_subtechnique_addendum
+- access-required: Service Account
+ architecture-segment: Application Layer
+ bluf: Adversaries may gain unauthorized access to a Hardware Security Module (HSMs)
+ to sign keys and/or other derived key material that can be used to achieve additional
+ goals.
+ criticalassets:
+ - Description: A physical computing device that safeguards and manages digital key
+ material, performs operations such as encryption and decryption, signature generation.
+ Name: HSM
+ description: " Adversaries may gain unauthorized access to a Hardware Security Module\
+ \ (HSM) to sign keys and/or other derived key material that can be used to achieve\
+ \ additional goals. \r\n\r\nAn HSM is a hardware component that handles keying\
+ \ material (storage, computation). They can take the form of a plug-in card or\
+ \ an external device that attaches directly to a server. An HSM contains secure\
+ \ crypto-processor chips. MNOs use HSM\r\nappliances as a Root of Trust to secure\
+ \ their PKI infrastructure, which is used to sign certificates for gNBs and NFs.\
+ \ \r\n\r\nAlthough an HSM protects key material from compromise and from export\
+ \ if configured properly, an adversary may obtain privileges allowing them to\
+ \ utilize a legitimate HSM functions, e.g., through PKCS #11 function calls, Cryptoki\
+ \ library, etc., such that an adversary may obtain signatures and derivative key\
+ \ material seen as legitimate by other MNO NFs. \r\n\r\n"
+ detections:
+ - detects: Analyze the application logs for access from appropriate NFs and appropriate/typical
+ use
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Analyze access logs for appropriate use by admins
+ fgdsid: DS0028
+ name: Logon Session
+ - detects: Monitor for activity from unexpected sources
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1555.501
+ mitigations:
+ - fgmid: M1017
+ mitigates: Train users to be aware of access or manipulation attempts by an adversary
+ to reduce the risk of unauthorized access to the HSM
+ name: User Training
+ - fgmid: M1018
+ mitigates: Restrict users of HSM to minimal privileges from only permitted NFs
+ name: User Account Management
+ - fgmid: M1026
+ mitigates: Ensure administrative accounts for HSM are carefully managed to minimize
+ potential admin credential compromise. This may include use of privileged access
+ workstations, privileged account management solutions, separation of duties
+ approaches, etc.
+ name: Privileged Account Management
+ name: Hardware Security Module Key Signing
+ object-type: technique
+ platforms: HSM
+ postconditions:
+ - Description: Adversary would have the ability to perform signing and cryptographic
+ operations that would permit the adversary to masquerade as a legitimate authorized
+ user and perform operations against NFs.
+ Name: Adversary is able to perform crypto operations fraudulenty.
+ preconditions:
+ - Description: Adversary acquires credentials with legitimate privileges to conduct
+ operations using the HSM. Adversary has a position to initiate transactions
+ with the HSM.
+ Name: Obtain service account credentials
+ procedureexamples:
+ - Description: An adversary would compromise a function or service that has privileges
+ to perform operations using the HSM and use other techniques to obtain the credentials.
+ The adversary may perform operations from the compromised environment or exfiltrate
+ the credentials to another system to perform the operations and conduct further
+ activities.
+ Name: Credential compromise
+ references:
+ - " \\[1\\] [Baseline Security Controls\_\u2013NO-009, FS.31\
+ \ version 2.0,GSMA, February 2020](https://www.gsma.com/security/wp-content/uploads/2020/02/FS.31-v2.0.pdf)"
+ - \[2\] [A New Trust Model For The 5G Era, Thales, October 2020](https://cpl.thalesgroup.com/sites/default/files/content/research_reports_white_papers/field_document/2020-10/New-Trust-Model-For-5G-Era-WP.pdf)
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1555
+ tactics:
+ - TA0006
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: Control Plane
+ bluf: An adversary may compromise the Equipment Identity Register (EIR) function
+ and adds new equipment, modifies status (ok vs. stolen or prohibited) of mobile
+ device.
+ criticalassets:
+ - Description: Device databases should be kept from tampering.
+ Name: Integrity of device database
+ - Description: UE status should be kept accurate.
+ Name: User equipment status integrity
+ description: " An adversary may compromise\_the Equipment Identity Register (EIR)\
+ \ function and\_adds new equipment, modifies status (ok vs. stolen or prohibited)\
+ \ of mobile device.\r\n\r\nEIR is an optional component (applicable to 3G, 4G,\
+ \ 5G) storing the status of a mobile equipment and optionally which Permanent\
+ \ Equipment Identifier (PEI) it is allowed to use. Compromising it can allow an\
+ \ adversary to modify status of devices (e.g. \"stolen\", \"prohibited'). \r\n\
+ \r\nNote: Modifying the EIR does not affect the subscription data such as access\
+ \ to network slice, customer data, or allow fraudulent use of service. \r\n\r\n"
+ detections:
+ - detects: Difficult to detect unauthorized changes. Inspect logs of what changes
+ were made and by whom in the EIR
+ fgdsid: FGDS5009
+ name: Access to operator resource
+ id: FGT5015
+ mitigations:
+ - fgmid: FGM5020
+ mitigates: Secure EIR
+ name: Secure subscriber repositories
+ name: Device Database Manipulation
+ object-type: technique
+ platforms: 5G Network
+ procedureexamples:
+ - Description: 'Reference [1], DC-003, calls for the MNOs to employ an EIR. The
+ rest of the attack is theoretical: an adversary may modify some of the entries
+ in the EIR database, e.g. device status (stolen, etc.)
+
+
+ The AMF is the only function that checks the EIR based on PEI, upon UE registration
+ (using the API N5g-eir_EquipmentIdentityCheck_Get).'
+ Name: EIR database compromise
+ references:
+ - " \\[1\\] [GSM Association, \u201CGSM Association Official\
+ \ Document FS.31, Baseline Security Controls.\u201D, v3.0, Sep. 2023](https://www.gsma.com/security/resources/fs-31-gsma-baseline-security-controls\
+ \ )"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0040
+ typecode: fight_technique
+- access-required: N/A
+ architecture-segment: Control Plane, Network Slice
+ bluf: An adversary-controlled UE may send high volumes of signaling messages to
+ core network functions in order to cause a denial of service.
+ criticalassets:
+ - Description: AMF functionality serving the UEs should be available always.
+ Name: Network services (AMF)
+ description: " An adversary-controlled UE may send high volumes of signaling messages\
+ \ to core network functions in order to cause a denial of service.\r\n\r\nUpon\
+ \ power on or coming out of flight mode, a UE needs to register with 5G network\
+ \ in order to get services from the network. After it gets connected to the network,\
+ \ UE sends several signaling messages to maintain the connection and to request\
+ \ new services. If any of those signaling messages are sent repeatedly to 5G network,\
+ \ the network spends its resources to process those request messages, which may\
+ \ overwhelm some critical Network Functions (NFs) such as Access and Mobility\
+ \ Function (AMF).\r\n\r\nA malicious UE sends repeated Attach requests which cause\
+ \ AMF to start many registrations. Alternatively, when a load balancing Service\
+ \ Communication Proxy (SCP) is not employed, an adversary in the network sends\
+ \ many otherwise-legitimate control messages to a NF so as to overload it. Network\
+ \ service is degraded for all other users in that area (served by AMF).\r\n\r\n"
+ detections:
+ - detects: Application layer DoS attack detection mechanism can be used to detect
+ repeated attempt of UE attach-detach cycle within a short period.
+ fgdsid: DS0018
+ name: Firewall
+ id: FGT1498.501
+ mitigations:
+ - fgmid: FGM5498
+ mitigates: 'Employ a firewall or other rate control box on the N2 interface [from
+ RAN to AMF]
+
+
+ (May not be available in the market). Employ a NAS-MM (Non-access stratum Mobility
+ Mgmt) application layer proxy at the edge of the network, having the capability
+ to limit UE request rate.
+
+ In addition, SCP can act as load balancer between the service consumer (AMF)
+ and service producer (UDM). (Annex E of [2])'
+ name: Limit incoming signaling and user plane traffic
+ name: Flooding of core network component
+ object-type: technique
+ platforms: 5G network
+ postconditions:
+ - Description: 'If AMF services are down, all services for the existing UEs which
+ use NAS layer will not be available. For example: mobility, session management
+ (QoS etc.), PDU session set up / tear down, SMS over NAS, location management.
+ New UE connection attempts will also fail when AMF services are down. Clause
+ 8.2.2.1 of [2].'
+ Name: AMF service will not be available to legitimate users during attack.
+ procedureexamples:
+ - Description: "Because network slices and network functions can be shared, malicious\
+ \ UE can create control plane storms.\n\nAMF Message Flooding for a shared slice\
+ \ with shared NFs:\n(1) An initial AMF validates if the user (UE) is allowed\
+ \ to access the subscribed S-NSSAI: AMF contacts the UDM to request the UE\u2019\
+ s Slice Selection Subscription data. The initial UDM may contact the UDR for\
+ \ the UE's Slice Selection Subscription data, then provides the data to the\
+ \ AMF.\n(2) During the t0 to t-delta time interval that it takes to perform\
+ \ (1), the UE drops the initial AMF then re-attaches to the AMF, restarting\
+ \ the validation.\n(3) The UE recursively performs (2), which recursively performs\
+ \ (1), creating a \"UE-AMF-UDM-UDR-AMF\" message storm sandwiched in between\
+ \ an \"Attach-Detach\" storm.\n(4) Since this is a shared slice with shared\
+ \ NFs, the control plane storm (Attach-UE-AMF-UDM-UDR-AMF-Detach-Attach-recursively\
+ \ repeat) creates a DoS condition."
+ Name: Control plane signaling storm from (at least) one malicious UE
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - ' \[2\] [3GPP TS 23.501: System architecture for the 5G System
+ (5GS)](https://www.3gpp.org/DynaReport/23501.htm )'
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT1498
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: Roaming
+ bluf: An adversary exploits interconnection/interworking between MNOs to obtain
+ information about roaming user sessions or commit fraud.
+ criticalassets:
+ - Description: Adversaries may need to compromise a vSEPP to perform certain activities
+ to ensure they look legitimate.
+ Name: SEPP
+ - Description: Adversaries may need to compromise a vPLMN NF to perform certain
+ activities to ensure they look legitimate
+ Name: NFs in the vPLMN
+ - Description: Adversary will need to compromise keys used to sign IE modifications
+ at IPX
+ Name: IPX signing keys
+ description: " An adversary exploits interconnection/interworking between MNOs to\
+ \ obtain information about roaming user sessions or commit fraud. \r\n\r\nThe\
+ \ adversary with a position on a trusted partners environment, see [FGT1199.501](/techniques/FGT1199.501),\
+ \ is in a position to send legitimate looking messages to a PLMN interfaces and\
+ \ network functions and modify, in some circumstances, legitimate messages. Through\
+ \ these messages, the adversary may obtain sensitive information about the PLMN\u2019\
+ s subscribers. With the ability to send messages seen by the PLMN as legitimate,\
+ \ the trusted partner may also commit fraud.\r\n\r\n\r\n\r\n"
+ detections:
+ - detects: Monitor for use of IE modification by IPX and respond when unexpected
+ IE modifications are seen.
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5016
+ mitigations:
+ - fgmid: M1041
+ mitigates: Block or limit cipher choices used for JWS. Use of weak JWS ciphers
+ could allow unauthorized disclosure
+ name: Encrypt Sensitive Information
+ - fgmid: M1054
+ mitigates: Block unauthorized IE modifications by IPX. Allow only communication
+ where authorized IpxId is not NULL
+ name: Software Configuration
+ - fgmid: M1056
+ mitigates: Avoid using PRINS and use direct SEPP-SEPP with HTTP/s. Use of the
+ SEPP to SEPP solution instead of allowing an IPX to potentially observe and
+ manipulate information avoids the problem. A future SEPP hub solution may also
+ mitigate this risk by providing a more scalable SEPP to SEPP solution.
+ name: Pre-compromise
+ name: Abuse of Inter-operator Interfaces
+ object-type: technique
+ platforms: IPX, SEPP, VAS
+ preconditions:
+ - Description: Adversary will need to compromise keys used to sign IE modifications
+ at IPX
+ Name: IPX key compromise
+ - Description: Compromise of the initiating SEPP, typically the VPLMN SEPP, would
+ permit an adversary to establish a protection policy that would allow IPX modification.
+ Name: Compromise of initiating SEPP
+ procedureexamples:
+ - Description: In one approach, the adversary, in a position on an IPX, could modify
+ the messages between the vPLMN (visited PLMN) and hPLMN (home PLMN) if PRINS
+ is used, resulting in possible information modification and/or disclosure. Modification
+ of an Information element (IE) could enable possible denial of service and/or
+ information disclosure and this is addressed in [FGT5029](/techniques/FGT5029).
+ Name: Manipulate data between two PLMNs
+ - Description: If the adversary controls a vPLMN SEPP they may modify signaling
+ on N32 and/or generate requests to hPLMN NFs. The adversary controlled vSEPP
+ could terminate TLS connections to hPLMN NFs and proxy requests as an adversary-in-the-middle,
+ see [FGT1557.502](/techniques/FGT1557.502). Legitimate looking requests that
+ could result in information disclosure or fraud may involve Value Added Service
+ (VAS), e.g., VAS providing SEPP to the VPLMN
+ Name: Compromise SEPP and modify signaling it sends
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ - " \\[2\\] [\u201CSecurity Assurance Specification (SCAS) threats\
+ \ and critical assets in 3GPP network product classes,\u201D 3rd Generation Partnership\
+ \ Project (3GPP), TR 33.926 ver.17.3.0, Dec. 2021, sec. G.2.4.1-G.2.4.2](https://www.3gpp.org/DynaReport/33926.htm)"
+ - " \\[3\\] [G. Green, \u201C5G Security when Roaming \u2013\
+ \ Part 2,\u201D Mpirical, Lancaster, UK, May 21, 2021](https://www.mpirical.com/blog/5g-security-when-roaming-part-2)"
+ - " \\[4\\] [\u201CSecurity architecture and procedures for 5G\
+ \ System,\u201D 3GPP, TS 33.501 ver. 16.3.0, July 2020, Sec. 13.1.2,13.2](https://www.3gpp.org/DynaReport/33501.htm)"
+ - " \\[5\\] [\u201C5G System; Public Land Mobile Network (PLMN)\
+ \ Interconnection; Stage 3,\u201D 3GPP, TS 29.573 ver.16.9.0, March 2022](https://www.3gpp.org/DynaReport/29573.htm)"
+ - " \\[6\\] [P.Tommassen, \u201C5G Security When Roaming,\u201D\
+ \ iBasis, October 6, 2020](https://ibasis.com/5g-security-when-roaming/)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0009
+ - TA5001
+ typecode: fight_technique
+- addendums:
+ - "#### Addendum Name: Core-network scanning\r\n##### Architecture Segments: OA&M\r\
+ \n An adversary may discover operator network related information (identifiers).\
+ \ \r\n\r\nAdversaries may attempt to get a listing of earlier generation systems\
+ \ (e.g. 3G) that do not use IP address, hostname, but instead, other identifiers,\
+ \ such as point codes (like IP addresses for SS7 protocols, point to point) and\
+ \ Global Titles. Examples are GTScan, SigPloit, SCTPScan and GTPScan. \r\n\r\n\
+ Note: This is scanning for 3G, 4G and 5G core components address info. This is\
+ \ scanning for open ports to determine protocol use without compromising the host/NF.\r\
+ \n\r\n"
+ architecture-segment: OA&M
+ bluf: Adversaries may attempt to get a listing of other systems by IP address, hostname,
+ or other logical identifier on a network that may be used for Lateral Movement
+ from the current system.
+ criticalassets:
+ - Description: Data (IP address or FQDN, ports) relating to network nodes.
+ Name: MNO core network component data.
+ description: "Adversaries may attempt to get a listing of other systems by IP address,\
+ \ hostname, or other logical identifier on a network that may be used for Lateral\
+ \ Movement from the current system.\r\n[To read more, please see the MITRE ATT&CK\
+ \ page for this technique](https://attack.mitre.org/techniques/T1018)\r\n"
+ detections:
+ - detects: SIEM tools using network firewalls. Detect port scanners.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1018
+ mitigations:
+ - fgmid: M1030
+ mitigates: Ensure proper network segmentation is followed to protect critical
+ servers and devices.
+ name: Network Segmentation
+ - fgmid: M1031
+ mitigates: Use network intrusion detection/prevention systems to detect and prevent
+ remote service scans.
+ name: Network Intrusion Prevention
+ - fgmid: M1042
+ mitigates: Ensure that unnecessary ports and services are closed to prevent risk
+ of discovery and potential exploitation.
+ name: Disable or Remove Feature or Program
+ name: Remote System Discovery
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: Adversary now knows identifiers of some network nodes, and so these
+ nodes can now be spoofed or targeted for Denial of Service.
+ Name: Identifier of some network nodes is known
+ preconditions:
+ - Description: Adversaries need access to such tools.
+ Name: Access to scanning tool
+ procedureexamples:
+ - Description: Adversaries may employ pen testing tools such as GTScan, SigPloit,
+ SCTPScan and GTPScan.
+ Name: Use of pen testing tools.
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0007
+ typecode: attack_technique_addendum
+- addendums:
+ - "#### Addendum Name: Core-network scanning\r\n##### Architecture Segments: OA&M\r\
+ \n An adversary may discover operator network related information (identifiers).\
+ \ \r\n\r\nAdversaries may attempt to get a listing of earlier generation systems\
+ \ (e.g. 3G) that do not use IP address, hostname, but instead, other identifiers,\
+ \ such as point codes (like IP addresses for SS7 protocols, point to point) and\
+ \ Global Titles. Examples are GTScan, SigPloit, SCTPScan and GTPScan. \r\n\r\n\
+ Note: This is scanning for 3G, 4G and 5G core components address info. This is\
+ \ scanning for open ports to determine protocol use without compromising the host/NF.\r\
+ \n\r\n"
+ architecture-segment: OA&M
+ bluf: Adversaries may attempt to get a listing of services running on remote hosts
+ and local network infrastructure devices, including those that may be vulnerable
+ to remote software exploitation.
+ criticalassets:
+ - Description: Data (IP address or FQDN, ports) relating to network nodes.
+ Name: MNO core network component data.
+ description: "Adversaries may attempt to get a listing of services running on remote\
+ \ hosts and local network infrastructure devices, including those that may be\
+ \ vulnerable to remote software exploitation.\r\n[To read more, please see the\
+ \ MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1046)\r\
+ \n"
+ detections:
+ - detects: SIEM tools using network firewalls. Detect port scanners.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1046
+ mitigations:
+ - fgmid: M1030
+ mitigates: Ensure proper network segmentation is followed to protect critical
+ servers and devices.
+ name: Network Segmentation
+ - fgmid: M1031
+ mitigates: Use network intrusion detection/prevention systems to detect and prevent
+ remote service scans.
+ name: Network Intrusion Prevention
+ - fgmid: M1042
+ mitigates: Ensure that unnecessary ports and services are closed to prevent risk
+ of discovery and potential exploitation.
+ name: Disable or Remove Feature or Program
+ name: Network Service Discovery
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: Adversary now knows identifiers of some network nodes, and so these
+ nodes can now be spoofed or targeted for Denial of Service.
+ Name: Identifier of some network nodes revealed
+ preconditions:
+ - Description: Adversaries need access to such tools.
+ Name: Access to scanning tool
+ procedureexamples:
+ - Description: Adversaries may employ pen testing tools such as GTScan, SigPloit,
+ SCTPScan and GTPScan.
+ Name: Use of pen testing tools.
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0007
+ typecode: attack_technique_addendum
+- access-required: User/NPE/Administrative access
+ addendums:
+ - "#### Addendum Name: Compromise Network Isolation\r\n##### Architecture Segments:\
+ \ OA&M, Virtualization, Network Slice\r\n An adversary may compromise network\
+ \ separation controls to gain access to one or more of the 5G security zones or\
+ \ networks. \r\n\r\n5G is a system of systems and may be composed of several\
+ \ network and security zones, as well as slices. A compromise of controls placed\
+ \ to maintain security zones or network segmentation based on IP networks, application\
+ \ groups or slices may allow an adversary to gain unauthorized access to networks\
+ \ or services. This may occur at a Core, RAN, Cloud or Slice boundary.\r\n\r\n\
+ Once the adversary has infiltrated the internals of the network, it has ample\
+ \ opportunities and a much broader attack surface to explore. The adversary can,\
+ \ e.g., conduct privilege escalation and process injection for gaining administrative\
+ \ rights, attempt password cracking of valid user accounts on the nodes, exploit\
+ \ vulnerabilities in databases and file systems, and take advantage of improper\
+ \ configurations of routers and switches.\r\n\r\nThe boundaries of a network and\
+ \ its security zones can exist between various technologies, such as 4G and 5G,\
+ \ or between different partners, such as private networks, mobile operators, or\
+ \ Mobile Virtual Network Operators (MVNOs). These boundaries can also exist between\
+ \ different network components, such as radio access, core, edge, and cloud, as\
+ \ well as between national or international links and operator cores, and service\
+ \ providers or operator cores.\r\nIn some cases, firewalls may be used to separate\
+ \ these zones, such as SS7 protocol, Diameter protocol, 5G APIs, enhanced SCP\
+ \ (Service Communication Proxy), IP (Internet Protocol), SIP (Session Initiation\
+ \ Protocol), and GTP (GPRS Tunneling Protocols) firewalls. Alternatively, an interworking\
+ \ function may be used to translate one protocol into another. However, it's important\
+ \ to note that privileged access is not always necessary to bypass a firewall\
+ \ or exploit an interworking function. Often, insufficient filtering may be the\
+ \ cause, or the filtering may not be sufficiently deep.\r\n\r\n\r\n"
+ architecture-segment: OA&M, Virtualization, Network Slice
+ bluf: Adversaries may bridge network boundaries by compromising perimeter network
+ devices or internal devices responsible for network segmentation.
+ criticalassets:
+ - Description: Devices enforcing network segmentation and creating perimeter for
+ applications may include firewalls, SDN controllers, or Proxies.
+ Name: Devices enforcing segmentation controls
+ description: "Adversaries may bridge network boundaries by compromising perimeter\
+ \ network devices or internal devices responsible for network segmentation.\r\n\
+ [To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1599)\r\
+ \n"
+ detections:
+ - detects: Network Traffic should be monitored for traffic flows and messaging contents
+ to determine abnormal activity.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1599
+ mitigations:
+ - fgmid: M1026
+ mitigates: Manage accounts for privileged users for the security zones in the
+ 5G network.
+ name: Privileged Account Management
+ - fgmid: M1027
+ mitigates: "Password Policies \u2013 follow NIST Guidelines. This may also include\
+ \ token policies if security tokens are used."
+ name: Password Policies
+ - fgmid: M1032
+ mitigates: Enable Multi-factor Authentication for privileged users
+ name: Multi-factor Authentication
+ - fgmid: M1037
+ mitigates: Filter Network Traffic, per protocol
+ name: Filter Network Traffic
+ - fgmid: M1043
+ mitigates: Protect credentials of management entities
+ name: Credential Access Protection
+ name: Network Boundary Bridging
+ object-type: technique
+ platforms: OA&M
+ postconditions:
+ - Description: If network boundaries are breached, monitoring system may detect
+ unusual network flow
+ Name: Unusual network traffic flows
+ - Description: Adversary may attempt to discover networks and live hosts on the
+ networks
+ Name: Network mapping activity
+ - Description: Adversary may attempt connect to hosts in the target network after
+ profiling hosts and network mapping.
+ Name: Connection attempts from unusual hosts
+ preconditions:
+ - Description: Privileged access to device implementing the network separation controls
+ Name: Privileged access
+ procedureexamples:
+ - Description: "An adversary may impersonate a trusted source (roaming partner or\
+ \ VAS) to avoid filtering by firewall, and to transport data in and out of the\
+ \ targeted operator\u2019s network. ([1])"
+ Name: Impersonate roaming partner/VAS (Value Added Service) provider
+ - Description: An adversary may abuse the remote service offered for network MANO
+ tools, to make configuration changes to SDN flow tables and cause packet filtering
+ to not detect flow across boundaries. ([2])
+ Name: MANO abuse to change SDN (Software Defined Networking) configuration
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0005
+ typecode: attack_technique_addendum
+- access-required: Physical
+ architecture-segment: Physical & Environmental
+ bluf: 'An adversary aims to destroy, expose, alter, disable, steal, or gain unauthorized
+ access to physical assets such as infrastructure, hardware, or interconnection,
+ affecting QoS or service availability. '
+ criticalassets:
+ - Description: Radio access units, information and communications technology equipment,
+ optical interconnection facilities, cloud data center, edge computing facilities
+ Name: Physical infrastructure
+ description: " An adversary aims to destroy, expose, alter, disable, steal, or gain\
+ \ unauthorized access to physical assets such as infrastructure, hardware, or\
+ \ interconnection, affecting Quality of Service (QoS) or service availability.\
+ \ \r\n\r\nActions taken by actors aimed at destroying, disabling, or stealing\
+ \ physical assets supporting the 5G Network. A physical attack to 5G critical\
+ \ assets may disrupt, interfere, and ultimately cause unavailability of the network\
+ \ service. Despite the existence of physical protection mechanisms (e.g., physical\
+ \ surveillance and surveillance cameras, security locks, security guards), physical\
+ \ breaches and insider threat attacks may still occur.\r\n\r\n\r\n"
+ detections:
+ - detects: Asset tracking tools. Security Management and Detection
+ fgdsid: DS0040
+ name: Operational Databases
+ id: FGT5018
+ mitigations:
+ - fgmid: FGM5005
+ mitigates: 'Communications Centers.
+
+ Communication centers should provide a full set of physical and environmental
+ controls aimed to assure access control, monitoring, continuity of operations
+ and protection against environmental disasters.'
+ name: Physical and environmental protection
+ name: Vandalism of Network Infrastructure
+ object-type: technique
+ platforms: Physical
+ postconditions:
+ - Description: Destruction or damage of these assets may cause an unavailability
+ of resources.
+ Name: Service unavailability
+ - Description: Destruction or damage of these assets may cause information destruction.
+ Name: Information destruction
+ preconditions:
+ - Description: "Improper physical security of Data Centers / Telecommunication equipment\
+ \ room. \n\nImproper isolation of physical security perimeter between tenants.\n\
+ \nImproper environmental protection controls.\n\nInadequate / defective security\
+ \ devices."
+ Name: Improper physical security of 5G core component infrastructure
+ - Description: "Improper physical security of telecommunications equipment rooms\
+ \ and equipment sited in partners\u2019 or users\u2019 premises.\n\nImproper\
+ \ physical security of physically isolated operation areas.\n\nInadequate /\
+ \ defective security devices."
+ Name: gNB component infrastructure
+ - Description: 'Improper physical security of telecommunications equipment rooms.
+
+
+ Improper physical security of physically isolated operations areas.
+
+
+ Inadequate / defective security devices.'
+ Name: NFVI
+ - Description: 'Unprotected data center interconnection channels.
+
+
+ Improper physical security perimeter or isolation between tenants.'
+ Name: SDN
+ - Description: 'Improper physical and environmental security of edge computing facilities
+
+
+ Improper security monitoring of edge computing facilities
+
+
+ Insecure service environment.'
+ Name: MEC host
+ procedureexamples:
+ - Description: Unauthorized access, destruction of assets and impairment of operations
+ Name: Communication center
+ - Description: Unauthorized access, destruction of assets and impairment of operations
+ Name: Telecommunications equipment room
+ - Description: Unauthorized access, destruction of assets and impairment of operations
+ Name: Physically isolated operation areas
+ - Description: unauthorized access, destruction of assets and impairment of operations
+ Name: Equipment sited in other carrier's or partner's premises
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, November 2019.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA0040
+ typecode: fight_technique
+- access-required: None
+ architecture-segment: Physical & Environmental
+ bluf: An adversary targets unprotected cables and junction boxes in order to disrupt
+ service.
+ criticalassets:
+ - Description: Data cables used in the operator network infrastructure
+ Name: Data cables
+ - Description: Power cables used in the operator network infrastructure
+ Name: Power cables
+ description: " An adversary targets unprotected cables and junction boxes in order\
+ \ to disrupt service.\r\n \r\nFibers routed between pieces of equipment without\
+ \ proper physical protection are susceptible to damage, which can critically affect\
+ \ network reliability.\r\n\r\n"
+ detections:
+ - detects: 'Security Incident and event monitoring
+
+ Event logs recording user activities, exceptions, faults and information security
+ events should be produced, kept and regularly reviewed. Additional considerations:
+ development of use-case specific alert rules, integration and correlation of
+ data at all levels (network, application), integration and correlation with
+ service provider-level monitoring mechanisms.'
+ fgdsid: FGDS5012
+ name: SIEM
+ id: FGT5018.001
+ mitigations:
+ - fgmid: FGM5005
+ mitigates: 'Secure junction boxes.
+
+ Optical fiber junction boxes / splice closures should only be accessible to
+ maintenance personnel and maintenance vehicles. A closure should be located
+ away from high traffic or conditions that could cause damage to the closure
+ or injury to personnel. [2] 11.2.3 advocates for cabling security.'
+ name: Physical and environmental protection
+ - fgmid: FGM5540
+ mitigates: Power supply facilities in the isolated area such as mobile base stations
+ should preferably provide an uninterruptible power supply with capacity for
+ all loading and capable of withstanding primary power supply failures for the
+ duration of likely outages. If that is impossible, a mechanism to provide uninterruptible
+ power to critical equipment should be installed. Batteries may need to be augmented
+ with a private electric generator, especially in isolated areas.
+ name: Power supplies
+ name: Cabling and junction boxes
+ object-type: technique
+ platforms: Data transmission infrastructure and power supply
+ postconditions:
+ - Description: Destruction or damage of these assets may cause an unavailability
+ of resources.
+ Name: Service unavailability
+ - Description: Destruction or damage of these assets may cause information destruction
+ Name: Information destruction
+ preconditions:
+ - Description: Fibers routed between pieces of equipment without proper protection
+ are susceptible to damage, which can critically affect network reliability.
+ The fiber cable management system should therefore ensure that every fiber is
+ protected from physical damage.
+ Name: Unprotected cables
+ - Description: Lack of protection of junction boxes / splice closures. Improper
+ cable routing also causes increased congestion in the termination panel and
+ the cableways, increasing the possibility of bend radius violations and long-term
+ failure.
+ Name: ' Unprotected junction boxes'
+ procedureexamples:
+ - Description: An adversary may damage cabling and junction boxes
+ Name: Disrupt service via physical damage
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, page 210, December\
+ \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [ISO/IEC 27011:(2016), \u201CInformation technology\
+ \ \u2014 Security techniques \u2014 Code of practice for Information security\
+ \ controls based on ISO/IEC 27002 for telecommunications organizations\u201D](https://www.iso.org/obp/ui/#iso:std:iso-iec:27011:ed-2:v1:en\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5018
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique
+- access-required: Physical
+ architecture-segment: Physical & Environmental
+ bluf: An adversary uses unrestricted access to exploit, damage, or destroy Radio
+ Access hardware that lack adequate security
+ criticalassets:
+ - Description: ' RAN-CU & DU, C-RAN MEC and mmWave equipment'
+ Name: Radio access hardware (gNB)
+ description: " An adversary uses unrestricted access to exploit, damage, or destroy\
+ \ Radio Access hardware that lack adequate security.\r\n\r\nThe use of small-cell\
+ \ antennas requires hardware to be placed in highly accessible locations, such\
+ \ as, commercial and residential buildings, ground-level structures, and existing\
+ \ street furniture (bus stops, info kiosks, and billboards). These solutions count\
+ \ on sharing site spaces in existing infrastructure to reduce costs due to the\
+ \ increased amount of hardware required to maintain Quality of Service (QoS).\r\
+ \n\r\n"
+ detections:
+ - detects: 'Event logs recording user activities, exceptions, faults and information
+ security events should be produced, kept and regularly reviewed. Additional
+ considerations: development of use-case specific alert rules, integration and
+ correlation of data at all levels (network, application), integration and correlation
+ with service provider-level monitoring mechanisms.'
+ fgdsid: DS0040
+ name: Operational Databases
+ id: FGT5018.002
+ mitigations:
+ - fgmid: FGM5005
+ mitigates: Sites should be provided with a full set of physical and environmental
+ controls aimed to assure access control, monitoring, continuity of operations
+ and protection against vandalism.
+ name: Physical and environmental protection
+ name: Radio Access Hardware
+ object-type: technique
+ platforms: Radio access hardware
+ postconditions:
+ - Description: Destruction or damage of these assets may cause unavailability of
+ resources
+ Name: Service unavailability
+ - Description: Destruction or damage of these assets may cause information destruction
+ Name: Information destruction
+ preconditions:
+ - Description: Despite the virtualized structure of the 5G network and all involved
+ network functions, there will be a strong dependency on the physical infrastructure,
+ especially in the initial migration/hybrid 5G deployments.
+ Name: Improper physical security of radio access hardware
+ procedureexamples:
+ - Description: Classified as a deliberate physical attack, this threat relates to
+ actions taken by actors aimed at destroying, disabling or stealing physical
+ assets supporting the 5G Network. A physical attack to 5G critical assets may
+ disrupt, interfere and ultimately cause unavailability of the network service.
+ Despite the existence of physical protection mechanisms (e.g., physical surveillance
+ and surveillance cameras, security locks, security guards), physical breaches
+ and insider threat attacks may still occur.
+ Name: Physical sabotage/vandalism of the network infrastructure
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, page 202, December\
+ \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [El-Shorbagy, A.-moniem. \u201C5G Technology and\
+ \ the Future of Architecture\u201D. Procedia Computer Science, (2021), volume\
+ \ 182, p121\u2013131.](https://doi.org/10.1016/j.procs.2021.02.017 )"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5018
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique
+- access-required: None
+ architecture-segment: Physical & Environmental
+ bluf: An adversary may seek physical access to isolated/remote edge servers using
+ covert methods of entry with the intent to damage or destroy edge computing facilities,
+ gaining unauthorized access at system level as an entry point to all hosted resources,
+ theft of data on local storage, vandalism, and sabotage.
+ criticalassets:
+ - Description: Destruction of edge computing facilities, unauthorized access at
+ system level as an entry point to all hosted resources, theft of data on local
+ storage, vandalism and/or sabotage of equipment.
+ Name: Edge facility equipment
+ description: " An adversary may seek physical access to isolated/remote edge servers\
+ \ using covert methods of entry with the intent to damage or destroy edge computing\
+ \ facilities, gaining unauthorized access at system level as an entry point to\
+ \ all hosted resources, theft of data on local storage, vandalism, and sabotage.\r\
+ \n\r\nEdge computing facilities are, by their nature, seated in geographically\
+ \ distributed locations. Normally, the first choice will be communications shelters\
+ \ already operated by MNO. While communications shelters have physical security\
+ \ controls in place, these are calibrated to risks associated with communication\
+ \ equipment value. An additional risk assessment is needed to assess suitability\
+ \ in the context of additional risks incurred by presence of computing facilities\
+ \ and data.\r\n\r\n"
+ detections:
+ - detects: 'Event logs recording user activities, exceptions, faults and information
+ security events should be produced, kept and regularly reviewed. Additional
+ considerations: development of use-case specific alert rules, integration and
+ correlation of data at all levels (network, application), integration and correlation
+ with service provider-level monitoring mechanisms.'
+ fgdsid: FGDS5012
+ name: SIEM
+ id: FGT5018.003
+ mitigations:
+ - fgmid: FGM5005
+ mitigates: Edge sites should be provided with a full set of physical and environmental
+ controls aimed to assure access control, monitoring, continuity of operations
+ and protection against environmental disasters. Failure to do so may lead to
+ unauthorized access, destruction of assets and impairment of operations.
+ name: Physical and environmental protection
+ name: Edge servers
+ object-type: technique
+ platforms: Edge server
+ postconditions:
+ - Description: Destruction of assets, unauthorized access, theft of data on local
+ storage, vandalism, sabotage
+ Name: Service unavailability
+ - Description: Destruction or damage of these assets may cause information destruction
+ Name: Information destruction
+ preconditions:
+ - Description: 'Mobile-edge computing have to be integrated in the network-wide
+ Security Incident and Monitoring System, but with additional considerations:
+ development of use-case specific alert rules, integration and correlation of
+ data at all levels (network, application), integration and correlation with
+ service provider -level monitoring mechanisms. Failure to do so may leave advanced
+ or sustained threats undetected, as well as technical failures or malfunctions
+ of local resources.'
+ Name: Improper security monitoring of edge computing facilities
+ procedureexamples:
+ - Description: Adversary may obtain physical access to remote edge servers and cause
+ damage to them.
+ Name: Damage edge servers
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, page 202, December\
+ \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [ISO/IEC 27011:(2016), \u201CInformation technology\
+ \ \u2014 Security techniques \u2014 Code of practice for Information security\
+ \ controls based on ISO/IEC 27002 for telecommunications organizations\u201D](https://www.iso.org/obp/ui/#iso:std:iso-iec:27011:ed-2:v1:en)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5018
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique
+- access-required: Physical
+ architecture-segment: Physical & Environmental
+ bluf: An adversary accesses a shared site, or remote location, with intent to steal
+ valuable materials (such as copper, batteries, and fuel) for resale.
+ criticalassets:
+ - Description: Physical assets and commodities used by the mobile network operators
+ in their infrastructure.
+ Name: Physical assets and commodities
+ description: " An adversary accesses a shared site, or remote location, with intent\
+ \ to steal valuable materials (such as copper, batteries, and fuel) for resale.\r\
+ \n\r\nAs towers are often located in remote locations, base stations are prime\
+ \ marks for thieves and vandals in search of an easy target. These sites contain\
+ \ a wealth of valuable copper wire, high-performance batteries, and fuel. Thieves\
+ \ and vandals take advantage of remote locations of cell sites by trespassing\
+ \ freely, without the fear of being identified. Copper wires and battery theft\
+ \ exploit the second-hand market fueled by the worldwide demand for these goods.\r\
+ \n\r\n"
+ detections:
+ - detects: 'Event logs recording user activities, exceptions, faults and information
+ security events should be produced, kept and regularly reviewed. Additional
+ considerations: development of use-case specific alert rules, integration and
+ correlation of data at all levels (network, application), integration and correlation
+ with service provider-level monitoring mechanisms.'
+ fgdsid: FGDS5012
+ name: SIEM
+ id: FGT5018.004
+ mitigations:
+ - fgmid: FGM5005
+ mitigates: 'Implement physical and environmental controls
+
+ Shared/Remote sites should be provided with a full set of physical and environmental
+ controls aimed to assure access control, monitoring, continuity of operations
+ and protection against environmental disasters. Failure to do so may lead to
+ unauthorized access, destruction of assets and impairment of operations.'
+ name: Physical and environmental protection
+ name: Theft of Assets
+ object-type: technique
+ platforms: remote/shared location physical assets
+ postconditions:
+ - Description: Theft of these assets may cause an unavailability of resources.
+ Name: Service unavailability
+ - Description: Theft of these assets may cause an increase in maintenance costs
+ for the operator.
+ Name: Increased maintenance costs
+ preconditions:
+ - Description: 'Remote/shared sites have to be integrated in the network-wide Security
+ Incident and Monitoring System, but with additional considerations: development
+ of use-case specific alert rules, integration and correlation of data at all
+ levels (network, application), integration and correlation with service provider
+ -level monitoring mechanisms. Failure to do so may leave advanced or sustained
+ threats undetected, as well as technical failures or malfunctions of local resources.'
+ Name: Improper security monitoring of remote/shared facilities
+ procedureexamples:
+ - Description: "Copper\u2019s value transforms remote cellular base stations into\
+ \ prime targets for thieves. The costs for telecom and tower operators to replace\
+ \ the cost of the cable and damage to the site can be thousands of dollars per\
+ \ incident. This is not taking into consideration the additional costs of loss\
+ \ of network service. Even the theft of a small amount of copper can cause extensive\
+ \ damage to site equipment, costing cell towers owners thousands of dollars\
+ \ in repairs, replacement, and network downtime. There are several expensive\
+ \ copper items at cell sites that are very attractive to thieves, such as the\
+ \ ground wires, copper grounding busbars, and waveguides"
+ Name: Cable/Copper Theft
+ - Description: Battery theft can easily become the root cause of cell services outage.
+ Similarly, to the case of cable theft, telecom towers are increasingly affected
+ by the rise of battery theft and vandalism incidents.
+ Name: Battery Theft
+ - Description: Fuel is a major asset at telecom sites that can easily and directly
+ be sold by thieves. The threat of diesel theft is widespread in many emerging
+ markets and even in the rural areas of the developed markets.
+ Name: ' Fuel Theft'
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, page 202, December\
+ \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [Baars, J. \u201CWhite Paper - Telecom Sites Physical\
+ \ Security\u201D, December 2019, Asentria](https://www.asentria.com/blog/telecom-sites-physical-security-white-paper/.\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5018
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique
+- access-required: admin/user
+ architecture-segment: Control Plane
+ bluf: An adversary in the core network exploits signaling protocols to obtain the
+ location of the UE.
+ criticalassets:
+ - Description: NEF, AMF, SMF, UPF, NWDAF, GMLC, LMF
+ Name: Operator network components
+ - Description: UE/Subscriber geographical location
+ Name: UE location
+ description: " An adversary in the core network exploits signaling protocols to\
+ \ obtain the location of the UE. \r\n\r\nUser location tracking is part of normal\
+ \ cellular operation. Adversaries with access to core network or a core network\
+ \ function (NF) can misuse signaling protocols (e.g., SS7, GTP and Diameter or\
+ \ the SBI API calls), or exploit vulnerabilities in the signaling plane, in order\
+ \ to obtain location information for a given UE.\r\n\r\nNote: In case of 3G/4G\
+ \ core networks using SS7, this technique is covered by [ATT&CK Mobile T1430.002\
+ \ Location Tracking: Impersonate SS7 nodes]().\r\n \r\n\r\n"
+ detections: []
+ id: FGT5012.004
+ mitigations:
+ - fgmid: FGM5023
+ mitigates: Periodic authentication / authorization of NF consumer e.g. AMF by
+ NRF will help detect rogue AMFs. Not currently in 3GPP specs, but it can be
+ enhanced.
+ name: Periodic Authentication & Authorization of NFs
+ - fgmid: FGM5019
+ mitigates: NEF authorizes 3rd party AFs for location service using policy. Nnef_Location
+ API called by AF should be authorized properly. AF uses GPSI as UE identity.
+ name: Authorize external API calls
+ - fgmid: M1037
+ mitigates: Filter out request messages that come from external (to the operator)
+ sources to guard against SS7 attacks.
+ name: Filter Network Traffic
+ name: Core Network Function Signaling
+ object-type: technique
+ platforms: 5G
+ preconditions:
+ - Description: Adversary may pretend to be an operator supporting only earlier generations.
+ Name: Access to SS7 network
+ - Description: Adversary has to gain control of one core NF.
+ Name: "Access to operator\u2019s network function"
+ - Description: UE identifier required for all Core network function abuse.
+ Name: Knowledge of the UE SUPI or GPSI 5G-GUTI of target UE
+ procedureexamples:
+ - Description: "From [3], there were recent successful attacks on SS7 whereby an\
+ \ attacker with access to the SS7 interconnection can find a user\u2019s location,\
+ \ as well as billing data and Short Message Service (SMS) messages. In addition,\
+ \ the attacker can also eavesdrop on user data."
+ Name: Adversary uses SS7 interconnect (IWF) to a 5G network without protection
+ (firewalls, etc). to obtain UE location information
+ - Description: The AMF gets UE location legitimately from LMF (Nlmf-loc API). Clause
+ 8.3 of [5]. In addition, an adversary can modify AMF behavior so that it doesn't
+ allocate a new 5G-GUTI to a given UE, so that that UE can be tracked via listening
+ devices in the area, see [FGT5012.003](/techniques/FGT5012.003).
