fight.yaml

case-studies: []
data sources:
- description: Computer software that provides low-level control for the hardware
    and device(s) of a host, such as BIOS or UEFI/EFI
  id: DS0001
  name: Firmware
  object-type: data source
  techniques: []
- description: A profile representing a user, device, service, or application used
    to authenticate and access resources
  id: DS0002
  name: User Account
  object-type: data source
  techniques:
  - FGT1078.003
  - FGT1078.004
  - FGT1020.001
- description: 'Automated tasks that can be executed at a specific time or on a recurring
    schedule running in the background (ex: Cron daemon, task scheduler, BITS)'
  id: DS0003
  name: Scheduled Job
  object-type: data source
  techniques: []
- description: Information obtained (via shared or submitted samples) regarding malicious
    software (droppers, backdoors, etc.) used by adversaries
  id: DS0004
  name: Malware Repository
  object-type: data source
  techniques: []
- description: The infrastructure for management data and operations that enables
    local and remote management of Windows personal computers and servers
  id: DS0005
  name: WMI
  object-type: data source
  techniques: []
- description: Credential material, such as session cookies or tokens, used to authenticate
    to web applications and services
  id: DS0006
  name: Web Credential
  object-type: data source
  techniques:
  - FGT5034
- description: A single file used to deploy a virtual machine/bootable disk into an
    on-premise or third-party cloud environment
  id: DS0007
  name: Image
  object-type: data source
  techniques:
  - FGT5039
  - FGT1014
  - FGT1542.501
- description: A computer program, at the core of a computer OS, that resides in memory
    and facilitates interactions between hardware and software components
  id: DS0008
  name: Kernel
  object-type: data source
  techniques:
  - FGT1014
  - FGT1542.501
  - FGT1587.004
- description: Instances of computer programs that are being executed by at least
    one thread. Processes have memory space for process executables, loaded modules
    (DLLs or shared libraries), and allocated memory regions containing everything
    from user input to application-specific data structures
  id: DS0009
  name: Process
  object-type: data source
  techniques:
  - FGT1611
  - FGT1014
  - FGT1542.501
  - FGT1072
  - FGT1611.501
  - FGT1040
- description: Data object storage infrastructure hosted on-premise or by third-party
    providers, made available to users through network connections and/or APIs
  id: DS0010
  name: Cloud Storage
  object-type: data source
  techniques:
  - FGT5034
- description: Executable files consisting of one or more shared classes and interfaces,
    such as portable executable (PE) format binaries/dynamic link libraries (DLL),
    executable and linkable format (ELF) binaries/shared libraries, and Mach-O format
    binaries/shared libraries
  id: DS0011
  name: Module
  object-type: data source
  techniques: []
- description: A file or stream containing a list of commands, allowing them to be
    launched in sequence
  id: DS0012
  name: Script
  object-type: data source
  techniques: []
- description: Information from host telemetry providing insights about system status,
    errors, or other notable functional activity
  id: DS0013
  name: Sensor Health
  object-type: data source
  techniques:
  - FGT1542.501
  - FGT1195
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1498.502
  - FGT1195.003
- description: A single unit of shared resources within a cluster, comprised of one
    or more containers
  id: DS0014
  name: Pod
  object-type: data source
  techniques:
  - FGT5013
  - FGT5014
- description: Events collected by third-party services such as mail servers, web
    applications, or other appliances (not by the native OS or platform) Data sources
    with information about the set of devices found within the network, along with
    their current software and configurations
  id: DS0015
  name: Application Log
  object-type: data source
  techniques:
  - FGT1199.501
  - FGT5002
  - FGT5003
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT5039
  - FGT5005
  - FGT5007
  - FGT5008
  - FGT5011
  - FGT1600.501
  - FGT1072
  - FGT5013
  - FGT5014
  - FGT1611.501
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1040
  - FGT1555.501
  - FGT5016
  - FGT1557.502
  - FGT5027
  - FGT5028
  - FGT1557.503
  - FGT5012.005
  - FGT5020
  - FGT5032.002
  - FGT5032.003
  - FGT5019.003
  - FGT5009.001
  - FGT1499
  - FGT1499
  - FGT1048.003
  - FGT5009.002
  - FGT1600.502
  - FGT5029
  - FGT5037
  - FGT5036
- description: A non-volatile data storage device (hard drive, floppy disk, USB flash
    drive) with at least one formatted partition, typically mounted to the file system
    and/or assigned a drive letter
  id: DS0016
  name: Drive
  object-type: data source
  techniques: []
- description: A directive given to a computer program, acting as an interpreter of
    some kind, in order to perform a specific task
  id: DS0017
  name: Command
  object-type: data source
  techniques:
  - FGT1021
  - FGT5014
  - FGT1040
  - FGT1020.001
  - FGT1048.501
- description: 'A network security system, running locally on an endpoint or remotely
    as a service (ex: cloud environment), that monitors and controls incoming/outgoing
    network traffic based on predefined rules'
  id: DS0018
  name: Firewall
  object-type: data source
  techniques:
  - FGT1498.501
  - FGT1583.508
- description: A computer process that is configured to execute continuously in the
    background and perform system tasks, in some cases before any user has logged
    in
  id: DS0019
  name: Service
  object-type: data source
  techniques:
  - FGT1014
  - FGT1542.501
- description: A malicious online profile representing a user commonly used by adversaries
    to social engineer or otherwise target victims
  id: DS0021
  name: Persona
  object-type: data source
  techniques: []
- description: A computer resource object, managed by the I/O system, for storing
    data (such as images, text, videos, computer programs, or any wide variety of
    other media).
  id: DS0022
  name: File
  object-type: data source
  techniques:
  - FGT1014
  - FGT1542.501
  - FGT1195
  - FGT1020.001
  - FGT5032.002
  - FGT5032.003
  - FGT1195.002
  - FGT1195.003
- description: Mechanisms that allow inter-process communication locally or over the
    network. A named pipe is usually found as a file and processes attach to it
  id: DS0023
  name: Named Pipe
  object-type: data source
  techniques: []
- description: A Windows OS hierarchical database that stores much of the information
    and settings for software programs, hardware devices, user preferences, and operating-system
    configurations
  id: DS0024
  name: Windows Registry
  object-type: data source
  techniques: []
- description: Infrastructure, platforms, or software that are hosted on-premise or
    by third-party providers, made available to users through network connections
    and/or APIs
  id: DS0025
  name: Cloud Service
  object-type: data source
  techniques:
  - FGT5032.002
  - FGT5032.003
  - FGT5034
- description: A database and set of services that allows administrators to manage
    permissions, access to network resources, and stored data objects (user, group,
    application, or devices)
  id: DS0026
  name: Active Directory
  object-type: data source
  techniques: []
- description: A computer program that operates or controls a particular type of device
    that is attached to a computer. Provides a software interface to hardware devices,
    enabling operating systems and other computer programs to access hardware functions
    without needing to know precise details about the hardware being used
  id: DS0027
  name: Driver
  object-type: data source
  techniques: []
- description: Logon occurring on a system or resource (local, domain, or cloud) to
    which a user/device is gaining access after successful authentication and authorizaton
  id: DS0028
  name: Logon Session
  object-type: data source
  techniques:
  - FGT5039
  - FGT1078.003
  - FGT1021
  - FGT1078.004
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1020.001
  - FGT1555.501
  - FGT5029
  - FGT5037
  - FGT5036
- description: 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.),
    that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable
    format (ex: PCAP)'
  id: DS0029
  name: Network Traffic
  object-type: data source
  techniques:
  - FGT1199.501
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT5039
  - FGT5005
  - FGT1014
  - FGT1542.501
  - FGT1600.501
  - FGT5021
  - FGT1021
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1020.001
  - FGT1555.501
  - FGT1018
  - FGT1046
  - FGT1599
  - FGT1557.502
  - FGT1557.503
  - FGT1565.002
  - FGT1565.002
  - FGT1565.002
  - FGT1572
  - FGT5009
  - FGT5009.001
  - FGT1499
  - FGT1499
  - FGT1048.003
  - FGT1048
  - FGT5009.002
  - FGT1600.502
  - FGT5029
  - FGT1572.501
  - FGT5031
  - FGT1498.503
  - FGT1599.505
  - FGT5012.008
  - FGT5019.005
  - FGT1200
  - FGT1048.501
- description: A virtual server environment which runs workloads, hosted on-premise
    or by third-party cloud providers
  id: DS0030
  name: Instance
  object-type: data source
  techniques: []
- description: A set of containerized computing resources that are managed together
    but have separate nodes to execute various tasks and/or applications
  id: DS0031
  name: Cluster
  object-type: data source
  techniques: []
- description: A standard unit of virtualized software that packages up code and all
    its dependencies so the application runs quickly and reliably from one computing
    environment to another
  id: DS0032
  name: Container
  object-type: data source
  techniques:
  - FGT1611
  - FGT5007
  - FGT5013
  - FGT5014
  - FGT1611.501
- description: A storage resource (typically a folder or drive) made available from
    one host to others using network protocols, such as Server Message Block (SMB)
    or Network File System (NFS)
  id: DS0033
  name: Network Share
  object-type: data source
  techniques: []
- description: Block object storage hosted on-premise or by third-party providers,
    typically made available to resources as virtualized hard drives
  id: DS0034
  name: Volume
  object-type: data source
  techniques:
  - FGT1611
  - FGT1611.501
- description: Information obtained (commonly via active network traffic probes or
    web crawling) regarding various types of resources and servers connected to the
    public Internet
  id: DS0035
  name: Internet Scan
  object-type: data source
  techniques: []
- description: A collection of multiple user accounts that share the same access rights
    to the computer and/or network resources and have common security rights
  id: DS0036
  name: Group
  object-type: data source
  techniques: []
- description: A digital document, which highlights information such as the owner's
    identity, used to instill trust in public keys used while encrypting network communications
  id: DS0037
  name: Certificate
  object-type: data source
  techniques:
  - FGT5034
- description: 'Information obtained (commonly through registration or activity logs)
    regarding one or more IP addresses registered with human readable names (ex: mitre.org)'
  id: DS0038
  name: Domain Name
  object-type: data source
  techniques: []
- description: Monitoring ability to detect new ports, devices on the network
  id: DS0039
  name: Asset
  object-type: data source
  techniques:
  - FGT1040
  - FGT1200
- description: Operational databases contain information about the status of the operational
    process and associated devices, including any measurements, events, history, or
    alarms that have occurred
  id: DS0040
  name: Operational Databases
  object-type: data source
  techniques:
  - FGT5018
  - FGT5018.002
- description: RF spectrum monitoring equipment, optionally including direction finding
    and geolocation
  id: FGDS5001
  name: RF Spectrum Monitor
  object-type: data source
  techniques:
  - FGT5035
- description: UE measurements of received power levels from all base stations nearby.
    Report to operator gNB radio signals (sent to all UEs to enable them to select
    gNB and connect) received at a given UE
  id: FGDS5002
  name: UE signal measurements
  object-type: data source
  techniques:
  - FGT1557.501
  - FGT5012.006
  - FGT1583.501
  - FGT1608.501
  - FGT5012.007
  - FGT1642.501
- description: Audit charging system records for anomaly
  id: FGDS5003
  name: Charging anomaly
  object-type: data source
  techniques:
  - FGT5021
  - FGT5023
- description: Scan voice calls for certain amount of losses to detect if the call
    is made over internet (IP)
  id: FGDS5004
  name: Scan voice calls
  object-type: data source
  techniques: []
- description: Keep track of SIM cards with unusual pattern
  id: FGDS5005
  name: SIM card pattern
  object-type: data source
  techniques:
  - FGT5026
- description: Monitor for excessive data usage; including using AI/ML
  id: FGDS5006
  name: UE data usage
  object-type: data source
  techniques:
  - FGT1499.501
  - FGT5025
- description: Number of access requests received from UEs (or a single UE) at the
    gNB. Keep track to avoid overload.
  id: FGDS5007
  name: UE access requests
  object-type: data source
  techniques:
  - FGT1499.002
  - FGT1499.002
- description: Leaking IR.21 information on the Internet can be found
  id: FGDS5008
  name: Search Internet for leaks
  object-type: data source
  techniques:
  - FGT1592.501
- description: Maintain logs of access to operator O&M resources like IR.21 databases.
  id: FGDS5009
  name: Access to operator resource
  object-type: data source
  techniques:
  - FGT1592.501
  - FGT5015
- description: UE transitions from 5GS to 4G/EPS with less or no security
  id: FGDS5010
  name: UE transition to less secure service
  object-type: data source
  techniques:
  - FGT5019.002
  - FGT5012.002
  - FGT1040.501
- description: Subscriber notifies service provider about DoS attack or other issues
  id: FGDS5011
  name: Subscriber notify provider
  object-type: data source
  techniques:
  - FGT1499.502
  - FGT5022
  - FGT5025
  - FGT1565.002
  - FGT1499.503
- description: Security Incident and event monitoring. Event logs recording user activities,
    exceptions, faults and information security events should be produced, kept and
    regularly reviewed
  id: FGDS5012
  name: SIEM
  object-type: data source
  techniques:
  - FGT1525
  - FGT5018.001
  - FGT5018.003
  - FGT5018.004
  - FGT5017
  - FGT1498.502
- description: 'The UE can tell that there is a 5G cell site that it can hear, but
    if it eventually gets connected to a 4G cell site '
  id: FGDS5013
  name: UE connecting to 4G
  object-type: data source
  techniques:
  - FGT1562.501
- description: Analyze SDN logs to detect unauthorized activity
  id: FGDS5014
  name: SDN Access Logs
  object-type: data source
  techniques:
  - FGT5004
  - FGT5004.001
  - FGT5004.002
- description: Automated hash verification of images
  id: FGDS5015
  name: Image verification
  object-type: data source
  techniques:
  - FGT1525
  - FGT5032.002
  - FGT5032.003
  - FGT1498.503
  - FGT5034
- description: Verify payload for GTP-U encapsulated packets
  id: FGDS5016
  name: Payload checking
  object-type: data source
  techniques:
  - FGT1572.501
  - FGT5031
- description: Monitor gNB and core network logs for NULL scheme usage for SUCI protection.
  id: FGDS5017
  name: Monitor null scheme usage
  object-type: data source
  techniques:
  - FGT5019.004
- description: Monitor provisioning logs in core network for changes in home network
    public key and home PLMN ID.
  id: FGDS5018
  name: Monitor provisioning logs
  object-type: data source
  techniques:
  - FGT5019.004
- description: Monitor when UE makes emergency call or when UE is moved to eNB in
    NSA mode.
  id: FGDS5019
  name: Monitor operations logs
  object-type: data source
  techniques:
  - FGT5019.004
- description: Monitor gNB logs for unplanned network service outages.
  id: FGDS5020
  name: Monitor unplanned service outage
  object-type: data source
  techniques:
  - FGT5024
- description: Monitor all 3rd party application onboarding processes and use host
    scanning to detect malware insertions.
  id: FGDS5021
  name: Monitor 3rd party application onboarding
  object-type: data source
  techniques:
  - FGT5034
- description: Monitor if any security configurations have been downgraded to weak
    or no security.
  id: FGDS5022
  name: Monitor security configurations
  object-type: data source
  techniques:
  - FGT1040
  - FGT1565.002
- description: Run at the UE side an application/tool to detect received silent SMS
    messages
  id: FGDS5102
  name: Silent SMS detector
  object-type: data source
  techniques:
  - FGT5019.006
  - FGT5012.007
- description: Automated policy compliance checks
  id: FGDS5023
  name: Audit policy violation
  object-type: data source
  techniques:
  - FGT1498.502
id: FiGHT
mitigations:
- description: Increase RACH resources on the gNB (bandwith, time slots)
  id: FGM5021
  name: Increase RACH (Random Access CHannel resources)
  object-type: mitigation
  techniques:
  - FGT1499.002
- description: When the subscriber affiliation is reflected in the home network identifier
    (part of subscriber identifier), and would benefit from not being sent in the
    clear, the subscriber's provider (home network) should be a proxy mobile network
    operator - whose identifier does not reveal the true affiliation of the subscriber.
  id: FGM5022
  name: Proxy home network
  object-type: mitigation
  techniques:
  - FGT5019.001
- description: Perform periodic authentication and authorization of consumer NFs by
    NRF
  id: FGM5023
  name: Periodic Authentication & Authorization of NFs
  object-type: mitigation
  techniques:
  - FGT5007
  - FGT5010
  - FGT5012.004
  - FGT1499.503
  - FGT5023
- description: Use strong data integrity protection algorithms.
  id: FGM5024
  name: Integrity protection of data communication
  object-type: mitigation
  techniques:
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT1557.503
  - FGT1565.002
  - FGT1565.002
  - FGT1565.002
  - FGT1565.002
  - FGT1557.504
  - FGT1195.501
  - FGT1572
  - FGT5009.001
  - FGT5009.002
  - FGT1642.501
  - FGT1048.501
- description: Disable or remove an RF transmitter
  id: FGM5001
  name: Disable malicious transmitter
  object-type: mitigation
  techniques:
  - FGT5035
- description: User Equipment (UE) can reject e.g. RRC signaling such as RRC Release
    with Redirect info, if not integrity protected.
  id: FGM5002
  name: Discard RAN signaling received without integrity protection
  object-type: mitigation
  techniques:
  - FGT1562.501
- description: NFs such as NRF should cross check with TLS layer before issuing token
    to an NF
  id: FGM5003
  name: Cross check between application layer and transport layer
  object-type: mitigation
  techniques:
  - FGT5003
  - FGT5011
  - FGT5027
- description: Employ a SMS Router that intercepts incoming location queries (from
    other operators), configured so that it can't be subverted.
  id: FGM5004
  name: Correctly configure SMS firewall
  object-type: mitigation
  techniques:
  - FGT5002
  - FGT5012.008
  - FGT5019.005
  - FGT5019.006
  - FGT5012.007
- description: 'Physical protection of: communications centers, Telecommunications
    equipment room, Physically isolated operation areas, Equipment sited in other
    carrier''s or partner''s premises, cable/fibers, junction boxes, '
  id: FGM5005
  name: Physical and environmental protection
  object-type: mitigation
  techniques:
  - FGT5018
  - FGT5018.001
  - FGT5018.002
  - FGT5018.003
  - FGT5018.004
  - FGT1498.502
- description: This profile does not allow bidding down to 4G
  id: FGM5006
  name: Restrictive user profile
  object-type: mitigation
  techniques:
  - FGT5019.002
  - FGT5012.002
  - FGT1040.501
  - FGT5009.001
- description: Subscription that includes unlimited data can prevent DoS due to exhausion
    of data plan limits
  id: FGM5007
  name: Unlimited data plan
  object-type: mitigation
  techniques:
  - FGT1499.501
- description: On the UE, monitor installed applications for data usage and perform
    throttling if necessary
  id: FGM5008
  name: Monitor installed applications for data usage
  object-type: mitigation
  techniques:
  - FGT1499.501
- description: Services are refreshed periodically and/or terminated after completion
    of a request.
  id: FGM5010
  name: Non-Persistent Services
  object-type: mitigation
  techniques:
  - FGT5029
- description: Check if IMSI is served by the slice ID (NSSAI)
  id: FGM5012
  name: Slice ID check
  object-type: mitigation
  techniques:
  - FGT5012.005
- description: UDM/UDR should correctly implement UE authentication/registration status
    updates.
  id: FGM5013
  name: Timely updates to UE status
  object-type: mitigation
  techniques:
  - FGT5010
- description: UDM can check whether a requesting AMF is likely to be the one serving
    that UE.
  id: FGM5014
  name: UE location plausibility
  object-type: mitigation
  techniques:
  - FGT5010
- description: NEF should authorize API calls especially from external AFs for service
    accesses
  id: FGM5019
  name: Authorize external API calls
  object-type: mitigation
  techniques:
  - FGT5008
  - FGT5011
  - FGT5012.004
  - FGT5019.003
- description: Including EIR Equipment Identity Register
  id: FGM5020
  name: Secure subscriber repositories
  object-type: mitigation
  techniques:
  - FGT5015
  - FGT5022
- description: Use zero trust principles for application/NF protection
  id: FGM5033
  name: Zero Trust
  object-type: mitigation
  techniques:
  - FGT1040
  - FGT5020
- description: Separate repositositories must be maintained for development and production
    software to avoid access and image slipovers
  id: FGM5088
  name: Separate repositories for development and production
  object-type: mitigation
  techniques:
  - FGT1525
- description: Use image name and hash to verify image during deployment
  id: FGM5089
  name: Verify image in deployment
  object-type: mitigation
  techniques:
  - FGT1525
  - FGT5017
- description: Correlate logs between SDN controllers and network elements
  id: FGM5090
  name: Log correlation
  object-type: mitigation
  techniques:
  - FGT1525
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT5005
- description: Enforce mutual authentication between SDN controller, network elements,
    SDN controller and SDN application
  id: FGM5091
  name: Mutual authentication
  object-type: mitigation
  techniques:
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT5034
- description: 'UE warn user of lower security network. '
  id: FGM5092
  name: Warn user
  object-type: mitigation
  techniques:
  - FGT1562.501
- description: UDM/SIDF checks if SUCI freshness parameter from the same UE (with
    same SUPI) is identical during SUCI deconcealment within a short period of time
  id: FGM5093
  name: SUCI freshness parameter
  object-type: mitigation
  techniques:
  - FGT1499.502
- description: Network (AMF) should allocate new 5G-GUTI whenever possible; UPF and
    gNB should allocate unique Tunnel IDs. SMF should check newly allocated charging
    IDs.
  id: FGM5094
  name: Allocate new 5G identifiers judiciously
  object-type: mitigation
  techniques:
  - FGT5012.003
  - FGT5021
  - FGT5023
- description: Verify if the TLS certificate is valid for the endpoint
  id: FGM5095
  name: TLS certificate check
  object-type: mitigation
  techniques:
  - FGT1557.504
- description: Disable usage of location on UE device
  id: FGM5096
  name: Disable UE location use
  object-type: mitigation
  techniques:
  - FGT5012.002
- description: Restrict UE to bid down (from 5G) or use of less secure system
  id: FGM5097
  name: Disable acceptance of a less secure system
  object-type: mitigation
  techniques:
  - FGT1562.501
- description: Use UE only when needed. Turn power off when not in use.
  id: FGM5098
  name: Reduce UE usage
  object-type: mitigation
  techniques:
  - FGT5012.001
- description: Move UE close to gNB or indoors to make geo-location harder
  id: FGM5099
  name: Move UE close to gNB
  object-type: mitigation
  techniques:
  - FGT5035
  - FGT5012.001
- description: Raising the height of the UE may move it outside another RF source,
    e.g. jammer
  id: FGM5100
  name: Raise height of UE
  object-type: mitigation
  techniques:
  - FGT5035
- description: Isolate CDR databases from the rest of the IT systems/NOC resources
  id: FGM5101
  name: Isolate CDR database
  object-type: mitigation
  techniques: []
- description: Run at the UE side an application/tool to detect and not respond to
    silent SMS messages
  id: FGM5102
  name: 'Silent SMS blocker '
  object-type: mitigation
  techniques:
  - FGT5019.006
  - FGT5012.007
- description: Use a firewall or other rate limiter for signaling and user plane traffic
    coming into 5G network
  id: FGM5498
  name: Limit incoming signaling and user plane traffic
  object-type: mitigation
  techniques:
  - FGT1498.501
  - FGT1572.501
- description: Producer NF e.g. AUSF can rate limit authentication requests from the
    same SUCI/SUPI too many times in a short period. Or NRF not respond to requests
    after a given number of failed NSSAI lookups
  id: FGM5499
  name: Rate limiting by producer NF
  object-type: mitigation
  techniques:
  - FGT1499.002
  - FGT5028
- description: E.g. restrict access to IR.21 database
  id: FGM5500
  name: Restrict access to operator OA&M resources
  object-type: mitigation
  techniques:
  - FGT1592.501
- description: Operator should deploy TLS proxies or firewalls on the SBA that can
    inspect packets to detect anomalies
  id: FGM5501
  name: TLS proxy/firewalls with DPI on the SBA
  object-type: mitigation
  techniques:
  - FGT5003
  - FGT1437
- description: 'Examples: employ home routing vs. local bypass.'
  id: FGM5503
  name: Increase control of home network for user plane
  object-type: mitigation
  techniques:
  - FGT5025
- description: 'Cloud compute, cloud storage and any serverless activity should be
    isolated from other tenants  '
  id: FGM5504
  name: Resource Isolation in virtualization environment
  object-type: mitigation
  techniques:
  - FGT1583
- description: Hardware mediated  execution environment
  id: FGM5505
  name: Hardware mediated  execution environment
  object-type: mitigation
  techniques:
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1583
- description: Use of Network Slice Templates -Use of templates for network slicing
    can enforce baseline security and isolation requirements.  These templates can
    be created for networks, compute and 5G slice functions deployments.
  id: FGM5506
  name: network slice templates
  object-type: mitigation
  techniques:
  - FGT1599.501
  - FGT1599.502
  - FGT5038
- description: Continuity of power supplies to equipment deployed in the field.
  id: FGM5540
  name: Power supplies
  object-type: mitigation
  techniques:
  - FGT5018.001
- description: Vulnerability scanning is used to find potentially exploitable software
    vulnerabilities to remediate them.
  id: M1016
  name: Vulnerability Scanning
  object-type: mitigation
  techniques:
  - FGT1195
  - FGT1190
  - FGT1499
  - FGT1499
  - FGT1195.002
  - FGT1195.003
- description: Train users to be aware of access or manipulation attempts by an adversary
    to reduce the risk of successful spearphishing, social engineering, and other
    techniques that involve user interaction.
  id: M1017
  name: User Training
  object-type: mitigation
  techniques:
  - FGT1078.004
  - FGT1555.501
  - FGT5026
  - FGT1195.501
- description: Manage the creation, modification, use, and permissions associated
    to user accounts.
  id: M1018
  name: User Account Management
  object-type: mitigation
  techniques:
  - FGT1199.501
  - FGT1014
  - FGT1542.501
  - FGT5007
  - FGT1600.501
  - FGT1021
  - FGT1072
  - FGT1078.004
  - FGT5013
  - FGT1609.501
  - FGT5014
  - FGT1611.501
  - FGT1555.501
  - FGT5009.001
  - FGT5009.002
  - FGT1600.502
  - FGT5037
  - FGT5036
- description: Break and inspect SSL/TLS sessions to look at encrypted web traffic
    for adversary activity.
  id: M1020
  name: SSL/TLS Inspection
  object-type: mitigation
  techniques:
  - FGT1040
  - FGT5027
  - FGT1565.002
- description: Restrict access by setting directory and file permissions that are
    not specific to users or privileged accounts.
  id: M1022
  name: Restrict File and Directory Permissions
  object-type: mitigation
  techniques:
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT1195.501
- description: Manage the creation, modification, use, and permissions associated
    to privileged accounts, including SYSTEM and root.
  id: M1026
  name: Privileged Account Management
  object-type: mitigation
  techniques:
  - FGT1611
  - FGT1078.003
  - FGT1072
  - FGT1078.004
  - FGT1609.501
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1040
  - FGT1020.001
  - FGT1555.501
  - FGT1599
  - FGT5037
  - FGT5036
  - FGT1200
- description: Set and enforce secure password policies for accounts.
  id: M1027
  name: Password Policies
  object-type: mitigation
  techniques:
  - FGT1078.003
  - FGT1072
  - FGT1078.004
  - FGT1599
- description: Use remote security log and sensitive file storage where access can
    be controlled better to prevent exposure of intrusion detection log data or sensitive
    information.
  id: M1029
  name: Remote Data Storage
  object-type: mitigation
  techniques:
  - FGT1072
- description: Architect sections of the network to isolate critical systems, functions,
    or resources. Use physical and logical segmentation to prevent access to potentially
    sensitive systems and information. Use a DMZ to contain any internet-facing services
    that should not be exposed from the internal network. Configure separate virtual
    private cloud (VPC) instances to isolate critical cloud systems.
  id: M1030
  name: Network Segmentation
  object-type: mitigation
  techniques:
  - FGT1199.501
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT5007
  - FGT1072
  - FGT5013
  - FGT5014
  - FGT1611.501
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1040
  - FGT1018
  - FGT1046
  - FGT1557.502
  - FGT1499.503
  - FGT1195.501
  - FGT1498.502
  - FGT1583
  - FGT5034
  - FGT1200
- description: Use intrusion detection signatures to block traffic at network boundaries.
  id: M1031
  name: Network Intrusion Prevention
  object-type: mitigation
  techniques:
  - FGT1600.501
  - FGT1018
  - FGT1046
  - FGT1572
  - FGT5009.001
  - FGT5009.002
  - FGT1600.502
  - FGT1572.501
  - FGT5031
  - FGT1048.501
- description: Use two or more pieces of evidence to authenticate to a system; such
    as username and password in addition to a token from a physical smart card or
    token generator.
  id: M1032
  name: Multi-factor Authentication
  object-type: mitigation
  techniques:
  - FGT1021
  - FGT1072
  - FGT1078.004
  - FGT1599
- description: Block users or groups from installing unapproved software.
  id: M1033
  name: Limit Software Installation
  object-type: mitigation
  techniques:
  - FGT5039
  - FGT5005
  - FGT5032.002
  - FGT5032.003
  - FGT5034
- description: Prevent access to file shares, remote access to systems, unnecessary
    services. Mechanisms to limit access may include use of network concentrators,
    RDP gateways, etc.
  id: M1035
  name: Limit Access to Resource Over Network
  object-type: mitigation
  techniques:
  - FGT1525
  - FGT5021
  - FGT5013
  - FGT1609.501
  - FGT5014
  - FGT1611.501
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1557.502
  - FGT5032.002
  - FGT5032.003
- description: Use network appliances to filter ingress or egress traffic and perform
    protocol-based filtering. Configure software on endpoints to filter network traffic.
  id: M1037
  name: Filter Network Traffic
  object-type: mitigation
  techniques:
  - FGT1199.501
  - FGT1599
  - FGT5012.004
  - FGT1557.502
  - FGT1572
  - FGT1499
  - FGT1499
  - FGT1048.003
  - FGT1048
  - FGT1583.508
- description: Block execution of code on a system through application control, and/or
    script blocking.
  id: M1038
  name: Execution Prevention
  object-type: mitigation
  techniques:
  - FGT1611
  - FGT1609.501
- description: Use capabilities to prevent suspicious behavior patterns from occurring
    on endpoint systems. This could include suspicious process, file, API call, etc.
    behavior.
  id: M1040
  name: Behavior Prevention on Endpoint
  object-type: mitigation
  techniques:
  - FGT5008
  - FGT5011
  - FGT1040
- description: Protect sensitive information with strong encryption.
  id: M1041
  name: Encrypt Sensitive Information
  object-type: mitigation
  techniques:
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT1600.501
  - FGT1599.501
  - FGT1599.502
  - FGT5038
  - FGT1040
  - FGT1040
  - FGT1020.001
  - FGT5016
  - FGT5012.002
  - FGT1040.501
  - FGT1557.503
  - FGT1557.504
  - FGT1195.501
  - FGT1583
  - FGT1600.502
  - FGT5019.004
  - FGT1572.501
  - FGT5031
  - FGT5037
  - FGT5036
- description: Remove or deny access to unnecessary and potentially vulnerable software
    to prevent abuse by adversaries.
  id: M1042
  name: Disable or Remove Feature or Program
  object-type: mitigation
  techniques:
  - FGT1018
  - FGT1046
- description: Use capabilities to prevent successful credential access by adversaries;
    including blocking forms of credential dumping.
  id: M1043
  name: Credential Access Protection
  object-type: mitigation
  techniques:
  - FGT1525
  - FGT1600.501
  - FGT1599
  - FGT5032.002
  - FGT5032.003
  - FGT5009.001
  - FGT5009.002
  - FGT1600.502
  - FGT5034
- description: Enforce binary and application integrity with digital signature verification
    to prevent untrusted code from executing.
  id: M1045
  name: Code Signing
  object-type: mitigation
  techniques:
  - FGT1014
  - FGT1542.501
  - FGT5032.002
  - FGT5032.003
  - FGT5034
  - FGT1195.002
- description: Use secure methods to boot a system and verify the integrity of the
    operating system and loading mechanisms.
  id: M1046
  name: Boot Integrity
  object-type: mitigation
  techniques:
  - FGT1014
  - FGT1542.501
  - FGT1600.501
  - FGT5009.002
  - FGT1600.502
- description: Perform audits or scans of systems, permissions, insecure software,
    insecure configurations, etc. to identify potential weaknesses.
  id: M1047
  name: Audit
  object-type: mitigation
  techniques:
  - FGT5039
  - FGT5005
  - FGT1014
  - FGT1542.501
  - FGT5008
  - FGT5021
  - FGT5013
  - FGT5014
  - FGT1611.501
  - FGT1040
  - FGT1557.504
  - FGT5009
  - FGT5037
  - FGT5036
  - FGT1200
- description: Restrict execution of code to a virtual environment on or in transit
    to an endpoint system.
  id: M1048
  name: Application Isolation and Sandboxing
  object-type: mitigation
  techniques:
  - FGT1611
- description: Use signatures or heuristics to detect malicious software.
  id: M1049
  name: Anti-virus & Anti-malware
  object-type: mitigation
  techniques:
  - FGT1525
  - FGT5001
- description: Use capabilities to detect and block conditions that may lead to or
    be indicative of a software exploit occurring.
  id: M1050
  name: Exploit Protection
  object-type: mitigation
  techniques:
  - FGT1190
  - FGT1499
  - FGT1499
  - FGT5029
- description: Perform regular software updates to mitigate exploitation risk.
  id: M1051
  name: Update Software
  object-type: mitigation
  techniques:
  - FGT1014
  - FGT1542.501
  - FGT1600.501
  - FGT1195
  - FGT1072
  - FGT5009.002
  - FGT1600.502
  - FGT5029
  - FGT1195.002
  - FGT1195.003
- description: Take and store data backups from end user systems and critical servers.
    Ensure backup and storage systems are hardened and kept separate from the corporate
    network to prevent compromise.
  id: M1053
  name: Data Backup
  object-type: mitigation
  techniques:
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT5039
- description: Implement configuration changes to software (other than the operating
    system) to mitigate security risks associated to how the software operates.
  id: M1054
  name: Software Configuration
  object-type: mitigation
  techniques:
  - FGT1199.501
  - FGT5004
  - FGT5004.001
  - FGT5004.002
  - FGT1040
  - FGT5016
- description: This category is used for any applicable mitigation activities that
    apply to techniques occurring before an adversary gains Initial Access, such as
    Reconnaissance and Resource Development techniques.
  id: M1056
  name: Pre-compromise
  object-type: mitigation
  techniques:
  - FGT5016
  - FGT1583.501
  - FGT1588
  - FGT1587.501
  - FGT1587
  - FGT1588.002
  - FGT1588.501
- description: Randomize TEID allocations.
  id: FGM5507
  name: TEID allocation
  object-type: mitigation
  techniques:
  - FGT5031
- description: 'Refresh TEID allocations frequently. '
  id: FGM5508
  name: Refresh TEIDs
  object-type: mitigation
  techniques:
  - FGT5031
- description: Filter encapsulated GTP-U packets received from UE.
  id: FGM5509
  name: Filter GTP-U packets
  object-type: mitigation
  techniques: []
- description: Filter user plane packets received from UE which have destination address
    set core NF's IP address.
  id: FGM5510
  name: Filter packets to core NF sent by UE
  object-type: mitigation
  techniques:
  - FGT1599.505
- description: Monitor NAS messages from UE for incorrect or very large header length.
  id: FGM5511
  name: Verify NAS messages from UE
  object-type: mitigation
  techniques:
  - FGT1498.503
- description: Use high availability feature for all core network functions.
  id: FGM5512
  name: Use high availability
  object-type: mitigation
  techniques:
  - FGT1498.503
- description: Use Diameter End-to-end Signaling Security (DESS)
  id: FGM5513
  name: Use DESS security
  object-type: mitigation
  techniques:
  - FGT5012.008
  - FGT5019.005
- description: Minimize number of connections to eNB in NSA mode.
  id: FGM5514
  name: Minmize eNB connections
  object-type: mitigation
  techniques:
  - FGT5019.004
- description: Move mIAB node to another location to avoid RF jamming.
  id: FGM5515
  name: Move mIAB node
  object-type: mitigation
  techniques:
  - FGT5024
- description: 'Allow tokens with short lifetime to prevent AiTM attacks by replaying
    stolen tokens. '
  id: FGM5516
  name: Make xApp sessions short lived
  object-type: mitigation
  techniques:
  - FGT5034
- description: Use application layer data obfuscation technique for example use of
    Orbot as Tor proxy to send all traffic through Tor circuit.
  id: FGM5517
  name: Use obfuscation at application layer
  object-type: mitigation
  techniques:
  - FGT1040.501
  - FGT1195.002
- description: APIs in the system should use secure access and data transport using
    TLS 1.3 or latest.
  id: M1009
  name: Encrypt Network Traffic
  object-type: mitigation
  techniques:
  - FGT5037
  - FGT5036
- description: 'Create and enforce resource policy; policy can include SLA, quotas,
    QOS etc. '
  id: FGM5518
  name: Resource Policy enforcement
  object-type: mitigation
  techniques:
  - FGT1498.502
- description: 5G Operators should evaluate suppliers of services for their technical
    and administrative controls to ensure that it meets minimum standards for assured
    services. These evaluations may include SW, HD supply  chain, personnel and process
    used for service creation.
  id: M0817
  name: Supply chain management
  object-type: mitigation
  techniques:
  - FGT1195.502
  - FGT1195.002
- description: 5G operators should integrate performance and change management from
    their suppliers into their own OA&M tools to have complete visibility into service
  id: FGM5519
  name: Integrate Performance and Change Management
  object-type: mitigation
  techniques:
  - FGT1195.502
- description: Protect processes with high privileges that can be used to interact
    with critical system components through use of protected process light, anti-process
    injection defenses, or other process integrity enforcement measures.
  id: M1025
  name: Privileged Process Integrity
  object-type: mitigation
  techniques:
  - FGT5032.002
  - FGT5032.003
name: FiGHT Threat Matrix
tactics:
- description: "The adversary is trying to gather information they can use to plan\
    \ future operations.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0043/) "
  id: TA0043
  name: Reconnaissance
  object-type: tactic
- description: "The adversary is trying to establish resources they can use to support\
    \ operations.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0042/) "
  id: TA0042
  name: Resource Development
  object-type: tactic
- description: "The adversary is trying to get into your network.\r\n[View Here at\
    \ MITRE ATT&CK](https://attack.mitre.org/tactics/TA0001/)"
  id: TA0001
  name: Initial Access
  object-type: tactic
- description: "The adversary is trying to run malicious code.\r\n[View Here at MITRE\
    \ ATT&CK](https://attack.mitre.org/tactics/TA0002/)"
  id: TA0002
  name: Execution
  object-type: tactic
- description: "The adversary is trying to maintain their foothold.\r\n[View Here\
    \ at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0003/)"
  id: TA0003
  name: Persistence
  object-type: tactic
- description: "The adversary is trying to gain higher - level permissions.\r\n[View\
    \ Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0004/)"
  id: TA0004
  name: Privilege Escalation
  object-type: tactic
- description: "The adversary is trying to avoid being detected.\r\n[View Here at\
    \ MITRE ATT&CK](https://attack.mitre.org/tactics/TA0005/)"
  id: TA0005
  name: Defense Evasion
  object-type: tactic
- description: "The adversary is trying to steal account names and passwords.\r\n\
    [View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0006/)"
  id: TA0006
  name: Credential Access
  object-type: tactic
- description: "The adversary is trying to figure out your environment.\r\n[View Here\
    \ at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0007/)"
  id: TA0007
  name: Discovery
  object-type: tactic
- description: "The adversary is trying to move through your environment.\r\n[View\
    \ Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0008/)"
  id: TA0008
  name: Lateral Movement
  object-type: tactic
- description: "The adversary is trying to gather data of interest to their goal.\r\
    \n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0009/)"
  id: TA0009
  name: Collection
  object-type: tactic
- description: "The adversary is trying to communicate with compromised systems to\
    \ control them.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0011/)"
  id: TA0011
  name: Command and Control
  object-type: tactic
- description: "The adversary is trying to steal data.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0010/)"
  id: TA0010
  name: Exfiltration
  object-type: tactic
- description: "The adversary is trying to manipulate, interrupt, or destroy your\
    \ systems and data.\r\n[View Here at MITRE ATT&CK](https://attack.mitre.org/tactics/TA0040/)"
  id: TA0040
  name: Impact
  object-type: tactic
- description: The adversary is trying to obtain service without contractually paying
    for it
  id: TA5001
  name: Fraud
  object-type: tactic
techniques:
- access-required: service account, token, expanded privilege
  architecture-segment: Roaming, Application Layer, Supply Chain
  bluf: An adversary may breach or otherwise leverage a mobile network operator's
    (MNO's) roaming partners or their service partners to gain access to subscriber's
    services or obtain information about that subscriber from their home network.
  criticalassets:
  - Description: An adversary would want to compromise the cSEPP as it is the VPLMN
      end-point for the N32c channel to the HPLMN.
    Name: SEPP
  - Description: An adversary would want to compromise the VPLMN UPF as it is used
      as an endpoint on the roaming network for the N9 user plane interface between
      UPFs.
    Name: VPLMN UPF
  - Description: "An adversary would want to compromise a trusted VAS with access\
      \ to the MNO\u2019s core functions."
    Name: VAS
  description: " An adversary may breach or otherwise leverage a mobile network operator\u2019\
    s (MNO\u2019s) roaming partners or their service partners to gain access to subscriber\u2019\
    s services or obtain information about that subscriber from their home network.\
    \ Since these relationships are of a more trusted nature, end-to-end security\
    \ is not necessarily used.\r\n\r\nAn adversary may use the trusted relationship\
    \ with other mobile network operators and their related service providers such\
    \ as roaming hubs, roaming partners, national partners, SMS service providers,\
    \ lookup services to gain access to subscriber information at the subscriber\u2019\
    s home MNO. An adversary may take advantage of potentially weaker security at\
    \ a roaming partner of a targeted MNO. The roaming MNO or their service partners\
    \ could also be adversaries themselves. \r\n\r\nThese trusted relationships expose\
    \ more interfaces to the roaming partner and their service providers than described\
    \ in the related technique [FGT5029](/techniques/FGT5029). The information an\
    \ adversary can obtain or modify about a subscriber and the subscriber\u2019s\
    \ activity depends on the specific location and assets compromised and additional\
    \ techniques used. Information such as location, call records, messages, etc.\
    \ are potentially obtained. Adversary use of additional techniques to compromise\
    \ the VPLMN UPF (N9 endpoint) may result in direct compromise of user plane data.\
    \ The adversary may generate queries using specially crafted messages as described\
    \ in [FGT5029](/techniques/FGT5029) or obtain credentials and operate as an apparently\
    \ authorized partner would to collect information. Depending on the roaming partner\u2019\
    s configuration, core functions may be directly exposed to service providers used\
    \ by the roaming partner.\r\n\r\n"
  detections:
  - detects: Analysis of application logs on the HPLMN SEPP and PLMN NFs may indicate
      unusual control channel activity.
    fgdsid: DS0015
    name: Application Log
  - detects: Analysis of network traffic from VAS, and/or IPX may indicate unexpected
      or unusual traffic.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1199.501
  mitigations:
  - fgmid: M1018
    mitigates: Management of credentials used by partners to be scoped to the least
      privilege can minimize potential abuse. Does not mitigate misuse within allowed
      privileges.
    name: User Account Management
  - fgmid: M1030
    mitigates: Minimize exposure of functions to only those partner functions that
      need to access.
    name: Network Segmentation
  - fgmid: M1037
    mitigates: Ensure communication with functions such as a SEPP is constrained to
      necessary addresses, ports, and protocols.
    name: Filter Network Traffic
  - fgmid: M1054
    mitigates: Validation of credentials properly can mitigate some AITM attacks and
      ensure revoked/expired credentials are not allowed.
    name: Software Configuration
  name: MNO Roaming Partners
  object-type: technique
  platforms: SEPP
  preconditions:
  - Description: An adversary must already have compromised a trusted PLMN or one
      of their service providers, e.g. IPX, VAS, etc.
    Name: Compromised partner
  - Description: An adversary may need compromised legitimate credentials that could
      be used to obtain information from the MNO.
    Name: Compromised credentials
  - Description: An adversary may need to identify a vulnerability in an MNO network
      function to send specially crafted requests to obtain initial access.
    Name: Identified vulnerability
  procedureexamples:
  - Description: The service partner of the targeted MNO may themselves be targeted
      as part of an attack chain using that roaming partners supply chain.
    Name: Partner supply chain compromise
  - Description: A roaming partner, may have an adversary with a privileged position
      in the roaming or service partners organization and can use that position to
      attempt additional techniques against the targeted MNO.
    Name: Partner insider
  references:
  - <a name="1"> \[1\] </a> [5GS Roaming Guidelines Version 5.0 (non-confidential),
    NG.113-v5.0, GSMA, December 2021](https://www.gsma.com/newsroom/wp-content/uploads//NG.113-v5.0.pdf)
  - <a name="2"> \[2\] </a> [5G; Security Architecture and Procedures for 5G System,
    TS 33.501 v16.10.0 Release 16, Sections 9.9, 13.1, 13.2, 3GPP, March 2022](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169)
  - "<a name=\"3\"> \\[3\\] </a> [ETSI White Paper No. 46 \u2013 MEC security: Status\
    \ of standards support and future evolutions, 1st edition, ETSI, May 2021](https://www.etsi.org/images/files/ETSIWhitePapers/ETSI_WP_46-_MEC_security.pdf)"
  - "<a name=\"4\"> \\[4\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,\_ October 2021](https://arxiv.org/abs/2108.11206\_\_)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1199
  tactics:
  - TA0001
  - TA0040
  typecode: fight_subtechnique_to_attack_technique
- access-required: User or Administrative access to repository
  addendums:
  - "#### Addendum Name: Compromised image\r\n##### Architecture Segments: Virtualization,\
    \ Cloud Service Provider, OA&M, Supply Chain\r\n An adversary may install a compromised\
    \ image in a 5G environment to achieve persistence. This could be achieved by\
    \ either poisoning an image repository, compromising the MANO, or other means.\r\
    \n\r\nThe 5G Virtual Network Function (VNF) software is either developed in house\
    \ or supplied by a product vendor.  Typically, software is stored in a deployment\
    \ repository for deployment or for an orchestrator to use as part of an automated\
    \ workload deployment activity.  An adversary may install a compromised image\
    \ in the repository of 5G VNFs and or VM (Virtual Machine)/Container images to\
    \ later establish Command and Control (C2) connection and subsequent modification,\
    \ discovery, and exfiltration operations.\r\n\r\nManagement and Orchestration\
    \ (MANO) is a framework for managing and orchestrating network functions virtualization\
    \ (NFV) infrastructure, resources, and services. It provides a standard approach\
    \ for the management and orchestration of network services in NFV environments,\
    \ including the automation of tasks such as network service deployment, scaling,\
    \ and network function lifecycle management.  A poisoned image can be installed\
    \ using compromised MANO tool set during image acquisition, repository manipulation\
    \ or deployment and configuration scripts.\r\n\r\n"
  architecture-segment: Virtualization, Cloud Service Provider, OA&M, Supply Chain
  bluf: Adversaries may implant cloud or container images with malicious code to establish
    persistence after gaining access to an environment.
  criticalassets:
  - Description: An adversary may target the 5G core network domain
    Name: Core components
  - Description: An adversary may target the 5G core network domain
    Name: RAN components
  - Description: An adversary may target CI/CD pipeline components
    Name: SDN components
  - Description: An adversary may target security and operations tools
    Name: System tools
  description: "Adversaries may implant cloud or container images with malicious code\
    \ to establish persistence after gaining access to an environment.\r\n[To read\
    \ more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1525)\r\
    \n"
  detections:
  - detects: Analyze logs and other CI/CD events to detect unauthorized activity
    fgdsid: FGDS5012
    name: SIEM
  - detects: An automated image hash verification should be performed
    fgdsid: FGDS5015
    name: Image verification
  id: FGT1525
  mitigations:
  - fgmid: FGM5088
    mitigates: Development and production repositories should be separated to avoid
      access and image slipovers. Production repositories should be access controlled
      for accounts responsible for deployments and operations accounts only.
    name: Separate repositories for development and production
  - fgmid: FGM5089
    mitigates: In addition to image name, deployment tools must use hash and verify
      image during deployment
    name: Verify image in deployment
  - fgmid: FGM5090
    mitigates: Logs from tools and repository must be corelated to ensure unauthorized
      activity is reported.
    name: Log correlation
  - fgmid: M1035
    mitigates: Access to repositories should be restricted to known networks from
      where any authorized actions need be executed.
    name: Limit Access to Resource Over Network
  - fgmid: M1043
    mitigates: Restricted Permissions to add images to repositories for person and
      non-person accounts
    name: Credential Access Protection
  - fgmid: M1049
    mitigates: Manual or automated image creation and storage must include image hash
    name: Anti-virus & Anti-malware
  name: Implant Internal Image
  object-type: technique
  platforms: VM, Container, Azure/AWS, IaaS, SDN
  postconditions:
  - Description: A compromised image deployed in the production can lead to variety
      of adversarial activities depending on what capabilities were added/deleted
      from the image.
    Name: A Compromised Image is deployed in production
  preconditions:
  - Description: An image can be manipulated, or a new image can be introduced to
      have same impact.  Privileged Access to tool or repo is required.
    Name: Credential and Access to repository and or image creation tools (i.e. Docker)
  references:
  - <a name="1"> \[1\] </a> [ENISA THREAT LANDSCAPE FOR 5G NETWORKS, December 2020,
    section 6.2. Accessed April 13, 2021](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks/)
  - <a name="2"> \[2\] </a> [Docker Documentation, Security, Content in Trust](https://docs.docker.com/engine/security/trust/)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0003
  typecode: attack_technique_addendum
- access-required: N/A
  architecture-segment: Control Plane, Roaming
  bluf: A adversary positioned in an operator network may send an SMS delivery location
    query that will bypass the SMS home router of another operator, and which will
    allow to get the location of the user device.
  criticalassets:
  - Description: 'Coarse location: In the form of routing info (MSC address)'
    Name: UE location
  description: " An adversary positioned in an operator network may send an SMS delivery\
    \ location query that will bypass the SMS home router of another operator, allowing\
    \ the adversary to get the location of the user device.\r\n\r\nSMS home routing\
    \ bypassing is a technique that exploits incorrect implementation or configuration.\
    \ An adversary sends an SMS delivery location query that does not get intercepted\
    \ by the SMS home router, so it receives a response by providing the location\
    \ of the adversary\u2019s target UE. \r\n \r\nThis technique is applicable to\
    \ 3G, 4G, and 5G, since 5G systems still need to interconnect with SS7 networks.\
    \ 5G supports both SMS over IP and SMS over NAS. The routes for SMS are still\
    \ from SMSC (Short Message Service Center) to STP (Signaling Transfer Point) to\
    \ either IP-SM-GW (IP Short Message Gateway) for SMS over IP or SMSF (SMS Function)\
    \ for SMS over NAS. Refer to section 7.2 of [3].\r\n\r\n"
  detections:
  - detects: Logs of externally received messages requesting location of user or,
      logs of outgoing responses to such messages can detect anomalies. Logs are on
      the NF or functions which interface SMS home router such as MAP IWF or SMSC.
      See Figure 27 of [3].
    fgdsid: DS0015
    name: Application Log
  id: FGT5002
  mitigations:
  - fgmid: FGM5004
    mitigates: Correctly configure SMS firewall in home network. [4]
    name: Correctly configure SMS firewall
  name: Bypass home routing
  object-type: technique
  platforms: 5G
  preconditions:
  - Description: Access to a host that could pass as belonging to a different operator
      (roaming partner)
    Name: Compromised SMS Center or STP
  - Description: Access to the MSISDN of the user device
    Name: "Get target user\u2019s phone number"
  procedureexamples:
  - Description: Incorrect implementation/configuration or compromised home SMS router
      can allow bypass of the SMS location query messages. Deployed SMS router as
      in Section 7.2.2 of [3]
    Name: Send SMS location query via SS7 or Diameter
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [European Union Agency for Cybersecurity (ENISA),\
    \ \u201CSignaling security in telecom SS7/Diameter/5G\u201D, March 2018](https://www.enisa.europa.eu/publications/signalling-security-in-telecom-ss7-diameter-5g\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [GSM Association, \u201COfficial Document NG.111\
    \ - SMS Evolution\u201D, v2.0, Nov. 2020](https://www.gsma.com/newsroom/wp-content/uploads//NG.111-v2.0.pdf\
    \ )"
  - "<a name=\"4\"> \\[4\\] </a> [Kirill Puzankov: \u201CHidden Agendas: bypassing\
    \ GSMA recommendations on SS7 networks,\u201Daccessed on May 25, 2023](https://docplayer.net/136483279-Hidden-agendas-bypassing-gsma-recommendations-on-ss7-networks-kirill-puzankov.html)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA0005
  typecode: fight_technique
- architecture-segment: RAN
  bluf: An adversary may employ a fake base station to bid down (downgrade) the victim
    UE to a less secure Radio Access Network in order to exploit vulnerabilities in
    that network.
  criticalassets:
  - Description: Data that the UE sends to/from the network (including identifiers).
    Name: User data
  description: " An adversary may employ a false base station to bid down (downgrade)\
    \ the victim UE to a less secure Radio Access Network in order to exploit the\
    \ vulnerabilities in that network. \r\n\r\nAn adversary located between the victim\
    \ UE and real base stations may jam the 5G radio frequencies and use the false\
    \ base station to generate illegitimate over-the-air signaling to deny service\
    \ to 5G and induce the UE to operate over a less secure radio access network,\
    \ such as 3G, 4G. This requires a UE profile that permits attaching to networks\
    \ other than 5G.\r\n\r\nWhen the security profile in the UE allows connection\
    \ to a less secure service, adversary denies service to 5G, bids down victim UE\
    \ to less secure network (4G or 3G) with illegitimate signaling. Then the adversary\
    \ bids down the UE to 2G network and orders the UE to transmit with no or weak\
    \ encryption/integrity protection. However, note that 5G (Release 15 and later)\
    \ supports an anti-bid-down feature: during the Authentication and Key Agreement\
    \ (AKA) procedure, the network sends to the UE an \u201CABBA\u201D parameter (Anti\
    \ Bidding Down between Architectures), which indicates the security features that\
    \ the network possesses. When this feature is enabled, the UE is not to attach\
    \ to earlier generation networks.\r\n\r\nAlso known as downgrading, the bidding\
    \ down enables the adversary to perform additional following techniques using\
    \ over the air interfaces, such as eavesdropping of user SMS and voice calls,\
    \ user data or signaling manipulation, and privacy breaches.  These privacy breaches\
    \ may include exposure of the IMSI, location tracking of user, and impersonation\
    \ of a user. \r\n\r\n"
  detections:
  - detects: At the UE side, the UE can tell that there is a 5G cell site that it
      can hear, but if it eventually gets connected to a 4G cell site, then it may
      have suffered a bidding down attack
    fgdsid: FGDS5013
    name: UE connecting to 4G
  id: FGT1562.501
  mitigations:
  - fgmid: FGM5002
    mitigates: UE should discard RRC redirection messages that are not integrity protected,
      and go search for other gNBs. UE should only accept to register to networks
      that require mutual auth and strong encryption, also integrity protection of
      user plane. See [2]
    name: Discard RAN signaling received without integrity protection
  - fgmid: FGM5092
    mitigates: UE warns user of lower security network (and the user can take action
      to limit data or type of data, or to disconnect).
    name: Warn user
  - fgmid: FGM5097
    mitigates: Set security profile to prohibit bidding down to less secure service.
    name: Disable acceptance of a less secure system
  name: Bid down UE
  object-type: technique
  platforms: 5G RAN
  postconditions:
  - Description: UE is now vulnerable to 4G threats.
    Name: UE is connected to a 4G network
  preconditions:
  - Description: Adversary has procured a UE and gNB under its control, and the victim
      UE is nearby
    Name: False base station with strong signal and UE system
  procedureexamples:
  - Description: "UEs tend to attach to gNBs which have better signal condition than\
      \ the gNB the UE is currently attached. False gNB with stronger signal strength\
      \ than legitimate gNBs lures UE to connect, then sends RRC redirection message\
      \ that is not integrity protected, so that the UE can\u2019t check its legitimacy.\
      \ This RRCRelease message has the instruction for the UE to attach to a 4G cell\
      \ instead (i.e, RedirectInfo as E-UTRA Absolute Radio Frequency Channel Number\
      \ (E-ARFCN)"
    Name: False gNB redirects UE to 4G.
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [DEFCON 24 article \u201CForcing Targeted LTE Cellphone\
    \ Into Unsafe Network\u201D](https://www.scribd.com/document/350156530/forcing-targeted-lte-cellphone-into-unsafe-network)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1562
  tactics:
  - TA0005
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: OA&M
  bluf: An adversary may gain access to an operator's roaming database (IR.21), which
    can reveal the critical network assets of both the operator and its roaming partners.
  criticalassets:
  - Description: Information on the IP addresses of the mobile network nodes, along
      with those of the interconnect/roaming nodes.
    Name: Mobile network topology, interconnects.
  - Description: Hostnames and IP addresses of core network functions like subscriber
      databases and functions involved in roaming exchanges (e.g. Access and Mobility
      Function (AMF)).
    Name: IP addresses of core NFs
  description: " An adversary may gain access to an operator's roaming database (IR.21),\
    \ which can reveal the critical network assets of both the operator and its roaming\
    \ partners.\r\n\r\nInternational Mobile Network Operators (MNOs) maintain information\
    \ about their network infrastructure, roaming/interconnection configuration, and\
    \ MNO partner billing agreements. This sensitive data is in a standardized format,\
    \ under the name \u201CIR.21\u201D. GSMA (an operator forum) administers databases\
    \ of IR.21 for all international MNO and allowing all MNOs access to it. This\
    \ type of sensitive information is intended to be close held and not be publicly\
    \ accessible; however, data leaks and insider attacks have occurred, and thus\
    \ this information can be and has been used by adversaries in their discovery\
    \ tactics.\r\n\r\n"
  detections:
  - detects: Leaking this information on the Internet is obvious
    fgdsid: FGDS5008
    name: Search Internet for leaks
  - detects: Access to IR.21 file should be logged.
    fgdsid: FGDS5009
    name: Access to operator resource
  id: FGT1592.501
  mitigations:
  - fgmid: FGM5500
    mitigates: Control access to IR.21 files in GSMA. Host/application hosting this
      file should guard against such leak.
    name: Restrict access to operator OA&M resources
  name: Internal resource search
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: IP addresses of core network functions known
    Name: Discovered IP addresses
  preconditions:
  - Description: Adversary needs to access the operator databases or GSMA repositories
    Name: Access to GSMA account; in some cases, none.
  procedureexamples:
  - Description: Claro Americas, and Vivo telecom, had their IR.21 database accessible
      from an internet in 2016 (reference no longer available)
    Name: IR.21 accessible from the Internet
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT1592
  tactics:
  - TA0043
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: Control Plane, Network Slice
  bluf: An adversary may query the Network Repository Function (NRF) to discover restricted   Network
    Function (NF) services to further target that NF.
  criticalassets:
  - Description: It is possible for example to find out whether an operator provides
      services to a certain customer. Or whether a user is also part of a private
      slice e.g. DoD. There is slice isolation assurance loss with this threat.
    Name: Operator network components and services
  description: " An adversary may query the Network Repository Function (NRF) to discover\
    \ restricted Network Function (NF) services to further target that NF. \r\n\r\n\
    All active NFs in an operator network are to be securely registered with the NRF.\
    \ Part of this registration information includes the type of NF, the particular\
    \ services that NF provides, IP addresses, etc. \r\n\r\nConsumer NFs query the\
    \ NRF for Producers NFs they need to interact with, but the NRF is expected to\
    \ check that the Consumer NF is authorized to discover such Producer NFs. This\
    \ type of signaling to the NRF can be abused to identify and target one or more\
    \ NFs of interest. The NRF is expected to check discovery requests against the\
    \ sender\u2019s profile, but this is prone to misconfiguration and therefore might\
    \ not protect the restricted NF services.\r\n\r\nIn network slicing, the same\
    \ principles of NRFs apply, and service discovery is restricted per slice; however,\
    \ NFs in one slice may have a legitimate need to communicate with NFs in another\
    \ slice. If NF discovery authorization controls are not supported by the NRF,\
    \ the NF instance in one slice can discover NF instances belonging to other slices.\
    \ For example, an NF in one slice should not be inquiring about NFs in other slices,\
    \ unless it needs to communicate with them. \r\n\r\n\r\n"
  detections:
  - detects: Logging of all access requests/inquiries to NFs
    fgdsid: DS0015
    name: Application Log
  id: FGT5003
  mitigations:
  - fgmid: FGM5003
    mitigates: 'Ensure cross-layer checks at the NRF, between the certificate presented
      to it at the TLS connection setup stage and the identity and authorization requested
      presented to it at the OAuth Token request stage.

