| ID | Name |
|---|---|
| T1430.001 | Remote Device Management Services |
| T1430.002 | Impersonate SS7 Nodes |

Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.[1][2][3][4][5]

By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.[1]

| ID | Mitigation | Description |
|---|---|---|
| M1014 | Interconnection Filtering | Filtering requests by checking request origin information may provide some defense against spurious operators.[7] |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0662 | Detection of Impersonate SS7 Nodes | AN1753 | Defender observes anomalous signaling network queries targeting subscriber information associated with a device, including unexpected routing requests, location information exchanges, or node-origin inconsistencies indicative of SS7 signaling abuse. [5] The CSRIC also suggests threat information sharing between telecommunications industry members. |
| | | AN1754 | Defender observes anomalous signaling interactions involving subscriber identity or location resolution events associated with a device, including abnormal routing requests, unexpected location information exchanges, or signaling node inconsistencies indicative of SS7 abuse. [5] The CSRIC also suggests threat information sharing between telecommunications industry members. |