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ AMF case'
+ - Description: Incorrect implementation/configuration in NEF can allow a rogue application
+ function (AF) to access UE location information using LMF services. Clause 6.1.2
+ of [5].
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ AF case'
+ - Description: "The SMF can obtain a UE's location whenever the AMF sends it a PDU\
+ \ update request: Nsmf_PDUSession_UpdateSMContextRequest (which contains UE\
+ \ location info, which can be: E-UTRA or NR cell id, location timestamp, \u201C\
+ geographicalInformation\u201D in hex format as in TS 23.032, only ellipsoid\
+ \ point with uncertainty circle.). Clause 5.2.8.2.6 of [4]."
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ SMF case'
+ - Description: The UDM can legitimately ask the AMF for the location of a UE using
+ Namf_Location service. Clause 5.2.2.1 of [4].
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ UDM case'
+ - Description: The UPF has access to serving cell ID for UEs that are actively sending
+ data (RRC connected).
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ UPF case'
+ - Description: 'The NEF can legitimately ask AMF Namf_EventExposure or ask GMLC
+ directly - then GMLC gives the NEF a location report (Note: NEFs serve as location
+ proxies to internal and external AFs in the same way GMLCs serve as proxies
+ to external LCS clients). Clause 5.2.2.1 of [4].'
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ NEF case'
+ - Description: The NWDAF can get coarse UE location by subscribing to events from
+ AMF. Clause 5.2.2.1 of [4].
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ NWDAF case'
+ - Description: The GMLC can legitimately ask the AMF for the location of a given
+ UE using Namf_Location service. Clause 5.2.2.1 of [4].
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ GMLC case'
+ - Description: The LMF can initiate location procedure with the UE. Clauses 6.11.1,
+ 6.11.2, 6.11.3 of [5].
+ Name: 'Adversary gains control of a core NF to get location info for a given UE:
+ LMF case'
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ ,\_ October 2021](https://arxiv.org/abs/2108.11206\_\_)"
+ - " \\[3\\] [S. Holtmanns, S. P. Rao, I. Oliver, \u201CUser location\
+ \ tracking attacks for LTE networks using the interworking functionality\u201D\
+ , 2016 IFIP Networking Conference.](https://ieeexplore.ieee.org/document/7497239\
+ \ )"
+ - " \\[4\\] [3GPP TS 23.502 \u201CProcedures for the 5G System\
+ \ (5GS)\u201D](https://www.3gpp.org/DynaReport/23502.htm)"
+ - " \\[5\\] [3GPP TS 23.273 \u201C5G System (5GS) Location Services\
+ \ (LCS)\u201D](https://www.3gpp.org/DynaReport/23273.htm)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5012
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- access-required: admin
+ architecture-segment: Roaming
+ bluf: An adversary may attempt to position themselves between two mobile network
+ operators as an adversary in the middle (AITM) to support follow-on behaviors
+ such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).
+ criticalassets:
+ - Description: Adversary would target the SEPP
+ Name: SEPP function
+ description: " An adversary may attempt to position themselves between two mobile\
+ \ network operators as an adversary in the middle (AITM) to support follow-on\
+ \ behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data\
+ \ Manipulation](/techniques/FGT1565.002).\r\n\r\nRoaming and interconnect interfaces,\
+ \ including IPX, are between network operators, namely: between Security Edge\
+ \ Protection Proxy (SEPP)s, or between interworking functions like Access and\
+ \ Mobility Management Function (AMF) / 4G Mobility Management Function (MME) (N26\
+ \ interface), or between User Plane Function (UPF)s (N9 interface).\r\n\r\nAn\
+ \ adversary with control of the Visited Public Land Mobile Network (VPLMN) SEPP\
+ \ may obtain roaming subscriber information by providing fraudulent signaling\
+ \ information to the Home PLMN (HPLMN) and collect information about the roaming\
+ \ subscriber. The adversary could be an insider on a VPLMN that is a roaming partner,\
+ \ having connections to the HPLMN via one or more IPX providers or directly between\
+ \ V-SEPP and H-SEPP. The HPLMN trusts the info from the VPLMN, but it is being\
+ \ sent fraudulently by the VPLMN. The V-SEPP may also be located at a Value-Added-Services\
+ \ (VAS) provider [1] where compromise of the VAS is a pre-condition instead of\
+ \ compromise of the VPLMN.\r\n\r\nThe adversary may possibly achieve an AITM position\
+ \ on an IP Exchange (IPX) network used by either the home PLMN or the visited\
+ \ PLMN and through which the roaming traffic may flow. The adversary may attempt\
+ \ to control a device in the path or re-direct traffic to a device the adversary\
+ \ controls.\r\n\r\n"
+ detections:
+ - detects: Monitor for access to SEPP application/appliance for unexpected access.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Analyze network traffic to/from SEPP to determine if from unexpected
+ source/dest and consistent with expected traffic from other operators.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1557.502
+ mitigations:
+ - fgmid: M1030
+ mitigates: Limit network exposure of vSEPP from other core services in hPLMN
+ name: Network Segmentation
+ - fgmid: M1035
+ mitigates: Minimize access to vSEPP from limited locations such as a privileged
+ access workstation
+ name: Limit Access to Resource Over Network
+ - fgmid: M1037
+ mitigates: Ensure only traffic from expected sources can reach the SEPP
+ name: Filter Network Traffic
+ name: 'Roaming and Interconnection '
+ object-type: technique
+ platforms: SEPP, VAS, IPX
+ preconditions:
+ - Description: Adversary would need to be in control of the vSEPP which may be managed
+ by a VAS
+ Name: SEPP control
+ references:
+ - " \\[1\\] [P.Tommassen, \u201C5G Security When Roaming,\u201D\
+ \ iBasis, October 6, 2020](https://ibasis.com/5g-security-when-roaming/)"
+ - " \\[2\\] [\u201C5G System; Public Land Mobile Network (PLMN)\
+ \ Interconnection; Stage 3,\u201D 3GPP, TS 29.573 ver.16.9.0, March 2022](https://www.3gpp.org/DynaReport/29573.htm\_\
+ )"
+ - " \\[3\\] [\u201CSecurity architecture and procedures for 5G\
+ \ System,\u201D 3GPP, TS 33.501 ver. 16.3.0, July 2020, Sec. 13.1.2,13.2](https://www.3gpp.org/DynaReport/33501.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1557
+ tactics:
+ - TA0009
+ - TA0006
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: RAN, Control Plane
+ bluf: An adversary may discover the permanent subscriber identifier via various
+ means
+ criticalassets:
+ - Description: UE/User IMSI, SUPI
+ Name: UE Permanent identifier
+ description: " An adversary may obtain a UE permanent identifier via various means.\r\
+ \n\r\nAn adversary may obtain UE identifying information from 5G UEs after the\
+ \ UE has been bid down (downgraded) to a lower security protocol e.g. 4G, since\
+ \ in 4G and 3G it is possible for the network to ask the UE to send its IMSI (International\
+ \ Subscriber Identifier) in the clear over the radio interface. The UE identity\
+ \ can also be obtained by the adversary if NULL scheme is used for Subscriber\
+ \ Permanent Identifier (SUPI) concealment.\r\n\r\nThe 5G UE sends an encrypted\
+ \ identifier (called Subscriber Concealed Identifier (SUCI)) over the radio interface\
+ \ as part of the initial registration to the 5G network. Some non-UE specific\
+ \ information is part of the Subscriber Permanent Identifier or SUPI and is not\
+ \ encrypted (e.g., home network name).\r\n\r\n"
+ detections: []
+ id: FGT5019
+ mitigations: []
+ name: Subscriber Profile Identifier Discovery
+ object-type: technique
+ platforms: 5G
+ procedureexamples:
+ - Description: Adversary may use the radio access network to determine the IMSI
+ of a particular UE is in the area.
+ Name: Use radio access to obtain UE permanent identifier
+ - Description: Adversary may use the core network signaling find the IMSI of a particular
+ UE, given e.g., MSISDN
+ Name: Use core network signaling to obtain UE permanent identifier
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_technique
+- architecture-segment: RAN
+ bluf: 'An adversary may intercept unencrypted radio transmissions of a UE''s SUCI
+ to identify the home network of the UE. '
+ criticalassets:
+ - Description: Home network identifier is sent unconcealed by UE over the air per
+ standard. UE privacy such as its home network location is revealed to the adversary
+ when UE is roaming in another country or region.
+ Name: UE privacy
+ description: " An adversary may intercept unencrypted radio transmissions of a UE\u2019\
+ s SUCI to identify the home network of the UE. \r\n\r\nAdversary can tell what\
+ \ the home network of UE is from the unencrypted portion of the Subscriber Concealed\
+ \ Identity (SUCI), which is normally sent over the radio interface by a UE seeking\
+ \ to connect. This can be of value to an adversary when the home location is unusual.\
+ \ \r\n\r\nBackground information: In 5G, the UE\u2019s permanent identity, SUPI\
+ \ (Subscriber Permanent Identifier), includes a home network identifier and a\
+ \ user-specific identifier, and is never sent unencrypted over the radio interface.\
+ \ Instead, a SUCI is sent when the UE goes through initial registration to the\
+ \ serving network procedures; this de-concealment operation can only be done by\
+ \ the UE\u2019s home network. However, the Home Network identifier part of the\
+ \ SUCI is sent unencrypted, so that the serving network (while UE is roaming in\
+ \ another country or region) knows how to route the registration message to UE\u2019\
+ s home network for authentication. The home network may constitute sensitive information\
+ \ in some special cases. \r\n\r\n"
+ detections: []
+ id: FGT5019.001
+ mitigations:
+ - fgmid: FGM5022
+ mitigates: When the subscriber affiliation is reflected in the home network identifier
+ (part of subscriber identifier) and would benefit from not being sent in the
+ clear, the subscriber's provider (home network) should be a proxy mobile network
+ operator - whose identifier does not reveal the true affiliation of the subscriber.
+ name: Proxy home network
+ name: Intercept Home Network via SUCI
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: When home network is unusual (e.g., US home network in Afghanistan),
+ allows attacker to identify UE as target of interest for geolocation, degradation
+ of service, loss of traffic confidentiality, or physical attack.
+ Name: Target association
+ preconditions:
+ - Description: Adversary requires sufficient signal to noise and interference ratio
+ and must be present in the same area as the UE.
+ Name: Ability to receive SUCI over the air
+ procedureexamples:
+ - Description: "Receive SUCI and extract the field \u201Chome network identifier\u201D\
+ , which is never concealed."
+ Name: Intercept home network over the radio interface
+ references:
+ - " \\[1\\] [3GPP TS 23.003: \"Numbering, Addressing and Identification\u201D\
+ , Version 17.6.0, Section 2.2B](https://www.3gpp.org/DynaReport/23003.htm )"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5019
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- architecture-segment: RAN
+ bluf: An adversary may intercept the UE permanent identifier (SUPI) from a UE that
+ is bid down to a less secure protocol.
+ criticalassets:
+ - Description: Unique and non-transient user identity
+ Name: UE identifier
+ description: " An adversary may intercept the UE permanent identifier (SUPI) from\
+ \ a UE that is bid down to a less secure protocol. \r\n\r\nThe UE SUPI constitutes\
+ \ key data that identifies UE as target of interest for other follow-on behaviors\
+ \ such as geolocation, degradation of service, loss of traffic confidentiality,\
+ \ or physical attack. From the network side, the SUPI can be used to obtain other\
+ \ sensitive information about this UE.\r\n\r\nBackground information: In 5G, the\
+ \ UE\u2019s permanent identity, SUPI (Subscriber Permanent Identifier), is never\
+ \ sent unencrypted over the radio interface. In WiFi, 3G and 4G however, the UE\u2019\
+ s permanent identity IMSI may be sent unencrypted over the radio interface (e.g.\
+ \ in cases where the serving network is not able to identify the UE via a temporary\
+ \ identifier). In 5G, SUPI can be either IMSI or Network Access Identifier (NAI).\
+ \ See clause 2.2A of [3].\r\n\r\nWhen a 5G UE\u2019s Radio Capability profile\
+ \ allows the bidding down of the cellular protocol from 5G to 4G or 3G or WiFi\
+ \ an adversary can take advantage of this. The adversary first denies service\
+ \ to 5G and bids down victim UE to less secure protocol, for example by using\
+ \ a fake base station. Then, the adversary actively interrogates or passively\
+ \ intercepts unencrypted International Mobile Subscriber Identifier (IMSI) for\
+ \ 2G/3G/4G or Media Access Control (MAC) for WiFi.\r\n\r\n"
+ detections:
+ - detects: UE transitions to less secure service
+ fgdsid: FGDS5010
+ name: UE transition to less secure service
+ id: FGT5019.002
+ mitigations:
+ - fgmid: FGM5006
+ mitigates: Restrictive user security profile can dictate that the UE will refuse
+ to networks that are not 5G. The prevention of bidding-down is achieved via
+ user security profile stored in the UE.
+ name: Restrictive user profile
+ name: Intercept bid-down SUPI
+ object-type: technique
+ platforms: 5G radio
+ postconditions:
+ - Description: Allows an adversary to identify UE as target of interest for geolocation,
+ degradation of service, loss of traffic confidentiality, or physical attack.
+ Name: Target association
+ preconditions:
+ - Description: User security profile must allow bidding down.
+ Name: Permissive user security profile
+ - Description: Denying service to 5G and bidding down (e.g. from a fake or compromised
+ base station) must have occurred for this 5G UE. Adversary must be present in
+ the same area as the UE.
+ Name: Bid down operation successful
+ procedureexamples:
+ - Description: Adversary with fake or compromised base station sends an Identity
+ Request NAS message to the UE to get back the SUPI. This occurs after the UE
+ has been bid down from 5G. Clause 5.4.4 of [2]
+ Name: Obtain permanent UE identifier SUPI from bid-down UE
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [3GPP TS 24.301 \u201CNon-Access-Stratum (NAS) protocol\
+ \ for Evolved Packet System (EPS)\u201D; Stage 3](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1072)"
+ - " \\[3\\] [3GPP TS 23.003: \"Numbering, Addressing and Identification\u201D\
+ , Version 17.6.0, Section 2.2B](https://www.3gpp.org/DynaReport/23003.htm )"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT5019
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- access-required: None
+ architecture-segment: RAN
+ bluf: An adversary may non-cooperatively geolocate a UE from UE radio signals externals.
+ criticalassets:
+ - Description: UE/subscriber geographical location
+ Name: UE location
+ description: " An adversary may non-cooperatively geolocate a UE from UE radio signal\
+ \ externals.\r\n\r\nAn adversary may geolocate an unknown UE by using Radio access\
+ \ technology or \u201CRF externals\u201D, such as Direction of Arrival, Time of\
+ \ Arrival, Frequency of Arrival, Time Difference of Arrival, and Frequency Difference\
+ \ of Arrival of UE signals, or the 5G New Radio (5G NR) multi RTT (Round trip\
+ \ time) and angle-based methods, or non-3GPP access data (e.g. WiFi access points/IP\
+ \ addresses).\r\n\r\nThe UE does its own geolocation from base station transmissions,\
+ \ but an adversary with multiple receivers can geolocate a UE from the differential\
+ \ time of arrival of UE transmitted signal events completely independently of\
+ \ the process the UE is doing to geo-locate itself. \r\n\r\n"
+ detections: []
+ id: FGT5012.001
+ mitigations:
+ - fgmid: FGM5098
+ mitigates: Reduce usage. Use UE only when needed. Turn UE off if not needed for
+ period of time.
+ name: Reduce UE usage
+ - fgmid: FGM5099
+ mitigates: Move UE closer to base station and/or reduce height of UE above terrain
+ and/or move indoors or into multipath environment.
+ name: Move UE close to gNB
+ name: Passive radio signals observation
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Geolocation can make electronic attack for degradation of service
+ more effective, bidding down to defeat ID and traffic confidentiality more effective,
+ and can expose subscriber to physical attack.
+ Name: Subsequent attack
+ preconditions:
+ - Description: Attacker must have radio line-of-sight to target for most accurate
+ geolocation.
+ Name: Line-of-sight
+ procedureexamples:
+ - Description: Adversary geolocates unknown UE using some combination of Direction
+ of Arrival, Time-of-Arrival, and/or Frequency-of-Arrival of UE signal externals.
+ Name: Externals geolocation
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [X. Hu et.al. \u201CA Systematic Analysis Method\
+ \ for 5G Non-Access Stratum Signaling Security\u201D, IEEE Access, August 2019.](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5012
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- access-required: RAN
+ architecture-segment: RAN
+ bluf: An adversary may elicit location reports from UE that is bid down to less
+ secure format or passively observes location reports from UE employing null encryption.
+ criticalassets:
+ - Description: UE/Subscriber geographical location
+ Name: UE location
+ description: " An adversary may elicit location reports from UE that is bid down\
+ \ to less secure format or may passively observe location reports from UE employing\
+ \ null encryption.\r\n\r\nAn adversary may eavesdrop messages exchanged between\
+ \ the UE and the network, if encryption for the radio interface is not employed.\
+ \ These messages of interest contain location reports that the UE sends to the\
+ \ network upon (legitimate) request from the network. \r\n\r\n"
+ detections:
+ - detects: Subscriber transitions to less secure service.
+ fgdsid: FGDS5010
+ name: UE transition to less secure service
+ id: FGT5012.002
+ mitigations:
+ - fgmid: FGM5006
+ mitigates: Restrictive subscriber security profile. Do not use unencrypted systems.
+ Set subscriber security profile to prohibit bidding down to less secure service.
+ name: Restrictive user profile
+ - fgmid: FGM5096
+ mitigates: "Disable location on UE device for all applications which use UE\u2019\
+ s physical location. This is only a partial mitigation because location measurements\
+ \ will be sent by the UE to gNB."
+ name: Disable UE location use
+ - fgmid: M1041
+ mitigates: Avoid systems that employ null encryption. De-register when only NULL
+ encryption is offered
+ name: Encrypt Sensitive Information
+ name: Self Location Measurement
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Geolocation can make electronic attack for degradation of service
+ more effective, bidding down to defeat ID and traffic confidentiality more effective,
+ and can expose subscriber to physical attack.
+ Name: Subsequent attack
+ preconditions:
+ - Description: Subscriber security profile must allow bidding down to less secure
+ format OR system does not employ over-the-air encryption.
+ Name: Permissive subscriber security profile OR system does not employ over-the-air
+ encryption.
+ - Description: Adversary must be present in the same area where the UE is located.
+ Name: Adversary present in the vicinity of victim UE
+ procedureexamples:
+ - Description: Victim UE is using a 5G system with null encryption or is bid down
+ to a less secure protocol. UE geolocation or geolocation measurement data is
+ passively observed or, if bid down, actively ordered through illegitimate signaling.
+ Name: Self-location measurement
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5012
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- architecture-segment: RAN, O-RAN
+ bluf: An adversary may eavesdrop on unencrypted sensitive subscriber data to capture
+ information to and from a UE that has been bid down to a less secure format, such
+ as Wi-Fi or an earlier mobile network generation.
+ criticalassets:
+ - Description: All user plane data sent by UE over the air can be intercepted in
+ the clear.
+ Name: User plane traffic confidentiality
+ - Description: UE/subscriber geographical location.
+ Name: UE location
+ - Description: All signaling data (not NAS) including measurement reports sent by
+ UE over the air can be intercepted in the clear.
+ Name: Signaling traffic confidentiality
+ - Description: "UE\u2019s private information is leaked to the adversary such as\
+ \ which websites they are using and the time and day the websites are visited."
+ Name: "UE\u2019s internet usage pattern"
+ description: " An adversary may eavesdrop on unencrypted sensitive subscriber data\
+ \ on the air interface to capture information and to fingerprint application layer\
+ \ usage pattern of victim UE.\r\n\r\nAn adversary may employ a back-to-back fake\
+ \ gNB-UE combination to eavesdrop on the communication and relay communication\
+ \ between the intended recipient and the intended source, over the radio interface.\
+ \ \r\n\r\nThis attack assumes a successful bid down UE attack or else the network\
+ \ uses no (\u201CNULL\u201D) encryption on the radio interface.\r\n\r\nLTE layer\
+ \ 2 RLC/MAC metadata (e.g. PDCP packet length) may be eavesdropped by adversary\
+ \ on the air interface as all layer 2 data below PDCP layer are sent without encryption\
+ \ in LTE. Once the metadata is collected, an Artificial Intelligence/Machine learning\
+ \ (AI/ML) tool can be used to track which websites the UE applications are using\
+ \ even though PDCP and higher layer data are encrypted. The adversary must be\
+ \ in the same area where the victim UE is located to sniff the downlink air link\
+ \ messages sent to UE from gNB. The same attack is possible in 5G as layer 2 protocols\
+ \ have not changed in the 5G 3GPP specification.\r\n\r\n"
+ detections:
+ - detects: UE transitions to less secure service. UE responds to requests that were
+ not sent by legitimate network.
+ fgdsid: FGDS5010
+ name: UE transition to less secure service
+ id: FGT1040.501
+ mitigations:
+ - fgmid: FGM5006
+ mitigates: Set security profile in the UE to prohibit bidding down to less secure
+ service.
+ name: Restrictive user profile
+ - fgmid: M1041
+ mitigates: Avoid systems that employ null encryption. De-register when only NULL
+ encryption is offered.
+ name: Encrypt Sensitive Information
+ - fgmid: FGM5517
+ mitigates: 'Obfuscation can be done at the application layer to avoid fingerprint
+ detection of UE''s internet usage. An example of application layer obfuscation
+ is to use Orbot as Tor proxy that sends and receives all traffic through a Tor
+ circuit. This is not highly effective as some metadata can still be used to
+ fingerprint applications.
+
+
+ Encryption of metadata such as PDCP length can be done to prevent this attack.
+ It introduces large overhead on UE and hence it is not proposed in the 3GPP
+ [6].'
+ name: Use obfuscation at application layer
+ name: Radio interface
+ object-type: technique
+ platforms: 5G RAN
+ postconditions:
+ - Description: Transient technique. Works only as long as adversary is able to retain
+ connection.
+ Name: Temporary loss of subscriber data confidentiality.
+ - Description: Further attacks are possible on the victim UE based on the data collected,
+ e.g. bank fraud or attacks from social media sites.
+ Name: "Further attacks based on UE\u2019s internet usage"
+ preconditions:
+ - Description: Subscriber security profile in the UE must allow bidding down to
+ less secure service OR system must employ null encryption.
+ Name: Permissive subscriber security profile in the UE OR system employs null
+ encryption.
+ - Description: See [FGT1562.501](/techniques/FGT1562.501).
+ Name: "Successful \u201CBid down UE\u201D attack"
+ - Description: Adversary must be positioned in the same area as the victim UE with
+ an airlink message sniffer device to collect the downlink data sent by gNB to
+ the UE.
+ Name: Adversary in the same vicinity as victim UE
+ procedureexamples:
+ - Description: 'The adversary employs a back-to-back fake gNB-UE combination.
+
+ After a successful bidding down attack, all sensitive subscriber data (CP &
+ UP) including location data may be visible to the adversary. See [2], clause
+ 6.7.4 of [3], and [4].'
+ Name: Eavesdrop on air interface for a given UE
+ - Description: Alternatively, if the 5G system employs null encryption, all subscriber
+ data traffic (CP & UP) including location data can be collected in the clear.
+ Clause 4.4 of [1].
+ Name: Eavesdrop on air interface for any UE
+ - Description: Adversary collects layer 2 metadata of downlink data sent to the
+ victim UE from gNB using an airlink sniffer device. Then it processes the metadata
+ using an ML classifier such as k-NN. The classifier can reveal with high accuracy
+ which websites are visited by the UE application [5]. It is a passive attack.
+ Name: Passive collection of airlink messages leads to UE application fingerprinting
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [Hu, X. et al: \u201CA Systematic Analysis Method\
+ \ for 5G Non-Access Stratum Signalling Security\u201D, August 2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
+ \ )"
+ - " \\[3\\] [3GPP TS33.501 \u201CSecurity architecture and procedures\
+ \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm)"
+ - " \\[4\\] [Zaenab D. Shakir, J. Zec, I. Kostanic, \u201CPosition\
+ \ location based on measurement reports in LTE cellular networks\u201D, 2018 IEEE\
+ \ 19th Wireless and Microwave Technology Conference (WAMICON), 2018.](https://ieeexplore.ieee.org/document/8363501\
+ \ )"
+ - " \\[5\\] [ACM article, : \u201CImproving 4G/5G air interface\
+ \ security: A survey of existing attacks on different LTE layers\u201D.](https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532)"
+ - " \\[6\\] [ACM article, Katharina Kohls et al: \u201CLost traffic\
+ \ encryption: fingerprinting LTE/4G traffic on layer two\u201D.](https://dl.acm.org/doi/10.1145/3317549.3323416)"
+ - " \\[7\\] [L. Zhai et al: \u201CIdentify What You are Doing:\
+ \ Smartphone Apps Fingerprinting on Cellular Network Traffic\u201D.](https://ieeexplore.ieee.org/document/9631415)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT1040
+ tactics:
+ - TA0009
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: RAN
+ bluf: An adversary may position itself on the radio interface, to support follow-on
+ behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data
+ Manipulation](/techniques/FGT1565.002).
+ criticalassets:
+ - Description: All signaling transmitted to and from subscriber can be modified
+ or intercepted in the clear
+ Name: Subscriber signaling
+ - Description: UE/subscriber geographical location can be intercepted.
+ Name: UE location
+ - Description: All data and voice transmitted to and from subscriber can be modified
+ or intercepted in the clear
+ Name: Subscriber traffic
+ description: " An adversary may position itself on the radio interface, to support\
+ \ follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted\
+ \ Data Manipulation](/techniques/FGT1565.002).\r\n\r\nAdversary can deploy a fake\
+ \ gNB, eNB (a 4G base station) or WiFi access point, or a back-to-back fake gNB-UE\
+ \ combination to act as an adversary-in-the-middle, in order to intercept, inject\
+ \ and possibly modify communication and relay communication to and from intended\
+ \ recipient over the radio interface. \r\n\r\nThis attack assumes the following\
+ \ to have taken place: the UE has been bid-down (see [Bid down UE](/techniques/FGT1562.501))\
+ \ to a less secure Radio Access Network such as 4G, or the UE connects to an eNB\
+ \ because the network is 5G Non-Standalone, or due to EPS fallback, or the UE\
+ \ connects to a WiFi access point (to access 5G services).\r\n\r\n"
+ detections:
+ - detects: UE measurements of received power levels from all base stations nearby,
+ and their identifiers Reference clause 6.24 of [3]
+ fgdsid: FGDS5002
+ name: UE signal measurements
+ id: FGT1557.501
+ mitigations: []
+ name: Radio interface
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Transient technique; works only as long as adversary-in-the-middle
+ is able to retain connection.
+ Name: Temporary loss of subscriber data confidentiality or integrity.
+ preconditions:
+ - Description: Subscriber security profile must allow bidding down to less secure
+ service OR system must employ null integrity or encryption.
+ Name: Permissive subscriber security profile OR system employs null integrity
+ or encryption.
+ procedureexamples:
+ - Description: The adversary employs a back to back gNB-UE combination. When UE
+ security profile allows bidding down, or the UE connects to 4G due to EPS fallback,
+ or to WiFi, an adversary acts as an adversary-in-the-middle to intercept and
+ possibly modify communication to and from intended recipient.
+ Name: Adversary-in-the-Middle on air interface for a given UE
+ - Description: Alternatively, if the 5G system employs null integrity or encryption,
+ subscriber data traffic can be eavesdropped or modified in transit over the
+ air interface
+ Name: Adversary-in-the-Middle on air interface for any UE
+ - Description: "Adversary uses a fake base station to broadcast spoofed configuration\
+ \ messages to UEs nearby. Reference [3] (appendix B) contains a taxonomy of\
+ \ attacks against 5G UEs, passive and active. One concerns message attacks (fake\
+ \ MIB/SIB \u2013 Master Information Block/System Information Block)"
+ Name: Spoofed configuration messages from fake base station
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, section 4.4, December\
+ \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [Hu, X. et al: \u201CA Systematic Analysis Method\
+ \ for 5G Non-Access Stratum Signalling Security\u201D, August 2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
+ \ )"
+ - " \\[3\\] [3rd Generation Partnership Project (3GPP) TR 33.809:\
+ \ \u201CStudy on 5G security enhancements against False Base Stations (FBS)\u201D\
+ , Technical Report, v0.18.0, February 2022.](https://www.3gpp.org/DynaReport/33809.htm\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT1557
+ tactics:
+ - TA0009
+ - TA0006
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: UE
+ bluf: A malicious app consumes subscriber data allocation so as to deny or degrade
+ service to that UE
+ criticalassets:
+ - Description: Communications is denied until additional data usage is purchased.
+ Name: Assured user communications
+ description: " A malicious app consumes subscriber data allocation to deny or degrade\
+ \ service to that UE. \r\n\r\nA malicious application might consume a UE's limited\
+ \ data plan, denying or throttling service.\r\n\r\n\r\n"
+ detections:
+ - detects: Excessive data usage reported by UE or service provider.
+ fgdsid: FGDS5006
+ name: UE data usage
+ id: FGT1499.501
+ mitigations:
+ - fgmid: FGM5007
+ mitigates: Unlimited data plan. Attack is mitigated with a true unlimited data
+ plan
+ name: Unlimited data plan
+ - fgmid: FGM5008
+ mitigates: Monitor installed applications on UE for data usage.
+ name: Monitor installed applications for data usage
+ name: Consume data allocation to deny or degrade service
+ object-type: technique
+ platforms: 5G UE
+ postconditions:
+ - Description: Sustained degraded communication of legitimate UEs until additional
+ data is purchased.
+ Name: Degraded communication of legitimate UEs.
+ preconditions:
+ - Description: There are several methods to achieve this
+ Name: A malicious app or set of apps have to have been installed on the UE
+ procedureexamples:
+ - Description: Convince user to download or maliciously introduce application that
+ consumes excessive data
+ Name: Malicious data consumption application
+ references:
+ - \[1\] [Android devices ensnared in DDoS botnet, Feb. 2021](https://www.zdnet.com/article/android-devices-ensnared-in-ddos-botnet/
+ )
+ - \[2\] [Massive Android DDoS Botnet Derailed, Aug. 2017](https://www.darkreading.com/attacks-breaches/massive-android-ddos-botnet-derailed)
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1499
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: RAN
+ bluf: An adversary may trigger a fraud alert by sending fake registrations for a
+ given UE.
+ criticalassets:
+ - Description: Communications is denied
+ Name: Assured user communications
+ description: " An adversary may trigger a fraud alert by sending fake registrations\
+ \ for a given UE.\r\n\r\nAn adversary might deny RAN access to a UE by triggering\
+ \ a fraud alert through attempting simultaneous registrations at geographically\
+ \ impossible locations. When the UE security profile allows, the adversary can\
+ \ illegitimately use a known Subscription Permanent Identifier (SUPI) or, if a\
+ \ valid Subscription Concealed Identifier (SUCI) is known, use a legitimate SUCI\
+ \ for false registrations. \r\n\r\n"
+ detections:
+ - detects: Subscriber contacts service provider to determine why service is denied.
+ fgdsid: FGDS5011
+ name: Subscriber notify provider
+ id: FGT1499.502
+ mitigations:
+ - fgmid: FGM5093
+ mitigates: UDM/SIDF checks the freshness parameter of SUCI received from the same
+ UE (having the same SUPI). If replayed by adversary within a short period of
+ time, freshness test will fail.
+ name: SUCI freshness parameter
+ name: Trigger fraud alert to deny service
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Denial of service continues until service provider is convinced there
+ is no fraud.
+ Name: Sustained denial of service
+ preconditions:
+ - Description: There are several methods to achieve this by capturing over the air
+ messages using a wireless sniffer.
+ Name: A valid SUPI or SUCI must be intercepted by attacker.
+ procedureexamples:
+ - Description: "Adversary may capture a registration attempt for a given UE, then\
+ \ replay it right away to a gNB much further away \u2013 so that the network\
+ \ receives two registrations at about the same time e.g. from two regions far\
+ \ away: New York and Georgia. \nThe network will trigger a fraud alert. Thus,\
+ \ RAN access may be denied to that victim UE because of the attempted simultaneous\
+ \ registrations at geographically impossible locations."
+ Name: "Adversary replays registration attempt for a victim UE to a gNB much further\
+ \ away (\u201Cgeographically impossible\u201D)."
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1499
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: Control Plane, OA&M
+ bluf: An adversary may alter the subscriber profile to achieve fraud, via SBI (Service
+ Based Interfaces) or OA&M interfaces.
+ criticalassets:
+ - Description: UE voice and data records accuracy
+ Name: UE call/data records
+ - Description: The UE static profile data
+ Name: UE static profile
+ description: " An adversary may alter the subscriber profile to achieve fraud, via\
+ \ SBI (Service Based Interfaces) or OA&M interfaces.\r\n\r\nThe subscriber profile\
+ \ is a mostly static set of data relating to a device, such as: phone number,\
+ \ group membership, data access configuration, and others. The dynamic data is\
+ \ the serving AMF (which is associated with a very coarse geographical location).\
+ \ This profile resides in the UDM. If the UDM is compromised, it can make any\
+ \ change to the user profile. The AMF serving the UE can get a fresh copy of the\
+ \ subscriber profile. \r\n\r\nAnother type of profile is the \u201CUE context\u201D\
+ , and is also held at the UDM; it is a dynamic (valid for a session) set of data\
+ \ relating to the current state of the UE. The UE context can be modified in the\
+ \ UDM legitimately by certain NF such as AMF and SMF.\r\n\r\nAn adversary in the\
+ \ core network (e.g. in control of a core NF such as AMF, UDM or PCF) can retrieve\
+ \ subscriber profile from the repository UDM/UDR, and may be able to alter at\
+ \ least part of it, e.g., AMF can update the serving AMF entry. The UDM can naturally\
+ \ alter any portion of the profile.\r\n\r\nAn OA&M based attack (adversary has\
+ \ access to the provisioning interface) on the UDM/UDR would allow all changes\
+ \ to the UE profile (e.g., change from post-paid to pre-paid or vice-versa).\r\
+ \n\r\n"
+ detections:
+ - detects: Subscriber contacts Customer service to complain (in some limited cases)
+ fgdsid: FGDS5011
+ name: Subscriber notify provider
+ id: FGT5022
+ mitigations:
+ - fgmid: FGM5020
+ mitigates: Secure subscriber repositories
+ name: Secure subscriber repositories
+ name: Alter Subscriber Profile
+ object-type: technique
+ platforms: 5G Network
+ procedureexamples:
+ - Description: 'AMF/SMF can use Nudm_UECM_Update to modify UE context in the UDM.
+ AMF or SMF can change some parameters in the UE context (which is like a subscriber
+ profile, but valid only for a session; Clause 5.2.3.2.5 of [3]. The parameters
+ are: PEI (Permanent Equipment Identifier), analyticsID (for NWDAF), UE capabilities,
+ Intersystem continuity context, SMF FQDN'
+ Name: AMF or SMF modifies UE context.
+ - Description: "Rogue AF/NEF via UDM can modify UE\u2019s configuration for a given\
+ \ external service (e.g. pay for video for a game today). When the victim UE\
+ \ changes state from idle mode to connected mode, it will receive the modified\
+ \ services which may be inferior to the services originally provisioned. Example:\
+ \ NEF can use Nudm_ParameterProvision update service to update UE subscription\
+ \ data. Clause 5.6.2.2 of [4] & clauses 4.15.6.2, 4.15.6.3, 4.15.6.3a of [3]."
+ Name: "Rogue AF/NEF modifies UE\u2019s configuration for a given external service."
+ - Description: Compromised GUI or CLI based attack on subscriber database in UDR
+ Name: Compromised OA&M can modify subscriber profile data in UDR
+ references:
+ - " \\[1\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ - " \\[2\\] [S. Holtmanns, I. Oliver and Y. Miche, \u201CMobile\
+ \ Subscriber Profile Data Privacy Breach via 4G Diameter Interconnection\u201D\
+ , 2017.](https://www.riverpublishers.com/journal_read_html_article.php?j=JICTS/6/3/4\
+ \ )"
+ - " \\[3\\] [3GPP TS 23.502, \u201CProcedures for the 5G System\
+ \ (5GS); Stage 2 (Release 17)\u201D, Technical Specification, v17.4.0, March 2022.\_\
+ section 4.11.1.2.2](https://www.3gpp.org/DynaReport/23502.htm\_)"
+ - " \\[4\\] [3GPP TS 29.503, \u201C5G System; Unified Data Management\
+ \ Services; Stage 3\u201D](https://www.3gpp.org/DynaReport/29503.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA5001
+ typecode: fight_technique
+- architecture-segment: Network Slice
+ bluf: 'An adversary controlling a Network Function (NF) or slice can gain access
+ to a different network slice data by interacting with other NFs. '
+ criticalassets:
+ - Description: "UE (served by that slice) related information. Slice specific configuration\
+ \ \u2013 e.g. what NFs are part of it and SLAs of the slice."
+ Name: Confidentiality of slice-specific resources
+ - Description: The functionality of any core NF that is shared between slices (AMF,
+ SMF, PCF,.. )
+ Name: Core NFs
+ description: " An adversary controlling a Network Function (NF) or slice can gain\
+ \ access to a different network slice data by interacting with other NFs. \r\n\
+ \r\nEvery network slice has an identifier, part of which is sensitive just like\
+ \ a UE permanent identifier. If this Slice Differentiator (SD) is discovered,\
+ \ then a malicious NF and/or malicious slice can use the guessed SD to gain unauthorized\
+ \ information or resource access to that victim slice. This is done by tricking\
+ \ the NRF to issue a token for a slice that the requestor NF is not authorized\
+ \ to access, then using that token to get information from the shared NF. It is\
+ \ assumed that the shared NF is serving both own slice and the victim slice.\r\
+ \n\r\n"
+ detections:
+ - detects: Check logs of requests/responses at the shared NF. E.g., each entry should
+ contain UE ID (SUPI), NF consumer that requested it, slice Ids of both.
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5027
+ mitigations:
+ - fgmid: FGM5003
+ mitigates: The attack can be mitigated if the NRF performs additional checks.
+ The NRF authorizes the NF service consumer to obtain tokens only for authorized
+ slice(s). (3GPP SA3 investigating as of early 2022). A cross check with the
+ TLS certificate of requester should be performed as well at the NRF.
+ name: Cross check between application layer and transport layer
+ - fgmid: M1020
+ mitigates: Inspect TLS layer encryption
+ name: SSL/TLS Inspection
+ name: Spoof network slice identifier
+ object-type: technique
+ platforms: 5G network
+ preconditions:
+ - Description: See [FGT5028](/techniques/FGT5028)
+ Name: Slice identifier was discovered
+ - Description: This is common in practice
+ Name: Two slices share one common NF
+ - Description: This is implicit in the standards that do not mandate this check.
+ Name: NRF does not check requester slice identifier and the target (consumer)
+ slice identifier.
+ procedureexamples:
+ - Description: "A malicious NF and/or malicious slice can use the guessed identifier\
+ \ Slice Differentiator (SD) to gain unauthorized information or resource access\
+ \ to a different slice. The NF asks the NRF for an OAuth token for an NF in\
+ \ that other slice. The reason is the requested SD (actually, the entire NSSAI)\
+ \ is included in the OAuth token without verification whether requester is allowed\
+ \ access to it. The NRF issues that OAuth token because it is for a producer\
+ \ NF that serves both the requester\u2019s slice and the targeted (victim) slice.\
+ \ \nThis seems to be a poor approach to access control- one that relies on knowing\
+ \ an identifier, and so access is given if that identifier\u2014presumably kept\
+ \ secret\u2014is found out. See section 3.1.3.1 of [1]."
+ Name: Adversary NF in one slice uses guessed slice identifier of another slice
+ to gain unauthorized access to resources in that slice.
+ references:
+ - ' \[1\] [AdaptiveMobile Security, "A Slice in Time: Slicing Security
+ in 5G Core Networks", 17032021-v1.00](https://info.adaptivemobile.com/network-slicing-security)'
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0005
+ - TA0009
+ typecode: fight_technique
+- architecture-segment: Network Slice
+ bluf: An adversary may guess the identifier of a different network slice, which
+ allows for follow-on behaviors against that slice that require that identifier.
+ criticalassets:
+ - Description: Confidentiality of slice specific resources.
+ Name: Slice-specific resources
+ - Description: AMF and UDM have NSSAI information. AMF requests and UDM responds.
+ Name: AMF and UDM
+ description: " An adversary may guess the identifier of a different network slice,\
+ \ which allows for follow-on behaviors against that slice that require that identifier.\r\
+ \n\r\nThe NSSAI is a slice identifier. It contains two elements: a Slice Service\
+ \ Type (SST) (several 3GPP defined values) and a Slice Differentiator (SD), which\
+ \ should be unique within that type. Consumer NFs may need to access services\
+ \ of Producer NFs belonging to a different slice. Any \u201Cconsumer NF\u201D\
+ \ can ask the Network Repository Function (NRF) for an OAuth token towards this\
+ \ goal, but it must include the Slice identity-- which contains a SD \u2013 in\
+ \ the request.\r\n\r\nIn Release 16 or earlier, the SD was not mandatory and random.\
+ \ Hence \u201Cbrute forcing\u201D or \"enumeration\" can be used to guess the\
+ \ SD. Thus if the consumer NF is compromised and wants to discover other slice\
+ \ IDs, it can ask the NRF for OAuth tokens but with guessed slice identities,\
+ \ until a valid one is returned.\r\n\r\n"
+ detections:
+ - detects: 'Logs at the NRF of failed NSSAI lookups. If a NF asks for NSSAIs that
+ do not exist, then flag that or take action.
+
+
+ AMF can ask the UDM about NSSAIs legitimately. Keep AMF and UDM logs of transactions
+ involving asks about NSSAIs.'
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5028
+ mitigations:
+ - fgmid: FGM5499
+ mitigates: NRF protection against brute-force attacks. NRF should not respond
+ to requests after a given number of failed NSSAI lookups (See detections).
+ name: Rate limiting by producer NF
+ name: 'Discover network slice identifier '
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Now the adversary knows the SD of a given slice it is not authorized
+ to contact.
+ Name: Unauthorized disclosure of SD/NSSAI
+ preconditions:
+ - Description: 'For NF discovery service, clause 5.2.7.1 of [3] lists the following
+ service consumers: AMF, SMF, PCF, NEF, NSSF, SMSF, AUSF, CHF, NRF, NWDAF, I-CSCF,
+ SCSCF, IMS-AS, SCP, UDM, AF, DCCF, MBSF, 5G DDNMF, TSCTSF.'
+ Name: Compromise of core consumer NF
+ procedureexamples:
+ - Description: "Any \u201Cconsumer NF\u201D can ask the NRF for information with\
+ \ a guessed slice identifier, until a non-error response is returned. The NRF\
+ \ services that are candidates for this operation are ([2]): discovery and Access\
+ \ token (Nnrf_NFDiscovery and Nnrf_AccessToken). For the Discovery service,\
+ \ in the GET NF instances, the parameters can be included \u201Cplmn-specific-snssai-list\u201D\
+ , which contains the S-NSSAIs that are served by the NF supposedly being discovered.\
+ \ Then the 200OK result contains the NFProfile, which includes the S-NSSAIs.\
+ \ Section 3.1.3 of [1]."
+ Name: An adversary in control of a network function asks the NRF for a token for
+ a guessed SD until a legitimate response is received.
+ references:
+ - ' \[1\] [AdaptiveMobile Security, "A Slice in Time: Slicing Security
+ in 5G Core Networks", 17032021-v1.00.](https://info.adaptivemobile.com/network-slicing-security)'
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP) TS 29.510,\
+ \ \u201C; Network function repository services; Stage 3\u201D, v17.4.0, Dec 2021.](https://www.3gpp.org/DynaReport/29510.htm)"
+ - " \\[3\\] [3GPP TS 23.502 \u201CProcedures for the 5G System\
+ \ (5GS); Stage 2\u201D](https://www.3gpp.org/DynaReport/23502.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0007
+ typecode: fight_technique
+- architecture-segment: Roaming
+ bluf: 'An adversary in a roaming partner operator may send altered service usage
+ for a given UE to the home operator of that UE. '
+ criticalassets:
+ - Description: Operator loses revenue.