      Ensure the consumer is authorized to ask about this service.


      Authorization follows need-to-know rules, such as:

      1. an NF cannot query for NFs in other network slices

      2. an NF can only query for NFs that it needs to communicate with.'
    name: Cross check between application layer and transport layer
  - fgmid: FGM5501
    mitigates: Inspect proxy servers such as SCP (if deployed) for any suspicious
      use of access tokens such as unauthorized re-direct or replay of tokens
    name: TLS proxy/firewalls with DPI on the SBA
  name: Network Function Service Discovery
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: Information about what other services are provided by a given MNO
    Name: Unauthorized probing of network services
  preconditions:
  - Description: NRF is by design open to connections from other network functions.
      Control of another NF in the operator domain may be required.
    Name: Access to NRF
  - Description: SCP is compromised to hijack tokens.
    Name: Access to SCP
  procedureexamples:
  - Description: A malicious NF can abuse access token issued by the NRF for one slice
      to access another shared NF in a different slice. Clause H.2.2.1 of [2]
    Name: Access token abuse
  - Description: Access tokens can be hijacked by a compromised intermediate proxy
      such as SCP (if deployed by operator). This attack can be followed by re-direct
      or replay of access tokens. Clause 3.9 of [3]
    Name: Access token hijack
  references:
  - "<a name=\"1\"> \\[1\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    , October 2021](https://arxiv.org/abs/2108.11206 )"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP Technical Report 33.926, \u201CSecurity Assurance\
    \ Specification (SCAS) threats and critical assets in 3GPP network product classes\u201D\
    , Release 17.](https://www.3gpp.org/DynaReport/33926.htm )"
  - "<a name=\"3\"> \\[3\\] </a> [Internet Engineering Task Force (IETF) \u201COAuth\
    \ 2.0 Security Best Current Practice\u201D, draft-ietf-oauth-security-topics-05,\
    \ June 2022.](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0007
  typecode: fight_technique
- access-required: User or Administrative access to repository
  architecture-segment: Virtualization
  bluf: An adversary may discover Software Defined Network (SDN) flow information,
    which could then open opportunity for lateral movement and unauthorized changes
    in the network.
  criticalassets:
  - Description: Adversary may target a particular network controller, network element,
      CI/CD, security, and operations tools to manipulate SDN network flows.
    Name: SDN Controller and Network Elements, operations, and security tools
  - Description: Adversary may target configuration or network flow data
    Name: SDN Configurations file, Network flow tables
  description: " An adversary may discover Software Defined Network (SDN) flow information,\
    \ which could then be used for lateral movement and unauthorized changes in the\
    \ network.\r\n\r\nTo achieve this, an adversary must compromise an SDN element\
    \ (e.g., controller, router, switch) to forge network data and launch other attacks,\
    \ such as denial of service.  While data forging could relate to data held by\
    \ any component of an SDN (e.g., network switches, controllers and/or SDN applications),\
    \ a threat specific to SDN consists of forging requests from accessible low level\
    \ SDN controllers to upper-level ones.  This could then drive the upper level\
    \ controllers\u2019 decisions on how to redefine large parts of the network. In\
    \ the literature, this scenario has been identified as a threat related to components\
    \ in the data plane and the controller plane of any SDN network (IP-WAN, IP-LAN,\
    \ RAN, Transport).\r\n\r\n\r\n"
  detections:
  - detects: Periodically audit SDN and Network element configuration and compare
      with baseline configuration to detect unauthorized changes
    fgdsid: DS0015
    name: Application Log
  - detects: Periodically audit network flow tables to detect unauthorized changes
      to flow data
    fgdsid: DS0029
    name: Network Traffic
  - detects: Analyze logs to detect unauthorized activity
    fgdsid: FGDS5014
    name: SDN Access Logs
  id: FGT5004
  mitigations:
  - fgmid: FGM5024
    mitigates: Strong integrity protection method should be employed on APIs carrying
      control plane traffic between Controller and network element as well as controller
      and SDN application to avoid adversary in the middle threats
    name: Integrity protection of data communication
  - fgmid: FGM5090
    mitigates: Logs from SDN Controller and network elements must be corelated to
      ensure unauthorize activity is reported. Similarly, flow rules change log should
      be reviewed and reconciled with authorized changes.
    name: Log correlation
  - fgmid: FGM5091
    mitigates: Mutual authentication between the SDN controller and network elements.  The
      SDN controller and SDN application can be used to prevent unauthorized access
    name: Mutual authentication
  - fgmid: M1022
    mitigates: 'Restricted Permissions to add images to SDN Controller and Network
      Elements for person and non-person accounts.


      Restrict permissions for person and non-person accounts to prevent flow rule
      insertion or modification'
    name: Restrict File and Directory Permissions
  - fgmid: M1030
    mitigates: Physical and logical segmentation can prevent lateral movements.
    name: Network Segmentation
  - fgmid: M1041
    mitigates: Strong encryption should be used on APIs carrying control plane traffic
      between Controller and network element as well as controller and SDN application
      to avoid adversary in the middle threats
    name: Encrypt Sensitive Information
  - fgmid: M1053
    mitigates: All SDN Configurations should be backed up and periodically audited
      to see differences between running configuration and back up configurations
    name: Data Backup
  - fgmid: M1054
    mitigates: Keep baseline configurations up to date to avoid loopholes due to stale
      configuration or configuration drift.
    name: Software Configuration
  name: Network Flow Manipulation
  object-type: technique
  platforms: SDN
  postconditions:
  - Description: Network flow compromise can lead to DOS, or change the traffic pattern
      and paths.  Adversary may change the path for network sniffing or for MiTM activity.
    Name: Network flow compromise
  preconditions:
  - Description: Privileged Access to SDN controller and Network elements
    Name: Credential and Access to SDN Controller and network elements
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ENISA, \u201CThreat Landscape and Good Practice\
    \ Guide for Software Defined Networks/5G\u201D, Jan. 2016](https://www.enisa.europa.eu/publications/sdn-threat-landscape\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Scott-Hayward, S., O'Callaghan, G., & Sezer, S.\
    \ \u201CSDN Security: A Survey\u201D. 2013 IEEE SDN for Future. Networks and Services\
    \ (SDN4FNS) (pp. 1-7)](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702c553&tag=1\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,  October 2021](https://arxiv.org/abs/2108.11206 )"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0009
  - TA0007
  typecode: fight_technique
- access-required: User or Administrative access to repository
  architecture-segment: Virtualization
  bluf: An adversary may use the compromised SDN controller or Control plane API to
    modify network flow rules, or traffic management policies.
  criticalassets:
  - Description: Adversary may target a particular network controller, network element,
      CI/CD, security, and operations tools to manipulate SDN network flows.
    Name: SDN Controller and Network Elements, operations, and security tools
  - Description: Adversary may target configuration to manipulate controller and network
      element behavior
    Name: SDN controller Configuration file
  description: " An adversary may use the compromised SDN controller or Control plane\
    \ API to modify network flow rules, or traffic management policies.\r\n\r\nAn\
    \ SDN controller is a centralized control application for policy, device configuration,\
    \ and traffic flow management.  SDN controller compromise can allow an adversary\
    \ to change the traffic path for offensive or defensive evasion purposes as well\
    \ as cause denial of service to certain networks or end points.  SDN Controller\
    \ application is typically installed on a physical over virtual server and communicate\
    \ northbound to other OAM applications as well as southbound to network switches.\
    \  SDN controller acts as an Operating System for the Network in SDN architecture\
    \ and is widely deployed in data centers and wide area network connections (SD-WAN).\r\
    \n\r\n\r\n"
  detections:
  - detects: Periodically audit SDN and Network element configuration to detect unauthorized
      changes
    fgdsid: DS0015
    name: Application Log
  - detects: Periodically audit network flow tables to detect unauthorized changes
      to flow data
    fgdsid: DS0029
    name: Network Traffic
  - detects: Analyze logs to detect unauthorized activity
    fgdsid: FGDS5014
    name: SDN Access Logs
  id: FGT5004.001
  mitigations:
  - fgmid: FGM5024
    mitigates: Strong integrity protection method should be employed on APIs carrying
      control plane traffic between Controller and network element as well as controller
      and SDN application to avoid adversary in the middle threats
    name: Integrity protection of data communication
  - fgmid: FGM5090
    mitigates: Logs from SDN Controller and network elements must be corelated to
      ensure unauthorize activity is reported. Similarly flow rules change log should
      be reviewed and reconciled with authorized changes.
    name: Log correlation
  - fgmid: FGM5091
    mitigates: Mutual authentication between SDN controller and network elements,
      SDN controller and SDN application can prevent unauthorized access
    name: Mutual authentication
  - fgmid: M1022
    mitigates: 'Restricted Permissions to add application images to SDN Controller
      for person and non-person accounts.


