Threat Intelligence Report 2024
What's next for telecom: Emerging trends and technologies

Main findings

Attacks on the telecom sector
In North America, attacks often involved advanced techniques such as ransomware and were sometimes suspected to be state sponsored, focusing on data theft and service disruption. Incidents in East Asia frequently involved inadvertent exposures by companies themselves, leading to significant data leaks. Western Europe experienced a mix of cyber espionage and financially motivated breaches, indicating a diverse threat landscape.

DDoS attacks
DDoS traffic continues to grow at a rate higher than any other type of network traffic, increasing 166% between June 2023 and June 2024. In many networks, the frequency of these events has grown from one or two a day to well over 100 per day. Botnets remain a major driver in the DDoS attack landscape, accounting for about 60% of traffic monitored by Nokia Deepfield. Carpet-bombing attacks, which hit multiple targets by spreading traffic across a range of destination IP addresses, are becoming larger in scope. In 2024, 13% of carpet-bombing DDoS attacks targeted 256 destination IP addresses or more, and 2.8% of attacks targeted 1,024 IPs or more. AI, automation and the use of residential proxies were prominent elements in DDoS attacks. In 2024, we observed greater DDoS attack sophistication driven by AI and automation, and significant abuse of residential proxies in large-scale DDoS attacks.

Emerging technology and threats
Threat actors are increasingly using generative AI to mount sophisticated attacks faster and on a larger scale. Communications service providers (CSPs) are also using generative AI to accelerate response times and improve effectiveness against emerging threats. Quantum computing will pose a significant risk to critical networks and enterprises in the future. The National Institute of Standards and Technology (NIST) announced the formal publication of its first set of post-quantum cryptography (PQC) algorithms, marking a major milestone in quantum-safe security.
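The carpet-bombing finding above has a direct consequence for detection: a mitigation system that thresholds traffic per destination IP can miss an attack whose volume is spread across hundreds of addresses in one prefix. The following Python example, added here and not part of the Nokia report, runs a per-IP check and a per-/24 check over the same constructed set of flow records to show the difference; the thresholds, address ranges and record layout are assumptions.

```python
"""Per-destination versus per-prefix DDoS detection over constructed flow records.

Added example (not from the Nokia report). A carpet-bombing attack spreads
its volume across many destination addresses in one prefix, so each address
stays under a per-IP threshold while the prefix as a whole is saturated.
Aggregating the same flows per destination /24 and counting distinct
destinations exposes it. Thresholds, addresses and record layout are assumed.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records: (destination IP, bytes seen in the observation window).
# 203.0.113.0/24 receives 0.9 MB on each of 200 hosts (180 MB spread thin),
# 198.51.100.7 receives one concentrated 50 MB flood, 192.0.2.0/24 is background.
SAMPLE_FLOWS = [(f"203.0.113.{h}", 900_000) for h in range(1, 201)]
SAMPLE_FLOWS += [("198.51.100.7", 50_000_000)]
SAMPLE_FLOWS += [(f"192.0.2.{h}", 20_000) for h in range(1, 6)]

PER_IP_THRESHOLD = 10_000_000       # assumed: alert when one IP receives more than 10 MB
PER_PREFIX_THRESHOLD = 100_000_000  # assumed: alert when one /24 receives more than 100 MB
MIN_DISTINCT_TARGETS = 64           # assumed: well below the 256+ targets the report cites


def per_ip_alerts(flows, threshold=PER_IP_THRESHOLD):
    """Classic detection: destination IPs whose byte total exceeds the threshold."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[dst] += nbytes
    return sorted(ip for ip, total in totals.items() if total > threshold)


def per_prefix_alerts(flows, prefix_len=24, threshold=PER_PREFIX_THRESHOLD,
                      min_targets=MIN_DISTINCT_TARGETS):
    """Carpet-bombing detection: (prefix, bytes, distinct targets) for prefixes
    whose total exceeds the byte threshold across at least min_targets destinations."""
    totals = defaultdict(int)
    targets = defaultdict(set)
    for dst, nbytes in flows:
        prefix = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        totals[prefix] += nbytes
        targets[prefix].add(dst)
    return sorted(
        (prefix, totals[prefix], len(targets[prefix]))
        for prefix in totals
        if totals[prefix] > threshold and len(targets[prefix]) >= min_targets
    )


if __name__ == "__main__":
    # The per-IP check sees only the single concentrated flood; the per-prefix
    # check is what surfaces the carpet-bombed /24.
    print("per-IP alerts:    ", per_ip_alerts(SAMPLE_FLOWS))
    print("per-prefix alerts:", per_prefix_alerts(SAMPLE_FLOWS))
```

In production the flows would come from the router telemetry (NetFlow/IPFIX or sFlow) that a DDoS detection system already consumes; the design point is only that the aggregation key has to include the destination prefix, not just the destination address, and that the distinct-target count is what separates a carpet bomb from one large legitimate flow into a busy subnet.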
Contents
Main findings
About this report
Telecom sector attack trends
DDoS attack trends
Global SOC through MSS trends
Regulatory environment
Special edition
Conclusion
About Nokia's security capabilities

About this report

Nokia has been producing threat intelligence reports for many years. The 2024 edition is the most comprehensive report to date, including a greater emphasis on cybersecurity trends and emerging technologies that will impact the telecom industry. The report is based on analyses of:
- Real data by threat intelligence experts at Nokia's Cyber Security Center in France
- Security events and trends observed by Nokia Managed Security Services (MSS) security operational teams across the globe
- Distributed denial of service (DDoS) traffic and attacks by the Nokia Deepfield Emergency Response Team (ERT)
- Cybersecurity regulation trends by Nokia's Advanced Consulting Services, Cybersecurity Consulting team
- Quantum security by Nokia's quantum-safe networks security experts and Nokia Bell Labs
- Communications service provider (CSP) assessments of their own cybersecurity postures and top priorities by TM Forum

Telecom sector attack trends
Inside the latest attack trends in telecom

From 2022 to 2024, Nokia's threat intelligence experts at the Cyber Security Center in France have identified a notable pattern of cyberattacks targeting the telecom sector across various regions, involving diverse threat actors and motives. Attacks spanned the globe, with incidents reported in the US, UK, Germany, Ukraine and China. Impacts included significant service interruptions, theft of sensitive data, and potential unauthorized access to major online platforms.

Discovery and response
Nokia's threat intelligence experts have uncovered a concerning trend: cyberattacks are being discovered at different times, with some going undetected for months. For example, a November 2022 attack on a Tier 1 communications service provider (CSP) in Europe was not uncovered until January 2023. This delay in detection could have significantly worsened the impact of the attack, underscoring the critical need for faster threat identification.

Impact on services
The telecom industry is the backbone of our daily communications and vital infrastructure. An attack on the industry can have far-reaching consequences, disrupting services, jeopardizing security and undermining operational logistics. For example, in February 2022, a European CSP faced a sophisticated social engineering attack on its 4G/5G network that led to widespread service disruption. This attack affected 4.7 million mobile customers over 48 hours, significantly impacting the company's infrastructure and service delivery.

Trends and recommendations
Ransomware attacks on industrial organizations reached new levels of sophistication and scale in 2023. The threat landscape is expansive, with hundreds of ransomware variants such as LockBit, ALPHV, Hunters International, Rhysida and NoEscape. Each deploys its own set of complex and unique techniques. The challenge is greater than ever, as these evolving threats continue to target critical infrastructure.

In 2023, LockBit ransomware became a major player in industrial cyberattacks. Operating as a ransomware-as-a-service (RaaS) provider, the group executes highly aggressive extortion campaigns. LockBit's signature tactic involves StealBit, a custom-built data-stealing tool that extracts sensitive industrial information from compromised systems. The stolen data is then used as leverage, with threats to release it on the dark web if ransom demands are not met. This strategy not only heightens the pressure on victims but also introduces a secondary risk by potentially exposing the data to other malicious actors.

However, in 2024, a coordinated crackdown by law enforcement agencies including the US Federal Bureau of Investigation (FBI), the UK's National Crime Agency (NCA) and Europol delivered a significant blow to LockBit's operations. This joint effort led to the takedown of LockBit's website, the unmasking of its affiliate network, and the seizure of its cryptocurrency assets, marking a critical step in disrupting the group's activities.

Figure 1. A ransomware message from LockBit ("Your files are encrypted by LockBit")

Investing in cutting-edge cybersecurity and deploying rapid, decisive response strategies is no longer optional; it is now crucial. Enhanced detection capabilities are vital for accelerating incident response times and staying ahead of threats.
Global telecom sector attacks

Table 1 details cyberattacks from 2022 to 2024, including both the dates of the attacks and when they were discovered.

Table 1. Global telecom sector attacks, 2022-2024

Year | Country or area | Threat actor | Date of attack | Discovery date | Impact
2024 | North America CSP | Unnamed (speculated as Black Basta) | February 2024 | Not explicitly stated | Personal employee data exposed
2024 | Latin America CSP | Trigona group | June 2022 | February 2024 | Significant service disruption, data encryption, risk of data leak
2023 | North America CSP | Incident was attributed to an insider threat, inadvertent disclosure, while the customer data exposure was linked to an external vendor | The discovery date is unknown, but the customer data was exposed by March 2023; the employee data breach occurred on or around September 21, 2023 | The customer data exposure was resolved in January 2023, prior to being reported in March. The employee data breach was discovered on December 12, 2023. | The first incident exposed data of 7.5 million customers without revealing unencrypted personal data. The second incident exposed personal details of 63,000 employees
2023 | Europe CSP | Not specified | May 16, 2023 | The incident was reported in June 2023 | Limited to 7,500 customers; no evidence sensitive data was taken
2023 | North America CSP | Seize | February 25, 2023 | February 25, 2023 | Risk to employee information
2023 | Asia Pacific CSP | Unknown | November 8, 2023 | November 8, 2023 | Disruption to multiple services
2022 | Europe CSP | KelvinSecurity (alleged) | First week of September 2022 | Unspecified | Exposure of subscription details, identity documents and contact information
2022 | Asia Pacific CSP | Unconfirmed; conflicting claims between CSP and an insider | Noticed on September 20, 2022 | September 21, 2022 | Exposure of names, birth dates, addresses and ID numbers
Insights by region

Following are key insights and trends from Nokia's Cyber Security Center in France, based on the latest regional analysis of cyberattacks.

Regional distribution
North America stands out as the region with the highest number of attacks, highlighting its status as a major target, likely due to its concentration of technological infrastructure and large enterprises. Western Europe and East Asia also see significant activity, suggesting that areas with high economic output and advanced digital capabilities continue to attract cybercriminals. Regions like Central America and Eastern Europe report fewer incidents but are still notable for their specific vulnerabilities and types of attacks.

Figure 2. Distribution by region of cyberattacks against the telecom sector: North America 35%, Europe 35%, Asia 15%, Oceania 10%, South America 5%

Nature of attacks
In North America, attacks often involve advanced techniques such as ransomware and are sometimes suspected to be state sponsored, focusing on data theft and service disruption. East Asia's incidents frequently involve inadvertent exposures by companies themselves, leading to significant data leaks. Western Europe tends to experience a mix of cyber espionage and financially motivated breaches, indicating a diverse threat landscape.

Key threat actors and impacts
In regions like South America, groups such as Trigona focus on service disruptions and data encryption, severely impacting business operations. Europe has seen prominent activity from groups like Killnet, which have launched attacks causing widespread service outages.

Trends and recommendations
The persistent focus on technologically advanced and economically significant regions highlights the ongoing need for robust cybersecurity defenses. The data also reveals that threat actors are exploiting both technological vulnerabilities and human factors, suggesting that a comprehensive security strategy is essential. To combat this, here are some key recommendations:
- Enhancing cybersecurity measures, including threat intelligence and rapid response capabilities, is crucial, especially in high-risk regions.
- Increased collaboration and information sharing among international security agencies and private sectors can help mitigate the impact of these attacks.
- Investing in cybersecurity education and awareness programs will be vital to defend against socially engineered attacks and inadvertent data exposures.
Insights by country

Following are observations and emerging trends from our latest analysis of cyberattacks, broken down by country.

Countries most targeted
The US was the most frequently targeted country, indicative of its large digital infrastructure and the high value of its corporate data. Ukraine also showed a significant number of attacks, likely due to geopolitical tensions and cyber warfare incidents in the region. The UK and Germany were also notable for experiencing cyberattacks, reflecting the broader trend of targeting economically significant and technologically advanced European countries.

Nature of attacks
In the US, attacks included both ransomware and insider threats targeting a range of sectors, from telecom to government. The variety of attacks reflects the broad spectrum of valuable assets and sensitive information held by entities in the country. In Ukraine, the attacks were more focused on telecommunications and critical infrastructure, possibly due to ongoing conflicts and the strategic importance of disrupting these services. Attacks in the UK and Germany often involved data breaches and ransomware, aimed at extracting financial gains and disrupting services.

Trends and recommendations
We are seeing a clear trend where cyberattacks are increasingly aimed at nations with substantial global influence and economic power, particularly those at the forefront of technological advancements. These attacks are becoming more sophisticated, using a blend of techniques to exploit everything from human errors to system vulnerabilities. The distribution of cyberattacks by country underscores the need for heightened cybersecurity awareness and enhanced protective measures, particularly in nations that play significant roles in the global economy. Nations and organizations in these countries need to bolster their cybersecurity defenses through advanced security technologies, regular audits and continuous monitoring. Collaboration between governments and the private sector is also crucial for developing more resilient infrastructure and responding promptly to cyber incidents.
Understanding the telco security landscape

In cybersecurity, there are two distinct worlds: conventional IT security and telecom network security. Both are important but differ significantly in their scope, focus, features and challenges. The telecom sector is characterized by vast and complex network infrastructure that is essential to providing uninterrupted communication services. With the advent of 5G and the Internet of Things (IoT), CSPs must manage an ever-increasing number of connected devices and a higher volume of data traffic. This expansion of the threat surface requires a specialized approach to security.

For CSPs, there is a need for both information technology (IT) and telecom network security, but they often converge under a single leadership umbrella. In a 2023 global survey by TM Forum of 40 telco operators at the director level or above, 71% of respondents said their organization has a single Chief Information Security Officer (CISO) or Chief Security Officer (CSO) across both enterprise IT and network domains. To safeguard their organizations and protect critical data assets, it is critical that CSPs understand the differences between IT and telecom network security.

Anatomy of breaches in IT and telecom network security
IT security incidents range from common threats like phishing and weak passwords to more severe issues such as data theft, compromised databases and banking trojans. These attacks can disrupt services and expose user data, including personally identifiable information (PII) and credit card details.

In the specialized field of telecommunications network security, incidents are far more severe and can have significant consequences for end customers. Threats include eavesdropping on subscriber or network data, signaling storms targeting the radio access network (RAN)/core, cross-technology attacks on roaming interfaces (SS7/GTP), and compromised CSP workloads and network functions. These attacks can result in network failures and country-wide communication outages that hinder access to emergency services and financial transactions. The stakes are much higher when it comes to CSP network security breaches. While IT security attacks often result in data theft and service disruptions, breaches in CSP networks can have life-or-death consequences.

Table 2. IT security versus telecom network security

Aspect | IT security | Telecom network security
Components | Industry agnostic, such as laptops, mobile devices, intranet, IT applications and data centers | Purpose-built networks such as core, RAN, transport, access network, OSS/BSS
Infrastructure and protocols | Standard protocols like TCP/IP and TLS | Multi-vendor legacy technologies mixed with the latest cloud-based SBA and telco protocols like SS7, Diameter and GTP
Skill sets | Skills in endpoint security (mobile, desktop, servers), app security, firewalls and secure gateways | Expertise in telecom network topology, communication protocols, attack scenarios for SBA, NE integrations to collect telemetry data and take actions
Tools and technology | Homogenous security tools like IT SIEM, IAM, EDR and laptop antivirus | Specialized tools like telco XDR, mission-critical EDR, telco PAM, cloud-native architecture
Regulatory landscape | Governed by standards like HIPAA, PCI and GDPR | Abides by 3GPP, GSMA and country-specific regulations such as TSA in the UK, NIS2 in Europe
SPOTLIGHT: How IT and telecom network security solutions differ

Many CSPs are unaware of the distinctions between telecom-specific and generic security solutions. Despite sharing similar names, these solutions have fundamentally different approaches to network security. For example, generic endpoint detection and response (EDR) systems are tailored to enterprise environments, protecting workstations, end-user devices and IT data centers. In contrast, telecom-specialized EDR systems have agents running on critical infrastructure to protect against telecom-specific attacks while maintaining the functionality of network elements. These specialized solutions are engineered to have minimal impact on the workloads, ensuring network performance is not affected.

In July 2024, a defective update to EDR software triggered a global IT outage that led to widespread disruptions. Airports were forced to ground flights, financial institutions faced ATM outages, and hospitals had to cancel procedures due to system failures. This event underscored the importance of having a telecom-specific security solution to ensure security agents on telecom endpoints do not interfere with critical functions, and to prioritize network functionality and uptime.

The critical role of a tailored database in building a cyberattack knowledge base

Intelligence is the key to success in cybersecurity. Having the right information at the right time requires the deployment of sensors to collect data, analyze it, and produce actionable intelligence. Automation supported by recent machine learning and large language model techniques is critical to drawing insights from the massive amounts of data that businesses manage today. Still, the quality of the information these systems output depends on the quality of the information provided as input. The most effective approach involves using recognized and robust standards combined with data centralization and management solutions that leverage the latest developments. This includes threat intelligence standards such as Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII), playbook automation, and AI integration capabilities.

Threat intelligence platforms are highly customizable, allowing users to add multiple threat intelligence sources. They also include widgets that retrieve and display specific information relevant to the telecom sector. Automation playbooks also make it possible to pre-analyze data and draw insights quickly. The following figures demonstrate a sample of the capabilities threat intelligence platforms have to identify threats faster. Figure 3 shows an example of a customized dashboard for an open-source threat intelligence platform.

Figure 3. Customized OpenCTI threat intelligence platform dashboard used to track cyber telecom attacks and collect cyber operational data

Figure 4 shows examples of key telecom cyber threat activity that can be monitored from open-source intelligence (OSINT). Following is a breakdown of what each key performance indicator (KPI) means:
- Intrusion set telecom sector widget: Displays information about intrusion sets specifically targeting the telecom sector.
- Malware target telecom sector: Shows data about malware that targets the telecom sector.
- Report telecom: Generates reports related to telecom threats and incidents.
- Attack campaign: Number of cyber campaigns launched by threat actors.
- Number of indicators of compromise (IOCs): IOCs found for attacks against CSPs.

Figure 4. High-level cyber threat activity statistics

Figure 5. Dates and number of reports of cyberattacks in the telecom sector
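The KPI widgets listed above are queries over the STIX object graph that a platform such as OpenCTI stores. The following Python example, added here and not taken from the Nokia report or from OpenCTI, shows how each of the five counts can be derived from a STIX 2.1 bundle using only the standard library: a sector identity, "targets" and "attributed-to" relationships, "indicates" relationships from indicators, and reports whose object_refs cite those objects. Every object in the bundle is constructed sample data with fixed UUIDs; the thresholds of what counts as "telecom-targeting" are the assumptions spelled out in the comments.

```python
"""Deriving telecom-sector threat KPIs from a STIX 2.1 bundle.

Added example (not from the Nokia report or from OpenCTI). The dashboard
widgets answer questions of the form "which intrusion sets, malware and
campaigns target the telecom sector, and which indicators belong to them?".
In STIX 2.1 that is a graph walk: an identity object with "telecommunications"
in its sectors, "targets" relationships pointing at it, "attributed-to"
relationships from campaigns to intrusion sets, "indicates" relationships
from indicators, and reports whose object_refs cite those objects.
All objects below are constructed sample data with fixed UUIDs.
"""
import json

STAMP = "2024-01-01T00:00:00.000Z"  # constructed timestamp


def _obj(stix_type, n, **props):
    """Minimal STIX 2.1 object with a constructed, deterministic id."""
    o = {"type": stix_type, "spec_version": "2.1",
         "id": f"{stix_type}--00000000-0000-4000-8000-{n:012d}",
         "created": STAMP, "modified": STAMP}
    o.update(props)
    return o


def _rel(n, relationship_type, source_ref, target_ref):
    return _obj("relationship", n, relationship_type=relationship_type,
                source_ref=source_ref, target_ref=target_ref)


TELECOM = _obj("identity", 1, name="Telecommunications sector",
               identity_class="class", sectors=["telecommunications"])
FINANCE = _obj("identity", 2, name="Financial services sector",
               identity_class="class", sectors=["financial-services"])
SET_A = _obj("intrusion-set", 3, name="Constructed intrusion set A")
SET_B = _obj("intrusion-set", 4, name="Constructed intrusion set B")
BACKDOOR = _obj("malware", 5, name="constructed-backdoor", is_family=False)
CAMPAIGN = _obj("campaign", 6, name="Constructed campaign 1")
IND_IP = _obj("indicator", 8, pattern_type="stix", valid_from=STAMP,
              pattern="[ipv4-addr:value = '203.0.113.10']")
IND_DOM = _obj("indicator", 9, pattern_type="stix", valid_from=STAMP,
               pattern="[domain-name:value = 'c2.example.invalid']")
REPORT = _obj("report", 7, name="Constructed report on campaign 1", published=STAMP,
              object_refs=[CAMPAIGN["id"], BACKDOOR["id"], IND_IP["id"]])

SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000099",
    "objects": [
        TELECOM, FINANCE, SET_A, SET_B, BACKDOOR, CAMPAIGN, REPORT, IND_IP, IND_DOM,
        _rel(10, "targets", SET_A["id"], TELECOM["id"]),        # A targets telecom
        _rel(11, "targets", SET_B["id"], FINANCE["id"]),        # B targets finance only
        _rel(12, "targets", BACKDOOR["id"], TELECOM["id"]),
        _rel(13, "attributed-to", CAMPAIGN["id"], SET_A["id"]),
        _rel(14, "indicates", IND_IP["id"], BACKDOOR["id"]),
        _rel(15, "indicates", IND_DOM["id"], BACKDOOR["id"]),
        _rel(16, "uses", SET_A["id"], BACKDOOR["id"]),
    ],
}
SAMPLE_JSON = json.dumps(SAMPLE_BUNDLE)  # the shape a TAXII collection hands back


def load_bundle(text):
    """Parse a STIX bundle from JSON and reject anything that is not a bundle."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    return bundle


def telecom_kpis(bundle):
    """Count telecom-targeting intrusion sets, malware, campaigns, reports and IOCs."""
    objects = bundle["objects"]
    type_of = {o["id"]: o["type"] for o in objects}
    telecom_ids = {o["id"] for o in objects
                   if o["type"] == "identity" and "telecommunications" in o.get("sectors", [])}
    rels = [o for o in objects if o["type"] == "relationship"]
    # Direct targeting: anything with a "targets" edge into a telecom identity.
    targets_telecom = {r["source_ref"] for r in rels
                       if r["relationship_type"] == "targets" and r["target_ref"] in telecom_ids}
    # Assumption: a campaign attributed to a telecom-targeting intrusion set counts too.
    targets_telecom |= {r["source_ref"] for r in rels
                        if r["relationship_type"] == "attributed-to"
                        and r["target_ref"] in targets_telecom}
    # IOCs are indicators that "indicate" one of those objects.
    iocs = {r["source_ref"] for r in rels
            if r["relationship_type"] == "indicates" and r["target_ref"] in targets_telecom}
    # Reports count when they cite at least one telecom-targeting object.
    reports = [o for o in objects
               if o["type"] == "report" and targets_telecom & set(o.get("object_refs", []))]

    def count(stix_type):
        return sum(1 for oid in targets_telecom if type_of.get(oid) == stix_type)

    return {"intrusion_sets": count("intrusion-set"), "malware": count("malware"),
            "campaigns": count("campaign"), "reports": len(reports), "iocs": len(iocs)}


def kpis_from_json(text):
    return telecom_kpis(load_bundle(text))


if __name__ == "__main__":
    print(json.dumps(kpis_from_json(SAMPLE_JSON), indent=2))
```

The point worth noticing is that the sector filter lives on one identity object and everything else is reached through relationships; an intrusion set that targets only financial services (SET_B above) drops out of every widget even though it sits in the same bundle. That is also why the quality of the "targets" relationships in the feeds matters as much as the indicators themselves.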
GSMA MoTIF Framework: A vital resource for CSPs

The GSMA Mobile Threat Intelligence Framework (MoTIF) is designed to systematize the understanding and mitigation of adversarial threats against mobile networks. For CSPs, MoTIF refers to a targeted approach to defending against mobile network attacks, encompassing every generation from 2G to 5G. It also covers essential services like roaming, SMS and VoIP, ensuring comprehensive protection across all mobile technologies. MoTIF's scope includes adversary TTPs not covered by other public frameworks, incorporating unique mobile network threats like fraud against networks and their customers. It serves to document and analyze how adversaries exploit mobile networks, offering structured descriptions of their actions and impacts.

The framework details TTPs by breaking down adversarial activities into tactics for easy categorization and response. It also introduces several core concepts such as "techniques" and "sub-techniques" specific to mobile network security. These are aligned with MoTIF's High-Level Strategy (HLS), which provides an overarching strategic context for attacks, helping guide mobile network operators in their defense strategies. HLS components include the attack goal, attack surface and specific attack targets, with each element given a distinct MoTIF number for identification and reference. MoTIF also integrates with the STIX framework, enabling interoperability with other threat intelligence tools and facilitating the exchange of information across different platforms and stakeholders involved in mobile network security.

By providing a comprehensive and specialized framework, MoTIF assists security professionals not only in understanding and tracking adversarial tactics but also in developing and refining defensive measures tailored to the complex environment of mobile networks. This strategic tool thus plays a crucial role in enhancing the security resilience of mobile communication infrastructures globally.

What does this mean for CSPs?
MoTIF is a vital resource for CSPs as it empowers them to proactively combat evolving mobile threats and safeguard their networks, customers and reputation. Through shared intelligence and collaboration on best practices, MoTIF enables CSPs to:
- Stay ahead of the curve: Gain access to a wider pool of threat intelligence, including early detection of malware, phishing campaigns, and other malicious activities targeting mobile users.
- Enhance customer trust: Proactively address security threats, protecting users from financial fraud, data breaches, and other security risks that can impact customer trust and satisfaction.
- Optimize operational efficiency: Reduce costs associated with security incidents, such as remediation efforts, customer support, and reputational damage.
- Meet regulatory requirements: Align with industry regulations and best practices, demonstrating a commitment to security and meeting compliance obligations.
This framework empowers CSPs to move beyond reactive security measures and adopt a proactive approach to threat management.
SPOTLIGHT: How GTPDOOR works

Earlier this year, a new telecom-oriented malware named GTPDOOR was found, likely attributed to UNC1945 (Mandiant)/LightBasin (CrowdStrike). This malware allows attackers to execute remote commands and stealthily extract the output over the GPRS (general packet radio service) roaming exchange (GRX) backbone that interconnects mobile network operators for roaming purposes.

In the 2023 Threat Intelligence Report, we highlighted the LightBasin threat with an analysis using the FiGHT framework. For reference, LightBasin is a malware that mainly allows attackers to run commands on the compromised host and exfiltrate outputs over the GTP-C protocol using the GRX network. Hackers can move laterally within the mobile network operator network to non-GRX-connected devices. Security researchers have uncovered evidence of at least 13 telecommunication companies worldwide compromised by LightBasin dating back to at least 2019. GTPDOOR showcases the capabilities of the LightBasin arsenal for backdoors and gives a sense of the group's level of knowledge.

GTPDOOR was built to avoid detection. Its traffic is hidden inside regular GTP-C traffic and captured using a raw socket, and it implements a kind of access list to allow only specific IPs to use it. The process also mimics a kernel thread by renaming itself "syslogd." GTPDOOR uses raw sockets for communication rather than opening a new listening port, which would be easier to detect. As hackers refine their tactics to evade detection, strong, multilayered defense mechanisms become increasingly critical. The emergence of GTPDOOR serves as an important reminder of the need for continuous monitoring, advanced detection capabilities, and robust security measures to safeguard critical telecom infrastructure.

Figure 6. GTPDOOR enabling malicious communication through GTP-C traffic over GRX. The diagram shows the attacker's command and control on a compromised MNO/attacker's infrastructure, the GRX backbone, and the targeted MNO (GGSN/PGW, SGW, SGSN, MME, HSS/HLR/UDR, PCRF), with GTPDOOR's compromised network element and the malware's communication hidden in regular GTP-C traffic.
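The defender's counterpart to the description above is a GRX-facing sensor that understands GTP-C well enough to say what does not look like roaming signalling. The following Python example, added here and not taken from the Nokia report or from any GTPDOOR analysis, parses the GTPv1 header as specified in 3GPP TS 29.060 and flags three things: datagrams from peers that are not configured roaming partners, message types outside the GTPv1-C set, and payloads whose size disagrees with the length field. The roaming-partner allowlist, the sample datagrams and the subset of message types in the table are constructed assumptions. Because the report states that GTPDOOR's traffic is hidden inside otherwise regular GTP-C, structural checks like these catch only the sloppy cases; the peer allowlist (the same idea as the GRX firewall rules that should already exist) is the check that does the most work.

```python
"""GTPv1-C header parsing and anomaly checks for a GRX-facing sensor.

Added example, not from the Nokia report or from any GTPDOOR analysis.
Signalling on the GRX is GTP-C over UDP/2123, so a sensor that parses every
GTP-C datagram can flag what does not look like roaming signalling: peers
that are not roaming partners, message types outside the GTPv1-C set, and
payloads whose size does not match the length field. The allowlist, the
message-type subset and the sample datagrams are constructed.
"""
import struct

GTPC_PORT = 2123  # GTP-C UDP port (3GPP TS 29.060)

# Subset of GTPv1-C message types from 3GPP TS 29.060; assumed sufficient here.
KNOWN_GTPC_TYPES = {
    1: "Echo Request", 2: "Echo Response", 3: "Version Not Supported",
    16: "Create PDP Context Request", 17: "Create PDP Context Response",
    18: "Update PDP Context Request", 19: "Update PDP Context Response",
    20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
    26: "Error Indication", 27: "PDU Notification Request",
    28: "PDU Notification Response", 31: "Supported Extension Headers Notification",
}

# Constructed allowlist of roaming-partner GTP-C endpoints reachable over the GRX.
ROAMING_PARTNERS = {"192.0.2.10", "192.0.2.11"}


def parse_gtpv1_header(data):
    """Parse the mandatory 8-byte GTPv1 header plus the optional 4 bytes
    present when any of the E, S or PN flags is set. Raises ValueError if short."""
    if len(data) < 8:
        raise ValueError("datagram shorter than the 8-byte GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    hdr = {
        "version": flags >> 5,              # bits 8-6
        "protocol_type": (flags >> 4) & 1,  # 1 = GTP, 0 = GTP'
        "ext_hdr": bool(flags & 0x04),      # E flag
        "seq_flag": bool(flags & 0x02),     # S flag
        "npdu_flag": bool(flags & 0x01),    # PN flag
        "msg_type": msg_type,
        "length": length,                   # bytes following the mandatory header
        "teid": teid,
        "header_len": 8,
    }
    if hdr["ext_hdr"] or hdr["seq_flag"] or hdr["npdu_flag"]:
        if len(data) < 12:
            raise ValueError("optional header fields indicated but missing")
        seq, npdu, next_ext = struct.unpack("!HBB", data[8:12])
        hdr.update(sequence=seq, npdu=npdu, next_ext=next_ext, header_len=12)
    return hdr


def check_gtpc_datagram(src_ip, dst_port, data, partners=ROAMING_PARTNERS):
    """Return a list of finding strings for one datagram; empty means nothing unusual."""
    findings = []
    if dst_port != GTPC_PORT:
        findings.append(f"not GTP-C port: {dst_port}")
    if src_ip not in partners:
        findings.append(f"source {src_ip} is not a known roaming partner")
    try:
        hdr = parse_gtpv1_header(data)
    except ValueError as exc:
        return findings + [f"malformed: {exc}"]
    if hdr["version"] != 1 or hdr["protocol_type"] != 1:
        findings.append(f"not GTPv1 (version={hdr['version']}, PT={hdr['protocol_type']})")
    if hdr["msg_type"] not in KNOWN_GTPC_TYPES:
        findings.append(f"unknown GTP-C message type {hdr['msg_type']}")
    # The length field counts everything after the mandatory 8 bytes, so a
    # well-formed datagram is exactly 8 + length bytes long.
    if len(data) != 8 + hdr["length"]:
        findings.append(f"length mismatch: header implies {8 + hdr['length']} bytes, got {len(data)}")
    return findings


def build_gtpv1(msg_type, teid, payload=b"", seq=None):
    """Construct a GTPv1 datagram (test data only); S flag set when seq is given."""
    flags = 0x30  # version 1, PT = 1, spare/E/S/PN clear
    optional = b""
    if seq is not None:
        flags |= 0x02
        optional = struct.pack("!HBB", seq, 0, 0)
    body = optional + payload
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


# Constructed samples: a normal Echo Request from a partner, and a datagram from an
# unknown peer with an unassigned message type and bytes beyond the declared length.
SAMPLE_NORMAL = ("192.0.2.10", GTPC_PORT, build_gtpv1(1, 0, seq=7))
SAMPLE_ODD = ("203.0.113.5", GTPC_PORT, build_gtpv1(200, 0, payload=b"\x00" * 4, seq=1) + b"extra")

if __name__ == "__main__":
    for name, sample in (("normal", SAMPLE_NORMAL), ("odd", SAMPLE_ODD)):
        print(name, check_gtpc_datagram(*sample) or ["ok"])
```

Feeding this from a live capture is a matter of handing it the UDP payload and the IP source from a pcap reader; the parser deliberately stops at the header so that a malformed information-element body cannot crash the sensor.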
The hidden threat of system-on-chip (SoC) attacks: Securing 5G innovation

What is a system-on-chip?
System-on-chips (SoCs) are hardware-integrated circuits that integrate computer components or other electronic systems. In terms of cost and reliability, SoCs are one of the only feasible solutions for achieving higher performance while minimizing power consumption. This technology is embedded in base station solutions to boost network performance, cut energy consumption, and meet the escalating demands of 5G networks. Unlike microcontroller units, which are small computers with integrated boards, SoCs are integrated into a single-chip package that does everything that once required multiple chips. SoCs are typically a hardware encapsulation of one or more central processing units (CPUs), memory, microcontrollers, digital signal processors (DSPs) and accelerators.

SoCs are used across a wide range of industries to enhance device performance and efficiency. In the realm of IoT, SoCs are the backbone of smart devices and sensors used in smart homes, industrial automation and healthcare. Their ability to integrate multiple functions onto a single chip allows for compact, low-power devices that can efficiently collect, process and transmit data. This is crucial for applications such as smart thermostats, wearable health monitors and remote industrial sensors. SoCs are also critical in the development of high-performance computing and data centers. They are used in servers and specialized processors for tasks like machine learning and artificial intelligence (AI). These chips help in handling large volumes of data and complex computations with greater speed and efficiency, driving advancements in fields such as big data analytics and scientific research.

Figure 7. Illustration of a SoC (block diagram of a PSoC 4 part: bootloader, ARM Cortex M0 core, counters, timers, UART, CapSense, DAC, analog MUX, comparator)
101、gh MSS trendsRegulatory environmentSpecial editionConclusionAbout Nokias security capabilitiesThreat Intelligence Report 202414Telecom sector attack trendsSoC attacksSoC attacks have emerged as a significant concern in cybersecurity.With the proliferation of SoCs across a wide range of devices and i
102、ndustries,these attacks are becoming more frequent and sophisticated,posing substantial risks to both individuals and organizations.While the integration of numerous functions onto a single chip enhances performance and efficiency,it also creates a larger attack surface.Cybercriminals are increasing
103、ly targeting SoCs to exploit vulnerabilities in various components,such as firmware,software and hardware interfaces.These attacks can lead to unauthorized access,data theft and even complete system compromise.One of the primary drivers of the growth in SoC attacks is the widespread adoption of conn
104、ected devices,especially in the IoT space.Often designed with cost and functionality as primary considerations,many IoT devices lack robust security measures,making them attractive targets for cybercriminals.The consequences of SoC attacks can be severe.In critical infrastructure,such as energy grid
105、s or transportation systems,an attack on SoC-based controllers could lead to widespread disruptions and safety hazards.In the automotive industry,vulnerabilities in SoCs used in advanced driver-assistance systems or vehicle-to-everything communication could result in unauthorized control over vehicl
106、es,posing significant risks to public safety.SoC securityGiven the growing threat,it is crucial to prioritize the security of SoCs.To effectively safeguard against SoC-based threats in telecommunications,particularly within the 5G infrastructure,CSPs should consider implementing a comprehensive set
of robust security measures: strong data encryption, endpoint detection and response (EDR) agents, strict access control on the principle of least privilege, and AI/ML-based advanced threat analysis with mitigation orchestration. These measures are designed to improve network resilience, protect data integrity and ensure continuous service availability. End users should stay informed about their devices' security features and update software and firmware regularly. Network security measures, such as firewalls and intrusion detection systems, can also help protect devices that rely on SoCs.

Figure 8. Relative impact of attacks on different components. Axis: minimum impact to maximum impact. Components: sensors, communication, data accumulation, hardware abstraction, firmware, hardware platform.

DDoS traffic and attack trends

In 2024, DDoS traffic growth continued to outpace every other type of network traffic. DDoS traffic volume increased 166% year over year (June 2023 to June 2024). This growth has been fueled by the proliferation of insecure IoT devices, which now have more bandwidth available to them through gigabit and multi-gigabit broadband offers.

Many attacks continue to employ multi-vector strategies, but Domain Name System (DNS) amplification still constitutes
the primary legacy driver: 36% of all DDoS attacks use DNS amplification. Other vectors, such as Network Time Protocol (NTP) amplification, Connectionless Lightweight Directory Access Protocol (CLDAP) amplification and Memcached amplification, are declining rapidly, with year-over-year drops of 20% to 70% depending on the vector.

Botnets remain a significant threat in the DDoS landscape. While the pool of unsecured devices that could be used in DDoS attacks is in the hundreds of thousands, if not millions, most individual botnet DDoS attacks involve a small number of bots: 60% of all botnet DDoS attacks involve fewer than 100 bots.

Carpet-bombing DDoS attacks

Attacks on multiple targets using a range of destination IP addresses within one network or across several networks are referred to as carpet-bombing DDoS attacks. Unlike DDoS attacks that target a specific server or service, carpet-bombing attacks aim to disrupt a whole block of IP addresses, hitting a broader set of resources and infrastructure at once. In 2024 they grew in scope: 13% of carpet-bombing DDoS attacks targeted 256 destination IP addresses or more, and 2.8% targeted 1,024 IP addresses or more. The largest carpet-bombing attack observed in 2024 targeted more than 16,000 IP addresses. The vectors used in carpet bombing are a small subset of those seen in other DDoS attacks: 80% are DNS-based, 16% use botnets and 2% use Transmission Control Protocol (TCP) reflection.

Attack durations

There was a marked shift toward shorter attacks: 44% of the DDoS attacks observed in 2024 lasted less than five minutes, underscoring the need for a rapid, automated response that detects and neutralizes an attack in seconds rather than minutes. Shorter durations are not good news per se, because the number and frequency of attacks are also rising. Many CSPs see large numbers of significant DDoS events that require attention from security operations teams; in many networks, the frequency of these events has grown from one or two a day to well over 100 per day. Many of these shorter attacks exhibit a dynamism that points to added sophistication, likely driven by artificial intelligence (AI). Attacks on the same targets frequently use morphing techniques, changing attack vectors and behavior during the attack. This trend underscores the need for advanced, AI-driven defense strategies to combat evolving DDoS threats.

2024: The surge of AI in DDoS attacks

DDoS is a well-established area within computer science and software engineering, both in the methods used to coordinate and launch attacks and in the techniques for protecting against them. However, 2024 was a turning point: new capabilities made DDoS more pervasive and visible and brought it into mainstream conversation and news. As AI spreads across all types of applications, the novel use of AI for launching DDoS
attacks was also evident in 2024. AI gives malicious actors a stepwise increase in capability and threat potential. The early 2020s saw an exponential increase in botnet-driven DDoS traffic, enabled by hundreds of thousands of IoT devices that offer virtually unlimited distributed compute and increasingly sit behind gigabit (and multi-gigabit) uplinks. Botnets remain a major driver in today's DDoS landscape, accounting for about 60% of the traffic monitored by Nokia Deepfield through its Emergency Response Team (ERT). However, 2024 was the year of AI and automation in new DDoS threats, and the year in which significant abuse of residential proxies started in large-scale DDoS attacks.

Residential proxy abuse is on the rise

Proxies have been around since the advent of the internet, providing two-step connectivity: one step to the proxy, and a second from the proxy to the desired destination. Residential proxies (also known as RESIP) run on consumer devices over fixed or mobile broadband connections; their proxy software presents the originating system to the internet under a different IP address, or a pool of IP addresses that changes dynamically over time.

Residential proxies are used for a wide variety of purposes. Some sit in a gray legal or ethical zone, such as web scraping, price monitoring, spam and sneaker auctions. Others are used in criminal activity, including identity theft, phishing, click, credit card and auction fraud, malvertising and many more. The main appeal for users of residential proxies, that their traffic originates from a "clean" IP address that changes dynamically, also attracts DDoS threat actors: traffic sent through these proxies is unlikely to appear on the reputation blocklists built from prior botnet activity. It also gives attackers a degree of obfuscation, making the real source of malicious traffic harder to trace.

From the perspective of security teams, there is one major difference between bots and residential proxies: scale. While the number of bots used for DDoS today is in the order of several hundred thousand, several residential proxy providers offer access to tens of millions of IP endpoints. This makes the problem space vastly larger and lets threat actors choose which country (and even city) they want to
reflect attacks from. Lured by a "free" virtual private network (VPN) service, people who install residential proxy software on their devices may inadvertently turn those devices into DDoS attack endpoints. Residential proxies have already been exploited this way and are behind many DDoS attacks. With millions of IP addresses that appear legitimate and have not (yet) been seen in observed attacks, these endpoints can, and do, generate DDoS traffic that passes traditional DDoS security systems.

SPOTLIGHT: How threat actor group NoName057(16) uses residential proxies

One of the most active malicious users of residential proxy services is the pro-Russian hacktivist group NoName057(16). The group openly recruits volunteers through a Telegram channel and distributes a daily list of targets through its command-and-control server, which participants' machines then attack using the DDoSia toolkit. The attacks are executed synchronously to overwhelm the targeted web server.

This is not a volumetric DDoS attack. NoName057(16) attacks primarily rely on HTTPS POST requests with valid parameters, indicating some level of reconnaissance on the target ahead of the actual attack. When the Nokia Deepfield Emergency Response Team (ERT) first investigated an attack sample provided by a customer under attack, the traffic amounted to just 10 Mbps (5 kilopackets per second, kpps), far below typical volumetric thresholds. Low in volume as they are, these attacks can often be enough to disrupt service availability, because each request generates significant work at the application layer.

A common mitigation is a geofence that admits traffic only from the countries where legitimate users are expected. Its use is evident when threat actors post evidence of the relative success of their attacks and annotate some of them with a "blocked by geo" note. Geo-blocking is not a silver bullet, however. Using residential proxies and a large pool of IP addresses with no prior bad reputation, attackers can pick the countries their malicious traffic appears to originate from. A large portion of the attack traffic is then not blocked, while legitimate users in other countries are blocked on the basis of their geo-IP location. The result is a high rate of both false negatives (DDoS not detected) and false positives (legitimate traffic classified as DDoS). Nokia Deepfield
ERT devised an alternative mitigation that blocks only the proxy traffic, at the edge of the service provider network. For more details, refer to the Nokia blog post on adding layers of DDoS protection to IP routers.

Threat actor profile: NoName057(16)
- Pro-Russian hacktivist group that emerged in March 2022 following Russia's invasion of Ukraine.
- Conducts DDoS attacks against the websites of organizations (governmental and private) it deems "anti-Russian".
- Uses Telegram channels to claim responsibility for attacks, make threats and share tools such as DDoSia, its custom DDoS software.
- Developed a cryptocurrency payment system to reward contributors (a volunteer-based model rather than malware or exploitation).
- Attacks primarily rely on web DDoS, i.e., crafted HTTPS GET/POST requests that can overwhelm a server even with a relatively small number of sources and requests.
- Uses proxy services to hide its IPs from known botnet lists and to make traffic appear to originate in the destination country.
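The spotlight above describes a low-volume HTTPS POST flood that a country geofence both misses (proxies that geolocate to the allowed country) and over-blocks (legitimate users abroad). The Python below is an added example, not code from the report or from Nokia Deepfield, that makes that trade-off concrete over a constructed access log: a geofence is compared with a simple detector that watches the POST rate per endpoint and the sustained per-source rate, neither of which looks at geography. The log format, the IP ranges, the endpoint name and the thresholds are assumptions for the example; the ERT's actual edge-filtering method is not shown here.

```python
"""Added example (not from the report): a country geofence versus rate-based
detection of a low-volume HTTP POST flood arriving through residential proxies
that geolocate to the country where legitimate users are expected."""
import re
from collections import defaultdict

# Constructed access-log format for this example (not a real server's):
#   <src_ip> <geo_country> <unix_ts> "<METHOD> <path>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<country>[A-Z]{2}) (?P<ts>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def build_sample_log():
    """Constructed data: four legitimate users (two in the US, one each in DE and
    FR) browsing slowly, plus 40 proxy endpoints geolocating to the US, each
    sending one well-formed POST per second to a costly search endpoint for 30
    seconds. Returns the log text and the attacking IPs (ground truth)."""
    lines = []
    legit = [("203.0.113.5", "US"), ("203.0.113.9", "US"),
             ("198.51.100.7", "DE"), ("198.51.100.8", "FR")]
    for t in range(0, 60, 5):
        for i, (ip, cc) in enumerate(legit):
            if (t // 5 + i) % 3 == 0:
                lines.append(f'{ip} {cc} {t} "POST /api/search?q=phones" 200 512')
            else:
                lines.append(f'{ip} {cc} {t} "GET /index.html" 200 2048')
    attack_ips = {f"192.0.2.{n}" for n in range(1, 41)}
    for t in range(20, 50):
        for ip in sorted(attack_ips):
            lines.append(f'{ip} US {t} "POST /api/search?q=valid+term&page=1" 200 900')
    return "\n".join(lines), attack_ips


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"], r["bytes"] = int(r["ts"]), int(r["bytes"])
        r["path"] = r["path"].split("?", 1)[0]  # group by endpoint, not query string
        records.append(r)
    return records


def geofence(records, allowed_countries):
    """Country allowlist: return (passed_ips, blocked_ips)."""
    passed, blocked = set(), set()
    for r in records:
        (passed if r["country"] in allowed_countries else blocked).add(r["ip"])
    return passed, blocked


def detect_post_flood(records, window_s=10, baseline_rps=1.0, factor=5.0):
    """Flag endpoints whose POST rate in any window exceeds factor * baseline.
    Returns {path: (peak_rps, distinct_sources_in_peak_window)}. Geography is
    irrelevant here; what matters is load on the application layer."""
    counts = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["method"] == "POST":
            w = r["ts"] // window_s
            counts[r["path"]][w] += 1
            sources[r["path"]][w].add(r["ip"])
    flagged = {}
    for path, per_window in counts.items():
        peak = max(per_window, key=per_window.get)
        rps = per_window[peak] / window_s
        if rps > factor * baseline_rps:
            flagged[path] = (rps, len(sources[path][peak]))
    return flagged


def suspect_sources(records, path, min_rps=0.5):
    """Sources posting to the flagged endpoint at a sustained rate. The bar is
    low on purpose: each proxy is deliberately low-and-slow."""
    count, first, last = defaultdict(int), {}, {}
    for r in records:
        if r["method"] == "POST" and r["path"] == path:
            ip, ts = r["ip"], r["ts"]
            count[ip] += 1
            first[ip] = min(first.get(ip, ts), ts)
            last[ip] = max(last.get(ip, ts), ts)
    return {ip for ip in count if count[ip] / (last[ip] - first[ip] + 1) >= min_rps}


def evaluate():
    """Compare both approaches against the constructed ground truth."""
    text, attack_ips = build_sample_log()
    records = parse_log(text)
    legit_ips = {r["ip"] for r in records} - attack_ips
    passed, blocked = geofence(records, allowed_countries={"US"})
    flagged = detect_post_flood(records)
    suspects = set().union(*(suspect_sources(records, p) for p in flagged))
    return {
        "geofence_false_negatives": len(attack_ips & passed),  # proxies in the allowed country
        "geofence_false_positives": len(legit_ips & blocked),  # real users abroad
        "flagged_paths": flagged,
        "rate_true_positives": len(attack_ips & suspects),
        "rate_false_positives": len(legit_ips & suspects),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

In the constructed data the geofence passes all 40 proxies and blocks both genuine foreign users, while the endpoint-rate check flags the search endpoint and the per-source rate isolates exactly the proxy set. In production the baseline per endpoint would come from observed history rather than a constant, and a per-source rate alone is weak against very large proxy pools; the point is that application-layer load, not origin country, is the signal.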
While proxy-based, application-layer DDoS attacks rose in 2024, volumetric (network-level) DDoS traffic did not let up. Nokia Deepfield observed a notable change in the methods used in these attacks. Instead of mostly fixed attack vectors and targets over the lifetime of an attack, we saw rapidly evolving vector changes and microbursts, as well as automated target changes across many subnets.

Morphing attacks

Morphing attacks (also referred to as adaptive or dynamic DDoS) present significant challenges for mitigation, particularly when it
comes to the out-of-data-path solutions used by large service providers. Along with obvious attack vector changes (for example, quickly switching from a botnet-based TCP SYN flood to a User Datagram Protocol (UDP) flood), we also observed behavioral changes within a given vector. For instance, several customers were targeted with a multi-hundred Gbps UDP flood that kept a specific packet length invariant, quickly followed by a flood with a different packet size. This tactic is harder to combat in manual mitigation, where identifying a consistent pattern leads security teams to instantiate a specific filter entry on the network edge. More saliently, during several such attacks we observed rapid shifts in attack patterns in response to newly created router filter entries. In other words, the attacks were reacting to defensive measures and changing tactics accordingly. Well-trained, on-task humans can do this, but software automation that probes the target's reachability and adapts DDoS payloads accordingly can clearly accelerate the response. Network operators have long had access to varying levels of automation for configuration and performance management; it now appears that certain threat actors have gained a comparable level of automation for their DDoS activity.

Exploring distributed attacks and automation: Qualitative research on evolving tactics

We also observed hundreds of attacks against a single customer in which the destination addresses changed continuously throughout an attack's lifetime. Carpet-bombing attacks targeting a range of IP addresses or a whole subnet have been around for some time, but traditionally the targeted ranges have been static. In this new generation of distributed carpet-bombing DDoS attacks, attackers spread the malicious traffic across several subnets to evade detection (by defense systems that monitor per-host bandwidth) and to raise the cost and complexity of mitigation. In 2024, we observed a significant increase in highly distributed carpet-bombing attacks. These attacks not only targeted a vast number of
hosts (one of the largest attacks we observed spanned 49 individual /24 subnets) but also alternated between destination subnets over time. These morphing, distributed carpet-bombing DDoS attacks make protection much harder for conventional scrubbing solutions, which depend on traffic diversion to be effective: diverting traffic aimed at a large and dynamically changing set of IP addresses challenges the speed and accuracy of detection and the scalability of mitigation.

Learnings and recommendations

Detecting DDoS attack traffic in 2024 remains challenging because traditional detection approaches, such as static thresholds and baselines, are no longer effective. Botnet traffic and shorter DDoS attacks circumvent traditional anti-DDoS systems. The primary challenge today is therefore to improve the detection accuracy and speed for new generations of DDoS attacks as they happen, and to ensure detection completes in seconds, not minutes.

To combat contemporary DDoS attacks, modern defenses must understand the wider internet security context. Continuous monitoring and tracking with real-time updates can help identify a much broader range of attack sources, from botnets to residential proxies. Additionally, while network owners have traditionally guarded only the "front door" (internet peering and transit links), attacks now arrive through many other entry points, including customers, partners (e.g., cloud providers) and compromised devices inside the network. Legacy solutions cannot adequately monitor and detect DDoS traffic from these entry points. Forward-looking DDoS solutions need to protect in all directions, inbound and outbound, across all network edges.

CSPs and data center operators should evaluate DDoS mitigation solutions on their ability to detect new generations of attacks with improved accuracy and speed, but also on scale, cost and efficacy. They should also weigh their tolerance for false positives against the cost and complexity of different solutions.
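Carpet bombing, described above under "Carpet-bombing DDoS attacks" and again under "Exploring distributed attacks and automation", spreads traffic over hundreds of hosts so that no single destination crosses a per-host threshold, and the newer variant alternates between subnets. The Python below is an added example, not from the report or from any Nokia product, of the aggregation a detector needs: the same constructed one-second flow summaries are evaluated with a per-host threshold and with a per-/24 prefix threshold, a distinct-destination count is added as a second signal, and the per-prefix alerts are collapsed into a timeline that shows the attacked prefix alternating. The flow tuple layout, the addresses, the rates and the thresholds are all assumptions for the example.

```python
"""Added example (not from the report): detecting carpet-bombing DDoS by
aggregating flow records per destination prefix instead of per host, and
tracking how the attacked prefix alternates over time."""
import ipaddress
from collections import defaultdict


def build_sample_flows():
    """Constructed one-second flow summaries as (ts, dst_ip, proto, dst_port, bytes).
    Background: ~20 Mbps to each of three servers. Attack from t=10: a UDP flood
    of ~4 Mbps to each of 200 hosts in one /24 (0.8 Gbps aggregate), switching
    to the other /24 every 10 seconds. All numbers are made up for illustration."""
    flows = []
    for t in range(0, 40):
        for host in ("198.51.100.210", "198.51.100.220", "203.0.113.230"):
            flows.append((t, host, "tcp", 443, 2_500_000))
    for t in range(10, 40):
        net = ipaddress.ip_network("198.51.100.0/24" if (t // 10) % 2 else "203.0.113.0/24")
        for i in range(1, 201):
            flows.append((t, str(net.network_address + i), "udp", 53, 500_000))
    return flows


def bits_per_second_by_key(flows, key_fn):
    """Sum bytes into (key, second) buckets; return {key: {ts: bits/s}}."""
    agg = defaultdict(lambda: defaultdict(int))
    for ts, dst, _proto, _port, nbytes in flows:
        agg[key_fn(dst)][ts] += nbytes * 8
    return agg


def host_key(dst):
    return dst


def prefix_key(prefix_len):
    """Key function mapping a destination address to its covering prefix."""
    def key(dst):
        return str(ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False))
    return key


def detect(flows, key_fn, threshold_bps):
    """Return {key: sorted seconds in which the key's rate exceeded the threshold}."""
    hits = {}
    for key, series in bits_per_second_by_key(flows, key_fn).items():
        over = sorted(t for t, bps in series.items() if bps > threshold_bps)
        if over:
            hits[key] = over
    return hits


def distinct_targets_per_second(flows, prefix_len):
    """Second signal: peak number of distinct destination hosts hit inside each
    prefix within any one second. Carpet bombing spreads load over many hosts,
    so this count jumps even when per-host bandwidth stays modest."""
    seen = defaultdict(lambda: defaultdict(set))
    key = prefix_key(prefix_len)
    for ts, dst, _proto, _port, _nbytes in flows:
        seen[key(dst)][ts].add(dst)
    return {p: max(len(hosts) for hosts in per_sec.values()) for p, per_sec in seen.items()}


def target_timeline(hits):
    """Collapse per-second hits into (start, end, key) intervals so the
    alternation between attacked prefixes is visible."""
    intervals = []
    for key, secs in hits.items():
        start = prev = secs[0]
        for s in secs[1:]:
            if s != prev + 1:
                intervals.append((start, prev, key))
                start = s
            prev = s
        intervals.append((start, prev, key))
    return sorted(intervals)


def compare(flows, host_threshold_bps=100_000_000, prefix_threshold_bps=500_000_000):
    """Per-host thresholding (what a legacy detector does) versus per-/24 aggregation."""
    per_host = detect(flows, host_key, host_threshold_bps)
    per_24 = detect(flows, prefix_key(24), prefix_threshold_bps)
    return {
        "per_host_alerts": sorted(per_host),
        "per_24_alerts": sorted(per_24),
        "peak_distinct_hosts": distinct_targets_per_second(flows, 24),
        "timeline": target_timeline(per_24),
    }


if __name__ == "__main__":
    result = compare(build_sample_flows())
    print("per-host alerts:", result["per_host_alerts"])
    print("per-/24 alerts:", result["per_24_alerts"])
    for start, end, prefix in result["timeline"]:
        print(f"t={start}-{end}s: {prefix}")
```

With a 100 Mbps per-host threshold nothing fires, because each host receives only 4 Mbps; the per-/24 view sees 0.8 Gbps and 200 distinct targets per second and produces three intervals that alternate between the two prefixes. A real detector would run the same aggregation at several prefix lengths at once (/24, /22, /20), since the attacker chooses how widely to spread the traffic.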
Global Security Operations Center (SOC) through Managed Security Services (MSS) trends

At Nokia's global security operations centers, our telecom experts manage more than 360,000 incidents and triage more than 3,500 security issues, including more than 20 global critical incidents, across multiple SOCs in the APAC, EU+MEA and Americas regions. Our experts track hundreds of security incidents each month, while our EDR team monitors a similar volume every six months. This section covers the security trends these teams have uncovered.

Trends identified through telecom interface assessments and penetration testing

Our telecom security specialists evaluate CSP networks by emulating the tactics, techniques and procedures of threat actors, offering a hacker's perspective on an operational telecom environment. The following describes the key security trends and critical concerns our team has identified through in-depth analysis of CSP telecom nodes.

5G core network
Because Transport Layer Security (TLS) and OAuth 2.0 are not yet implemented in CSP networks, the basic 5G security principle of mutual authentication and token-based communication through the network repository function (NRF) is still a year away. For now, CSPs are focused on first building networks that meet basic requirements; enhancing security is a secondary priority.

5G roaming
Globally, very few CSPs have deployed the 5G security edge protection proxy (SEPP). This means that the legacy security issues of roaming over older technologies remain.

Interconnect (SS7/GTP/Diameter)
Gray areas remain even after an appropriate solution is implemented, which may be due to misconfiguration or missing signaling firewall features. These gray areas could allow certain attacks on subscribers and networks from a rogue roaming partner network; examples of tactics that may be possible include location tracking, Unstructured Supplementary Service Data (USSD) code fraud, call interception, tunnel hijacking and denial of service against network nodes.

Radio access network (RAN)
Remediating International Mobile Subscriber Identity (IMSI) catching in 5G can take a long time on the ground because old SIM cards cannot be updated with the applets needed for Subscription Concealed Identifier (SUCI) computation. The SIM cards must be replaced, which has a cost, and end users are generally unaware of the benefits of IMSI concealment, so it is not a priority for them. Weak or absent ciphering over the air interface is one of the security concerns legacy operators have still not addressed, due to handset capability issues and legal requirements in certain countries. The second most common concern is a fake base transceiver station (BTS) attached to a real core network. This threat persists because of the lack of mutual authentication between the RAN and core network access in LTE and 5G. Some operators have started using certificate-based IPsec to mitigate this risk, but there is still a long way to go. User plane integrity protection in 5G, which mitigates man-in-the-middle attacks, was also frequently
missing.

Open RAN (O-RAN)
The lack of IPsec for authentication and encryption on the fronthaul, midhaul and backhaul undermines Open RAN's core security features. Because these interfaces run over distinct transports, they create a false sense of security, leaving unprotected cell sites open to exploitation.

VoLTE/VoWiFi
Because of missing security hardening and a lack of suitable solutions, security issues such as billing fraud and caller ID spoofing still exist. Another significant issue is the lack of traffic separation, which can expose network nodes publicly and allow unauthorized access to them. Where VoIP traffic encryption is missing, whether for operational or financial reasons, user voice traffic can be intercepted.

Fixed-line networks
The fixed-line core network remains a top target for attackers because of missing traffic separation and insufficient hardening of CSP devices. Because of the routing definitions at the IP/transport nodes and the exposure of CSP devices outside the CSP's control, one enterprise became the target of several cyberattacks, including denial of service, caller ID faking, unauthorized takeover and unauthorized interception of calls.

Key findings from quarterly vulnerability assessment and penetration testing (VAPT)

Every quarter, our network vulnerability assessment and penetration testing (VAPT) experts provide scanning, analysis and remediation support covering, on average, more than 1,500 IP addresses per month. Some of the critical and high vulnerabilities identified include the following.

Protocol misconfiguration
Our team observed multiple protocol misconfigurations, for example in Secure Sockets Layer (SSL)/TLS deployments. Protocol misconfigurations can unintentionally expose weaknesses in network communication, potentially leading to unauthorized access, data breaches,
or service disruptions.
Potential impacts: Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks; man-in-the-middle attacks; denial of service (DoS) attacks; data interception.

Missing security patch updates
Vendors release fixes or updates to address known vulnerabilities or weaknesses in their products. When patches are not applied, systems remain exposed, and attackers can exploit the known vulnerabilities to gain unauthorized access, steal data or disrupt services. Patches should be applied promptly to avoid breaches and to preserve the confidentiality, integrity and availability of systems and data. About 90% of the vulnerabilities identified were due solely to security patches not being implemented in the network.
Potential impacts: increased vulnerability exploitation; malware infection; data breaches and an increased attack surface.

Using unsecured protocols
Our team observed the use of protocols such as FTP and HTTP. Unsecured protocols pose significant security risks, as data transmitted through them is vulnerable to interception, tampering and unauthorized access. Secure alternatives (SFTP or FTPS, and HTTPS) are recommended.
Potential impacts: man-in-the-middle attacks; unauthorized access; compliance concerns; data exposure and tampering.

Figure 9. Vulnerability classification among CSPs: missing security patches 93%; protocol misconfiguration 4%; other 2%; using unsecured protocols 1%.
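The protocol-misconfiguration and unsecured-protocol findings above are the kind of thing a configuration audit can catch before a scanner or an attacker does. As an added example (not the VAPT team's tooling), the Python below parses the TLS directives of an nginx-style server block and reports SSLv3 (the POODLE padding oracle), deprecated TLS 1.0/1.1, broken or non-forward-secret cipher suites, client-side cipher preference and a missing HSTS header, using a constructed weak configuration beside a hardened one. The directive names are nginx's; the hostnames and cipher lists are illustrative, and the check is syntactic (it does not connect to a server).

```python
"""Added example (not from the report): a small auditor for TLS settings in an
nginx-style server block, flagging the misconfigurations the VAPT findings
describe (SSLv3/POODLE, legacy TLS, weak ciphers, missing HSTS)."""
import re

# Constructed configurations for this example; hostnames and suites are illustrative.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name portal.example.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'RC4-SHA:DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name portal.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
"""

# One directive per line; the lazy match stops at the semicolon that ends the line.
DIRECTIVE_RE = re.compile(
    r'^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers|add_header)\s+(.*?);\s*$',
    re.MULTILINE,
)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Tokens (from OpenSSL suite names) that mark a suite as broken or export-grade.
WEAK_TOKENS = {"RC4", "RC2", "DES", "3DES", "NULL", "ANULL", "ENULL", "EXP", "EXPORT",
               "MD5", "IDEA", "SEED", "ADH", "AECDH"}


def audit_tls_config(text):
    """Return a list of (code, detail) findings; an empty list means nothing was found."""
    findings = []
    directives, hsts = {}, False
    for name, value in DIRECTIVE_RE.findall(text):
        if name == "add_header":
            hsts = hsts or value.lstrip().startswith("Strict-Transport-Security")
        else:
            directives[name] = value.strip().strip("'\"")

    protocols = directives.get("ssl_protocols", "").split()
    if not protocols:
        findings.append(("PROTO-DEFAULT", "ssl_protocols unset; the build default applies and must be verified"))
    if any(p in protocols for p in ("SSLv2", "SSLv3")):
        findings.append(("POODLE", "SSLv3/SSLv2 enabled: CBC padding oracle (POODLE) and protocol downgrade"))
    for p in ("TLSv1", "TLSv1.1"):
        if p in protocols:
            findings.append(("LEGACY-TLS", f"{p} enabled: deprecated, usable as a downgrade target"))

    for suite in filter(None, re.split(r"[:,\s]+", directives.get("ssl_ciphers", ""))):
        if suite[0] in "!-+" or suite.startswith("@"):
            continue  # exclusion and ordering keywords, not suites
        tokens = set(suite.upper().replace("CBC3", "3DES").split("-"))
        if tokens & WEAK_TOKENS:
            findings.append(("WEAK-CIPHER", f"{suite}: broken or export-grade algorithm"))
        elif not suite.startswith(("ECDHE", "DHE", "TLS_")):
            findings.append(("NO-PFS", f"{suite}: static key exchange, no forward secrecy"))

    legacy_enabled = LEGACY_PROTOCOLS & set(protocols)
    if directives.get("ssl_prefer_server_ciphers", "off") == "off" and legacy_enabled:
        findings.append(("CLIENT-CIPHER-PREF",
                         "client chooses the suite; a downgraded client can pick the weakest one offered"))
    if not hsts:
        findings.append(("NO-HSTS", "no Strict-Transport-Security header; first contact can be kept on plain HTTP"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for code, detail in audit_tls_config(cfg):
            print(f"  {code}: {detail}")
```

The weak block yields eight findings (POODLE, two legacy protocols, RC4 and 3DES suites, one non-PFS suite, client cipher preference, no HSTS); the hardened block yields none. Such a check belongs in the configuration pipeline of every externally reachable node, next to a scan that verifies what the running service actually negotiates.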
Top vulnerabilities and application security trends identified (AppSec)

On average, our application security experts perform more than 200 scans per year. The vulnerabilities identified included the following.

Broken authentication
Authentication is a critical component of web application security. A risk is created when specific endpoints within an application can be reached without authentication.

Session hijacking (session fixation)
In this form of session hijacking, the attacker forces the user's session identifier (e.g., a session ID or token) to a known value, typically by persuading the user to use an identifier the attacker supplies through a URL parameter or a malicious script. Once the user logs in with the manipulated identifier, the attacker can take over the session and gain unauthorized access to the user's account and sensitive information. Issuing a fresh session identifier at login prevents this.

Host header injection
Host header injection occurs when an attacker manipulates the Host header of an HTTP request to exploit weaknesses in a web server or application. Because this header names the domain being accessed, and applications often use it to build absolute URLs, altering it can trick the server into processing requests as if they were intended for another domain. This can lead to unauthorized access, data leakage (for example, password reset links that point at an attacker's host), cache poisoning, cross-site scripting (XSS) and server-side request forgery (SSRF).

Phishing attack susceptibility
Phishing attacks send fraudulent communications that appear to come from a reputable source, usually by email, in order to steal sensitive data such as credit card and login information or to install malware on the target's machine. Attackers may spoof sender addresses so their emails appear to come from a legitimate source, deceiving recipients into trusting the message. Missing or weak SPF, DKIM and DMARC policies make such spoofing easier.

Unencrypted communication
Unencrypted communication refers to the transmission
of data over a network or communication channel without any encryption to protect its confidentiality and integrity. Data transmitted in plaintext is vulnerable to interception, eavesdropping and manipulation by anyone with access to the network or communication medium.

Malicious file upload
The consequences of an unrestricted file upload vary: complete system takeover, an overloaded file system or database, attacks forwarded to backend systems, client-side attacks, or simple defacement. The outcome depends on what the application does with the uploaded file and where it stores it. If the uploaded file contains executable code and is run as part of a program, the application may execute the attacker's code; if the file is executed after upload, the server may be infected with a virus, malware or other malicious software.

Outdated and vulnerable components
Attackers can exploit outdated and vulnerable components or software used by applications. For example, old versions of jQuery contain an XSS vulnerability that is easy to exploit.

User enumeration
User enumeration is the discovery of valid usernames or user IDs through means such as predictable user IDs, differentiated error messages, insecure application programming interfaces (APIs) or directory listing vulnerabilities. Once attackers have enumerated valid usernames, they can attempt to exploit other weaknesses in the authentication process, such as weak passwords or insufficient session management controls.

Information disclosure
Information disclosure through error messages occurs when a web application inadvertently reveals sensitive information in its error responses. For example, web server disclosures and database errors can expose database types, versions and query details, and reveal the names, structure and contents of hidden directories.

Cross-origin resource sharing (CORS)
CORS is the browser mechanism through which a server relaxes the same-origin policy by declaring which origins are permitted to read its responses. A misconfiguration that reflects arbitrary origins, especially with credentials allowed, lets an attacker's site read authenticated responses, undoing the cross-origin protections that defend against data theft and cross-site request forgery (CSRF).
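Of the AppSec findings above, Host header injection is the one most often introduced by otherwise careful code, because frameworks will build absolute URLs from whatever Host (or X-Forwarded-Host) the client sends. The Python below is an added example, not from the report, showing a password-reset link builder in its vulnerable form beside a hardened one that normalizes the host (case, port suffix, trailing dot), rejects IP literals, ignores X-Forwarded-Host unless the deployment is known to sit behind a proxy that sets it, and checks the result against an allowlist. The allowlisted hostnames and the WSGI-style environ dictionary are assumptions for the example.

```python
"""Added example (not from the report): Host header injection in a password
reset flow, shown as the vulnerable link builder beside a hardened one that
validates the host against an allowlist."""
import re
from urllib.parse import quote

# Assumption for this example: the application is reachable only under these names.
ALLOWED_HOSTS = {"portal.example.com", "www.example.com"}
# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def reset_link_vulnerable(environ, token):
    """Builds the link from whatever the client sent. An attacker who requests a
    reset for the victim's address with 'Host: attacker.example' (or an
    X-Forwarded-Host header, which many setups honour blindly) gets the
    victim's token delivered to their own domain when the victim clicks."""
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ.get("HTTP_HOST", "")
    return f"https://{host}/reset?token={quote(token)}"


def canonical_host(environ, allowed=ALLOWED_HOSTS, trust_forwarded=False):
    """Return the validated hostname or raise ValueError.

    X-Forwarded-Host is used only when the app is known to sit behind a proxy
    that overwrites it (trust_forwarded=True), never merely because it is present.
    The value is lower-cased, stripped of a port suffix and trailing dot, then
    must be a syntactically valid hostname that is on the allowlist."""
    raw = environ.get("HTTP_HOST", "")
    if trust_forwarded and environ.get("HTTP_X_FORWARDED_HOST"):
        raw = environ["HTTP_X_FORWARDED_HOST"].split(",")[0]
    raw = raw.strip().lower()
    if raw.startswith("["):  # IPv6 literal: never a legitimate public name here
        raise ValueError("IP literal in Host header")
    hostname = raw.rsplit(":", 1)[0] if re.search(r":\d+$", raw) else raw
    hostname = hostname.rstrip(".")
    if not HOSTNAME_RE.match(hostname) or hostname not in allowed:
        raise ValueError(f"Host not allowed: {raw!r}")
    return hostname


def reset_link_hardened(environ, token):
    """Same link, but the authority part comes from the allowlist, not the client."""
    return f"https://{canonical_host(environ)}/reset?token={quote(token)}"


def handle_reset(environ, token, builder):
    """Simulates the reset endpoint: returns (status, link_or_none). A rejected
    Host is a 400, not a silent fallback, so the mail is never sent."""
    try:
        return 200, builder(environ, token)
    except ValueError:
        return 400, None


if __name__ == "__main__":
    attack = {"HTTP_HOST": "attacker.example"}
    print("vulnerable:", handle_reset(attack, "t0k3n", reset_link_vulnerable))
    print("hardened:  ", handle_reset(attack, "t0k3n", reset_link_hardened))
```

The allowlist is the important part: normalization alone still accepts "portal.example.com.attacker.example", which is a valid hostname the attacker controls. Most frameworks expose an equivalent setting (an allowed-hosts list or a configured canonical base URL); the vulnerability usually comes from leaving it empty or wildcarded.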
Security trends observed by Minimum Baseline Security Standards (MBSS)

Minimum Baseline Security Standards (MBSS) experts audit CSP networks and original equipment manufacturer (OEM) infrastructure and are developing new auditing controls. Although these controls are defined, there is a major gap in adoption, because network elements change regularly as deployments scale to meet demand. The baselines go beyond the traditional Center for Internet Security (CIS) benchmarks (which are not available for most telecom network elements) and are created in house by experts to provide a preventive analysis of hardening configurations.

Key trends from recent MBSS audits of telecom nodes include:
- use of unsecured protocols;
- missing security patches called for by the latest releases and security advisories;
- missing two-factor authentication and strong password policies;
- missing legal/corporate authorized-use banners on command line interface (CLI) servers.

About 9% of the audited CSP network controls remain noncompliant with the security standards; of these, nearly half relate to access management.

Table 3. Compliance and noncompliance among CSPs based on 3GPP and CIS benchmarks

Category                                         Compliant   Non-compliant
OS and platform configurations                        7           1
System security architecture                         11          N/A
Accountability                                       14           1
Access control                                       20           4
Business continuity plan and disaster recovery        9          N/A
Data security                                       N/A          N/A
Privacy                                               4          N/A
Legal and regulatory                                 15           1
Cloud computing                                     N/A          N/A
Mobile security                                     N/A          N/A
API security                                        N/A          N/A
Container security                                  N/A          N/A
Node specific                                         5           1
Total                                                85           8
Regulatory environment

Regulatory changes will drive new threat intelligence insights

As incident detection and reporting regulations tighten, mandatory disclosures will reveal new threat intelligence and security practices within CSPs and other critical entities in the years to come. This transparency will show the full scope of cyber threats, enabling operators to anticipate and counter attacks with precision. Mandating these reports is about more than compliance: it empowers operators to protect their systems and data better through collective threat intelligence. Navigating country-specific regulations improves security posture and yields significant savings through shared threat intelligence.

The following are some of the key regulations that have already taken effect and will affect threat intelligence collection.

Telecommunications (Security) Act 2021 (TSA): UK legislation whose security framework took effect in October 2022, covering telecom and service providers, hardware vendors and software developers. By March 2024, Tier 1 providers were required to roll out initial measures, such as alerting affected parties to security breaches and promptly notifying the Office of Communications (Ofcom), the UK's communications regulator. Noncompliance can lead to fines of up to 10% of turnover, and then £100,000 per day for continued noncompliance.

Telecom Security Regulations (TSR): Part of the UK TSA framework, the TSR recommend that operators implement a four-tiered approach to assessing the security posture of vendor products: a security declaration, spot checks on the implemented security processes for specific, independently chosen product releases, lab tests, and ongoing monitoring.

Executive Order 14028: Issued in the US in May 2021, this order compels network providers serving federal institutions to disclose cyber incidents and threats that may jeopardize government networks.

EU Cybersecurity Act (CSA): This 2019 act introduces an EU-wide cybersecurity certification framework for information and communications technology (ICT) products, services and processes. It also gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate to support the
214、 coordination of the EU in case of a major cross-border cyberattack.Noncompliance can lead to fines of 15 million,or 2.5%of annual revenue.NIS2 Directive:Revised in 2023,this EU legislation now extends the responsibilities of telecom companies in the realm of cybersecurity.Entities must integrate cy
215、ber risk management strategies,exchange cyber threat intelligence and adhere to rigorous reporting schedules for cyber incidents,with some reports due within 24 hours.Potential penalties for noncompliance amount to up to 2%of the companys annual turnover.Entities that fall under the scope of NIS2 mu
216、st comply with the regulation by April 17,2025.New security regulations are paving the wayMain findingsAbout this reportTelecom sector attack trendsDDoS attack trendsGlobal SOC through MSS trendsSpecial editionConclusionAbout Nokias security capabilitiesThreat Intelligence Report 202427Regulatory en
217、vironmentInfocomm Media Development Authority(IMDA)regulations:In Singapore,legislation establishes stringent quality of service(QoS)requirements for operators and requires the submission of regular reports on service quality.Operators found in breach of these telecom and postal QoS regulations are
218、subject to financial penalties that can amount to as much as$50,000 for each instance of noncompliance.Security of Critical Infrastructure Act 2022:In Australia,this legislation mandates that CSPs rigorously safeguard their telecom networks with a risk management program that is regularly reviewed a
219、nd updated.Additionally,critical infrastructure providers are required to discuss any proposed changes to their telecom systems with the government.Failure to comply can lead to civil penalties.Best regulatory practices for accelerating incident responseThe stakes of regulatory noncompliance are hig
220、h:fines,legal issues and reputational damage are just the tip of the iceberg.Regulatory frameworks are becoming increasingly stringent and more inclusive,especially for telecom infrastructure.Cybersecurity is a high international priority,and vendors are expected to share the measures they are imple
221、menting to deter threat actors.These new regulations focus not only on reducing attack risks but also on enhancing the quality of incident response.With significant incidents having to be reported to authorities within 24 hours,a threat intelligence platform can lay the groundwork for effective repo
222、rting by collecting real-time intelligence during incidents,triggering automated response plans,and promptly notifying the relevant authorities.There are two key steps CSPs can take to ensure they comply with regulations and minimize network disruptions during a cyberattack.First,CSPs should thoroug
223、hly research and understand the regulatory requirements of the country where they are based.Second,CSPs should leverage features and capabilities provided by relevant standards(e.g.,3GPP,ITU-T,ETSI,etc.)and customer reference installations.Software supply chain security|and the impact of regulations
With the scrutiny on software supply chain security intensifying, suppliers are now under pressure from an ever-growing list of regulatory demands. Global regulations are looming, and software suppliers are now on high alert as new requirements emerge to defend against attackers targeting widely used platforms. These regulations are not just guidelines but the last line of defense to protect governments and nations from devastating software supply chain attacks. CSPs must be ready before new rules come into effect:

US: Proposed bill H.R. 4611 from the Department of Homeland Security, known as the DHS Software Supply Chain Risk Management Act of 2021, aims to tighten the reins on software security. It will require US government software vendors to deliver software bills of materials, certify their vulnerability status and share plans for patching vulnerabilities as they emerge, ensuring a proactive stance on cybersecurity.

EU: Legislation is currently working its way through parliament to strengthen software security. In the interim, ENISA lays out essential guidelines for software vendors to elevate their security posture, including monitoring security vulnerabilities, maintaining an inventory of assets that includes patch-relevant information, and other measures.

Association of Southeast Asian Nations (ASEAN): Ten members are currently in planning mode and will not reveal their comprehensive set of cybersecurity regulations until 2025.

Outpacing regulatory pressures, CSPs must enhance their security operations with continuous assessments and optimized reporting to meet industry standards.

SPECIAL EDITION

Emerging cybersecurity trends and technologies

Exploring the future of security with emerging technologies and trends

Generative AI in security

Traditional security measures are no longer sufficient in the age of advanced threats. AI has the potential to transform cybersecurity by analyzing vast datasets and identifying critical patterns. Its role in security is essential, with generative AI offering unique advantages in advanced threat detection, rapid incident response, and comprehensive security management. According to an Omdia Industry Insight Report, when evaluating new products or services, 55% of telecom businesses consider it "very important" or "critical" that generative AI (GenAI) is part of the package. Predictably, those whose companies have or are currently incorporating GenAI into their cybersecurity strategies find the inclusion of GenAI particularly important. However, the report also found that insufficient knowledge is a barrier to GenAI adoption, which is holding some back from implementing this technology.

Figure 10. GenAI in cybersecurity adoption among CSPs
Question: Has your organization incorporated GenAI into its cybersecurity strategy? Base: All respondents (n=126)
Yes: 21%; In the process of doing so: 48%; No: 24%; Not sure: 7%
One in 5 respondents (21%) report their organization has already incorporated generative AI into their cybersecurity strategies. Another 48% report they are currently in the process of doing so. Making the move: 69% of respondents are shifting towards GenAI in cybersecurity (69% of telecoms businesses have incorporated, or are in the process of incorporating, generative AI into cybersecurity).

GSMA's 2023 network transformation survey reveals that 66% of operators see GenAI as transformative for network troubleshooting and predictive maintenance, while 44% believe its threat detection and mitigation capabilities will have the greatest impact on their business. This highlights a clear need to efficiently identify and neutralize cyber threats with minimal human error.

Figure 11. Perceived impact of GenAI among CSPs
Use of generative AI by operators: where do network decision-makers see the business impact? Question: How do you believe generative AI use cases will have the greatest impact on your business? (Top two choices, not ranked)
Network troubleshooting and predictive maintenance: 66%; Threat detection and mitigation: 47%; Personalized service creation: 28%; Increased data traffic demands from customers: 20%; Network planning and optimization: 19%; Customer care: 11%; Improved monetization of data assets: 7%; Improved internal software development velocity: 2%
A more holistic approach is needed: With 18% of operators having already commercially deployed generative AI (GenAI) solutions and 56% currently testing it, 2024 will be crucial for proving the value of GenAI's impact on telecoms. Network troubleshooting, predictive maintenance and threat detection/mitigation topped the expected benefits of GenAI by a large margin in our network transformation survey. However, while it is natural for network decision-makers to focus on network-related benefits, other use cases such as personalized service creation, data monetization and customer care need to be considered. This means that network teams (who may not see the full potential of GenAI) will need to plan and coordinate with service colleagues to help materialize the GenAI opportunities.
Source: GSMA Intelligence, Operators in Focus: Network Transformation Survey 2023

How threat actors are using GenAI for advanced attacks

Threat actors are increasingly using GenAI to mount sophisticated attacks faster and on a larger scale. Sophisticated phishing attacks and deepfakes using GenAI will more easily compromise telecom admins. Complex technology standards that were previously difficult to analyze and exploit are now within easy reach of even low-skilled attackers using GenAI. Coupled with the code-generation capabilities of GenAI, this will result in a new level of attacks against mission-critical telecommunication infrastructure that could previously only be achieved by nation states.
The role of GenAI in security teams

Operators are also using GenAI for defense. Within security operations centers, AI models play a pivotal role in identifying patterns that signal potential cyber threats, including malware, ransomware, and irregular network activity that conventional detection systems might overlook. GenAI assistants enhanced with knowledge of telecom-network architectures and telecom-specific threats can amplify the speed and quality of the security operations center response to an emergent threat. A variety of use cases can benefit, ranging from forensic analysis to guided response. This helps address the ever-growing skills gap for telecom security operations centers. GenAI assistants can also help automate the compliance reporting required by an ever-growing array of regulatory requirements.

By constantly learning from data, generative AI keeps up with new threats, reducing the chances of breaches and lessening their impact if they occur. Security teams benefit from detailed insights into how threats work. This helps them plan targeted responses and strengthen their defenses against future attacks. Another key benefit of GenAI is automating and streamlining security operations. This frees up human resources to focus on tackling more intricate challenges and reduces the risk of human error. Additionally, security protocols can be tailored by analyzing extensive data to predict and implement the most efficient measures for specific threat scenarios.

Balancing GenAI risks and rewards

While GenAI presents inherent risks, it also offers opportunities for proactive defense and resilience-building in the face of evolving cybersecurity challenges. With responsible AI usage and a commitment to data privacy, stakeholders across the landscape can collaborate and navigate these complexities to drive positive change in cybersecurity. Cybercriminals can use GenAI to automate the creation of sophisticated malware, evade detection systems, or launch targeted attacks with unprecedented precision. As this technology matures, hackers will increasingly exploit its capabilities for malicious purposes, and bad actors will refine their strategies to leverage this technology to their advantage. Security vendors must expedite the enhancement of their products' capabilities to effectively address emerging threats. Pairing GenAI with human security expertise can help level the playing field and strengthen defense strategies against evolving cyber threats.

The prospect of data poisoning poses an additional concern. Maliciously crafted inputs could corrupt the training process of GenAI models, leading to compromised security measures. Adopting robust security measures is essential for the safe deployment of GenAI and large language models (LLMs) in CSPs and enterprises to maximize the full capability of this emerging technology. Key security measures that help ensure safe deployment of GenAI and LLMs include:

- Sanitizing training data to prevent leaks
- Implementing strong user authentication
- Filtering outputs to ensure content safety

The rise of post-quantum cryptography

As quantum computers evolve, they pose significant risks to existing encryption technologies, rendering them obsolete. Quantum computers have the potential to perform calculations at speeds far beyond those of classical computers. This capability could enable cybercriminals to break public key-based encryption algorithms, making possible a new wave of cyber-attacks. One emerging threat is the "Store Now, Decrypt Later" (SNDL) attack, also known as "Harvest Now, Decrypt Later" (HNDL). In these attacks, cybercriminals steal encrypted data and store it, waiting for quantum computing capabilities to become accessible enough to decrypt it. This approach puts confidential data at significant risk of future exposure. As we approach Q-Day, the day a Cryptographically Relevant Quantum Computer (CRQC) becomes a reality, critical infrastructure providers' decision-makers must urgently assess and prioritize the most vulnerable parts of their networks.
Although the quantum era may seem distant, it is essential to implement countermeasures now. Even if customer data is secure today, it remains vulnerable to future unauthorized decryption. Post-quantum cryptography (PQC) is a range of advanced asymmetric algorithms designed to withstand the power of quantum computers. The goal of PQC is to develop cryptographic frameworks that protect against both quantum and classical computing threats while ensuring smooth integration with current communication protocols and network infrastructures.

The present mode of operation may not be as secure as we believe. Many cryptographic algorithms in use today have already been deprecated due to vulnerabilities, and their lack of quantum safety is just one aspect of their inadequacy. These outdated algorithms pose significant security risks in today's cyber threat landscape, even before considering the advancements in quantum computing.

The Global Risk Institute's 2023 Quantum Threat Timeline Report underscores the growing risk of a CRQC compromising RSA-2048, a commonly used public-key cipher. According to the report, there is up to an 11% likelihood that this encryption method could be rendered ineffective within the next five years. Within 10 years, this risk triples to over 31%.

Figure 12. Estimated timeline for a CRQC capable of breaking RSA-2048
2023 opinion-based estimates of the likelihood of a digital quantum computer able to break RSA-2048 in 24 hours, as a function of time. Range between the average of an optimistic (top value) or pessimistic (bottom value) interpretation of the likelihood intervals indicated by the respondents.

Within this many years from now | Optimistic interpretation | Pessimistic interpretation
5y   | 11% | 4%
10y  | 31% | 17%
15y  | 54% | 33%
20y  | 78% | 56%
25y* | not asked | not asked
30y  | 92% | 75%

*The 25-year timeframe was not explicitly considered in the questionnaire.
Source: Global Risk Institute's 2023 Quantum Threat Timeline Report, Executive Summary (January 2024), by Dr. Michele Mosca, Co-Founder & CEO, evolutionQ Inc., and Dr. Marco Piani, Senior Research Analyst, evolutionQ Inc.

In August 2024, the National Institute of Standards and Technology (NIST) announced the formal publication of its first PQC algorithms since the standardization process began in 2016. In this first set, three algorithms have been standardized: one for encryption, ML-KEM, formerly known as CRYSTALS-Kyber, and two for digital signatures, ML-DSA, formerly known as CRYSTALS-Dilithium, and SLH-DSA, formerly known as SPHINCS+.
While the standards themselves remain largely unchanged from the draft versions, NIST has made a key update by renaming the algorithms to reflect the specific versions included in the three finalized standards. Here's what's new:

Federal Information Processing Standard (FIPS) 203: This algorithm is the primary standard for general encryption. Based on the CRYSTALS-Kyber algorithm, it was renamed ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

FIPS 204: This algorithm is the primary standard for protecting digital signatures. Based on the CRYSTALS-Dilithium algorithm, it was renamed ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm.

FIPS 205: This algorithm (based on the SPHINCS+ algorithm) is also designed for digital signatures but is based on a different mathematical approach and serves as a backup method in case FIPS 204 (ML-DSA) proves vulnerable.

FIPS 206: Built around FALCON, this standard will be finalized in late 2024 and the algorithm will be renamed FN-DSA.

This is a groundbreaking development for PQC. With NIST's approval of these algorithms, they are set to become integral to industry standards (e.g., IETF, 3GPP) for internet, network, and data encryption. These PQC standards will play a crucial role in building quantum-safe networks and products.

In addition to algorithmic advancements, significant strides have been made in physics-based quantum-safe cryptography. Quantum security includes physics-based solutions like pre-shared keys with symmetric distribution and quantum-key distribution (QKD). QKD uses quantum properties to securely exchange encryption keys, ensuring that any attempt at eavesdropping alters the key and alerts the parties involved. These cutting-edge techniques offer a promising pathway to secure communications in the quantum era, complementing algorithmic solutions and enhancing overall cybersecurity resilience. By implementing a defense-in-depth approach (where additive network-layer quantum-safe cryptography complements application-layer quantum-safe cryptography), we can ensure our data remains protected even if one line is breached.

How the formalized PQC algorithms are relevant to standards

The next major step in standardization is integrating PQC algorithms into the public-key cryptographic protocols and digital certificate formats standardized by the Internet Engineering Task Force (IETF), such as Transport Layer Security (TLS), IPsec and X.509. The IETF has been addressing this, using draft NIST PQC standards from 2023, with a key challenge being the migration from traditional cryptography to PQC. Migration to PQC cannot happen overnight, as these algorithms may still have vulnerabilities. To address this, a hybrid approach is being explored where security protocols and certificates support both traditional cryptography and PQC. This ensures continued security even if one method fails. The IETF is using existing extension mechanisms rather than creating new versions. Once the IETF updates its RFCs for this hybrid approach, 3GPP will adopt these profiles.
ABI Research predicts that the PQC market will reach a valuation of $246 million by the end of 2024. As new algorithms are introduced and national guidelines are established, the demand for quantum-safe cryptography solutions is expected to soar, more than doubling to $530 million by 2028.

Why CSPs must prepare for quantum computing

Quantum computers are quickly moving from theory to reality, making this a crucial time for CSPs to begin the quantum security journey and prepare for HNDL attacks. Each day of delay in implementing quantum-resistant strategies could lead to future data exposure. A recent Deloitte survey of over 400 professionals revealed that more than half (50.2%) believe their organizations are at risk of HNDL attacks. The message is clear: the time to act is now, before the quantum threat becomes an unavoidable challenge.

Quantum threats are a concern for more than just companies using quantum computers. These threats can impact every industry and everyone they serve. As quantum technology advances, the risk of these attacks becomes increasingly real. CSPs must proactively address these risks to ensure data privacy and security for critical telecom infrastructures. This requires a proactive approach, leveraging both classical and quantum-safe networks through private and/or managed private networks and enhancing retail connectivity services with quantum-safe virtual private networks (VPNs). When it comes to quantum safety, there is no "one-size-fits-all" solution. It is necessary to adapt, scale, and evolve using a layered defense-in-depth approach to stay ahead of the threats.

Figure 13. Defense-in-depth approach
Start today with a layered approach: 1+1, 1+2, 1+N. The diagram shows the protocol stack ("Application" layer, IP layer, MPLS layer, Data link layer, Physical layer) protected at two levels:
- Application-layer cryptography: asymmetric crypto (PQC), mathematics-based key exchange, public key infrastructure, authentication and encryption
- Network-layer cryptography: symmetric crypto (PQC), physics-based key generation, key distribution (QKD, PSK), encryption only

Five steps to prepare for quantum threats

Proactive steps must be taken to safeguard data and infrastructure in the face of emerging quantum threats. Timelines and guidelines set by regulators will be crucial in accelerating investments toward a quantum-safe migration, underscoring the need for telecom operators to stay ahead of regulatory and technological advancements to maintain robust security measures.

1. Raise awareness of quantum risks within your team: Educate your team about the potential risks posed by quantum computing and the importance of quantum-safe cryptography in mitigating these threats.
2. Conduct comprehensive risk audits: Conduct thorough risk assessments to identify cryptographic vulnerabilities and establish a cryptographic bill of materials (CBOM). This includes discovering cryptographic inventories and managing certificates effectively.
3. Develop a strategic roadmap: Outline the plan and timeline for implementing quantum-safe solutions across your organization.
4. Implement quantum-safe solutions: Deploy quantum-safe solutions, starting with high-risk areas, to protect sensitive data and critical infrastructure.
5. Test and update regularly: Continuously test and update your security measures to ensure they remain effective against evolving quantum threats. Stay proactive and agile in adapting to new challenges and advancements in quantum technology.
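Step 2's cryptographic bill of materials is where the RSA-2048 exposure discussed above becomes concrete. The Go program below is an added illustration, not Nokia's or any vendor's code: it inventories the certificates in a PEM bundle with the standard-library crypto/x509 package, records the public-key algorithm and key size, flags weaknesses that are already a problem classically (RSA below 2048 bits, MD5/SHA-1 signatures) and marks every classical key as CRQC/HNDL-exposed. The three certificates it inspects are generated in memory as constructed input, and the hostnames are placeholders.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CBOMEntry is one row of a cryptographic bill of materials (CBOM) for an X.509
// certificate; the field names are this example's own, not a standard CBOM schema.
type CBOMEntry struct {
	Subject      string
	PublicKeyAlg string
	KeyBits      int
	QuantumSafe  bool     // false for every public-key algorithm crypto/x509 parses: all are classical
	Findings     []string // weaknesses that matter today, before any quantum consideration
}

// InventoryPEM parses every CERTIFICATE block in a PEM bundle and classifies it.
func InventoryPEM(bundle []byte) ([]CBOMEntry, error) {
	var entries []CBOMEntry
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys, CRLs and other PEM objects are not inventoried here
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		entries = append(entries, classify(cert))
	}
	if len(entries) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found in bundle")
	}
	return entries, nil
}

// classify records what a PQC migration plan needs to know about one certificate. RSA,
// ECDSA and Ed25519 are all classical (CRQC/HNDL exposure), so QuantumSafe stays false.
func classify(cert *x509.Certificate) CBOMEntry {
	e := CBOMEntry{Subject: cert.Subject.CommonName, PublicKeyAlg: cert.PublicKeyAlgorithm.String()}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		e.KeyBits = k.N.BitLen()
		if e.KeyBits < 2048 {
			e.Findings = append(e.Findings, fmt.Sprintf("RSA-%d is below the 2048-bit classical floor", e.KeyBits))
		}
	case *ecdsa.PublicKey:
		e.KeyBits = k.Curve.Params().BitSize
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		e.Findings = append(e.Findings, "signature uses a deprecated hash: "+cert.SignatureAlgorithm.String())
	}
	return e
}

// selfSigned creates a throwaway self-signed certificate for the constructed sample bundle.
func selfSigned(cn string, priv crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ConstructedBundle generates three sample certificates in memory (constructed input, not
// real CSP certificates; placeholder names): RSA-2048, ECDSA P-256 and a weak RSA-1024.
func ConstructedBundle() ([]byte, error) {
	rsa2048, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ecP256, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsa1024, err3 := rsa.GenerateKey(rand.Reader, 1024)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("sample key generation failed")
	}
	names := []string{"core-api.example", "oss-portal.example", "legacy-nms.example"}
	var bundle []byte
	for i, key := range []crypto.Signer{rsa2048, ecP256, rsa1024} {
		p, err := selfSigned(names[i], key)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}
```

Pointing InventoryPEM at a real CA bundle or exported server certificate chain gives the certificate portion of a CBOM; the QuantumSafe flag only becomes true once the parser and the PKI actually carry ML-DSA or SLH-DSA certificates.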
How CSPs are tackling cybersecurity challenges

Drivers behind CSPs' security strategies

Understanding and addressing risks from the evolving cyber threat landscape is the most important factor in shaping security strategies for telecom operators. Government regulations play a pivotal role, as compliance is now seen as a baseline requirement rather than a competitive edge. Meeting these regulatory standards is essential for telecom operators, but according to 34% of CSP respondents, it's the proactive management of emerging threats that truly sets the stage.

Figure 14. Most important factors driving CSPs' security strategy
Risks arising from changes in the cyber threat landscape: 35%; Government regulation: 24%; Risks introduced with cloud-native network transformation: 22%; Customer demand: 19%
Source: TM Forum, 2023

Effective risk management shapes spending decisions

Survey findings reveal that risk management is revolutionary in how CSPs allocate their cybersecurity budgets. Over 60% of respondents ranked risk management as a top priority, surpassing the 50% who focused on regulatory compliance. This underscores the growing recognition that effectively identifying and mitigating risks is crucial not just for compliance but for robust security and operational resilience. As threats become more sophisticated and regulations tighten, prioritizing risk management allows CSPs to proactively address vulnerabilities and protect their assets.

Figure 15. Most important factors for CSPs in prioritizing security spending
Risk management: 62%; Regulatory compliance: 51%; The organization's own experience of breaches: 35%; Cost: 18%; The direction of the business and its supporting IT requirements: 33%; The organization's learnings from other breaches: 15%
Source: TM Forum, 2023

Top three insights and trends from the TM Forum report

CSPs are transforming their cybersecurity strategies, and the Chief Information Security Officer (CISO) role is evolving to cover both enterprise and IT networks. Insights from the 2023 Nokia-commissioned TM Forum report, Cybersecurity strategies: Risk management moves firmly into the telco spotlight, include that 71% of respondents said their organization has a single CISO or CSO across both enterprise IT and network domains. For example, the CISOs of Telefónica, KPN and Telus all have responsibility across both domains today.

24/7 threat monitoring is lacking

When it comes to cyber threat monitoring, detection, and response, telecom infrastructure often lags behind enterprise IT environments in terms of investment and advancement. Threat monitoring is crucial for a resilient telecom infrastructure because it reduces insider threats and enhances data protection. By gaining full visibility into data access and usage across their networks, telecom operators can better defend against both internal and external threats. Enforcing stringent data protection policies helps prevent sensitive information from being compromised.

Figure 16. CSP investment priorities for extended detection and response (XDR) and security orchestration, automation and response (SOAR)
High: 51%; Medium: 40%; Low: 7%; Not a priority at all: 2%
Source: TM Forum, 2023

Conclusion

In 2023 and 2024, the telecom sector grappled with a diverse range of cyber threats across different regions. In North America, advanced techniques like ransomware, potentially state-sponsored, targeted data theft and service disruption. East Asia faces significant data leaks due to inadvertent exposures by companies themselves, while Western Europe contends with a mix of cyber espionage and financially motivated breaches, reflecting a complex threat landscape.

DDoS attacks are growing in both scale and sophistication. In 2024, 13% of carpet-bombing DDoS attacks targeted 256 or more IP addresses, with 2.8% hitting 1,024 or more. Botnets, which accounted for about 60% of DDoS traffic observed by Nokia Deepfield, continue to be a major driver. The use of AI, automation and residential proxies has become more prominent, reflecting a rise in attack sophistication.

Emerging technologies bring both opportunities and challenges. Generative AI enables faster, more sophisticated attacks, while CSPs are using the same technology to improve their response times and effectiveness. Additionally, quantum computing poses a significant risk to critical networks. ABI Research forecasts that the PQC market will be valued at $246 million by the end of 2024. This underscores the urgent need for advanced, quantum-safe solutions to protect sensitive data and infrastructure. Staying ahead of these evolving threats requires continual adaptation and strategic foresight.
Abbreviations

AppSec: Application security assessment
BSS: Business support system
CIS: Center for Internet Security
CRQC: Cryptographically Relevant Quantum Computer
CSP: Communications service provider
DDoS: Distributed denial-of-service
EDR: Endpoint detection and response
GTPDOOR: New telecom-oriented malware
MSS: Managed Security Services
NE: Network element
OSS: Operations support system
PAM: Privileged access management
PQC: Post-quantum cryptography
SBA: Service-based architecture
SIEM: Security information and event management
SOAR: Security orchestration, automation, and response
STIX: Structured Threat Information eXpression
TAXII: Trusted Automated eXchange of Indicator Information
TCP: Transmission control protocol
TPT: Telecom penetration testing
TLS: Transport layer security
VAPT: Vulnerability assessment and penetration testing

About Nokia's security capabilities

Nokia has a team of highly experienced analysts with extensive expertise in threat intelligence for the telecom industry. These analysts use the latest tactics, techniques and procedures to analyze and prevent cyber threats. We also offer a broad range of security products and services to help CSPs identify threats quickly, stop them automatically and take fast remediation actions when needed so they can protect their networks from degradation and deliver on their service-level agreements.

Nokia Deepfield Defender uses AI-driven big data and real-time analytics with detailed network context (Deepfield Genome) to monitor, recognize and stop DDoS attacks. The Nokia anti-DDoS solution provides 360-degree protection against inbound (external, from the internet) and outbound (internal, from hijacked or malicious devices within a network) DDoS threats, from volumetric to application-layer attacks. With broad expertise and deep experience handling DDoS attacks, the Nokia Deepfield Emergency Response Team of security experts can help service providers minimize the effects of DDoS on their services and customers.

Nokia's Managed Security Services (MSS) global security intelligence and operations centers (SIOCs) manage the security of multiple telecom networks 24/7 to rapidly prevent and stop threats. Nokia MSS SIOCs conduct preventative and reactive operational activities, protecting networks serving hundreds of millions of subscribers around the globe. The comprehensive views of critical security incidents, application security trends and VAPT trends are based on observations across global networks.

Nokia quantum-safe networks (QSN) employ a defense-in-depth approach to deliver quantum-safe security at multiple layers through multi-layered cryptography. Nokia QSNs can adapt to individual business and use case needs and give CSPs the confidence to securely scale their quantum deployments. Together with Nokia Bell Labs, the Nokia QSN team is shaping the future of quantum-safe network solutions.

Nokia Cybersecurity Consulting, part of Nokia's Advanced Consulting Services, brings deep 3G, 4G and 5G security expertise to help CSPs assess their security risks, processes and designs so they can secure their network and services with acceptable risks. With one of the world's only end-to-end 5G security capabilities based on in-house research and products, the team guides critical infrastructure providers to navigate the challenges and opportunities presented by global cybersecurity regulations.

Nokia NetGuard security solutions are designed with real-world applications in mind. This end-to-end security products portfolio includes use-case-driven technologies that are effective at blocking threats in security operations centers, such as the NetGuard XDR Security Operations suite, including NetGuard Cybersecurity Dome, NetGuard Endpoint Detection and Response, NetGuard Identity Access Manager, NetGuard Audit Compliance Manager and NetGuard Certificate Manager.

About Nokia

At Nokia, we create technology that helps the world act together. As a B2B technology innovation leader, we are pioneering networks that sense, think and act by leveraging our work across mobile, fixed and cloud networks. In addition, we create value with intell
324、ectual property and long-term research,led by the award-winning Nokia Bell Labs.Service providers,enterprises and partners worldwide trust Nokia to deliver secure,reliable and sustainable networks today and work with us to create the digital services and applications of the future.Nokia is a registered trademark of Nokia Corporation.Other product and company names mentioned herein may be trademarks or trade names of their respective owners.2024 Nokia Nokia OYJ Karakaari 7 02610 Espoo FinlandTel.+358(0)10 44 88 000CID:214202(September)