+ Name: Operator revenue
+ description: " An adversary in a roaming partner operator may send altered service\
+ \ usage for a given UE to the home operator of that UE.\r\n\r\nService fraud involves\
+ \ bypassing controls to gain access to services or resources which the adversary\
+ \ is not entitled to or charged for. This applies to 3G, 4G and 5G.\r\nA dishonest\
+ \ roaming partner could falsify a UE service usage or route traffic through several\
+ \ partner networks inducing high termination fees to claim revenue in the form\
+ \ of service charges.\r\n\r\n"
+ detections:
+ - detects: Usage data analysis via AI/ML
+ fgdsid: FGDS5006
+ name: UE data usage
+ - detects: Cross-check with subscriber services (if subscriber complains).
+ fgdsid: FGDS5011
+ name: Subscriber notify provider
+ id: FGT5025
+ mitigations:
+ - fgmid: FGM5503
+ mitigates: Employ home-routing instead of local breakout for user traffic (but
+ this means more delay and lower quality of service).
+ name: Increase control of home network for user plane
+ name: Falsify interconnect invoice
+ object-type: technique
+ platforms: 5G
+ procedureexamples:
+ - Description: Signaling fraud may be undertaken by a partner operator, via false
+ charging over international signaling interconnection. Clause 5.3 of [1]. Reference
+ [2] mentions service fraud.
+ Name: False charging
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, November 2019.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks\
+ \ )"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA5001
+ typecode: fight_technique
+- architecture-segment: UE
+ bluf: Adversary may clone a SIM card (namely the IMSI, credential stored therein)
+ and use it fraudulently to obtain telecom service at the expense of the user of
+ the device with that legitimate SIM card
+ criticalassets:
+ - Description: SUPI, master secret key K etc.
+ Name: Subscriber sensitive data
+ description: " Adversary may clone a SIM card (namely the SUPI, credential stored\
+ \ therein) and use it fraudulently to obtain telecom service at the expense of\
+ \ the user of the device with that legitimate SIM card.\r\n\r\nNote 1: This threat\
+ \ is applicable to 3G, 4G and 5G. It may or may not be possible depending on how\
+ \ secure the SIM/USIM card is. Some manufacturers of lower tier USIMs may leave\
+ \ their devices vulnerable.\r\n\r\nNote 2: USIM card technology is independent\
+ \ of 3GPP generations. Releases 15, 16 brought improvements to the USIM technology.\
+ \ \r\n\r\nNote 3: If two devices (one legitimate, one cloned SIM) from two different\
+ \ locations attempt to connect to that home operator at the same time, both will\
+ \ be dropped as a precaution against the suspected SIM cloning. \r\n\r\n"
+ detections:
+ - detects: Investigate unusual USIM card patterns.
+ fgdsid: FGDS5005
+ name: SIM card pattern
+ id: FGT5026
+ mitigations:
+ - fgmid: M1017
+ mitigates: M(V)NO procures USIM cards from reputable manufacturers, and oversees
+ delivery process.
+ name: User Training
+ name: SIM cloning
+ object-type: technique
+ platforms: 5G UE
+ postconditions:
+ - Description: "With the cloned USIM card, adversary now has access to the victim\u2019\
+ s permanent identifier (SUPI), master secret key K and operator key (OPc). Those\
+ \ can be used for unauthorized access to 5G network."
+ Name: Access to user credentials
+ preconditions:
+ - Description: Adversary needs physical access to USIM card during manufacturing
+ of USIMs or during transport to MNOs and the cloned USIM card needs to be activated
+ by the MNO.
+ Name: Access to USIM card
+ procedureexamples:
+ - Description: Adversary gets physical access to the victim USIM card, extracts
+ the USIM card contents (SUPI, K and OPc) and then provisions the contents in
+ an empty and writeable USIM. This can be done via SIM cloning software.
+ Name: Duplicate captured USIM card
+ references:
+ - " \\[1\\] [Martin Brisfors, Sebastian Forsmark, Elena Dubrova:\
+ \ \u201CHow Deep Learning Helps Compromising USIM\u201D](https://dl.acm.org/doi/abs/10.1007/978-3-030-68487-7_9)"
+ - " \\[2\\] [Jinghao Zhao, Boyan Ding, Yunqi Guo, Zhaowei Tan,\
+ \ Songwu Lu, \u201CSecureSIM: Rethinking Authentication and Access Control for\
+ \ SIM/eSIM\u201D](https://dl.acm.org/doi/pdf/10.1145/3447993.3483254)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA5001
+ - TA0006
+ typecode: fight_technique
+- architecture-segment: Control Plane, User Plane
+ bluf: An adversary with access to Non-Service Based Interfaces (Non-SBI) network
+ nodes (including routers/switches/load balancers) may position themselves in order
+ to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040)
+ or [Transmitted Data Manipulation](/techniques/FGT1565.002).
+ criticalassets:
+ - Description: UE user plane data integrity and confidentiality
+ Name: UE user plane data
+ - Description: UE signaling data integrity and confidentiality
+ Name: UE signaling data
+ description: " An adversary with access to Non-Service Based Interfaces (Non-SBI)\
+ \ network nodes (including routers/switches/load balancers) may position themselves\
+ \ in order to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040)\
+ \ or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\n\r\n\u201CNon-SBI\u201D\
+ \ network interfaces are within the Radio Access Network (RAN) (e.g. Xn, F1, E1)\
+ \ and core (e.g. N4), and between the RAN and the 5G Core (e.g. N2, N3 interfaces).\
+ \ \r\n\r\nIf the network does not provide confidentiality or integrity protection\
+ \ for control plane and user plane packets on the non-SBI interfaces, then an\
+ \ AITM attack is possible. \r\n\r\nNote that the Non-Access Stratum (NAS) packets\
+ \ sent on the N2 interface from the UE to the core function AMF are already integrity/confidentiality\
+ \ protected. However, unlike radio communications, operator RAN to core communications\
+ \ are not always employing the confidentiality or integrity protection mandated\
+ \ by 3GPP standards.\r\n\r\n"
+ detections:
+ - detects: Check configuration changes in all switches/routers. Configuration audits
+ by OSS/BSS
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Inspect network traffic content and watch for unauthorized changes as
+ the packets move through the routers/middle boxes
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1557.503
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Use integrity (IPSec) on all non-SBI interfaces
+ name: Integrity protection of data communication
+ - fgmid: M1041
+ mitigates: Use encryption (IPSec) on all non-SBI interfaces
+ name: Encrypt Sensitive Information
+ name: 'Non-SBI '
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Both UE signaling and normal data communication with network will
+ be impacted.
+ Name: Both CP and UP data are eavesdropped or modified
+ preconditions:
+ - Description: Malware or wrong configuration in switches/routers between RAN and
+ core, between gNBs, in gNB itself, in SMF or UPF.
+ Name: Compromised or misconfigured switches/routers or gNB
+ procedureexamples:
+ - Description: Integrity or confidentiality protection can be disabled on N2 interface
+ for Control Plane (CP), N3 interface for User Plane (UP) and Xn, F1 and E1 interfaces
+ for CP and UP. Clauses 9.2, 9.3 and 9.4 of [2]
+ Name: Compromised or misconfigured switches or routers between RAN and core and
+ between gNBs
+ - Description: Network does not provide protection on N2, N3, Xn, F1 and E1 interfaces,
+ see clause D.2.2 of [1]
+ Name: Adversary configures the non-SBI interfaces to not use IPSec.
+ - Description: Compromised or misconfigured Session Management Function (SMF) or
+ User Plane Function (UPF) can cause data manipulation on N4 interface between
+ them, which in turn can cause DoS attack by diverting user traffic away from
+ the intended recipient. It can also cause charging errors. If weak encryption
+ algorithm is used on the N4 interface, adversary can eavesdrop on sensitive
+ subscriber data. Clause L.2.3 of [1]
+ Name: N4 Interface is compromised
+ references:
+ - " \\[1\\] [3GPP TR 33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://www.3gpp.org/DynaReport/33926.htm\
+ \ )"
+ - " \\[2\\] [3GPP TS 33.501 \u201CSecurity architecture and procedures\
+ \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm )"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1557
+ tactics:
+ - TA0009
+ - TA0006
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: user, N/A, N/A
+ addendums:
+ - "#### Addendum Name: Fronthaul User Plane Data\r\n##### Architecture Segments:\
+ \ O-RAN\r\n Adversary manipulates User Plane data on Fronthaul interface between\
+ \ O-DU and O-RU to re-direct the data to a wrong destination or get discarded\
+ \ by the recipient due to incorrect message parameters.\r\n\r\nORAN Alliance has\
+ \ defined the open fronthaul interface which connects one O-DU to one or more\
+ \ O-RUs inside the gNB. The fronthaul interface makes it possible to distribute\
+ \ the physical layer functionalities between RU and DU, and to control RU operations\
+ \ from DU. ORAN Alliance has selected a specific configuration (split 7.2x) for\
+ \ splitting the physical layer among those proposed by 3GPP. The lower part of\
+ \ the physical layer (low PHY) resides in RU and performs Orthogonal Frequency\
+ \ Division Multiplexing (OFDM) phase compensation, inverse FFT and Cyclic Prefix\
+ \ (CP) insertion for frequency-to-time conversion in downlink, and FFT and CP\
+ \ removal in uplink. The physical layer in DU (high PHY) performs scrambling,\
+ \ modulation, layer mapping, and resource element mapping. Fronthaul consists\
+ \ of four types of interfaces: Control or C plane is used to carry control plane\
+ \ messages, User or U plane is used to carry user plane data, Synchronization\
+ \ or S plane is used to carry timing information and Management or M plane is\
+ \ used to carry management data.\r\n\r\nO-RAN fronthaul interface needs to implement\
+ \ strict performance requirements which includes very high throughput and very\
+ \ low latency. See clause 4.4 of [2]. Some security features may not be implemented\
+ \ by MNOs to meet those requirements and to reduce processing delay. Hence, AiTM\
+ \ attack on open fronthaul interface is possible which results in manipulation\
+ \ of U plane data. The adversary may manipulate RLC and MAC layers of the user\
+ \ plane data to cause DoS attack and/or session redirection attack (e.g. DNS redirection)\
+ \ on legitimate subscribers. Confidentiality and integrity protection requirements\
+ \ are not specified by ORAN alliance for control, user and synchronization (CUS)\
+ \ planes, and those are mandatory for M plane. See clause 6.1 of [2] and clause\
+ \ 5.4 of [3].\r\n\r\nNote: The user plane data in PDCP and above layers remains\
+ \ integrity protected on Fronthaul U plane and this data manipulation attack will\
+ \ not impact any of those data unless PDCP security is also broken by the adversary.\r\
+ \n\r\n"
+ - "#### Addendum Name: Layer 2 Redirection of DNS Requests\r\n##### Architecture\
+ \ Segments: Control Plane, User Plane, Roaming\r\n An adversary can manipulate\
+ \ encrypted traffic to achieve redirection of DNS requests sent by the victim\
+ \ UE to the network over the radio interface.\r\n\r\nUsing a fake gNB and fake\
+ \ UE device, the adversary can modify DNS requests the UE sends over the air,\
+ \ even though they are encrypted, if the adversary knows the correct DNS address\
+ \ and there is no integrity protection on user plane data[1]. User plane integrity\
+ \ protections prevent this attack on typical 5G RAN links, however these protections\
+ \ are optional. Alternatively, an adversary may have bid-down the UE as a precondition\
+ \ to achieve the effect.\r\n \r\n"
+ - "#### Addendum Name: Network Interfaces\r\n##### Architecture Segments: Control\
+ \ Plane, User Plane, Roaming\r\n Adversary with access to a non-Service Based\
+ \ Interface (non-SBI) node or an SBI Network Function (NF), or a function on the\
+ \ roaming/interconnect interfaces, may manipulate or spoof user plane and control\
+ \ plane traffic on that interface without integrity protection, towards a DOS\
+ \ or other attacks on the UE or a NF.\r\n\r\nThe following Network interfaces\
+ \ are in the scope of this document.\r\n\r\n1. \u201CNon-SBI\u201D (non-Service\
+ \ Based Interface) network interfaces are within 5G core (e.g. N4) and RAN (e.g.\
+ \ Xn, F1, E1), and between the RAN and the 5G Core (e.g. N2, N3 interfaces). \r\
+ \n\r\n2. SBI network interfaces are between core NFs within an operator network;\
+ \ they use REST APIs.\r\n\r\n3. Roaming and interconnect interfaces, including\
+ \ IPX, are between network operators (between SEPPs (N32), between UPFs (N9),\
+ \ or interworking functions like between AMF and MME (N26)).\r\n\r\nUnlike radio\
+ \ communications, within operator RAN and from RAN to core communications do not\
+ \ always employ integrity protection as per standards. If the gNB does not provide\
+ \ integrity protection for control plane (CP) packets sent on the N2/Xn-C/F1-C/E1\
+ \ interfaces or does not provide user plane (UP) integrity protection for user\
+ \ plane packets sent on the N3/Xn-U/F1-U interfaces, or UPF does not provide integrity\
+ \ protection for user plane packets sent on the N9 interface, then data manipulation\
+ \ (alteration of messages, insertion/spoofing of messages, or replay of legitimate\
+ \ signaling messages) is possible. This may result in DOS. \r\n\r\nThe adversary\
+ \ with access to the SBI links, for example, with control over a middlebox (not\
+ \ including the Service Communication Proxy or SCP), may manipulate or inject\
+ \ spoofed signaling messages if TLS integrity is not enabled or is using a weak\
+ \ algorithm.\r\n \r\nIf an IPX disables JWS signature or uses a weak algorithm\
+ \ for JWS signature, an AiTM may manipulate data over the N32 interface while\
+ \ a UE is roaming.\r\n\r\nSimilarly, if the EPC interworking interface N26 for\
+ \ non-roaming is not integrity protected, all subscriber signaling data may be\
+ \ manipulated by adversary. Refer clause 4.3.1 of [3].\r\n\r\n"
+ - "#### Addendum Name: Radio Interface\r\n##### Architecture Segments: RAN\r\n Adversary\
+ \ with access to radio interface manipulates user and control plane traffic received\
+ \ on that interface without integrity protection, for example to redirect traffic,\
+ \ or obtain location information of the UE.\r\n\r\nIf the gNB does not provide\
+ \ integrity for control plane or user plane packets on radio interfaces, then\
+ \ data manipulation (alteration of data frame content, insertion/spoofing of messages,\
+ \ or replay of old messages) is possible. \r\n\r\n"
+ architecture-segment: Control Plane, User Plane, Roaming
+ bluf: 'Adversaries may alter data en route to storage or other systems in order
+ to manipulate external outcomes or hide activity, thus threatening the integrity
+ of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018)
+ By manipulating transmitted data, adversaries may attempt to affect a business
+ process, organizational understanding, and decision making.
+
+
+ Manipulation may be possible over a network connection or between system processes
+ where there is an opportunity deploy a tool that will intercept and change information.'
+ criticalassets:
+ - Description: Legitimate subscribers can be denied access or existing subscriber
+ sessions can be terminated or directed to malicious server.
+ Name: Subscriber network access
+ - Description: Whoever controls the DNS Servers controls how and what end users
+ connect to over the network, making DNS Servers a type of critical infrastructure.
+ Name: DNS Servers
+ - Description: Any of the subscriber user plane data sourced or destined to the
+ UE
+ Name: UE data
+ - Description: Any of the signaling traffic sourced or destined to the UE
+ Name: UE signaling
+ - Description: Any of the subscriber data sent by or towards the UE
+ Name: UE user plane data
+ - Description: Any of the signaling traffic sent by or towards the UE
+ Name: UE signaling
+ description: "Adversaries may alter data en route to storage or other systems in\
+ \ order to manipulate external outcomes or hide activity, thus threatening the\
+ \ integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus\
+ \ Sony 2018) By manipulating transmitted data, adversaries may attempt to affect\
+ \ a business process, organizational understanding, and decision making.\n\nManipulation\
+ \ may be possible over a network connection or between system processes where\
+ \ there is an opportunity deploy a tool that will intercept and change information.\r\
+ \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1565/002)\r\
+ \n"
+ detections:
+ - detects: Monitor if security configurations in O-RU and O-DU are downgraded to
+ weak or no security levels.
+ fgdsid: FGDS5022
+ name: Monitor security configurations
+ - detects: 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.),
+ that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable
+ format (ex: PCAP)'
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Inspect network traffic and watch for unauthorized changes as the packets
+ move through the interfaces.
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Legitimate UEs notify their service provider about DoS attack and abnormal
+ session terminations.
+ fgdsid: FGDS5011
+ name: Subscriber notify provider
+ - detects: Radio traffic content can be examined to detect unauthorized modification.
+ Inspect radio traffic and watch for unauthorized changes as the packets move
+ through the interfaces.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1565.002
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Ensure fronthaul user plane data is protected with integrity protection.
+ This has performance impact on devices which implement integrity protection.
+ name: Integrity protection of data communication
+ - fgmid: FGM5024
+ mitigates: Use strong data integrity protection algorithms
+ name: Integrity protection of data communication
+ - fgmid: M1020
+ mitigates: Break and inspect SSL/TLS sessions to look at encrypted web traffic
+ for adversary activity.
+ name: SSL/TLS Inspection
+ - fgmid: FGM5024
+ mitigates: Use integrity (IPSec) on all non-SBI interfaces, TLS 1.3 on all SBI
+ interfaces including roaming interfaces (e.g. N32).
+ name: Integrity protection of data communication
+ - fgmid: FGM5024
+ mitigates: Use integrity on radio interface for both control plane and user plane
+ name: Integrity protection of data communication
+ name: Transmitted Data Manipulation
+ object-type: technique
+ platforms: RAN, 5G, 5G network, 5G radio
+ postconditions:
+ - Description: Legitimate subscribers are denied access or existing sessions can
+ be terminated.
+ Name: DoS Attack
+ - Description: Subscriber sessions are redirected to a malicious server.
+ Name: Session redirection
+ - Description: Adversary has redirected the end user to their own DNS system and
+ can now conduct adversary-in-the-middle attacks.
+ Name: DNS control
+ - Description: Both UE signaling and user plane data communication with network
+ will be impacted. This can cause DoS attack for legitimate subscribers.
+ Name: UE data manipulation
+ - Description: Both UE registration and other data communication with network will
+ be impacted.
+ Name: Both Control Plane (CP) and User Plane (UP) data are modified by AitM attack
+ preconditions:
+ - Description: Adversary must have physical access to open fronthaul network to
+ collect data and then manipulate and replay the data.
+ Name: Adversary has access to open fronthaul network.
+ - Description: Adversary must have deployed a fake gNB and a fake UE which modify
+ the payload and then replays the message towards the gNB.
+ Name: Adversary in the Middle
+ - Description: 'See technique Weaken Integrity: Network Interfaces.'
+ Name: Weakened or disabled integrity protection
+ - Description: gNB is compromised or incorrectly configured to disable integrity
+ protection on control and user plane interfaces.
+ Name: Malware or incorrect configuration in gNB.
+ procedureexamples:
+ - Description: 'Adversary launches AiTM attack on open fronthaul U plane data traffic
+ by using a simple sniffer and replay device. The fronthaul U plane data usually
+ does not have integrity protection due to stringent performance requirements.
+ Hence a data manipulation attack is possible by a simple device. DoS attack
+ can be done by manipulating RLC header with bogus data and those messages will
+ get discarded by the recipient. Session redirection attack can be launched by
+ changing the destination MAC address in the MAC header which will re-direct
+ the packets to an adversary-controlled server.
+
+
+ This attack can only manipulate user plane data below PDCP layer. Any user plane
+ data in PDCP and above layers are not compromised by this attack. See clause
+ 5.4.1.2, T-UPLANE-01 of [1], clause 6.1 of [2] and clause 5.4 of [3].'
+ Name: Manipulate U plane data on open fronthaul interface.
+ - Description: In this active attack named aLTEr, adversary exploits the fact that
+ LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected,
+ which allows an adversary to modify the message payload. This is applicable
+ in 5G when the user data integrity algorithm is set to NULL.
+ Name: Adversary employs the aLTEr procedure
+ - Description: 'If gNB is compromised or misconfigured, CP and UP data can be manipulated
+ by adversary on N2, N3, F1, E1 and Xn interfaces. Clause D.2.2 of [1], 5.3.3
+ of [2]
+
+
+ If AMF or SMF is compromised or misconfigured, CP data can be manipulated by
+ adversary on N2 and N4 interfaces. Clauses 5.5.2 & 9.9 of [2]
+
+
+ If UPF is compromised or misconfigured, UP data can be manipulated by adversary
+ on N3 interface. Clause D.2.2 of [1], 9.3 of [2]'
+ Name: Data manipulation on the non-SBI
+ - Description: "If NF is compromised or misconfigured, CP data can be manipulated\
+ \ on SBI interface. Clause 13.1 of [2] (DoS attack) \n\nIf SCP is compromised\
+ \ or misconfigured, CP data can be manipulated on SBI. Clause 5.9.2.4 of [2]\
+ \ (DoS attack)\n\nAn access token may be manipulated to gain unauthorized access\
+ \ to another NF. See technique Unauthorized access to Network Exposure Function\
+ \ (NEF) via token fraud. \n\nA rogue or misconfigured AMF can obtain the temporary\
+ \ UE ID (5G-GUTI or 5G-S-TMSI) during UE registration and service request and\
+ \ later use the ID to spoof signaling messages to retrieve sensitive subscriber\
+ \ information. Clauses 4.2.2.2.2 & 4.2.3.2 of [4]. (Unauthorized access)\n\n\
+ Note: This attack is possible in both non-roaming and roaming scenarios."
+ Name: Data manipulation on the SBI
+ - Description: 'If SEPP or IPX component is compromised or misconfigured, CP data
+ can be manipulated by adversary on N32 interface. Clauses 9.9, 13.1, 13.2 of
+ [2]
+
+
+ If UPF is compromised or misconfigured, UP data can be manipulated by adversary
+ on N9 interface. Clause 9.9 of [2]
+
+
+ If AMF or MME is compromised or misconfigured, CP data can be manipulated by
+ adversary on N26 interface. Clause K.2.1 of [1], 8.4 of [2]'
+ Name: Data manipulation on roaming/interconnect
+ - Description: '[3] describes an attack on 4G but applicable to 5G where radio interface
+ integrity is not applied, whereby an adversary changes the DNS request sent
+ by the victim UE over the radio interface so as to redirect to its own DNS server.
+ See technique DNS Manipulation.'
+ Name: Altering DNS requests not integrity protected over the radio interface.
+ - Description: 'Adversary replays NAS messages to check whether a UE is in the area.
+ See technique Locate UE: NAS exploit'
+ Name: Replay NAS messages to get UE location
+ - Description: RRC messages can be manipulated by AiTM to cause authentication of
+ legitimate subscribers to fail. Also, AiTM can manipulate RRC or UP messages
+ of an existing data session which can cause disruption or termination of session.
+ Name: DoS attack by data manipulation
+ references:
+ - \[1\] [O-RAN Threat Model 6.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[2\] [O-RAN WG4 Control, User, and Synchronization Plane Specification
+ 12.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[3\] [O-RAN WG4 Management Plane Specification 12.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - " \\[1\\] [D. Rupprecht, K. Kohls, T. Holtz, and C. Popper,\
+ \ \u201CBreaking LTE on Layer Two\u201D https://alter-attack.net](https://www.gsma.com/security/wp-content/uploads/2023/10/0008-breaking_lte_on_layer_two.pdf)"
+ - " \\[1\\] [3GPP TR33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes.\u201D](https://www.3gpp.org/DynaReport/33926.htm)"
+ - " \\[2\\] [3GPP TS33.501 \u201CSecurity architecture and procedures\
+ \ for 5G System.\u201D](https://www.3gpp.org/DynaReport/33501.htm)"
+ - " \\[3\\] [3GPP TS 23.501 \u201CSystem architecture for the\
+ \ 5G System (5GS)\u201D](https://www.3gpp.org/DynaReport/23501.htm)"
+ - " \\[4\\] [3GPP TS 23.502 \u201CProcedures for the 5G System\
+ \ (5GS)\u201D](https://www.3gpp.org/DynaReport/23502.htm)"
+ - " \\[1\\] [3GPP TR 33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://www.3gpp.org/DynaReport/33926.htm\
+ \ )"
+ - " \\[2\\] [3GPP TS 33.501 \u201CSecurity architecture and procedures\
+ \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm )"
+ - " \\[3\\] [D. Rupprecht, K. Kohls, T. Holtz, and C. Popper,\
+ \ \u201CBreaking LTE on Layer two\u201D, in Proc. IEEE Symposium on Security\
+ \ and Privacy (SP), 2019, pp. 1-16.](https://alter-attack.net/media/breaking_lte_on_layer_two.pdf)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1565
+ tactics:
+ - TA0040
+ - TA0009
+ typecode: attack_subtechnique_addendum
+- architecture-segment: RAN, Control Plane
+ bluf: 'An adversary may obtain the UE location using radio access or core network '
+ criticalassets:
+ - Description: UE/User geographical location, coarse or fine-grained
+ Name: UE location
+ description: " An adversary may obtain the UE location using radio access or core\
+ \ network.\r\n\r\nAdversary may employ various means to obtain UE location (coarse,\
+ \ fine) using radio access or core network. The UE consists of Mobile Equipment\
+ \ (ME), that is, the device, and the Universal Subscriber Identity Module (USIM)\
+ \ card.\r\n\r\n"
+ detections: []
+ id: FGT5012
+ mitigations: []
+ name: Locate UE
+ object-type: technique
+ platforms: 5G Network
+ procedureexamples:
+ - Description: Adversary may use the radio access network to determine that a particular
+ UE is in the area, or where exactly the UE is located
+ Name: Use radio access to locate UE
+ - Description: Adversary may use the core network signaling to trigger the procedure
+ of locating a particular UE via RAN
+ Name: Use core network signaling to locate UE
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
+ \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
+ \ )"
+ - \[3\] [S. Tomasin, Stefano & Centenaro, Marco & Seco-Granados,
+ Gonzalo & Roth, Stefan & Sezgin, Aydin. (2021). Location-Privacy Leakage and Integrated
+ Solutions for 5G Cellular Networks and Beyond. Sensors. 21. 5176. 10.3390/s21155176.](https://www.researchgate.net/publication/353641837_Location-Privacy_Leakage_and_Integrated_Solutions_for_5G_Cellular_Networks_and_Beyond)
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_technique
+- access-required: User/Admin of slice
+ architecture-segment: Network Slice, Control Plane
+ bluf: 'An adversary uses a legitimate access token for a shared Network Function
+ (NF) to get location info of a user of a different slice. '
+ criticalassets:
+ - Description: UE/Subscriber geographical location, coarse or fine-grained
+ Name: UE location
+ description: " An adversary may use a legitimate access token for a shared Network\
+ \ Function (NF) to get location info of a user of a different slice.\r\n\r\nAn\
+ \ adversary controlling a slice or a NF in a slice obtains an access token for\
+ \ a shared 5G core NF (e.g., AMF) and uses it to get location info for an SUPI\
+ \ of a user belonging to a different slice but still served by same NF.\r\n\r\n"
+ detections:
+ - detects: Regularly audit applications and interface messaging logs. Check logs
+ of requests/responses at the shared NF. E.g., each entry should contain SUPI,
+ NF consumer that requested it, slice IDs of both.
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5012.005
+ mitigations:
+ - fgmid: FGM5012
+ mitigates: Cross check requested SUPI is served by (belongs to) the slice ID (NSSAI)
+ of the consumer NF (and presented in the authorization Token). That is, this
+ attack could be mitigated if the shared network function (NF service producer)
+ checks the SUPI in a service request and the requesting NF service consumer
+ are being served by the same slice. (3GPP SA3 is investigating if 3GPP specifications
+ allow for such check)
+ name: Slice ID check
+ name: Shared Network Function in slice
+ object-type: technique
+ platforms: 5G core
+ postconditions:
+ - Description: Target slice information is leaked, slice confidentiality is breached
+ due to sharing the NF between slices.
+ Name: "UE\u2019s location is tracked by rogue NF"
+ preconditions:
+ - Description: 'Two slices share one common NF that is able to get UE location info.
+ Adversary has control of one slice or at least a NF in that slice -- where said
+ NF is allowed to talk to the AMF.
+
+
+ The following core NFs can legitimately ask for or obtain directly the location
+ of a UE (some granularity): AMF, UDM, NEF, NWDAF, GMLC, LMF. The following core
+ NFs can only get limited/coarse location: SMF, UPF, PCF.'
+ Name: Access shared NF in a different slice
+ procedureexamples:
+ - Description: Malicious NF of a compromised slice gets access token for a shared
+ AMF, but then asks AMF for the location of a UE in the target slice. The AMF
+ checks that the authorization (OAuth) token is ok, which it is, but does not
+ check that the UE ID is served by target slice, while the requester NF is from
+ compromised slice. Section 3.1.5 of [1].
+ Name: Malicious NF belonging to compromised Network Slice gets an access token
+ for the target AMF, which serves both target slice and compromised slice.
+ references:
+ - ' \[1\] [AdaptiveMobile Security, "A Slice in Time: Slicing Security
+ in 5G Core Networks", 17032021-v1.00, March 2021.](https://info.adaptivemobile.com/network-slicing-security
+ )'
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5012
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- architecture-segment: Control Plane
+ bluf: An adversary in the 5G core who has compromised a proxy or middlebox may position
+ themselves between Network Functions (NFs) that are communicating via the Service
+ Based Interfaces (SBI), in order to support follow-on behaviors such as [Network
+ Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).
+ criticalassets:
+ - Description: There are many procedures that can be impacted if an adversary gets
+ in the middle of a TLS connection between two network functions on the SBI.
+ Name: 5G Core network services, including service discovery
+ - Description: Core functions handle UE signaling for the provisioning and configuration
+ of services.
+ Name: Control plane (provisioning and configuration) data for UEs
+ description: " An adversary in the 5G core who compromised a proxy or middlebox\
+ \ may position themselves between Network Functions (NFs) that are communicating\
+ \ via the Service Based Interfaces (SBI), in order to support follow-on behaviors\
+ \ such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\
+ \n\r\nSBI network interfaces are between core NFs within an operator network.\
+ \ An adversary may compromise a proxy on the SBI, such as the Service Communication\
+ \ Proxy (SCP), API proxy, or a load-balancer. Then an adversary may also exploit\
+ \ improper TLS configuration (including weaker cipher, profile) of the SBI connections,\
+ \ which may arise for example due to the use of TLS profiles forbidden in 3GPP\
+ \ TS 33.310 for NF mutual authentication and NF transport layer protection.\r\n\
+ \r\n\r\n"
+ detections: []
+ id: FGT1557.504
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Use TLS 1.3 or TLS 1.2 integrity protection with only strong cipher
+ suites.
+ name: Integrity protection of data communication
+ - fgmid: FGM5095
+ mitigates: TLS certificate thorough checking. Ensure that all certificates received
+ over a connection are valid for the current server endpoint, and abort the handshake
+ if they are not. In some usages, it may be simplest to refuse any change of
+ certificates during renegotiation.
+ name: TLS certificate check
+ - fgmid: M1041
+ mitigates: Use TLS 1.3 or TLS 1.2 encryption with only strong cipher suites.
+ name: Encrypt Sensitive Information
+ - fgmid: M1047
+ mitigates: Audit NF configuration for interfaces, e.g. if TLS is disabled or what
+ version of TLS is being used.
+ name: Audit
+ name: 'Service Based Interface '
+ object-type: technique
+ platforms: 5G Network
+ procedureexamples:
+ - Description: If a TLS client connects to a malicious server and presents a client
+ credential, the server can then impersonate the client at any other server that
+ accepts the same credential. Concretely, the malicious server performs an adversary-in-the-middle
+ attack on three successive handshakes between the honest client and server,
+ and succeeds in impersonating the client on the third handshake. See [5], clause
+ 4.2.2.2 of [2].
+ Name: Triple Handshake
+ - Description: An adversary in control of SCP can eavesdrop or alter signaling data
+ between any two core NFs.
+ Name: SCP as AITM
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks)"
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP) TS 33.117,\
+ \ \u201CCatalogue of general security assurance requirements (Release 17)\u201D\
+ , v17.0.0, June 2021.](https://www.3gpp.org/DynaReport/33117.htm )"
+ - " \\[3\\] [3GPP TS 33.310 \u201CNetwork Domain Security (NDS);\
+ \ Authentication Framework (AF)\u201D](https://www.3gpp.org/DynaReport/33310.htm\
+ \ )"
+ - \[4\] [G. Koien, "On Threats to the 5G Service Based Architecture",
+ 2021.](https://www.researchgate.net/journal/Wireless-Personal-Communications-1572-834X/publication/349455036_On_Threats_to_the_5G_Service_Based_Architecture/links/6030a03a4585158939b7bcae/On-Threats-to-the-5G-Service-Based-Architecture.pdf)
+ - " \\[5\\] [3SHAKE: \u201CTriple Handshakes Considered Harmful:\
+ \ Breaking and Fixing Authentication over TLS\u201D](https://mitls.org/pages/attacks/3SHAKE)"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1557
+ tactics:
+ - TA0009
+ - TA0006
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: Control Plane, User Plane, RAN
+ bluf: An adversary controlling a gNB or control plane or user plane Network Function
+ (NF) may manipulate signaling to result in DOS on one or more UEs
+ criticalassets:
+ - Description: Communications is denied to legitimate UEs
+ Name: Network services
+ description: " An adversary controlling a gNB or control plane or user plane Network\
+ \ Function (NF) may manipulate signaling to result in DOS for one or more UEs.\
+ \ \r\n\r\nAdversary may use a false base station to deny service to a User Equipment\
+ \ (UE) by issuing registration reject messages or other such messages to deny\
+ \ radio access, or posing as a legitimate base station, but not relaying traffic\
+ \ to or from the intended recipient. Adversary may compromise a core NF and thus\
+ \ manipulate signaling for the UE registration or session management procedures,\
+ \ in order to deny service to that UE.\r\n\r\n"
+ detections:
+ - detects: Subscriber notifies provider of no or degraded service
+ fgdsid: FGDS5011
+ name: Subscriber notify provider
+ id: FGT1499.503
+ mitigations:
+ - fgmid: FGM5023
+ mitigates: Periodically re-authenticate NFs in the network to assess whether they
+ have been compromised. Remote attestation may also be employed
+ name: Periodic Authentication & Authorization of NFs
+ - fgmid: M1030
+ mitigates: Implement industry standard core and edge network function security
+ protection
+ name: Network Segmentation
+ name: DOS a UE via gNB or NF signaling
+ object-type: technique
+ platforms: 5G
+ preconditions:
+ - Description: Adversary needs access to a fake or compromised gNB or a compromised
+ NF.
+ Name: Compromise gNB or NF
+ procedureexamples:
+ - Description: "Adversary with a fake UE can send a De-registration request to the\
+ \ victim UE's gNB with the victim\u2019s 5G-GUTI. Or, adversary with a fake\
+ \ gNB can send Deregistration request to the victim UE."
+ Name: DOS via gNB control
+ - Description: Adversary with fake UE can try to register as the victim UE, and
+ when the victim UE tries to RRC connect again, it will be rejected. See [2]
+ Name: DOS via impersonating UE
+ - Description: "Adversary controlling Access and Mobility Management Function (AMF)\
+ \ can cause authentication to fail or deny SMS service by deactivating SMS for\
+ \ a given SUPI [1]. Control of AMF (with or without its Security Anchor Function\
+ \ (SEAF) functionality) can give an adversary the ability to manipulate the\
+ \ AKA procedure (e.g. change parameters exchanged) between the AMF and any other\
+ \ UE, so that (at the simplest) the UE fails authentication and cannot get services.\
+ \ \nAlternatively, rogue or misconfigured AMF modifies the registration accept\
+ \ message for legitimate subscribers to deny access to some or all services\
+ \ that are configured in their profile."
+ Name: DOS via AMF control
+ - Description: Adversary controlling Session Management Function (SMF) can release
+ an existing PDU session or not create a new one; or send a N4 Session Release
+ request to User Plane Function (UPF) currently serving the UE.
+ Name: DOS via SMF control
+ - Description: Adversary controlling UPF can send a report of PDU session inactivity,
+ which results in de-activating the UE session. Or alter secondary authentication
+ between DN AAA and SMF so it fails
+ Name: DOS via UPF control
+ - Description: Adversary controlling Authentication Server Function (AUSF) can produce
+ incorrect AKA parameters or change data out of UDM.
+ Name: DOS via AUSF control
+ - Description: Adversary controlling Unified Data Management (UDM) can fail the
+ SUPI de-concealing operation, so that the UE key will be different and Non-Access
+ Stratum (NAS) Security Mode Command (SMC) will fail (e.g., responding to SUCI
+ de-concealment with an incorrect SUPI). See clause E.2.2.1 of [3].
+ Name: DOS via UDM control
+ - Description: "Adversary controlling Authentication Credential Repository and Processing\
+ \ Function (ARPF) can either (a) Alter the root key (K) or provide wrong root\
+ \ key for the UE; or (b) Generate wrong authentication vector (AV) during UE\
+ \ authentication procedure using EAP-AKA\u2019 or 5G AKA.\nBoth will result\
+ \ in authentication failure for the UE. Section 6.1.3 of [4]"
+ Name: DOS via ARPF control
+ - Description: Adversary controlling the Unified Data Repository (UDR) may give
+ UDM incorrect security parameters, or remove UE authentication status.
+ Name: DOS via UDR control
+ - Description: Adversary controlling Policy and Charging Function (PCF) may return
+ a very restrictive policy for that UE.
+ Name: DOS via PCF control
+ - Description: Adversary controlling the Network Slicing Selection Function (NSSF) and/or
+ the Network Slicing Selection Authentication and Authorization Function (NSSAAF)
+ may deny UE access to a slice by mishandling NSSAI (saying it's unavailable)
+ or altering authentication params so that authentication procedure fails.
+ Name: DOS via NSSF and NSSAAF control
+ - Description: Adversary controlling Charging Function (CHF) may send a message
+ to SMF to start PDU session release.
+ Name: DOS via CHF control
+ - Description: Adversary controlling SMS Function (SMSF) may achieve DOS only for
+ SMS for a given UE; i.e. the device does not receive or send text messages.
+ Name: DOS via SMSF control
+ - Description: Adversary controlling 5G-Equipment Identity Register (5G EIR) can
+ mark UE as stolen.
+ Name: DOS via 5G EIR control
+ - Description: Adversary controlling home network Security Edge Protection Proxy
+ (SEPP) or visited SEPP can alter or discard registration request/response message
+ and/or other signaling messages to deny access for a UE.
+ Name: DOS via Home or visited network SEPP
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [Hu, X. et al: \u201CA Systematic Analysis Method\
+ \ for 5G Non-Access Stratum Signalling Security\u201D, August 2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
+ \ )"
+ - " \\[3\\] [3rd Generation Partnership Project (3GPP) TR 33.926:\
+ \ \u201CSecurity Assurance Specification (SCAS) threats and critical assets in\
+ \ 3GPP network product classes\u201D, Technical Report, v17.3.0, December. 2021.](https://www.3gpp.org/DynaReport/33926.htm\
+ \ )"
+ - " \\[4\\] [3rd Generation Partnership Project (3GPP) TS 33.501:\
+ \ \u201CSecurity architecture and procedures for 5G System\u201D, Technical Specification,\
+ \ v17.6.0, June 2022](https://www.3gpp.org/DynaReport/33501.htm )"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1499
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: admin
+ architecture-segment: Control Plane
+ bluf: An adversary controlling a control plane network function may manipulate signaling
+ to retrieve UE subscription information
+ criticalassets:
+ - Description: Subscriber data can be permanent (not updateable) or updateable (like
+ the current serving PLMN, AMF etc)
+ Name: UDM and subscriber/UE data
+ description: " Adversary controlling a control plane network function (NF) may manipulate\
+ \ signaling to retrieve UE subscription information.\r\n\r\nThe AMF, SMF, NEF,\
+ \ SMSF and the UDM itself can use legitimate signaling to retrieve the subscription\
+ \ data of a given UE, assuming its SUPI is known. The subscription data is stored\
+ \ in the UDM or UDR. \r\n\r\nThe UE data in the UDM is referred to as the \u201C\
+ Session Data Management Subscription data\u201D, and it includes access and mobility\
+ \ subscription data, SMS subscription data, slice information (the UE\u2019s NSSAIs),\
+ \ \"supported features\", serving PLMN ID. This threat consists of a compromised\
+ \ NF to ask the UDM for the data for a given SUPI or GPSI. \r\n\r\n"
+ detections:
+ - detects: Monitor logs
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5020
+ mitigations:
+ - fgmid: FGM5033
+ mitigates: 'Standard 5G enterprise/core network security functionality
+
+ E.g. Zero trust principles for OA&M.'
+ name: Zero Trust
+ name: Retrieve UE subscription data
+ object-type: technique
+ platforms: 5G Core Network
+ preconditions:
+ - Description: Adversary must know the SUPI or GPSI of victim UE
+ Name: SUPI or GPSI
+ procedureexamples:
+ - Description: An AMF can extract subscription data (including NSSAIs) for any given
+ UE SUPI by asking the UDM (uses Nudm_SDM_Get service (SDM=SubscriberDataManagement)).
+ The UDM does not check that that AMF is the one serving the UE, i.e. the AMF
+ does not need to register itself first as serving the UE, via the Nudm_UECM_Registration
+ Request. Table 5.2.3.1-1 of [1]
+ Name: AMF retrieves subscription data from UDM.
+ - Description: "A rogue AMF in visited PLMN can retrieve the UE\u2019s sensitive\
+ \ information during 5GS to EPC roaming. AMF calls Nsmf_PDUSession_ContextRequest\
+ \ API to v/hSMF. SMF sends the UE SM context in response which can reveal the\
+ \ following UE information: SUPI, S-NSSAI, DNN, UE IP address etc. Clause 4.11.1.2.1\
+ \ & Table 5.2.8.2.10-1 of [1]"
+ Name: AMF in visited PLMN retrieves UE information during 5GS to EPC roaming.
+ - Description: "The SMF can send to UDM a Nudm-sdm message and retrieve \u201CSession\
+ \ mgmt subscription data\u201D, i.e. DNN configuration for all network slices."
+ Name: SMF retrieves subscription data from UDM
+ - Description: The UDM can legitimately get UE subscription data from UDR.
+ Name: UDM can look up any UE (in UDR if one is employed).
+ - Description: The SMSF can get the UE subscription data via Nudm_sdm API.
+ Name: SMSF retrieves UE subscription data from UDM
+ - Description: The NEF can get the UE subscription data via Nudm_sdm API.
+ Name: NEF retrieves some of the UE subscription data from UDM.
+ references:
+ - " \\[1\\] [3rd Generation Partnership Project (3GPP) 23.502\
+ \ \u201CProcedures for the 5G System (5GS)\u201D, March 2022.](https://www.3gpp.org/DynaReport/23502.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0009
+ typecode: fight_technique
+- architecture-segment: Control Plane
+ bluf: An adversary controlling a control plane network function may manipulate
+ signaling or parameters to achieve charging/billing fraud where victim is UE or
+ operator itself
+ criticalassets:
+ - Description: Communications is denied
+ Name: UE call/data records accuracy
+ description: " An adversary controlling a control plane network function (NF) may\
+ \ manipulate signaling or parameters to achieve charging/billing fraud where victim\
+ \ is UE or operator itself. \r\n\r\nThere are multiple procedures to support this\
+ \ adversarial behavior, and they depend on the NF that is compromised.\r\n\r\n"
+ detections:
+ - detects: Management system (OSS/BSS) checks uniqueness of charging ID for all
+ new PDU sessions in non-roaming scenario and existing PDU sessions in handover
+ and roaming scenario
+ fgdsid: FGDS5003
+ name: Charging anomaly
+ id: FGT5023
+ mitigations:
+ - fgmid: FGM5023
+ mitigates: Periodic authentication / authorization of NF consumer e.g. SMF/PCF/CHF/NEF/AF
+ by NRF will help detect rogue NFs.