      Restricted permissions for person and non-person accounts to prevent flow rule
      insertion or modification'
    name: Restrict File and Directory Permissions
  - fgmid: M1030
    mitigates: Physical and logical segmentation can prevent lateral movements. Segmentation
      techniques in the hosts and network will reduce the chances of lateral movement
      to the control.
    name: Network Segmentation
  - fgmid: M1041
    mitigates: Strong encryption should be used on APIs carrying control plane traffic
      between Controller and network element as well as controller and SDN application
      to avoid adversary in the middle threats
    name: Encrypt Sensitive Information
  - fgmid: M1053
    mitigates: SDN controller configurations should be backed up and periodically
      audited to see differences between running configuration and back up configurations
    name: Data Backup
  - fgmid: M1054
    mitigates: Keep baseline configuration up to date to avoid loopholes due to stale
      configuration or configuration drift.
    name: Software Configuration
  name: 'Controller '
  object-type: technique
  platforms: SDN Controller
  postconditions:
  - Description: Network flow compromise can lead to DOS, or change the traffic pattern
      and paths.  Adversary may change the path for network sniffing or for MiTM activity.
    Name: Network flow compromise
  preconditions:
  - Description: Privileged Access to SDN controller via direct login or through SDN
      control plane APIs
    Name: Credential and Access to SDN Controller
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ENISA, \u201CThreat Landscape and Good Practice\
    \ Guide for Software Defined Networks/5G\u201D, Jan. 2016](https://www.enisa.europa.eu/publications/sdn-threat-landscape\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Scott-Hayward, S., O'Callaghan, G., & Sezer, S.\
    \ \u201CSDN Security: A Survey\u201D. 2013 IEEE SDN for Future. Networks and Services\
    \ (SDN4FNS) (pp. 1-7)](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702553&tag=1\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    , October 2021](https://arxiv.org/abs/2108.11206 )"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5004
  tactics:
  - TA0009
  - TA0007
  typecode: fight_subtechnique
- access-required: User or Administrative access to repository
  architecture-segment: Virtualization
  bluf: An adversary may compromise a vSwitch in an SDN network to manipulate the
    network traffic  or cause denial of service
  criticalassets:
  - Description: Adversary may target a particular network controller, network element,
      CI/CD, security, and operations tools to manipulate SDN network flows in a vSwitch
    Name: SDN vSwitch, operations, and security tools
  - Description: Adversary may target configuration to manipulate vSwitch and network
      behavior
    Name: SDN vSwitch Configuration file
  - Description: Network flows are stored in Network Flow tables, usually refer to
      as route or switch tables that vSwitch uses to decide which packet forwarding
      port to use for incoming packets
    Name: SDN vSwitch flow table
  description: " An adversary may compromise a vSwitch in an SDN network to manipulate\
    \ the network traffic or cause denial of service\r\n\r\nAn SDN vSwitch is like\
    \ a layer 2 switch that connects devices to the network and performs packet forwarding\
    \ between the switch ports. This threat involves compromising an SDN vSwitch (an\
    \ SDN device responsible for packet/data switching between different ingress and\
    \ egress ports) to forge network data and launch other attacks (e.g., DoS). Adversary\
    \ may target vSwitch configuration or directly manipulate network flow tables\
    \ in memory to drive their decisions on how to redefine large parts of the network.\
    \ \r\n\r\n\r\n"
  detections:
  - detects: Periodically audit SDN and Network element configuration and compare
      with baseline configuration to detect unauthorized changes
    fgdsid: DS0015
    name: Application Log
  - detects: Periodically audit network flow tables to detect unauthorized changes
      to flow data
    fgdsid: DS0029
    name: Network Traffic
  - detects: Analyze logs to detect unauthorized activity
    fgdsid: FGDS5014
    name: SDN Access Logs
  id: FGT5004.002
  mitigations:
  - fgmid: FGM5024
    mitigates: Strong integrity protection method should be employed on APIs carrying
      control plane traffic between Controller and network element as well as controller
      and vSwitch to avoid adversary in the middle threats
    name: Integrity protection of data communication
  - fgmid: FGM5090
    mitigates: Logs from SDN Controller and network elements must be correlated to
      ensure unauthorized activity is reported. Similarly flow rules change log should
      be reviewed and reconciled with authorized changes.
    name: Log correlation
  - fgmid: FGM5091
    mitigates: Mutual authentication between SDN controller and vSwitch can prevent
      unauthorized access
    name: Mutual authentication
  - fgmid: M1022
    mitigates: 'Restricted Permissions to add application images to SDN vSwitch for
      person and non-person accounts.


      Restricted permissions for person and non-person accounts to prevent flow rule
      insertion or modification directly on the vSwitch'
    name: Restrict File and Directory Permissions
  - fgmid: M1030
    mitigates: Physical and logical segmentation can prevent lateral movements. Segmentation
      techniques in the hosts and network will reduce the chances of lateral movement
      to the control.
    name: Network Segmentation
  - fgmid: M1041
    mitigates: Strong encryption should be used on APIs carrying control plane traffic
      between Controller and network element as well as controller and vSwitch to
      avoid adversary in the middle threats
    name: Encrypt Sensitive Information
  - fgmid: M1053
    mitigates: SDN vSwitch configurations should be backed up and periodically audited
      to see differences between running configuration and back up configurations
    name: Data Backup
  - fgmid: M1054
    mitigates: Keep baseline configuration up to date to avoid loopholes due to stale
      configuration or configuration drift.
    name: Software Configuration
  name: vSwitch
  object-type: technique
  platforms: SDN vSwitch, Network Element
  postconditions:
  - Description: Network flow compromise can lead to DOS or change the traffic pattern
      and paths.  Adversary may change the path for network sniffing or for AiTM activity.
    Name: Network flow compromise
  preconditions:
  - Description: Privileged Access to SDN vSwitch via direct login or through SDN
      control plane APIs
    Name: Credential and Access to SDN vSwitch
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ENISA, \u201CThreat Landscape and Good Practice\
    \ Guide for Software Defined Networks/5G\u201D, Jan. 2016](https://www.enisa.europa.eu/publications/sdn-threat-landscape\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Scott-Hayward, S., O'Callaghan, G., & Sezer, S.\
    \ \u201CSDN Security: A Survey\u201D. 2013 IEEE SDN for Future. Networks and Services\
    \ (SDN4FNS) (pp. 1-7)](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702553&tag=1\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    , October 2021](https://arxiv.org/abs/2108.11206 )"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5004
  tactics:
  - TA0009
  - TA0007
  typecode: fight_subtechnique
- access-required: User or Administrative access to repository
  architecture-segment: OA&M, Virtualization
  bluf: Adversaries may bridge network boundaries by modifying a network device's
    Virtual Network Function Configuration.
  criticalassets:
  - Description: Adversary may target a particular network controller, network element,
      CI/CD, security to manipulate VNF behavior
    Name: VNF orchestrators/managers
  - Description: Adversary may target particular operations tools to manipulate VNF
      behavior
    Name: VNF operations tools
  - Description: Adversary may target particular security tools to manipulate VNF
      behavior
    Name: VNF security tools
  - Description: Adversary may target configuration in the VNF, stored in backups,
      or part of the code
    Name: VNF Configuration file
  description: " Adversaries may bridge network boundaries by modifying a Virtual\
    \ Network Function\u2019s Configuration.\r\n\r\nAny VNF that serves as a Middlebox\
    \ or Proxy can be targeted by adversary for configuration exploits (Network Address\
    \ Translation (NAT), Gateways, Security Edge Protection Proxies (SEPPs), IP Exchange\
    \ (IPXs) entities). Configuration stored on the device determines the device behavior\
    \ for middle boxes such as NAT or application GWs.  Start up and run time configuration\
    \ data can be manipulated for nefarious purposes.  SDN VNF unauthorized configuration\
    \ changes can lead modified 5G traffic flows and may bridge otherwise isolated\
    \ slices. \r\n\r\n"
  detections:
  - detects: Image life cycle and runtime events
    fgdsid: DS0007
    name: Image
  - detects: Audit configuration - Periodically audit VNF configuration to detect
      unauthorized changes
    fgdsid: DS0015
    name: Application Log
  - detects: Access Logs - Analyze logs to detect unauthorized activity to VNF and
      other tools used in lifecycle management and security of the VNF
    fgdsid: DS0028
    name: Logon Session
  - detects: Audit network flow - Audit network flows to VNF and other tools used
      in lifecycle management and security of the VNF
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5039
  mitigations:
  - fgmid: M1033
    mitigates: VNF Access Rights -Restricted Permissions to add images to VNFs (Network
      Element) for person and non-person accounts
    name: Limit Software Installation
  - fgmid: M1047
    mitigates: Logs from VNFs must be corelated with other OA&M and Security monitoring
      tools to ensure unauthorize activity is reported. SEIM like system should be
      deployed to correlate events.
    name: Audit
  - fgmid: M1053
    mitigates: Configuration back ups -All VNF Configurations should be backed up
      and periodically audited to see differences between running configuration and
      back up configurations as well as comparison between configuration catalogue
      and running instance
    name: Data Backup
  name: Manipulate Virtual Network Function (VNF) Configuration
  object-type: technique
  platforms: SDN vSwitch, Network Element
  postconditions:
  - Description: VNF compromise can lead to DOS or change in the traffic pattern and
      paths.
    Name: Unexpected and unusual VNF behavior
  preconditions:
  - Description: Privileged Access to VNF or VNF managers via direct login or through
      Control Plane APIs
    Name: Credential and Access
  procedureexamples:
  - Description: Active configuration changes can be made when direct access to VNF
      or its element managers is available
    Name: Active configuration changes
  - Description: Configuration as a code repository or back up configuration store
      can be manipulated to cause an NF to take compromised configuration upon reboot
      or re-instantiation
    Name: Stored or Coded configuration
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0005
  typecode: fight_technique
- addendums:
  - "#### Addendum Name: VM and Container Breakout\r\n##### Architecture Segments:\
    \ Virtualization, OA&M\r\n Adversary may be able to break out of VM/Container\
    \ to host to compromise co-resident tenant VM/Container for discovery and exfiltration\
    \ and host-based privilege escalation.  \r\n\r\nVM guest OS may escapes from its\
    \ VM encapsulation to interact directly with the hypervisor. This gives the adversary\
    \ access to all VMs and, if guest privileges are high enough, the host machine\
    \ as well. Although few if any instances are known, experts consider VM escape\
    \ to be the most serious threat to VM security.\r\n\r\nSimilarly, a container\
    \ may also create privileged access to Host file system or execution environment.\r\
    \n\r\n5G deployments may include PNFs as well as VNFs.  VNFs may be deployed over\
    \ Type1 or Type2 VMs or as Containers over guest OS, or over a VM.  Examples of\
    \ 5G functions deployed as CNF due to scaling requirements may include 5G Core\
    \ capabilities of AMF, SMF, UPF and RAN Capabilities of CU, DU, RIC, x-Apps, r-Apps.\
    \  A container or VM escape can expose control and user plane traffic as well\
    \ as credentials to allow adversary to further carry out attacks on the network.\r\
    \n\r\n"
  architecture-segment: Virtualization, OA&M
  bluf: Adversaries may break out of a container to gain access to the underlying
    host.
  criticalassets:
  - Description: Any capabilities deployed as VNF or CNF
    Name: VNF, CNF
  - Description: Host OS, VM host server becomes a bridging device between tenant
      VMs and Containers if compromised
    Name: VM, Contianer host
  - Description: In addition to application data exposure, credential exposure is
      usually a key target for adversary to open the doors for many other exploits.
    Name: Credentials
  description: "Adversaries may break out of a container to gain access to the underlying\
    \ host.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1611)\r\
    \n"
  detections:
  - detects: Monitor process creation and OS API execution activity.
    fgdsid: DS0009
    name: Process
  - detects: Monitor for the deployment of suspicious or unknown container images
      and pods in your environment, particularly containers running as root.
    fgdsid: DS0032
    name: Container
  - detects: Monitor cluster-level (Kubernetes) data and events associated with changing
      containers' volume configurations.
    fgdsid: DS0034
    name: Volume
  id: FGT1611
  mitigations:
  - fgmid: M1026
    mitigates: 'Rootless containers: Ensure containers are not running as root by
      default. In Kubernetes environments, consider defining a Pod Security Policy
      that prevents pods from running privileged containers.'
    name: Privileged Account Management
  - fgmid: M1038
    mitigates: Use read-only containers, read-only file systems, and minimal images
      when possible, to prevent the running of commands.
    name: Execution Prevention
  - fgmid: M1048
    mitigates: Consider utilizing seccomp, seccomp-bpf, or a similar solution that
      restricts certain system calls such as mount. In Kubernetes environments, consider
      defining a Pod Security Policy that limits container access to host process
      namespaces, the host network, and the host file system
    name: Application Isolation and Sandboxing
  name: Escape to Host
  object-type: technique
  platforms: Windows, Linux, MacOS
  procedureexamples:
  - Description: Container was configured to bind to the host root directory
    Name: S0600
  - Description: Hildegard used the BOtB tool that can break out of Container
    Name: S0601
  - Description: "Peirates\_can gain a reverse shell on a host node by mounting the\
      \ Kubernetes hostPath."
    Name: S0683
  - Description: "Siliscape maps the hosts\u2019s C drive to the contianer by creating\
      \ a global symbolic link of NtSetInformationSymbolicLink"
    Name: S0623
  - Description: TeamTNT has deployed privileged containers that mount the filesystem
      of victim machine
    Name: G0139
  references:
  - <a name="1"> \[1\] </a> [ETSI NFV SEC023, Container security spec (WIP) v004.](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC023_Container_Security_Spec)
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,  October 2021](https://arxiv.org/abs/2108.11206 )"
  - "<a name=\"3\"> \\[3\\] </a> [Github, \u201CAwesome VM exploit\u201D](https://github.com/WinMin/awesome-vm-exploit\
    \ )"
  - <a name="4"> \[4\] </a> [Project Zero](https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html
    )
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0008
  - TA0004
  typecode: attack_technique_addendum
- access-required: Administrative access, Access to install scraper malware
  architecture-segment: Virtualization
  bluf: An adversary may be able to read memory registers to discover privileged information
    such as local password comparison, encryption key etc.
  criticalassets:
  - Description: Adversary may target a particular network controller, network element,
      CI/CD, security, and operations tools to collect data
    Name: SDN controller and network elements (or any target host)
  - Description: Adversary may target configuration or network flow data
    Name: SDN configurations file, Network flow tables
  description: " An adversary may be able to read memory registers to discover privileged\
    \ information such as local password comparison, encryption key etc.\r\n\r\nAn\
    \ adversary can achieve this by scanning the physical memory used by a given software\
    \ program.  This will give the adversary access to any information that the program\
    \ has access to, which could be sensitive. While memory scraping can affect components\
    \ of any layer of the network, this type of threat has been primarily a focus\
    \ of SDN application servers where the adversary can have greater advantage, if\
    \ successful, in discovering sensitive information (credentials such as token\
    \ and keys). \r\n\r\nAdversaries may use memory scraping to target different components\
    \ of the core network, a core dump of an SDN controller (e.g. as the result of\
    \ malicious software) can be used to exploit private data. Once successfully performed,\
    \ memory scraping can be used to extract sensitive SDN data (e.g. flow rules at\
    \ the northbound API).[2]\r\n\r\n"
  detections:
  - detects: Analyze logs to detect unauthorized activity
    fgdsid: DS0015
    name: Application Log
  - detects: All inbound and outbound connections should be audited for unauthorized
      activity
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5005
  mitigations:
  - fgmid: FGM5090
    mitigates: Logs from SDN controller and network elements must be correlated to
      ensure unauthorize activity (file transfer, patch installs, process init) is
      reported.
    name: Log correlation
  - fgmid: M1033
    mitigates: Restrict permissions to add software to SDN controller and network
      elements for person and non-person accounts
    name: Limit Software Installation
  - fgmid: M1047
    mitigates: SDN controllers and network elements scanned for file changes and processes.
    name: Audit
  name: Memory Scraping
  object-type: technique
  platforms: SDN, Hosts
  preconditions:
  - Description: Privileged access to SDN controller and network elements to transfer
      and install malware to the target host.
    Name: Credential and access to SDN controller and network elements
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, section 6.2, December\
    \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [ENISA, \u201CThreat Landscape and Good Practice\
    \ Guide for Software Defined Networks/5G\u201D, Jan. 2016](https://www.enisa.europa.eu/publications/sdn-threat-landscape\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [ETSI GS NFV-SEC 009 V1.1.1, \u201CNFV Security:\n\
    Report on use cases and technical approaches for multi-layer host administration\u201D\
    , December 2015](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/009/01.01.01_60/gs_nfv-sec009v010101p.pdf\
    \ )"
  - "<a name=\"4\"> \\[4\\] </a> [N. Huq, \u201CPoS RAM Scraper Malware: Past, Present,\
    \ and Future,\u201D Trend Micro, accessed May 25, 2023](https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf\
    \ )"
  - "<a name=\"5\"> \\[5\\] </a> [J. Hizver, \u201CTaxonomic Modeling of Security\
    \ Threats in Software Defined Networking\u201D, Blackhat Conference, Aug. 2015](https://www.blackhat.com/docs/us-15/materials/us-15-Hizver-Taxonomic-Modeling-Of-Security-Threats-In-Software-Defined-Networking-wp.pdf\
    \ )"
  - "<a name=\"6\"> \\[6\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    , October 2021](https://arxiv.org/abs/2108.11206 )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA0009
  typecode: fight_technique
- access-required: NF Service Account credentials
  addendums:
  - "#### Addendum Name: Control plane signaling disguise for C2\r\n##### Architecture\
    \ Segments: Control Plane\r\n An adversary may use Control Plane signaling between\
    \ Network Functions (NFs) of the Service Based Architecture to disguise adversary\u2019\
    s C2 communication.\r\n\r\nThe 5G NFs may implement TLS and HTTP/2 for their communications\
    \ (e.g. via Service Based Interfaces), which means the traffic will be encrypted.\
    \ This type of communication between authorized NFs may be used to avoid detection\
    \ by using legitimate protocols and port numbers and encrypting that data. Encryption\
    \ makes it difficult to employ detection techniques to identify suspicious traffic\
    \ patterns. In addition, HTTP/2 optional parameters may be used to communicate\
    \ between a core NF and an external application function via NEF   or between\
    \ an NF in visited PLMN and an NF in home PLMN via SEPP.\r\nIn the same fashion,\
    \ an adversary may use encrypted channels between authenticated NFs to disguise\
    \ C2 communication.\r\n\r\n"
  architecture-segment: Control Plane
  bluf: Adversaries may communicate using application layer protocols to avoid detection/network
    filtering by blending in with existing traffic.
  criticalassets:
  - Description: IP addresses. FQDNs and TLS connections of core NFs are used for
      nefarious purposes
    Name: Operator resource identifiers and signaling
  description: "Adversaries may communicate using application layer protocols to avoid\
    \ detection/network filtering by blending in with existing traffic.\r\n[To read\
    \ more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1437)\r\
    \n"
  detections: []
  id: FGT1437
  mitigations:
  - fgmid: FGM5501
    mitigates: "Employ TLS proxies with DPI firewalls. TLS proxy/firewall can employ\
      \ DPI to decrypt the packets and send them off to their destination, but only\
      \ after logging what the packet contains. \nThe firewalls/proxies connect to\
      \ a SIEM whose data is being kept up to date with current threats. Service communication\
      \ proxy (SCP) can be also used for this purpose."
    name: TLS proxy/firewalls with DPI on the SBA
  name: Application Layer Protocol
  object-type: technique
  platforms: 5G Network
  procedureexamples:
  - Description: 'The signaling AF to NEF to UDM and back from UDM to NEF to AF is
      used in several procedures [1]. Example: NIDD (non-IP data delivery) (see clause
      4.25 of [2]), or VN (Virtual Network) group management. See clause 4.15.6 of
      [2].'
    Name: Third party app (AF) to Network Exposure Function (NEF) to Core NF used
      as a data exfiltration channel
  - Description: AMF in vPLMN communicates to AUSF in hPLMN during UE authentication.
      This channel can be used to disguise C2 communication.
    Name: An NF in vPLMN to an NF in hPLMN via SEPP
  references:
  - "<a name=\"1\"> \\[1\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    , October 2021](https://arxiv.org/abs/2108.11206 )"
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP) TS 23.502,\
    \ \u201CProcedures for the 5G System (5GS); Stage 2 (Release 17)\u201D, Technical\
    \ Specification, v17.4.0, March 2022.](https://www.3gpp.org/DynaReport/23502.htm)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0011
  typecode: attack_technique_addendum
- access-required: Administrative access
  addendums:
  - "#### Addendum Name: Infrastructure local account\r\n##### Architecture Segments:\
    \ OA&M\r\n An adversary may use local administrative privileges to bypass network\
    \ controls responsible for access controls and software to achieve persistence.\
    \  \r\n\r\nIn a 5G deployment, unmanned locations or low security sites may be\
    \ exposed to adversary using local communication, auxiliary or serial interfaces\
    \ to gain access to device using device local account. \r\n\r\nAn adversary with\
    \ a legitimate or compromised local network operator administrative account may\
    \ perform unauthorized administration of devices and systems.  Some devices always\
    \ maintain local accounts in addition to networked IDAM/ICAM.  Unauthorized administration\
    \ of devices and systems can be done using these local administrative accounts.\
    \ \r\n\r\n"
  architecture-segment: OA&M
  bluf: Adversaries may obtain and abuse credentials of a local account as a means
    of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
  criticalassets:
  - Description: Any 5G, Network, OSS and Security capability deployed as PNF supporting
      local accounts
    Name: Physical Network Functions
  - Description: Any Virtualization and Network host supporting local account
    Name: Infrastructure servers
  description: "Adversaries may obtain and abuse credentials of a local account as\
    \ a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense\
    \ Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1078/003)\r\
    \n"
  detections:
  - detects: User Account authentication
    fgdsid: DS0002
    name: User Account
  - detects: Logon session
    fgdsid: DS0028
    name: Logon Session
  id: FGT1078.003
  mitigations:
  - fgmid: M1026
    mitigates: Privileged account management
    name: Privileged Account Management
  - fgmid: M1027
    mitigates: Passwords Policies to ensure secure local accounts across all devices
      that necessitate local accounts
    name: Password Policies
  name: Local Accounts
  object-type: technique
  platforms: Infrastructure, PNF
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ENISA \u201CThreat Landscape and Good Practice Guide\
    \ for Software Defined Networks/5G\u201D, Jan. 2016, Table 1, and 2](https://www.enisa.europa.eu/publications/sdn-threat-landscape)"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,\_ October 2021](https://arxiv.org/abs/2108.11206\_\_)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1078
  tactics:
  - TA0003
  typecode: attack_subtechnique_addendum
- access-required: Administrative access
  addendums:
  - "#### Addendum Name: Unauthorized software in NFVI\r\n##### Architecture Segments:\
    \ Virtualization, OA&M\r\n An adversary may implant rootkits in the Network Function\
    \ Virtualization Infrastructure (NFVI) that will hide the presence of programs,\
    \ files, network connections, services, drivers, and other system components.\r\
    \n\r\nRootkits are a special type of malware designed to remain hidden on a target\
    \ computer. These Rootkits can be created for hardware and firmware for CMOS and\
    \ other chips, Kernel, Memory, and Applications. \r\n\r\nAdversaries may implant\
    \ rootkits during device manufacturing process, use compromised CI/CD pipeline,\
    \ direct access to device to implant rootkits in the Cloud, MEC, RAN, UE components.\r\
    \n\r\nAdversaries may use rootkit compromise for other actions such as credential\
    \ dumping, configuration changes, or attack other components in the network. Rootkits\
    \ are hard to detect and may not be easily identified by end point protection\
    \ software.  Host suspected of rootkit infection may need to be quarantined and\
    \ rebuilt from scratch with known good software.\r\n\r\n"
  architecture-segment: Virtualization, OA&M
  bluf: Adversaries may use rootkits to hide the presence of programs, files, network
    connections, services, drivers, and other system components.
  criticalassets:
  - Description: NFVI components that support virtualization and network connecting
      the virtual functions.
    Name: Physical, Virtual, and cloud native functions
  - Description: Any compute entity that supports data processing functions, including
      Linux/Windows hosts, VMs, and or specialty equipment that has address and interacts
      with other NFVI elements.
    Name: Hosts
  description: "Adversaries may use rootkits to hide the presence of programs, files,\
    \ network connections, services, drivers, and other system components.\r\n[To\
    \ read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1014)\r\
    \n"
  detections:
  - detects: Software image inconsistency. Signature and checksum mismatch
    fgdsid: DS0007
    name: Image
  - detects: Kernel executing unknown processes or unauthorized processes not typical
      of the host.
    fgdsid: DS0008
    name: Kernel
  - detects: Active processes or process log may reveal unauthorized activity due
      to rootkits
    fgdsid: DS0009
    name: Process
  - detects: Background services not typically associated with the host
    fgdsid: DS0019
    name: Service
  - detects: File changes of any sort that cannot be traced back to authorized change.
    fgdsid: DS0022
    name: File
  - detects: Network traffic pattern may reveal remote C2 communication from rootkit
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1014
  mitigations:
  - fgmid: M1018
    mitigates: User Account Management
    name: User Account Management
  - fgmid: M1045
    mitigates: Code Signing
    name: Code Signing
  - fgmid: M1046
    mitigates: Boot integrity
    name: Boot Integrity
  - fgmid: M1047
    mitigates: System audits can reveal anomalous behavior that may be caused by rootkits.
    name: Audit
  - fgmid: M1051
    mitigates: Update Software
    name: Update Software
  name: Rootkit
  object-type: technique
  platforms: Infrastructure, PNF, VNF Hosts
  references:
  - <a name="1"> \[1\] </a> [ETSI NFV SEC025, Secure E2E VNF & NS management spec
    (WIP) v006, retrieved April 26, 2021](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_%26_NS_management)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0005
  typecode: attack_technique_addendum
- access-required: Administrative access
  architecture-segment: Virtualization, OA&M
  bluf: An adversary may implant malware in the Network Function Virtualization Infrastructure
    (NFVI) that will load during the pre-boot sequence to achieve persistence.
  criticalassets:
  - Description: Any network functions within NFVI sphere of responsibility
    Name: Physical, Virtual, and Cloud Native Functions
  - Description: Any hosts in NFVI within 5G security zone or in CI/CD pipeline, security
      and OSS tools
    Name: Hosts
  description: " An adversary may implant malware in the Network Function Virtualization\
    \ Infrastructure (NFVI) that will load during the pre-boot sequence to achieve\
    \ persistence.\r\n\r\nAn adversary may implant unauthorized software in the NFVI\
    \ to persist in the boot sequence or launch malicious software. 5G VNF deployments\
    \ rely on underlying NFVI (Kubernetes, Openstack) resources and do not offer any\
    \ checks of their own to validate resources.  Possibilities exist to add malware\
    \ in deployment pipelines, image building and storage process and thru add on\
    \ tools.  Unless Hardware Mediated Execution Environment (HMEE) is used to validate\
    \ host resources, malware inserted during boot process may not be easily detected.\
    \  \r\n\r\n"
  detections:
  - detects: Software image inconsistency.  Signature and checksum mismatch
    fgdsid: DS0007
    name: Image
  - detects: Kernel executing unknow processes or unauthorized processes not typical
      of the host.
    fgdsid: DS0008
    name: Kernel
  - detects: Active processes or process log may reveal unauthorized activity due
      to rootkits
    fgdsid: DS0009
    name: Process
  - detects: Degraded performance; system may have reboots, or unexpected performance
      degradation, may be slow to respond to inputs.
    fgdsid: DS0013
    name: Sensor Health
  - detects: Background services not typically associated with the host
    fgdsid: DS0019
    name: Service
  - detects: File changes of any sort that cannot be traced back to authorized change.
    fgdsid: DS0022
    name: File
  - detects: Network traffic pattern may reveal remote C2 communication from rootkit
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1542.501
  mitigations:
  - fgmid: M1018
    mitigates: User Account Management, active monitoring of access attempts to CI/CD
      tools
    name: User Account Management
  - fgmid: M1045
    mitigates: Code Signing of all 5G NF and infra node software
    name: Code Signing
  - fgmid: M1046
    mitigates: Boot integrity, TPM and remote attestation
    name: Boot Integrity
  - fgmid: M1047
    mitigates: System audits can reveal anomalous behavior that may be caused by rootkits.  Audits
      of software repositories
    name: Audit
  - fgmid: M1051
    mitigates: Update Software for 5G NF and infra node software
    name: Update Software
  name: Unauthorized software in NFVI
  object-type: technique
  platforms: Infrastructure, PNF, VNF Hosts
  references:
  - <a name="1"> \[1\] </a> [ETSI NFV SEC025, Secure E2E VNF & NS management spec
    (WIP) v006, retrieved April 26, 2021](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_%26_NS_management)
  status: This is a theoretical behavior
  subtechnique-of: FGT1542
  tactics:
  - TA0003
  - TA0005
  typecode: fight_subtechnique_to_attack_technique
- access-required: 'Radio access, '
  addendums:
  - "#### Addendum Name: Base station flood with fictitious access requests\r\n#####\
    \ Architecture Segments: Control Plane\r\n An adversary may transmit an overwhelming\
    \ number of access requests to a gNB to degrade the ability of legitimate UE to\
    \ obtain access.\r\n\r\nAn adversary transmits large number of access requests\
    \ over Random Access CHannel (RACH) to degrade the ability of legitimate UE to\
    \ obtain access from the gNB. May be done via a compromised UE or a fake UE.\r\
    \n\r\n\r\n"
  - "#### Addendum Name: UDM DOS via SUCI replay\r\n##### Architecture Segments: Control\
    \ Plane\r\n An adversary may use a device (user or base station) to replay registration\
    \ requests with valid a Subscription Concealed Identifier (SUCI) in order to degrade\
    \ the availability of UDM to other device users.\r\n\r\nAn adversary may intercept\
    \ a legitimate SUCI sent by a legitimate device to a base station. The adversary\
    \ can then replay this SUCI in a registration request towards the network many\
    \ times, possibly from a fake base station or UE being used to send to the core\
    \ network.  This will cause the core network function in charge of deconcealment\
    \ of the SUCI, namely the UDM-SIDF (Unified Data Management - Subscription Identifier\
    \ De-Concealing Function), to work on this computationally intensive asymmetric\
    \ cryptographic operation. A Denial of Service attack on the UDM can cause the\
    \ available processing power of the UDM to decrease and thus impact its ability\
    \ to respond to the requests of legitimate UEs.\r\n\r\n"
  architecture-segment: Control Plane
  bluf: Adversaries may target the different network services provided by systems
    to conduct a denial of service (DoS).
  criticalassets:
  - Description: Adversary targets access requests in Random Access CHannel (RACH)
    Name: RACH
  - Description: UDM/SIDF resources are used for de-concealment of SUCI sent by legitimate
      UEs
    Name: UDM/SIDF resources
  description: "Adversaries may target the different network services provided by\
    \ systems to conduct a denial of service (DoS).\r\n[To read more, please see the\
    \ MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1499/002)\r\
    \n"
  detections:
  - detects: Excessive number of access requests received at gNB.
    fgdsid: FGDS5007
    name: UE access requests
  - detects: Excessive number of SUCI containing requests received at the AMF. UDM
      slow response
    fgdsid: FGDS5007
    name: UE access requests
  id: FGT1499.002
  mitigations:
  - fgmid: FGM5021
    mitigates: Increase RACH resources.
    name: Increase RACH (Random Access CHannel resources)
  - fgmid: FGM5499
    mitigates: Rate limiting of incoming messages at NFs. The Security Anchor Function
      (SEAF) or the Authentication Server Function (AUSF), which are NFs upstream
      from SIDF, can apply rate limiting if they receive the same SUCI multiple times
      within a short period.
    name: Rate limiting by producer NF
  name: Service Exhaustion Flood
  object-type: technique
  platforms: 5G RAN, 5G
  postconditions:
  - Description: Legitimate UEs have low probability of successfully requesting access
    Name: Less service for legitimate UEs
  - Description: Legitimate UEs have low probability of successfully obtaining access
    Name: Less service for legitimate UEs
  preconditions:
  - Description: Adversary must be able to transmit to gNB with sufficient power to
      be received.
    Name: Transmit to gNB with sufficient power to succeed in flooding.
  - Description: Access to fake Base Station or fake UE to replay SUCI
    Name: Acquire base station or UE
  procedureexamples:
  - Description: Adversary transmits an overwhelming number of access requests over
      Random Access CHannel (RACH) to degrade the ability of legitimate UE to obtain
      access. May be done via a compromised UE or a SDR running OAI-5G modified software.
    Name: ' Access request flooding'
  - Description: 'SUCI is replayed by fake or compromised UE or gNB to the network.


