Cellular Internet of Things Security
Bernardo Flores
Dissertation for the degree of Philosophiae Doctor (PhD)
Department of Computer Science
Faculty of Technology, Art and Design
OsloMet – Oslo Metropolitan University
Spring 2023

Threat Modelling for 5G networks

Abstract—The new fifth generation (5G) mobile cellular network brings enhanced mobile broadband, massive machine type communication (e.g. IoT), critical machine type communication and fixed wireless access, and will accommodate new services and applications such as augmented reality and seamless streaming for all. 5G strengthens security with encrypted data, segmented networks (network slices), enhanced privacy and user authentication, but its success may also attract attackers looking for vulnerabilities, exploits or eavesdropping opportunities. The increase in connected devices creates more targets and a larger attack surface, so attacks on vital connected systems could become more chaotic and consequential. The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework attempts to provide a comprehensive overview of the methods (Techniques) by which an attacker can achieve various operational objectives (Tactics). However, techniques specific to mobile networks are not covered by the current MITRE ATT&CK matrices. This paper proposes to extend the ATT&CK framework with adversarial tactics and techniques tailored to the mobile network infrastructure: the CONCORDIA Mobile Threat Modelling Framework (CMTMF).

Keywords—mobile security, cyber security, threat modelling, threat intelligence

I. INTRODUCTION

With the global digital transformation accelerated by the pandemic, cyber-attacks on governmental and commercial organizations as well as private individuals are increasing both in number and in sophistication. Signature-based intrusion detection using Indicators of Compromise (IoCs) is no longer sufficient to protect against zero-day attacks or Advanced Persistent Threats (APTs).
In fact, IoCs are forensic data gathered from, and shared by, systems that have already been breached; they are therefore of limited use in detecting new and sophisticated cyber-attacks. To complement IoCs, it is essential to understand the behaviour of the attacker, i.e. the actor responsible for the attack and its tactics, techniques and procedures (TTPs). Consequently, a sound and efficient threat modelling framework is urgently needed, especially for virtualized 5G networks.

MITRE ATT&CK [1] is currently one of the most popular threat modelling frameworks and provides a solid foundation for the description and analysis of cyber threats to enterprise networks and mobile devices. Unfortunately, it addresses neither 5G networks nor mobile networks in general. Because of the softwarization of mobile networks and their reliance on Web technologies, 5G networks are not only subject to the same cyber threats as regular enterprise networks but are also exposed to the threats that come with providing connectivity to billions of IoT devices, ranging from primitive sensors to advanced medical equipment that requires ultra-reliable, low-latency connections. Potential attackers of 5G networks have different behaviours, tactics and techniques, which require extensions to the current MITRE ATT&CK framework. The BHADRA framework [9] was the first attempt to extend the MITRE ATT&CK framework to mobile networks; it highlights the need for modelling threats in mobile networks but is unfortunately too simple and incompatible with the mainstream MITRE ATT&CK framework. To address this urgent need in mobile networks, and 5G networks in particular, this work proposes and develops the CONCORDIA Mobile Threat Modelling Framework (CMTMF), a compatible combination of the Enterprise, Mobile and ICS (Industrial Control Systems) matrices of the MITRE ATT&CK framework.
The work also includes an implementation of the CMTMF in MISP (Malware Information Sharing Platform) [10], an open-source threat intelligence platform.

II. THREATS IN 5G NETWORKS

Threats in 5G can be classified along two dimensions. The first dimension covers threats to the mobile network itself. The second dimension gathers all threats related to the virtualization of the mobile network, i.e. issues arising from hosting virtual Network Functions (vNFs) in the cloud. Since the threats in the second dimension can be adequately modelled with the MITRE ATT&CK Enterprise and Cloud matrices, this work focuses only on threats in the first dimension. At a high level, a 5G network is exposed at the entry points shown in Figure 1:

Figure 1 Cyber-attack entry points for a 5G network

Bernardo Santos OsloMet – Oslo Metropolitan University
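To make the two construction steps described in the introduction concrete (combining the Enterprise, Mobile and ICS matrices into one compatible matrix, then loading the result into MISP), here is an added Python example; it is not the CMTMF's own code and does not contain the CMTMF technique list. It merges a constructed handful of ATT&CK-style entries by technique name, so that a technique present in two matrices under different IDs (Valid Accounts is T1078 in Enterprise and T0859 in ICS) becomes one entry that keeps every source ID and the union of its tactics, and it renders the result in the JSON layout of a MISP galaxy cluster as used by the stock mitre-attack-pattern galaxy. The sample entries, the galaxy name and type, the UUID namespace and the attack_ids meta key are assumptions of the example.

```python
"""Added example: merge ATT&CK-style matrices into one tactic/technique matrix and
emit it as a MISP galaxy cluster.  Not the CMTMF's own code or technique list."""
import json
import uuid

# Constructed sample entries in the style of the public ATT&CK Enterprise, Mobile and
# ICS matrices (a hypothetical subset for illustration, not the CMTMF technique set).
SAMPLE_MATRICES = {
    "enterprise": [
        {"id": "T1078", "name": "Valid Accounts", "tactics": ["initial-access", "persistence"]},
        {"id": "T1190", "name": "Exploit Public-Facing Application", "tactics": ["initial-access"]},
    ],
    "mobile": [
        {"id": "T1461", "name": "Lockscreen Bypass", "tactics": ["initial-access"]},
        {"id": "T1417", "name": "Input Capture", "tactics": ["collection", "credential-access"]},
    ],
    "ics": [
        {"id": "T0859", "name": "Valid Accounts", "tactics": ["lateral-movement", "persistence"]},
        {"id": "T0883", "name": "Internet Accessible Device", "tactics": ["initial-access"]},
    ],
}

# Hypothetical namespace for deriving stable UUIDv5 values, so that re-exporting the
# cluster keeps the same identifiers (MISP correlates galaxy clusters by UUID).
GALAXY_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/cmtmf-galaxy")


def merge_matrices(matrices):
    """Merge several ATT&CK-style matrices into one, keyed by normalised technique name.

    A technique that appears in more than one matrix becomes a single entry that keeps
    every source ID and the union of the tactics it maps to.  Returns name -> entry.
    """
    merged = {}
    for matrix, techniques in matrices.items():
        for tech in techniques:
            key = tech["name"].strip().casefold()
            entry = merged.setdefault(
                key, {"name": tech["name"].strip(), "sources": {}, "tactics": set()}
            )
            entry["sources"][matrix] = tech["id"]
            entry["tactics"].update(tech["tactics"])
    # Freeze the tactic sets into sorted lists: deterministic and JSON-serialisable.
    for entry in merged.values():
        entry["tactics"] = sorted(entry["tactics"])
    return merged


def tactic_view(merged):
    """Columns of the combined matrix: tactic -> sorted technique names."""
    view = {}
    for entry in merged.values():
        for tactic in entry["tactics"]:
            view.setdefault(tactic, []).append(entry["name"])
    return {tactic: sorted(names) for tactic, names in sorted(view.items())}


def to_misp_galaxy(merged, galaxy_name="CMTMF example"):
    """Render the merged matrix as a MISP galaxy cluster.

    Top-level keys and the values[].meta.kill_chain convention follow the public
    mitre-attack-pattern cluster shipped with MISP; the "attack_ids" meta key is an
    assumption of this example (MISP accepts arbitrary meta keys).
    """
    values = []
    for entry in sorted(merged.values(), key=lambda e: e["name"]):
        sources = sorted(entry["sources"].items())
        values.append({
            "uuid": str(uuid.uuid5(GALAXY_NAMESPACE, entry["name"])),
            "value": entry["name"],
            "description": "Merged from: " + ", ".join(f"{m}:{i}" for m, i in sources),
            "meta": {
                "attack_ids": [i for _, i in sources],
                "kill_chain": [f"cmtmf-example:{t}" for t in entry["tactics"]],
            },
        })
    return {
        "name": galaxy_name,
        "type": "cmtmf-example-attack-pattern",  # hypothetical galaxy type
        "category": "attack-pattern",
        "description": "Example merged attack-pattern cluster (constructed).",
        "source": "added example, not the CMTMF's own cluster",
        "uuid": str(uuid.uuid5(GALAXY_NAMESPACE, galaxy_name)),
        "version": 1,
        "authors": ["example"],
        "values": values,
    }


if __name__ == "__main__":
    merged = merge_matrices(SAMPLE_MATRICES)
    print(json.dumps(tactic_view(merged), indent=2))
    print(json.dumps(to_misp_galaxy(merged), indent=2))
```

Run directly, the script prints the tactic columns of the combined matrix followed by the cluster JSON. Keying the merge on the technique name rather than the ID is what makes the combination "compatible": the original Enterprise, Mobile and ICS identifiers survive in the cluster metadata, so events tagged with either source ID still correlate to the same merged entry once the constructed entries are replaced with the real technique set.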