+ name: Periodic Authentication & Authorization of NFs
+ - fgmid: FGM5094
+ mitigates: Rigorous checks of unique mapping of charging ID to PDU session (applicable
+ to the SMF case). Management system (OSS/BSS) can generate alert for possible
+ intervention.
+ name: Allocate new 5G identifiers judiciously
+ name: Charging fraud via NF control
+ object-type: technique
+ platforms: 5G
+ procedureexamples:
+ - Description: 'An adversary may control the SMF and assign the same SMF Charging
+ Identifier to a device data flow as that of an existing victim device, to cause
+ charging errors. Clause 5.1.4 & annex A.1 of [3].
+
+
+ The SMF can also pause charging for a given UE (even though not warranted),
+ clause 4.4.4 of [4].
+
+ The SMF can also misreport 5G data used by a given UE.'
+ Name: SMF control
+ - Description: An adversary with control over the PCF can change policy so that
+ UE is allowed to consume a service it was not subscribed to - but it will still
+ be traceable to that UE. Clause 4.3.2 of [5].
+ Name: PCF control
+ - Description: An adversary with control over the CHF can ignore when PCF tells
+ it that the spending limit for this subscriber has been reached or can ignore
+ the SMS records from the SMSF (SMSF uses POST to put in data), or can ignore
+ the 5G data the SMF reports ([3])
+ Name: CHF control
+ - Description: "Adversary on AF can attack a weak NEF. Or, the NEF can be compromised\
+ \ and conduct this attack without even an AF. \nAn AF can ask the NEF to change\
+ \ the \u201Cchargeable party\u201D Clause 4.4.8 of [6], clause 4.4.4 of [7].\n\
+ \nThis is meant to support the AF being the chargeable party, but it\u2019s\
+ \ imaginable how the AF can put a different AF as chargeable: it has to send\
+ \ the AF identifier, UE IP address, Sponsor ID, ASP ID, etc. even AppID."
+ Name: NEF control or Application Function (AF) control exploiting weak NEF
+ references:
+ - " \\[1\\] [3rd Generation Partnership Project (3GPP) TR 33.926:\
+ \ \u201CSecurity Assurance Specification (SCAS) threats and critical assets in\
+ \ 3GPP network product classes\u201D, Technical Report, v17.3.0, December. 2021](https://www.3gpp.org/DynaReport/33926.htm\
+ \ )"
+ - " \\[2\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[3\\] [3GPP TS 32.255 \u201CTelecommunication management;\
+ \ Charging management; 5G data connectivity domain charging; Stage 2\u201D](https://www.3gpp.org/DynaReport/32255.htm)"
+ - " \\[4\\] [3GPP TS 23.502 \u201CProcedures for the 5G System\
+ \ (5GS)\u201D](https://www.3gpp.org/DynaReport/23502.htm)"
+ - " \\[5\\] [3GPP TS 23.503 \u201CPolicy and charging control\
+ \ framework for the 5G System (5GS); Stage 2\u201D](https://www.3gpp.org/DynaReport/23503.htm)"
+ - " \\[6\\] [3GPP TS 29.522 \u201C5G System; Network Exposure\
+ \ Function Northbound APIs; Stage 3\u201D](https://www.3gpp.org/DynaReport/29522.htm)"
+ - " \\[7\\] [3GPP TS 29.122 \u201CT8 reference point for Northbound\
+ \ APIs\u201D](https://www.3gpp.org/DynaReport/29122.htm)"
+ status: This is a theoretical behavior
+ tactics:
+ - TA5001
+ typecode: fight_technique
+- access-required: physical or malware insertion
+ architecture-segment: UE
+ bluf: 'An adversary may get access to several SIM credentials either by physical
+ access to SIM card inventory or by injecting malware on SIM vendor server. '
+ criticalassets:
+ - Description: Adversary is after getting the keys to decrypt cellular communications
+ for those sets of SIMs whose credentials it captured.
+ Name: Privacy of subscriber data
+ description: " An adversary may get access to several SIM credentials either by\
+ \ physical access to SIM card inventory or by injecting malware on SIM vendor\
+ \ server. \r\n\r\nUnauthorized actors use various means to intercept/steal SIM\
+ \ data in transit from SIM card vendors towards the HSS or the UDR/UDM in the\
+ \ operator's network and by gaining physical access to the SIM card inventory\
+ \ in order to obtain customer credentials.\r\n\r\n"
+ detections: []
+ id: FGT1195.501
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Protect the files where SIM data is stored by integrity protection.
+ name: Integrity protection of data communication
+ - fgmid: M1017
+ mitigates: 'Personnel security: Train personnel in SIM card OEMs to be wary of
+ social engineering and other attempts of unauthorized parties to gain access
+ to any relevant resource, and to report suspicious activities.'
+ name: User Training
+ - fgmid: M1022
+ mitigates: Restrict access to files exchanged between SIM vendor and MNO.
+ name: Restrict File and Directory Permissions
+ - fgmid: M1030
+ mitigates: Physical and cyber security of IT systems, servers.
+ name: Network Segmentation
+ - fgmid: M1041
+ mitigates: Protect the files where SIM data is stored by encryption.
+ name: Encrypt Sensitive Information
+ name: SIM Credential Theft
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: "Subscriber\u2019s sensitive signaling and user plane data are exposed\
+ \ to the adversary."
+ Name: Subscriber data leak
+ preconditions:
+ - Description: "Adversary needs to either implant malware in SIM vendor\u2019s server\
+ \ or have physical access to the SIM card inventory."
+ Name: Implant malware or physical access
+ procedureexamples:
+ - Description: An adversary may implant malware on a SIM vendor server or gain physical
+ access to their SIM cards and thus obtain SIM credentials.
+ Name: "Infiltrate SIM vendor\u2019s network."
+ references:
+ - " \\[1\\] [GSMA FS.28 \u201CSecurity Guidelines for Exchange\
+ \ of UICC Credentials\u201D, Version 1.0, November 2020.](https://www.gsma.com/security/resources/fs-28-security-guidelines-for-exchange-of-uicc-credentials/\
+ \ )"
+ - " \\[2\\] [Gemalto article on SIM credential threat: \u201C\
+ GEMALTO PRESENTS THE FINDINGS OF ITS INVESTIGATIONS INTO THE ALLEGED HACKING OF\
+ \ SIM CARD ENCRYPTION KEYS BY BRITAIN'S GOVERNMENT COMMUNICATIONS HEADQUARTERS\
+ \ (GCHQ) AND THE U.S. NATIONAL SECURITY AGENCY (NSA)\u201D.](https://www.thalesgroup.com/en/markets/digital-identity-and-security/press-release/gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-sim-card-encryption-keys)"
+ - " \\[3\\] [BBC article: \u201CUS and UK accused of hacking\
+ \ Sim card firm to steal codes\u201C.](https://www.bbc.com/news/technology-31545050)"
+ - " \\[4\\] [Securitytoday.com article: \u201CU.S. and Britain\
+ \ Work Together to Pull off SIM Card Heist\u201D.](https://securitytoday.com/articles/2015/02/20/us-and-britain-work-together-to-pull-off-sim-card-heist.aspx?admgarea=ht.government)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT1195
+ tactics:
+ - TA0006
+ - TA0001
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: User Plane
+ bluf: An adversary may compromise the operator's SMS Center (SMSC) to collect SMS
+ messages to/from the UEs.
+ criticalassets:
+ - Description: User data from SMS
+ Name: User data
+ description: " An adversary may compromise the operator's SMS Center (SMSC) to collect\
+ \ SMS messages to/from the UEs. \r\n\r\nThe SMSC is a server in 3G, 4G, and 5G\
+ \ networks, and it communicates in 5G with the SMS Function (SMSF) and IMS function\
+ \ IP-SM-GW, using MAP protocol.\r\n\r\nAn adversary can eavesdrop the SMS data\
+ \ to/from certain subscribers (identified by IMSI or MSISDN), by compromising\
+ \ the operator\u2019s SMSC. Similar techniques can be applied to other operator\
+ \ functions such as IP-SM-GW or STF, SMSF, towards the same goal.\r\n\r\n\r\n"
+ detections: []
+ id: FGT5001
+ mitigations:
+ - fgmid: M1049
+ mitigates: Check telecom servers for malware or use endpoint security solution.
+ Implement the latest patches in Linux systems and use strong anti-virus software
+ to detect malware.
+ name: Anti-virus & Anti-malware
+ name: Network-side SMS collection
+ object-type: technique
+ platforms: 5G Network
+ preconditions:
+ - Description: Adversary must first develop the malware to achieve the procedures
+ herein.
+ Name: Malware developed
+ procedureexamples:
+ - Description: "A data miner program may be loaded by an installation script. The\
+ \ script targets and saves SMS messages (the contents, the IMSI and the source\
+ \ and destination phone number). This is highly targeted to given IMSI numbers\
+ \ (e.g., proponents of movements against the Chinese gov\u2019t). (note: Call\
+ \ Data Records (CDRs) were also targeted for certain IMSIs, the info therein\
+ \ is called metadata, i.e. time, duration, phone numbers). [1], [2]."
+ Name: Malware loaded into a Linux running SMSC server
+ references:
+ - " \\[1\\] [Dynamic Ciso.com \u201CNew Malware Discovered by\
+ \ FireEye APT41, Infects SMS Servers Within Telecoms\u201D, Nov 1, 2019, retrieved\
+ \ March 4, 2022.](https://dynamicciso.com/new-malware-discovered-by-fireeye-apt41infects-sms-servers-within-telecoms)"
+ - " \\[2\\] [Leong, Raymond, Perez, Dan & Dean, Tyler, \u201C\
+ MESSAGETAP: Who\u2019s Reading Your Text Messages\u201D FireEye. 31 Oct 2019.](https://www.mandiant.com/resources/messagetap-who-is-reading-your-text-messages)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ tactics:
+ - TA0009
+ typecode: fight_technique
+- architecture-segment: Control Plane
+ bluf: Adversary may compromise the 5G Charging Function (CHF) in order to steal
+ sensitive subscriber call related data/CDRs.
+ criticalassets:
+ - Description: Confidentiality of sensitive subscriber data in the form of (calls/data/SMS).
+ Name: Subscriber data
+ description: " Adversary may compromise the 5G Charging Function (CHF) in order\
+ \ to steal sensitive subscriber call related data/CDRs.\r\n\r\nAdversary may compromise\
+ \ 5G CHF by either cloning a legitimate CHF or by implanting malware inside a\
+ \ legitimate 5G CHF in order to steal subscriber\u2019s call and SMS related metadata.\
+ \ The information may be used to enable follow-on privacy attacks such as tracking\
+ \ internet usage and call/SMS activities of certain subscribers.\r\n\r\nIn earlier\
+ \ generations of 3GPP networks, CDRs are generated on switches, and then moved\
+ \ to billing servers. In 5G, Converged Charging System (CCS) is responsible for\
+ \ generating CDRs for subscribers based on their data usage. CHF is part of the\
+ \ CCS. CHF communicates to other core NFs via Service Based Interface (SBI). It\
+ \ receives data usage information from core NFs such as SMF. The CDRs are processed\
+ \ by charging data processing functions external to the 5G network \u2013 that\
+ \ is, by the Offline Charging System (OFCS) for postpaid customers and by the\
+ \ Online Charging System (OCS) for prepaid customers.\r\n\r\n\r\n"
+ detections:
+ - detects: 'Log and raise alarms for any suspicious deployment activities in core:
+ Update image, cloning an existing NF etc.'
+ fgdsid: FGDS5012
+ name: SIEM
+ id: FGT5017
+ mitigations:
+ - fgmid: FGM5089
+ mitigates: Verify image hash of every core NF by periodic checks
+ name: Verify image in deployment
+ name: 'Charging Data Record (CDR) collection '
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Exposure of subscriber sensitive information such as call/data/text
+ metadata.
+ Name: Leakage of subscriber data
+ preconditions:
+ - Description: Adversary either clones a legitimate CHF or implants malware in a
+ legitimate CHF.
+ Name: Adversary compromises a legitimate CHF
+ procedureexamples:
+ - Description: "Adversary may use a compromised CHF to collect CDR\u2019s belonging\
+ \ to a target subscriber, or a group of subscribers based on their SUPI or GPSI\
+ \ (phone number). The collected CDRs may be used to track internet usage and\
+ \ call/SMS activities of target subscriber(s). [3]"
+ Name: Compromised CHF steals CDRs
+ references:
+ - " \\[1\\] [3GPP TS 32.291 \u201CCharging management; 5G system,\
+ \ charging service; Stage 3\u201D](https://www.3gpp.org/DynaReport/32291.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0009
+ - TA0007
+ typecode: fight_technique
+- access-required: physical/gNB
+ architecture-segment: RAN, Control Plane
+ bluf: An adversary may geolocate a UE by modifying Non-Access Stratum (NAS) signaling.
+ criticalassets:
+ - Description: UE/Subscriber geographical location, coarse or fine-grained.
+ Name: UE location
+ description: " An adversary may geolocate a UE using modified Non-Access Stratum\
+ \ (NAS) signaling. \r\n\r\nNAS is signaling that is exchanged for registration\
+ \ and authentication between the UE and the Access and Mobility Function (AMF),\
+ \ via the gNB as a pass-through. Adversary uses a fake gNB to intercept, modify\
+ \ and/or replay NAS messages to probe for UE presence in a that cell, which leads\
+ \ to coarse location. The victim UE tried to connect to a nearby gNB, and adversary\
+ \ then lured UEs to connect to it (e.g., by increasing the transmit power of the\
+ \ fake gNB). \r\n\r\n"
+ detections:
+ - detects: Operator standard means to detect presence of fake gNBs. gNB radio signals
+ (sent to all UEs to enable them to select gNB and connect) are received and
+ reported by UEs to the operator, who can then run cross checks with the signals
+ that the UEs should have received if all gNBs nearby were legitimate. Clause
+ 6.24 of [2].
+ fgdsid: FGDS5002
+ name: UE signal measurements
+ id: FGT5012.006
+ mitigations: []
+ name: NAS Exploit
+ object-type: technique
+ platforms: 5G Network
+ preconditions:
+ - Description: Adversary must install a fake gNB that it can control what messages
+ it sends to UEs.
+ Name: Control of fake gNB in the area where the victim UE may be located.
+ - Description: Adversary must acquire a fake UE to achieve the NAS SMC attack.
+ Name: Control of fake UE in the NAS SMC attack.
+ procedureexamples:
+ - Description: "Adversary eavesdrops one NAS message from the legitimate network\
+ \ (the Auth_Req (R, AUTN), or the NAS Security Mode Command (SMC)), then replays\
+ \ that NAS message whenever it wants to check whether the victim UE is nearby,\
+ \ since the type of error (or response, in the case of SMC) received from the\
+ \ responder indicates whether it's the victim UE or not. Thus, adversary can\
+ \ probe for UE\u2019s presence in a that cell, which leads to coarse location\
+ \ data. See [1]."
+ Name: Replay of NAS message
+ references:
+ - " \\[1\\] [X. Hu et.al. \u201CA Systematic Analysis Method\
+ \ for 5G Non-Access Stratum Signalling Security\u201D, IEEE Access, August 2019.](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
+ \ )"
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP) TR 33.809:\
+ \ \u201CStudy on 5G security enhancements against False Base Stations (FBS)\u201D\
+ , Technical Report, v0.18.0, February 2022.](https://www.3gpp.org/DynaReport/33809.htm\
+ \ )"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5012
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- access-required: User/NPE/Administrative access
+ architecture-segment: RAN, O-RAN
+ bluf: An adversary may compromise a component of gNodeB to affect radio network
+ configuration
+ criticalassets:
+ - Description: Configuration and data related to gNodeB
+ Name: RAN Service Management and Orchestration
+ - Description: RIC and Configuration and data related to gNodeB
+ Name: ORAN RIC
+ - Description: xApp and Configuration and data related to gNodeB, Realtime optimization
+ data
+ Name: xApps
+ - Description: rApp and Configuration and data related to gNodeB, non-Realtime optimization
+ data
+ Name: rApps
+ description: " An adversary may compromise a component of gNodeB to affect radio\
+ \ network configuration.\r\n\r\nThe 3GPP standards assume that RAN functions are\
+ \ securely deployed, properly implemented, and do not contain components with\
+ \ malicious intent. If that assumption fails, malicious activity can take place.\r\
+ \n \r\nThe gNB is the termination point for encryption and integrity protection,\
+ \ if user plane traffic is sent in clear, it can potentially be exposed to an\
+ \ adversary controlling the gNodeB. \r\n\r\nO-RAN Architecture puts network intelligence\
+ \ and management capability in Service Management and Orchestration (SMO) framework,\
+ \ with Near-Real-Time Radio Intelligent Controller (Near-RT RIC) and Non-Real-Time\
+ \ RIC (Non-RT RIC) that can change the network behavior. It further allows xApps\
+ \ and rApps with standard interfaces to agents (if configured) outside the controlled\
+ \ network that can also read data and send configuration changes. A compromise\
+ \ of any of these components can potentially cause unintended changes to the network\
+ \ and expose user information.\r\n\r\n\r\nUnauthorized access to and manipulation\
+ \ of the gNB component can be carried out by a supply chain attack or as a result\
+ \ of malicious updates using operator\u2019s management and deployment tools.\
+ \ Adversaries may also gain access by physically connecting to the device through\
+ \ an unsecured USB, serial, or COM port on the base station (or device hosting\
+ \ virtual CU/DU/RU/RIC), or by remotely logging in using SSH or Telnet if strong\
+ \ access control is not implemented.\r\n\r\nIn distributed deployment architectures,\
+ \ APIs present additional threat vectors that can be exploited by attackers. In\
+ \ shared RAN scenarios, the use of service configuration and management tools\
+ \ by multiple parties may increase the risk vectors.\r\n\r\n\r\n3GPP does not\
+ \ dictate deployment models, so it is possible that improper security hardening\
+ \ and separation of networks between RAN VNF and Core VNF in the same Cloud or\
+ \ MEC may further allow lateral movements of adversary if a gNodeB component is\
+ \ compromised.\r\n\r\n\r\n"
+ detections: []
+ id: FGT5032
+ mitigations: []
+ name: gNodeB Component Manipulation
+ object-type: technique
+ platforms: O-RAN
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0002
+ typecode: fight_technique
+- access-required: User/NPE/Administrative access
+ architecture-segment: RAN, O-RAN
+ bluf: An adversary may compromise a RAN Intelligent Controller (RIC) to affect radio
+ network configuration.
+ criticalassets:
+ - Description: Configuration and date related to gNodeB
+ Name: RAN Service Management and Orchestration
+ - Description: RIC and Configuration and data related to gNodeB
+ Name: O-RAN RIC
+ description: " \r\n\r\nAn adversary may compromise a RAN Intelligent Controller\
+ \ (RIC) to affect radio network configuration.\r\nO-RAN architecture includes\
+ \ the RAN Intelligence Controllers (RICs), which consists of the Non-Real-Time\
+ \ RAN Intelligent Controller (Non-RT RIC) and the Near-Real-Time RAN Intelligent\
+ \ Controller (Near-RT RIC), to optimize radio resource management of gNB components.\
+ \ The Non-RT RIC is embedded in the Service and Management Orchestration function\
+ \ (SMO) framework and hosts rApps to provide policy-based guidance, machine learning\
+ \ model management and enrichment information to the Near-RT RIC function for\
+ \ the purpose of RAN optimization. The Near-RT RIC is a logical function that\
+ \ hosts xApps and enables near real-time control and optimization of the functions\
+ \ and resources of gNB components O-CU-CP, O-CU-UP and O-DU, steered via the policies\
+ \ and enrichment data provided from the Non-RT RIC.\r\nO-RAN RIC functions integrate\
+ \ and interact with xApps and rApps, which can bring information and instructions\
+ \ to the RIC from outside of the O-RAN architecture. A compromise of the RIC components\
+ \ (by any means) can potentially lead to unauthorized changes in O-CU or O-DU\
+ \ via E2 Interface.\r\n\r\n\r\n"
+ detections: []
+ id: FGT5032.001
+ mitigations: []
+ name: RAN Intelligent Controller (RIC)
+ object-type: technique
+ platforms: O-RAN
+ references:
+ - \[1\] [O-RAN.WG3.RICARCH-R003-v04.00](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[2\] [O-RAN.WG2.Non-RT-RIC-ARCH-R003-v03.00](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[3\] [O-RAN.WG2.Non-RT-RIC-ARCH-TR-v01.01](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[4\] [O-RAN.WG11.Threat-Model.O-R003-v06.00](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[5\] [Federal Office of information Security, Study 5G RAN
+ Risk Analysis](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5)
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5032
+ tactics:
+ - TA0002
+ typecode: fight_subtechnique
+- access-required: Privileged Access
+ architecture-segment: RAN, O-RAN
+ bluf: 'An adversary may compromise an xApp to affect the radio network configuration. '
+ criticalassets:
+ - Description: "UE data includes UE\u2019s coarse location, temporary identifier\
+ \ and correlation of UE temporary identifier to other service-related data e.g.,\
+ \ DNN, NSSAI etc. See clause 6.2.1 of [2]."
+ Name: ' UE data'
+ - Description: Sensitive network data such as QoS policies of a slice
+ Name: Sensitive network data
+ - Description: Configuration data such as configuration regarding radio resource
+ management (RRM), QoS, and spectrum allocation
+ Name: RAN configuration data
+ description: " \r\nAn adversary may compromise an xApp to affect the radio network\
+ \ configuration.\r\n\r\nThe O-RAN architecture includes the RAN Intelligence Controllers\
+ \ (RIC), which consists of the Non-Real-Time RAN Intelligent Controller (Non-RT\
+ \ RIC) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC), to optimize\
+ \ radio resource management of gNB components. The Non-RT RIC is embedded in the\
+ \ Service Management and Orchestration (SMO) framework and hosts rApps to provide\
+ \ policy-based guidance, machine learning model management and enrichment information\
+ \ to the Near-RT RIC function for the purpose of RAN optimization. \r\n\r\nThe\
+ \ Near-RT RIC is a logical function that hosts xApps and enables near-real-time\
+ \ control and optimization of the functions and resources of gNB components [O-RAN\
+ \ Central Unit-Control Plane (O-CU-CP), O-RAN Central Unit-User Plane (O-CU-UP)\
+ \ and O-RAN Distributed Unit (O-DU)], steered via the policies and enrichment\
+ \ data provided from the Non-RT RIC. \r\n\r\nThe O-RAN platform can perform both\
+ \ non-real-time optimization and near-real-time optimization of O-RAN elements\
+ \ through the Non-RT RIC and Near-RT RIC. Non-real-time optimization may be used\
+ \ for higher-level optimization and is facilitated by the Non-RT RIC. Use cases\
+ \ such as policy-based guidance and AI/ML are examples of those appropriate for\
+ \ non real-time-optimization. Near-real-time optimization enables certain capabilities\
+ \ and is facilitated by the Near-RT RIC. Use cases such as radio resource management\
+ \ and Quality of Service (QoS) optimization are examples of those appropriate\
+ \ for near-real-time optimization. \r\n\r\nxApps are applications designed to\
+ \ run on the Near-RT RIC to provide the desired RAN functionality. xApps are independent\
+ \ of the Near-RT RIC and may be provided by any third party. \r\n\r\nxApps on\
+ \ the Near-RT RIC can collect near-real-time information from gNB components (O-CU-CP,\
+ \ O-CU-UP and O-DU) and influence behavior of those components, thereby impacting\
+ \ 5G base station performance and delivery of services to a group of UEs or a\
+ \ single UE.\r\n\r\nxApps may be compromised during the delivery to the service\
+ \ provider, either through the external supply chain from vendor to the service\
+ \ provider or through the internal CI/CD pipeline. Malicious code may be inserted\
+ \ in the xApp application package that could compromise the application. Adversary\
+ \ may also obtain xApp credentials or compromise a 3rd party infrastructure the\
+ \ application is hosted on.\r\n\r\nA compromise of an xApp (or through xApp Agent)\
+ \ can potentially lead to unauthorized changes in O-CU or O-DU via E2 Interface.\r\
+ \n\r\n"
+ detections:
+ - detects: Monitor xApp lifecycle management events from logs regarding onboarding,
+ authentication/authorization of xApps to Near-RT RIC. Audit logs and telemetry
+ data for unauthorized activity.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor and alert on changes to xApp and cloud configuration files during
+ runtime
+ fgdsid: DS0022
+ name: File
+ - detects: Perform real-time audits and post-processing of logs. Detect which parts
+ of the O-RAN are accessed by xApps.
+ fgdsid: DS0025
+ name: Cloud Service
+ - detects: Verify xApp image hash
+ fgdsid: FGDS5015
+ name: Image verification
+ id: FGT5032.002
+ mitigations:
+ - fgmid: M1033
+ mitigates: Use only trusted supply chain, rigorous scanning of software images.
+ Limit Software Installations especially from 3rd party sources.
+ name: Limit Software Installation
+ - fgmid: M1035
+ mitigates: Limit access to xApp instance
+ name: Limit Access to Resource Over Network
+ - fgmid: M1043
+ mitigates: Use capabilities to prevent successful credential access by adversaries
+ name: Credential Access Protection
+ - fgmid: M1045
+ mitigates: Verify digital signature of xApp
+ name: Code Signing
+ - fgmid: M1025
+ mitigates: Enforce least privilege access for cloud components
+ name: Privileged Process Integrity
+ name: xApp
+ object-type: technique
+ platforms: O-RAN
+ postconditions:
+ - Description: Adversary affects the radio network configuration, accesses configuration
+ data, and perform other unauthorized activities
+ Name: Affected Network Radio Configuration
+ - Description: Adversary degrades network operation or in the worst case, causes
+ network outage
+ Name: Network operations impacted
+ - Description: "UE and subscriber\u2019s sensitive data is revealed to the adversary"
+ Name: Sensitive UE data exposed to adversary
+ preconditions:
+ - Description: Adversary has access to xApp (e.g., application package, credentials)
+ Name: Adversary access to xApp
+ procedureexamples:
+ - Description: Adversary compromising external supply chain or internal CI/CD pipeline
+ to implement backdoor into xApp
+ Name: xApp access via backdoor
+ - Description: Adversary obtains xApp credentials through various means and compromises
+ the xApp
+ Name: xApp access via stolen credentials
+ - Description: Adversary may compromise the infrastructure the O-RAN platform is
+ deployed on and gain access to xApp
+ Name: xApp access via compromised 3rd party hosting infrastructure provider
+ references:
+ - \[1\] [O-RAN Security Threat Model 6.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[2\] [O-RAN WG3 Near-RT RIC Architecture 4.00 Version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[3\] [Federal Office of information Security, Study 5G RAN
+ Risk Analysis](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5)
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5032
+ tactics:
+ - TA0002
+ typecode: fight_subtechnique
+- access-required: Privileged Access
+ architecture-segment: RAN, O-RAN
+ bluf: An adversary may compromise an rApp to affect the radio network configuration.
+ criticalassets:
+ - Description: "UE data includes UE\u2019s coarse location, temporary identifier\
+ \ and correlation of UE temporary identifier to other service-related data e.g.,\
+ \ DNN, NSSAI etc. See clause 6.2.1 of [2]."
+ Name: ' UE data'
+ - Description: Sensitive network data such as QoS policies of a slice
+ Name: Sensitive network data
+ - Description: Configuration data such as configuration regarding radio resource
+ management (RRM), QoS, and spectrum allocation
+ Name: RAN configuration data
+ description: " \r\nAn adversary may compromise an rApp to affect the radio network\
+ \ configuration.\r\n\r\nO-RAN architecture includes the RAN Intelligence Controllers\
+ \ (RICs), which consists of the Non-Real-Time RAN Intelligent Controller (Non-RT\
+ \ RIC) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC), to optimize\
+ \ radio resource management of gNB components. The Non-RT RIC is embedded in the\
+ \ Service Management and Orchestration (SMO) framework and hosts rApps to provide\
+ \ policy-based guidance, machine learning model management and enrichment information\
+ \ to the Near-RT RIC function for the purpose of RAN optimization. \r\n\r\nrApps\
+ \ are applications that use the functionalities in the Non-RT RIC Framework to\
+ \ provide value-added services related to RAN operation and optimization. \_rApps\
+ \ are deployed on the Non-RT RIC. rApps can provide better efficiency and optimization\
+ \ of the RAN and can access or produce various services and data, enabling achievements\
+ \ of use case objectives.\r\n\r\nrApps may be compromised during the delivery\
+ \ to the service provider, either through the external supply chain from vendor\
+ \ to the service provider or through the internal CI/CD pipeline. Malicious code\
+ \ may be inserted in the rApp application package that could compromise the application.\
+ \ Adversary may also obtain rApp credentials or compromise a 3rd party infrastructure\
+ \ the application is hosted on.\r\n\r\nA compromise of an rApp (or through rApp\
+ \ Agent) can potentially lead to unauthorized changes in O-CU or O-DU via A1 interface.\r\
+ \n\r\n"
+ detections:
+ - detects: Monitor rApp lifecycle management events from logs regarding onboarding,
+ authentication/authorization of rApps. Audit logs and telemetry data for unauthorized
+ activity.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor and alert on changes to rApp and cloud configuration files during
+ runtime
+ fgdsid: DS0022
+ name: File
+ - detects: Perform real-time audits and post-processing of logs. Detect which parts
+ of the O-RAN are accessed by rApps.
+ fgdsid: DS0025
+ name: Cloud Service
+ - detects: Verify rApp image hash
+ fgdsid: FGDS5015
+ name: Image verification
+ id: FGT5032.003
+ mitigations:
+ - fgmid: M1033
+ mitigates: Use only trusted supply chain, rigorous scanning of software images.
+ Limit Software Installations especially from 3rd party sources.
+ name: Limit Software Installation
+ - fgmid: M1035
+ mitigates: Limit access to rApp instance
+ name: Limit Access to Resource Over Network
+ - fgmid: M1043
+ mitigates: Use capabilities to prevent successful rApp credential access by adversaries.
+ name: Credential Access Protection
+ - fgmid: M1045
+ mitigates: Verify digital signature of rApp
+ name: Code Signing
+ - fgmid: M1025
+ mitigates: Enforce least privilege access for cloud components
+ name: Privileged Process Integrity
+ name: rApp
+ object-type: technique
+ platforms: O-RAN
+ postconditions:
+ - Description: Adversary affects the radio network configuration, accesses configuration
+ data, and performs other unauthorized activities
+ Name: Affected Network Radio Configuration
+ - Description: Adversary degrades network operation or in the worst case, causes
+ network outage
+ Name: Network operations impacted
+ - Description: "UE and subscriber\u2019s sensitive data are revealed to adversary"
+ Name: Sensitive UE data exposed to adversary
+ preconditions:
+ - Description: Adversary has access to rApp (e.g., application package, credential)
+ Name: Adversary access to rApp
+ procedureexamples:
+ - Description: Adversary compromising external supply chain or internal CI/CD pipeline
+ to implement backdoor into rApp
+ Name: rApp access via backdoor
+ - Description: Adversary obtains rApp credentials through various means and compromises
+ the rApp
+ Name: rApp access via stolen credentials
+ - Description: Adversary may compromise the infrastructure the O-RAN platform is
+ deployed on and gain access to rApp
+ Name: rApp access via compromised 3rd party hosting infrastructure provider
+ references:
+ - \[1\] [O-RAN WG11 Threat Model O-R003-v06.00](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[2\] [O-RAN WG2 Non-RT RIC Architecture 3.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[3\] [O-RAN WG2 Non-RT RIC Technical Report 1.01 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[4\] [Federal Office of information Security, Study 5G RAN
+ Risk Analysis](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5)
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5032
+ tactics:
+ - TA0002
+ typecode: fight_subtechnique
+- access-required: N/A
+ architecture-segment: Control Plane
+ bluf: An adversary in control of an Application Function (AF) or a rogue Network
+ Function (NF) can make an API call to obtain the Subscriber Permanent Identifier
+ (SUPI) or other sensitive UE information.
+ criticalassets:
+ - Description: If SUPI is stolen, many other subsequent attacks are possible such
+ as subscriber identity spoofing and location tracking.
+ Name: UE permanent identity (SUPI)
+ description: " An adversary in control of an Application Function (AF) or a rogue\
+ \ Network Function (NF) can make an API call to obtain the Subscriber Permanent\
+ \ Identifier (SUPI) or other sensitive UE information.\r\nBesides control of a\
+ \ NF, the adversary needs knowledge of the UE\u2019s phone number or Generic Public\
+ \ Subscription Identifier (GPSI), which are easier to discover compared to the\
+ \ SUPI, which is a tightly held UE identifier. There is a legitimate API to the\
+ \ operator\u2019s Network Exposure Function (NEF) to return a UE SUPI given a\
+ \ UE GPSI. \r\nAfter acquiring the SUPI, an adversary can use it in other follow-on\
+ \ behaviors against that UE, such as obtain location information or slice subscription\
+ \ data.\r\n"
+ detections:
+ - detects: "Logging of AF inquiries for UEs that they don\u2019t serve. Post process\
+ \ the logs to detect fraudulent API calls by rogue AF or NF."
+ fgdsid: DS0015
+ name: Application Log
+ id: FGT5019.003
+ mitigations:
+ - fgmid: FGM5019
+ mitigates: NEF should check that UE in question is subscribed to services of the
+ AF. This way, unauthorized access by external rogue AFs can be avoided.
+ name: Authorize external API calls
+ name: Obtain subscriber identifier via NF
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: If SUPI is obtained, many other subsequent attacks are possible such
+ as subscriber identity spoofing and location tracking.
+ Name: SUPI is available to the adversary
+ preconditions:
+ - Description: Adversary has knowledge of UE phone number/GPSI and has control over
+ an AF or NEF or AMF.
+ Name: UE phone number and control of AF/NF
+ procedureexamples:
+ - Description: "The NEF stores the UE data \u2013 including SUPI-- in UDR and responds\
+ \ to API requests from various AFs. An adversary in control of an (external)\
+ \ AF uses legitimate SBA API to retrieve subscriber identifier of victim UE\
+ \ (SUPI) from their phone number. \n\nThe API that the AF calls is Nnef_ApplyPolicy_Create\
+ \ API, it is sent to NEF with UE's GPSI/phone number. NEF retrieves the SUPI\
+ \ from UDM by using Nudm_SDM_Get API. See clause 4.15.6.8 of [1].\n\nAlternatively,\
+ \ Rogue NEF retrieves SUPI from GPSI/phone number using Nudm_SDM_Get API towards\
+ \ the UDM, See clause 4.13.2.2 of [1]."
+ Name: Retrieve UE SUPI via API
+ - Description: "The AMF can obtain some sensitive information about a UE it serves\
+ \ (or claims to serve). An example for roaming scenarios is that a rogue AMF\
+ \ in visited PLMN retrieves UE\u2019s sensitive information from the home PLMN\
+ \ by calling an API when UE roams from 5GS to EPC.\n\nAMF asks the SMF for UE\
+ \ Session Management context, and thus can obtain the following sensitive information:\
+ \ Permanent identifier (SUPI), the names of the slices the UE is subscribed\
+ \ to (S-NSSAIs), the name of the data network the UE is connected to, and the\
+ \ IP address of the UE. (The AMF API call to SMF is Nsmf_PDUSession_ContextRequest\
+ \ API, see clause 4.11.1.2.1 & Table 5.2.8.2.10-1 of [1])\n\nThe same attack\
+ \ can happen in non-roaming scenario by a compromised AMF."
+ Name: "Retrieve UE\u2019s sensitive information via rogue NF"
+ references:
+ - " \\[1\\] [3rd Generation Partnership Project (3GPP) TS 23.502,\
+ \ \u201CProcedures for the 5G System (5GS); Stage 2 (Release 17)\u201D, v17.4.0,\
+ \ March 2022.](https://www.3gpp.org/DynaReport/23502.htm )"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5019
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- access-required: user
+ addendums:
+ - "#### Addendum Name: _DNS_Encapsulation_\r\n##### Architecture Segments: User\
+ \ Plane, Control Plane\r\n An adversary can piggyback user data within DNS requests,\
+ \ so that the DNS server retrieves the user data for further processing. \r\n\r\
+ \nDNS encapsulation involves adversaries transmitting data by encapsulating it\
+ \ within hostname queries in the DNS lookup process. Specifically, the targeted\
+ \ data is inserted into the names section of a DNS lookup request. The target\
+ \ DNS server, operated by the adversary, records the query and extracts the encoded\
+ \ information. This data is then reconstructed according to the intended sequence\
+ \ derived from the named fields. This method allows for covert data movement,\
+ \ exploiting the DNS protocol as a channel for unauthorized data transmission.\r\
+ \n\r\n"
+ architecture-segment: User Plane, Control Plane
+ bluf: Adversaries may tunnel network communications to and from a victim system
+ within a separate protocol to avoid detection/network filtering and/or enable
+ access to otherwise unreachable systems.
+ criticalassets:
+ - Description: Whoever controls the DNS servers controls how and what end users
+ connect to over the network, making DNS servers a type of critical infrastructure.
+ Name: DNS Servers
+ description: "Adversaries may tunnel network communications to and from a victim\
+ \ system within a separate protocol to avoid detection/network filtering and/or\
+ \ enable access to otherwise unreachable systems.\r\n[To read more, please see\
+ \ the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1572)\r\
+ \n"
+ detections:
+ - detects: 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.),
+ that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable
+ format (ex: PCAP)'
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1572
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Use strong data integrity protection algorithms within 5G network such
+ as airlink, backhaul and core network.
+ name: Integrity protection of data communication
+ - fgmid: M1031
+ mitigates: "Network intrusion detection and prevention systems that use network\
+ \ signatures to identify traffic for specific adversary malware can be used\
+ \ to mitigate activity at the network level. Signatures are often for unique\
+ \ indicators within protocols and may be based on the specific obfuscation technique\
+ \ used by a particular adversary or tool and will likely be different across\
+ \ various malware families and versions. Adversaries will likely change tool\
+ \ command and control signatures over time or construct protocols in such a\
+ \ way to avoid detection by common defensive tools.\_\nScan all external traffic\
+ \ header fields to detect any suspicious protocol or port number use."
+ name: Network Intrusion Prevention
+ - fgmid: M1037
+ mitigates: Filter network traffic to discard untrusted or known bad domains and
+ resources.
+ name: Filter Network Traffic
+ name: Protocol Tunneling
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Attacker will be able to route traffic through DNS channels to connect
+ to internet free of charge.
+ Name: Billing Fraud
+ - Description: Attacker can route command and control traffic through DNS to control
+ botnets or other entities.
+ Name: Command and Control Network
+ - Description: Attacker has a route to exfiltrate stolen data disguised as DNS packets.
+ Name: Exfiltration Route
+ preconditions:
+ - Description: There must not be an endpoint detection and response capability to
+ validate whether host/network function/UE is communicating with a malicious
+ DNS server or a valid one.
+ Name: Unauthenticated DNS Services
+ procedureexamples:
+ - Description: Operators do not strictly enforce free DNS service via the standard
+ five-tuple flow ID (src IP, dest IP, src port, dest port, protocol). Instead,
+ they use only the destination port (or plus protocol ID), thus exposing a vulnerability.
+ Adversary may setup fake DNS server to process the received data from victim
+ network function/host/UE. [2]
+ Name: Free DNS loophole
+ references:
+ - " \\[1\\] [\u201CBhadhra Framework\u201D: S.P. Rao, S. Holtmanns,\
+ \ T. Aura, \u201CThreat modeling framework for mobile communication systems\u201D\
+ ](https://arxiv.org/pdf/2005.05110.pdf)"
+ - ' \[2\] [Peng, C., Li, C., Tu, G., Lu, S., & Zhang, L. (2012).
+ Mobile data charging: new attacks and countermeasures. Proceedings of the 2012
+ ACM conference on Computer and communications security.](https://dl.acm.org/doi/pdf/10.1145/2382196.2382220)'
+ - " \\[3\\] [Merve Sahin, Aurelien Francillon, Payas Gupta, and\
+ \ Mustaque Ahamad. 2017. \n\u201CSok: Fraud in telephony networks\u201D. In 2017\
+ \ IEEE European Symposium on Security\nand Privacy (EuroS&P). IEEE, p235\u2013\
+ 250](https://ieeexplore.ieee.org/document/7961983)"
+ - " \\[4\\] [Kui Xu, Patrick Butler, Sudip Saha, Danfeng (Daphni)\
+ \ Yao in DNS CC Journal, \u201CDNS for Massive-Scale Command and Control\u201D\
+ ](https://people.cs.vt.edu/~danfeng/papers/DNS-CC-JOURNAL.pdf)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0011
+ - TA0010
+ - TA0001
+ typecode: attack_technique_addendum
+- architecture-segment: RAN
+ bluf: An adversary may purchase, rent, or download software to stand up a fake base
+ station (gNB or gNB emulator) or WiFi access point in order to pave the way to
+ other follow-on behaviors against UEs such as adversary in the middle, denial
+ of service, data interception or manipulation.
+ description: " An adversary may purchase, rent, or download software to stand up\
+ \ a false base station (gNB or gNB emulator) or WiFi access point in order to\
+ \ pave the way to other follow-on behaviors against UEs such as adversary in the\
+ \ middle, denial of service, data interception or manipulation.\r\n\r\nDue to\
+ \ the radio spectrum bands used in 5G, 5G cellular base stations are expected\
+ \ to have smaller footprint and so are often smaller in size and mounted on street\
+ \ poles and other vulnerable locations. Thus they can be compromised more easily.\
+ \ A false cellular base station radio component can be mounted in a given favorable\
+ \ location and be connected to a system of the adversary (instead of a regular\
+ \ operator\u2019s network). \r\n\r\n\r\n"
+ detections:
+ - detects: UE measurements of received power levels from all base stations nearby,
+ and their identifiers. Clause 6.24 of [2].
+ fgdsid: FGDS5002
+ name: UE signal measurements
+ id: FGT1583.501
+ mitigations:
+ - fgmid: M1056
+ mitigates: This technique cannot be easily mitigated with preventive controls
+ since it is based on behaviors performed outside of the scope of the mobile
+ network operator.
+ name: Pre-compromise
+ name: False Base Station or Access Point
+ object-type: technique
+ platforms: 5G radio
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP) TR 33.809:\
+ \ \u201CStudy on 5G security enhancements against False Base Stations (FBS)\u201D\
+ , Technical Report, v0.18.0, February 2022.](https://www.3gpp.org/DynaReport/33809.htm\
+ \ )"
+ - " \\[3\\] [Cablelabs article \u201CFalse Base Station or IMSI\
+ \ Catcher: What You Need to Know\u201D](https://www.cablelabs.com/blog/false-base-station-or-imsi-catcher-what-you-need-to-know)"
+ - \[4\] [Open source O-RAN 5G CU/DU solution from Software Radio
+ Systems (SRS)](https://github.com/srsran/srsRAN_Project )
+ - \[5\] [Open Air Interface project source code](https://gitlab.eurecom.fr/oai/openairinterface5g/)
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT1583
+ tactics:
+ - TA0042
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: RAN, User Plane, Control Plane
+ bluf: An adversary may compromise a network device's integrity capability or configuration
+ in order to exploit the non-integrity protected data communication
+ criticalassets:
+ - Description: Subscriber signaling and user plane data
+ Name: Subscriber data
+ description: " An adversary may compromise a network device\u2019s integrity capability\
+ \ or configuration in order to exploit the non-integrity protected data communication.\r\
+ \n\r\nIntegrity can be used to protect transmitted data traffic against unauthorized\
+ \ changes. Algorithms for user data and signaling communication take a plaintext\
+ \ or encrypted message and compute, using a symmetric secret key, a keyed MIC\
+ \ (message integrity check) or MAC (Message Authentication Code). A recipient\
+ \ in possession of that symmetric integrity key can verify that the message was\
+ \ not modified in transit. \r\n\r\nAn adversary may alter network signaling or\
+ \ compromise an NF, proxy or gNB that controls the choice of integrity algorithm,\
+ \ so as to enable the weak or no integrity algorithm, thus allowing for manipulation\
+ \ or spoofing of user data or signaling (over the radio interface or within the\
+ \ core network, e.g. Non-SBI, or SBI, or roaming interfaces). \r\n\r\n\r\n"
+ detections:
+ - detects: Data sent over the network or radio interface can be analyzed to check
+ for the integrity algorithm.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5009
+ mitigations:
+ - fgmid: M1047
+ mitigates: Monitor periodically if integrity protection algorithm is enabled
+ name: Audit
+ name: Weaken Integrity
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Subscriber data session does not get setup (DoS attack) or gets interrupted,
+ spoofed or redirected during an active session.