      UDM needs to process repeated SUCI messages from the same UE which will eventually
      drain resources of UDM and cause DoS attack on legitimate UE. Sections 5.2.2.1.2
      & 5.2.2.2.2 of [1]'
    Name: SUCI replay
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"1\"> \\[1\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.846:\
    \ \u201CStudy on Authentication Enhancements in the 5G System\u201D, Technical\
    \ Report, v17.0.0, Dec. 2021.](https://www.3gpp.org/DynaReport/33846.htm )"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1499
  tactics:
  - TA0040
  typecode: attack_subtechnique_addendum
- access-required: admin
  architecture-segment: OA&M, Control Plane
  bluf: 'An adversary, such as an insider to the MNO or vendor, could install a malicious
    NF into the core network, in order to launch other attacks or get access to information. '
  criticalassets:
  - Description: Network services provided to UEs.
    Name: Network services
  description: " An adversary, such as an insider to the MNO or vendor, may install\
    \ a malicious NF into the core network, in order to launch other attacks or get\
    \ access to information. \r\n\r\nAn adversary could introduce an unauthorized\
    \ network function (NF) or function embedding trojan malware in the service base\
    \ architecture (SBA) by registering it in the NRF, in order to exploit other APIs.\
    \ A clone of a legitimate NF can also be used to register itself in the NRF. The\
    \ new NF can be deployed as a PNF, cloud VNF or containerized NF. This adversary\
    \ could be an insider (to the MNO) or a vendor or service provider. By having\
    \ an unauthorized network function installed or activated, an adversary may gain\
    \ access to resources in the network to perform other type of attacks such as\
    \ Denial of Service, the distribution of malicious software, or obtaining sensitive\
    \ information.\r\n\r\n\r\n"
  detections:
  - detects: Monitor application logs of core NFs.
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor for newly constructed containers that may deploy a container
      into an environment to facilitate execution or evade defenses.
    fgdsid: DS0032
    name: Container
  id: FGT5007
  mitigations:
  - fgmid: FGM5023
    mitigates: Cross check newly registered NFs. Out of band mechanism for cross checking
      new NFs that are registered in NRF are as expected by network administrator.
      NRF may use additional OAuth2.0 token information.
    name: Periodic Authentication & Authorization of NFs
  - fgmid: M1018
    mitigates: Enforce the principle of least privilege by limiting container dashboard
      access to only the necessary users.
    name: User Account Management
  - fgmid: M1030
    mitigates: Deny direct remote access to internal systems through the use of network
      proxies, gateways, and firewalls.
    name: Network Segmentation
  name: Registration of malicious network functions
  object-type: technique
  platforms: 5G
  procedureexamples:
  - Description: 'Rogue or cloned NF calls Nnrf_NF Management API to register one
      of these functions: AMF, SMF, UDM, AUSF, NEF, PCF, SMSF, NSSF, UPF, etc. Clause
      5.2.7 of [3]'
    Name: Unauthorized use of API
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, November 2019.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [3rd Generation Partnership Project (3GPP) TS 23.502,\
    \ \u201CProcedures for the 5G System (5GS); Stage 2 (Release 17)\u201D, Technical\
    \ Specification, v17.4.0, March 2022.](https://www.3gpp.org/DynaReport/23502.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0002
  typecode: fight_technique
- architecture-segment: RAN, O-RAN
  bluf: An adversary transmits radio signals to degrade reception and demodulation
    of signals to the UE or gNB/eNB.
  criticalassets:
  - Description: UE and gNB basic operations.
    Name: Radio receivers at base station and user equipment
  description: " An adversary transmits radio signals to degrade reception and demodulation\
    \ of signals to the UE or gNB/eNB. \r\n\r\nConsists of numerous methods, including\
    \ noise jamming, generating false synchronization signals, and replaying modified\
    \ portions of legitimate signals to degrade demodulation. Jamming in 5G (NR) is\
    \ different from 3G and similar to 4G, but at high level the same principles are\
    \ applied. This technique is similar to the ATT&CK for Mobile technique T1464.\r\
    \n\r\n\r\n"
  detections:
  - detects: Identify source and location of jammer.
    fgdsid: FGDS5001
    name: RF Spectrum Monitor
  id: FGT5035
  mitigations:
  - fgmid: FGM5001
    mitigates: Disable jamming source.
    name: Disable malicious transmitter
  - fgmid: FGM5099
    mitigates: Move user equipment closer to base station to overpower jamming signal.
    name: Move UE close to gNB
  - fgmid: FGM5100
    mitigates: Increase height of User Equipment to avoid jamming signal.
    name: Raise height of UE
  name: Radio Jamming
  object-type: technique
  platforms: 5G radio access
  procedureexamples:
  - Description: Jammer device is used to perform noise jamming of the radio interface,
      See [1].
    Name: Noise jamming via jammer device
  - Description: 'Rogue UE sends fake uplink synchronization signals to the gNB:


      Sounding Reference Signal (SRS)


      Phase Tracking Reference Signal (PTRS)


      Demodulation Reference Signal (DMRS)'
    Name: False synchronization signals
  - Description: Fake base station replays modified portions of legitimate signals
      from gNB or towards gNB.
    Name: Replay legitimate signals
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Y. Arjoune and S. Faruque, \u201CSmart Jamming Attacks\
    \ in 5G New Radio: A Review\u201D (2020), 10th Annual Computing and Communication\
    \ Workshop and Conference (CCWC)](https://ieeexplore.ieee.org/abstract/document/9031175/\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [Lichtman, et al. \u201C5G NR Jamming, Spoofing,\
    \ and Sniffing: Threat Assessment and Mitigation\u201D (2018), 2018 IEEE International\
    \ Conference on Communications Workshops](https://arxiv.org/pdf/1803.03845.pdf)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA0040
  typecode: fight_technique
- access-required: N/A
  architecture-segment: User Plane
  bluf: An adversary can divert user plane traffic for one or more UEs via a user-plane
    function, to monitor user data
  criticalassets:
  - Description: All user plane subscriber data
    Name: Subscriber data
  description: " An adversary can divert user plane traffic for one or more UEs via\
    \ a user-plane function, to monitor user data.\r\n\r\nTraffic diversion is a threat\
    \ relating to network elements of the user plane. A compromised or misconfigured\
    \ NF (as documented in the procedures below: UPF, SMF, \u2026) is used to send\
    \ or cause to send a command to a user plane (routing) function that results in\
    \ altering the traffic flow. This threat involves compromising a network element\
    \ to divert traffic flows and allow a malicious actor to eavesdrop on user traffic.\
    \ \r\n\r\nAn adversary positioned between the UE and the UPF may intercept unprotected\
    \ data packets and change the destination IP address of the packets, so that the\
    \ UPF ends up sending them to a different data network. \r\n\r\nRedirection attacks\
    \ on the core network result in not only communication interception, but also\
    \ in billing discrepancies.\r\n\r\n\r\n"
  detections:
  - detects: Monitor AF to NEF APIs for illegitimate traffic redirection requests.
      Monitor Nnef_TrafficInfluence_Update API calls from AF to NEF for traffic redirection
      requests to unauthorized DNN & S-NSSAI.
    fgdsid: DS0015
    name: Application Log
  id: FGT5008
  mitigations:
  - fgmid: FGM5019
    mitigates: Authorize all API calls by external AFs to NEF
    name: Authorize external API calls
  - fgmid: M1040
    mitigates: Monitor internal API calls between NFs for suspicious activities
    name: Behavior Prevention on Endpoint
  - fgmid: M1047
    mitigates: Audit insecure NF configurations
    name: Audit
  name: 'Redirection of traffic via user plane network function  '
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: If an adversary redirects to their own server, they can access the  subscriber
      data, who will not be aware that the traffic is being intercepted.
    Name: Subscriber data intercept
  preconditions:
  - Description: An adversary must have control of the UPF IP address or a UPF
    Name: Acquire UPF IP address/control
  - Description: An adversary must first control the SMF or NEF, or AF
    Name: Control SMF/NEF/AF
  procedureexamples:
  - Description: "An adversary controlling the SMF can redirect existing UE traffic\
      \ by sending to UPF a N4 Session Modification Request (or: selecting another\
      \ UPF- or, by sending to UPF another \u201CRedirect server\u201D [which the\
      \ adversary controls] in the FAR in the N4 session (\u201CThe UPF reports to\
      \ the SMF whether it supports traffic redirection enforcement in the UPF through\
      \ the \u2018UP-Function Features\u2019 IE.\u201D [6]) Clause 5.8.2.3.3 of [5]\n\
      \nSimilarly, the SMF can send a session modification request to the UPF and\
      \ redirect UE traffic. See clauses 4.4.1.2 & 4.4.1.3 of [4]."
    Name: Rogue or misconfigured SMF
  - Description: "The \u201CApplication Function influence on traffic routing\u201D\
      \ service is designed for MEC applications for local processing of data traffic\
      \ in order to reduce latency. However, this capability can be misused by rogue\
      \ AF or rogue/misconfigured NEF. The traffic redirection occurs after the NEF\
      \ takes action that affects the UPF behavior. Clause 5.6.7 Table 5.6.7-1 first\
      \ row \u201CTraffic Description\u201D of [5], clause 4.3.6 of [4]."
    Name: Rogue AF or rogue/misconfigured NEF
  - Description: "An adversary positioned e.g. on a router can exploit the fact that\
      \ the N3 interface may not use IPSec protection. In this case, a UE\u2019s uplink\
      \ data may be sent to a different data network or destination in the data network:\
      \ the adversary intercepts the UE packets encapsulated in GTP-U tunnel, and\
      \ changes the destination IP address."
    Name: Access on N3 interface
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [ENISA \u201CThreat Landscape for 5G Networks Report\u201D\
    , Nov 2019.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks)"
  - "<a name=\"3\"> \\[3\\] </a> [\u201CBhadra framework\u201D: S.P. Rao, S. Holtmanns,\
    \ T. Aura, \u201CThreat modeling framework for mobile communication systems\u201D\
    ](https://arxiv.org/abs/2005.05110v1 )"
  - "<a name=\"4\"> \\[4\\] </a> [3GPP TS 23.502 \u201CTechnical Specification Group\
    \ Services and System Aspects; Procedures for the 5G System (5GS)\u201D.](https://www.3gpp.org/DynaReport/23502.htm)"
  - "<a name=\"5\"> \\[5\\] </a> [3GPP TS 23.501 \u201CTechnical Specification Group\
    \ Services and System Aspects; System architecture for the 5G System (5GS)\u201D\
    .](https://www.3gpp.org/DynaReport/23501.htm)"
  - "<a name=\"6\"> \\[6\\] </a> [\u201CUltra Cloud Core 5G User Plane Function, Release\
    \ 2020.02 - Configuration and Administration Guide\u201D, Cisco Systems, Accessed\
    \ May 25, 2023](https://www.cisco.com/c/en/us/td/docs/wireless/ucc/upf/Ultra-Cloud-Core-5G-UPF-Config-Guide.html)"
  - "<a name=\"7\"> \\[7\\] </a> [\u201C5G Security Issues.\u201D Positive Technologies](https://www.gsma.com/membership/resources/positive-technologies-5g-security-issues/)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0009
  - TA0040
  typecode: fight_technique
- access-required: admin
  architecture-segment: Control Plane
  bluf: An adversary-controlled AMF registers itself in the UDM as serving a victim
    UE in order to pave the way for other attacks such as fraud or UE subscription
    data retrieval.
  criticalassets:
  - Description: Functionality of this core network function
    Name: UDM functionality
  - Description: Data (user plane or signaling) belonging to the UE
    Name: UE data
  - Description: Physical geo-location (coarse or fine) of the UE
    Name: UE location
  description: " An adversary-controlled AMF registers itself in the UDM as serving\
    \ a victim UE in order to pave the way for other attacks such as fraud or UE subscription\
    \ data retrieval. \r\n\r\nA UE can be legitimately de-registered or be caused\
    \ to de-register. The UDM is the core network function that holds the current\
    \ registration status and data of an UE. UEs register with an AMF, which then\
    \ becomes its serving AMF. An adversary can exploit an incorrectly implemented\
    \ UDM that does not update the authentication status of a UE upon a de-registration\
    \ event, or that allows the authentication status to be incorrect. This flaw allows\
    \ a malicious AMF to register itself in UDM (via Nudm_UECM_Registration Request\
    \ API call). That is, an adversary controlling an AMF can register that AMF Identifier\
    \ in the UDM as the serving AMF for that UE. \r\n\r\nThis technique also applies\
    \ to the SMF and SMSF (SMS Function), not just AMF, using the same API to the\
    \ UDM. \r\n\r\nFor an adversary to achieve this, a UDM must be incorrectly implemented.\
    \ The improperly configured UDM needs to be able to perform all of the basic functions,\
    \ except that it does not mark a UE as de-registered when it powers off or goes\
    \ to airplane mode or is legitimately (or illegitimately) de-registered by the\
    \ network.\r\n \r\n"
  detections: []
  id: FGT5010
  mitigations:
  - fgmid: FGM5023
    mitigates: "Periodic authentication / authorization of NF consumer e.g. AMF by\
      \ NRF will help detect rogue AMFs. \nNot currently in 3GPP/GSMA (TBC) specs,\
      \ but it can be enhanced. It\u2019s process management (OA&M)"
    name: Periodic Authentication & Authorization of NFs
  - fgmid: FGM5013
    mitigates: Implement security as per clause 6.1.9 of [4], namely OAuth2.0
    name: Timely updates to UE status
  - fgmid: FGM5014
    mitigates: Cross check whether the requesting AMF is likely to be the one serving
      that UE now. Validate the expected geography of where UE actually may be, in
      comparison to the area that the requester AMF is supposed to serve.
    name: UE location plausibility
  name: Fraudulent AMF registration for UE in UDM
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: A rogue AMF could mount other attacks on the victim UE, but the UE
      is not currently registered on the network. For example, the AMF can ask the
      LMF for the location of that UE; this may work if the UE is actually registered
      to this network, otherwise, it will return the last known location.
    Name: Follow on attacks by rogue AMF
  preconditions:
  - Description: If the UDM does not store the authentication status of a UE, or the
      authentication status is incorrect
    Name: Faulty UDM implementation
  procedureexamples:
  - Description: An adversary in control of an AMF registers that AMF in UDM (via
      Nudm_UECM_Registration Request) as serving a given UE that de-registered. If
      the UDM implementation does not update the authentication status of UEs as de-registered,
      it will accept that AMF. The adversary-controlled AMF can then potentially perform
      additional hostile actions such as fraud, claiming to have provided services
      for the UE, or obtaining other UE information from the UDM such as subscriber
      data, or asking for the UE location from the LMF (Location Management Function).
    Name: Adversary registers an AMF it controls as the one serving a given UE that
      just de-registered
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.926:\
    \ \u201CSecurity Assurance Specification (SCAS) threats and critical assets in\
    \ 3GPP network product classes\u201D, Technical Report, v17.3.0, Dec. 2021, clause\
    \ E.2.2.3](https://www.3gpp.org/DynaReport/33926.htm )"
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.846,\u201D\
    \ Study on authentication enhancements in the 5G System (5GS)\u201D, Technical\
    \ Report, v17.0.0, December 2021, clause 5.3.1.2](https://www.3gpp.org/DynaReport/33846.htm\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"4\"> \\[4\\] </a> [3GPP TS 29.503: \u201C5G System; Unified Data Management\
    \ Services; Stage 3\u201D](https://www.3gpp.org/DynaReport/29503.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0009
  typecode: fight_technique
- access-required: admin
  architecture-segment: Control Plane
  bluf: 'An adversary controlling an (external) Application Function (AF) presents
    a fraudulent OAuth access token to access Network Exposure Function (NEF) services. '
  criticalassets:
  - Description: Network services exposed by NEF
    Name: Operator Services
  description: " An adversary controlling an (external) Application Function (AF)\
    \ may present a fraudulent OAuth access token to access Network Exposure Function\
    \ (NEF) services. \r\n\r\nA mobile network operator has access to a variety of\
    \ user and network data by virtue of the services it provides to subscribers.\
    \ As a business extension, some of these capabilities, events and data can be\
    \ offered to other partner business entities. The Network Exposure Function securely\
    \ exposes such cellular network services to authorized third-party applications.\
    \ The standard mandates TLS between NEF and AF and authorization via OAuth 2.0.\r\
    \n\r\nExamples of the data that can be shared are: device analytics, user traffic\
    \ routing, device location and mobility events: for example, notifications are\
    \ sent whenever a user (which is e.g. part of a group subscribed to a third party\
    \ service) enters a certain geographical perimeter (e.g. a mall or campus), since\
    \ the operator keeps track of the base stations to which devices are connected.\r\
    \n\r\nA malicious AF with a fraudulent (stolen, altered, or constructed) access\
    \ token may invoke the NEF services arbitrarily. \r\n\r\n\r\n"
  detections:
  - detects: Logs of connection attempts to NEF
    fgdsid: DS0015
    name: Application Log
  id: FGT5011
  mitigations:
  - fgmid: FGM5003
    mitigates: Ensure NEF checks AF credentials across layers (TLS, OAuth2.0), and
      has a list (provided out of band) with all the allowed AF by unique identifier
      (or type of AF), and to which service they are allowed access (this access may
      be general, not per UE).
    name: Cross check between application layer and transport layer
  - fgmid: FGM5019
    mitigates: NEF should authorize API calls from external AFs for all service accesses,
      via OAuth token verification.
    name: Authorize external API calls
  - fgmid: M1040
    mitigates: Prevent suspicious API calls
    name: Behavior Prevention on Endpoint
  name: Unauthorized access to Network Exposure Function (NEF) via token fraud
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: Adversary has access to network services exposed by NEF
    Name: Network services exposed by NEF
  preconditions:
  - Description: Access to some MNO services to gain knowledge about tokens to access
      the NEF
    Name: MNO service access
  procedureexamples:
  - Description: An adversary may conduct OAuth2.0 attacks that are applicable to
      machine-to-machine communication (not email phishing type attacks). Fraudulent
      token is mentioned in section I.2.2.2 of [1]. Other threats are listed in [2].
    Name: OAuth 2.0 attacks
  references:
  - <a name="1"> \[1\] </a> [3GPP TR 33.926 Security Assurance Specification (SCAS)
    threats and critical assets in 3GPP network product classes.](https://www.3gpp.org/DynaReport/33926.htm)
  - "<a name=\"2\"> \\[2\\] </a> [Internet Engineering Task Force, IETF RFC 6819 \u201C\
    OAuth 2.0 Threat Model and Security Considerations\u201D, Jan. 2013.](https://datatracker.ietf.org/doc/html/rfc6819\
    \ )"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0008
  - TA0001
  typecode: fight_technique
- access-required: Air interface
  architecture-segment: Control Plane, RAN
  bluf: Adversary can track a device (get cell-level location) by listening for the
    same device ID being sent to the network.
  criticalassets:
  - Description: Location is accurate to a cell area, since the sniffer device has
      to be close enough to hear the UE send its 5G GUTI
    Name: UE location
  description: " An adversary can track a device (get cell-level location) by listening\
    \ for the same device ID being sent to the network. \r\n\r\nThe AMF handles UE\
    \ registration every time the UE connects to the network anew. As part of this\
    \ registration, a 5G Globally Unique Temporary Identifier (5G-GUTI) is assigned\
    \ to the UE, so as to protect the UE permanent identifier. The UE sends this identifier\
    \ in the clear to the network as part of service procedures it initiates, and\
    \ so this identifier can be eavesdropped by any UE  or wireless sniffer nearby.\r\
    \n\r\nThis is a passive attack. If AMF doesn't allocate a new 5G-GUTI in certain\
    \ registration scenarios, an adversary could keep on tracking the user using the\
    \ old 5G-GUTI after these registration procedures. This attack has been observed\
    \ in 4G where the UE were allocated the same GUTI. \r\n\r\n"
  detections: []
  id: FGT5012.003
  mitigations:
  - fgmid: FGM5094
    mitigates: Ensure AMF implementation allocates new 5G-GUTI every time possible.
    name: Allocate new 5G identifiers judiciously
  name: 5G-GUTI reuse
  object-type: technique
  platforms: 5G radio access
  preconditions:
  - Description: Adversary must be present in the same area where the UE is located.
    Name: Adversary present in the vicinity of victim UE
  procedureexamples:
  - Description: "Reportedly several operators do not re-allocate GUTI with every\
      \ UE registration, or they do not re-allocate often enough or they use predictable\
      \ pattern, as in [1], [2]. \nExact 5G-GUTI refresh mechanism is left to implementation.\
      \ Mandatory refresh of 5G-GUTI is to be done by AMF for initial registration,\
      \ mobility registration update and network-initiated service request message\
      \ due to paging, see clause 6.12.3 of [3].\nIt is not necessary for the adversary\
      \ to have a UE to listen, a simpler listening device suffices."
    Name: Listen in for re-used 5G-GUTIs to determine UE presence in that area.
  references:
  - "<a name=\"1\"> \\[1\\] </a> [B. Hong, S. Bae, Y. Kim, \u201CGUTI Reallocation\
    \ Demystified: Cellular Location Tracking with Changing Temporary Identifier\u201D\
    , NDSS Symposium, 2018.](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_02A-4_Hong_paper.pdf\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.926:\
    \ \u201CSecurity Assurance Specification (SCAS) threats and critical assets in\
    \ 3GPP network product classes\u201D, Technical Report, v17.3.0, December. 2021,\
    \ clause K.2.7.1](https://www.3gpp.org/DynaReport/33926.htm )"
  - "<a name=\"3\"> \\[3\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.501:\
    \ \u201CSecurity architecture and procedures for 5G system\u201D, Technical Specification,\
    \ v17.5.0, March 2022](https://www.3gpp.org/DynaReport/33501.htm )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5012
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- access-required: None
  architecture-segment: RAN, Control Plane, User Plane
  bluf: An adversary may alter network signaling so as to disable encryption over
    the radio interface, thus allowing for eavesdropping of user data or signaling
    on that interface.
  criticalassets:
  - Description: UE user plane data privacy.
    Name: UE data
  - Description: UE signaling data privacy
    Name: UE signaling
  description: " An adversary may alter network signaling so as to disable encryption\
    \ over the radio interface, thus allowing for eavesdropping of user data or signaling\
    \ on that interface.\r\n\r\nThe protection of the radio interface link is chosen\
    \ by the network when the User Equipment (UE) first registers to the network.\
    \ Normally, all data and signaling is encrypted. However, under some circumstances\
    \ (e.g. emergency calls, when the UE is not registered in the serving network),\
    \ no encryption keys can be derived and so no encryption is applied\u2014in this\
    \ case the algorithm is called NULL. \r\n\r\nSeveral procedures and interfaces\
    \ can be implemented incorrectly or misused and may result in use of the NULL\
    \ encryption algorithm to protect user signaling -- Non-Access Stratum (NAS) or\
    \ Access Stratum (AS) Control Plane (CP) -- ; or user data -- AS User Pane (UP)\
    \ -- over the radio interface. These can be followed by another adversarial behavior\
    \ whereby eavesdropping can be done over the air interface for data and signaling.\r\
    \n\r\n"
  detections:
  - detects: Check configuration changes in gNB, SMF, AMF; Configuration audits by
      OSS/BSS.
    fgdsid: DS0015
    name: Application Log
  - detects: Inspect radio traffic and watch for unauthorized changes as the packets
      move through the interfaces.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1600.501
  mitigations:
  - fgmid: M1018
    mitigates: Network element security safeguards for gNBs, AMFs and SMFs. Includes
      measures in clause 5.3.4 of [2] for gNBs (e.g. software updates, OA&M access
      security, secure boot)
    name: User Account Management
  - fgmid: M1031
    mitigates: Implement network intrusion prevention methods
    name: Network Intrusion Prevention
  - fgmid: M1041
    mitigates: Ensure gNB implementation and SMF implementations are both checking
      the UE CP and UP security policy against the most trustworthy source and taking
      action to not enable NULL encryption except for emergency calls
    name: Encrypt Sensitive Information
  - fgmid: M1043
    mitigates: Implement credential access protection methods
    name: Credential Access Protection
  - fgmid: M1046
    mitigates: Network element security safeguards for gNBs, AMFs and SMFs. Includes
      measures in clause 5.3.4 of [2] for gNBs (e.g. software updates, OA&M access
      security, secure boot)
    name: Boot Integrity
  - fgmid: M1051
    mitigates: Network element security safeguards for gNBs, AMFs and SMFs. Includes
      measures in clause 5.3.4 of [2] for gNBs (e.g. software updates, OA&M access
      security, secure boot)
    name: Update Software
  name: Radio Interface
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: 'Control Plane: All UE signaling data may be revealed if both NAS
      and AS CP (RRC) security algorithms are weakened.


      User Plane: Subscriber (user plane) data may be revealed if AS UP security algorithms
      are weakened.'
    Name: UE data unprotected on air interface
  preconditions:
  - Description: "A rogue gNB may be required to change the UE\u2019s CP and UP supported\
      \ algorithms to NULL. It\u2019s easier to achieve control over a gNB than over\
      \ the AMF or SMF itself. But then if the AMF and SMF are not rogue just not\
      \ configured to do these additional checks, then control over a rogue gNB is\
      \ sufficient.\nThis attack is possible with only control over the AMF, in which\
      \ case the algorithm for CP and UP protection is changed to NULL."
    Name: Rogue or misconfigured AMF or SMF or gNB
  procedureexamples:
  - Description: "Adversary (e.g. with fake gNB) intentionally configures NULL encryption\
      \ algorithm to have highest priority in gNB. These algorithms are sent to the\
      \ UE in the (Access Stratum) AS Security Mode Command. Normally the activation\
      \ of algorithms for the AS is done by the gNB based on that policy received\
      \ from the SMF, but a fake gNB can ignore the SMF. Clauses 6.7.3 & D.1 of [2].\n\
      \nAdversary with control over a legitimate gNB, and who currently serves the\
      \ UE, tells the SMF that the UE Control Plane (CP) and User Plane (UP) policy\
      \ is NULL encryption, and the (legitimate but not correctly implemented) SMF\
      \ doesn\u2019t check that against the locally-stored UE UP policy and lets the\
      \ CP and UP data be transmitted with NULL encryption. Clause 6.6.1 of [2]"
    Name: Fake or misconfigured base station
  - Description: 'Adversary makes the unauthorized change in the SMF CP and UP local
      policy to enable NULL encryption for CP & UP traffic.

      Alternatively, adversary exploits an SMF that is not implemented to check (for
      every UE it serves) that the algorithm received from gNB (which may be compromised
      or fake) matches the (more trusted) local policy. That local policy in turn
      should be checked that it is the same as the UE policy stored in the UDM, which
      has the higher trust. Any of these failures can result in the SMF enabling the
      CP and UP traffic over the radio interface to use NULL encryption.'
    Name: Rogue or misconfigured Session Management Function (SMF)
  - Description: "Adversary with control over AMF (or control over the configuration\
      \ of AMF) can affect UE procedures such as NAS Security Mode Command, such that\
      \ the UE's NAS data is not protected, i.e. prioritize NULL algorithm for either\
      \ NAS encryption or integrity.\n \nThis can be followed by another attack behavior\
      \ whereby eavesdropping can be done over the air interface for data and signaling.\
      \ Clauses 5.3.2 and 5.5.1 of [2]"
    Name: Rogue or misconfigured Access and Mobility Management Function (AMF) non-roaming
  - Description: "Compromised source AMF sends incorrect UE context information to\
      \ legitimate target AMF during either (a) Initial registration and roaming or\
      \ (b) Handover (N2 based). \nThe source AMF sends NULL  encryption algorithm\
      \ information as part of the \u201CUEContextTransfer\u201D (initial registration\
      \ and roaming) or \u201CCreateUEContext\u201D (N2 handover) service request\
      \ messages. All UE data will be sent in cleartext after registration or handover\
      \ is completed. Clauses 4.2.2.2.2, 4.9.1.3.1 and 5.2.2.1 of [3] The element\
      \ in the UE context is the ueSecurityCapability which the rogue AMF sets to\
      \ NULL only."
    Name: Rogue or misconfigured AMF during roaming/handover
  - Description: "Compromised source MME/AMF sends incorrect UE context information\
      \ to legitimate target AMF during EPS to 5GS handover and roaming with and without\
      \ N26 interface.\n\nSource AMF sends NULL encryption algorithm information as\
      \ part of the \u201CUEContextTransfer\u201D or \n\u201CRelocateUEContext\u201D\
      \ service request messages. All UE data will be sent in clear text after roaming\
      \ or handover is completed. Clauses 4.11.1.2.2.2, 4.11.1.3.3, 4.11.2.3 and 5.2.2.1\
      \ of [3] The element in the UE context is the ueSecurityCapability which the\
      \ rogue AMF sets to NULL only."
    Name: Rogue or misconfigured AMF/MME during EPS roaming/handover
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR 33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://www.3gpp.org/DynaReport/33926.htm\
    \  )"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 33.501 \u201CSecurity architecture and procedures\
    \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm  )"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.502 \u201CProcedures for the 5G System\
    \ (5GS)\u201D.](https://www.3gpp.org/DynaReport/23502.htm  )"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1600
  tactics:
  - TA0005
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: User Plane
  bluf: An adversary controlling a user-plane function (gNB or UPF) disrupts user
    traffic by assigning the new traffic a TEID already in use.
  criticalassets:
  - Description: Billing data of legitimate UE
    Name: UE billing data
  - Description: "UE\u2019s reception of its data is disrupted."
    Name: UE data interruption
  description: " An adversary controlling a user-plane function (gNB or UPF) may disrupt\
    \ user traffic by assigning the new traffic a TEID already in use.\r\n\r\nThe\
    \ Tunnel Identifier, TEID, is part of the Core Network Tunnel information and\
    \ is assigned locally by the UPF and also by the gNB/ng-eNB for user plane routing\
    \ for each UE served. The failure to guarantee the uniqueness of the TEID for\
    \ a PDU session results in interruption of the routing of the user traffic. It\
    \ also creates charging errors. If multiple PDU sessions were to share the same\
    \ TEID at the same time, the counts for the network usage of a single PDU session\
    \ will be in fact the counts for the network usage of multiple sessions, creating\
    \ charging errors.\r\n\r\nRogue or erroneous configuration/implementation in gNB\
    \ or UPF can cause an existing TEID to be assigned to a new PDU session. This\
    \ can also happen during EPS to 5GS handover or roaming.\r\n\r\n"
  detections:
  - detects: Packet inspection over the N3 interface. If two packets are seen to have
      the same TEID on the RAN to UPF interface, then it can be verified that they
      indeed belong to the same UE. It may be difficult to detect as it is per UE
      and per PDU session.
    fgdsid: DS0029
    name: Network Traffic
  - detects: Charging system reports anomaly of subscriber CDRs. Periodic CDR audits
      can detect anomaly.
    fgdsid: FGDS5003
    name: Charging anomaly
  id: FGT5021
  mitigations:
  - fgmid: FGM5094
    mitigates: Ensure UPF and gNB/NG-eNB check for uniqueness for every new TEID they
      allocate locally. The newly assigned TEID must not have been in use in the past
      given certain amount of time (which should be set to the reasonable maximum
      tunnel lifetimes observed).
    name: Allocate new 5G identifiers judiciously
  - fgmid: M1035
    mitigates: Limit Access to Resource Over Network
    name: Limit Access to Resource Over Network
  - fgmid: M1047
    mitigates: The UPF and g/eNB must keep a log of the TEIDs currently in use (which
      they assigned), and purge TEIDs once the tunnel is torn down. This log must
      be checked every time a new TEID is allocated.
    name: Audit
  name: Tunnel Endpoint ID (TEID) uniqueness failure
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: UE user plane data gets disrupted
    Name: UE data disruption
  - Description: Incorrect subscribers' charging records are generated
    Name: Incorrect charging
  preconditions:
  - Description: Faulty implementation at gNB or UPF ; or, control over gNB, and UPF
    Name: Control or misconfiguration of gNB or UPF
  procedureexamples:
  - Description: 'Rogue or wrong configuration/implementation in gNB or UPF can cause
      existing TEID to be assigned to a new N3 reference point or PDU session. Clause
      J.2.2.2 of [1]


      Duplicate TEID allocation can happen during EPS to 5GS handover or roaming.