+ Name: Subscriber data session impact
+ preconditions:
+ - Description: Adversary gets hold of an end point such as gNB to manipulate signaling
+ Name: Adversary controlling end point
+ procedureexamples:
+ - Description: An adversary may manipulate gNB signaling to enable NULL integrity
+ over the radio interface (Uu)
+ Name: Weaken integrity over radio interface
+ - Description: An adversary may change network configuration so that IPSec is not
+ enabled between gNB and UPF (N3) or between gNB and AMF (N2).
+ Name: Weaken integrity within the RAN to core connections
+ - Description: An adversary may change network configuration so that IPSec is not
+ enabled between two gNBs (Xn).
+ Name: Weaken integrity within RAN
+ - Description: An adversary may disable TLS between two NFs or between one or more
+ NFs and the Service Communication Proxy (SCP) if deployed by MNO.
+ Name: Weaken integrity within SBI
+ - Description: 'An adversary may disable or weaken integrity protection of the communications
+ between SEPPs (N32 which uses JWS for example) or between visited PLMN UPF and
+ home PLMN UPF (N9).
+
+
+ An adversary may weaken integrity protection on N26 interface between MME and
+ AMF.'
+ Name: Weaken integrity on the roaming/interconnect
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks)"
+ status: This is a theoretical behavior
+ tactics:
+ - TA0005
+ typecode: fight_technique
+- architecture-segment: RAN
+ bluf: An adversary may alter or spoof network signaling so as to enable the NULL
+ integrity algorithm thus allowing for manipulation of user data or signaling over
+ the radio interface, for example to redirect traffic.
+ criticalassets:
+ - Description: UE signaling and subscriber (user plane) data integrity.
+ Name: UE data
+ description: " An adversary may alter or spoof network signaling so as to enable\
+ \ the NULL integrity algorithm thus allowing for manipulation of user data or\
+ \ signaling over the radio interface, for example to redirect traffic. \r\n\r\n\
+ Several procedures and interfaces can be implemented incorrectly or misused by\
+ \ an adversary in control over a gNB or NF and may result in a configuration that\
+ \ calls for the NULL integrity algorithm to protect data sent over the radio interface.\
+ \ The data sent is user signaling -- Non-Access Stratum (NAS) or Access Stratum\
+ \ (AS) Control Plane (CP) -- or subscriber data -- AS User Plane (UP)). These\
+ \ actions can be followed by another adversarial behavior whereby data and signaling\
+ \ sent over the radio interface is manipulated or tampered with. \r\n\r\n"
+ detections:
+ - detects: Check for unusual changes in gNB, SMF, AMF user profile, policy, and
+ configuration data. Configuration audits by OSS/BSS to detect for example, user
+ session redirects.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: 'Radio traffic content
+
+ Inspect radio traffic and watch for unauthorized changes as the packets move
+ through the interfaces.'
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5009.001
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Ensure gNB implementation and SMF implementations are both checking
+ the UE CP and UP security policy against the most trustworthy source and taking
+ action to not enable NULL integrity except for emergency calls.
+ name: Integrity protection of data communication
+ - fgmid: FGM5006
+ mitigates: UE should refuse to set up radio bearer and PDU session without integrity
+ protection.
+ name: Restrictive user profile
+ - fgmid: M1018
+ mitigates: Network element security safeguards for gNBs, AMFs and SMFs. Includes
+ measures in clause 5.3.4 of [2] (e.g. software updates, OA&M access security,
+ secure boot).
+ name: User Account Management
+ - fgmid: M1031
+ mitigates: Implement network intrusion prevention methods.
+ name: Network Intrusion Prevention
+ - fgmid: M1043
+ mitigates: Implement credential access protection methods.
+ name: Credential Access Protection
+ name: Radio Interface
+ object-type: technique
+ platforms: 5G Radio
+ postconditions:
+ - Description: "Control Plane (CP): All UE signaling data may be tampered with if\
+ \ both NAS and AS CP (i.e., RRC) algorithms are weakened. \n\nUser Plane (UP):\
+ \ Subscriber (user) data may be tampered with if AS UP algorithms are weakened.\n\
+ \nAs a result, subscriber data session does not get setup (DoS attack) or gets\
+ \ interrupted during an active session."
+ Name: UE data not integrity protected on air interface
+ preconditions:
+ - Description: "A rogue gNB may be required to change the UE\u2019s CP & UP supported\
+ \ algorithms to NULL. It\u2019s easier to achieve control over a gNB than over\
+ \ the AMF or SMF itself. But then if the AMF and SMF are not rogue just not\
+ \ configured to do these additional checks, then control over a rogue gNB is\
+ \ sufficient.\nThis attack is possible with only control over the AMF, in which\
+ \ case the algorithm for CP and UP protection may be changed to NULL."
+ Name: Rogue or misconfigured AMF or SMF or gNB or MME
+ procedureexamples:
+ - Description: "Adversary (e.g. with fake gNB) intentionally configures NULL integrity\
+ \ algorithm to have highest priority in gNB. These algorithms are sent to the\
+ \ UE in the Access Stratum (AS) Security Mode Command (SMC). Normally the activation\
+ \ of algorithms for the AS is done by the gNB based on that policy received\
+ \ from the SMF, but a fake gNB can ignore the SMF. Clauses 6.7.3 & D.1 of [2].\n\
+ \nAdversary with control over a legitimate gNB, and who currently serves the\
+ \ UE, tells the SMF that the UE Control Plane (CP) and User Plane (UP) policy\
+ \ is NULL integrity, and the (legit but not correctly implemented) SMF doesn\u2019\
+ t check that against the locally configured UE CP & UP policy and lets the CP\
+ \ and UP data use NULL integrity. Clause 6.6.1 of [2]."
+ Name: Fake or misconfigured base station
+ - Description: 'Adversary makes the unauthorized change in the SMF CP & UP local
+ policy to enable NULL integrity for CP & UP traffic.
+
+ Alternatively, adversary exploits an SMF that is not implemented to check (for
+ every UE it serves) that the algorithm received from gNB- (which may be compromised
+ or fake) matches the local policy. That local policy in turn should be checked
+ that it is the same as the UE policy stored in the UDM. Any of these failures
+ can result in the SMF enabling the CP and UP traffic over the radio interface
+ to use NULL integrity.'
+ Name: Rogue or misconfigured SMF
+ - Description: "Adversary with control over AMF (or control over the configuration\
+ \ of AMF) can affect UE procedures such as NAS Security Mode Command, such that\
+ \ the UE's NAS data is not protected, i.e. prioritize NULL algorithm for either\
+ \ NAS encryption or integrity. Clause K.2.3.3. of [1]. \n\nThis can be followed\
+ \ by another attack behavior whereby data manipulation can be done over the\
+ \ air interface for signaling data. Clauses 5.3.2, 5.3.3 & 5.5.1, 5.5.2 of [2]."
+ Name: Rogue or misconfigured AMF non-roaming
+ - Description: "Compromised source AMF sends incorrect UE context information to\
+ \ legitimate target AMF during\nInitial registration & roaming or\nHandover\
+ \ (N2 based)\n\nSource AMF sends null integrity algorithm information as part\
+ \ of the \u201CUEContextTransfer\u201D (initial registration & roaming) or \u201C\
+ CreateUEContext\u201D (N2 handover) service request messages. All UE data will\
+ \ be sent without integrity protection after registration or handover is completed.\
+ \ Clauses 4.2.2.2.2, 4.9.1.3.1 & 5.2.2.1 of [3] The element in the UE context\
+ \ is the ueSecurityCapability which the rogue AMF sets to NULL only."
+ Name: Rogue or misconfigured AMF during roaming/handover
+ - Description: "Compromised source MME sends incorrect UE context information to\
+ \ legitimate target AMF during EPS to 5GS handover and roaming with and without\
+ \ N26 interface.\n\nSource AMF sends NULL integrity algorithm information as\
+ \ part of the \u201CUEContextTransfer\u201D or \n\u201CRelocateUEContext\u201D\
+ \ service request messages. All UE data will be sent without integrity protection\
+ \ after roaming or handover is completed. Clauses 4.11.1.2.2.2, 4.11.1.3.3,\
+ \ 4.11.2.3 & 5.2.2.1 of [3] The element in the UE context is the ueSecurityCapability\
+ \ which the rogue AMF sets to NULL only."
+ Name: Rogue or misconfigured MME during EPS roaming/handover
+ references:
+ - " \\[1\\] [3GPP TR 33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes\u201D, v17.4.0,\
+ \ June 2022](https://www.3gpp.org/DynaReport/33926.htm )"
+ - " \\[2\\] [3GPP TS 33.501 \u201CSecurity architecture and procedures\
+ \ for 5G System\u201D, v 17.6.0, June 2022](https://www.3gpp.org/DynaReport/33501.htm\
+ \ )"
+ - " \\[3\\] [3GPP TS 23.502 \u201CProcedures for the 5G System\
+ \ (5GS)\u201D, v17.5.0, June 2022](https://www.3gpp.org/DynaReport/23502.htm \
+ \ )"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT5009
+ tactics:
+ - TA0005
+ typecode: fight_subtechnique
+- access-required: N/A
+ addendums:
+ - "#### Addendum Name: Exploit Public-Facing Network Function\r\n##### Architecture\
+ \ Segments: Control Plane, User Plane\r\n An adversary may exploit weaknesses\
+ \ in Application Programming (API) interfaces on Network Functions (NF) that are\
+ \ exposed to the public Internet, which exposes those functions to compromise\
+ \ of the NF, or disclosure of information. \r\n\r\nSome 5G functions such as the\
+ \ Network Exposure Function (NEF) have APIs that are public facing and are subject\
+ \ to potential exploit by adversaries similarly to public facing websites and\
+ \ services. The adversary could exploit a previously identified weakness in the\
+ \ API to gain initial access to the operator\u2019s environment. The adversary\
+ \ may also obtain credentials through other techniques that allow the adversary\
+ \ to obtain unauthorized information from the exposed network function. See Exploit\
+ \ Semi-public Facing Application [FGT5029](/techniques/FGT5029) for API exposure\
+ \ to interworking networks.\r\n\r\nAn example of this is represented through access\
+ \ control of application functions (AF) by NEF is done at the API level which\
+ \ is not protected at a granular enough level, i.e., it is not done at Information\
+ \ Element (IE) level. An adversary may use a 3rd party AF to make requests for\
+ \ a service, e.g. location of a UE, beyond their authorization level since IE\u2019\
+ s are not explicitly required to be checked. \r\n\r\n"
+ architecture-segment: Control Plane, User Plane
+ bluf: Adversaries may attempt to exploit a weakness in an Internet-facing host or
+ system to initially access a network.
+ criticalassets:
+ - Description: The Network Exposure Function has the N33 interface exposed to an
+ Application Function (AF) on the Internet (3rd party)
+ Name: NEF
+ description: "Adversaries may attempt to exploit a weakness in an Internet-facing\
+ \ host or system to initially access a network.\r\n[To read more, please see the\
+ \ MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1190)\r\
+ \n"
+ detections: []
+ id: FGT1190
+ mitigations:
+ - fgmid: M1016
+ mitigates: Vulnerability scanning of public APIs
+ name: Vulnerability Scanning
+ - fgmid: M1050
+ mitigates: Use Web Application Firewall (WAF) to minimize potential exploit of
+ vulnerabilities
+ name: Exploit Protection
+ name: Exploit Public-Facing Application
+ object-type: technique
+ platforms: 5G
+ preconditions:
+ - Description: Adversary may need to identify vulnerabilities in the API to obtain
+ initial-access, unauthorized information, or perform a denial of service
+ Name: API vulnerability
+ - Description: Adversary may need to obtain credentials to collect unauthorized
+ information
+ Name: API credentials
+ procedureexamples:
+ - Description: Adversary uses an insecure API to take over the edge NF, then can
+ use legitimate signaling to obtain sensitive UE or network data.
+ Name: Sensitive data exposure
+ - Description: Adversary may bypass standard AF API access control mechanism by
+ using crafted IEs to access sensitive data such as location of a UE through
+ NEF.
+ Name: Exploit vulnerable API
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ - \[3\] [TOP 7 REST API Security Threats, blog January 2019](https://blog.restcase.com/top-7-rest-api-security-threats/
+ )
+ - " \\[4\\] [3GPP TS 29.522: \u201CNetwork Exposure Function\
+ \ Northbound APIs; Stage 3\u201D](https://www.3gpp.org/DynaReport/29522.htm)"
+ - " \\[5\\] [\u201CSystem architecture for the 5G System (5GS),\u201D\
+ TS 23.501, 3GPP, Sec. 4.2.3](https://www.3gpp.org/DynaReport/23501.htm)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0040
+ - TA0001
+ - TA0009
+ typecode: attack_technique_addendum
+- access-required: N/A, N/A
+ addendums:
+ - "#### Addendum Name: Interworking Denial of Service\r\n##### Architecture Segments:\
+ \ Control Plane, Roaming\r\n An adversary on a semi-public/roaming partner network\
+ \ may exploit weaknesses in Application Programming (API) interfaces on Network\
+ \ Functions (NF) that are exposed to the semi-public network, i.e. roaming partner\
+ \ network, which can lead to denial of service of the exposed NF.\r\n\r\nSome\
+ \ 5G functions such as the SEPP and UPF have API\u2019s that are exposed and accessible\
+ \ to other providers over an interworking network that is not Internet accessible.\
+ \ An adversary with a position on another organization, outside the targeted operator\u2019\
+ s trust zone, could exploit a previously identified weakness in the target API\
+ \ to cause the NF to crash resulting in denial of service. The adversary may also\
+ \ potentially use volumetric techniques to degrade or deny service.\r\n\r\n"
+ - "#### Addendum Name: Public Function Denial of Service\r\n##### Architecture Segments:\
+ \ Control Plane, User Plane\r\n An adversary may exploit weaknesses in Application\
+ \ Programming (API) interfaces on Network Functions (NF) that are exposed to the\
+ \ public Internet, which exposes those functions to potential adversary denial\
+ \ of service of the NF.\r\n\r\nSome 5G functions such as the Network Exposure\
+ \ Function (NEF) have APIs that are public facing and are subject to potential\
+ \ exploit by adversaries similarly to public facing websites and services. The\
+ \ adversary could exploit a previously identified weakness in the API to cause\
+ \ the NF to crash, resulting in denial of service. The adversary may also potentially\
+ \ use volumetric techniques to degrade or deny service.\r\n\r\n"
+ architecture-segment: Control Plane, User Plane
+ bluf: Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade
+ or block the availability of services to users.
+ criticalassets:
+ - Description: Security Edge Protection Proxy function which provides roaming interface
+ for signaling traffic to roaming partner (MNO) networks
+ Name: SEPP
+ - Description: User Plane Function which provides roaming interface for user plane
+ traffic to roaming partner (MNO) networks
+ Name: UPF
+ - Description: Access and Mobility Function which provides roaming interface for
+ signaling traffic to 4G networks via N26 interface and mobility function to
+ 5G networks via N2 interface
+ Name: AMF
+ - Description: Network Exposure Function which provides API access to external (to
+ the operator) Application Functions (AF)
+ Name: NEF
+ description: "Adversaries may perform Endpoint Denial of Service (DoS) attacks to\
+ \ degrade or block the availability of services to users.\r\n[To read more, please\
+ \ see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1499)\r\
+ \n"
+ detections:
+ - detects: Monitor application logs for unusual requests or rate of requests
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor for unusual volumes or sources of requests to the service
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Monitor application logs for unusual requests or rate of requests
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor for unusual volumes or sources of requests to the service
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1499
+ mitigations:
+ - fgmid: M1016
+ mitigates: Vulnerability scanning of public APIs
+ name: Vulnerability Scanning
+ - fgmid: M1037
+ mitigates: Use of network based DDoS mitigation capabilities to filter traffic
+ upstream
+ name: Filter Network Traffic
+ - fgmid: M1050
+ mitigates: Use Web Application Firewall (WAF) to minimize potential exploit of
+ vulnerabilities
+ name: Exploit Protection
+ - fgmid: M1016
+ mitigates: Vulnerability scanning of public APIs
+ name: Vulnerability Scanning
+ - fgmid: M1037
+ mitigates: Use of network based DDoS mitigation capabilities to filter traffic
+ upstream
+ name: Filter Network Traffic
+ - fgmid: M1050
+ mitigates: Use Web Application Firewall (WAF) to minimize potential exploit of
+ vulnerabilities
+ name: Exploit Protection
+ name: Endpoint Denial of Service
+ object-type: technique
+ platforms: 5G, 5G
+ preconditions:
+ - Description: Adversary may need to identify vulnerabilities in the API to obtain
+ initial-access, unauthorized information, or perform a denial of service
+ Name: API vulnerability
+ - Description: Adversary may need to obtain credentials to collect unauthorized
+ information
+ Name: API credentials
+ - Description: Adversary may need to identify vulnerabilities in the API to obtain
+ initial-access, unauthorized information, or perform a denial of service
+ Name: API vulnerability
+ - Description: Adversary may need to obtain credentials to collect unauthorized
+ information
+ Name: API credentials
+ procedureexamples:
+ - Description: Adversary uses a vulnerability to cause the NF to crash
+ Name: Vulnerability Exploit
+ - Description: Adversary uses one or more volumetric techniques to degrade or deny
+ availability of the NF
+ Name: Volumetric attack
+ - Description: Adversary uses a vulnerability to cause the NF to crash
+ Name: Vulnerability Exploit
+ - Description: Adversary uses one or more volumetric techniques to degrade or deny
+ availability of the NF
+ Name: Volumetric attack
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ - \[3\] [TOP 7 REST API Security Threats, blog January 2019](https://blog.restcase.com/top-7-rest-api-security-threats/
+ )
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ - \[3\] [TOP 7 REST API Security Threats, blog January 2019](https://blog.restcase.com/top-7-rest-api-security-threats/
+ )
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0040
+ typecode: attack_technique_addendum
+- access-required: N/A, N/A
+ addendums:
+ - "#### Addendum Name: Silent paging tool\r\n##### Architecture Segments: RAN\r\n\
+ \ An adversary may buy or steal a silent SMS tool in order to send SMSes to nearby\
+ \ phones in a target area.\r\n\r\nA silent SMS is described in the specification\
+ \ GSM 03.40 as a Short Message of type 0, which indicates that the UE must acknowledge\
+ \ receipt of the short message but may discard its contents.\r\n\r\nA simple mobile\
+ \ phone running a program to send silent SMSes is such an SMS tool. What is needed\
+ \ is cellular connectivity, and the phone number of the victim. \r\n\r\n"
+ - "#### Addendum Name: IMSI Catcher\r\n##### Architecture Segments: RAN\r\n An adversary\
+ \ may buy or steal an International Mobile Subscriber Identity (IMSI) catcher\
+ \ to capture IMSI data from nearby UEs in a target area.\r\n\r\nIMSI catchers\
+ \ are very similar to fake base stations but may not have full capabilities of\
+ \ the base station. IMSI Catcher terms has been traditionally associated with\
+ \ UE identity discovery or location identification. Adversary may buy an IMSI\
+ \ Catcher from legitimate vendors selling products.\r\n\r\n"
+ architecture-segment: RAN
+ bluf: Adversaries may buy and/or steal capabilities that can be used during targeting.
+ description: "Adversaries may buy and/or steal capabilities that can be used during\
+ \ targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1588)\r\
+ \n"
+ detections: []
+ id: FGT1588
+ mitigations:
+ - fgmid: M1056
+ mitigates: This technique cannot be easily mitigated with preventive controls
+ since it is based on behaviors performed outside of the scope of the mobile
+ network operator.
+ name: Pre-compromise
+ name: Obtain Capabilities
+ object-type: technique
+ platforms: RAN, RAN
+ references:
+ - " \\[1\\] [SMS Deliverer, \u201CPING/Silent SMS\u201D.](https://www.smsdeliverer.com/onlinehelp/interface/pingsms/)"
+ - " \\[2\\] [Information Security Newspaper, \u201CHow to hack\
+ \ and track anybody\u2019s phone location via silent SMS messages\u201D.](https://www.securitynewspaper.com/2023/06/20/how-to-hack-track-anybodys-phone-location-via-silent-sms-messages/)"
+ - " \\[1\\] [Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin\
+ \ Mulazzani, and Edgar Weippl. \u201CIMSI-catch me if you can: IMSI-catcher-catchers\u201D\
+ . Proceedings of the 30th annual computer security applications Conference, pages\
+ \ 246\u2013255, 2014.](https://its-wiki.no/images/f/fb/Dabrowski_ISMI_Catch_me_Catchers.pdf)"
+ - " \\[2\\] [Ravishankar Borgaonkar, Altaf Shaik, \u201C5G IMSI\
+ \ Catchers Mirage\u201D, Blackhat USA Conference 2021.](https://blackhat.com/us-21/briefings/schedule/#g-imsi-catchers-mirage-23538)"
+ - " \\[3\\] [\u201CHOW COPS CAN SECRETLY TRACK YOUR PHONE\u201D\
+ , The Intercept, online article, July 31, 2021. Accessed 6/22/2022.](https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/)"
+ - " \\[4\\] [A Knight, Brier & Thorn, \u201CHacking GSM: Building\
+ \ a Rogue Base Station to Hack Cellular Devices,\u201D Online Article. Accessed\
+ \ 6/22/2022.](https://www.brierandthorn.com/post/hacking-gsm-building-a-rogue-base-station-to-hack-cellular-devices)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0042
+ typecode: attack_technique_addendum
+- architecture-segment: UE
+ bluf: An adversary can purchase, rent, or download software to acquire a programmable
+ User Equipment (UE) device, in order to pave the way to other follow-on behaviors
+ against the Radio-Access Network (ran) such as denial of service
+ description: " An adversary can purchase, rent, or download software to acquire\
+ \ a programmable User Equipment (UE) device, in order to pave the way to other\
+ \ follow-on behaviors against the Radio-Access Network (RAN) such as denial of\
+ \ service.\r\n\r\nFake UEs are used in many adversarial behaviors against the\
+ \ mobile network. \r\n\r\n"
+ detections: []
+ id: FGT1583.502
+ mitigations: []
+ name: Programable UE devices
+ object-type: technique
+ platforms: 5G radio
+ procedureexamples:
+ - Description: "Adversary uses Software-Defined-Radio (SDR) running OAI-5G (\u201C\
+ OpenAirInterface\u201D) modified software"
+ Name: Fake UE build
+ - Description: "In [1], it is mentioned that the adversary must \u201Cforge a malicious\
+ \ UE\u201D, which is then used to replay messages form the malicious (adversary\
+ \ controlled) gNB to the legitimate gNB"
+ Name: Fake UE acquisition
+ references:
+ - " \\[1\\] [Hu, X. et al: \u201CA Systematic Analysis Method\
+ \ for 5G Non-Access Stratum Signalling Security\u201D, August 2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
+ \ )"
+ - " \\[2\\] [Ericsson: \u201CDetecting false base stations in\
+ \ mobile networks\u201D](https://www.ericsson.com/en/blog/2018/6/detecting-false-base-stations-in-mobile-networks)"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1583
+ tactics:
+ - TA0042
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: RAN
+ bluf: An adversary may obtain software to configure a fake base station (gNB or
+ gNB emulator) or WiFi access point in order to enable other Radio Access Network
+ (ran) follow-on behaviors against UEs such as adversary in the middle or denial
+ of service.
+ description: " An adversary may obtain software to configure a false base station\
+ \ (gNB or gNB emulator) or WiFi access point in order to enable other Radio Access\
+ \ Network (RAN) follow-on behaviors against UEs such as adversary in the middle\
+ \ or denial of service.\r\n\r\nAn adversary enables the programmability of a false\
+ \ base station, for example its broadcast configuration is adjustable so that\
+ \ it can broadcast the local PLMN Identifier, a particular cell ID, etc. In addition,\
+ \ the transmit power of the base station \r\nis adjustable so that it will be\
+ \ higher than the legitimate base stations nearby, so as to succeed in luring\
+ \ UEs to connect to it.\r\n\r\n\r\n"
+ detections:
+ - detects: UE measurements of received power levels from all base stations nearby,
+ and their identifiers. Refer to clause 6.24 of [2].
+ fgdsid: FGDS5002
+ name: UE signal measurements
+ id: FGT1608.501
+ mitigations: []
+ name: Configurability of Fake Base Station or Access Point
+ object-type: technique
+ platforms: 5G radio
+ procedureexamples:
+ - Description: 'Adversary obtains software capability such as: modified custom code,
+ scripts, configuration parameters.'
+ Name: Obtain capability for configuration of gNB, gNB emulator, or WiFi access
+ point.
+ - Description: Adversary installs an illegitimate complete gNB and configures the
+ power so as to appear strongest to a given UE in a particular location, see
+ [2].
+ Name: Configure false gNB to appear strongest
+ references:
+ - " \\[1\\] [European Union Agency for Cybersecurity (ENISA):\
+ \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
+ \ )"
+ - " \\[2\\] [3rd Generation Partnership Project (3GPP) TR 33.809:\
+ \ \u201CStudy on 5G security enhancements against False Base Stations (FBS)\u201D\
+ , Technical Report, v0.18.0, February 2022.](https://www.3gpp.org/DynaReport/33809.htm\
+ \ )"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1608
+ tactics:
+ - TA0042
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: User/NPE/Administrative access
+ architecture-segment: Network Slice
+ bluf: 'Adversaries may exhaust common resources of a slice to cause denial of service
+ (service degradation) to all other slices that use the same common resources. '
+ criticalassets:
+ - Description: NFVI network and compute resources
+ Name: NFVI
+ - Description: 5G Core, RAN and Non-SBI functions, virtual resources supporting
+ VNF
+ Name: VNFs
+ description: " Adversaries may exhaust common resources of a slice to cause denial\
+ \ of service (service degradation) to all other slices that use the same common\
+ \ resources. \r\n\r\n5G network slices may be built using same NFVI resources\
+ \ or may be sharing a common Core or RAN function. A network slice may have dedicated\
+ \ AMF, SMF and UPF but NEF, NRF, UDM is usually shared for a deployment. Adversary\u2019\
+ s slice A may target a slice B by exhausting resources common to slice A and B\
+ \ such as NEF.\r\n\r\nIt is possible for adversary\u2019s slice to oversubscribe\
+ \ a resource (NF or NFVI Resource) to an extent where other slices cannot get\
+ \ their messages and process executed in due time. This result in UEs or some\
+ \ network functions experiencing denial of service within target slices. \r\
+ \n\r\n\r\n"
+ detections:
+ - detects: Monitor systems performance and alert on quota exceptions on hosts, applications
+ and networks
+ fgdsid: DS0013
+ name: Sensor Health
+ - detects: Auditing logs for security, authentication and authorization activity,
+ host access, hosts, virtualization orchestrator and managers can reveal behavioral
+ anomalies
+ fgdsid: FGDS5012
+ name: SIEM
+ - detects: Automated user and resource policy compliance checks and instrumentation
+ to alert on violation attempts
+ fgdsid: FGDS5023
+ name: Audit policy violation
+ id: FGT1498.502
+ mitigations:
+ - fgmid: FGM5005
+ mitigates: Hardware, network, and point of presence can be separated to provide
+ additional isolation
+ name: Physical and environmental protection
+ - fgmid: M1030
+ mitigates: Implementing segmentation policy at granular level, network and compute
+ resources can prevent some co-residency threats when mapped to SLAs, Users,
+ and Resource policies.
+ name: Network Segmentation
+ - fgmid: FGM5518
+ mitigates: Create and enforce resource policy; policy can include SLA, quotas,
+ QOS etc.
+ name: Resource Policy enforcement
+ name: Shared slice common control network function resource exhaustion
+ object-type: technique
+ platforms: Slice, CSP
+ references:
+ - \[1\] [ETSI NFV SEC026 Isolation and trust domain specification,
+ section 4.2.3, Accessed 6/27/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)
+ - \[2\] [GSMA Official Document NG.126 - Cloud Infrastructure
+ Reference Model_NG.126-v1.0-2, Accessed 6/27/2022](https://www.gsma.com/newsroom/wp-content/uploads//NG.126-v1.0-2.pdf)
+ - " \\[3\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ ,\_ October 2021](https://arxiv.org/abs/2108.11206)"
+ - " \\[4\\] [NGMN: \n5G Security Recommendation Package #2 Network\
+ \ Slicing, Accessed 6/27/2022](https://www.ngmn.org/publications/5g-security-recommendations-package-2-network-slicing.html)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1498
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: N/A
+ addendums:
+ - "#### Addendum Name: DNS Queries\r\n##### Architecture Segments: Control Plane,\
+ \ Roaming\r\n Adversaries may steal data by exfiltrating from an MNO by sending\
+ \ it over allowed DNS queries to DNS servers outside the MNO. The data may be\
+ \ sent to an alternate network location from that used for command and control.\r\
+ \nAdversaries may opt to obfuscate this data within the constraints of DNS record\
+ \ types. The adversary may also use custom or publicly available encoding/compression\
+ \ algorithms (such as base64) as well as embedding data within protocol headers\
+ \ and fields.\r\n\r\n"
+ architecture-segment: Control Plane, Roaming
+ bluf: Adversaries may steal data by exfiltrating it over an un-encrypted network
+ protocol other than that of the existing command and control channel.
+ criticalassets:
+ - Description: The configuration of DNS Resolvers is important to ensure ability
+ to monitor DNS queries for adversary behavior.
+ Name: DNS Resolvers
+ description: "Adversaries may steal data by exfiltrating it over an un-encrypted\
+ \ network protocol other than that of the existing command and control channel.\r\
+ \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1048/003)\r\
+ \n"
+ detections:
+ - detects: Collect and analyze DNS lookup logs for unusual patterns and destinations
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Analyze network destinations for DNS traffic for unusual destinations
+ and volumes.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1048.003
+ mitigations:
+ - fgmid: M1037
+ mitigates: Filter public network lookups to limit exfiltration destinations. Potential
+ use of protective DNS services.
+ name: Filter Network Traffic
+ name: Exfiltration Over Unencrypted Non-C2 Protocol
+ object-type: technique
+ platforms: NF, SEPP
+ preconditions:
+ - Description: "Operator environment must permit DNS queries either directly or\
+ \ recursively for domains the operator doesn\u2019t directly control."
+ Name: External DNS Resolution
+ references:
+ - " \\[1\\] [\u201CBhadra framework\u201D: S.P. Rao, S. Holtmanns,\
+ \ T. Aura, \u201CThreat modeling framework for mobile communication systems,\u201D\
+ \ Retrieved April 28, 2022](https://arxiv.org/pdf/2005.05110.pdf)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1048
+ tactics:
+ - TA0010
+ typecode: attack_subtechnique_addendum
+- access-required: NF Service Account credentials
+ addendums:
+ - "#### Addendum Name: Control plane signaling exfiltration\r\n##### Architecture\
+ \ Segments: Control Plane, Roaming\r\n An adversary may use Control Plane signaling\
+ \ between operator-internal Network Functions and externally-facing NFs or proxies\
+ \ to exfiltrate data to external endpoints.\r\n\r\nThe operator network uses edge\
+ \ functions that communicate to external parties: The Network Exposure Function\
+ \ (NEF) communicates with external Application Functions (AF), and the Security\
+ \ Edge Protection Proxy (SEPP) communicates with nodes on the IP Interchange (roaming/interconnect\
+ \ fabric). This channel can be used by an adversary to exfiltrate data originating\
+ \ at a compromised NF inside the operator network and ending up at the external\
+ \ node (AF, IPX node). For example, HTTP/2 optional parameters may be used to\
+ \ communicate between a core NF and an external server via NEF or SEPP.\r\n\r\n"
+ architecture-segment: Control Plane, Roaming
+ bluf: Adversaries may steal data by exfiltrating it over a different protocol than
+ that of the existing command and control channel.
+ criticalassets:
+ - Description: Sensitive information in subscriber signaling data
+ Name: Subscriber signaling data
+ - Description: Core NF identifiers (e.g. IP address, FQDN) such as AMF, SMF, UDM
+ etc.
+ Name: Operator resource identifiers
+ description: "Adversaries may steal data by exfiltrating it over a different protocol\
+ \ than that of the existing command and control channel.\r\n[To read more, please\
+ \ see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1048)\r\
+ \n"
+ detections:
+ - detects: Monitor and analyze traffic patterns and packet inspection over the SBI,
+ especially to/from external functions.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1048
+ mitigations:
+ - fgmid: M1037
+ mitigates: Filter and inspect network traffic coming out of SEPP and NEF
+ name: Filter Network Traffic
+ name: Exfiltration Over Alternative Protocol
+ object-type: technique
+ platforms: 5G Network
+ procedureexamples:
+ - Description: HTTP/2 optional parameters may be used to communicate between a core
+ NF and an external server (AF, IPX node) via NEF or SEPP.
+ Name: HTTP/2 optional parameters
+ references:
+ - " \\[1\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206 )"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0010
+ - TA0011
+ typecode: attack_technique_addendum
+- addendums:
+ - "#### Addendum Name: Access to Cloud Infra or MEC\r\n##### Architecture Segments:\
+ \ OA&M, MEC\r\n An adversary may purchase access to cloud infrastructure or Multi-access\
+ \ Edge Computing (MEC) resources that will also be hosting the operator\u2019\
+ s infrastructure.\r\n\r\nMobile Network Operators are looking to commercial cloud\
+ \ and MEC providers to deploy 5G Core and RAN functions. Similar resources may\
+ \ also be utilized to offer compute services for time sensitive enterprise/user\
+ \ applications. Adversaries may attempt to target victims by creating co-residency\
+ \ in cloud or MEC resources for bridging network, or lateral movements by using\
+ \ software and configuration vulnerabilities. These are sometimes referred to\
+ \ as colocation attacks.\r\n\r\n\r\n"
+ architecture-segment: OA&M, MEC
+ bluf: Adversaries may buy, lease, or rent infrastructure that can be used during
+ targeting.
+ description: "Adversaries may buy, lease, or rent infrastructure that can be used\
+ \ during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this\
+ \ technique](https://attack.mitre.org/techniques/T1583)\r\n"
+ detections: []
+ id: FGT1583
+ mitigations:
+ - fgmid: FGM5504
+ mitigates: Cloud compute, cloud storage and any serverless activity should be
+ isolated from other tenants
+ name: Resource Isolation in virtualization environment
+ - fgmid: FGM5505
+ mitigates: Hardware mediated execution environment
+ name: Hardware mediated execution environment
+ - fgmid: M1030
+ mitigates: Network isolation. Deployment architecture should consider physical
+ and virtual isolation from other tenants
+ name: Network Segmentation
+ - fgmid: M1041
+ mitigates: Any traffic going from a security zone to another security zone must
+ be protected with encryption. Key based user and resource authentication and
+ authorization should be used
+ name: Encrypt Sensitive Information
+ name: Acquire Infrastructure
+ object-type: technique
+ platforms: 5G Network
+ procedureexamples:
+ - Description: "[2] is a university research showing how an attacker can locate\
+ \ an entity\u2019s systems in the cloud and work to instantiate profiling and\
+ \ other malicious hosts on the same physical platform."
+ Name: Locate cloud resources of target
+ references:
+ - " \\[1\\] [S. Sahoo, S. K. Mishra, B. Sahoo & A. K. Turuk,\
+ \ \u201CCo-resident Attack in Cloud Computing: An Overview\u201D, Encyclopedia\
+ \ of Big Data Technologies, March 2018](https://link.springer.com/content/pdf/10.1007%2F978-3-319-63962-8_322-1.pdf\
+ \ )"
+ - " \\[2\\] [T. Ristenpart, E. Tromer, H. Shacham, S. Savage,\
+ \ \u201CHey, you, get off of my cloud: exploring information leakage in third-party\
+ \ compute clouds\u201D, In CCS '09: Proceedings of the 16th ACM conference on\
+ \ Computer and communications security, November 2009 Pages 199\u2013212](https://dl.acm.org/doi/10.1145/1653662.1653687\
+ \ )"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0042
+ typecode: attack_technique_addendum
+- access-required: N/A
+ architecture-segment: User Plane, Control Plane, Roaming
+ bluf: An adversary may change the configuration of network nodes so as to disable
+ or weaken integrity protection on the network interfaces Non-SBI, SBI and Roaming,
+ thus allowing for transmitted data manipulation.
+ criticalassets:
+ - Description: Any of the subscriber data sourced or destined to the UE
+ Name: UE data
+ - Description: Any of the signaling traffic between UE and network
+ Name: UE signaling
+ - Description: Any of the signaling traffic between 5G core NFs, between 5G core
+ and RAN, within RAN and between 5G and 4G core networks.
+ Name: Network signaling
+ description: " An adversary may change the configuration of network nodes so as\
+ \ to disable or weaken integrity protection on the network interfaces Non-SBI,\
+ \ SBI and Roaming, thus allowing for transmitted data manipulation.\r\n\r\nThe\
+ \ following network interfaces are in the scope of this document.\r\n\r\n1. \u201C\
+ Non-SBI\u201D (non-Service Based Interface) network interfaces are within 5G core\
+ \ (e.g. N4) and RAN (e.g. Xn, F1, E1), and between the RAN and the 5G Core (e.g.\
+ \ N2, N3). \r\n\r\n2. SBI network interfaces are between core NFs within an operator\
+ \ network; they use REST APIs.\r\n\r\n3. Roaming and interconnect interfaces,\
+ \ including IPX, are between network operators (between SEPPs (N32), or other\
+ \ interworking functions like AMF/MME (N26) and between the UPFs owned by different\
+ \ network operators (N9)).\r\n\r\nAn adversary with control over gNB or AMF or\
+ \ UPF or SMF may disable IPSec on non-SBI interfaces (Xn, F1, E1, N2, N3, N4).\
+ \ IPSec is expected to be used to protect all non-SBI links, however, unlike radio\
+ \ communications, operator RAN to core communications do not mandate integrity\
+ \ protection.\r\n\r\nAn adversary with access to the SBI links, for example, with\
+ \ control over one or more core network NFs or a middlebox (including the Service\
+ \ Communication Proxy (SCP) if deployed), may disable use of TLS or use older\
+ \ TLS version such as v1.1. TLS is expected (by 3GPP standards) to be used to\
+ \ protect all SBI links within the operator core network. \r\n\r\nAn adversary\
+ \ with control over roaming nodes or interfaces - namely SEPP or IPX network --\
+ \ may disable or cause to use a weak integrity algorithm for TLS or JWS signatures\
+ \ on the N32 interface. An adversary with control over visited network UPF may\
+ \ disable IPSec on N9 interface or a compromised MME or AMF may disable IPSec\
+ \ on N26 interface. \r\n\r\n"
+ detections:
+ - detects: 'Check configuration changes in gNB, NFs, SEPP and MME.
+
+ Run configuration audits by OSS/BSS.'
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Inspect network traffic and watch for unauthorized changes as the packets
+ move through the interfaces.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5009.002
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Use strong integrity protection on all non-SBI, SBI and roaming/interconnect
+ interfaces. That is, TLS should be used in all SBI, N32-c and N32-f and PRINS
+ in N32-f when TLS is not used.
+ name: Integrity protection of data communication
+ - fgmid: M1018
+ mitigates: Network element security safeguards for gNB and all core NFs
+ name: User Account Management
+ - fgmid: M1031
+ mitigates: Implement network intrusion prevention methods
+ name: Network Intrusion Prevention
+ - fgmid: M1043
+ mitigates: Implement credential access protection methods
+ name: Credential Access Protection
+ - fgmid: M1046
+ mitigates: Network element security safeguards for gNB and all core NFs
+ name: Boot Integrity
+ - fgmid: M1051
+ mitigates: Network element security safeguards for gNB and all core NFs
+ name: Update Software
+ name: Network Interfaces
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: UE signaling with network and user plane data may be impacted. This
+ can be used to cause DoS attack.
+ Name: UE at risk of data manipulation
+ - Description: Network communication within core network or on the non-SBI interfaces
+ or on roaming interface may be impacted.
+ Name: Network signaling at risk of data manipulation
+ preconditions:
+ - Description: Adversary must have access to the network components to cause the
+ attacks
+ Name: Rogue or misconfigured AMF or SMF or gNB or UPF or SEPP or MME or any other
+ core NF
+ procedureexamples:
+ - Description: A rogue or misconfigured gNB can disable IPSec integrity or use a
+ weak IPSec integrity algorithm on N2, N3, F1, E1 and Xn interfaces. Then it
+ can launch other attacks. Clause D.2.2 of [1].
+ Name: Compromised or misconfigured gNB
+ - Description: A rogue or misconfigured AMF can disable integrity protection or
+ use a weak integrity algorithm on N2 and N26 interfaces. Then it can launch
+ other attacks. Clause K.2.1 of [1], clause 5.5.2 of [2].
+ Name: Compromised or misconfigured AMF
+ - Description: A rogue or misconfigured UPF can disable IPSec integrity or use a
+ weak IPSec integrity algorithm on N3, N4 and N9 interfaces. Then it can launch
+ other attacks. Clause L.2.1 of [1], clauses 9.3 & 9.9 of [2].
+ Name: Compromised or misconfigured UPF
+ - Description: A rogue or misconfigured SMF can disable IPSec integrity or use a
+ weak IPSec integrity algorithm on N4 interface. Then it can launch other attacks.
+ Clause 9.9 of [2].
+ Name: Compromised or misconfigured SMF
+ - Description: 'A rogue or misconfigured NF can disable the TLS integrity or use
+ a weak TLS integrity algorithm to another NF including the SCP (if deployed).
+ Then it can launch other attacks to gain unauthorized access to network services.
+ Clause 13.1 of [2].
+
+
+ If SCP is rogue or misconfigured, it can force TLS connections to all NFs to
+ be unencrypted or use weak integrity for all. Clause 5.9.2.4 of [2].'
+ Name: Compromised or misconfigured NF
+ - Description: 'A rogue or misconfigured SEPP can disable TLS integrity or use a
+ weak TLS integrity algorithm on N32-c interface or N32-f interface or both.
+
+
+ A rogue or misconfigured IPX component can disable JWS integrity or use a weak
+ integrity algorithm when PRINS is used on N32-f. Then it can launch other attacks.
+ Clauses 9.9, 13.1 and 13.2 of [2].'
+ Name: Compromised or misconfigured SEPP or IPX component
+ - Description: A rogue or misconfigured AMF/MME can disable IPSec integrity or use
+ a weak IPSec integrity algorithm on N26 interface. Then it can launch other
+ attacks. Clause K.2.1 of [1], 8.4 of [2].
+ Name: Compromised or misconfigured MME/AMF
+ references:
+ - " \\[1\\] [3GPP TR33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes.\u201D](https://www.3gpp.org/DynaReport/33926.htm)"
+ - " \\[2\\] [3GPP TS33.501 \u201CSecurity architecture and procedures\
+ \ for 5G System.\u201D](https://www.3gpp.org/DynaReport/33501.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT5009
+ tactics:
+ - TA0005
+ typecode: fight_subtechnique
+- access-required: None
+ architecture-segment: Control Plane, User Plane
+ bluf: An adversary may alter network signaling so as to use weakened or no encryption
+ algorithm on the Non-SBI (Service Based Interface), SBI and Roaming interfaces,
+ thus allowing for eavesdropping of user data or signaling.
+ criticalassets:
+ - Description: Any of the subscriber data sourced or destined to the UE
+ Name: UE data
+ - Description: Any of the signaling traffic between UE and network
+ Name: UE signaling
+ description: " An adversary may alter network signaling so as to use weakened or\
+ \ no encryption algorithm on the Non-SBI (Service Based Interface), SBI and Roaming\
+ \ interfaces, thus allowing for eavesdropping of user data or signaling. \r\n\r\
+ \nThe following Network interfaces are in the scope of this document.\r\n\r\n\
+ 1. \u201CNon-SBI\u201D network interfaces are within 5G core network and the Radio\
+ \ Access Network (RAN), and between the RAN and the 5G Core (e.g. N2, N3, N4,\
+ \ Xn). \r\n\r\n2. SBI network interfaces are between core Network Functions (NFs)\
+ \ within an operator network; they use REST APIs.\r\n\r\n3. Roaming and interconnect\
+ \ interfaces, including IPX, are between network operators (between Security Edge\
+ \ Protection Proxies (SEPPs) (N32), or other interworking functions like Access\
+ \ and Mobility Management (AMF/MME) (N26) and between User Plane Functions (UPFs)\
+ \ owned by different network operators (N9)).\r\n\r\nAn adversary with control\
+ \ over gNB, AMF, UPF or SMF may disable IPSec on non-SBI interfaces (Xn, N2, N3,\
+ \ N4). IPSec is expected to be used to protect all non-SBI links, however, unlike\
+ \ radio communications, operator RAN to core communications are not mandated to\
+ \ actually run encryption protection. \r\n\r\nAn adversary with access to the\
+ \ SBI links, with control over one or more core network functions (NFs) or a middlebox\
+ \ (including the Service Communication Proxy (SCP) if deployed), may disable use\
+ \ of TLS or use older TLS version such as v1.1. TLS is required by 3GPP standards\
+ \ to be used to protect all SBI links within the operator core network. \r\n\r\
+ \nAn adversary with control over roaming nodes or interfaces- namely SEPP or IPX\
+ \ network-- may disable or cause to use a weak encryption algorithm for TLS or\
+ \ JWE encryption on the N32 interface. An adversary with control over visited\
+ \ network UPF may disable IPSec on the N9 interface or a compromised MME or AMF\
+ \ may disable IPSec on N26 interface.\r\n\r\n"
+ detections:
+ - detects: Check configuration changes in gNB and all core NFs; Configuration audits
+ by OSS/BSS.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Inspect network traffic and watch for unauthorized changes
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1600.502
+ mitigations:
+ - fgmid: M1018
+ mitigates: Network element security safeguards for gNB and all core NFs
+ name: User Account Management
+ - fgmid: M1031
+ mitigates: Implement network intrusion prevention methods
+ name: Network Intrusion Prevention
+ - fgmid: M1041
+ mitigates: Ensure strong encryption is used in all non-SBI, SBI and roaming/interconnect
+ interfaces. That is, TLS (not version 1.1) should be used in all SBI, N32-c
+ and N32-f ; in addition, PRINS should be used on N32-f when TLS is not used.
+ name: Encrypt Sensitive Information
+ - fgmid: M1043
+ mitigates: Implement credential access protection methods
+ name: Credential Access Protection
+ - fgmid: M1046
+ mitigates: Network element security safeguards for gNB and all core NFs
+ name: Boot Integrity
+ - fgmid: M1051
+ mitigates: Network element security safeguards for gNB and all core NFs
+ name: Update Software
+ name: Network Interfaces
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: "Control Plane: All UE signaling data may be revealed if IPSec and\
+ \ TLS are disabled.\n\nUser Plane: Subscriber (user plane) data may be revealed\
+ \ if IPSec is disabled. \n\nUE CP & UP data can be sniffed, see FGT1040 \u2013\
+ \ Network Sniffing"
+ Name: UE data unprotected on network interfaces
+ preconditions:
+ - Description: Adversary must have access to the network components to cause the
+ attacks
+ Name: Rogue or misconfigured AMF/MME, SMF, gNB or UPF, or SEPP or any other core
+ NF
+ procedureexamples:
+ - Description: A rogue or misconfigured gNB can disable IPSec encryption or use
+ a weak IPSec encryption algorithm on backhaul interfaces such as N2, N3 and
+ Xn. This can be used to launch other attacks. Clause D.2.2 of [1], clause 5.3.2
+ of [2].
+ Name: Compromised or misconfigured gNB
+ - Description: A rogue or misconfigured AMF can disable IPSec encryption or use
+ a weak IPSec encryption algorithm on N2 and N26 interfaces. This can be used
+ to launch other attacks. Clause K.2.1 of [1], clause 5.5.1 of [2].
+ Name: Compromised or misconfigured AMF
+ - Description: A rogue or misconfigured UPF can disable IPSec encryption or use
+ a weak IPSec encryption algorithm on N3, N4 and N9 interfaces. This can be used
+ to launch other attacks. Clause L.2.1 of [1], clauses 9.3 and 9.9 of [2].
+ Name: Compromised or misconfigured UPF
+ - Description: A rogue or misconfigured SMF can disable IPSec encryption or use
+ a weak IPSec encryption algorithm on N4 interface. This can be used to launch
+ other attacks. Clause 9.9 of [2]
+ Name: Compromised or misconfigured SMF
+ - Description: 'A rogue or misconfigured NF can disable the TLS encryption or use
+ a weak TLS encryption algorithm to another NF including the SCP. Then it can
+ launch other attacks to gain unauthorized access to network services. Clause
+ 13.1 of [2]
+
+
+ If SCP is rogue or misconfigured, it can force TLS connections to all NFs to
+ be unencrypted or use weak encryptions for all. Clause 5.9.2.4 of [2].'
+ Name: Compromised or misconfigured NF
+ - Description: 'A rogue or misconfigured SEPP can disable TLS encryption or use
+ a weak TLS encryption algorithm on N32-c interface or N32-f interface or both.
+
+
+ A rogue or misconfigured SEPP can disable JWE encryption or use a weak encryption
+ algorithm when the PRINS algorithm is used on N32-f. Then it can launch other
+ attacks. Clauses 9.9, 13.1 and 13.2 of [2].'
+ Name: Compromised or misconfigured SEPP or IPX component
+ - Description: A rogue or misconfigured AMF/MME can disable IPSec encryption or
+ use a weak IPSec encryption algorithm on N26 interface. Then it can launch other
+ attacks. Clause K.2.1 of [1], 8.4 of [2].
+ Name: Compromised or misconfigured MME/AMF
+ references:
+ - " \\[1\\] [3GPP TR 33.926 \u201CSecurity Assurance Specification\
+ \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://www.3gpp.org/DynaReport/33926.htm\
+ \ )"
+ - " \\[2\\] [3GPP TS 33.501 \u201CSecurity architecture and procedures\
+ \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm )"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1600
+ tactics:
+ - TA0005
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: N/A
+ architecture-segment: RAN, Virtualization, OA&M
+ bluf: Adversaries may manipulate service or service delivery mechanisms prior to
+ or while used by a mobile network operator (MNO) for the purpose of data or system
+ compromise.
+ criticalassets:
+ - Description: Network Exposure Function is a likely target for adversaries in a
+ MEC environment.
+ Name: NEF
+ - Description: Distributed deployment models may require third party transport service
+ Name: Transport network
+ - Description: Distributed deployment models may require third party MEC service
+ Name: MEC
+ - Description: RAN as a Service or Shared RAN
+ Name: RAN
+ - Description: Mobile Virtual Network Operators may complete rely on third party
+ provided services for their subscriber
+ Name: MVNO Core and RAN infrastructure
+ description: " Adversaries may manipulate service or service delivery mechanisms\
+ \ prior to or while used by a mobile network operator (MNO) for the purpose of\
+ \ data or system compromise.\r\n\r\nThe adversary may use the compromised service\
+ \ as a means to apply additional techniques against interfaces exposed to the\
+ \ service provider such as the NEF. When the service provider hosts or provides\
+ \ core network functions, the adversary may attempt to compromise the 5G core\
+ \ components in the service provider environment, e.g. MEC hosted NFs (clause\
+ \ 5.13 of [1]), or through the service provider environment, attempt compromise\
+ \ of other core NFs not hosted in the MEC. \r\n\r\nWhen service providers are\
+ \ used for providing service to customers, the adversary may be in a position\
+ \ to compromise information about the subscriber. \r\n\r\nThe adversary, as an\
+ \ example, may also compromise software and/or hardware used by the service provider,\
+ \ such as opensource, as a technique to gain initial access or achieve other tactics\
+ \ within the service provider to provide a position for initial access to the\
+ \ MNO\u2019s network. Open source software may be an attractive target for supply\
+ \ chain attacks, as detection, reporting, and patch availability timelines can\
+ \ provide a greater window of opportunity for vulnerabilities to be exploited.\r\
+ \n\r\n\r\n"
+ detections: []
+ id: FGT1195.502
+ mitigations:
+ - fgmid: M0817
+ mitigates: 5G Operators should evaluate suppliers of services for their technical
+ and administrative controls to ensure that it meets minimum standards for assured
+ services. These evaluations may include SW, HD supply chain, personnel and process
+ used for service creation.
+ name: Supply chain management
+ - fgmid: FGM5519
+ mitigates: 5G operators should integrate performance and change management from
+ their suppliers into their own OA&M tools to have complete visibility into service
+ name: Integrate Performance and Change Management
+ name: Compromise Service Supply Chain
+ object-type: technique
+ platforms: 5G
+ procedureexamples:
+ - Description: Hardware used in service may be compromised in its build and delivery
+ supply chain
+ Name: HW supply chain
+ - Description: Software used in service may be compromised in its build and delivery
+ supply chain
+ Name: SW supply chain
+ - Description: OA&M tools in service has greater access to network elements, compromise
+ of such tools provide adversary access to network providing the service
+ Name: OA&M tools
+ - Description: Service provider management may have nefarious intent for data collection
+ or providing assistance to other nefarious actors
+ Name: Malicious Service provider
+ references:
+ - " \\[1\\] [3GPP TS 23.501 \u201CSystem architecture for the\
+ \ 5G System (5GS); Stage 2 (Release 17)\u201D]( https://www.3gpp.org/DynaReport/23501.htm)"
+ - " \\[2\\] [3GPP TS 23.558: \u201C\nArchitecture for enabling\
+ \ Edge Applications\u201D](https://www.3gpp.org/DynaReport/23558.htm)"
+ - " \\[3\\] [3GPP TS 23.548: \u201C5G System Enhancements for\
+ \ Edge Computing; Stage 2\u201D](https://www.3gpp.org/DynaReport/23548.htm)"
+ - " \\[4\\] [ETSI, White Paper No. 28, \u201CMEC in 5G networks\u201D\
+ ](https://www.etsi.org/images/files/ETSIWhitePapers/etsi_wp28_mec_in_5G_FINAL.pdf)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1195
+ tactics:
+ - TA0001
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: RAN
+ bluf: An adversary may intercept unencrypted radio transmissions of a UE's SUCI
+ to identify the IMSI/SUPI of the UE.
+ criticalassets:
+ - Description: "UE\u2019s identity is obtained for subsequent attacks."
+ Name: UE privacy
+ description: " An adversary may intercept unencrypted radio transmissions of a UE\u2019\
+ s SUCI to identify the IMSI/SUPI of the UE. \r\n\r\nAdversary can retrieve the\
+ \ IMSI/SUPI of UE if SUCI is sent unencrypted over the air. The adversary can\
+ \ launch other attacks on the subscriber with the IMSI/SUPI. \r\n\r\nWhen 5G UE\
+ \ is connected to 4G base station (eNB) in non-stand alone (NSA) mode, adversary\
+ \ uses an airlink signal analyzer to retrieve UE's permanent identity (IMSI/SUPI).\
+ \ All threats present in 4G network including IMSI/SUPI catching can materialize\
+ \ when UE is connected to network via 4G eNB.\r\n\r\nBackground information: The\
+ \ UE\u2019s permanent identity, SUPI (SUbscriber Permanent Identifier), includes\
+ \ a home network identifier and a user-specific identifier, and is never sent\
+ \ unencrypted over the radio interface. Instead, a SUCI (SUbscriber Concealed\
+ \ Identifier) is sent when the UE goes through initial registration to the serving\
+ \ network procedures; this de-concealment operation can only be done by the UE\u2019\
+ s home network. However, SUCI can be sent unencrypted over the air by UE in any\
+ \ of the following scenarios: \r\n\r\n1. When UE makes an emergency call and it\
+ \ does not have a 5G-GUTI\r\n \r\n2. If the home PLMN has configured \"NULL\u201D\
+ \ SUCI-protection algorithm to be used\r\n\r\n3. If the home PLMN has not provisioned\
+ \ the public key needed to generate a SUCI \r\nRefer clause 6.12.2 of [1].\r\n\
+ \r\nNSA mode uses 4G core, and it uses two types of base stations: 4G & 5G for\
+ \ network access. Depending on the coverage area and network load, MNO chooses\
+ \ whether to connect the UE to the 5G base station (gNB) or to 4G base station\
+ \ (eNB). eNB typically covers a much larger area than gNB.\r\n\r\n"
+ detections:
+ - detects: 'Monitor gNB and core network logs when:
+
+
+
+ Null scheme is used for SUCI protection
+
+
+
+ Home PLMN does not configure public key for SUCI protection'
+ fgdsid: FGDS5017
+ name: Monitor null scheme usage
+ - detects: Monitor Provisioning logs for changes in Home network public key configuration,
+ PLMN ID etc.
+ fgdsid: FGDS5018
+ name: Monitor provisioning logs
+ - detects: 'Monitor Operations logs for:
+
+
+
+ UE makes an emergency call
+
+
+
+ In NSA mode, when 5G UE is ordered to connect to network via eNB'
+ fgdsid: FGDS5019
+ name: Monitor operations logs
+ id: FGT5019.004
+ mitigations:
+ - fgmid: M1041
+ mitigates: Always configure home PLMN public key in the UE. Do not use NULL scheme
+ for SUCI encryption both in network configuration and in UE configuration.
+ name: Encrypt Sensitive Information
+ - fgmid: FGM5514
+ mitigates: Minimize the number of connections to eNB when using NSA mode, use
+ eNB only when 5G coverage is not available or 5G network is overloaded.
+ name: Minmize eNB connections
+ name: Intercept unencrypted SUPI
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: When UE identity is obtained, it allows attacker to launch other
+ attacks such as geolocation tracking, degradation of service, loss of traffic
+ confidentiality, or physical attack.
+ Name: Target association
+ preconditions:
+ - Description: Adversary requires sufficient signal to capture and decode all airlink
+ messages (with low interference and high SNR).
+ Name: Ability to receive SUCI over the air
+ - Description: In NSA mode, 5G UE is directed to connect to eNB due to lack of 5G
+ coverage in the area or network load situations.
+ Name: 5G UE is directed to connect to 4G base station in NSA mode
+ procedureexamples:
+ - Description: "Adversary reads the SUCI from airlink messages using signal analyzer\
+ \ when it is sent in clear mode and extracts the IMSI/SUPI.\n\nThis is possible\
+ \ in the following scenarios:\n\n\nWhen UE makes an emergency call and it does\
+ \ not have a 5G-GUTI.\n\n\nIf the home PLMN has configured \"NULL\u201D SUCI-protection\
+ \ algorithm to be used.\n\nIf the home PLMN has not provisioned the public key\
+ \ needed to generate a SUCI. \n\n\nUE is moved from a gNB to an eNB in NSA mode."
+ Name: Intercept IMSI/SUPI over the radio interface
+ references:
+ - " \\[1\\] [3GPP TS 33.501 \" Security architecture and procedures\
+ \ for 5G system\u201D](https://www.3gpp.org/DynaReport/33501.htm )"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT5019
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- access-required: N/A
+ architecture-segment: Roaming
+ bluf: Adversary send specifically crafted messages from an interconnect/interworking
+ partner against roaming interface to gain access to the service function, e.g.
+ SEPP, or cause a denial of service (DoS).
+ criticalassets:
+ - Description: The Security Edge Protection Proxy (SEPP) is the primary target for
+ this technique and represent a key interface point between the operator and
+ other service providers, via N32, for roaming.
+ Name: SEPP
+ - Description: The User Plane Function (UPF) in the home provider network exposes
+ the N9 interface to other providers and can be targeted using this technique.
+ If the Home Public Land Mobile Network (HPLMN) UPF is compromised, sensitive
+ data may be sniffed or potentially dropped.
+ Name: UPF
+ - Description: The home Policy Control Function (h-PCF) is exposed to the visited
+ PCF (v-PCF) via N24 in a home routed roaming scenario.
+ Name: PCF
+ - Description: The HPLMN Unified Data Management (UDM) function is exposed via N10
+ to the Visited PLMN (VPLMN) Session Management Function + Packet Data Network
+ Gateway Control (SMF+PGW-C) for local breakout roaming architecture. The VPLMN
+ Access and Mobility Management Function (AMF) can also reach the Home Subscriber
+ Server UDM (HSS+UDM) via N8. The VPLMN Mobility Management Entity (MME) can
+ reach the HSS+UDM via S6a as well.
+ Name: HSS+UDM
+ - Description: The Non-3GPP Interworking Function (N3IWF) is exposed via the Y2
+ and NWu.
+ Name: N3IWF
+ description: " Adversary sends specifically crafted messages from an interconnect/interworking\
+ \ partner against roaming interface to gain access to the service function, e.g.,\
+ \ SEPP, or to obtain information from the interworking facing service function.\r\
+ \nA semi-public application or service is one that is only reachable by an adversary\
+ \ over an interworking network that is typically only exposed to mobile network\
+ \ operators (MNO), internetwork packet exchange providers (IPX), Value Added Services\
+ \ (VAS) providers. An adversary that has previously compromised, through other\
+ \ techniques, another service on the interworking network may be in a position\
+ \ to use this technique against an operator\u2019s interworking facing service\
+ \ interfaces. The adversary does not necessarily need to compromise a roaming\
+ \ partner but needs to be on a network which can reach the target interface.\r\
+ \n\r\nThe technique uses specifically formatted signaling messages to cause unexpected\
+ \ behavior that the adversary has previously determined to permit gaining access\
+ \ to the roaming interface system or network functions reachable via SEPP (N32),\
+ \ PCF (N24), HSS+UDM (N10, N8, S6a) or N3IWF interfaces. The specially crafted\
+ \ messages may also permit the collection of information about the targeted operator\
+ \ and its users. The adversary may target the SEPP itself or place specially crafted\
+ \ messages within legitimately authenticated messages that the SEPP passes to\
+ \ NFs that can result in compromise of the NF or information collection. N9 interfaces\
+ \ and non-3GPP interfaces exposed to interworking partners may also be targeted\
+ \ by adversaries. The technique [FGT1190](/techniques/FGT1190) covers internet\
+ \ facing service interfaces.\r\n\r\n"
+ detections:
+ - detects: Monitor application logs for evidence of unexpected access requests or
+ potential pattern of errors logged that might indicate attempts to create unexpected
+ behavior
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Monitor login session logs for evidence an adversary has created accounts
+ or setup access after compromise of the service via specially formed packets
+ on the service API
+ fgdsid: DS0028
+ name: Logon Session
+ - detects: Observe unusual traffic to the SEPP and any evidence of unusual source
+ or destinations from the SEPP that might indicate a source of specially formed
+ packets.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5029
+ mitigations:
+ - fgmid: FGM5010
+ mitigates: Redeploy SEPP regularly to prevent dwell time aka use non-persistence
+ name: Non-Persistent Services
+ - fgmid: M1050
+ mitigates: Use of a Web Application Firewall may only allow properly formatted
+ service communication.
+ name: Exploit Protection
+ - fgmid: M1051
+ mitigates: Aggressive patching may reduce window of vulnerability if a known vulnerability
+ name: Update Software
+ name: Exploit Semi-public Facing Application
+ object-type: technique
+ platforms: SEPP, UPF
+ preconditions:
+ - Description: Adversary must have identified a vulnerability susceptible to the
+ specially crafted message that results in an ability to use additional techniques.
+ Name: Vulnerability Identified
+ references:
+ - " \\[1\\] [\u201C5G Security Assurance Specification (SCAS)\
+ \ for the Security Edge Protection Proxy (SEPP) network product class,\u201C TS\
+ \ 33.517 ver. 17.0.0, 3rd Generation Partnership Project (3GPP), Sec. 4.2.3.3-4.4,\
+ \ Jun. 2021](https://www.3gpp.org/DynaReport/33517.htm)"
+ - " \\[2\\] [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
+ \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
+ , October 2021](https://arxiv.org/abs/2108.11206)"
+ - " \\[3\\] [\u201CSecurity Edge Protection Proxy (SEPP),\u201D\
+ \ Broadforward, Amersfoort, Netherlands, Accessed: May 17, 2022](https://www.broadforward.com/security-edge-protection-proxy/)"
+ - " \\[4\\] [ \u201CSecurity Assurance Specification (SCAS) threats\
+ \ and critical assets in 3GPP network product classes,\u201C TR 33.926, 3GPP,\
+ \ Sec. 5.3.7.2.](https://www.3gpp.org/DynaReport/33926.htm)"
+ - " \\[5\\] [\u201CSystem architecture for the 5G System (5GS),\u201D\
+ TS 23.501, 3GPP, Sec. 4.2.8.2, 4.3.1, 4.3.2](https://www.3gpp.org/DynaReport/23501.htm)"
+ status: This is a theoretical behavior in context of 5G systems.
+ tactics:
+ - TA0001
+ - TA0009
+ typecode: fight_technique
+- access-required: N/A
+ architecture-segment: UE
+ bluf: An adversary may send specially crafted data to the UE over-the-air via the
+ radio interface to execute malicious code.
+ description: " An adversary may send specially crafted data to the UE over-the-air\
+ \ via the radio interface to execute malicious code. An adversary with a position\
+ \ to send data to the UE, such as control of an IMS service or the UPF may send\
+ \ data to the UE that can, using a previously identified vulnerability, cause\
+ \ adversary execution on the UE.\r\n\r\nThe adversary may identify a vulnerability\
+ \ in the radio interface through fuzzing techniques against the baseband and supporting\
+ \ chips used in the UE. Vulnerabilities that could enable an adversary to execute\
+ \ code include heap corruptions and use-after-frees[1]. Additionally, vulnerabilities\
+ \ such as buffer overflow vulnerabilities are often found due to insecure coding\
+ \ practices. Although fuzzing has been demonstrated to be a viable approach to\
+ \ identify vulnerabilities, vulnerabilities may be discovered by adversaries through\
+ \ additional techniques including physical examination/tampering and binary executable\
+ \ analysis.\r\n\r\n\r\n"
+ detections: []
+ id: FGT1203.501
+ mitigations: []
+ name: Over-the-Air Input
+ object-type: technique
+ platforms: 5G
+ preconditions:
+ - Description: Adversary must have identified a vulnerability in the target UE baseband
+ or supporting chips to enable OTA exploitation.
+ Name: Identified vulnerability on baseband or supporting chips
+ procedureexamples:
+ - Description: Proof of Concept demonstration of technique exploiting modem vulnerability
+ from IMS service over an adversary controlled 5G core and base station.
+ Name: Adversary controlled IMS
+ references:
+ - " \\[1\\] [M.Grassi & X. Chen, \u201COver The Air Baseband\
+ \ Exploit: Gaining Remote\nCode Execution on 5G Smartphones,\u201D retrieved May\
+ \ 16, 2023](https://dl.acm.org/doi/abs/10.1145/3395351.3399360)"
+ status: This a 5G relevant behavior that has been demonstrated in a successful proof
+ of concept
+ subtechnique-of: FGT1203
+ tactics:
+ - TA0002
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: Privileged
+ architecture-segment: UE
+ bluf: An adversary may send specially crafted data to the UE's application processor's
+ interface to the baseband API to execute malicious code.
+ description: " An adversary may send specially crafted data to the UE's application\
+ \ processor's interface to the baseband API to execute malicious code. The adversary\
+ \ with a position on the UE to communicate to the baseband API can execute malicious\
+ \ code on the baseband processing system.\r\n\r\nThe adversary may identify a\
+ \ vulnerability in the baseband API through fuzzing techniques[1]. Vulnerabilities\
+ \ that could enable an adversary to execute code include memory boundary violations,\
+ \ including buffer overflows that affect the stack and the heap on the baseband.\
+ \ Vulnerabilities such as buffer overflow vulnerabilities are often found due\
+ \ to insecure coding practices. Although fuzzing has been demonstrated to be a\
+ \ viable approach to identify vulnerabilities, vulnerabilities may be discovered\
+ \ by adversaries through additional techniques including physical examination/tampering\
+ \ and binary executable analysis.\r\n\r\n"
+ detections: []
+ id: FGT1203.502
+ mitigations: []
+ name: Baseband API
+ object-type: technique
+ platforms: 5G, 4G, 3G
+ preconditions:
+ - Description: Exploitation requires the ability to communicate with the baseband
+ API.
+ Name: Baseband API Access
+ references:
+ - ' \[1\] [Imtiaz Karim, Fabrizio Cicala, Syed Rafiul Hussain,
+ Omar Chowdhury, and Elisa Bertino. 2020. ATFuzzer: Dynamic Analysis Framework
+ of AT Interface for Android Smartphones. Digital Threats 1, 4, Article 23 (December
+ 2020)](https://dl.acm.org/doi/10.1145/3416125)'
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1203
+ tactics:
+ - TA0002
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: N/A
+ addendums:
+ - "#### Addendum Name: Baseband Exploits\r\n##### Architecture Segments: UE\r\n\
+ \ An adversary may develop exploits that target the UE to execute malicious code.\
+ \ The adversary may identify a vulnerability in the UE modem and exploit this\
+ \ to execute malicious code. The adversary may need specific knowledge of the\
+ \ modems, e.g.[T1592.001]( https://attack.mitre.org/techniques/T1592/001/), used\
+ \ in specific UEs and exploits might be viable for specific models of UEs or the\
+ \ class of UE utilizing a specific version of firmware, e.g. [T1592.003]( https://attack.mitre.org/techniques/T1592/003/).\
+ \ Vulnerabilities may be discovered in multiple ways and exploiting the vulnerability\
+ \ may require previous use of techniques to obtain an operator RAN position or\
+ \ deploy a false base station, such as in [FGT1583.501]( https://fight.mitre.org/techniques/FGT1583.501),\
+ \ to which the UE would connect. \r\n"
+ architecture-segment: UE
+ bluf: Adversaries may develop exploits that can be used during targeting.
+ description: "Adversaries may develop exploits that can be used during targeting.\r\
+ \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1587/004)\r\
+ \n"
+ detections:
+ - detects: Use of stack canaries by the firmware author can be used to detect manipulation
+ of stack return addresses,
+ fgdsid: DS0008
+ name: Kernel
+ id: FGT1587.004
+ mitigations: []
+ name: Exploits
+ object-type: technique
+ platforms: UE Baseband
+ preconditions:
+ - Description: Adversary may need to deploy their own base station (and possibly
+ core network) in a lab environment for exploit development and testing.
+ Name: Lab test environment
+ procedureexamples:
+ - Description: Researchers[1] analyzed firmware for vulnerabilities and identified
+ stack overflow vulnerability in an XML parser inside the baseband that parses
+ IMS messages.
+ Name: Stack Overflow
+ references:
+ - " \\[1\\] [M.Grassi and X. Chen, \u201COver The Air Baseband\
+ \ Exploit: Gaining Remote\nCode Execution on 5G Smartphones, Retrieved May 16,\
+ \ 2023](https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf)"
+ - " \\[2\\] [I.Karim, F.Cicala, et.al.,\u201CATFuzzer: Dynamic\
+ \ Analysis Framework of AT Interface\nfor Android Smartphones,\u201D Retrieved\
+ \ May 16, 2023](https://dl.acm.org/doi/pdf/10.1145/3416125)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1587
+ tactics:
+ - TA0042
+ typecode: attack_subtechnique_addendum
+- access-required: N/A
+ architecture-segment: RAN, Control Plane, User Plane
+ bluf: An adversary may create an operator network to facilitate applying techniques
+ to a victim UE.
+ description: " An adversary may create an operator network to facilitate applying\
+ \ techniques to a victim UE.\r\n\r\nAn adversary may create a fully functional\
+ \ operator network such as a 5G core and false base station to exploit the user\
+ \ and/or UE. Creation of a false base station may not be sufficient in a 5G network\
+ \ to further the adversary\u2019s objectives due to security improvements from\
+ \ earlier generations. The availability of open 5G core and RAN software and services\
+ \ make this viable for an adversary. The adversary, controlling the 5G network\
+ \ the UE attaches, via additional techniques, such as [FGT1583.501](https://fight.mitre.org/techniques/FGT1583.501/),\
+ \ may redirect the UE or use [FGT1562.501](https://fight.mitre.org/techniques/FGT1562.501)\
+ \ to perform a downgrade attack to weaken end-to-end security. Techniques such\
+ \ as [FGT5009]( https://fight.mitre.org/techniques/FGT5009/) may also be utilized\
+ \ by the adversary to evade defenses.\r\n\r\n\r\n"
+ detections: []
+ id: FGT1587.501
+ mitigations:
+ - fgmid: M1056
+ mitigates: The development aspect is not visible to the UE or Operator and is
+ therefore not easily or possible to mitigate.
+ name: Pre-compromise
+ name: Operator Network
+ object-type: technique
+ platforms: 5G
+ references:
+ - " \\[1\\] [M.Grassi and X. Chen, \u201COver The Air Baseband\
+ \ Exploit: Gaining Remote Code Execution on 5G Smartphones\u201D, Retrieved May\
+ \ 16, 2023.](https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf)"
+ status: This a 5G relevant behavior that has been demonstrated in a successful proof
+ of concept
+ subtechnique-of: FGT1587
+ tactics:
+ - TA0042
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: N/A
+ architecture-segment: Control Plane
+ bluf: An adversary obtains network access through illicit means in order to install
+ instrumentation.
+ description: " An adversary obtains use of network or signaling infrastructure in\
+ \ order to apply techniques against 5G networks.\r\n\r\nAn adversary may attempt\
+ \ to legitimately or illegitimately acquire network or signaling, e.g. SS7, infrastructure\
+ \ capabilities that are able to communicate with other operator environments.\
+ \ Unlike [T1650 \u2013 Acquire Access](https://attack.mitre.org/techniques/T1650),\
+ \ the adversary is not acquiring access through an underground market and the\
+ \ adversary may be part of a legitimate organization that has obtained access.\
+ \ The adversary, working within the legitimate organization, may then use that\
+ \ legitimately obtained access in unauthorized ways. The adversary may also be\
+ \ acquiring infrastructure access through coercion or subterfuge from a legitimate\
+ \ operator or service provider. The adversary may use this network infrastructure,\
+ \ however obtained, as a position to apply additional follow-on behaviors. \r\n\
+ \r\n\r\n"
+ detections:
+ - detects: Logs from firewalls may be useful for detecting adversary activities
+ through signaling or via other network access protocols protected by firewalls.
+ fgdsid: DS0018
+ name: Firewall
+ id: FGT1583.508
+ mitigations:
+ - fgmid: M1037
+ mitigates: Use of firewall capabilities may allow filtering for a number of different
+ paths, protocols, and networks. Firewall capability may permit restrictions
+ on SS7, SMS, IP, Diameter and other protocols.
+ name: Filter Network Traffic
+ name: Network Access
+ object-type: technique
+ platforms: 5G
+ references:
+ - " \\[1\\] [\u201CNSO offered \u2018bags of cash\u2019 for access\
+ \ to U.S. cell networks, whistleblower claims,\u201D Washington Post. Accessed:\
+ \ Apr. 11, 2023. [Online].](https://www.washingtonpost.com/technology/2022/02/01/nso-pegasus-bags-of-cash-fbi/)"
+ - " \\[2\\] [\u201CNSO Group's Recent Difficulties Could Shape\
+ \ the Future of the Spyware Industry,\u201D Infosecurity Magazine, Access: Sep.\
+ \ 11, 2011. [online]](https://www.infosecurity-magazine.com/news-features/nso-groups-difficulties-spyware/)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1583
+ tactics:
+ - TA0042
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: RAN, User Plane, UE
+ bluf: An adversary may send crafted GTP-U packets to the UPF/PGW in order to establish
+ an illicit session with a target UE.
+ criticalassets:
+ - Description: "UE\u2019s privacy is violated by the data session established by\
+ \ adversary."
+ Name: UE security is impacted
+ description: " An adversary may send crafted GTP-U packets to the UPF/PGW in order\
+ \ to establish an illicit session with a target UE.\r\n\r\nAdversary may send\
+ \ an encapsulated GTP-U packet to UPF/PGW from the internet with destination IP\
+ \ of inner IP the same as UE\u2019s private IP address and source IP of inner\
+ \ IP as its own IP or a server IP on the internet which is controlled by the adversary.\
+ \ UPF/PGW forwards the GTP-U packet to gNB/eNB. gNB/eNB decapsulates the GTP-U\
+ \ header and forwards the inner packet to the victim UE. UE responds to the message.\
+ \ The response message is received either by the adversary or by an adversary\
+ \ controlled malicious server on the internet. Thus, adversary establishes a two-way\
+ \ communication to the victim UE. Once the session is established, adversary can\
+ \ launch further attacks such as inserting malware, execute Remote Procedure Call\
+ \ (RPC) etc.\r\n\r\n"
+ detections:
+ - detects: Monitor incoming packets on N6/SGi interface for any unauthorized data
+ sessions.
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Examine all IP packets received from the internet at UPF/PGW with encapsulated
+ GTP-U payload.
+ fgdsid: FGDS5016
+ name: Payload checking
+ id: FGT1572.501
+ mitigations:
+ - fgmid: FGM5498
+ mitigates: GTP firewall can be used to prevent GTP-U based frauds. GTP in GTP
+ Identification can be used to prevent GTP reflection attacks. [2]
+ name: Limit incoming signaling and user plane traffic
+ - fgmid: M1031
+ mitigates: Network Intrusion Prevention.
+ name: Network Intrusion Prevention
+ - fgmid: M1041
+ mitigates: Use IPSec tunnel between gNB and UPF to prevent Adversary on the side
+ (AoTS) attacks.
+ name: Encrypt Sensitive Information
+ name: UE Access via GTP-U
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: UE is subject to further attacks such as malware insertion, RPC execution
+ etc.
+ Name: UE security is compromised
+ preconditions:
+ - Description: "Adversary figures out UE\u2019s private IP address by using open-source\
+ \ IP address scanning tools such as Shodan and they also figure out the TEID\
+ \ being used by the network. [See FGT5031 Discover TEID]\n\nNote: For LTE, the\
+ \ adversary needs to know TEIDs of two GTP tunnels: TEIDs on S5 and S1-U interfaces."
+ Name: Adversary has knowledge of UE IP address and TEID
+ procedureexamples:
+ - Description: "Adversary may send encapsulated GTP-U packet to UPF/PGW from the\
+ \ internet with destination IP of inner IP the same as UE\u2019s private IP\
+ \ address and source IP of inner IP as its own IP or a server IP on the internet\
+ \ which is controlled by the adversary. UPF/PGW forwards the GTP-U packet to\
+ \ gNB/eNB. gNB/eNB decapsulates the GTP-U header and forwards the inner packet\
+ \ to the victim UE. UE responds to the message. The response message is received\
+ \ either by the adversary or by an adversary controlled malicious server on\
+ \ the internet. Thus, adversary establishes a two-way communication to the victim\
+ \ UE. [1]\n\nAdversary may launch further attacks on victim UE such as inserting\
+ \ malware, execute Remote Procedure Call (RPC) etc.\n\nNote: For LTE, two GTP\
+ \ tunnels are used in the user plane. The first GTP tunnel is between PGW and\
+ \ SGW-U on S5 interface and the second GTP tunnel is between SGW-U and eNB on\
+ \ S1-U interface. Hence, the adversary needs to know the TEID of both GTP tunnels\
+ \ to launch this attack."
+ Name: Two way session is established between victim UE and adversary
+ references:
+ - " \\[1\\] [Trend Micro article: \u201COutside Looking In: How\
+ \ a Packet Reflection Vulnerability Could Allow Attackers to Infiltrate Internal\
+ \ 5G Networks\u201D](https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/plague-private-5g-networks)"
+ - " \\[2\\] [A10 Networks article: \u201CGTP FIREWALL IN 4G AND\
+ \ 5G MOBILE NETWORKS STRONG PROTECTION FOR ALL GTP INTERFACES\u201D.](https://www.a10networks.com/wp-content/uploads/A10-SB-19202-EN.pdf)"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1572
+ tactics:
+ - TA0001
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: User Plane
+ bluf: An adversary may discover a valid GTP-U TEID in order to apply additional
+ techniques.
+ criticalassets:
+ - Description: "UE\u2019s sensitive data such as its private IP address and GTP-U\
+ \ tunnel id (TEID) are revealed to adversary."
+ Name: UE privacy
+ description: " An adversary may discover a valid GTP-U TEID in order to apply additional\
+ \ techniques.\r\n\r\nThe GPRS Tunneling Protocol - User plane (GTP-U) is a protocol\
+ \ in both 4G and 5G that tunnels user data packets between the radio network (gNB/eNB)\
+ \ and the User Plane Function (UPF) in 5G, Serving Gateway (SGW) in 4G. In 4G,\
+ \ there is another GTP-U tunnel between SGW and Packet Data Network (PDN) Gateway\
+ \ (PGW). The GTP-U protocol header has a Tunnel Endpoint ID (TEID). Each UE is\
+ \ assigned a unique TEID for the GTP-U tunnel and it is used to carry data from\
+ \ multiple QoS flows. In order to apply additional techniques like hijacking the\
+ \ tunnel, the adversary needs to discover a valid TEID.\r\n\r\nAdversary may try\
+ \ to guess the TEID by sending a large number of encapsulated GTP-U packets to\
+ \ the UPF/PGW from the internet with different TEIDs, until a valid one is found.\
+ \ UPF/PGW forwards those packets to the UE through GTP-U tunnels. Following GTP-U\
+ \ tunnels are used: In 5G, N3 GTP-U tunnel between UPF and gNB, in 4G, S1-U GTP-U\
+ \ tunnel between SGW and eNB and S5 GTP-U tunnel between SGW and PGW. When target\
+ \ IP address and TEID match, the adversary may receive a response indicating success.\
+ \ Some core networks show affinity to certain ranges of TEIDs under certain conditions,\
+ \ making brute forcing easier. Once TEID is known, further attacks can be launched\
+ \ to slow down or crash the targeted UE.\r\n\r\n"
+ detections:
+ - detects: Monitor incoming packets on N6 and SGi interfaces for any unauthorized
+ data sessions.
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Inspect the payloads of all incoming packets to filter encapsulated GTP-U
+ on internet facing interface of UPF and PGW.
+ fgdsid: FGDS5016
+ name: Payload checking
+ id: FGT5031
+ mitigations:
+ - fgmid: M1031
+ mitigates: Network Intrusion Prevention.
+ name: Network Intrusion Prevention
+ - fgmid: M1041
+ mitigates: Use IPSec between gNB and UPF, eNB and SGW, SGW and PGW. Use strong
+ encryption algorithms to prevent eavesdropping on subscriber payload data including
+ their private IP addresses.
+ name: Encrypt Sensitive Information
+ - fgmid: FGM5507
+ mitigates: Randomize TEID allocations.
+ name: TEID allocation
+ - fgmid: FGM5508
+ mitigates: Refresh TEIDs frequently to make discovery of TEID to UE IP address
+ mapping harder.
+ name: Refresh TEIDs
+ name: Discover TEID
+ object-type: technique
+ platforms: 5G
+ preconditions:
+ - Description: "Retrieve the target UE\u2019s private IP address using open-source\
+ \ search engines e.g. shodan."
+ Name: "Obtain victim UE\u2019s private IP address"
+ procedureexamples:
+ - Description: "Adversary sends large number of encapsulated GTP-U packets with\
+ \ different TEIDs to a particular UE whose IP address is known to the adversary.\
+ \ Encapsulated GTP-U packets are sent from the internet to UPF/PGW and UPF/PGW\
+ \ forwards those packets to the UE via gNB/eNB. If response is received for\
+ \ a GTP-U packet, UE\u2019s TEID will be known to the adversary. [1]\n\nFor\
+ \ example, adversary may launch further attacks such as GTP-U tunnel hijack\
+ \ and DoS to the target UE.\n\nIn 5G, the TEID of N3 GTP-U tunnel needs to be\
+ \ discovered by the adversary. In 4G, the adversary needs to discover TEID of\
+ \ S1-U GTP-U tunnel and S5 GTP tunnel."
+ Name: Send large number of GTP-U packets via UPF/PGW/SGW to the target UE
+ references:
+ - " \\[1\\] [TrendMicro publication: \u201CA Deep Dive into the\
+ \ Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Networks\
+ \ - Security News.\u201D](https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/plague-private-5g-networks)"
+ status: This a 5G relevant behavior that has been demonstrated in a successful proof
+ of concept
+ tactics:
+ - TA0007
+ typecode: fight_technique
+- architecture-segment: Control Plane
+ bluf: An adversary controlled UE may be used to send crafted NAS messages to AMF
+ to crash or slow down the AMF.
+ criticalassets:
+ - Description: 5G core network functions can be slowed down or crashed which causes
+ temporary network outage for UEs and gNBs.
+ Name: Core network functions
+ description: " An adversary controlled UE may be used to send crafted NAS messages\
+ \ to AMF to crash or slow down the AMF.\r\n\r\nAMF processes registration request\
+ \ messages from UE and it works with other NFs in the core to respond to those\
+ \ messages. By sending crafted NAS messages from UE, an adversary may force 5G\
+ \ core AMF or other Control Plane functions to go into undefined states, and might\
+ \ result in DoS. UEs use NAS connection (via N1 interface) to the core AMF function.\
+ \ A specially crafted message can be used to cause coding or parsing error which\
+ \ can potentially crash the AMF. Existing UEs and new UEs may not be able to get\
+ \ service from the 5G network.\r\n\r\n"
+ detections:
+ - detects: 'Examine all header fields of control plane messages received in the
+ uplink direction from UE to the core.
+
+ This can be done either by logging all messages received by the NF or by using
+ a proxy or firewall at the core network entry point.'
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Test all software patches for each core NF.
+ fgdsid: FGDS5015
+ name: Image verification
+ id: FGT1498.503
+ mitigations:
+ - fgmid: FGM5511
+ mitigates: Check for NAS message with incorrect or very large length, examine
+ all header fields. Improve message parsing mechanism by discarding messages
+ with improper header lengths.
+ name: Verify NAS messages from UE
+ - fgmid: FGM5512
+ mitigates: Use high availability feature for all core network functions.
+ name: Use high availability
+ name: UE DoS to AMF
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Some 5G core network services will be unavailable causing temporary
+ network outage.
+ Name: Network services unavailable
+ preconditions:
+ - Description: A compromised COTS UE or a UE with open-source code running in an
+ SDR can be used to run malicious application code. This can be used to generate
+ the specially crafted NAS message to be sent towards AMF.
+ Name: Compromise a UE or a purpose built UE
+ procedureexamples:
+ - Description: Adversary controlled UE sends a crafted NAS message towards AMF with
+ the length field increased to a very large value. If AMF does not do proper
+ header parameters check including length check, it can cause buffer overflow
+ in the AMF which can force AMF to go to an undefined state or crash. This will
+ cause Denial of Service for existing and future UEs. [1,2,3]
+ Name: AMF is targeted from UE using malformed NAS message
+ references:
+ - " \\[1\\] [Github post: \u201C[NAS] fix the security issue\
+ \ (ZDI-CAN-14043)\u201D](https://github.com/open5gs/open5gs/commit/00c96a3f0ffd12c4330bee9a3f9596f8e4b86b6f)"
+ - " \\[2\\] [CVE-2021-44081: \u201CA buffer overflow vulnerability\
+ \ exists in the AMF of open5gs 2.1.4. When the length of MSIN in Supi exceeds\
+ \ 24 characters, it leads to AMF denial of service.\u201D](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44081)"
+ - " \\[3\\] [CVE-2022-43677: \u201CA crafted malformed NGAP message\
+ \ can crash AMF and NGAP decoder\u201D.](https://github.com/free5gc/free5gc/issues/402)"
+ status: This a 5G relevant behavior that has been demonstrated in a successful proof
+ of concept
+ subtechnique-of: FGT1498
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: User Plane
+ bluf: An adversary-controlled UE may be used to send a GTP-U packet to UPF/PGW with
+ a malicious payload in order to evade UPF/PGW routing controls to establish communications
+ with a core NF.