      Duplicate TEID can cause traffic disruption, charging issues and eavesdropping
      of legitimate subscriber data by adversary. Clause 5.8.2.3 of [2], clause 4.11.1.2.2
      of [3]'
    Name: Rogue or misconfigured gNB or UPF
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR 33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3002)"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 23.501 \u201CSystem architecture for the\
    \ 5G System (5GS)\u201D.](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3144)"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.502, \u201CProcedures for the 5G System\
    \ (5GS); Stage 2 (Release 17)\u201D, Technical Specification, v17.4.0, March 2022.](https://www.3gpp.org/DynaReport/23502.htm\_\
    )"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0040
  typecode: fight_technique
- access-required: User, Administrative access
  addendums:
  - "#### Addendum Name: VNF Access Services\r\n##### Architecture Segments: OA&M\r\
    \n Adversary may use non-functional remote communication interfaces (SNMP/RPC,\
    \ SSH) to change host configuration to enable host compromise.\r\n\r\nCloud tenants\
    \ may deploy additional network services with their containers in their containers\
    \ along with the main functionality of the 5G Virtual Network Function (VNF).\
    \   These services can be deployed as part of the VNF itself, since they allow\
    \ for VNF monitoring or remote configuration. To this end, it is possible that\
    \ possibly unsafe remote access services such as SSH may be deployed into the\
    \ containers. If these network services are directly accessible over the Internet\
    \ (or from another tenant of the CaaS), then they are vulnerable to intrusion\
    \ attacks. For example, adversaries may attempt to guess access credentials or\
    \ to exploit known vulnerabilities in the management services APIs. If successful,\
    \ the adversary now can use the access to this container through these services\
    \ for additional follow-on techniques.\r\n\r\n"
  architecture-segment: OA&M
  bluf: Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)
    to log into a service that accepts remote connections, such as telnet, SSH, and
    VNC.
  criticalassets:
  - Description: 5G or RAN Network functions including VNF and PNFs
    Name: Network functions
  - Description: Virtualized 5G environment relies on underlying compute and SDN network
      elements which may be of interest to adversary
    Name: Hosts, VMs, or Infrastructure elements
  description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)\
    \ to log into a service that accepts remote connections, such as telnet, SSH,\
    \ and VNC.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1021)\r\
    \n"
  detections:
  - detects: Audit command logs
    fgdsid: DS0017
    name: Command
  - detects: 5G NFs have defined interfaces, any other session establishment activity
      may be unauthorized.  Monitor traffic patterns and session sources along with
      blocked/denied activity.
    fgdsid: DS0028
    name: Logon Session
  - detects: Monitor network traffic for expected and unexpected attempted and established
      connections
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1021
  mitigations:
  - fgmid: M1018
    mitigates: Limit the accounts that may use remote services. Limit the permissions
      for accounts that are at higher risk of compromise; for example, configure SSH
      so users can only run specific programs.
    name: User Account Management
  - fgmid: M1032
    mitigates: Use multi-factor authentication on remote service logons where possible.
    name: Multi-factor Authentication
  name: Remote Services
  object-type: technique
  platforms: PNF, VNF Hosts
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Fraunhofer AISEC, \u201CThreat Analysis of Container-as-a-Service\
    \ for Network Function \u201C, Retrieved April 28 2022](https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Studien_TechReports/englisch/caas_threat_analysis_wp.pdf)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0008
  - TA0007
  typecode: attack_technique_addendum
- access-required: User/NPE/Administrative access
  addendums:
  - "#### Addendum Name: 5G Supply Chain Compromise\r\n##### Architecture Segments:\
    \ OA&M, Virtualization, RAN, O-RAN\r\n Adversaries may manipulate products or\
    \ product delivery mechanisms prior to deployment in an MNO\u2019s production\
    \ environment for the purpose of data or system compromise.\r\n\r\n5G deployments\
    \ are expected to have various deployment models comprise of vendor supplied VNF/CNFs,\
    \ open-source software, and dedicated physical appliances from suppliers as well\
    \ as white label hardware.  It is also expected that 5G services to end-consumer\
    \ may include third party services to support resources required by 5G Core and\
    \ RAN elements such as third party back haul, MEC or commercial Cloud data centers\
    \ resources. The resources also include O-RAN elements such as O-DU, O-RU and\
    \ O-CU. Adversary may use a software, hardware, or service supply chain to insert\
    \ compromised components (binaries, Firmware, compromised processing chips) in\
    \ the supply chain of a targeted MNO or taint entire supply chain first to have\
    \ option to select a target from victims receiving compromised products. Opensource\
    \ communities may be vulnerable to accidental or intentional compromise.  These\
    \ days a lot of reputable vendors also use open-source components in their license\
    \ products, Opensource community may become a conduit to a target victim.\r\n\r\
    \n"
  architecture-segment: OA&M, Virtualization, RAN, O-RAN
  bluf: "Adversaries may manipulate products or product delivery mechanisms prior\
    \ to receipt by a final consumer for the purpose of data or system compromise.\n\
    \nSupply chain compromise can take place at any stage of the supply chain including:\n\
    \n* Manipulation of development tools\n* Manipulation of a development environment\n\
    * Manipulation of source code repositories (public or private)\n* Manipulation\
    \ of source code in open-source dependencies\n* Manipulation of software update/distribution\
    \ mechanisms\n* Compromised/infected system images (multiple cases of removable\
    \ media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric\
    \ USB Malware) \n* Replacement of legitimate software with modified versions\n\
    * Sales of modified/counterfeit products to legitimate distributors\n* Shipment\
    \ interdiction\n\nWhile supply chain compromise can impact any component of hardware\
    \ or software, adversaries looking to gain execution have often focused on malicious\
    \ additions to legitimate software in software distribution or update channels.(Citation:\
    \ Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five\
    \ SK 2011) Targeting may be specific to a desired victim set or malicious software\
    \ may be distributed to a broad set of consumers but only move on to additional\
    \ tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation:\
    \ Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects\
    \ that are used as dependencies in many applications may also be targeted as a\
    \ means to add malicious code to users of the dependency.(Citation: Trendmicro\
    \ NPM Compromise)."
  criticalassets:
  - Description: Network functions are prime target to impact 5G communication services
    Name: CORE, RAN VNFs
  - Description: OSS tools have privileged access and broad reachability and may be
      used to change configuration of the network by adversary.
    Name: OSS Tools
  - Description: Security tools have privileged access and broad reachability may
      be used to evade defenses and allow for lateral movements by the adversary
    Name: Security tools
  - Description: CI/CD tools may be used for inserting malware or poisoned images
      as well as change the network elements deployed and their behavior.
    Name: CI/CD Tools
  description: "Adversaries may manipulate products or product delivery mechanisms\
    \ prior to receipt by a final consumer for the purpose of data or system compromise.\n\
    \nSupply chain compromise can take place at any stage of the supply chain including:\n\
    \n* Manipulation of development tools\n* Manipulation of a development environment\n\
    * Manipulation of source code repositories (public or private)\n* Manipulation\
    \ of source code in open-source dependencies\n* Manipulation of software update/distribution\
    \ mechanisms\n* Compromised/infected system images (multiple cases of removable\
    \ media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric\
    \ USB Malware) \n* Replacement of legitimate software with modified versions\n\
    * Sales of modified/counterfeit products to legitimate distributors\n* Shipment\
    \ interdiction\n\nWhile supply chain compromise can impact any component of hardware\
    \ or software, adversaries looking to gain execution have often focused on malicious\
    \ additions to legitimate software in software distribution or update channels.(Citation:\
    \ Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five\
    \ SK 2011) Targeting may be specific to a desired victim set or malicious software\
    \ may be distributed to a broad set of consumers but only move on to additional\
    \ tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation:\
    \ Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects\
    \ that are used as dependencies in many applications may also be targeted as a\
    \ means to add malicious code to users of the dependency.(Citation: Trendmicro\
    \ NPM Compromise).\r\n[To read more, please see the MITRE ATT&CK page for this\
    \ technique](https://attack.mitre.org/techniques/T1195)\r\n"
  detections:
  - detects: Perform physical inspection of hardware to look for potential tampering.
      Perform integrity checking on pre-OS boot mechanisms that can be manipulated
      for malicious purposes and compare against known good baseline behavior.
    fgdsid: DS0013
    name: Sensor Health
  - detects: Use verification of distributed binaries through hash checking or other
      integrity checking mechanisms. Scan downloads for malicious signatures and attempt
      to test software and updates prior to deployment while taking note of potential
      suspicious activity.
    fgdsid: DS0022
    name: File
  id: FGT1195
  mitigations:
  - fgmid: M1016
    mitigates: Vulnerability Scanning of software before it is brought into MNO environment
      as well as regular scans to detect abnormal behavior
    name: Vulnerability Scanning
  - fgmid: M1051
    mitigates: Update Software regularly
    name: Update Software
  name: Supply Chain Compromise
  object-type: technique
  platforms: Infrastructure, CI/CD, OA&M Tools, VNFs
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ETSI NFV SEC001, \u201CNetwork Functions Virtualization\
    \ (NFV); NFV Security; Problem Statement\u201D, Jan. 2014, section 6.9](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf\
    \ )"
  - <a name="2"> \[2\] </a> [The Untold Story of the Boldest Supply-Chain Hack Ever](https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0001
  - TA0006
  typecode: attack_technique_addendum
- access-required: User/NPE/Administrative access
  addendums:
  - "#### Addendum Name: 5G Orchestration and Deployment Tools\r\n##### Architecture\
    \ Segments: OA&M, Virtualization, Supply Chain, RAN, UE\r\n An adversary may use\
    \ CI/CD tools to gain access to production hosts/VNFs for discovery, data exfiltration\
    \ and for deployment of lateral movements tools.  \r\n\r\nIn 5G deployments, MNO\u2019\
    s development and deployment tools offer a conduit to 5G production RAN and Core\
    \ network functions. CI/CD tools have a greater access to Software during development\
    \ lifecycle, an adversary may be able to find a back door to software in production\
    \ environment- a very similar scenario to SolarWinds hack, where compromised software\
    \ was deployed on thousands of hosts via a software upgrade carrying compromised\
    \ image.  \r\n\r\nManagement and Orchestration is a framework for managing and\
    \ orchestrating network functions virtualization (NFV) infrastructure, resources,\
    \ and services. It provides a standard approach for the management and orchestration\
    \ of network services in NFV environments, including the automation of tasks such\
    \ as network service deployment, scaling, and network function lifecycle management.\
    \ MANO toolset if misconfigured or APIs not properly secured can provide an attack\
    \ vector to adversary with grave consequences to network and its services.\r\n\
    \r\n"
  architecture-segment: OA&M, Virtualization, Supply Chain, RAN, UE
  bluf: Adversaries may gain access to and use third-party software suites installed
    within an enterprise network, such as administration, monitoring, and deployment
    systems, to move laterally through the network.
  criticalassets:
  - Description: Software development and deployment tools in MNO (and supplier) environments
    Name: CI/CD Tools
  - Description: Scanning, monitoring, and end point protection tools
    Name: Security Tools
  - Description: Operation and system support tools
    Name: OSS Tools
  description: "Adversaries may gain access to and use third-party software suites\
    \ installed within an enterprise network, such as administration, monitoring,\
    \ and deployment systems, to move laterally through the network.\r\n[To read more,\
    \ please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1072)\r\
    \n"
  detections:
  - detects: Monitor for newly executed processes that do not correlate to known good
      software. Analyze the process execution trees, historical activities from the
      third-party application (such as what types of files are usually pushed), and
      the resulting activities or events from the file/binary/script pushed to systems.
    fgdsid: DS0009
    name: Process
  - detects: Often these third-party applications will have logs of their own that
      can be collected and correlated with other data from the environment. Ensure
      that third-party application logs are on-boarded to the enterprise logging system
      and the logs are regularly reviewed. Audit software deployment logs and look
      for suspicious or unauthorized activity. A system not typically used to push
      software to clients that suddenly is used for such a task outside of a known
      admin function may be suspicious. Monitor account login activity on these applications
      to detect suspicious/abnormal usage. Perform application deployment at regular
      times so that irregular deployment activity stands out.
    fgdsid: DS0015
    name: Application Log
  id: FGT1072
  mitigations:
  - fgmid: M1018
    mitigates: User Account Management, limited and least privileged user accounts
    name: User Account Management
  - fgmid: M1026
    mitigates: Privileged Account Management, unique, least privileged accounts and
      regularly audit access attempts audits
    name: Privileged Account Management
  - fgmid: M1027
    mitigates: Password Policies, no credential sharing, create traceability
    name: Password Policies
  - fgmid: M1029
    mitigates: Remote Data Storage, restrict access and monitor repository activity
    name: Remote Data Storage
  - fgmid: M1030
    mitigates: Network Segmentation allows limit movements, insert application aware
      firewalls between segments
    name: Network Segmentation
  - fgmid: M1032
    mitigates: Multi-factor Authentication adds additional layer of security for compromised
      credentials as well as increased accountability
    name: Multi-factor Authentication
  - fgmid: M1051
    mitigates: Update Software regularly to eliminate persistence
    name: Update Software
  name: Software Deployment Tools
  object-type: technique
  platforms: 'Infrastructure, PNF, VNF Hosts, '
  procedureexamples:
  - Description: "Silence\_has used RAdmin, a remote software tool used to remotely\
      \ control workstations and ATMs"
    Name: '[G0091](https://attack.mitre.org/groups/G0091)'
  - Description: "It is believed that a patch management system for an anti-virus\
      \ product commonly installed among targeted companies was used to distribute\
      \ the\_Wiper\_malware"
    Name: '[S0041](https://attack.mitre.org/software/S0041)'
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ETSI NFV SEC001, \u201CNetwork Functions Virtualization\
    \ (NFV); NFV Security; Problem Statement\u201D, Jan. 2014, section 6.9](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,\_ October 2021](https://arxiv.org/abs/2108.11206\_\_)"
  - <a name="3"> \[3\] </a> [Dell SecureWorks. (2013, March 21). Wiper Malware Analysis
    Attacking Korean Financial Sector. Retrieved May 13, 2015.](http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/)
  - "<a name=\"4\"> \\[4\\] </a> [Silence \u2013 a new Trojan attacking financial\
    \ organizations (accessed 06/20/2023)](https://securelist.com/the-silence/83009/)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0002
  - TA0008
  typecode: attack_technique_addendum
- access-required: User/NPE/Administrative access
  addendums:
  - "#### Addendum Name: Container Management- Unauthorized access\r\n##### Architecture\
    \ Segments: Virtualization, OA&M, RAN, O-RAN\r\n An adversary may use privileged\
    \ accounts of valid, role-based accounts for management services to gain access\
    \ to network elements.\r\n\r\nAn adversary may also use a valid account with excessive\
    \ privileges (i.e., does not follow least privilege policy) to gain access to\
    \ container execution environment. If access rights are not tailored to specific\
    \ needs of users, the risk to attack container execution increases.\r\n\r\nInternal\
    \ or external adversary may gain access to management account credentials (e.g.\
    \ due to weak account management practices) allowing access to VNF containers\
    \ for persistence, and defense evasion.\r\n\r\n"
  architecture-segment: Virtualization, OA&M, RAN, O-RAN
  bluf: Valid accounts in cloud environments may allow adversaries to perform actions
    to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
  criticalassets:
  - Description: RAN and Core CNFs
    Name: Containerized network functions
  - Description: Cloud, Kubernetes, or Openstack administrative controllers
    Name: Cloud/virtualized container Management controllers
  description: "Valid accounts in cloud environments may allow adversaries to perform\
    \ actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense\
    \ Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1078/004)\r\
    \n"
  detections:
  - detects: Monitor user account authentication activity.  Monitor the activity of
      cloud accounts to detect abnormal or malicious behavior, such as accessing information
      outside of the normal function of the account or account usage at atypical hours.  Repeated
      attempts may be indictive of password guessing or brute force password cracking.  Password
      policies supporting lockout requiring administrative reset may help.
    fgdsid: DS0002
    name: User Account
  - detects: Monitor for suspicious account behavior across cloud services that share
      account.  Logon session logs and meta data helps determine if the session was
      an authorized activity.
    fgdsid: DS0028
    name: Logon Session
  id: FGT1078.004
  mitigations:
  - fgmid: M1017
    mitigates: Applications may send push notifications to verify a login as a form
      of multi-factor authentication (MFA). Train users to only accept valid push
      notifications and to report suspicious push notifications.
    name: User Training
  - fgmid: M1018
    mitigates: Periodically review user accounts and remove those that are inactive
      or unnecessary. Limit the ability for user accounts to create additional accounts.
    name: User Account Management
  - fgmid: M1026
    mitigates: Review privileged cloud account permission levels routinely to look
      for those that could allow an adversary to gain wide access.
    name: Privileged Account Management
  - fgmid: M1027
    mitigates: Ensure that cloud accounts, particularly privileged accounts, have
      complex, unique passwords across all systems on the network. Passwords and access
      keys should be rotated regularly. This limits the amount of time credentials
      can be used to access resources if a credential is compromised without your
      knowledge. Rotate access keys regularly.
    name: Password Policies
  - fgmid: M1032
    mitigates: Use multi-factor authentication for cloud and virtualization OSS accounts
      used for VNF deployments, especially privileged accounts.
    name: Multi-factor Authentication
  name: Cloud Accounts
  object-type: technique
  platforms: Infrastructure, CI/CD, OA&M Tools
  procedureexamples:
  - Description: Peirates is a post-exploitation Kubernetes exploitation framework
      with a focus on gathering service account tokens for lateral movement and privilege
      escalation. The tool is written in GoLang and publicly available on GitHub
    Name: S0683
  references:
  - <a name="1"> \[1\] </a> [ETSI NFV SEC023, Container Security Spec, section 5.4.4,
    Accessed 6/27/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC023_Container_Security_Spec/NFV-SEC023v005.zip)
  - <a name="2"> \[2\] </a> [Peirates](https://github.com/inguardians/peirates)
  - "<a name=\"3\"> \\[3\\] </a> [Kubernetes Used in Brute-Force Attacks Tied to Russia\u2019\
    s APT28](https://vulners.com/threatpost/THREATPOST:B25070E6CF075EEA6B20C4D8D25ADBE8)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1078
  tactics:
  - TA0005
  - TA0003
  - TA0004
  - TA0001
  typecode: attack_subtechnique_addendum
- access-required: User/NPE/Administrative access, compromised Keys/tokens
  architecture-segment: OA&M, Virtualization
  bluf: An adversary may use a fake or compromised container management controller
    to deploy fake VNFs to collect information from the network.
  criticalassets:
  - Description: Container and container engine may expose privileged information
      to adversary directly from process or through container engine.
    Name: Container and Container engines
  - Description: In Container management architecture (Kubernetes for example) adversary
      may use Kublet commands or API proxy to gain access to information and control
      of the container.
    Name: Container Management Controller system
  - Description: NF orchestrators
    Name: NFO
  description: " An adversary may use a fake or compromised container management controller\
    \ to deploy fake VNFs to collect information from the network.\r\n\r\nInstantiation\
    \ of malicious Virtual Network Functions (VNF) can also be achieved by compromised\
    \ VIM by inclusion of concealed software within legitimate (Virtual Infrastructure\
    \ Manager) VIM, or allocating virtual resources for fake instances, or using malicious\
    \ or compromised identity provider (reuses the same identity for several VNFs\
    \ with same key pair without knowledge of MANO). Adversary may use malicious attestation\
    \ server attacks, etc. VNF instantiation may allow adversary to register VNF with\
    \ 5G core to launch further attacks. \r\n\r\n"
  detections:
  - detects: Monitor POD creation and modification events.
    fgdsid: DS0014
    name: Pod
  - detects: Audit application logs (NFVO, VIM).  Configuration management databases
      (CMDB) and other asset management systems may help with the detection of computer
      systems or network devices that should not exist on a network.
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor container creation, container start events
    fgdsid: DS0032
    name: Container
  id: FGT5013
  mitigations:
  - fgmid: M1018
    mitigates: Enforce the principle of least privilege by limiting container dashboard
      access to only the necessary users.
    name: User Account Management
  - fgmid: M1030
    mitigates: Deny direct remote access to internal systems through the use of network
      proxies, gateways, and firewalls.
    name: Network Segmentation
  - fgmid: M1035
    mitigates: Limit communications with the container service to local Unix sockets
      or remote access via SSH. Require secure port access to communicate with the
      APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes
      API Server, and container orchestration web applications.
    name: Limit Access to Resource Over Network
  - fgmid: M1047
    mitigates: Scan images before deployment, and block those that are not in compliance
      with security policies. In Kubernetes environments, the admission controller
      can be used to validate images after a container deployment request is authenticated
      but before the container is deployed.
    name: Audit
  name: Malicious VNF Instantiation
  object-type: technique
  platforms: ICAM, CI/CD, OA&M Tools
  procedureexamples:
  - Description: "Peirates can deploy a pod that mounts its node\u2019s root file\
      \ system, then execute a command to create a reverse shell on the node"
    Name: S0683
  - Description: Doki was run through a deployed container
    Name: S0600
  - Description: TeamTNT has deployed different types of containers into victim environments
      to facilitate execution.
    Name: G0139
  references:
  - '<a name="1"> \[1\] </a> [ETSI NFV SEC025, Secure End-to-End VNF and NS management
    specification

    Release 4, section 4.4.3, accessed 6/28/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_&_NS_management/NFV-SEC025v0012.zip)'
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0007
  - TA0009
  typecode: fight_technique
- access-required: User/NPE/Administrative access, compromised Keys/tokens
  architecture-segment: OA&M, Virtualization
  bluf: An adversary may use an NFVI controller to gain access to data from a suspended
    or stopped VNF to extract sensitive information.
  criticalassets:
  - Description: Container and container engine may expose privileged information
      to adversary directly from process or thru container engine.
    Name: Container and Container engines
  - Description: In Container management architecture (Kubernetes for example) adversary
      may use Kublet commands or API proxy to gain access to information and control
      of the container.
    Name: Container Management Controller system
  description: " An adversary may use an NFVI controller to gain access to data from\
    \ a suspended or stopped VNF to extract sensitive information.\r\n\r\nA container\
    \ administration service such as the Docker daemon, the Kubernetes API server,\
    \ or the kubelet may allow remote management of containers within an environment.\
    \  An unauthorized access to terminated/suspended VNF in NFVI can expose data\
    \ not erased from a state change process. This may include virtual resources released\
    \ from a terminated VNF or from a VNF that has released resources after a move\
    \ or a scaling process. This may also enable inclusion of concealed software in\
    \ NFVI to prevent the deletion/erasure of data and states of the VNF that has\
    \ been terminated. Data may include application data, cryptographic keys (service\
    \ accounts).\r\n\r\n\r\n"
  detections: []
  id: FGT1609.501
  mitigations:
  - fgmid: M1018
    mitigates: Enforce authentication and role-based access control on the container
      service to restrict users to the least privileges required.
    name: User Account Management
  - fgmid: M1026
    mitigates: In Kubernetes environments, consider defining a Pod Security Policy
      that prevents pods from running privileged containers
    name: Privileged Account Management
  - fgmid: M1035
    mitigates: Limit communications with the container service to local Unix sockets
      or remote access via SSH. Require secure port access to communicate with the
      APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes
      API Server
    name: Limit Access to Resource Over Network
  - fgmid: M1038
    mitigates: Use read-only containers, read-only file systems, and minimal images
      when possible to prevent the execution of commands.
    name: Execution Prevention
  name: Accessing Terminated VNF
  object-type: technique
  platforms: CI/CD, OA&M Tools
  procedureexamples:
  - Description: Peirates can use kubectl or the Kubernetes API to run commands.
    Name: Kubectl
  - Description: Siloscape can send kubectl commands to victim clusters through an
      IRC channel and can run kubectl locally to spread once within a victim cluster.
    Name: Kubectl via IRC channels
  references:
  - '<a name="1"> \[1\] </a> [ETSI NFV SEC025, Secure End-to-End VNF and NS management
    specification

    Release 4, section 4.4.6, accessed 6/28/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_&_NS_management/NFV-SEC025v0012.zip)'
  status: This is a theoretical behavior
  subtechnique-of: FGT1609
  tactics:
  - TA0006
  - TA0007
  typecode: fight_subtechnique_to_attack_technique
- access-required: User/NPE/Administrative access
  architecture-segment: Virtualization, OA&M
  bluf: An adversary running a malicious Virtual Network Function (VNF) may identify
    network resources co-resident on the same physical host.
  criticalassets:
  - Description: Adversary may identify high value 5G network functions targets for
      its exploits
    Name: VNF identity
  - Description: Adversary may identify RAN, Core or slice VNFs for further exploits.
    Name: Network identity
  description: " An adversary running a malicious Virtual Network Function (VNF) may\
    \ identify network resources co-resident on the same physical host.\r\n\r\nAn\
    \ adversary may identify a VNF in shared resource by observing protocols or standard\
    \ ports in use on the node.  A hardware and network resource separation is required\
    \ to provide isolation and protection from an adversary mapping capabilities in\
    \ the network for certain VNF/VNFc (container).\r\n\r\n"
  detections:
  - detects: Monitor POD creation and modification events.
    fgdsid: DS0014
    name: Pod
  - detects: Audit application logs (NFVO, VIM).  Configuration management databases
      (CMDB) and other asset management systems may help with the detection of computer
      systems or network devices that should not exist on a network.
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor command history on VNFs and hosts
    fgdsid: DS0017
    name: Command
  - detects: Monitor container creation, container start events
    fgdsid: DS0032
    name: Container
  id: FGT5014
  mitigations:
  - fgmid: M1018
    mitigates: Enforce the principle of least privilege by limiting container dashboard
      access to only the necessary users.
    name: User Account Management
  - fgmid: M1030
    mitigates: Deny direct remote access to internal systems through the use of network
      proxies, gateways, and firewalls.  Segment execution environment with node and
      network.
    name: Network Segmentation
  - fgmid: M1035
    mitigates: Limit communications with the container service to local Unix sockets
      or remote access via SSH. Require secure port access to communicate with the
      APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes
      API Server, and container orchestration web applications.
    name: Limit Access to Resource Over Network
  - fgmid: M1047
    mitigates: Scan images before deployment, and block those that are not in compliance
      with security policies. In Kubernetes environments, the admission controller
      can be used to validate images after a container deployment request is authenticated
      but before the container is deployed.
    name: Audit
  name: Shared resource discovery
  object-type: technique
  platforms: virtualization, CI/CD, OA&M Tools
  procedureexamples:
  - Description: "Peirates can deploy a pod that mounts its node\u2019s root file\
      \ system, then execute a command to create a reverse shell on the node"
    Name: S0683
  - Description: Doki was run through a deployed container
    Name: S0600
  - Description: TeamTNT has deployed different types of containers into victim environments
      to facilitate execution.
    Name: G0139
  references:
  - '<a name="1"> \[1\] </a> [Network Functions Virtualisation (NFV) Release 4;

    Security;Isolation and trust domain specification

    Release 4, section 4.2.1, Access 4/12/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)'
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0007
  typecode: fight_technique
- access-required: User/NPE/Administrative access
  architecture-segment: OA&M, Virtualization
  bluf: An adversary may compromise a target Virtual Network Function (VNF) to gain
    unauthorized access to the data from the underlying resources shared with other
    VNFs.
  criticalassets:
  - Description: Adversary may identify high value 5G network functions targets for
      its exploits
    Name: VNF and VNF Data
  description: " An adversary may compromise a target Virtual Network Function (VNF)\
    \ to gain unauthorized access to the data from the underlying resources shared\
    \ with other VNFs.\r\n\r\nA malicious VNF instantiated in the VNF infrastructure\
    \ may be able to access the resources reserved for another tenant VNF, if root\
    \ or escalated privilege is gained due to misconfiguration of host or container.\
    \  This exploitation can lead to unauthorized data access in shared resources.\
    \  Multiple techniques can be used to isolate VNF or VNFc (container) where sharing\
    \ virtualization resources is a business requirement to ensure a co-resident compromised\
    \ or malicious VNF/VNFc cannot access shared resources or read data therein.\r\
    \n\r\n\r\n"
  detections:
  - detects: Monitor process activity on node, hosts and VNFs.
    fgdsid: DS0009
    name: Process
  - detects: Audit application logs (NFVO, VIM).  Configuration management databases
      (CMDB) and other asset management systems may help with the detection of computer
      systems or network devices that should not exist on a network.
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor container creation, container start events
    fgdsid: DS0032
    name: Container
  - detects: Monitor volume or storage modifications, attachment or read actions.
    fgdsid: DS0034
    name: Volume
  id: FGT1611.501
  mitigations:
  - fgmid: M1018
    mitigates: Enforce the principle of least privilege by limiting container dashboard
      access to only the necessary users.
    name: User Account Management
  - fgmid: M1030
    mitigates: Deny direct remote access to internal systems through the use of network
      proxies, gateways, and firewalls.  Segment execution environment with node and
      network.
    name: Network Segmentation
  - fgmid: M1035
    mitigates: Limit communications with the container service to local Unix sockets
      or remote access via SSH. Require secure port access to communicate with the
      APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes
      API Server, and container orchestration web applications.
    name: Limit Access to Resource Over Network
  - fgmid: M1047
    mitigates: Scan images before deployment, and block those that are not in compliance
      with security policies. In Kubernetes environments, the admission controller
      can be used to validate images after a container deployment request is authenticated
      but before the container is deployed.
    name: Audit
  name: Malicious privileged container VNF Shared Resource Access
  object-type: technique
  platforms: CI/CD, OA&M Tools
  procedureexamples:
  - Description: "Peirates can deploy a pod that mounts its node\u2019s root file\
      \ system, then execute a command to create a reverse shell on the node"
    Name: S0683
  - Description: Doki was run through a deployed container
    Name: S0600
  - Description: TeamTNT has deployed different types of containers into victim environments
      to facilitate execution.
    Name: G0139
  references:
  - '<a name="1"> \[1\] </a> [Network Functions Virtualisation (NFV) Release 4;

    Security; Isolation and trust domain specification

    Release 4, section 4.2.1, Accessed 4/12/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)'
  status: This is a theoretical behavior
  subtechnique-of: FGT1611
  tactics:
  - TA0004
  typecode: fight_subtechnique_to_attack_technique
- access-required: User/NPE/Administrative access
  architecture-segment: Network Slice, Cloud Service Provider
  bluf: 'Adversaries may gain unauthorized access to information via  a Virtual Network
    Function (VNF) shared for service designed for two different slices. '
  criticalassets:
  - Description: NFVI includes orchestrators, network managers, and network elements
    Name: NFVI
  - Description: 5G Core, RAN and NON-SBI functions, virtual resources supporting
      VNF
    Name: VNFs
  - Description: Network slice SLA data, some information may be exposed if application
      functions are shared
    Name: Slice Control and User Plane data
  - Description: The application related data and sensitive parameters associated
      with a VNF
    Name: VNF application data and sensitive parameters
  description: " Adversaries may gain unauthorized access to information via a Virtual\
    \ Network Function (VNF) shared for service designed for two different slices.\r\
    \n\r\n5G functions deployment and slice creation is supported by NFVI resources.\
    \ Network Function Virtualization Infrastructure (NFVI) can be exploited by compromise\
    \ or abuse of trust on a VNF Orchestrator (VNFO) or VNF Manager (VNFM).  An adversary\
    \ may be able to create a network slice (NS) using the VNF (Common VNF) of a target\
    \ Slice or create slice resources that share the NFVI resources of the target\
    \ slice. Malicious co-tenancy activities can lead to unauthorized access to data,\
    \ misuse of resources, or management actions. \r\n\r\n"
  detections:
  - detects: Monitor systems performance
    fgdsid: DS0013
    name: Sensor Health
  - detects: Audit logs - Auditing logs for security, authentication and authorization
      activity, host access, hosts, virtualization orchestrator and managers can reveal
      behavioral anomalies
    fgdsid: DS0015
    name: Application Log
  - detects: Audit Policy Violations - Automated user and resource policy compliance
      checks and instrumentation to alert on violation attempts
    fgdsid: DS0028
    name: Logon Session
  - detects: Monitor network flows
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1599.501
  mitigations:
  - fgmid: FGM5505
    mitigates: Hardware Mediated Execution Environment -Employ secure, hardware- based
      execution integrity as part of host/server design
    name: Hardware mediated  execution environment
  - fgmid: FGM5506
    mitigates: Use of Network Slice Templates -Use of templates for network slicing
      can enforce baseline security and isolation requirements.  These templates can
      be created for networks, compute and 5G slice functions deployments.
    name: network slice templates
  - fgmid: M1026
    mitigates: Least Privilege Access Control Policy - Access control policies should
      be granular to allow for optimal access to service requirements.
    name: Privileged Account Management
  - fgmid: M1030
    mitigates: 'Security and Trust zones -Security and trust zones can help isolate
      resources and can be mapped to business needs.

      Micro and Nano segmentation- Implementing segmentation policy at granular level,
      network and compute resources can prevent some co-residency threats when mapped
      to SLAs, Users, and Resource policies.


      Physical separation- Hardware, network, and point of presence can be separated
      to provide additional isolation.'
    name: Network Segmentation
  - fgmid: M1035
    mitigates: Resource Policy enforcement -Create and enforce resource policy; policy
      can include SLA, quotas, QOS etc.
    name: Limit Access to Resource Over Network
  - fgmid: M1041
    mitigates: Encryption can be used to protect data at rest and in transit
    name: Encrypt Sensitive Information
  name: Malicious co-tenancy  exploit of NFVI (Network Slice)
  object-type: technique
  platforms: OA&M, Virtualization, Slice
  procedureexamples:
  - Description: A legitimate tenant 1 uses the Os-ma-nfvo interface to read the NS
      information of another tenant 2 sharing the NFVO. The tenant 1 may get sensitive
      information on the NS topology for a NS of a competitor (tenant 2).
    Name: Create Malicious Co-Tenancy
  - Description: A malicious tenant on-boards unused NS/VNF just to consume on-boarding
      resources (e.g. fill the NS and VNF registries or software image repository)
      to limit the space available for other tenant.
    Name: Consume on-boarding resources
  - Description: A malicious tenant uses the Os-ma-nfvo interface to manage the NSs
      of another tenant. For example, this malicious tenant may scale down the NS
      of a competitor to get more resources for his own NS or scale up to increase
      resource cost of another tenant.
    Name: Manipulate network slices of another tenant
  references:
  - <a name="1"> \[1\] </a> [ETSI NFV SEC026 Isolation and trust domain specification,
    section 4.2.2](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)
  status: This is a theoretical behavior
  subtechnique-of: FGT1599
  tactics:
  - TA0005
  typecode: fight_subtechnique_to_attack_technique
- access-required: User/NPE/Administrative access
  architecture-segment: Network Slice, Cloud Service Provider
  bluf: Adversaries may use a less secure slice to gain access to information in a
    more secure slice that uses the VNF (Common VNF) built on common infrastructure
    to misuse resources allocated to target VNFs or slice.
  criticalassets:
  - Description: NFVI includes orchestrators, network managers, and network elements
    Name: NFVI
  - Description: 5G Core, RAN and NON-SBI functions, virtual resources supporting
      VNF
    Name: VNFs
  - Description: Network slice SLA data, some information may be exposed if application
      functions are shared
    Name: Slice Control and User Plane data
  - Description: The application related data and sensitive parameters associated
      with a VNF
    Name: VNF application data and sensitive parameters
  - Description: LI application server manages user activity monitoring requests and
      monitoring set up of the user voice calls, SMS and data
    Name: VNF Lawful Interception (LI) data
  description: " Adversaries may use a less secure slice to gain access to information\
    \ in a more secure slice that uses the VNF (Common VNF) built on common infrastructure\
    \ to misuse resources allocated to target VNFs or slice.\r\n\r\nA compromised\
    \ (intentionally or simply misconfigured) VNF instantiated in one slice subnet\
    \ may access resources of another slice subnet. A common Network function Virtualization\
    \ Orchestrator (NFVO) or Virtualized Infrastructure Manager (VIM) without proper\
    \ safeguards may allow an adversary to starve a target slice or VNFs of the resources\
    \ it needs to meet the SLA and to create opportunities information exposure.\r\
    \n\r\n\r\n\r\n"
  detections:
  - detects: Monitor systems performance
    fgdsid: DS0013
    name: Sensor Health
  - detects: Audit logs - Auditing logs for security, authentication and authorization
      activity, host access, hosts, virtualization orchestrator and managers can reveal
      behavioral anomalies
    fgdsid: DS0015
    name: Application Log
  - detects: Audit Policy Violations - Automated user and resource policy compliance
      checks and instrumentation to alert on violation attempts
    fgdsid: DS0028
    name: Logon Session
  - detects: Monitor network flows
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1599.502
  mitigations:
  - fgmid: FGM5505
    mitigates: Hardware Mediated Execution Environment -Employ secure, hardware- based
      execution integrity as part of host/server design
    name: Hardware mediated  execution environment
  - fgmid: FGM5506
    mitigates: Use of Network Slice Templates -Use of templates for network slicing
      can enforce baseline security and isolation requirements.  These templates can
      be created for networks, compute and 5G slice functions deployments.
    name: network slice templates
  - fgmid: M1026
    mitigates: Least Privilege Access Control Policy - Access control policies should
      be granular to allow for optimal access to service requirements.
    name: Privileged Account Management
  - fgmid: M1030
    mitigates: 'Security and Trust zones -Security and trust zones can help isolate
      resources and can be mapped to business needs.

      Micro and Nano segmentation- Implementing segmentation policy at granular level,
      network and compute resources can prevent some co-residency threats when mapped
      to SLAs, Users, and Resource policies.