+ criticalassets:
+ - Description: Core NF is illegitimately accessed from the UE via user plane function
+ UPF/PGW.
+ Name: Core network functions accessed from the user plane
+ description: " An adversary-controlled UE may be used to send a GTP-U packet to\
+ \ UPF/PGW with a malicious payload in order to evade UPF/PGW routing controls\
+ \ to establish communications with a core NF.\r\n\r\nThe UPF/PGW is the core network\
+ \ function supporting the user plane. It tunnels user data packets from the radio\
+ \ access networks (gNB/eNB) towards data networks (such as the Internet). Other\
+ \ core network functions (NFs) - such as the Session Management Function (SMF)\
+ \ - support the control plane. In this threat, a user plane packet crosses over\
+ \ to the control plane. \r\n\r\nThe UPF/PGW normally processes GTP-U packets to\
+ \ and from the radio access network (gNB/eNB). A GTP-U packet, after the header\
+ \ is stripped, should contain a regular user data IP packet, with the source IP\
+ \ address of the UE, and the destination an external IP address (Internet). However,\
+ \ in this case, it contains a control packet addressed to a core network function\
+ \ for instance the SMF. The UPF/PGW should then drop this packet, but in some\
+ \ implementations it was found that the UPF/PGW may instead route it as indicated.\r\
+ \n\r\nThus, if UPF/PGW does not do proper parameter checks, it may route the packet\
+ \ to an improper destination such as a core network function in the control plane\
+ \ e.g. SMF, it can cause the NF to go to an undefined state and the NF may crash.\r\
+ \n\r\n\r\n"
+ detections:
+ - detects: Examine all header fields and encapsulated payload of user plane packets
+ received in the uplink direction from UE.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1599.505
+ mitigations:
+ - fgmid: FGM5510
+ mitigates: "Do not allow any packets received from UE which has destination address\
+ \ set to a core NF\u2019s IP address."
+ name: Filter packets to core NF sent by UE
+ name: GTP-U Abuse
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: "Core network function is DoS\u2019ed from the user plane."
+ Name: Core network functions impacted
+ preconditions:
+ - Description: A COTS UE or SDR UE can be used to prepare specially crafted GTP-U
+ packets to be sent to towards UPF/PGW.
+ Name: Compromise a UE
+ procedureexamples:
+ - Description: 'This is a UP to CP cross-over or network boundary bridging attack.
+ A specially crafted GTP-U packet containing a control plane packet is sent by
+ the adversary controlled UE to the UPF/PGW, e.g. a tunneled GTP-U packet can
+ be sent to trick the UPF/PGW. The payload packet contains the NF IP address
+ as the destination IP.
+
+
+
+ Without proper parameter validation, UPF/PGW may send the GTP-U payload to the
+ destination address in the control plane which can be SMF. The message can cause
+ the SMF to go to an undefined state and it may crash the SMF.'
+ Name: Core NF is attacked from UE using tunneled GTP-U packets via UPF/PGW
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1599
+ tactics:
+ - TA0005
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: N/A
+ architecture-segment: Control Plane
+ bluf: An adversary may send an unsolicited SS7/Diameter message to the core network
+ of a UE that will cause the core network to provide coarse location of the UE.
+ criticalassets:
+ - Description: "Subscriber\u2019s coarse location is revealed to the adversary."
+ Name: "UE\u2019s privacy is compromised"
+ description: " An adversary may send an unsolicited SS7/Diameter message to the\
+ \ core network of a UE that will cause the core network to provide coarse location\
+ \ of the UE.\r\n\r\nAn operator\u2019s network consists of a 5G Core and also\
+ \ auxiliary systems such as the IP Multimedia System (IMS). The IMS is used to\
+ \ provide voice and SMS services; this is accomplished via traditional protocols\
+ \ SS7 and Diameter between the IMS and 5G core functions. This subtechnique covers\
+ \ the abuse of such legitimate signaling to obtain the location of a UE.\r\n\r\
+ \nBackground info:\r\n5G SA core has interfaces to IMS core to support voice and\
+ \ SMS services. Diameter/SS7 attacks. In signaling plane, voice service uses Diameter\
+ \ based Rx interface between PCF and P-CSCF in IMS, Diameter based Sh interface\
+ \ between HSS/UDM and TAS in IMS, Diameter based Cx interface between HSS/UDM\
+ \ and I/S-CSCF. It also uses SIP/SDP based Gm interface between UPF and P-CSCF\
+ \ in the user plane. SMS over NAS service uses SS7 (MAP) based interface and S6c\
+ \ Diameter based interface from UDM to SMSC. It also uses MAP and SGd (Diameter)\
+ \ interfaces from SMSF to SMSC.\r\n\r\n\r\n"
+ detections:
+ - detects: Monitor all communications over Diameter and SS7/MAP based interfaces
+ to/from core network.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5012.008
+ mitigations:
+ - fgmid: FGM5004
+ mitigates: Use SMS router or firewall
+ name: Correctly configure SMS firewall
+ - fgmid: FGM5513
+ mitigates: Use Diameter End-to-end Signaling Security (DESS). Section 6.5.3 of
+ [4].
+ name: Use DESS security
+ name: Diameter signaling
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: Further attacks such as physical attack and eavesdropping on subscriber
+ private data are possible once their coarse location is known to the adversary.
+ Name: Further attacks on subscriber are possible
+ preconditions:
+ - Description: "Adversary collects victim UE\u2019s phone number from subscriber\u2019\
+ s physical address using internet based services such as numlooker.com."
+ Name: MSISDN or phone number of victim UE is known to adversary
+ procedureexamples:
+ - Description: "Adversary sets up a fake SMSC and then sends a specially crafted\
+ \ MAP SRI_SM Send Routing Info for Short Message Request (SRR) with victim UE\u2019\
+ s MSISDN to HSS/UDM. If SMS router/firewall is not setup or if it is setup incorrectly,\
+ \ HSS/UDM will return the IMSI/SUPI of the UE and the ID of AMF/MME\u2019s currently\
+ \ serving the UE in response Send Routing Info for SM Answer (SRA) message.\
+ \ Thus, adversary will know the coarse location of the UE e.g. part of the town\
+ \ where the victim UE is present [1]"
+ Name: "Subscriber\u2019s coarse location is retrieved via SS7/MAP signaling"
+ - Description: "Adversary sets up a fake IP-SM-GW or SMS-GMSC and then sends a specially\
+ \ crafted Send Routing Info for Short Message Request (SRR) with victim UE\u2019\
+ s MSISDN to HSS/UDM. If SMS router/firewall is not setup or if it is setup incorrectly,\
+ \ HSS/UDM will return the ID of AMF/MME\u2019s currently serving the UE in response\
+ \ Send Routing Info for SM Answer (SRA) message. Thus, adversary will know the\
+ \ coarse location of the UE e.g. part of the town where the victim UE is present.\
+ \ [2]"
+ Name: "Subscriber\u2019s coarse location is retrieved via Diameter signaling"
+ references:
+ - " \\[1\\] [International Conference on Cyber Conflict 2016:\
+ \ \u201CWe know where you are\".](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7529440)"
+ - " \\[2\\] [Positive Technologies article: \u201CNext Generation\
+ \ Networks, Next Level Cyber Security Problems\u201D.](https://www.ptsecurity.com/upload/iblock/a8e/diameter_research.pdf)"
+ - " \\[3\\] [Broadforward\u2019s SS7/MAP Firewall](https://www.broadforward.com/ss7-firewall-ss7fw/)"
+ - " \\[4\\] [GSMA IR.88 \u201CEPS Roaming Guidelines\u201D.](https://www.gsma.com/newsroom/wp-content/uploads/IR.88-v22.0.pdf)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5012
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- access-required: N/A
+ architecture-segment: Control Plane
+ bluf: An adversary may send an unsolicited SS7/Diameter message to the core network
+ of a UE that will cause the core network to provide IMSI/SUPI of the UE.
+ criticalassets:
+ - Description: "Subscriber\u2019s identity is revealed to the adversary."
+ Name: "UE\u2019s privacy is compromised"
+ description: " An adversary may send an unsolicited SS7/Diameter message to the\
+ \ core network of a UE that will cause the core network to provide IMSI/SUPI of\
+ \ the UE.\r\n\r\nAn operator\u2019s network consists of a 5G Core and also auxiliary\
+ \ systems such as the IP Multimedia System (IMS). The IMS is used to provide\
+ \ voice and SMS services; this is accomplished via traditional protocols SS7 and\
+ \ Diameter between the IMS and 5G core functions. This subtechnique covers the\
+ \ abuse of such legitimate signaling to obtain the permanent identifier of a UE.\
+ \ Once the IMSI/SUPI is obtained, adversary may launch further attacks such as\
+ \ retrieving location of the UE, network slice and data network that are being\
+ \ used by the UE etc.\r\n \r\nBackground info:\r\n5G SA core has interfaces to\
+ \ IMS core to support voice and SMS services. Diameter/SS7 attacks. In signaling\
+ \ plane, voice service uses Diameter based Rx interface between PCF and P-CSCF\
+ \ in IMS, Diameter based Sh interface between HSS/UDM and TAS in IMS, Diameter\
+ \ based Cx interface between HSS/UDM and I/S-CSCF. It also uses SIP/SDP based\
+ \ Gm interface between UPF and P-CSCF in the user plane. SMS over NAS service\
+ \ uses SS7 (MAP) based interface and S6c Diameter based interface from UDM to\
+ \ SMSC. It also uses MAP and SGd (Diameter) interfaces from SMSF to SMSC.\r\n\r\
+ \n"
+ detections:
+ - detects: Monitor all communications over Diameter and SS7/MAP based interfaces
+ to/from core network.
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT5019.005
+ mitigations:
+ - fgmid: FGM5004
+ mitigates: Use SMS router or firewall
+ name: Correctly configure SMS firewall
+ - fgmid: FGM5513
+ mitigates: Use Diameter End-to-end Signaling Security (DESS). Section 6.5.3 of
+ [4].
+ name: Use DESS security
+ name: Diameter signaling
+ object-type: technique
+ platforms: 5G Network
+ postconditions:
+ - Description: If IMSI/SUPI is obtained, many other subsequent attacks are possible
+ such as retrieving subscriber location, network slice, data network of the UE.
+ Name: IMSI/SUPI is available to the adversary
+ preconditions:
+ - Description: "Adversary collects victim UE\u2019s phone number from subscriber\u2019\
+ s physical address using internet based services such as numlooker.com."
+ Name: MSISDN or phone number of victim UE is known to adversary
+ procedureexamples:
+ - Description: "Diameter protocol:\nAdversary sets up a fake SMSC and then sends\
+ \ a specially crafted Send Routing Info for Short Message Request (SRR) with\
+ \ victim UE\u2019s MSISDN to HSS/UDM. If SMS router/firewall is not setup or\
+ \ if it is setup incorrectly, HSS/UDM will return the IMSI/SUPI of the UE and\
+ \ the ID of AMF/MME\u2019s ID currently serving the UE in response Send Routing\
+ \ Info for SM Answer (SRA) message.\n\nSS7 protocol:\nAdversary sets up a fake\
+ \ SMSC and then sends a specially crafted MAP SRI_SM Send Routing Info for Short\
+ \ Message Request (SRR) with victim UE\u2019s MSISDN to HSS/UDM. If SMS router/firewall\
+ \ is not setup or if it is setup incorrectly, HSS/UDM will return the IMSI/SUPI\
+ \ of the UE and the ID of AMF/MME\u2019s ID currently serving the UE in response\
+ \ Send Routing Info for SM Answer (SRA) message. [1, 2]"
+ Name: "UE\u2019s IMSI/SUPI is retrieved using SRR message"
+ - Description: "Diameter protocol: Adversary sets up an application server and sends\
+ \ a specially crafted User Data Request (UDR) message with victim UE\u2019s\
+ \ MSISDN to HSS/UDM. If HSS/UDM is not configured properly, HSS/UDM will return\
+ \ the IMSI/SUPI of the UE in User Data Answer (UDA) response message. [2]"
+ Name: "UE\u2019s IMSI/SUPI is retrieved using Diameter UDR message"
+ references:
+ - " \\[1\\] [International Conference on Cyber Conflict 2016:\
+ \ \u201CWe know where you are\".](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7529440)"
+ - " \\[2\\] [Positive Technologies article: \u201CNext Generation\
+ \ Networks, Next Level Cyber Security Problems\u201D](https://www.ptsecurity.com/upload/iblock/a8e/diameter_research.pdf)"
+ - " \\[3\\] [Broadforward\u2019s SS7/MAP Firewall](https://www.broadforward.com/ss7-firewall-ss7fw/)"
+ - " \\[4\\] [GSMA IR.88 \u201CEPS Roaming Guidelines\u201D.](https://www.gsma.com/newsroom/wp-content/uploads/IR.88-v22.0.pdf)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5019
+ tactics:
+ - TA0007
+ - TA0009
+ typecode: fight_subtechnique
+- architecture-segment: O-RAN, RAN
+ bluf: Malicious xApps may gain unauthorized access to near-RT RIC and E2 nodes,
+ in order to affect Radio Access Network (ran) behavior.
+ criticalassets:
+ - Description: Adversary may impact normal RAN functions.
+ Name: 'Near-RT RIC function: RAN optimization'
+ - Description: "Adversary may disrupt RAN operations by changing UE\u2019s slice\
+ \ priority and QoS parameters which results in denying new connections or dropping\
+ \ existing connections."
+ Name: RAN configuration data
+ - Description: "UE data includes UE\u2019s coarse location, temporary identifier\
+ \ and correlation of UE temporary identifier to other service related data e.g.\
+ \ DNN, NSSAI etc. See clause 6.2.1 of [2]."
+ Name: UE data
+ - Description: Adversary has read/write access to database containing sensitive
+ network data such as QoS policies and slice priority.
+ Name: Sensitive network data
+ description: " Malicious xApps may gain unauthorized access to near-RT RIC and E2\
+ \ nodes, in order to affect Radio Access Network (RAN) behavior. \r\n\r\nxApps\
+ \ are application software that may be developed by third party vendors. They\
+ \ reside in the Near Real Time (near-RT) RAN Intelligent Controller (RIC) after\
+ \ onboarding is done by ORAN orchestration system. Near-RT RICs control and optimize\
+ \ RAN functions for events ranging from 10 ms to 1 sec. xApps manage Radio Resource\
+ \ Management (RRM) functions of RAN via E2 interface. The following components\
+ \ are controlled by xApps by using APIs: E2 nodes such as O-DU, O-RU, O-CU-CP\
+ \ and O-CU-UP. Near-RT RIC and xApps are managed by non-RT RIC via A1 interface\
+ \ for RAN optimizations and by SMO via O1 interface for lifecycle management.\r\
+ \n\r\nDuring onboarding of xApps, malware may be installed by the adversary in\
+ \ xApps which can gain unauthorized access to near-RT RIC by exploiting weak or\
+ \ misconfigured authentication mechanism in near-RT RIC. A malicious xApp image\
+ \ may be crafted by the adversary and then installed in near-RT RIC during onboarding.\
+ \ A legitimate xApp may be cloned in near-RT RIC by an insider adversary.\r\n\r\
+ \nOnce installed in near-RT RIC, the rogue xApp may indirectly access E2 nodes\
+ \ via APIs by penetrating traffic separating firewalls within ORAN. The rogue\
+ \ xApp may change behavior of near-RT RIC which will impact RAN functions such\
+ \ as coverage, network slicing, QoS etc.\r\n \r\n\r\n"
+ detections:
+ - detects: Monitor access token usage by xApps.
+ fgdsid: DS0006
+ name: Web Credential
+ - detects: 'Perform real-time audits and post-processing of logs.
+
+ Detect which parts of the RAN is accessed by each xApp e.g. O-DU, O-CU-CP, O-CU-UP,
+ O-RU etc.'
+ fgdsid: DS0010
+ name: Cloud Storage
+ - detects: Monitor logs for authentication/authorization of xApps to near-RT RIC
+ and E2 nodes, logs for each transaction done by xApps to E2 nodes. Audit logs
+ and telemetry data for unauthorized activities.
+ fgdsid: DS0025
+ name: Cloud Service
+ - detects: Verify and refresh frequently digital signatures used for authenticating
+ xApps by near-RT RIC and E2 nodes.
+ fgdsid: DS0037
+ name: Certificate
+ - detects: Verify xApp image hash
+ fgdsid: FGDS5015
+ name: Image verification
+ - detects: Monitor all xApps onboarding processes. Use host scanning tools to detect
+ malware insertions.
+ fgdsid: FGDS5021
+ name: Monitor 3rd party application onboarding
+ id: FGT5034
+ mitigations:
+ - fgmid: FGM5091
+ mitigates: Use strong authentication and authorization for 3rd party xApps during
+ onboarding and use strong mutual authentication between xApps and near-RT RIC
+ and between xApp and E2 nodes.
+ name: Mutual authentication
+ - fgmid: M1030
+ mitigates: Restrict SW paths for some network components using standard protocols
+ such as SSL, REST/HTTPS etc.
+ name: Network Segmentation
+ - fgmid: M1033
+ mitigates: Use only trusted supply chain, rigorous scanning of software images.
+ Limit Software Installations especially from 3rd party sources.
+ name: Limit Software Installation
+ - fgmid: M1043
+ mitigates: Credential Access Protection - Use capabilities to prevent successful
+ credential access by adversaries; including blocking forms of credential dumping.
+ name: Credential Access Protection
+ - fgmid: M1045
+ mitigates: Verify digital signature of xApp
+ name: Code Signing
+ - fgmid: FGM5516
+ mitigates: Make the tokens short lived to prevent replay of token attacks (AiTM).
+ name: Make xApp sessions short lived
+ name: Radio control manipulation via rogue xApps
+ object-type: technique
+ platforms: O-RAN
+ postconditions:
+ - Description: Adversary degrades network operation or in the worst case causes
+ temporary network outage.
+ Name: Network operations impacted
+ - Description: "Operator\u2019s network policies are known to the adversary."
+ Name: Sensitive network data exposed to adversary
+ - Description: "UE and subscriber\u2019s sensitive data is revealed to the adversary."
+ Name: Sensitive UE data exposed to adversary
+ preconditions:
+ - Description: 'Adversary installs rogue xApp in near-RT RIC via malware during
+ onboarding and it finds out weak authentication mechanism in near-RT RIC to
+ gain entry in the O-RAN systems.
+
+
+ A legitimate xApp may be cloned by adversary to launch further attacks.'
+ Name: Adversary has access to near-RT RIC during onboarding or via insider attack
+ procedureexamples:
+ - Description: 'Adversary may exploit weakly configured authentication mechanism
+ in near-RT RIC and E2 nodes for the xApps and may gain unauthorized access to
+ near-RT RIC and thus affect E2 nodes.
+
+
+ Adversary may access E2 nodes such as O-DU, O-RU, O-CU-CP and O-CU-UP via E2
+ interface by using E2 related APIs. Clause 5.4.1.4 of [1], clause 7.3 of [2]
+ and [3].'
+ Name: Malicious xApp gets access to near-RT RIC and E2 nodes.
+ - Description: "Rogue xApp may change behavior of near-RT RIC by intercepting or\
+ \ modifying A1 messages to/from non-RT RIC or O1 messages to/from SMO. Some\
+ \ examples of attacks are:\n\nDoS attack on network and UEs by changing slice\
+ \ priority and QoS parameters, steal network and UE information and track UE\u2019\
+ s location."
+ Name: Rogue xApp changes behavior of ORAN system
+ - Description: "When a new xApp is deployed, it is authenticated by near-RT RIC.\
+ \ If authentication is successful, near-RT RIC provides an ID to the xApp and\
+ \ it creates a Managed Object Instance (MOI) for the xApp. MOI is used by SMO\
+ \ to manage xApps. \n\nAiTM attack may be launched by adversary by monitoring\
+ \ and replaying a stolen token or MOI of a legitimate xApp. This may change\
+ \ behavior of near-RT RIC and impact RAN functions such as coverage, network\
+ \ slicing and QoS. Clause 9.4.1 of [2]."
+ Name: xApps stolen token/MOI
+ references:
+ - \[1\] [O-RAN Security Threat Model 6.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - \[2\] [O-RAN WG3 Near-RT RIC Architecture 4.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
+ - " \\[3\\] [Ericsson white paper: \u201CSecurity considerations\
+ \ of Open RAN\u201D.](https://www.ericsson.com/en/security/security-considerations-of-open-ran)"
+ status: This is a theoretical behavior
+ tactics:
+ - TA0001
+ - TA0008
+ typecode: fight_technique
+- architecture-segment: O-RAN, RAN
+ bluf: Adversary may jam to impact IAB or mIAB (gNB) node's communications to impact
+ the UEs and downstream IAB node's ability to connect to network.
+ criticalassets:
+ - Description: 5G RAN services are disrupted during jamming attack.
+ Name: Network operations disrupted
+ description: " Adversary may jam to impact IAB or mIAB (gNB) node's communications\
+ \ to impact the UEs and downstream IAB node\u2019s ability to connect to network.\r\
+ \n\r\nIf one or more Integrated Access and Backhaul (IAB) nodes or mobile IAB\
+ \ (mIAB) or gNBs wireless backhaul connection is jammed in tactical or mobile\
+ \ network deployment, the network connectivity will be disrupted. This will cause\
+ \ temporary DoS attack for some users until an alternate connection is available.\r\
+ \n\r\nMobile IAB nodes are small cell base stations which are typically deployed\
+ \ on a vehicle placed in strategic areas. For example, mIAB node can be deployed\
+ \ near a stadium for a game event. The backhaul traffic from the mIAB node is\
+ \ carried over the air to the next hop base station. The next hop gNB can be another\
+ \ IAB node or a fixed base station (aka donor IAB) which has a wired connection\
+ \ to the 5G core network.\r\n\r\nAn IAB node may use the same or different RF\
+ \ frequency bands for the backhaul traffic to the upstream IAB node and for providing\
+ \ network access to the UEs connected to itself. If the same frequency band is\
+ \ used for backhaul and access, it is known as in-band deployment and if different\
+ \ frequency bands are used for backhaul and access, it is known as out-of-band\
+ \ deployment. The adversary may choose to jam both frequency bands in case of\
+ \ out-of-band deployment to disrupt both backhaul and access communications.\r\
+ \n\r\nThe adversary may impact communications of the target IAB node, the IAB\
+ \ nodes that are downstream from the target IAB node and all UEs that are connected\
+ \ to the target IAB node and all UEs that are connected to downstream IAB nodes.\
+ \ [2]\r\n\r\n"
+ detections:
+ - detects: Monitor gNB logs for abnormal service outage.
+ fgdsid: FGDS5020
+ name: Monitor unplanned service outage
+ id: FGT5024
+ mitigations:
+ - fgmid: FGM5515
+ mitigates: Move the mIAB node to another location to avoid jamming and establish
+ a new connection to the next hop base station.
+ name: Move mIAB node
+ name: IAB Denial of Service
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Legitimate subscribers are not able to connect to 5G network.
+ Name: Network operations are impacted
+ preconditions:
+ - Description: Adversary must be positioned in the same area as the victim IAB node
+ with a wireless sniffer device and a jamming device equipped with sufficient
+ transmit power.
+ Name: Adversary in the same vicinity as victim IAB node
+ - Description: Adversary impacts all communications associated to the victim IAB
+ node i.e. both access and backhaul.
+ Name: Adversary jams all communications of the victim IAB node
+ procedureexamples:
+ - Description: Adversary monitors transmissions on the IAB node backhaul and access
+ links with a wireless sniffer device. Then it starts transmitting bogus RF signal
+ with enough transmit power to jam the backhaul and access link communications.
+ This will disrupt connectivity to the network of the victim IAB node, all IAB
+ nodes that are downstream from victim IAB node, all UEs which are connected
+ to the victim IAB node and all UEs which are connected to downstream IAB nodes.
+ Name: IAB or mIAB node is jammed by adversary.
+ references:
+ - " \\[1\\] [5G Americas White Paper: \u201CInnovations in 5G\
+ \ Backhaul Technologies; IAB, HFC & FIBER\u201D, June 2020.](https://www.5gamericas.org/wp-content/uploads/2020/06/Innovations-in-5G-Backhaul-Technologies-WP-PDF.pdf)"
+ - " \\[2\\] [3GPP TS 38.401: \u201CNG-RAN; Architecture description\u201D\
+ .](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3219)"
+ status: This is a theoretical behavior
+ tactics:
+ - TA0040
+ typecode: fight_technique
+- access-required: N/A, N/A
+ addendums:
+ - "#### Addendum Name: IMSI Catcher\r\n##### Architecture Segments: RAN, UE\r\n\
+ \ An adversary may build an International Mobile Subscriber Identity (IMSI) catcher\
+ \ to capture IMSI numbers from nearby UEs in a target area.\r\n\r\nIMSI catchers\
+ \ are very similar to fake base stations but may not have full capabilities of\
+ \ the base station. The IMSI Catcher term has been traditionally associated with\
+ \ UE identity discovery or location identification. Adversary may build one with\
+ \ open-source code and generic radio transceivers. Open-source code for software\
+ \ defined radio, or RAN test equipment, or simulators can also be modified to\
+ \ create an IMSI catcher.\r\n\r\n"
+ - "#### Addendum Name: Silent paging tool\r\n##### Architecture Segments: RAN, UE\r\
+ \n An adversary may build or develop a silent SMS tool in order to send SMSs to\
+ \ nearby phones in a target area.\r\n\r\nA silent SMS is described in the specification\
+ \ GSM 03.40 as a Short Message of type 0, which indicates that the UE must acknowledge\
+ \ receipt of the short message but may discard its contents.\r\n\r\nIt is possible\
+ \ to build/develop an application to send silent SMS messages, which can run on\
+ \ a regular phone (UE) that can register to a local network. That application\
+ \ can be used to send a silent SMS to a target UE using the phone number (MSISDN).\r\
+ \n\r\n"
+ architecture-segment: RAN, UE
+ bluf: Adversaries may build capabilities that can be used during targeting.
+ description: "Adversaries may build capabilities that can be used during targeting.\r\
+ \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1587)\r\
+ \n"
+ detections: []
+ id: FGT1587
+ mitigations:
+ - fgmid: M1056
+ mitigates: This technique cannot be easily mitigated with preventive controls
+ since it is based on behaviors performed outside of the scope of the mobile
+ network operator.
+ name: Pre-compromise
+ name: Develop Capabilities
+ object-type: technique
+ platforms: RAN, RAN
+ references:
+ - " \\[1\\] [Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin\
+ \ Mulazzani, and Edgar Weippl. \u201CIMSI-catch me if you can: IMSI-catcher-catchers\u201D\
+ . In Proceedings of the 30th annual computer security applications Conference,\
+ \ pages 246\u2013255, 2014.](https://its-wiki.no/images/f/fb/Dabrowski_ISMI_Catch_me_Catchers.pdf)"
+ - " \\[2\\] [Ravishankar Borgaonkar, Altaf Shaik, \u201C5G IMSI\
+ \ Catchers Mirage\u201D, Blackhat USA Conference 2021.](https://blackhat.com/us-21/briefings/schedule/#g-imsi-catchers-mirage-23538)"
+ - " \\[3\\] [\u201CHOW COPS CAN SECRETLY TRACK YOUR PHONE\u201D\
+ , The Intercept online article, July 31, 2021. Accessed 6/22/2022.](https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/)"
+ - " \\[4\\] [A Knight, Brier & Thorn, \u201CHacking GSM: Building\
+ \ a Rogue Base Station to Hack Cellular Devices\u201D, Online Article. Accessed\
+ \ 6/22/2022.](https://www.brierandthorn.com/post/hacking-gsm-building-a-rogue-base-station-to-hack-cellular-devices)"
+ - " \\[1\\] [Information Security Newspaper, \u201CHow to hack\
+ \ and track anybody\u2019s phone location via silent SMS messages\u201D.](https://www.securitynewspaper.com/2023/06/20/how-to-hack-track-anybodys-phone-location-via-silent-sms-messages/)"
+ - \[2\] [Silent-sms-ping github repository](https://github.com/MatejKovacic/silent-sms-ping)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0042
+ typecode: attack_technique_addendum
+- addendums:
+ - "#### Addendum Name: Rogue Operator Network\r\n##### Architecture Segments: Control\
+ \ Plane, RAN\r\n An adversary may install or set up a customized core mobile network\
+ \ in a target environment to enable follow-on behaviors.\r\n\r\nAn adversary may\
+ \ install, or otherwise set up a 5G core network capability that can be used during\
+ \ targeting. To support their operations, an adversary will likely obtain this\
+ \ capability (e.g. from open source software), and then proceed to stage it on\
+ \ a server (COTS) under their control. For a complete mobile network set-up, a\
+ \ radio access network (e.g. fake base station) would also be used, connected\
+ \ to this core network.\r\n\r\n\r\n"
+ architecture-segment: Control Plane, RAN
+ bluf: Adversaries may upload, install, or otherwise set up capabilities that can
+ be used during targeting.
+ description: "Adversaries may upload, install, or otherwise set up capabilities\
+ \ that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK\
+ \ page for this technique](https://attack.mitre.org/techniques/T1608)\r\n"
+ detections: []
+ id: FGT1608
+ mitigations: []
+ name: Stage Capabilities
+ object-type: technique
+ platforms: 5G Core
+ references:
+ - " \\[1\\] [M.Grassi & X. Chen, \u201COver The Air Baseband\
+ \ Exploit: Gaining Remote Code Execution on 5G Smartphones,\u201D retrieved May\
+ \ 16, 2023](https://dl.acm.org/doi/abs/10.1145/3395351.3399360)"
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0042
+ typecode: attack_technique_addendum
+- architecture-segment: Control Plane
+ bluf: An adversary may operationalize a customized mobile network in a target environment
+ to enable other follow-on behaviors against UEs.
+ criticalassets:
+ - Description: UEs that are lured to connect to a fake network may lose functionality.
+ The registration signaling will likely fail in the end.
+ Name: UE functionality
+ description: " An adversary may operationalize a customized mobile network in a\
+ \ target environment to enable other follow-on behaviors against UEs.\r\n\r\n\
+ An adversary enables the programmability of a rogue mobile network, in order to\
+ \ be able to connect a victim UE to a hostile/fake operator network. This is software\
+ \ that can run on a single piece of hardware. To configure it, the configuration\
+ \ files would need to be updated: configure PLMN identifiers, radio frequency\
+ \ spectrum, IP addresses for core components. Configuration for connecting to\
+ \ one or more radio access nodes (e.g. base station) may also be done.\r\n\r\n\
+ This technique is to be used in conjunction with the equivalent technique for\
+ \ fake base station FGT1608.501. \r\n\r\n\r\n"
+ detections: []
+ id: FGT1608.502
+ mitigations: []
+ name: Configure Operator Core Network
+ object-type: technique
+ platforms: 5G Core
+ procedureexamples:
+ - Description: 'Adversary obtains software capability such as: open source software
+ (e.g Open5GS, free5GC) to set up a rogue operator network, with sufficient capability
+ to achieve follow-on behavior.'
+ Name: Obtain capability for configuration of a rogue mobile network core
+ references:
+ - " \\[1\\] [M.Grassi & X. Chen, \u201COver The Air Baseband\
+ \ Exploit: Gaining Remote\nCode Execution on 5G Smartphones,\u201D retrieved May\
+ \ 16, 2023](https://dl.acm.org/doi/abs/10.1145/3395351.3399360)"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1608
+ tactics:
+ - TA0042
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: N/A
+ architecture-segment: RAN
+ bluf: Adversary sends a spoofed or silent SMS to trigger paging of UE, to retrieve
+ the subscriber profile identifier.
+ criticalassets:
+ - Description: ''
+ Name: UE identifier
+ description: " Adversary sends a spoofed or silent SMS to trigger paging of UE,\
+ \ to retrieve the subscriber profile identifier. \r\n\r\nA UE has a permanent\
+ \ identifier (IMSI or SUPI), but also a temporary one (\u201CTemporary Mobile\
+ \ Subscriber Identity\u201D) assigned by the network (TMSI, with their version\
+ \ for 4G and 5G). Adversaries can take advantage of cellular networks where the\
+ \ IMSI is used when computing how to page a UE, rather than TMSI, or when the\
+ \ TMSI is used but not changed frequently. This is a choice of the mobile network\
+ \ operator. \r\n\r\n\r\nAn adversary can send silent SMS messages to that target\
+ \ phone number, and watch the paging messages that the base station in that area\
+ \ sends in response (assumes the target UE is in inactive mode and is located\
+ \ in the area of a base station where the adversary has installed a radio interface\
+ \ sniffer). From the sniffed paging messages, and adversary learns the \u201C\
+ paging occasion\u201D for that UE. From the paging occasion, several bits (7)\
+ \ of the IMSI can be deduced. The rest of the IMSI (24 bits) can be tried out\
+ \ by brute force by sending many paging messages (e.g. via a fake base station)\
+ \ corresponding to the IMSIs being tried out, and if one gets a response that\
+ \ is valid, it means that the guess is correct. \r\n\r\n\r\nSeveral UEs may end\
+ \ up sharing the same paging occasion. With knowledge of the victim\u2019s phone\
+ \ number, an adversary can cause the victim UE to be paged in a certain fashion\
+ \ (e.g. by sending a given number of silent SMS and watching for a similar number\
+ \ of paging messages), the adversary can determine the paging occasion for that\
+ \ UE. If the UE is not located in that cell area, then no such paging messages\
+ \ will be noticed. An adversary needs to install sniffers in all of the cell areas\
+ \ of interest, i.e. where they desire to determine the presence or absence of\
+ \ a target UE at a given time, and/or to determine the UE identifiers (IMSI or\
+ \ SUPI or TMSI).\r\n\r\n\r\nBackground information: the IMSI in the US is ~49\
+ \ bits, but the IMSI\u2019s leading 18-bits (i.e., the mobile country code and\
+ \ the mobile network code) can be obtained from the phone number using paid, Internet-based\
+ \ home location register lookup services. The \u201Cpaging occasion\u201D \u2013\
+ \ the precise time/frequency slot when the paging indication is sent\u2014is calculated\
+ \ in a known way based on a UE identifier- either IMSI or TMSI.\r\n\r\n"
+ detections:
+ - detects: Run at the UE side a tool to detect silent SMS messages (can be OS monitoring
+ app as in [4])
+ fgdsid: FGDS5102
+ name: Silent SMS detector
+ id: FGT5019.006
+ mitigations:
+ - fgmid: FGM5004
+ mitigates: The operator may run a network side SMS firewall that permits legitimate
+ silent SMSs (e.g. from law enforcement) but blocks the ones from suspicious
+ sources
+ name: Correctly configure SMS firewall
+ - fgmid: FGM5102
+ mitigates: Run at the UE side a tool to detect and not respond to multiple silent
+ SMS messages received in a short time (can be OS monitoring app as in [2])
+ name: 'Silent SMS blocker '
+ name: Silent SMS
+ object-type: technique
+ platforms: 5G Network
+ preconditions:
+ - Description: Adversary deployed a sniffer in the coverage area where the target
+ UE may be located
+ Name: Radio interface sniffer
+ procedureexamples:
+ - Description: By sending several (about 8) silent SMS messages to a UE, (or make
+ 8 silent calls), and watching the responses on the radio interface- if the UE
+ is present, the paging occasion of the UE can be determined [1].
+ Name: Paging occasion guessing
+ - Description: If the operator uses IMSI to page UEs, then if some bits of the IMSI
+ are already guessed (e.g. via a location/paging occasion guessing discovery
+ technique), it is possible to infer the actual IMSI. The adversary sends multiple
+ silent SMS messages corresponding to guessed IMSIs, and watches the radio interface
+ for responses. [1]
+ Name: IMSI-cracking
+ references:
+ - " \\[1\\] [S.R. Hussain et.al., \u201CPrivacy Attacks to the\
+ \ 4G and 5G Cellular Paging Protocols Using Side Channel Information\u201D](https://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf\
+ \ )"
+ - " \\[2\\] [H. Wen et al., \u201CThwarting Smartphone SMS Attacks\
+ \ at the\nRadio Interface Layer\u201D. Retrieved Sept 14, 2023.](https://www.ndss-symposium.org/ndss-paper/thwarting-smartphone-sms-attacks-at-the-radio-interface-layer/)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5019
+ tactics:
+ - TA0009
+ - TA0007
+ typecode: fight_subtechnique
+- architecture-segment: RAN
+ bluf: Adversary sends spoofed or silent paging messages to a UE and deduces the
+ UE's location from the responses of that UE
+ criticalassets:
+ - Description: UEs rough location is known to the adversary which can be used for
+ further attacks such as bidding down, IMSI cracking and physical attack.
+ Name: UE location
+ description: " Adversary sends spoofed or silent paging messages to a UE and deduces\
+ \ the UE's location from the responses of that UE.\r\n\r\nAdversary broadcasts\
+ \ spoofed paging message from a false base station or manipulates a legitimate\
+ \ one using a Software-defined-radio tool; alternatively, the adversary uses a\
+ \ silent SMS message tool to cause the legitimate base station to send a paging\
+ \ message. These paging messages can be heard by all UEs in the area. The paging\
+ \ message broadcast time/frequency is calculated by the base station based on\
+ \ the temporary identifier 5G-GUTI or 4G-GUTI of the target UE, or the IMSI. It\
+ \ is assumed that the adversary can guess the UEs GUTI (see technique FGT5012.006).\r\
+ \n\r\nAn adversary sends multiple paging messages and then sniffs the radio interface\
+ \ looking for UEs\u2019 responses to paging messages. Paging is successful if\
+ \ the target UE responds. If such a set of multiple paging responses corresponding\
+ \ to the paging calculated from the one given GUTI is noticed, then it can be\
+ \ concluded that that UE is present in the cell area. This leads to discovery\
+ \ of the coarse location of a UE. As a side benefit, a valid GUTI (or several\
+ \ GUTIs) is also now discovered. \r\n\r\nBackground info: Silent SMS messages\
+ \ is a type of SMS that are used legitimately by mobile operators and governments\
+ \ to track a smartphone subscriber\u2019s geographical location. \r\n\r\n\r\n"
+ detections:
+ - detects: UE measurements of received power levels from all base stations nearby,
+ and their identifiers. Clause 6.24 of [2].
+ fgdsid: FGDS5002
+ name: UE signal measurements
+ - detects: Run at the UE side a tool to detect silent SMS messages (can be OS monitoring
+ app as in [4])
+ fgdsid: FGDS5102
+ name: Silent SMS detector
+ id: FGT5012.007
+ mitigations:
+ - fgmid: FGM5004
+ mitigates: The operator may run a network-side SMS firewall that permits legitimate
+ silent SMSs (e.g. from law enforcement) but blocks the ones from suspicious
+ sources
+ name: Correctly configure SMS firewall
+ - fgmid: FGM5102
+ mitigates: Run at the UE side a tool to detect and not respond to multiple silent
+ SMS messages received in a short time (can be OS monitoring app as in [4])
+ name: 'Silent SMS blocker '
+ name: Silent or spoofed paging
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: "Adversary knows the cellular base station area where the UE is located.\
+ \ Further attacks are possible such as eavesdropping on target UE\u2019s communication\
+ \ to network if UE coarse location is known to adversary."
+ Name: UE coarse location is known to adversary
+ preconditions:
+ - Description: Adversary gets hold of a false base station which is capable of sending
+ fraudulent paging messages.
+ Name: Obtain a false base station to send fake broadcast messages, or a SDR tool
+ to manipulate legitimate signaling on the radio interface
+ - Description: Adversary develops or obtains a tool to send silent SMS (e.g. mobile
+ phone with special application running)
+ Name: Obtain a silent SMS tool
+ procedureexamples:
+ - Description: "Adversary sends fake paging message with UEs temporary identifier\
+ \ from a false base station. Sigover attack method is used to overshadow the\
+ \ paging message from legitimate base station. If the victim UE is in the area,\
+ \ it responds with a service request message. UE\u2019s presence in the cell\
+ \ area is then known to the adversary [1]."
+ Name: Send fake paging message to target UE
+ - Description: "Adversary sends a series of silent SMS messages or makes a series\
+ \ of silent calls to a target UE, that would cause the base station to send\
+ \ a series of corresponding paging messages. The adversary then monitors the\
+ \ paging channel to watch for these set of multiple paging messages, and thus\
+ \ determines the paging slots (\u201Cpaging occasion\u201D) assigned to the\
+ \ target UE. In addition, if the target UE responds, adversary concludes the\
+ \ target is in the area of that base station. If not, the target is not there\
+ \ [3]"
+ Name: Send silent SMS to target UE
+ - Description: "Adversary sends multiple silent SMS to the UE, and then watches\
+ \ the paging channel. If multiple instances of the same GUTI is seen, or if\
+ \ a given Paging Frame Index (determined by the IMSI) (PFI) seems to be \u201C\
+ busy\u201D then the adversary can conclude that the target UE is in that cell\
+ \ area (coarse location retrieval) [3]"
+ Name: Watch for same paging occasion to be used by base station
+ references:
+ - " \\[1\\] [Chuan Yu et al, \u201CImproving 4G/5G air interface\
+ \ security: A survey of existing attacks on different LTE layers\u201D, ACM digital\
+ \ library](https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532)"
+ - " \\[2\\] [3GPP TR 33.809 \u201CStudy on 5G security enhancements\
+ \ against False Base Stations (FBS)\u201D, Technical Report, v0.18.0, February\
+ \ 2022.](https://www.3gpp.org/DynaReport/33809.htm)"
+ - " \\[3\\] [S.R. Hussain et.al., \u201CPrivacy Attacks to the\
+ \ 4G and 5G Cellular Paging Protocols Using Side Channel Information\u201D. Retrieved\
+ \ Sept 11, 2023](https://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf)"
+ - " \\[4\\] [H. Wen et al., \u201CThwarting Smartphone SMS Attacks\
+ \ at the\nRadio Interface Layer\u201D. Retrieved Sept 14, 2023.](https://www.ndss-symposium.org/ndss-paper/thwarting-smartphone-sms-attacks-at-the-radio-interface-layer/)"
+ status: Observed in earlier 3GPP generations and expected in 5G.
+ subtechnique-of: FGT5012
+ tactics:
+ - TA0009
+ - TA0007
+ typecode: fight_subtechnique
+- architecture-segment: RAN, Virtualization
+ bluf: 'Adversary may gain unauthorized access to machine learning model or database
+ and alters the data to disrupt service or change the behavior of network elements. '
+ criticalassets:
+ - Description: Configuration and session data for RAN as well as ML applications.
+ Name: Configuration and session data
+ - Description: ML models and algorithms itself can be a lucrative asset to acquire
+ in addition to understanding the behavior of the models fo0r an adversary.
+ Name: Algorithm
+ description: " Adversary may gain unauthorized access to machine learning model\
+ \ or database and alters the data to disrupt service or change the behavior of\
+ \ network elements. \r\n\r\nCurrently ORAN implementation specifies RAN Intelligent\
+ \ Controller (RIC) and associated xApps/rApps as part of the RAN system for machine\
+ \ learning and optimization. Machine learning models may also exist in Service\
+ \ Management and Orchestration (SMO) to optimize network design, deployment and\
+ \ operation. A nefarious change on ML models or data can cause drastic behavior\
+ \ change of O-RAN components including network outage. Altering a machine learning\
+ \ model (System manipulation and compromise of ML data confidentiality and privacy),\
+ \ adversary can change O-RAN behavior.\r\n\r\n"
+ detections:
+ - detects: Application logs can provide information about change, read, update,
+ and delete(CRUD) activity.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Access and authorization logs can reveal abnormal logging activity that
+ precedes action taken on the system
+ fgdsid: DS0028
+ name: Logon Session
+ id: FGT5037
+ mitigations:
+ - fgmid: M1018
+ mitigates: Manage the creation, modification, use, and permissions associated
+ to user accounts.