      Physical separation- Hardware, network, and point of presence can be separated
      to provide additional isolation.'
    name: Network Segmentation
  - fgmid: M1035
    mitigates: Resource Policy enforcement -Create and enforce resource policy; policy
      can include SLA, quotas, QOS etc.
    name: Limit Access to Resource Over Network
  - fgmid: M1041
    mitigates: Encryption can be used to protect data at rest and in transit
    name: Encrypt Sensitive Information
  name: Network Slice infrastructure resource hijacking
  object-type: technique
  platforms: Slice, CSP
  procedureexamples:
  - Description: If a service provider uses network slicing and creates two slice
      subnets by creating network service instances on the same NFV environment (i.e.
      the same NFVO and functional blocks) and thus being built with resources of
      the same NFVI-PoP(s), this may lead to unauthorized access to resources/data
      of another slice.
    Name: Use of common virtual orchestrators and infrastructure managers
  references:
  - <a name="1"> \[1\] </a> [ETSI NFV SEC026 Isolation and trust domain specification,
    section 4.2.3](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)
  status: This is a theoretical behavior
  subtechnique-of: FGT1599
  tactics:
  - TA0005
  typecode: fight_subtechnique_to_attack_technique
- access-required: User/NPE/Administrative access
  architecture-segment: Network Slice, OA&M, Virtualization
  bluf: An adversary may use compromised container management SW (or account) in MANO
    domain to gain access to target VNFs and its resources for unauthorized access
    to resources/data of another slice in NFVI or resource exhaustion of target application
    resulting in denial of service.
  criticalassets:
  - Description: NFVI includes orchestrators, network managers, and network elements
    Name: NFVI
  - Description: 5G Core, RAN and Non-SBI functions, virtual resources supporting
      VNF
    Name: VNFs
  - Description: Network slice SLA data, some information may be exposed if application
      functions are shared
    Name: Slice Control and User Plane data
  - Description: The application related data and sensitive parameters associated
      with a VNF
    Name: VNF application data and sensitive parameters
  description: " An adversary may use compromised container management SW (or account)\
    \ in MANO domain to gain access to target VNFs and its resources for unauthorized\
    \ access to resources/data of another slice in NFVI or resource exhaustion of\
    \ target application resulting in denial of service.\r\n\r\nNetwork Slice has\
    \ a logical boundary, and within NS certain performance SLAs are guaranteed. \
    \ A malicious software or adversarial actions in the NFV-MANO, modifies the affinity\
    \ and anti-affinity rules for the constituents of VNFs/NSs in the catalogue or\
    \ during an instantiation operation requested to the VIM, modifying the virtual\
    \ resource isolation needs for these VNFs/NSs and enabling further attacks. This\
    \ can result in placing adversary\u2019s virtualized application on the same VM\
    \ or container engine as target NF and allow for further attacks of container\
    \ or VM escape or resource exhaustion.\r\n\r\n"
  detections:
  - detects: Monitor systems performance
    fgdsid: DS0013
    name: Sensor Health
  - detects: Audit logs - Auditing logs for security, authentication and authorization
      activity, host access, hosts, virtualization orchestrator and managers can reveal
      behavioral anomalies
    fgdsid: DS0015
    name: Application Log
  - detects: Audit Policy Violations - Automated user and resource policy compliance
      checks and instrumentation to alert on violation attempts
    fgdsid: DS0028
    name: Logon Session
  - detects: Monitor network flows
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5038
  mitigations:
  - fgmid: FGM5505
    mitigates: Hardware Mediated Execution Environment -Employ secure, hardware- based
      execution integrity as part of host/server design (M1041).
    name: Hardware mediated  execution environment
  - fgmid: FGM5506
    mitigates: Use of Network Slice Templates -Use of templates for network slicing
      can enforce baseline security and isolation requirements.  These templates can
      be created for networks, compute and 5G slice functions deployments.
    name: network slice templates
  - fgmid: M1026
    mitigates: Least Privilege Access Control Policy - Access control policies should
      be granular to allow for optimal access to service requirements.
    name: Privileged Account Management
  - fgmid: M1030
    mitigates: 'Security and Trust zones -Security and trust zones can help isolate
      resources and can be mapped to business needs.

      Micro and Nano segmentation- Implementing segmentation policy at granular level,
      network and compute resources can prevent some co-residency threats when mapped
      to SLAs, Users, and Resource policies.


      Physical separation- Hardware, network, and point of presence can be separated
      to provide additional isolation.'
    name: Network Segmentation
  - fgmid: M1035
    mitigates: Resource Policy enforcement -Create and enforce resource policy; policy
      can include SLA, quotas, QOS etc.
    name: Limit Access to Resource Over Network
  - fgmid: M1041
    mitigates: Encryption can be used to protect data at rest and in transit
    name: Encrypt Sensitive Information
  name: Network Slice application resource hijacking
  object-type: technique
  platforms: Slice
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Fraunhofer AISEC, \u201CThreat Analysis of Container-as-a-Service\
    \ for Network Function, accessed April 28, 2021](https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Studien_TechReports/englisch/caas_threat_analysis_wp.pdf)"
  status: This is a theoretical behavior
  tactics:
  - TA0040
  typecode: fight_technique
- access-required: User/NPE/Administrative access
  addendums:
  - "#### Addendum Name: Network Elements\r\n##### Architecture Segments: User Plane,\
    \ Control Plane, Roaming, Virtualization\r\n Adversaries may sniff network traffic\
    \ to capture information about 5G environment, control and user plane data including\
    \ authentication material, equipment identifiers.\r\n\r\nA compromise of network\
    \ function (NF) supporting Service based (SBI), Non-Service Based (non-SBI), Roaming\
    \ interfaces, and virtual network elements may allow an adversary to capture network\
    \ traffic.  \r\n\r\n\r\n The following Network interfaces are in the scope of\
    \ this technique addendum:\r\n\r\n1.\t\u201CNon-SBI\u201D (non-Service Based Interface)\
    \ network interfaces are within 5G core and RAN, and between the RAN and the 5G\
    \ Core (e.g. N2, N3, N4, Xn). \r\n\r\n2.\tSBI network interfaces are between core\
    \ NFs within an operator network; they use REST APIs.\r\n\r\n3.\tRoaming and interconnect\
    \ interfaces, including IPX, are between network operators (between SEPPs, or\
    \ other interworking functions like AMF/MME (N26) and between UPFs (N9)).\r\n\r\
    \nAn adversary with access to the non-SBI interfaces not using encryption can\
    \ monitor traffic exchange and obtain UE information such as user identifiers,\
    \ serving network identifiers, and location info. \r\n\r\nThe adversary with access\
    \ to the SBI links, may eavesdrop signaling messages if TLS encryption is not\
    \ enabled. This leads to disclosure of UE authentication and authorization information,\
    \ and NF IP addresses and other topology information.\r\n\r\nThe adversary positioned\
    \ on an IPX node may collect data over the N32 interface while a UE is roaming,\
    \ if a SEPP has used encryption on some parts of the messages sent, or used a\
    \ weak cipher for JWE encryption. Similarly, an adversary positioned on a SEPP\
    \ can observe or easily decrypt signaling messages sent on the N32 interface.\r\
    \n\r\nSimilarly, if the EPC interworking interface N26 for non-roaming is not\
    \ encrypted, all subscriber signaling data may be exposed to adversary.\r\n\r\n\
    Adversary may also use compromised virtualized network elements to (vSwitch/vRouter,\
    \ Virtual Firewalls) to span traffic to a sniffing port for access to traffic\
    \ flows and user/system data. In a virtualized environment access can be gained\
    \ much more easily as the servers making up a function are more likely to be physically\
    \ and virtually distributed and the SDN vSwitch would allow an adversary to fork\
    \ IP packets flowing between hosts remotely much more easily. Such forking is\
    \ very difficult to detect or prevent from within a 3GPP NF or VM, and adversaries\
    \ may be able to read data in transit. \r\n\r\nAn adversary may utilize these\
    \ observations for several follow-on techniques.\r\n\r\n"
  - "#### Addendum Name: Fronthaul\r\n##### Architecture Segments: User Plane, Control\
    \ Plane, Roaming, Virtualization\r\n Adversaries may sniff network traffic to\
    \ capture information about fronthaul user plane.\r\n\r\nORAN Alliance has defined\
    \ the open fronthaul interface which connects one O-DU to one or more O-RUs inside\
    \ the gNB. The fronthaul interface makes it possible to distribute the physical\
    \ layer functionalities between RU and DU, and to control RU operations from DU.\
    \ ORAN Alliance has selected a specific configuration (split 7.2x) for splitting\
    \ of the physical layer among those proposed by 3GPP. The lower part of the physical\
    \ layer (low PHY) resides in RU and performs Orthogonal Frequency Division Multiplexing\
    \ (OFDM) phase compensation, inverse FFT and Cyclic Prefix (CP) insertion for\
    \ frequency-to-time conversion in downlink, and FFT and CP removal in uplink.\
    \ The physical layer in DU (high PHY) performs scrambling, modulation, layer mapping,\
    \ and resource element mapping. Fronthaul consists of four types of interfaces:\
    \ Control or C plane is used to carry control plane messages, User or U plane\
    \ is used to carry user plane data, Synchronization or S plane is used to carry\
    \ timing information and Management or M plane is used to carry management data.\r\
    \n\r\nO-RAN fronthaul interface needs to implement strict performance requirements\
    \ which includes very high throughput and very low latency. See clause 4.4 of\
    \ [2]. Some security features may not be implemented by MNOs to meet those requirements\
    \ and to reduce processing delay. Hence, Adversary on the Side (AoTS) attack on\
    \ open fronthaul interface is possible which results in passive eavesdropping\
    \ of U plane data. The adversary may use a simple sniffer device to monitor all\
    \ U plane communications which is normally not encrypted at lower 3 layers (RLC,\
    \ MAC and PHY). Confidentiality and integrity protection requirements are not\
    \ specified by ORAN alliance for control, user and synchronization (CUS) planes,\
    \ and those are mandatory for M plane. See clause 6.1 of [2] and clause 5.4 of\
    \ [3].\r\n\r\nNote: The user plane data in PDCP and above layers remains encrypted\
    \ on Fronthaul U plane and this eavesdrop attack will not impact any of those\
    \ data unless PDCP security is also broken by the adversary.\r\n\r\n"
  architecture-segment: User Plane, Control Plane, Roaming, Virtualization
  bluf: Adversaries may sniff network traffic to capture information about an environment,
    including authentication material passed over the network.
  criticalassets:
  - Description: Sensitive User signaling such as authentication data, user location
      for the N32 interface
    Name: UE data on roaming signaling interface
  - Description: User data for the N9 interface
    Name: UE data on roaming user plane interface
  - Description: Signaling data, provisioning data, service discovery
    Name: UP, CP Data
  - Description: Sensitive subscriber user plane data will be available to the adversary.
    Name: Sensitive subscriber data
  description: "Adversaries may sniff network traffic to capture information about\
    \ an environment, including authentication material passed over the network.\r\
    \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1040)\r\
    \n"
  detections:
  - detects: Monitor processes which may sniff data.
    fgdsid: DS0009
    name: Process
  - detects: Monitor for allowed modifications relative to the agreed upon modifications
      per roaming agreements and agreements with IPX.
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor commands given to NFs which may help data sniffing.
    fgdsid: DS0017
    name: Command
  - detects: Monitoring ability to detect new ports, devices on the network
    fgdsid: DS0039
    name: Asset
  - detects: Monitor if security configurations in O-RU and O-DU are downgraded to
      weak or no security levels.
    fgdsid: FGDS5022
    name: Monitor security configurations
  id: FGT1040
  mitigations:
  - fgmid: FGM5033
    mitigates: Use zero trust for NF protection
    name: Zero Trust
  - fgmid: M1020
    mitigates: Encrypt using TLS all links between NFs and between NF and SCP
    name: SSL/TLS Inspection
  - fgmid: M1040
    mitigates: Monitor to ensure configurations do not change from acceptable options
    name: Behavior Prevention on Endpoint
  - fgmid: M1041
    mitigates: 'Non-SBI: Use encryption (IPSec) on these interfaces. Sections 9.2,
      9.3, 9.4, 9.8, 9.9 of [2], and for N26 interfaces, see 4.3.1. of [3].


      SBI: Encrypt using TLS all links between NFs and between NF and SCP if one is
      deployed. TLS must use certificates for both client and server, and the certificate
      must include the SBA node type and must be checked against what the expectation
      is for that other party. The TLS profile should adhere to those in TS 33.210
      [9]. IPSec can be optionally used to protect TLS traffic further at a lower
      layer. Section 13.1.0 of [2] and also [8], [9].


      Roaming: For SEPP, see sections 4.2.3.3, 4.3., 4.4. of [4], and sections 13.1
      and 13.2 of [2].'
    name: Encrypt Sensitive Information
  - fgmid: M1054
    mitigates: Ensure for MNO services that serve roaming partners that the minimum
      acceptable configuration is adequate and complies with [2] TS 33.501 clause
      13.2.4.9.
    name: Software Configuration
  - fgmid: M1026
    mitigates: Implement strong access control for all types of interfaces on originating
      switch and any intermediary devices on the fronthaul.
    name: Privileged Account Management
  - fgmid: M1030
    mitigates: Implement network segmentation.
    name: Network Segmentation
  - fgmid: M1041
    mitigates: Ensure fronthaul user plane data is protected with strong encryption
      algorithm. This will have performance impact on devices implementing it.
    name: Encrypt Sensitive Information
  - fgmid: M1047
    mitigates: Perform hardware and software installation audits of all O-RAN open
      fronthaul components.
    name: Audit
  name: Network Sniffing
  object-type: technique
  platforms: 5G Network, RAN
  postconditions:
  - Description: As a follow-on attack, adversary may launch application layer fingerprinting
      attack based on the data collected at MAC and RLC layers. [See FGT1040.501]
    Name: Application layer finger printing
  preconditions:
  - Description: Adversary must have physical access to open fronthaul network to
      collect data.
    Name: Adversary has access to open fronthaul network.
  procedureexamples:
  - Description: Adversary with access to the non-SBI interfaces (Xn, N2, N3, N4,
      N9) not using encryption can monitor traffic exchange and obtain UE information
      such as user identifiers, serving network identifiers, and location info. Non-SBI
      interfaces may not be encrypted for at least user plane or for control plane
      packets. See sections D.2.2., L.2.2., L.2.3 of [1]
    Name: Non-SBI compromise
  - Description: The adversary with access to the SBI links, for example, with control
      over the 5G Service Communication Proxy (SCP) or a network infrastructure node
      (proxy, router, switch), may eavesdrop signaling messages if TLS encryption
      is not enabled. This leads to disclosure of UE authentication and authorization
      information, and NF IP addresses and other topology information. See [6], [7].
    Name: SBI node compromise
  - Description: 'Adversary positioned on an IPX node can observe UE data if in the
      clear or easily decrypted: If a SEPP has not properly removed clear text information
      elements (IE) when replacing them with encrypted versions consistent with the
      previously negotiated protection policy or if the SEPP used a weak cipher for
      JWE encryption. See section G.2.4 of [1].'
    Name: IPX node compromise
  - Description: The adversary positioned on a SEPP, can observe information elements
      on the N32c interface including cipher suites used, keys, protection policies
      exchanged, and error messages received from the peer SEPP.  Observations on
      the N32f interface include cell ID and Physical Cell ID, SUPI, NF to NF signaling
      for a given victim UE. An adversary may utilize these observations for a number
      of follow-on techniques.
    Name: SEPP compromise
  - Description: 'Adversary launches AoTS attack on open fronthaul U plane data traffic
      by using a simple sniffer device. The fronthaul U plane data usually does not
      have encryption due to stringent performance requirements. Hence an eavesdrop
      attack is possible by a simple device.


      This attack can only eavesdrop on user plane data below PDCP layer. Any user
      plane data in PDCP and above layers are not impacted by this attack. See clause
      5.4.1.2, T-UPLANE-01 of [1], clause 6.1 of [2] and clause 5.4 of [3].'
    Name: Eavesdrop on U plane data on open fronthaul interface.
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR 33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes\u201D, March\
    \ 2022](https://www.3gpp.org/DynaReport/33926.htm)"
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP), \u201C\
    Security Architecture and Procedures for 5G System\u201D, TS 33.501 v16.10.0 Release\
    \ 16, March 2022](https://www.3gpp.org/DynaReport/33501.htm)"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.501 \u201CSystem architecture for the\
    \ 5G System (5GS)\u201D, March 2022](https://www.3gpp.org/DynaReport/23501.htm)"
  - "<a name=\"4\"> \\[4\\] </a> [3rd Generation Partnership Project (3GPP), \u201C\
    5G Security Assurance Specification (SCAS) for the Security Edge Protection Proxy\
    \ (SEPP) network product class\u201D, TS 33.517, ver. 17.0.0, Jun. 2021](https://www.3gpp.org/DynaReport/33517.htm)"
  - "<a name=\"5\"> \\[5\\] </a> [G. Green, \u201C5G Security when Roaming \u2013\
    \ Part 2,\u201D Mpirical, Lancaster, UK, May 21,2021](https://www.mpirical.com/blog/5g-security-when-roaming-part-2)"
  - "<a name=\"6\"> \\[6\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    , October 2021](https://arxiv.org/abs/2108.11206 )"
  - <a name="7"> \[7\] </a> [G. Koien, "On Threats to the 5G Service Based Architecture",
    2021.](https://www.researchgate.net/publication/349455036_On_Threats_to_the_5G_Service_Based_Architecture)
  - "<a name=\"8\"> \\[8\\] </a> [\u201CThe Transport Layer Security (TLS) Protocol\u201D\
    , Version 1.2. RFC 5246](https://www.ietf.org/rfc/rfc5246.txt)"
  - "<a name=\"9\"> \\[9\\] </a> [3GPP TS 33.210 \u201CNetwork Domain Security (NDS);\
    \ IP network layer security\u201D](https://www.3gpp.org/DynaReport/33210.htm)"
  - "<a name=\"10\"> \\[10\\] </a> [3GPP TR 33.848 \u201CStudy on Security Impacts\
    \ of Virtualization\u201D. (WIP) Section 5.15.2](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3574)"
  - <a name="1"> \[1\] </a> [O-RAN Threat Model 6.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="2"> \[2\] </a> [O-RAN WG4 Control, User, and Synchronization Plane Specification
    12.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="3"> \[3\] </a> [O-RAN WG4 Management Plane Specification 12.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0007
  - TA0009
  - TA0006
  typecode: attack_technique_addendum
- access-required: User/NPE/Administrative access
  addendums:
  - "#### Addendum Name: Network traffic duplication\r\n##### Architecture Segments:\
    \ OA&M, Virtualization\r\n An adversary may use compromised virtualized network\
    \ elements to (vSwitch, vRouter, Virtual Firewalls) to span traffic to sniffing\
    \ port for access to user plane and control plane data.\r\n\r\nIn a virtualized\
    \ environment, access can be gained much more easily as the servers making up\
    \ a function are more likely to be virtually distributed and the SDN vSwitch would\
    \ allow an adversary to fork IP packets flowing much more easily between hosts\
    \ remotely. Most network devices/software have capabilities for traffic duplication\
    \ for troubleshooting or legal purposes (Lawful Interception). Such forking is\
    \ very difficult to detect or prevent from within a 3GPP NF or VM. An adversary\
    \ could read data in transit without being detected by application monitoring\
    \ software.\r\n\r\n"
  architecture-segment: OA&M, Virtualization
  bluf: Adversaries may leverage traffic mirroring in order to automate data exfiltration
    over compromised infrastructure.
  criticalassets:
  - Description: Virtual switch, Virtual Router, Virtual Firewalls, Virtual Load Balancers,
      SDN Controllers
    Name: Virtual elements
  description: "Adversaries may leverage traffic mirroring in order to automate data\
    \ exfiltration over compromised infrastructure.\r\n[To read more, please see the\
    \ MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1020/001)\r\
    \n"
  detections:
  - detects: Monitor all user accounts accessing network devices to detect abnormal
      activity
    fgdsid: DS0002
    name: User Account
  - detects: Monitor Command executions on the devices
    fgdsid: DS0017
    name: Command
  - detects: Network elements use active and start up configuration files, monitoring
      configuration drifts can reveal abnormal activity
    fgdsid: DS0022
    name: File
  - detects: Monitor log on sessions and escalation to higher privilege activity on
      the devices
    fgdsid: DS0028
    name: Logon Session
  - detects: Monitor network traffic for new traffic flows, analyze socket connections
      and protocol used to determine abnormal behavior.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1020.001
  mitigations:
  - fgmid: M1026
    mitigates: Manage accounts with privilege to make changes either in the device
      or its controller.
    name: Privileged Account Management
  - fgmid: M1041
    mitigates: Encrypt sensitive data flows for Control plane and User plane traffic
    name: Encrypt Sensitive Information
  name: Traffic Duplication
  object-type: technique
  platforms: 5G
  references:
  - '<a name="1"> \[1\] </a> [3GPP TR 33.848 Security Impacts of Virtualization,

    Section 5.15.2](https://www.3gpp.org/DynaReport/33848.htm)'
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1020
  tactics:
  - TA0007
  - TA0010
  typecode: attack_subtechnique_addendum
- access-required: Service Account
  architecture-segment: Application Layer
  bluf: Adversaries may gain unauthorized access to a Hardware Security Module (HSMs)
    to sign  keys and/or other derived key material that can be used to achieve additional
    goals.
  criticalassets:
  - Description: A physical computing device that safeguards and manages digital key
      material, performs operations such as encryption and decryption, signature generation.
    Name: HSM
  description: " Adversaries may gain unauthorized access to a Hardware Security Module\
    \ (HSM) to sign keys and/or other derived key material that can be used to achieve\
    \ additional goals. \r\n\r\nAn HSM is a hardware component that handles keying\
    \ material (storage, computation). They can take the form of a plug-in card or\
    \ an external device that attaches directly to a server. An HSM contains secure\
    \ crypto-processor chips. MNOs use HSM\r\nappliances as a Root of Trust to secure\
    \ their PKI infrastructure, which is used to sign certificates for gNBs and NFs.\
    \ \r\n\r\nAlthough an HSM protects key material from compromise and from export\
    \ if configured properly, an adversary may obtain privileges allowing them to\
    \ utilize a legitimate HSM functions, e.g., through PKCS #11 function calls, Cryptoki\
    \ library, etc., such that an adversary may obtain signatures and derivative key\
    \ material seen as legitimate by other MNO NFs. \r\n\r\n"
  detections:
  - detects: Analyze the application logs for access from appropriate NFs and appropriate/typical
      use
    fgdsid: DS0015
    name: Application Log
  - detects: Analyze access logs for appropriate use by admins
    fgdsid: DS0028
    name: Logon Session
  - detects: Monitor for activity from unexpected sources
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1555.501
  mitigations:
  - fgmid: M1017
    mitigates: Train users to be aware of access or manipulation attempts by an adversary
      to reduce the risk of unauthorized access to the HSM
    name: User Training
  - fgmid: M1018
    mitigates: Restrict users of HSM to minimal privileges from only permitted NFs
    name: User Account Management
  - fgmid: M1026
    mitigates: Ensure administrative accounts for HSM are carefully managed to minimize
      potential admin credential compromise. This may include use of privileged access
      workstations, privileged account management solutions, separation of duties
      approaches, etc.
    name: Privileged Account Management
  name: Hardware Security Module Key Signing
  object-type: technique
  platforms: HSM
  postconditions:
  - Description: Adversary would have the ability to perform signing and cryptographic
      operations that would permit the adversary to masquerade as a legitimate authorized
      user and perform operations against NFs.
    Name: Adversary is able to perform crypto operations fraudulenty.
  preconditions:
  - Description: Adversary acquires credentials with legitimate privileges to conduct
      operations using the HSM. Adversary has a position to initiate transactions
      with the HSM.
    Name: Obtain service account credentials
  procedureexamples:
  - Description: An adversary would compromise a function or service that has privileges
      to perform operations using the HSM and use other techniques to obtain the credentials.
      The adversary may perform operations from the compromised environment or exfiltrate
      the credentials to another system to perform the operations and conduct further
      activities.
    Name: Credential compromise
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Baseline Security Controls\_\u2013NO-009, FS.31\
    \ version 2.0,GSMA, February 2020](https://www.gsma.com/security/wp-content/uploads/2020/02/FS.31-v2.0.pdf)"
  - <a name="2"> \[2\] </a> [A New Trust Model For The 5G Era, Thales, October 2020](https://cpl.thalesgroup.com/sites/default/files/content/research_reports_white_papers/field_document/2020-10/New-Trust-Model-For-5G-Era-WP.pdf)
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1555
  tactics:
  - TA0006
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: Control Plane
  bluf: An adversary may compromise the Equipment Identity Register (EIR) function
    and adds new equipment, modifies status (ok vs. stolen or prohibited) of mobile
    device.
  criticalassets:
  - Description: Device databases should be kept from tampering.
    Name: Integrity of device database
  - Description: UE status should be kept accurate.
    Name: User equipment status integrity
  description: " An adversary may compromise\_the Equipment Identity Register (EIR)\
    \ function and\_adds new equipment, modifies status (ok vs. stolen or prohibited)\
    \ of mobile device.\r\n\r\nEIR is an optional component (applicable to 3G, 4G,\
    \ 5G) storing the status of a mobile equipment and optionally which  Permanent\
    \ Equipment Identifier (PEI) it is allowed to use. Compromising it can allow an\
    \ adversary to modify status of devices (e.g. \"stolen\", \"prohibited'). \r\n\
    \r\nNote: Modifying the EIR does not affect the subscription data such as access\
    \ to network slice, customer data, or allow fraudulent use of service. \r\n\r\n"
  detections:
  - detects: Difficult to detect unauthorized changes. Inspect logs of what changes
      were made and by whom in the EIR
    fgdsid: FGDS5009
    name: Access to operator resource
  id: FGT5015
  mitigations:
  - fgmid: FGM5020
    mitigates: Secure EIR
    name: Secure subscriber repositories
  name: Device Database Manipulation
  object-type: technique
  platforms: 5G Network
  procedureexamples:
  - Description: 'Reference [1], DC-003, calls for the MNOs to employ an EIR. The
      rest of the attack is theoretical: an adversary may modify some of the entries
      in the EIR database, e.g. device status (stolen, etc.)


      The AMF is the only function that checks the EIR based on PEI, upon UE registration
      (using the API N5g-eir_EquipmentIdentityCheck_Get).'
    Name: EIR database compromise
  references:
  - "<a name=\"1\"> \\[1\\] </a> [GSM Association, \u201CGSM Association Official\
    \ Document FS.31, Baseline Security Controls.\u201D, v3.0, Sep. 2023](https://www.gsma.com/security/resources/fs-31-gsma-baseline-security-controls\
    \ )"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0040
  typecode: fight_technique
- access-required: N/A
  architecture-segment: Control Plane, Network Slice
  bluf: An adversary-controlled UE may send high volumes of signaling messages to
    core network functions in order to cause a denial of service.
  criticalassets:
  - Description: AMF functionality serving the UEs should be available always.
    Name: Network services (AMF)
  description: " An adversary-controlled UE may send high volumes of signaling messages\
    \ to core network functions in order to cause a denial of service.\r\n\r\nUpon\
    \ power on or coming out of flight mode, a UE needs to register with 5G network\
    \ in order to get services from the network. After it gets connected to the network,\
    \ UE sends several signaling messages to maintain the connection and to request\
    \ new services. If any of those signaling messages are sent repeatedly to 5G network,\
    \ the network spends its resources to process those request messages, which may\
    \ overwhelm some critical Network Functions (NFs) such as Access and Mobility\
    \ Function (AMF).\r\n\r\nA malicious UE sends repeated Attach requests which cause\
    \ AMF to start many registrations. Alternatively, when a load balancing Service\
    \ Communication Proxy (SCP) is not employed, an adversary in the network sends\
    \ many otherwise-legitimate control messages to a NF so as to overload it. Network\
    \ service is degraded for all other users in that area (served by AMF).\r\n\r\n"
  detections:
  - detects: Application layer DoS attack detection mechanism can be used to detect
      repeated attempt of UE attach-detach cycle within a short period.
    fgdsid: DS0018
    name: Firewall
  id: FGT1498.501
  mitigations:
  - fgmid: FGM5498
    mitigates: 'Employ a firewall or other rate control box on the N2 interface [from
      RAN to AMF]


      (May not be available in the market). Employ a NAS-MM (Non-access stratum Mobility
      Mgmt) application layer proxy at the edge of the network, having the capability
      to limit UE request rate.

      In addition, SCP can act as load balancer between the service consumer (AMF)
      and service producer (UDM). (Annex E of [2])'
    name: Limit incoming signaling and user plane traffic
  name: Flooding of core network component
  object-type: technique
  platforms: 5G network
  postconditions:
  - Description: 'If AMF services are down, all services for the existing UEs which
      use NAS layer will not be available. For example: mobility, session management
      (QoS etc.), PDU session set up / tear down, SMS over NAS, location management.
      New UE connection attempts will also fail when AMF services are down. Clause
      8.2.2.1 of [2].'
    Name: AMF service will not be available to legitimate users during attack.
  procedureexamples:
  - Description: "Because network slices and network functions can be shared, malicious\
      \ UE can create control plane storms.\n\nAMF Message Flooding for a shared slice\
      \ with shared NFs:\n(1) An initial AMF validates if the user (UE) is allowed\
      \ to access the subscribed S-NSSAI: AMF contacts the UDM to request the UE\u2019\
      s Slice Selection Subscription data.  The initial UDM may contact the UDR for\
      \ the UE's Slice Selection Subscription data, then provides the data to the\
      \ AMF.\n(2) During the t0 to t-delta time interval that it takes to perform\
      \ (1), the UE drops the initial AMF then re-attaches to the AMF, restarting\
      \ the validation.\n(3) The UE recursively performs (2), which recursively performs\
      \ (1), creating a \"UE-AMF-UDM-UDR-AMF\" message storm sandwiched in between\
      \ an \"Attach-Detach\" storm.\n(4) Since this is a shared slice with shared\
      \ NFs, the control plane storm (Attach-UE-AMF-UDM-UDR-AMF-Detach-Attach-recursively\
      \ repeat) creates a DoS condition."
    Name: Control plane signaling storm from (at least) one malicious UE
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - '<a name="2"> \[2\] </a> [3GPP TS 23.501: System architecture for the 5G System
    (5GS)](https://www.3gpp.org/DynaReport/23501.htm  )'
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT1498
  tactics:
  - TA0040
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: Roaming
  bluf: An adversary exploits interconnection/interworking between MNOs to obtain
    information about roaming user sessions or commit fraud.
  criticalassets:
  - Description: Adversaries may need to compromise a vSEPP to perform certain activities
      to ensure they look legitimate.
    Name: SEPP
  - Description: Adversaries may need to compromise a vPLMN NF to perform certain
      activities to ensure they look legitimate
    Name: NFs in the vPLMN
  - Description: Adversary will need to compromise keys used to sign IE modifications
      at IPX
    Name: IPX signing keys
  description: " An adversary exploits interconnection/interworking between MNOs to\
    \ obtain information about roaming user sessions or commit fraud. \r\n\r\nThe\
    \ adversary with a position on a trusted partners environment, see [FGT1199.501](/techniques/FGT1199.501),\
    \ is in a position to send legitimate looking messages to a PLMN interfaces and\
    \ network functions and modify, in some circumstances, legitimate messages. Through\
    \ these messages, the adversary may obtain sensitive information about the PLMN\u2019\
    s subscribers. With the ability to send messages seen by the PLMN as legitimate,\
    \ the trusted partner may also commit fraud.\r\n\r\n\r\n\r\n"
  detections:
  - detects: Monitor for use of IE modification by IPX and respond when unexpected
      IE modifications are seen.
    fgdsid: DS0015
    name: Application Log
  id: FGT5016
  mitigations:
  - fgmid: M1041
    mitigates: Block or limit cipher choices used for JWS. Use of weak JWS ciphers
      could allow unauthorized disclosure
    name: Encrypt Sensitive Information
  - fgmid: M1054
    mitigates: Block unauthorized IE modifications by IPX. Allow only communication
      where authorized IpxId is not NULL
    name: Software Configuration
  - fgmid: M1056
    mitigates: Avoid using PRINS and use direct SEPP-SEPP with HTTP/s.  Use of the
      SEPP to SEPP solution instead of allowing an IPX to potentially observe and
      manipulate information avoids the problem. A future SEPP hub solution may also
      mitigate this risk by providing a more scalable SEPP to SEPP solution.
    name: Pre-compromise
  name: Abuse of Inter-operator Interfaces
  object-type: technique
  platforms: IPX, SEPP, VAS
  preconditions:
  - Description: Adversary will need to compromise keys used to sign IE modifications
      at IPX
    Name: IPX key compromise
  - Description: Compromise of the initiating SEPP, typically the VPLMN SEPP, would
      permit an adversary to establish a protection policy that would allow IPX modification.
    Name: Compromise of initiating SEPP
  procedureexamples:
  - Description: In one approach, the adversary, in a position on an IPX, could modify
      the messages between the vPLMN (visited PLMN) and hPLMN (home PLMN) if PRINS
      is used, resulting in possible information modification and/or disclosure.  Modification
      of an Information element (IE) could enable possible denial of service and/or
      information disclosure and this is addressed in [FGT5029](/techniques/FGT5029).
    Name: Manipulate data between two PLMNs
  - Description: If the adversary controls a vPLMN SEPP they may modify signaling
      on N32 and/or generate requests to hPLMN NFs. The adversary controlled vSEPP
      could terminate TLS connections to hPLMN NFs and proxy requests as an adversary-in-the-middle,
      see [FGT1557.502](/techniques/FGT1557.502). Legitimate looking requests that
      could result in information disclosure or fraud may involve Value Added Service
      (VAS), e.g., VAS providing SEPP to the VPLMN
    Name: Compromise SEPP and modify signaling it sends
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [\u201CSecurity Assurance Specification (SCAS) threats\
    \ and critical assets in 3GPP network product classes,\u201D 3rd Generation Partnership\
    \ Project (3GPP), TR 33.926 ver.17.3.0, Dec. 2021, sec. G.2.4.1-G.2.4.2](https://www.3gpp.org/DynaReport/33926.htm)"
  - "<a name=\"3\"> \\[3\\] </a> [G. Green, \u201C5G Security when Roaming \u2013\
    \ Part 2,\u201D Mpirical, Lancaster, UK, May 21, 2021](https://www.mpirical.com/blog/5g-security-when-roaming-part-2)"
  - "<a name=\"4\"> \\[4\\] </a> [\u201CSecurity architecture and procedures for 5G\
    \ System,\u201D 3GPP, TS 33.501 ver. 16.3.0, July 2020, Sec. 13.1.2,13.2](https://www.3gpp.org/DynaReport/33501.htm)"
  - "<a name=\"5\"> \\[5\\] </a> [\u201C5G System; Public Land Mobile Network (PLMN)\
    \ Interconnection; Stage 3,\u201D 3GPP, TS 29.573 ver.16.9.0, March 2022](https://www.3gpp.org/DynaReport/29573.htm)"
  - "<a name=\"6\"> \\[6\\] </a> [P.Tommassen, \u201C5G Security When Roaming,\u201D\
    \ iBasis, October 6, 2020](https://ibasis.com/5g-security-when-roaming/)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0009
  - TA5001
  typecode: fight_technique
- addendums:
  - "#### Addendum Name: Core-network scanning\r\n##### Architecture Segments: OA&M\r\
    \n An adversary may discover operator network related information (identifiers).\
    \ \r\n\r\nAdversaries may attempt to get a listing of earlier generation systems\
    \ (e.g. 3G) that do not use IP address, hostname, but instead, other identifiers,\
    \ such as point codes (like IP addresses for SS7 protocols, point to point) and\
    \ Global Titles. Examples are GTScan, SigPloit, SCTPScan and GTPScan. \r\n\r\n\
    Note: This is scanning for 3G, 4G and 5G core components address info.  This is\
    \ scanning for open ports to determine protocol use without compromising the host/NF.\r\
    \n\r\n"
  architecture-segment: OA&M
  bluf: Adversaries may attempt to get a listing of other systems by IP address, hostname,
    or other logical identifier on a network that may be used for Lateral Movement
    from the current system.
  criticalassets:
  - Description: Data (IP address or FQDN, ports) relating to network nodes.
    Name: MNO core network component data.
  description: "Adversaries may attempt to get a listing of other systems by IP address,\
    \ hostname, or other logical identifier on a network that may be used for Lateral\
    \ Movement from the current system.\r\n[To read more, please see the MITRE ATT&CK\
    \ page for this technique](https://attack.mitre.org/techniques/T1018)\r\n"
  detections:
  - detects: SIEM tools using network firewalls. Detect port scanners.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1018
  mitigations:
  - fgmid: M1030
    mitigates: Ensure proper network segmentation is followed to protect critical
      servers and devices.
    name: Network Segmentation
  - fgmid: M1031
    mitigates: Use network intrusion detection/prevention systems to detect and prevent
      remote service scans.
    name: Network Intrusion Prevention
  - fgmid: M1042
    mitigates: Ensure that unnecessary ports and services are closed to prevent risk
      of discovery and potential exploitation.
    name: Disable or Remove Feature or Program
  name: Remote System Discovery
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: Adversary now knows identifiers of some network nodes, and so these
      nodes can now be spoofed or targeted for Denial of Service.
    Name: Identifier of some network nodes is known
  preconditions:
  - Description: Adversaries need access to such tools.
    Name: Access to scanning tool
  procedureexamples:
  - Description: Adversaries may employ pen testing tools such as GTScan, SigPloit,
      SCTPScan and GTPScan.
    Name: Use of pen testing tools.
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0007
  typecode: attack_technique_addendum
- addendums:
  - "#### Addendum Name: Core-network scanning\r\n##### Architecture Segments: OA&M\r\
    \n An adversary may discover operator network related information (identifiers).\
    \ \r\n\r\nAdversaries may attempt to get a listing of earlier generation systems\
    \ (e.g. 3G) that do not use IP address, hostname, but instead, other identifiers,\
    \ such as point codes (like IP addresses for SS7 protocols, point to point) and\
    \ Global Titles. Examples are GTScan, SigPloit, SCTPScan and GTPScan. \r\n\r\n\
    Note: This is scanning for 3G, 4G and 5G core components address info. This is\
    \ scanning for open ports to determine protocol use without compromising the host/NF.\r\
    \n\r\n"
  architecture-segment: OA&M
  bluf: Adversaries may attempt to get a listing of services running on remote hosts
    and local network infrastructure devices, including those that may be vulnerable
    to remote software exploitation.
  criticalassets:
  - Description: Data (IP address or FQDN, ports) relating to network nodes.
    Name: MNO core network component data.
  description: "Adversaries may attempt to get a listing of services running on remote\
    \ hosts and local network infrastructure devices, including those that may be\
    \ vulnerable to remote software exploitation.\r\n[To read more, please see the\
    \ MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1046)\r\
    \n"
  detections:
  - detects: SIEM tools using network firewalls. Detect port scanners.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1046
  mitigations:
  - fgmid: M1030
    mitigates: Ensure proper network segmentation is followed to protect critical
      servers and devices.
    name: Network Segmentation
  - fgmid: M1031
    mitigates: Use network intrusion detection/prevention systems to detect and prevent
      remote service scans.
    name: Network Intrusion Prevention
  - fgmid: M1042
    mitigates: Ensure that unnecessary ports and services are closed to prevent risk
      of discovery and potential exploitation.
    name: Disable or Remove Feature or Program
  name: Network Service Discovery
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: Adversary now knows identifiers of some network nodes, and so these
      nodes can now be spoofed or targeted for Denial of Service.
    Name: Identifier of some network nodes revealed
  preconditions:
  - Description: Adversaries need access to such tools.
    Name: Access to scanning tool
  procedureexamples:
  - Description: Adversaries may employ pen testing tools such as GTScan, SigPloit,
      SCTPScan and GTPScan.
    Name: Use of pen testing tools.
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0007
  typecode: attack_technique_addendum
- access-required: User/NPE/Administrative access
  addendums:
  - "#### Addendum Name: Compromise Network Isolation\r\n##### Architecture Segments:\
    \ OA&M, Virtualization, Network Slice\r\n An adversary may compromise network\
    \ separation controls to gain access to one or more of the 5G security zones or\
    \ networks.  \r\n\r\n5G is a system of systems and may be composed of several\
    \ network and security zones, as well as slices.  A compromise of controls placed\
    \ to maintain security zones or network segmentation based on IP networks, application\
    \ groups or slices may allow an adversary to gain unauthorized access to networks\
    \ or services. This may occur at a Core, RAN, Cloud or Slice boundary.\r\n\r\n\
    Once the adversary has infiltrated the internals of the network, it has ample\
    \ opportunities and a much broader attack surface to explore. The adversary can,\
    \ e.g., conduct privilege escalation and process injection for gaining administrative\
    \ rights, attempt password cracking of valid user accounts on the nodes, exploit\
    \ vulnerabilities in databases and file systems, and take advantage of improper\
    \ configurations of routers and switches.\r\n\r\nThe boundaries of a network and\
    \ its security zones can exist between various technologies, such as 4G and 5G,\
    \ or between different partners, such as private networks, mobile operators, or\
    \ Mobile Virtual Network Operators (MVNOs). These boundaries can also exist between\
    \ different network components, such as radio access, core, edge, and cloud, as\
    \ well as between national or international links and operator cores, and service\
    \ providers or operator cores.\r\nIn some cases, firewalls may be used to separate\
    \ these zones, such as SS7 protocol, Diameter protocol, 5G APIs, enhanced SCP\
    \ (Service Communication Proxy), IP (Internet Protocol), SIP (Session Initiation\
    \ Protocol), and GTP (GPRS Tunneling Protocols) firewalls. Alternatively, an interworking\
    \ function may be used to translate one protocol into another. However, it's important\
    \ to note that privileged access is not always necessary to bypass a firewall\
    \ or exploit an interworking function. Often, insufficient filtering may be the\
    \ cause, or the filtering may not be sufficiently deep.\r\n\r\n\r\n"
  architecture-segment: OA&M, Virtualization, Network Slice
  bluf: Adversaries may bridge network boundaries by compromising perimeter network
    devices or internal devices responsible for network segmentation.
  criticalassets:
  - Description: Devices enforcing network segmentation and creating perimeter for
      applications may include firewalls, SDN controllers, or Proxies.
    Name: Devices enforcing segmentation controls
  description: "Adversaries may bridge network boundaries by compromising perimeter\
    \ network devices or internal devices responsible for network segmentation.\r\n\
    [To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1599)\r\
    \n"
  detections:
  - detects: Network Traffic should be monitored for traffic flows and messaging contents
      to determine abnormal activity.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1599
  mitigations:
  - fgmid: M1026
    mitigates: Manage accounts for privileged users for the security zones in the
      5G network.
    name: Privileged Account Management
  - fgmid: M1027
    mitigates: "Password Policies \u2013 follow NIST Guidelines.  This may also include\
      \ token policies if security tokens are used."
    name: Password Policies
  - fgmid: M1032
    mitigates: Enable Multi-factor Authentication for privileged users
    name: Multi-factor Authentication
  - fgmid: M1037
    mitigates: Filter Network Traffic, per protocol
    name: Filter Network Traffic
  - fgmid: M1043
    mitigates: Protect credentials of management entities
    name: Credential Access Protection
  name: Network Boundary Bridging
  object-type: technique
  platforms: OA&M
  postconditions:
  - Description: If network boundaries are breached, monitoring system may detect
      unusual network flow
    Name: Unusual network traffic flows
  - Description: Adversary may attempt to discover networks and live hosts on the
      networks
    Name: Network mapping activity
  - Description: Adversary may attempt connect to hosts in the target network after
      profiling hosts and network mapping.
    Name: Connection attempts from unusual hosts
  preconditions:
  - Description: Privileged access to device implementing the network separation controls
    Name: Privileged access
  procedureexamples:
  - Description: "An adversary may impersonate a trusted source (roaming partner or\
      \ VAS) to avoid filtering by firewall, and to transport data in and out of the\
      \ targeted operator\u2019s network. ([1])"
    Name: Impersonate roaming partner/VAS (Value Added Service) provider
  - Description: An adversary may abuse the remote service offered for network MANO
      tools, to make configuration changes to SDN flow tables and cause packet filtering
      to not detect flow across boundaries. ([2])
    Name: MANO abuse to change SDN (Software Defined Networking) configuration
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,  October 2021](https://arxiv.org/abs/2108.11206 )"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0005
  typecode: attack_technique_addendum
- access-required: Physical
  architecture-segment: Physical & Environmental
  bluf: 'An adversary aims to destroy, expose, alter, disable, steal, or gain unauthorized
    access to physical assets such as infrastructure, hardware, or interconnection,
    affecting QoS or service availability. '
  criticalassets:
  - Description: Radio access units, information and communications technology equipment,
      optical interconnection facilities, cloud data center, edge computing facilities
    Name: Physical infrastructure
  description: " An adversary aims to destroy, expose, alter, disable, steal, or gain\
    \ unauthorized access to physical assets such as infrastructure, hardware, or\
    \ interconnection, affecting Quality of Service (QoS) or service availability.\
    \ \r\n\r\nActions taken by actors aimed at destroying, disabling, or stealing\
    \ physical assets supporting the 5G Network. A physical attack to 5G critical\
    \ assets may disrupt, interfere, and ultimately cause unavailability of the network\
    \ service. Despite the existence of physical protection mechanisms (e.g., physical\
    \ surveillance and surveillance cameras, security locks, security guards), physical\
    \ breaches and insider threat attacks may still occur.\r\n\r\n\r\n"
  detections:
  - detects: Asset tracking tools. Security Management and Detection
    fgdsid: DS0040
    name: Operational Databases
  id: FGT5018
  mitigations:
  - fgmid: FGM5005
    mitigates: 'Communications Centers.

      Communication centers should provide a full set of physical and environmental
      controls aimed to assure access control, monitoring, continuity of operations
      and protection against environmental disasters.'
    name: Physical and environmental protection
  name: Vandalism of Network Infrastructure
  object-type: technique
  platforms: Physical
  postconditions:
  - Description: Destruction or damage of these assets may cause an unavailability
      of resources.
    Name: Service unavailability
  - Description: Destruction or damage of these assets may cause information destruction.
    Name: Information destruction
  preconditions:
  - Description: "Improper physical security of Data Centers / Telecommunication equipment\
      \ room. \n\nImproper isolation of physical security perimeter between tenants.\n\
      \nImproper environmental protection controls.\n\nInadequate / defective security\
      \ devices."
    Name: Improper physical security of 5G core component infrastructure
  - Description: "Improper physical security of telecommunications equipment rooms\
      \ and equipment sited in partners\u2019 or users\u2019 premises.\n\nImproper\
      \ physical security of physically isolated operation areas.\n\nInadequate /\
      \ defective security devices."
    Name: gNB component infrastructure
  - Description: 'Improper physical security of telecommunications equipment rooms.


      Improper physical security of physically isolated operations areas.


      Inadequate / defective security devices.'
    Name: NFVI
  - Description: 'Unprotected data center interconnection channels.


      Improper physical security perimeter or isolation between tenants.'
    Name: SDN
  - Description: 'Improper physical and environmental security of edge computing facilities


      Improper security monitoring of edge computing facilities


      Insecure service environment.'
    Name: MEC host
  procedureexamples:
  - Description: Unauthorized access, destruction of assets and impairment of operations
    Name: Communication center
  - Description: Unauthorized access, destruction of assets and impairment of operations
    Name: Telecommunications equipment room
  - Description: Unauthorized access, destruction of assets and impairment of operations
    Name: Physically isolated operation areas
  - Description: unauthorized access, destruction of assets and impairment of operations
    Name: Equipment sited in other carrier's or partner's premises
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, November 2019.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA0040
  typecode: fight_technique
- access-required: None
  architecture-segment: Physical & Environmental
  bluf: An adversary targets unprotected cables and junction boxes in order to disrupt
    service.
  criticalassets:
  - Description: Data cables used in the operator network infrastructure
    Name: Data cables
  - Description: Power cables used in the operator network infrastructure
    Name: Power cables
  description: " An adversary targets unprotected cables and junction boxes in order\
    \ to disrupt service.\r\n \r\nFibers routed between pieces of equipment without\
    \ proper physical protection are susceptible to damage, which can critically affect\
    \ network reliability.\r\n\r\n"
  detections:
  - detects: 'Security Incident and event monitoring

      Event logs recording user activities, exceptions, faults and information security
      events should be produced, kept and regularly reviewed. Additional considerations:
      development of use-case specific alert rules, integration and correlation of
      data at all levels (network, application), integration and correlation with
      service provider-level monitoring mechanisms.'
    fgdsid: FGDS5012
    name: SIEM
  id: FGT5018.001
  mitigations:
  - fgmid: FGM5005
    mitigates: 'Secure junction boxes.

      Optical fiber junction boxes / splice closures should only be accessible to
      maintenance personnel and maintenance vehicles. A closure should be located
      away from high traffic or conditions that could cause damage to the closure
      or injury to personnel. [2] 11.2.3 advocates for cabling security.'
    name: Physical and environmental protection
  - fgmid: FGM5540
    mitigates: Power supply facilities in the isolated area such as mobile base stations
      should preferably provide an uninterruptible power supply with capacity for
      all loading and capable of withstanding primary power supply failures for the
      duration of likely outages. If that is impossible, a mechanism to provide uninterruptible
      power to critical equipment should be installed. Batteries may need to be augmented
      with a private electric generator, especially in isolated areas.
    name: Power supplies
  name: Cabling and junction boxes
  object-type: technique
  platforms: Data transmission infrastructure and power supply
  postconditions:
  - Description: Destruction or damage of these assets may cause an unavailability
      of resources.
    Name: Service unavailability
  - Description: Destruction or damage of these assets may cause information destruction
    Name: Information destruction
  preconditions:
  - Description: Fibers routed between pieces of equipment without proper protection
      are susceptible to damage, which can critically affect network reliability.
      The fiber cable management system should therefore ensure that every fiber is
      protected from physical damage.
    Name: Unprotected cables
  - Description: Lack of protection of junction boxes / splice closures. Improper
      cable routing also causes increased congestion in the termination panel and
      the cableways, increasing the possibility of bend radius violations and long-term
      failure.
    Name: ' Unprotected junction boxes'
  procedureexamples:
  - Description: An adversary may damage cabling and junction boxes
    Name: Disrupt service via physical damage
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, page 210, December\
    \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [ISO/IEC 27011:(2016), \u201CInformation technology\
    \ \u2014 Security techniques \u2014 Code of practice for Information security\
    \ controls based on ISO/IEC 27002 for telecommunications organizations\u201D](https://www.iso.org/obp/ui/#iso:std:iso-iec:27011:ed-2:v1:en\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5018
  tactics:
  - TA0040
  typecode: fight_subtechnique
- access-required: Physical
  architecture-segment: Physical & Environmental
  bluf: An adversary uses unrestricted access to exploit, damage, or destroy Radio
    Access hardware that lack adequate security
  criticalassets:
  - Description: ' RAN-CU & DU, C-RAN MEC and mmWave equipment'
    Name: Radio access hardware (gNB)
  description: " An adversary uses unrestricted access to exploit, damage, or destroy\
    \ Radio Access hardware that lack adequate security.\r\n\r\nThe use of small-cell\
    \ antennas requires hardware to be placed in highly accessible locations, such\
    \ as, commercial and residential buildings, ground-level structures, and existing\
    \ street furniture (bus stops, info kiosks, and billboards). These solutions count\
    \ on sharing site spaces in existing infrastructure to reduce costs due to the\
    \ increased amount of hardware required to maintain Quality of Service (QoS).\r\
    \n\r\n"
  detections:
  - detects: 'Event logs recording user activities, exceptions, faults and information
      security events should be produced, kept and regularly reviewed. Additional
      considerations: development of use-case specific alert rules, integration and
      correlation of data at all levels (network, application), integration and correlation
      with service provider-level monitoring mechanisms.'
    fgdsid: DS0040
    name: Operational Databases
  id: FGT5018.002
  mitigations:
  - fgmid: FGM5005
    mitigates: Sites should be provided with a full set of physical and environmental
      controls aimed to assure access control, monitoring, continuity of operations
      and protection against vandalism.
    name: Physical and environmental protection
  name: Radio Access Hardware
  object-type: technique
  platforms: Radio access hardware
  postconditions:
  - Description: Destruction or damage of these assets may cause unavailability of
      resources
    Name: Service unavailability
  - Description: Destruction or damage of these assets may cause information destruction
    Name: Information destruction
  preconditions:
  - Description: Despite the virtualized structure of the 5G network and all involved
      network functions, there will be a strong dependency on the physical infrastructure,
      especially in the initial migration/hybrid 5G deployments.
    Name: Improper physical security of radio access hardware
  procedureexamples:
  - Description: Classified as a deliberate physical attack, this threat relates to
      actions taken by actors aimed at destroying, disabling or stealing physical
      assets supporting the 5G Network. A physical attack to 5G critical assets may
      disrupt, interfere and ultimately cause unavailability of the network service.
      Despite the existence of physical protection mechanisms (e.g., physical surveillance
      and surveillance cameras, security locks, security guards), physical breaches
      and insider threat attacks may still occur.
    Name: Physical sabotage/vandalism of the network infrastructure
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, page 202, December\
    \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [El-Shorbagy, A.-moniem. \u201C5G Technology and\
    \ the Future of Architecture\u201D. Procedia Computer Science, (2021), volume\
    \ 182, p121\u2013131.](https://doi.org/10.1016/j.procs.2021.02.017 )"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5018
  tactics:
  - TA0040
  typecode: fight_subtechnique
- access-required: None
  architecture-segment: Physical & Environmental
  bluf: An adversary may seek physical access to isolated/remote edge servers using
    covert methods of entry with the intent to damage or destroy edge computing facilities,
    gaining unauthorized access at system level as an entry point to all hosted resources,
    theft of data on local storage, vandalism, and sabotage.
  criticalassets:
  - Description: Destruction of edge computing facilities, unauthorized access at
      system level as an entry point to all hosted resources, theft of data on local
      storage, vandalism and/or sabotage of equipment.
    Name: Edge facility equipment
  description: " An adversary may seek physical access to isolated/remote edge servers\
    \ using covert methods of entry with the intent to damage or destroy edge computing\
    \ facilities, gaining unauthorized access at system level as an entry point to\
    \ all hosted resources, theft of data on local storage, vandalism, and sabotage.\r\
    \n\r\nEdge computing facilities are, by their nature, seated in geographically\
    \ distributed locations. Normally, the first choice will be communications shelters\
    \ already operated by MNO. While communications shelters have physical security\
    \ controls in place, these are calibrated to risks associated with communication\
    \ equipment value. An additional risk assessment is needed to assess suitability\
    \ in the context of additional risks incurred by presence of computing facilities\
    \ and data.\r\n\r\n"
  detections:
  - detects: 'Event logs recording user activities, exceptions, faults and information
      security events should be produced, kept and regularly reviewed. Additional
      considerations: development of use-case specific alert rules, integration and
      correlation of data at all levels (network, application), integration and correlation
      with service provider-level monitoring mechanisms.'
    fgdsid: FGDS5012
    name: SIEM
  id: FGT5018.003
  mitigations:
  - fgmid: FGM5005
    mitigates: Edge sites should be provided with a full set of physical and environmental
      controls aimed to assure access control, monitoring, continuity of operations
      and protection against environmental disasters. Failure to do so may lead to
      unauthorized access, destruction of assets and impairment of operations.
    name: Physical and environmental protection
  name: Edge servers
  object-type: technique
  platforms: Edge server
  postconditions:
  - Description: Destruction of assets, unauthorized access, theft of data on local
      storage, vandalism, sabotage
    Name: Service unavailability
  - Description: Destruction or damage of these assets may cause information destruction
    Name: Information destruction
  preconditions:
  - Description: 'Mobile-edge computing have to be integrated in the network-wide
      Security Incident and Monitoring System, but with additional considerations:
      development of use-case specific alert rules, integration and correlation of
      data at all levels (network, application), integration and correlation with
      service provider -level monitoring mechanisms. Failure to do so may leave advanced
      or sustained threats undetected, as well as technical failures or malfunctions
      of local resources.'
    Name: Improper security monitoring of edge computing facilities
  procedureexamples:
  - Description: Adversary may obtain physical access to remote edge servers and cause
      damage to them.
    Name: Damage edge servers
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, page 202, December\
    \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [ISO/IEC 27011:(2016), \u201CInformation technology\
    \ \u2014 Security techniques \u2014 Code of practice for Information security\
    \ controls based on ISO/IEC 27002 for telecommunications organizations\u201D](https://www.iso.org/obp/ui/#iso:std:iso-iec:27011:ed-2:v1:en)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5018
  tactics:
  - TA0040
  typecode: fight_subtechnique
- access-required: Physical
  architecture-segment: Physical & Environmental
  bluf: An adversary accesses a shared site, or remote location, with intent to steal
    valuable materials (such as copper, batteries, and fuel) for resale.
  criticalassets:
  - Description: Physical assets and commodities used by the mobile network operators
      in their infrastructure.
    Name: Physical assets and commodities
  description: " An adversary accesses a shared site, or remote location, with intent\
    \ to steal valuable materials (such as copper, batteries, and fuel) for resale.\r\
    \n\r\nAs towers are often located in remote locations, base stations are prime\
    \ marks for thieves and vandals in search of an easy target. These sites contain\
    \ a wealth of valuable copper wire, high-performance batteries, and fuel. Thieves\
    \ and vandals take advantage of remote locations of cell sites by trespassing\
    \ freely, without the fear of being identified. Copper wires and battery theft\
    \ exploit the second-hand market fueled by the worldwide demand for these goods.\r\
    \n\r\n"
  detections:
  - detects: 'Event logs recording user activities, exceptions, faults and information
      security events should be produced, kept and regularly reviewed. Additional
      considerations: development of use-case specific alert rules, integration and
      correlation of data at all levels (network, application), integration and correlation
      with service provider-level monitoring mechanisms.'
    fgdsid: FGDS5012
    name: SIEM
  id: FGT5018.004
  mitigations:
  - fgmid: FGM5005
    mitigates: 'Implement physical and environmental controls

      Shared/Remote sites should be provided with a full set of physical and environmental
      controls aimed to assure access control, monitoring, continuity of operations
      and protection against environmental disasters. Failure to do so may lead to
      unauthorized access, destruction of assets and impairment of operations.'
    name: Physical and environmental protection
  name: Theft of Assets
  object-type: technique
  platforms: remote/shared location physical assets
  postconditions:
  - Description: Theft of these assets may cause an unavailability of resources.
    Name: Service unavailability
  - Description: Theft of these assets may cause an increase in maintenance costs
      for the operator.
    Name: Increased maintenance costs
  preconditions:
  - Description: 'Remote/shared sites have to be integrated in the network-wide Security
      Incident and Monitoring System, but with additional considerations: development
      of use-case specific alert rules, integration and correlation of data at all
      levels (network, application), integration and correlation with service provider
      -level monitoring mechanisms. Failure to do so may leave advanced or sustained
      threats undetected, as well as technical failures or malfunctions of local resources.'
    Name: Improper security monitoring of remote/shared facilities
  procedureexamples:
  - Description: "Copper\u2019s value transforms remote cellular base stations into\
      \ prime targets for thieves. The costs for telecom and tower operators to replace\
      \ the cost of the cable and damage to the site can be thousands of dollars per\
      \ incident. This is not taking into consideration the additional costs of loss\
      \ of network service. Even the theft of a small amount of copper can cause extensive\
      \ damage to site equipment, costing cell towers owners thousands of dollars\
      \ in repairs, replacement, and network downtime. There are several expensive\
      \ copper items at cell sites that are very attractive to thieves, such as the\
      \ ground wires, copper grounding busbars, and waveguides"
    Name: Cable/Copper Theft
  - Description: Battery theft can easily become the root cause of cell services outage.
      Similarly, to the case of cable theft, telecom towers are increasingly affected
      by the rise of battery theft and vandalism incidents.
    Name: Battery Theft
  - Description: Fuel is a major asset at telecom sites that can easily and directly
      be sold by thieves. The threat of diesel theft is widespread in many emerging
      markets and even in the rural areas of the developed markets.
    Name: ' Fuel Theft'
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, page 202, December\
    \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Baars, J. \u201CWhite Paper - Telecom Sites Physical\
    \ Security\u201D, December 2019, Asentria](https://www.asentria.com/blog/telecom-sites-physical-security-white-paper/.\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5018
  tactics:
  - TA0040
  typecode: fight_subtechnique
- access-required: admin/user
  architecture-segment: Control Plane
  bluf: An adversary in the core network exploits signaling protocols to obtain the
    location of the UE.
  criticalassets:
  - Description: NEF, AMF, SMF, UPF, NWDAF, GMLC, LMF
    Name: Operator network components
  - Description: UE/Subscriber geographical location
    Name: UE location
  description: " An adversary in the core network exploits signaling protocols to\
    \ obtain the location of the UE. \r\n\r\nUser location tracking is part of normal\
    \ cellular operation. Adversaries with access to core network or a core network\
    \ function (NF) can misuse signaling protocols (e.g., SS7, GTP and Diameter or\
    \ the SBI API calls), or exploit vulnerabilities in the signaling plane, in order\
    \ to obtain location information for a given UE.\r\n\r\nNote: In case of 3G/4G\
    \ core networks using SS7, this technique is covered by [ATT&CK Mobile T1430.002\
    \ Location Tracking: Impersonate SS7 nodes]().\r\n \r\n\r\n"
  detections: []
  id: FGT5012.004
  mitigations:
  - fgmid: FGM5023
    mitigates: Periodic authentication / authorization of NF consumer e.g. AMF by
      NRF will help detect rogue AMFs. Not currently in 3GPP specs, but it can be
      enhanced.
    name: Periodic Authentication & Authorization of NFs
  - fgmid: FGM5019
    mitigates: NEF authorizes 3rd party AFs for location service using policy. Nnef_Location
      API called by AF should be authorized properly. AF uses GPSI as UE identity.
    name: Authorize external API calls
  - fgmid: M1037
    mitigates: Filter out request messages that come from external (to the operator)
      sources to guard against SS7 attacks.
    name: Filter Network Traffic
  name: Core Network Function Signaling
  object-type: technique
  platforms: 5G
  preconditions:
  - Description: Adversary may pretend to be an operator supporting only earlier generations.
    Name: Access to SS7 network
  - Description: Adversary has to gain control of one core NF.
    Name: "Access to operator\u2019s network function"
  - Description: UE identifier required for all Core network function abuse.
    Name: Knowledge of the UE SUPI or GPSI 5G-GUTI of target UE
  procedureexamples:
  - Description: "From [3], there were recent successful attacks on SS7 whereby an\
      \ attacker with access to the SS7 interconnection can find a user\u2019s location,\
      \ as well as billing data and Short Message Service (SMS) messages. In addition,\
      \ the attacker can also eavesdrop on user data."
    Name: Adversary uses SS7 interconnect (IWF) to a 5G network without protection
      (firewalls, etc). to obtain UE location information
  - Description: The AMF gets UE location legitimately from LMF (Nlmf-loc API). Clause
      8.3 of [5]. In addition, an adversary can modify AMF behavior so that it doesn't
      allocate a new 5G-GUTI to a given UE, so that that UE can be tracked via listening
      devices in the area, see [FGT5012.003](/techniques/FGT5012.003).
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      AMF case'
  - Description: Incorrect implementation/configuration in NEF can allow a rogue application
      function (AF) to access UE location information using LMF services. Clause 6.1.2
      of [5].
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      AF case'
  - Description: "The SMF can obtain a UE's location whenever the AMF sends it a PDU\
      \ update request:  Nsmf_PDUSession_UpdateSMContextRequest (which contains UE\
      \ location info, which can be: E-UTRA or NR cell id, location timestamp, \u201C\
      geographicalInformation\u201D in hex format as in TS 23.032, only ellipsoid\
      \ point with uncertainty circle.). Clause 5.2.8.2.6 of [4]."
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      SMF case'
  - Description: The UDM can legitimately ask the AMF for the location of a UE using
      Namf_Location service. Clause 5.2.2.1 of [4].
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      UDM case'
  - Description: The UPF has access to serving cell ID for UEs that are actively sending
      data (RRC connected).
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      UPF case'
  - Description: 'The NEF can legitimately ask AMF Namf_EventExposure or ask GMLC
      directly - then GMLC gives the NEF a location report (Note: NEFs serve as location
      proxies to internal and external AFs in the same way GMLCs serve as proxies
      to external LCS clients). Clause 5.2.2.1 of [4].'
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      NEF case'
  - Description: The NWDAF can get coarse UE location by subscribing to events from
      AMF. Clause 5.2.2.1 of [4].
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      NWDAF case'
  - Description: The GMLC can legitimately ask the AMF for the location of a given
      UE using Namf_Location service. Clause 5.2.2.1 of [4].
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      GMLC case'
  - Description: The LMF can initiate location procedure with the UE. Clauses 6.11.1,
      6.11.2, 6.11.3 of [5].
    Name: 'Adversary gains control of a core NF to get location info for a given UE:
      LMF case'
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,\_ October 2021](https://arxiv.org/abs/2108.11206\_\_)"
  - "<a name=\"3\"> \\[3\\] </a> [S. Holtmanns, S. P. Rao, I. Oliver, \u201CUser location\
    \ tracking attacks for LTE networks using the interworking functionality\u201D\
    , 2016 IFIP Networking Conference.](https://ieeexplore.ieee.org/document/7497239\
    \ )"
  - "<a name=\"4\"> \\[4\\] </a> [3GPP TS 23.502 \u201CProcedures for the 5G System\
    \ (5GS)\u201D](https://www.3gpp.org/DynaReport/23502.htm)"
  - "<a name=\"5\"> \\[5\\] </a> [3GPP TS 23.273 \u201C5G System (5GS) Location Services\
    \ (LCS)\u201D](https://www.3gpp.org/DynaReport/23273.htm)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5012
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- access-required: admin
  architecture-segment: Roaming
  bluf: An adversary may attempt to position themselves between two mobile network
    operators as an adversary in the middle (AITM) to support follow-on behaviors
    such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).
  criticalassets:
  - Description: Adversary would target the SEPP
    Name: SEPP function
  description: " An adversary may attempt to position themselves between two mobile\
    \ network operators as an adversary in the middle (AITM) to support follow-on\
    \ behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data\
    \ Manipulation](/techniques/FGT1565.002).\r\n\r\nRoaming and interconnect interfaces,\
    \ including IPX, are between network operators, namely: between Security Edge\
    \ Protection Proxy (SEPP)s, or between interworking functions like Access and\
    \ Mobility Management Function (AMF) / 4G Mobility Management Function (MME) (N26\
    \ interface), or between User Plane Function (UPF)s (N9 interface).\r\n\r\nAn\
    \ adversary with control of the Visited Public Land Mobile Network (VPLMN) SEPP\
    \ may obtain roaming subscriber information by providing fraudulent signaling\
    \ information to the Home PLMN (HPLMN) and collect information about the roaming\
    \ subscriber. The adversary could be an insider on a VPLMN that is a roaming partner,\
    \ having connections to the HPLMN via one or more IPX providers or directly between\
    \ V-SEPP and H-SEPP. The HPLMN trusts the info from the VPLMN, but it is being\
    \ sent fraudulently by the VPLMN. The V-SEPP may also be located at a Value-Added-Services\
    \ (VAS) provider [1] where compromise of the VAS is a pre-condition instead of\
    \ compromise of the VPLMN.\r\n\r\nThe adversary may possibly achieve an AITM position\
    \ on an IP Exchange (IPX) network used by either the home PLMN or the visited\
    \ PLMN and through which the roaming traffic may flow. The adversary may attempt\
    \ to control a device in the path or re-direct traffic to a device the adversary\
    \ controls.\r\n\r\n"
  detections:
  - detects: Monitor for access to SEPP application/appliance for unexpected access.
    fgdsid: DS0015
    name: Application Log
  - detects: Analyze network traffic to/from SEPP to determine if from unexpected
      source/dest and consistent with expected traffic from other operators.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1557.502
  mitigations:
  - fgmid: M1030
    mitigates: Limit network exposure of vSEPP from other core services in hPLMN
    name: Network Segmentation
  - fgmid: M1035
    mitigates: Minimize access to vSEPP from limited locations such as a privileged
      access workstation
    name: Limit Access to Resource Over Network
  - fgmid: M1037
    mitigates: Ensure only traffic from expected sources can reach the SEPP
    name: Filter Network Traffic
  name: 'Roaming and Interconnection '
  object-type: technique
  platforms: SEPP, VAS, IPX
  preconditions:
  - Description: Adversary would need to be in control of the vSEPP which may be managed
      by a VAS
    Name: SEPP control
  references:
  - "<a name=\"1\"> \\[1\\] </a> [P.Tommassen, \u201C5G Security When Roaming,\u201D\
    \ iBasis, October 6, 2020](https://ibasis.com/5g-security-when-roaming/)"
  - "<a name=\"2\"> \\[2\\] </a> [\u201C5G System; Public Land Mobile Network (PLMN)\
    \ Interconnection; Stage 3,\u201D 3GPP, TS 29.573 ver.16.9.0, March 2022](https://www.3gpp.org/DynaReport/29573.htm\_\
    )"
  - "<a name=\"3\"> \\[3\\] </a> [\u201CSecurity architecture and procedures for 5G\
    \ System,\u201D 3GPP, TS 33.501 ver. 16.3.0, July 2020, Sec. 13.1.2,13.2](https://www.3gpp.org/DynaReport/33501.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1557
  tactics:
  - TA0009
  - TA0006
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: RAN, Control Plane
  bluf: An adversary may discover the permanent subscriber identifier via various
    means
  criticalassets:
  - Description: UE/User IMSI, SUPI
    Name: UE Permanent identifier
  description: " An adversary may obtain a UE permanent identifier via various means.\r\
    \n\r\nAn adversary may obtain UE identifying information from 5G UEs after the\
    \ UE has been bid down (downgraded) to a lower security protocol e.g. 4G, since\
    \ in 4G and 3G it is possible for the network to ask the UE to send its IMSI (International\
    \ Subscriber Identifier) in the clear over the radio interface. The UE identity\
    \ can also be obtained by the adversary if NULL scheme is used for Subscriber\
    \ Permanent Identifier (SUPI) concealment.\r\n\r\nThe 5G UE sends an encrypted\
    \ identifier (called Subscriber Concealed Identifier (SUCI)) over the radio interface\
    \ as part of the initial registration to the 5G network. Some non-UE specific\
    \ information is part of the Subscriber Permanent Identifier or SUPI and is not\
    \ encrypted (e.g., home network name).\r\n\r\n"
  detections: []
  id: FGT5019
  mitigations: []
  name: Subscriber Profile Identifier Discovery
  object-type: technique
  platforms: 5G
  procedureexamples:
  - Description: Adversary may use the radio access network to determine the IMSI
      of a particular UE is in the area.
    Name: Use radio access to obtain UE permanent identifier
  - Description: Adversary may use the core network signaling find the IMSI of a particular
      UE, given e.g., MSISDN
    Name: Use core network signaling to obtain UE permanent identifier
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA0007
  - TA0009
  typecode: fight_technique
- architecture-segment: RAN
  bluf: 'An adversary may intercept unencrypted radio transmissions of a UE''s SUCI
    to identify the home network of the UE. '
  criticalassets:
  - Description: Home network identifier is sent unconcealed by UE over the air per
      standard. UE privacy such as its home network location is revealed to the adversary
      when UE is roaming in another country or region.
    Name: UE privacy
  description: " An adversary may intercept unencrypted radio transmissions of a UE\u2019\
    s SUCI to identify the home network of the UE. \r\n\r\nAdversary can tell what\
    \ the home network of UE is from the unencrypted portion of the Subscriber Concealed\
    \ Identity (SUCI), which is normally sent over the radio interface by a UE seeking\
    \ to connect. This can be of value to an adversary when the home location is unusual.\
    \ \r\n\r\nBackground information: In 5G, the UE\u2019s permanent identity, SUPI\
    \ (Subscriber Permanent Identifier), includes a home network identifier and a\
    \ user-specific identifier, and is never sent unencrypted over the radio interface.\
    \ Instead, a SUCI is sent when the UE goes through initial registration to the\
    \ serving network procedures; this de-concealment operation can only be done by\
    \ the UE\u2019s home network. However, the Home Network identifier part of the\
    \ SUCI is sent unencrypted, so that the serving network (while UE is roaming in\
    \ another country or region) knows how to route the registration message to UE\u2019\
    s home network for authentication. The home network may constitute sensitive information\
    \ in some special cases.  \r\n\r\n"
  detections: []
  id: FGT5019.001
  mitigations:
  - fgmid: FGM5022
    mitigates: When the subscriber affiliation is reflected in the home network identifier
      (part of subscriber identifier) and would benefit from not being sent in the
      clear, the subscriber's provider (home network) should be a proxy mobile network
      operator - whose identifier does not reveal the true affiliation of the subscriber.
    name: Proxy home network
  name: Intercept Home Network via SUCI
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: When home network is unusual (e.g., US home network in Afghanistan),
      allows attacker to identify UE as target of interest for geolocation, degradation
      of service, loss of traffic confidentiality, or physical attack.
    Name: Target association
  preconditions:
  - Description: Adversary requires sufficient signal to noise and interference ratio
      and must be present in the same area as the UE.
    Name: Ability to receive SUCI over the air
  procedureexamples:
  - Description: "Receive SUCI and extract the field \u201Chome network identifier\u201D\
      , which is never concealed."
    Name: Intercept home network over the radio interface
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TS 23.003: \"Numbering, Addressing and Identification\u201D\
    , Version 17.6.0, Section 2.2B](https://www.3gpp.org/DynaReport/23003.htm  )"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5019
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- architecture-segment: RAN
  bluf: An adversary may intercept the UE permanent identifier (SUPI) from a UE that
    is bid down to a less secure protocol.
  criticalassets:
  - Description: Unique and non-transient user identity
    Name: UE identifier
  description: " An adversary may intercept the UE permanent identifier (SUPI) from\
    \ a UE that is bid down to a less secure protocol. \r\n\r\nThe UE SUPI constitutes\
    \ key data that identifies UE as target of interest for other follow-on behaviors\
    \ such as geolocation, degradation of service, loss of traffic confidentiality,\
    \ or physical attack. From the network side, the SUPI can be used to obtain other\
    \ sensitive information about this UE.\r\n\r\nBackground information: In 5G, the\
    \ UE\u2019s permanent identity, SUPI (Subscriber Permanent Identifier), is never\
    \ sent unencrypted over the radio interface. In WiFi, 3G and 4G however, the UE\u2019\
    s permanent identity IMSI may be sent unencrypted over the radio interface (e.g.\
    \ in cases where the serving network is not able to identify the UE via a temporary\
    \ identifier). In 5G, SUPI can be either IMSI or Network Access Identifier (NAI).\
    \ See clause 2.2A of [3].\r\n\r\nWhen a 5G UE\u2019s Radio Capability profile\
    \ allows the bidding down of the cellular protocol from 5G to 4G or 3G or WiFi\
    \ an adversary can take advantage of this. The adversary first denies service\
    \ to 5G and bids down victim UE to less secure protocol, for example by using\
    \ a fake base station. Then, the adversary actively interrogates or passively\
    \ intercepts unencrypted International Mobile Subscriber Identifier (IMSI) for\
    \ 2G/3G/4G or Media Access Control (MAC) for WiFi.\r\n\r\n"
  detections:
  - detects: UE transitions to less secure service
    fgdsid: FGDS5010
    name: UE transition to less secure service
  id: FGT5019.002
  mitigations:
  - fgmid: FGM5006
    mitigates: Restrictive user security profile can dictate that the UE will refuse
      to networks that are not 5G. The prevention of bidding-down is achieved via
      user security profile stored in the UE.
    name: Restrictive user profile
  name: Intercept bid-down SUPI
  object-type: technique
  platforms: 5G radio
  postconditions:
  - Description: Allows an adversary to identify UE as target of interest for geolocation,
      degradation of service, loss of traffic confidentiality, or physical attack.
    Name: Target association
  preconditions:
  - Description: User security profile must allow bidding down.
    Name: Permissive user security profile
  - Description: Denying service to 5G and bidding down (e.g. from a fake or compromised
      base station) must have occurred for this 5G UE. Adversary must be present in
      the same area as the UE.
    Name: Bid down operation successful
  procedureexamples:
  - Description: Adversary with fake or compromised base station sends an Identity
      Request NAS message to the UE to get back the SUPI. This occurs after the UE
      has been bid down from 5G. Clause 5.4.4 of [2]
    Name: Obtain permanent UE identifier SUPI from bid-down UE
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 24.301 \u201CNon-Access-Stratum (NAS) protocol\
    \ for Evolved Packet System (EPS)\u201D; Stage 3](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1072)"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.003: \"Numbering, Addressing and Identification\u201D\
    , Version 17.6.0, Section 2.2B](https://www.3gpp.org/DynaReport/23003.htm  )"
  status: This is a theoretical behavior
  subtechnique-of: FGT5019
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- access-required: None
  architecture-segment: RAN
  bluf: An adversary may non-cooperatively geolocate a UE from UE radio signals externals.
  criticalassets:
  - Description: UE/subscriber geographical location
    Name: UE location
  description: " An adversary may non-cooperatively geolocate a UE from UE radio signal\
    \ externals.\r\n\r\nAn adversary may geolocate an unknown UE by using Radio access\
    \ technology or \u201CRF externals\u201D, such as Direction of Arrival, Time of\
    \ Arrival, Frequency of Arrival, Time Difference of Arrival, and Frequency Difference\
    \ of Arrival of UE signals, or the 5G New Radio (5G NR) multi RTT (Round trip\
    \ time) and angle-based methods, or non-3GPP access data (e.g. WiFi access points/IP\
    \ addresses).\r\n\r\nThe UE does its own geolocation from base station transmissions,\
    \ but an adversary with multiple receivers can geolocate a UE from the differential\
    \ time of arrival of UE transmitted signal events completely independently of\
    \ the process the UE is doing to geo-locate itself. \r\n\r\n"
  detections: []
  id: FGT5012.001
  mitigations:
  - fgmid: FGM5098
    mitigates: Reduce usage. Use UE only when needed. Turn UE off if not needed for
      period of time.
    name: Reduce UE usage
  - fgmid: FGM5099
    mitigates: Move UE closer to base station and/or reduce height of UE above terrain
      and/or move indoors or into multipath environment.
    name: Move UE close to gNB
  name: Passive radio signals observation
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Geolocation can make electronic attack for degradation of service
      more effective, bidding down to defeat ID and traffic confidentiality more effective,
      and can expose subscriber to physical attack.
    Name: Subsequent attack
  preconditions:
  - Description: Attacker must have radio line-of-sight to target for most accurate
      geolocation.
    Name: Line-of-sight
  procedureexamples:
  - Description: Adversary geolocates unknown UE using some combination of Direction
      of Arrival, Time-of-Arrival, and/or Frequency-of-Arrival of UE signal externals.
    Name: Externals geolocation
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [X. Hu et.al. \u201CA Systematic Analysis Method\
    \ for 5G Non-Access Stratum Signaling Security\u201D, IEEE Access, August 2019.](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5012
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- access-required: RAN
  architecture-segment: RAN
  bluf: An adversary may elicit location reports from UE that is bid down to less
    secure format or passively observes location reports from UE employing null encryption.
  criticalassets:
  - Description: UE/Subscriber geographical location
    Name: UE location
  description: " An adversary may elicit location reports from UE that is bid down\
    \ to less secure format or may passively observe location reports from UE employing\
    \ null encryption.\r\n\r\nAn adversary may eavesdrop messages exchanged between\
    \ the UE and the network, if encryption for the radio interface is not employed.\
    \ These messages of interest contain location reports that the UE sends to the\
    \ network upon (legitimate) request from the network. \r\n\r\n"
  detections:
  - detects: Subscriber transitions to less secure service.
    fgdsid: FGDS5010
    name: UE transition to less secure service
  id: FGT5012.002
  mitigations:
  - fgmid: FGM5006
    mitigates: Restrictive subscriber security profile. Do not use unencrypted systems.
      Set subscriber security profile to prohibit bidding down to less secure service.
    name: Restrictive user profile
  - fgmid: FGM5096
    mitigates: "Disable location on UE device for all applications which use UE\u2019\
      s physical location. This is only a partial mitigation because location measurements\
      \ will be sent by the UE to gNB."
    name: Disable UE location use
  - fgmid: M1041
    mitigates: Avoid systems that employ null encryption. De-register when only NULL
      encryption is offered
    name: Encrypt Sensitive Information
  name: Self Location Measurement
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Geolocation can make electronic attack for degradation of service
      more effective, bidding down to defeat ID and traffic confidentiality more effective,
      and can expose subscriber to physical attack.
    Name: Subsequent attack
  preconditions:
  - Description: Subscriber security profile must allow bidding down to less secure
      format OR system does not employ over-the-air encryption.
    Name: Permissive subscriber security profile OR system does not employ over-the-air
      encryption.
  - Description: Adversary must be present in the same area where the UE is located.
    Name: Adversary present in the vicinity of victim UE
  procedureexamples:
  - Description: Victim UE is using a 5G system with null encryption or is bid down
      to a less secure protocol. UE geolocation or geolocation measurement data is
      passively observed or, if bid down, actively ordered through illegitimate signaling.
    Name: Self-location measurement
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5012
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- architecture-segment: RAN, O-RAN
  bluf: An adversary may eavesdrop on unencrypted sensitive subscriber data to capture
    information to and from a UE that has been bid down to a less secure format, such
    as Wi-Fi or an earlier mobile network generation.
  criticalassets:
  - Description: All user plane data sent by UE over the air can be intercepted in
      the clear.
    Name: User plane traffic confidentiality
  - Description: UE/subscriber geographical location.
    Name: UE location
  - Description: All signaling data (not NAS) including measurement reports sent by
      UE over the air can be intercepted in the clear.
    Name: Signaling traffic confidentiality
  - Description: "UE\u2019s private information is leaked to the adversary such as\
      \ which websites they are using and the time and day the websites are visited."
    Name: "UE\u2019s internet usage pattern"
  description: " An adversary may eavesdrop on unencrypted sensitive subscriber data\
    \ on the air interface to capture information and to fingerprint application layer\
    \ usage pattern of victim UE.\r\n\r\nAn adversary may employ a back-to-back fake\
    \ gNB-UE combination to eavesdrop on the communication and relay communication\
    \ between the intended recipient and the intended source, over the radio interface.\
    \ \r\n\r\nThis attack assumes a successful bid down UE attack or else the network\
    \ uses no (\u201CNULL\u201D) encryption on the radio interface.\r\n\r\nLTE layer\
    \ 2 RLC/MAC metadata (e.g. PDCP packet length) may be eavesdropped by adversary\
    \ on the air interface as all layer 2 data below PDCP layer are sent without encryption\
    \ in LTE. Once the metadata is collected, an Artificial Intelligence/Machine learning\
    \ (AI/ML) tool can be used to track which websites the UE applications are using\
    \ even though PDCP and higher layer data are encrypted. The adversary must be\
    \ in the same area where the victim UE is located to sniff the downlink air link\
    \ messages sent to UE from gNB. The same attack is possible in 5G as layer 2 protocols\
    \ have not changed in the 5G 3GPP specification.\r\n\r\n"
  detections:
  - detects: UE transitions to less secure service. UE responds to requests that were
      not sent by legitimate network.
    fgdsid: FGDS5010
    name: UE transition to less secure service
  id: FGT1040.501
  mitigations:
  - fgmid: FGM5006
    mitigates: Set security profile in the UE to prohibit bidding down to less secure
      service.
    name: Restrictive user profile
  - fgmid: M1041
    mitigates: Avoid systems that employ null encryption. De-register when only NULL
      encryption is offered.
    name: Encrypt Sensitive Information
  - fgmid: FGM5517
    mitigates: 'Obfuscation can be done at the application layer to avoid fingerprint
      detection of UE''s internet usage. An example of application layer obfuscation
      is to use Orbot as Tor proxy that sends and receives all traffic through a Tor
      circuit. This is not highly effective as some metadata can still be used to
      fingerprint applications.