+ name: User Account Management
+ - fgmid: M1026
+ mitigates: Strict access control to infrastructure and application supporting
+ AI/ML operations
+ name: Privileged Account Management
+ - fgmid: M1041
+ mitigates: Model and data should be encrypted in the system
+ name: Encrypt Sensitive Information
+ - fgmid: M1047
+ mitigates: Monitoring of access logs, sensor data and changes proposed by algorithms
+ and Human experts
+ name: Audit
+ - fgmid: M1009
+ mitigates: APIs in the system should use secure access and data transport using
+ TLS 1.3 or latest.
+ name: Encrypt Network Traffic
+ name: Alter ML Model
+ object-type: technique
+ platforms: ORAN, OA&M
+ references:
+ - " \\[1\\] [O-RAN Security Threat Modeling and Remediation Analysis\
+ \ 6.0\_\nO-RAN.WG11.Threat-Model.O-R003-v06.00, T-ML-02](https://orandownloadsweb.azurewebsites.net/specifications)"
+ - ' \[2\] [Adversarial Machine Learning: Well-known techniques](https://viso.ai/deep-learning/adversarial-machine-learning/)'
+ - \[3\] [OWASP Machine Learning Security Top Ten](https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack.html)
+ status: This is a theoretical behavior
+ tactics:
+ - TA0040
+ typecode: fight_technique
+- architecture-segment: RAN, Virtualization, O-RAN
+ bluf: 'Adversary may use AI/ML training data and prediction poisoning techniques
+ to manipulate the outcomes of a machine learning model for malicious purposes,
+ to disrupt service or change the behavior of network elements. '
+ criticalassets:
+ - Description: Configuration and session data for RAN as well as ML applications.
+ Name: Configuration and session data
+ - Description: ML models and algorithms itself can be a lucrative asset to acquire
+ in addition to understanding the behavior of the models fo0r an adversary.
+ Name: Algorithm
+ description: " Adversary may use AI/ML training data and prediction poisoning techniques\
+ \ to manipulate the outcomes of a machine learning model for malicious purposes,\
+ \ to disrupt service or change the behavior of network elements. \r\n\r\nIn the\
+ \ context of AI/ML security threats, adversaries can employ various techniques\
+ \ to compromise machine learning models at different stages. During training,\
+ \ they can engage in data poisoning by injecting manipulated data (Data Injection),\
+ \ mislabeling data points (Label Poisoning), or maliciously augmenting data with\
+ \ adversarial samples (Data Augmentation Poisoning). Adversaries can also manipulate\
+ \ the model itself during training, introducing hidden backdoor patterns (Backdoor\
+ \ Attacks) or deducing sensitive information by observing model outputs (Model\
+ \ Inversion Attacks). In the inference phase, they can create adversarial examples\
+ \ to trick the model (Adversarial Examples) or subtly change data distributions\
+ \ over time to cause incorrect predictions (Concept Drift). Additionally, adversaries\
+ \ can engage in data pollution by manipulating live input data (Data Poisoning\
+ \ in Live Systems) or compromise model integrity by stealing and manipulating\
+ \ training data (Data Theft). Lastly, they can attempt to determine training data\
+ \ membership via Membership Inference Attacks by querying the model with tailored\
+ \ inputs. \r\n\r\nThe ORAN implementation outlines the inclusion of a RAN Intelligent\
+ \ Controller (RIC) and its associated xApps/rApps within the RAN system, which\
+ \ are designed for machine learning and optimization purposes. Machine learning\
+ \ models might also be present within the Service Management and Orchestration\
+ \ (SMO) framework to enhance network design, deployment, and operation. However,\
+ \ any malicious alterations made to these ML models, or their associated data\
+ \ could lead to unintended consequences, such as disruptions in the desired operational\
+ \ state of network components, traffic management issues, and potentially even\
+ \ network outages.\r\n\r\n\r\n\r\n"
+ detections:
+ - detects: Application logs can provide information about change, read, update,
+ and delete(CRUD) activity.
+ fgdsid: DS0015
+ name: Application Log
+ - detects: Access and authorization logs can reveal abnormal logging activity that
+ precedes action taken on the system
+ fgdsid: DS0028
+ name: Logon Session
+ id: FGT5036
+ mitigations:
+ - fgmid: M1018
+ mitigates: Manage the creation, modification, use, and permissions associated
+ to user accounts.
+ name: User Account Management
+ - fgmid: M1026
+ mitigates: Strict access control to infrastructure and application supporting
+ AI/ML operations
+ name: Privileged Account Management
+ - fgmid: M1041
+ mitigates: Model and data should be encrypted in the system
+ name: Encrypt Sensitive Information
+ - fgmid: M1047
+ mitigates: Monitoring of access logs, sensor data and changes proposed by algorithms
+ and Human experts
+ name: Audit
+ - fgmid: M1009
+ mitigates: APIs in the system should use secure access and data transport using
+ TLS 1.3 or latest.
+ name: Encrypt Network Traffic
+ name: AI/ML training data and prediction poisoning
+ object-type: technique
+ platforms: ORAN, OA&M
+ references:
+ - " \\[1\\] [O-RAN Security Threat Modeling and Remediation Analysis\
+ \ 6.0, \_\nO-RAN.WG11.Threat-Model.O-R003-v06.00, T-ML-02](https://orandownloadsweb.azurewebsites.net/specifications)"
+ - ' \[2\] [Adversarial Machine Learning: Well-known techniques](https://viso.ai/deep-learning/adversarial-machine-learning/)'
+ - \[3\] [OWASP Machine Learning Security Top Ten](https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack.html)
+ status: This is a theoretical behavior
+ tactics:
+ - TA0040
+ typecode: fight_technique
+- addendums:
+ - "#### Addendum Name: Compromise software Supply Chain\r\n##### Architecture Segments:\
+ \ Control Plane, RAN, Virtualization, OA&M, O-RAN\r\n Adversaries may manipulate\
+ \ software products or product delivery mechanisms prior to deployment in an MNO\u2019\
+ s production environment for the purpose of data or system compromise.\r\n\r\n\
+ Software supply chain compromise can occur through various means, such as tampering\
+ \ with the source code of the application, manipulating the software's update\
+ \ and distribution process, or substituting legitimate compiled releases with\
+ \ altered versions.\r\n\r\n5G deployments are expected to embrace diverse deployment\
+ \ models, encompassing vendor-supplied VNF/CNFs, open-source software, dedicated\
+ \ physical appliances from suppliers, and white-label hardware. This diversity\
+ \ introduces multiple potential points of vulnerability before the software is\
+ \ employed in 5G communication services. An adversary could exploit the supply\
+ \ chain of management and monitoring tools, network functions, or infrastructure\
+ \ software, including operating systems, orchestration systems, and element managers.\
+ \ The same software deployment model is used in O-RAN systems, hence all vulnerabilities\
+ \ described in this addendum applies to O-RAN networks as well.\r\n\r\n"
+ architecture-segment: Control Plane, RAN, Virtualization, OA&M, O-RAN
+ bluf: Adversaries may manipulate application software prior to receipt by a final
+ consumer for the purpose of data or system compromise.
+ criticalassets:
+ - Description: Network functions are prime target to impact 5G communication services
+ Name: CORE, RAN VNFs
+ - Description: OSS tools have privileged access and broad reachability and may be
+ used to change configuration of the network by adversary.
+ Name: OSS Tools
+ - Description: Security tools have privileged access and broad reachability may
+ be used to evade defenses and allow for lateral movements by the adversary
+ Name: Security tools
+ - Description: CI/CD tools may be used for inserting malware or poisoned images
+ as well as change the network elements deployed and their behavior.
+ Name: CI/CD Tools
+ description: "Adversaries may manipulate application software prior to receipt by\
+ \ a final consumer for the purpose of data or system compromise.\r\n[To read more,\
+ \ please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1195/002)\r\
+ \n"
+ detections:
+ - detects: Use verification of distributed binaries through hash checking or other
+ integrity checking mechanisms. Scan downloads for malicious signatures and attempt
+ to test software and updates prior to deployment while taking note of potential
+ suspicious activity.
+ fgdsid: DS0022
+ name: File
+ id: FGT1195.002
+ mitigations:
+ - fgmid: M1016
+ mitigates: Vulnerability Scanning of software before it is brought into MNO environment
+ as well as regular scans to detect abnormal behavior
+ name: Vulnerability Scanning
+ - fgmid: M1045
+ mitigates: Enforce binary and application integrity with digital signature verification
+ to prevent untrusted code from executing.
+ name: Code Signing
+ - fgmid: M1051
+ mitigates: Update Software regularly
+ name: Update Software
+ - fgmid: FGM5517
+ mitigates: Enforce policy to use signed Software Bill of Materials (SBOMs) and
+ software.
+ name: Use obfuscation at application layer
+ - fgmid: M0817
+ mitigates: Implement a supply chain management program, including policies and
+ procedures to ensure all devices and components originate from a trusted supplier
+ and are tested to verify their integrity. 5G Operators should evaluate suppliers
+ of services for their technical and administrative controls to ensure that it
+ meets minimum standards for assured services. These evaluations may include
+ SW, HD supply chain, personnel and process used for service creation.
+ name: Supply chain management
+ name: Compromise Software Supply Chain
+ object-type: technique
+ platforms: Infrastructure, 5G, CI/CD, OA&M Tools, VNFs
+ references:
+ - " \\[1\\] [ETSI NFV SEC001, \u201CNetwork Functions Virtualization\
+ \ (NFV); NFV Security; Problem Statement\u201D, Jan. 2014, section 6.9](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf\
+ \ )"
+ - \[2\] [The Untold Story of the Boldest Supply-Chain Hack Ever](https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1195
+ tactics:
+ - TA0001
+ typecode: attack_subtechnique_addendum
+- addendums:
+ - "#### Addendum Name: Compromise Hardware Supply Chain\r\n##### Architecture Segments:\
+ \ Control Plane, RAN, Virtualization, OA&M, O-RAN\r\n Adversaries may manipulate\
+ \ hardware components or products prior to deployment in an MNO\u2019s production\
+ \ environment for the purpose of data or system compromise.\r\n\r\nThrough alterations\
+ \ to hardware or firmware within the supply chain, malicious actors can implant\
+ \ a concealed entry point into consumer networks. This clandestine access can\
+ \ prove challenging to identify, affording the adversary substantial control over\
+ \ the system. Hardware backdoors have the potential to be introduced into a wide\
+ \ array of devices, including servers, workstations, network infrastructure components,\
+ \ and peripherals.\r\n\r\n5G multiplicity of deployment options introduces numerous\
+ \ potential points of vulnerability, all before the hardware even integrates into\
+ \ 5G communication services. Within this complex landscape, adversaries possess\
+ \ the opportunity to exploit various aspects of the supply chain, such as compromising\
+ \ management and monitoring tools, tampering with firmware within components,\
+ \ or clandestinely introducing additional chips into server and network hardware.\
+ \ Furthermore, the prospect of counterfeit hardware infiltrating the legitimate\
+ \ supply chain accentuates the vulnerability landscape. Counterfeit hardware may\
+ \ lack rigorous security considerations and thorough testing, making it a potential\
+ \ Achilles' heel within the supply chain. The same hardware or firmware deployment\
+ \ model is used in O-RAN systems, hence all vulnerabilities described in this\
+ \ addendum applies to O-RAN networks as well.\r\n\r\n"
+ architecture-segment: Control Plane, RAN, Virtualization, OA&M, O-RAN
+ bluf: Adversaries may manipulate hardware components in products prior to receipt
+ by a final consumer for the purpose of data or system compromise.
+ criticalassets:
+ - Description: Network functions are prime target to impact 5G communication services
+ Name: CORE, RAN VNFs
+ - Description: OSS tools have privileged access and broad reachability and may be
+ used to change configuration of the network by adversary.
+ Name: OSS Tools
+ - Description: Security tools have privileged access and broad reachability may
+ be used to evade defenses and allow for lateral movements by the adversary
+ Name: Security tools
+ - Description: CI/CD tools may be used for inserting malware or poisoned images
+ as well as change the network elements deployed and their behavior.
+ Name: CI/CD Tools
+ description: "Adversaries may manipulate hardware components in products prior to\
+ \ receipt by a final consumer for the purpose of data or system compromise.\r\n\
+ [To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1195/003)\r\
+ \n"
+ detections:
+ - detects: 'Perform physical inspection of hardware to look for potential tampering.
+ Perform integrity checking on pre-OS boot mechanisms that can be manipulated
+ for malicious purposes and compare against known good baseline behavior.
+
+
+ Some manufacturers are now adding seals to their component hardware packaging. This
+ may provide some indication if Hardware was tampered with after leaving the
+ manufacturing facility.'
+ fgdsid: DS0013
+ name: Sensor Health
+ - detects: Use verification of distributed binaries through hash checking or other
+ integrity checking mechanisms. Scan downloads for malicious signatures and attempt
+ to test software and updates prior to deployment while taking note of potential
+ suspicious activity.
+ fgdsid: DS0022
+ name: File
+ id: FGT1195.003
+ mitigations:
+ - fgmid: M1016
+ mitigates: Vulnerability Scanning of software before it is brought into MNO environment
+ as well as regular scans to detect abnormal behavior
+ name: Vulnerability Scanning
+ - fgmid: M1051
+ mitigates: Update Software regularly
+ name: Update Software
+ name: Compromise Hardware Supply Chain
+ object-type: technique
+ platforms: Infrastructure, 5G, CI/CD & OA&M Tools, VNFs
+ procedureexamples:
+ - Description: "In virtual network functions, the provisioning, configuration, testing,\
+ \ and debugging processes involve software interfaces, often remote, with distinct\
+ \ security implications compared to traditional physical interfaces, emphasizing\
+ \ the need for mitigations and protections in situations where debug and test\
+ \ interfaces in NFV devices are enabled in the field.\n\nETSI NFV SEC001, \u201C\
+ Network Functions Virtualization (NFV); NFV Security; Problem Statement\u201D\
+ , Jan. 2014,\_section 6.9"
+ Name: Back-Doors via Virtualized Test & Monitoring Functions
+ references:
+ - " \\[1\\] [ETSI NFV SEC001, \u201CNetwork Functions Virtualization\
+ \ (NFV); NFV Security; Problem Statement\u201D, Jan. 2014, section 6.9](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf\
+ \ )"
+ - \[2\] [The Untold Story of the Boldest Supply-Chain Hack Ever](https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/)
+ - \[3\] [Trusted Platform Module (TPM) Summary](https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1195
+ tactics:
+ - TA0001
+ typecode: attack_subtechnique_addendum
+- addendums:
+ - "#### Addendum Name: Unauthorized device on O-RAN fronthaul infrastructure\r\n\
+ ##### Architecture Segments: RAN, O-RAN\r\n An adversary may attach a device to\
+ \ an O-RAN fronthaul infrastructure in order to disrupt its traffic.\r\n\r\nIn\
+ \ an O-RAN architecture, the baseband unit (BBU) is divided into two components:\
+ \ the distributed unit (DU) and the centralized unit (CU). The front haul interface\
+ \ plays a crucial role in connecting the DU and the Remote Radio Unit (RU or RRU)\
+ \ within the network, ensuring efficient communication. \r\n\r\nTo transport the\
+ \ CPRI (Common Public Radio Interface) traffic from the RU to the DU, an Ethernet-based\
+ \ bridged network is employed. This involves utilizing various Ethernet protocols\
+ \ such as IEEE 802.3 for general Ethernet connectivity, IEEE 802.1 for bridging\
+ \ and VLAN tagging, and IEEE 802.1CM for time-sensitive networking in industrial\
+ \ automation. The Ethernet-based fronthaul interface establishes a high-capacity\
+ \ and low-latency connection between the DU and the RU, facilitating the efficient\
+ \ transmission of digital baseband data, synchronization signals, control signals,\
+ \ and management information. Usually, RUs and Ethernet Switches are placed near\
+ \ the antenna units, which are unmanned facilities and can be physically breached\
+ \ due to detection and response time delays by personnel. \r\n\r\nUnauthorized\
+ \ devices on this infrastructure can pose significant risks to the O-RAN network.\
+ \ Such devices can be used towards a Denial-of-Service (DoS) attack by sending\
+ \ malicious or bogus messages, disrupting network operations. Additionally, they\
+ \ may attempt to eavesdrop on critical Control (C-Plane), User (U-Plane), Synchronization\
+ \ (S-Plane), or Management (M-Plane) traffic, compromising the confidentiality\
+ \ of the network.\r\n\r\n\r\n"
+ architecture-segment: RAN, O-RAN
+ bluf: Adversaries may introduce computer accessories, networking hardware, or other
+ computing devices into a system or network that can be used as a vector to gain
+ access.
+ criticalassets:
+ - Description: RRU, DU, CU may be exposed to front haul design vulnerability or
+ compromise.
+ Name: RAN network elements
+ - Description: Control plane and user plane data communication between DU and RRU
+ as well as UE.
+ Name: CP/UP Data
+ description: "Adversaries may introduce computer accessories, networking hardware,\
+ \ or other computing devices into a system or network that can be used as a vector\
+ \ to gain access.\r\n[To read more, please see the MITRE ATT&CK page for this\
+ \ technique](https://attack.mitre.org/techniques/T1200)\r\n"
+ detections:
+ - detects: Monitor network traffic between hosts
+ fgdsid: DS0029
+ name: Network Traffic
+ - detects: Monitoring ability to detect new ports, devices on the network
+ fgdsid: DS0039
+ name: Asset
+ id: FGT1200
+ mitigations:
+ - fgmid: M1026
+ mitigates: Implement strong access control for all types of interfaces on originating
+ switch and any intermediary devices on the fronthaul.
+ name: Privileged Account Management
+ - fgmid: M1030
+ mitigates: Implement network segmentation.
+ name: Network Segmentation
+ - fgmid: M1047
+ mitigates: Perform hardware and software installation audits of all O-RAN open
+ fronthaul components.
+ name: Audit
+ name: Hardware Additions
+ object-type: technique
+ platforms: O-RAN
+ procedureexamples:
+ - Description: Addition of unauthorized hardware in the O-RAN fronthaul infrastructure
+ may leak data to the adversary as the fronthaul interfaces normally are not
+ confidentiality and integrity protected. [ATT&CK T1200]
+ Name: Adding hardware to insecure open switch ports
+ - Description: A compromised access via remote login or physical access to communication,
+ technician interface can yield to creating span ports and tunneling traffic
+ to network sniffer.
+ Name: Privileged access to a router or switch
+ references:
+ - " \\[1\\] [O-RAN WG11 Threat Model 6.00 version, \u201CORAN\
+ \ Threat Model\u201D](https://orandownloadsweb.azurewebsites.net/specifications)"
+ - \[2\] [NTIA Open RAN Security Report May 2023](https://ntia.gov/sites/default/files/publications/open_ran_security_report_full_report_0.pdf)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ tactics:
+ - TA0040
+ typecode: attack_technique_addendum
+- addendums:
+ - "#### Addendum Name: Tools\r\n##### Architecture Segments: RAN, O-RAN\r\n An adversary\
+ \ may obtain tooling needed to target victim UEs for attack.\r\n\r\nAdversary\
+ \ needs to obtain tools (HW/SW) to carry out planned attacks against victim UEs.\
+ \ This may include buying stingrays or buying radio cards, laptops and integrating\
+ \ into a working base station. Adversary may need specific tools such as Sim\
+ \ Cloning, network traffic analyzer, certificates, or code needed to be executed\
+ \ on a compromised 5G Network Function to achieve its goals. \r\n\r\nIn some\
+ \ cases, an adversaries may purchase from third party specific software to do\
+ \ development and integration work to provide specific attack capabilities. \r\
+ \n\r\n\r\n\r\n\r\n"
+ architecture-segment: RAN, O-RAN
+ bluf: Adversaries may buy, steal, or download software tools that can be used during
+ targeting.
+ criticalassets:
+ - Description: Radio communication service between UE and base station.
+ Name: RAN Service
+ - Description: UE and subscriber identity as well as communication.
+ Name: UE identity, and communication
+ description: "Adversaries may buy, steal, or download software tools that can be\
+ \ used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for\
+ \ this technique](https://attack.mitre.org/techniques/T1588/002)\r\n"
+ detections: []
+ id: FGT1588.002
+ mitigations:
+ - fgmid: M1056
+ mitigates: This technique cannot be easily mitigated with preventive controls
+ since it is based on behaviors performed outside of the scope of enterprise
+ defenses and controls.
+ name: Pre-compromise
+ name: Tool
+ object-type: technique
+ platforms: 5G
+ procedureexamples:
+ - Description: There are many tools developed to test 5G systems, same tools can
+ be used for adversarial objective on a system.
+ Name: Use of Open-source software & Testing tools
+ references:
+ - \[1\] [Open Source tools](https://github.com/ravens/awesome-telco)
+ - \[2\] [Building a Cellphone IMSI Catcher (Stingray)](https://www.hackers-arise.com/post/software-defined-radio-part-6-building-a-imsi-catcher-stingray)
+ status: This is an observed behavior in Enterprise networks, and is theoretical
+ in context of 5G systems.
+ subtechnique-of: FGT1588
+ tactics:
+ - TA0042
+ typecode: attack_subtechnique_addendum
+- architecture-segment: RAN, O-RAN
+ bluf: An adversary may obtain radio network function needed to attack target victim
+ UEs.
+ criticalassets:
+ - Description: Radio Communication service between UE and basestation.
+ Name: RAN Service
+ - Description: UE and Subscriber identity as well as communication, cellular devices
+ and user data.
+ Name: UE identity, and communication
+ description: " An adversary may obtain radio network function needed to attack target\
+ \ victim UEs.\r\n\r\nAdversary provides an alternate radio access network (gNB\
+ \ or open-RAN gNB components such as Distributed Unit (DU) or Centralized Unit\
+ \ (CU)) to target victim UEs without victim (user or UE) discovering that they\
+ \ are not attached to a legitimate MNO network. This can be achieved by the adversary\
+ \ obtaining false base station network functionality and any connections to core\
+ \ network functions required to carry out their mission. Opensource radio and\
+ \ base station software combined with radio cards can be easily obtained to create\
+ \ a base station to launch attacks against network or UE.\r\n\r\n\r\n\r\n\r\n"
+ detections: []
+ id: FGT1588.501
+ mitigations:
+ - fgmid: M1056
+ mitigates: This technique cannot be easily mitigated with preventive controls
+ since it is based on behaviors performed outside of the scope of enterprise
+ defenses and controls.
+ name: Pre-compromise
+ name: ' Radio Network Functions'
+ object-type: technique
+ platforms: 5G
+ procedureexamples:
+ - Description: Many software defined source code are available that can be used
+ to build a base station with radio transceiver hardware on Linux and or windows
+ PC. There are also opensource 5G core software available on opensource project
+ websites.
+ Name: Use of opensource SW
+ - Description: With the proliferation of private 5G deployments, almost anyone can
+ now purchase software for the RAN components such as gNB, DU, CU.
+ Name: Purchase of Commercial equipment
+ references:
+ - \[1\] [Open Source RAN project](https://www.srslte.com)
+ - ' \[2\] [Over The Air Baseband Exploit: Gaining Remote Code Execution
+ on 5G Smartphones](https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf)'
+ - \[3\] [Open5GS](https://open5gs.org)
+ - ' \[4\] [Over The Air Baseband Exploit: Gaining Remote Code Execution
+ on 5G Smartphones](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-On-5G-Smartphones.pdf)'
+ - \[5\] [Open Source tools](https://github.com/ravens/awesome-telco)
+ - \[6\] [Building a Cellphone IMSI Catcher (Stingray)](https://www.hackers-arise.com/post/software-defined-radio-part-6-building-a-imsi-catcher-stingray)
+ - \[7\] [5G NR equipment suppliers](https://www.rfwireless-world.com/Vendors/5G-NR-Network-Equipment-Manufacturers.html)
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1588
+ tactics:
+ - TA0042
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: RAN
+ bluf: Adversary controlled fake base station transmits crafted broadcast messages
+ to prevent legitimate UEs to connect to network.
+ criticalassets:
+ - Description: Legitimate UEs do not get network access in the area where false
+ base station is deployed.
+ Name: 5G network access
+ description: " Adversary controlled fake base station transmits crafted broadcast\
+ \ messages to prevent legitimate UEs to connect to network.\r\n\r\nLTE sub-frames\
+ \ are sent by adversary from a false base station which mimics legitimate eNB.\
+ \ It sends fake System Information Block Type 1 (SIB1) messages which are aligned\
+ \ in time-frequency domain with the messages sent by the legitimate eNB, but with\
+ \ stronger transmit power. The adversary does not send synchronization signals\
+ \ (PSS, SSS) for this attack which makes it harder to detect. This is known as\
+ \ sigover attack. [1]\r\n\r\nAdversary may transmit crafted broadcast messages\
+ \ by manipulating cell barring in Master Information Block (MIB) and access barring\
+ \ feature in SIB1 broadcast messages, UE will stop camping on to legitimate network\
+ \ for 300 seconds and it gets a DoS attack. The same attacks are possible in 5G\
+ \ network as MIB and SIB1 messages in 5G are similar to 4G and those are not integrity\
+ \ protected in 5G.\r\n\r\n"
+ detections:
+ - detects: UE measurements of received power levels from all base stations nearby,
+ and their identifiers. Clause 6.24 of [3].
+ fgdsid: FGDS5002
+ name: UE signal measurements
+ id: FGT1642.501
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Use integrity protection for all broadcast messages sent by gNB. This
+ will have performance impact on the network and UE due to additional processing
+ of integrity protection algorithm.
+ name: Integrity protection of data communication
+ name: Transmit Spoofed Broadcast Message
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: No UE in the area where false base station is present can get connection
+ to the network.
+ Name: Network access denied
+ preconditions:
+ - Description: Adversary gets hold of a false base station which is capable of broadcasting
+ fraudulent messages.
+ Name: Obtain a false base station to send fake broadcast messages
+ - Description: False base station must be deployed in the area where target UEs
+ are located.
+ Name: Adversary must be in the same vicinity of target UEs
+ procedureexamples:
+ - Description: "Adversary broadcasts fake MIB and SIB1 messages with cell barring\
+ \ and access barring features turned on. cellbarred field in the MIB can be\
+ \ set to \u201Cbarred\u201D, cellReservedForOperatorUse and cellReservedforOtherUse\
+ \ fields can be set to \u201Ctrue\u201D in the SIB1. All UEs in the area which\
+ \ are camped on to the false base station will not connect to legitimate base\
+ \ stations for 300 seconds. [1, 4], clauses 6.2.2 & 6.3.2 of [2].\n\nThe same\
+ \ attack is possible in 5G as MIB and SIB1 messages are sent without integrity\
+ \ protection and the format of the messages are similar to 4G.\n\nNote: This\
+ \ attack is not persistent as the UE\u2019s will try to connect the legitimate\
+ \ network after about 300 seconds."
+ Name: Send cell barring and access barring information to target UEs
+ references:
+ - " \\[1\\] [ACM article, : \u201CImproving 4G/5G air interface\
+ \ security: A survey of existing attacks on different LTE layers\u201D.](https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532)"
+ - " \\[2\\] [3GPP TS 38.331: \u201CRadio Resource Control (RRC);\
+ \ Protocol specification\u201D Release 16.](https://www.3gpp.org/DynaReport/38331.htm)"
+ - \[3\] [3GPP TR 33.809:](https://www.3gpp.org/DynaReport/33809.htm)
+ - " \\[4\\] [Ericsson paper, Jingya Li et al: \u201CAn Overview\
+ \ of 5G System Accessibility Differentiation and Control\u201D.](https://arxiv.org/ftp/arxiv/papers/2012/2012.05520.pdf)"
+ status: This is a theoretical behavior
+ subtechnique-of: FGT1642
+ tactics:
+ - TA0040
+ typecode: fight_subtechnique_to_attack_technique
+- access-required: user
+ architecture-segment: User Plane, Control Plane
+ bluf: 'An adversary may move targeted data and remain undetected during the exfiltration
+ process by using DNS requests. '
+ criticalassets:
+ - Description: Whoever controls the DNS servers controls how and what end users
+ connect to over the network, making DNS servers a type of critical infrastructure.
+ Name: DNS Servers
+ description: " An adversary may move targeted data and remain undetected during\
+ \ the exfiltration process by using DNS requests. \r\n\r\nAn adversary may be\
+ \ able to move data by simply encoding data as a hostname query and by placing\
+ \ the data in the names section of a DNS lookup. The receiving DNS server, controlled\
+ \ by the adversary, logs the query and decodes the data, reassembles in the planned\
+ \ sequence from the named field. The reply to the query may or may not sent. If\
+ \ the query is sent, it may be ignored by the compromised host.\r\n\r\nThe data\
+ \ may be of the following categories:\r\nC2 data \u2013 This involves remote command\
+ \ and control information like system change, routing information change, etc.\r\
+ \nUser/System data \u2013 This involves information such as identifiers, files,\
+ \ credentials, etc.\r\n\r\n"
+ detections:
+ - detects: Monitor executed commands and arguments that may steal data by exfiltrating
+ it over an existing command and control channel.
+ fgdsid: DS0017
+ name: Command
+ - detects: 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.),
+ that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable
+ format (ex: PCAP).'
+ fgdsid: DS0029
+ name: Network Traffic
+ id: FGT1048.501
+ mitigations:
+ - fgmid: FGM5024
+ mitigates: Use strong data integrity protection algorithms within 5G network such
+ as airlink, backhaul and core network.
+ name: Integrity protection of data communication
+ - fgmid: M1031
+ mitigates: "Network intrusion detection and prevention systems that use network\
+ \ signatures to identify traffic for specific adversary malware can be used\
+ \ to mitigate activity at the network level. Signatures are often for unique\
+ \ indicators within protocols and may be based on the specific obfuscation technique\
+ \ used by a particular adversary or tool and will likely be different across\
+ \ various malware families and versions. Adversaries will likely change tool\
+ \ command and control signatures over time or construct protocols in such a\
+ \ way to avoid detection by common defensive tools.\_\nScan all external traffic\
+ \ header fields to detect any suspicious protocol or port number use."
+ name: Network Intrusion Prevention
+ name: 'Covert Exfiltration of Data Via DNS Request '
+ object-type: technique
+ platforms: 5G
+ postconditions:
+ - Description: Attacker can route command and control traffic through DNS to control
+ botnets or other entities.
+ Name: Command and Control Network
+ - Description: Attacker has a route to exfiltrate stolen data disguised as DNS packets.
+ Name: Exfiltration Route
+ - Description: This involves information such as identifiers, files, user credentials,
+ etc.
+ Name: User/System data
+ preconditions:
+ - Description: There must not be an endpoint detection and response capability to
+ validate whether host/network function/UE is communicating with a malicious
+ DNS server or a valid one.
+ Name: Unauthenticated DNS Services
+ procedureexamples:
+ - Description: 'Operators do not strictly enforce flow monitoring for free DNS service
+ via the standard five-tuple flow ID (src IP, dest IP, src port, dest port, protocol).
+ Instead, they use only the destination port (or plus protocol ID), thus exposing
+ a vulnerability.
+
+ Adversary may setup fake DNS server to receive exfiltered data.
+
+ Adversarial activity could be a person who has remote access or a worm collecting
+ and transmitting protected information. [2]'
+ Name: Free DNS loophole
+ references:
+ - " \\[1\\] [\u201CBhadhra Framework\u201D: S.P. Rao, S. Holtmanns,\
+ \ T. Aura, \u201CThreat modeling framework for mobile communication systems\u201D\
+ ](https://arxiv.org/pdf/2005.05110.pdf)"
+ - ' \[2\] [Peng, C., Li, C., Tu, G., Lu, S., & Zhang, L. (2012).
+ Mobile data charging: new attacks and countermeasures. Proceedings of the 2012
+ ACM conference on Computer and communications security.](https://dl.acm.org/doi/pdf/10.1145/2382196.2382220)'
+ - " \\[3\\] [Merve Sahin, Aurelien Francillon, Payas Gupta, and\
+ \ Mustaque Ahamad. 2017. \n\u201CSok: Fraud in telephony networks\u201D. In 2017\
+ \ IEEE European Symposium on Security\nand Privacy (EuroS&P). IEEE, p235\u2013\
+ 250](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7961983&tag=1)"
+ - " \\[4\\] [Kui Xu, Patrick Butler, Sudip Saha, Danfeng (Daphni)\
+ \ Yao in DNS CC Journal, \u201CDNS for Massive-Scale Command and Control\u201D\
+ ](https://people.cs.vt.edu/~danfeng/papers/DNS-CC-JOURNAL.pdf)"
+ status: This is a theoretical behavior in context of 5G systems.
+ subtechnique-of: FGT1048
+ tactics:
+ - TA0011
+ - TA0010
+ typecode: fight_subtechnique_to_attack_technique
+- architecture-segment: 5G
+ bluf: Adversaries may breach or otherwise leverage organizations who have access
+ to intended victims.
+ description: "Adversaries may breach or otherwise leverage organizations who have\
+ \ access to intended victims.\r\n[To read more, please see the MITRE ATT&CK page\
+ \ for this technique](https://attack.mitre.org/techniques/T1199)\r\n"
+ detections: []
+ id: FGT1199
+ mitigations: []
+ name: Trusted Relationship
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0001
+ - TA0040
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: Adversaries may maliciously modify components of a victim environment in order
+ to hinder or disable defensive mechanisms.
+ description: "Adversaries may maliciously modify components of a victim environment\
+ \ in order to hinder or disable defensive mechanisms.\r\n[To read more, please\
+ \ see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1562)\r\
+ \n"
+ detections: []
+ id: FGT1562
+ mitigations: []
+ name: Impair Defenses
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0005
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: Adversaries may gather information about the victim's hosts that can be used
+ during targeting.
+ description: "Adversaries may gather information about the victim's hosts that can\
+ \ be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page\
+ \ for this technique](https://attack.mitre.org/techniques/T1592)\r\n"
+ detections: []
+ id: FGT1592
+ mitigations: []
+ name: Gather Victim Host Information
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0043
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: Adversaries may obtain and abuse credentials of existing accounts as a means
+ of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
+ description: "Adversaries may obtain and abuse credentials of existing accounts\
+ \ as a means of gaining Initial Access, Persistence, Privilege Escalation, or\
+ \ Defense Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this\
+ \ technique](https://attack.mitre.org/techniques/T1078)\r\n"
+ detections: []
+ id: FGT1078
+ mitigations: []
+ name: Valid Accounts
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0003
+ - TA0005
+ - TA0004
+ - TA0001
+ typecode: attack_technique_with_subs_with_addendums
+- architecture-segment: 5G
+ bluf: Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence
+ on a system.
+ description: "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish\
+ \ persistence on a system.\r\n[To read more, please see the MITRE ATT&CK page\
+ \ for this technique](https://attack.mitre.org/techniques/T1542)\r\n"
+ detections: []
+ id: FGT1542
+ mitigations: []
+ name: Pre-OS Boot
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0003
+ - TA0005
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: "Adversaries may compromise a network device\u2019s encryption capability\
+ \ in order to bypass encryption that would otherwise protect data communications."
+ description: "Adversaries may compromise a network device\u2019s encryption capability\
+ \ in order to bypass encryption that would otherwise protect data communications.\r\
+ \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1600)\r\
+ \n"
+ detections: []
+ id: FGT1600
+ mitigations: []
+ name: Weaken Encryption
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0005
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: Adversaries may abuse a container administration service to execute commands
+ within a container.
+ description: "Adversaries may abuse a container administration service to execute\
+ \ commands within a container.\r\n[To read more, please see the MITRE ATT&CK page\
+ \ for this technique](https://attack.mitre.org/techniques/T1609)\r\n"
+ detections: []
+ id: FGT1609
+ mitigations: []
+ name: Container Administration Command
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0006
+ - TA0007
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: Adversaries may exfiltrate data, such as sensitive documents, through the
+ use of automated processing after being gathered during Collection.
+ description: "Adversaries may exfiltrate data, such as sensitive documents, through\
+ \ the use of automated processing after being gathered during Collection.\r\n\
+ [To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1020)\r\
+ \n"
+ detections: []
+ id: FGT1020
+ mitigations: []
+ name: Automated Exfiltration
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0007
+ - TA0010
+ typecode: attack_technique_with_subs_with_addendums
+- architecture-segment: 5G
+ bluf: Adversaries may search for common password storage locations to obtain user
+ credentials.
+ description: "Adversaries may search for common password storage locations to obtain\
+ \ user credentials.\r\n[To read more, please see the MITRE ATT&CK page for this\
+ \ technique](https://attack.mitre.org/techniques/T1555)\r\n"
+ detections: []
+ id: FGT1555
+ mitigations: []
+ name: Credentials from Password Stores
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0006
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: Adversaries may perform Network Denial of Service (DoS) attacks to degrade
+ or block the availability of targeted resources to users.
+ description: "Adversaries may perform Network Denial of Service (DoS) attacks to\
+ \ degrade or block the availability of targeted resources to users.\r\n[To read\
+ \ more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1498)\r\
+ \n"
+ detections: []
+ id: FGT1498
+ mitigations: []
+ name: Network Denial of Service
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0040
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: Adversaries may attempt to position themselves between two or more networked
+ devices using an adversary-in-the-middle (AiTM) technique to support follow-on
+ behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)).
+ description: "Adversaries may attempt to position themselves between two or more\
+ \ networked devices using an adversary-in-the-middle (AiTM) technique to support\
+ \ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),\
+ \ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),\
+ \ or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)).\r\
+ \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1557)\r\
+ \n"
+ detections: []
+ id: FGT1557
+ mitigations: []
+ name: Adversary-in-the-Middle
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0009
+ - TA0006
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: Adversaries may insert, delete, or manipulate data in order to influence external
+ outcomes or hide activity, thus threatening the integrity of the data.
+ description: "Adversaries may insert, delete, or manipulate data in order to influence\
+ \ external outcomes or hide activity, thus threatening the integrity of the data.\r\
+ \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1565)\r\
+ \n"
+ detections: []
+ id: FGT1565
+ mitigations: []
+ name: Data Manipulation
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0040
+ - TA0009
+ typecode: attack_technique_with_subs_with_addendums
+- architecture-segment: 5G
+ bluf: Adversaries may exploit software vulnerabilities in client applications to
+ execute code.
+ description: "Adversaries may exploit software vulnerabilities in client applications\
+ \ to execute code.\r\n[To read more, please see the MITRE ATT&CK page for this\
+ \ technique](https://attack.mitre.org/techniques/T1203)\r\n"
+ detections: []
+ id: FGT1203
+ mitigations: []
+ name: Exploitation for Client Execution
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0002
+ typecode: attack_technique_with_fight_subs
+- architecture-segment: 5G
+ bluf: 'Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade
+ or block the availability of services to users.
+
+
+ On Android versions prior to 7, apps can abuse Device Administrator access to
+ reset the device lock passcode, preventing the user from unlocking the device.'
+ description: "Adversaries may perform Endpoint Denial of Service (DoS) attacks to\
+ \ degrade or block the availability of services to users.\n\nOn Android versions\
+ \ prior to 7, apps can abuse Device Administrator access to reset the device lock\
+ \ passcode, preventing the user from unlocking the device.\r\n[To read more, please\
+ \ see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1642)\r\
+ \n"
+ detections: []
+ id: FGT1642
+ mitigations: []
+ name: Endpoint Denial of Service
+ object-type: technique
+ platforms: 5G
+ status: This is an observed behavior in Enterprise networks.
+ tactics:
+ - TA0040
+ typecode: attack_technique_with_fight_subs
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..9349c26
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,8 @@
+module accuknox.com/mitreFight
+
+go 1.22.1
+
+require (
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..3483296
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,5 @@
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/template.go b/template.go
new file mode 100644
index 0000000..3681b77
--- /dev/null
+++ b/template.go
@@ -0,0 +1,140 @@
+package main
+
+import (
+ "log"
+ "os"
+ "text/template"
+
+ "gopkg.in/yaml.v3"
+)
+
+// generated from https://zhwt.github.io/yaml-to-go/
+
+type T struct {
+ Tactics []struct {
+ Description string `yaml:"description"`
+ Id string `yaml:"id"`
+ Name string `yaml:"name"`
+ ObjectType string `yaml:"object-type"`
+ } `yaml:"tactics"`
+ Techniques []struct {
+ AccessRequired string `yaml:"access-required"`
+ ArchitectureSegment string `yaml:"architecture-segment"`
+ Bluf string `yaml:"bluf"`
+ Criticalassets []struct {
+ Description string `yaml:"Description"`
+ Name string `yaml:"Name"`
+ } `yaml:"criticalassets"`
+ Description string `yaml:"description"`
+ Detections []struct {
+ Detects string `yaml:"detects"`
+ Fgdsid string `yaml:"fgdsid"`
+ Name string `yaml:"name"`
+ } `yaml:"detections"`
+ ID string `yaml:"id"`
+ Mitigations []struct {
+ Fgmid string `yaml:"fgmid"`
+ Mitigates string `yaml:"mitigates"`
+ Name string `yaml:"name"`
+ } `yaml:"mitigations"`
+ Name string `yaml:"name"`
+ ObjectType string `yaml:"object-type"`
+ Platforms string `yaml:"platforms"`
+ Preconditions []struct {
+ Description string `yaml:"Description"`
+ Name string `yaml:"Name"`
+ } `yaml:"preconditions"`
+ Procedureexamples []struct {
+ Description string `yaml:"Description"`
+ Name string `yaml:"Name"`
+ } `yaml:"procedureexamples"`
+ References []string `yaml:"references"`
+ Status string `yaml:"status"`
+ SubtechniqueOf string `yaml:"subtechnique-of"`
+ Tactics []string `yaml:"tactics"`
+ Typecode string `yaml:"typecode"`
+ } `yaml:"techniques"`
+}
+
+type A struct {
+ Techniques map[string]string
+}
+
+func (t *T) parseFightYaml() *T {
+ yamlFile, err := os.ReadFile("fight.yaml")
+ if err != nil {
+ log.Printf("yamlFile.Get err #%v ", err)
+ }
+
+ err = yaml.Unmarshal(yamlFile, t)
+ if err != nil {
+ log.Fatalf("error: %v", err)
+ }
+
+ /*
+ for _, technique := range t.Techniques {
+ fmt.Printf("%s\n", technique.Name)
+ }
+ */
+
+ return t
+}
+
+func (a *A) parseAccuknoxYaml() *A {
+ yamlFile, err := os.ReadFile("accuknox_support.yaml")
+ if err != nil {
+ log.Printf("yamlFile.Get err #%v ", err)
+ }
+
+ err = yaml.Unmarshal(yamlFile, a)
+ if err != nil {
+ log.Fatalf("error: %v", err)
+ }
+
+ /*
+ for tactic, support := range a.Techniques {
+ fmt.Printf("%s: %s\n", tactic, support)
+ }
+ */
+
+ return a
+}
+
+func (t displayT) generateAllTacticsPage(out *os.File) error {
+ tacticList := template.Must(template.New("tacticList").Parse(`
+ Tactics List
+
+ |
+ {{range .Tactics}}
+ | {{.Name}} |
+ {{end}}
+
+
+ `))
+ if err := tacticList.Execute(out, t); err != nil {
+ return err
+ }
+ return nil
+}
+
+func (t Tactic) generateTechniquesPerTacticPage(out *os.File) error {
+ techniqueList := template.Must(template.New("techniqueList").Parse(`
+
+
+
+ | Technique Name |
+ Accuknox Support |
+
+ {{range .Techniques}}
+
+ | {{.Name}} |
+ {{.Support}}
+ |
+ {{end}}
+
+ `))
+ if err := techniqueList.Execute(out, t); err != nil {
+ return err
+ }
+ return nil
+}