      Encryption of metadata such as PDCP length can be done to prevent this attack.
      It introduces large overhead on UE and hence it is not proposed in the 3GPP
      [6].'
    name: Use obfuscation at application layer
  name: Radio interface
  object-type: technique
  platforms: 5G RAN
  postconditions:
  - Description: Transient technique. Works only as long as adversary is able to retain
      connection.
    Name: Temporary loss of subscriber data confidentiality.
  - Description: Further attacks are possible on the victim UE based on the data collected,
      e.g. bank fraud or attacks from social media sites.
    Name: "Further attacks based on UE\u2019s internet usage"
  preconditions:
  - Description: Subscriber security profile in the UE must allow bidding down to
      less secure service OR system must employ null encryption.
    Name: Permissive subscriber security profile in the UE OR system employs null
      encryption.
  - Description: See [FGT1562.501](/techniques/FGT1562.501).
    Name: "Successful \u201CBid down UE\u201D attack"
  - Description: Adversary must be positioned in the same area as the victim UE with
      an airlink message sniffer device to collect the downlink data sent by gNB to
      the UE.
    Name: Adversary in the same vicinity as victim UE
  procedureexamples:
  - Description: 'The adversary employs a back-to-back fake gNB-UE combination.

      After a successful bidding down attack, all sensitive subscriber data (CP &
      UP) including location data may be visible to the adversary. See [2], clause
      6.7.4 of [3], and [4].'
    Name: Eavesdrop on air interface for a given UE
  - Description: Alternatively, if the 5G system employs null encryption, all subscriber
      data traffic (CP & UP) including location data can be collected in the clear.
      Clause 4.4 of [1].
    Name: Eavesdrop on air interface for any UE
  - Description: Adversary collects layer 2 metadata of downlink data sent to the
      victim UE from gNB using an airlink sniffer device. Then it processes the metadata
      using an ML classifier such as k-NN. The classifier can reveal with high accuracy
      which websites are visited by the UE application [5]. It is a passive attack.
    Name: Passive collection of airlink messages leads to UE application fingerprinting
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Hu, X. et al: \u201CA Systematic Analysis Method\
    \ for 5G Non-Access Stratum Signalling Security\u201D, August 2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
    \  )"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS33.501 \u201CSecurity architecture and procedures\
    \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm)"
  - "<a name=\"4\"> \\[4\\] </a> [Zaenab D. Shakir, J. Zec, I. Kostanic, \u201CPosition\
    \ location based on measurement reports in LTE cellular networks\u201D, 2018 IEEE\
    \ 19th Wireless and Microwave Technology Conference (WAMICON), 2018.](https://ieeexplore.ieee.org/document/8363501\
    \ )"
  - "<a name=\"5\"> \\[5\\] </a> [ACM article, : \u201CImproving 4G/5G air interface\
    \ security: A survey of existing attacks on different LTE layers\u201D.](https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532)"
  - "<a name=\"6\"> \\[6\\] </a> [ACM article, Katharina Kohls et al: \u201CLost traffic\
    \ encryption: fingerprinting LTE/4G traffic on layer two\u201D.](https://dl.acm.org/doi/10.1145/3317549.3323416)"
  - "<a name=\"7\"> \\[7\\] </a> [L. Zhai et al: \u201CIdentify What You are Doing:\
    \ Smartphone Apps Fingerprinting on Cellular Network Traffic\u201D.](https://ieeexplore.ieee.org/document/9631415)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT1040
  tactics:
  - TA0009
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: RAN
  bluf: An adversary may position itself on the radio interface, to support follow-on
    behaviors such as  [Network Sniffing](/techniques/FGT1040) or [Transmitted Data
    Manipulation](/techniques/FGT1565.002).
  criticalassets:
  - Description: All signaling transmitted to and from subscriber can be modified
      or intercepted in the clear
    Name: Subscriber signaling
  - Description: UE/subscriber geographical location can be intercepted.
    Name: UE location
  - Description: All data and voice transmitted to and from subscriber can be modified
      or intercepted in the clear
    Name: Subscriber traffic
  description: " An adversary may position itself on the radio interface, to support\
    \ follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted\
    \ Data Manipulation](/techniques/FGT1565.002).\r\n\r\nAdversary can deploy a fake\
    \ gNB, eNB (a 4G base station) or WiFi access point, or a back-to-back fake gNB-UE\
    \ combination to act as an adversary-in-the-middle, in order to intercept, inject\
    \ and possibly modify communication and relay communication to and from intended\
    \ recipient over the radio interface. \r\n\r\nThis attack assumes the following\
    \ to have taken place: the UE has been bid-down (see [Bid down UE](/techniques/FGT1562.501))\
    \ to a less secure Radio Access Network such as 4G, or the UE connects to an eNB\
    \ because the network is 5G Non-Standalone, or due to EPS fallback, or the UE\
    \ connects to a WiFi access point (to access 5G services).\r\n\r\n"
  detections:
  - detects: UE measurements of received power levels from all base stations nearby,
      and their identifiers Reference clause 6.24 of [3]
    fgdsid: FGDS5002
    name: UE signal measurements
  id: FGT1557.501
  mitigations: []
  name: Radio interface
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Transient technique; works only as long as adversary-in-the-middle
      is able to retain connection.
    Name: Temporary loss of subscriber data confidentiality or integrity.
  preconditions:
  - Description: Subscriber security profile must allow bidding down to less secure
      service OR system must employ null integrity or encryption.
    Name: Permissive subscriber security profile OR system employs null integrity
      or encryption.
  procedureexamples:
  - Description: The adversary employs a back to back gNB-UE combination. When UE
      security profile allows bidding down, or the UE connects to 4G due to EPS fallback,
      or to WiFi, an adversary acts as an adversary-in-the-middle to intercept and
      possibly modify communication to and from intended recipient.
    Name: Adversary-in-the-Middle on air interface for a given UE
  - Description: Alternatively, if the 5G system employs null integrity or encryption,
      subscriber data traffic can be eavesdropped or modified in transit over the
      air interface
    Name: Adversary-in-the-Middle on air interface for any UE
  - Description: "Adversary uses a fake base station to broadcast spoofed configuration\
      \ messages to UEs nearby. Reference [3] (appendix B) contains a taxonomy of\
      \ attacks against 5G UEs, passive and active. One concerns message attacks (fake\
      \ MIB/SIB \u2013 Master Information Block/System Information Block)"
    Name: Spoofed configuration messages from fake base station
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, section 4.4, December\
    \ 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Hu, X. et al: \u201CA Systematic Analysis Method\
    \ for 5G Non-Access Stratum Signalling Security\u201D, August 2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.809:\
    \ \u201CStudy on  5G security enhancements against False Base Stations (FBS)\u201D\
    , Technical Report, v0.18.0, February 2022.](https://www.3gpp.org/DynaReport/33809.htm\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT1557
  tactics:
  - TA0009
  - TA0006
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: UE
  bluf: A malicious app consumes subscriber data allocation so as to deny or degrade
    service to that UE
  criticalassets:
  - Description: Communications is denied until additional data usage is purchased.
    Name: Assured user communications
  description: " A malicious app consumes subscriber data allocation to deny or degrade\
    \ service to that UE. \r\n\r\nA malicious application might consume a UE's limited\
    \ data plan, denying or throttling service.\r\n\r\n\r\n"
  detections:
  - detects: Excessive data usage reported by UE or service provider.
    fgdsid: FGDS5006
    name: UE data usage
  id: FGT1499.501
  mitigations:
  - fgmid: FGM5007
    mitigates: Unlimited data plan. Attack is mitigated with a true unlimited data
      plan
    name: Unlimited data plan
  - fgmid: FGM5008
    mitigates: Monitor installed applications on UE for data usage.
    name: Monitor installed applications for data usage
  name: Consume data allocation to deny or degrade service
  object-type: technique
  platforms: 5G UE
  postconditions:
  - Description: Sustained degraded communication of legitimate UEs until additional
      data is purchased.
    Name: Degraded communication of legitimate UEs.
  preconditions:
  - Description: There are several methods to achieve this
    Name: A malicious app or set of apps have to have been installed on the UE
  procedureexamples:
  - Description: Convince user to download or maliciously introduce application that
      consumes excessive data
    Name: Malicious data consumption application
  references:
  - <a name="1"> \[1\] </a> [Android devices ensnared in DDoS botnet, Feb. 2021](https://www.zdnet.com/article/android-devices-ensnared-in-ddos-botnet/
    )
  - <a name="2"> \[2\] </a> [Massive Android DDoS Botnet Derailed, Aug. 2017](https://www.darkreading.com/attacks-breaches/massive-android-ddos-botnet-derailed)
  status: This is a theoretical behavior
  subtechnique-of: FGT1499
  tactics:
  - TA0040
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: RAN
  bluf: An adversary may trigger a fraud alert by sending fake registrations for a
    given UE.
  criticalassets:
  - Description: Communications is denied
    Name: Assured user communications
  description: " An adversary may trigger a fraud alert by sending fake registrations\
    \ for a given UE.\r\n\r\nAn adversary might deny RAN access to a UE by triggering\
    \ a fraud alert through attempting simultaneous registrations at geographically\
    \ impossible locations. When the UE security profile allows, the adversary can\
    \ illegitimately use a known Subscription Permanent Identifier (SUPI) or, if a\
    \ valid Subscription Concealed Identifier (SUCI) is known, use a legitimate SUCI\
    \ for false registrations. \r\n\r\n"
  detections:
  - detects: Subscriber contacts service provider to determine why service is denied.
    fgdsid: FGDS5011
    name: Subscriber notify provider
  id: FGT1499.502
  mitigations:
  - fgmid: FGM5093
    mitigates: UDM/SIDF checks the freshness parameter of SUCI received from the same
      UE (having the same SUPI). If replayed by adversary within a short period of
      time, freshness test will fail.
    name: SUCI freshness parameter
  name: Trigger fraud alert to deny service
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Denial of service continues until service provider is convinced there
      is no fraud.
    Name: Sustained denial of service
  preconditions:
  - Description: There are several methods to achieve this by capturing over the air
      messages using a wireless sniffer.
    Name: A valid SUPI or SUCI must be intercepted by attacker.
  procedureexamples:
  - Description: "Adversary may capture a registration attempt for a given UE, then\
      \ replay it right away to a gNB much further away \u2013 so that the network\
      \ receives two registrations at about the same time e.g. from two regions far\
      \ away: New York and Georgia.  \nThe network will trigger a fraud alert. Thus,\
      \ RAN access may be denied to that victim UE because of the attempted simultaneous\
      \ registrations at geographically impossible locations."
    Name: "Adversary replays registration attempt for a victim UE to a gNB much further\
      \ away (\u201Cgeographically impossible\u201D)."
  status: This is a theoretical behavior
  subtechnique-of: FGT1499
  tactics:
  - TA0040
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: Control Plane, OA&M
  bluf: An adversary may alter the subscriber profile  to achieve fraud, via SBI (Service
    Based Interfaces) or OA&M interfaces.
  criticalassets:
  - Description: UE voice and data records accuracy
    Name: UE call/data records
  - Description: The UE static profile data
    Name: UE static profile
  description: " An adversary may alter the subscriber profile to achieve fraud, via\
    \ SBI (Service Based Interfaces) or OA&M interfaces.\r\n\r\nThe subscriber profile\
    \ is a mostly static set of data relating to a device, such as: phone number,\
    \ group membership, data access configuration, and others. The dynamic data is\
    \ the serving AMF (which is associated with a very coarse geographical location).\
    \ This profile resides in the UDM. If the UDM is compromised, it can make any\
    \ change to the user profile. The AMF serving the UE can get a fresh copy of the\
    \ subscriber profile. \r\n\r\nAnother type of profile is the \u201CUE context\u201D\
    , and is also held at the UDM; it is a dynamic (valid for a session) set of data\
    \ relating to the current state of the UE. The UE context can be modified in the\
    \ UDM legitimately by certain NF such as AMF and SMF.\r\n\r\nAn adversary in the\
    \ core network (e.g. in control of a core NF such as AMF, UDM or PCF) can retrieve\
    \ subscriber profile from the repository UDM/UDR, and may be able to alter at\
    \ least part of it, e.g., AMF can update the serving AMF entry. The UDM can naturally\
    \ alter any portion of the profile.\r\n\r\nAn OA&M based attack (adversary has\
    \ access to the provisioning interface) on the UDM/UDR would allow all changes\
    \ to the UE profile (e.g., change from post-paid to pre-paid or vice-versa).\r\
    \n\r\n"
  detections:
  - detects: Subscriber contacts Customer service to complain (in some limited cases)
    fgdsid: FGDS5011
    name: Subscriber notify provider
  id: FGT5022
  mitigations:
  - fgmid: FGM5020
    mitigates: Secure subscriber repositories
    name: Secure subscriber repositories
  name: Alter Subscriber Profile
  object-type: technique
  platforms: 5G Network
  procedureexamples:
  - Description: 'AMF/SMF can use Nudm_UECM_Update to modify UE context in the UDM.
      AMF or SMF can change some parameters in the UE context (which is like a subscriber
      profile, but valid only for a session; Clause 5.2.3.2.5 of [3]. The parameters
      are: PEI (Permanent Equipment Identifier), analyticsID (for NWDAF), UE capabilities,
      Intersystem continuity context, SMF FQDN'
    Name: AMF or SMF modifies UE context.
  - Description: "Rogue AF/NEF via UDM can modify UE\u2019s configuration for a given\
      \ external service (e.g. pay for video for a game today). When the victim UE\
      \ changes state from idle mode to connected mode, it will receive the modified\
      \ services which may be inferior to the services originally provisioned. Example:\
      \ NEF can use Nudm_ParameterProvision update service to update UE subscription\
      \ data. Clause 5.6.2.2 of [4] & clauses 4.15.6.2, 4.15.6.3, 4.15.6.3a of [3]."
    Name: "Rogue AF/NEF modifies UE\u2019s configuration for a given external service."
  - Description: Compromised GUI or CLI based attack on subscriber database in UDR
    Name: Compromised OA&M can modify subscriber profile data in UDR
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [S. Holtmanns, I. Oliver and Y. Miche, \u201CMobile\
    \ Subscriber Profile Data Privacy Breach via 4G Diameter Interconnection\u201D\
    , 2017.](https://www.riverpublishers.com/journal_read_html_article.php?j=JICTS/6/3/4\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.502, \u201CProcedures for the 5G System\
    \ (5GS); Stage 2 (Release 17)\u201D, Technical Specification, v17.4.0, March 2022.\_\
    section 4.11.1.2.2](https://www.3gpp.org/DynaReport/23502.htm\_)"
  - "<a name=\"4\"> \\[4\\] </a> [3GPP TS 29.503, \u201C5G System; Unified Data Management\
    \ Services; Stage 3\u201D](https://www.3gpp.org/DynaReport/29503.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA5001
  typecode: fight_technique
- architecture-segment: Network Slice
  bluf: 'An adversary controlling a Network Function (NF) or slice can gain access
    to a different network slice data by interacting with other NFs. '
  criticalassets:
  - Description: "UE (served by that slice) related information. Slice specific configuration\
      \ \u2013 e.g. what NFs are part of it and SLAs of the slice."
    Name: Confidentiality of slice-specific resources
  - Description: The functionality of any core NF that is shared between slices (AMF,
      SMF, PCF,.. )
    Name: Core NFs
  description: " An adversary controlling a Network Function (NF) or slice can gain\
    \ access to a different network slice data by interacting with other NFs. \r\n\
    \r\nEvery network slice has an identifier, part of which is sensitive just like\
    \ a UE permanent identifier.  If this Slice Differentiator (SD) is discovered,\
    \ then a malicious NF and/or malicious slice can use the guessed SD to gain unauthorized\
    \ information or resource access to that victim slice. This is done by tricking\
    \ the NRF to issue a token for a slice that the requestor NF is not authorized\
    \ to access, then using that token to get information from the shared NF. It is\
    \ assumed that the shared NF is serving both own slice and the victim slice.\r\
    \n\r\n"
  detections:
  - detects: Check logs of requests/responses at the shared NF. E.g., each entry should
      contain UE ID (SUPI), NF consumer that requested it, slice Ids of both.
    fgdsid: DS0015
    name: Application Log
  id: FGT5027
  mitigations:
  - fgmid: FGM5003
    mitigates: The attack can be mitigated if the NRF performs additional checks.
      The NRF authorizes the NF service consumer to obtain tokens only for authorized
      slice(s). (3GPP SA3 investigating as of early 2022). A cross check with the
      TLS certificate of requester should be performed as well at the NRF.
    name: Cross check between application layer and transport layer
  - fgmid: M1020
    mitigates: Inspect TLS layer encryption
    name: SSL/TLS Inspection
  name: Spoof network slice identifier
  object-type: technique
  platforms: 5G network
  preconditions:
  - Description: See [FGT5028](/techniques/FGT5028)
    Name: Slice identifier was discovered
  - Description: This is common in practice
    Name: Two slices share one common NF
  - Description: This is implicit in the standards that do not mandate this check.
    Name: NRF does not check requester slice identifier and the target (consumer)
      slice identifier.
  procedureexamples:
  - Description: "A malicious NF and/or malicious slice can use the guessed identifier\
      \ Slice Differentiator (SD) to gain unauthorized information or resource access\
      \ to a different slice. The NF asks the NRF for an OAuth token for an NF in\
      \ that other slice. The reason is the requested SD (actually, the entire NSSAI)\
      \ is included in the OAuth token without verification whether requester is allowed\
      \ access to it. The NRF issues that OAuth token because it is for a producer\
      \ NF that serves both the requester\u2019s slice and the targeted (victim) slice.\
      \ \nThis seems to be a poor approach to access control- one that relies on knowing\
      \ an identifier, and so access is given if that identifier\u2014presumably kept\
      \ secret\u2014is found out. See section 3.1.3.1 of [1]."
    Name: Adversary NF in one slice uses guessed slice identifier of another slice
      to gain unauthorized access to resources in that slice.
  references:
  - '<a name="1"> \[1\] </a> [AdaptiveMobile Security, "A Slice in Time: Slicing Security
    in 5G Core Networks", 17032021-v1.00](https://info.adaptivemobile.com/network-slicing-security)'
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0005
  - TA0009
  typecode: fight_technique
- architecture-segment: Network Slice
  bluf: An adversary may guess the identifier of a different network slice, which
    allows for follow-on behaviors against that slice that require that identifier.
  criticalassets:
  - Description: Confidentiality of slice specific resources.
    Name: Slice-specific resources
  - Description: AMF and UDM have NSSAI information. AMF requests and UDM responds.
    Name: AMF and UDM
  description: " An adversary may guess the identifier of a different network slice,\
    \ which allows for follow-on behaviors against that slice that require that identifier.\r\
    \n\r\nThe NSSAI is a slice identifier. It contains two elements: a Slice Service\
    \ Type (SST) (several 3GPP defined values) and a Slice Differentiator (SD), which\
    \ should be unique within that type. Consumer NFs may need to access services\
    \ of Producer NFs belonging to a different slice. Any \u201Cconsumer NF\u201D\
    \ can ask the Network Repository Function (NRF) for an OAuth token towards this\
    \ goal, but it must include the Slice identity-- which contains a SD \u2013 in\
    \ the request.\r\n\r\nIn Release 16 or earlier, the SD was not mandatory and random.\
    \  Hence \u201Cbrute forcing\u201D or \"enumeration\" can be used to guess the\
    \ SD. Thus if the consumer NF is compromised and wants to discover other slice\
    \ IDs, it can ask the NRF for OAuth tokens but with guessed slice identities,\
    \ until a valid one is returned.\r\n\r\n"
  detections:
  - detects: 'Logs at the NRF of failed NSSAI lookups. If a NF asks for NSSAIs that
      do not exist, then flag that or take action.


      AMF can ask the UDM about NSSAIs legitimately. Keep AMF and UDM logs of transactions
      involving asks about NSSAIs.'
    fgdsid: DS0015
    name: Application Log
  id: FGT5028
  mitigations:
  - fgmid: FGM5499
    mitigates: NRF protection against brute-force attacks. NRF should not respond
      to requests after a given number of failed NSSAI lookups (See detections).
    name: Rate limiting by producer NF
  name: 'Discover network slice identifier '
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Now the adversary knows the SD of a given slice it is not authorized
      to contact.
    Name: Unauthorized disclosure of SD/NSSAI
  preconditions:
  - Description: 'For NF discovery service, clause 5.2.7.1 of [3] lists the following
      service consumers: AMF, SMF, PCF, NEF, NSSF, SMSF, AUSF, CHF, NRF, NWDAF, I-CSCF,
      SCSCF, IMS-AS, SCP, UDM, AF, DCCF, MBSF, 5G DDNMF, TSCTSF.'
    Name: Compromise of core consumer NF
  procedureexamples:
  - Description: "Any \u201Cconsumer NF\u201D can ask the NRF for information with\
      \ a guessed slice identifier, until a non-error response is returned. The NRF\
      \ services that are candidates for this operation are ([2]): discovery and Access\
      \ token (Nnrf_NFDiscovery and Nnrf_AccessToken). For the Discovery service,\
      \ in the GET NF instances, the parameters can be included \u201Cplmn-specific-snssai-list\u201D\
      , which contains the S-NSSAIs that are served by the NF supposedly being discovered.\
      \ Then the 200OK result contains the NFProfile, which includes the S-NSSAIs.\
      \ Section 3.1.3 of [1]."
    Name: An adversary in control of a network function asks the NRF for a token for
      a guessed SD until a legitimate response is received.
  references:
  - '<a name="1"> \[1\] </a> [AdaptiveMobile Security, "A Slice in Time: Slicing Security
    in 5G Core Networks", 17032021-v1.00.](https://info.adaptivemobile.com/network-slicing-security)'
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP) TS 29.510,\
    \ \u201C; Network function repository services; Stage 3\u201D, v17.4.0, Dec 2021.](https://www.3gpp.org/DynaReport/29510.htm)"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.502 \u201CProcedures for the 5G System\
    \ (5GS); Stage 2\u201D](https://www.3gpp.org/DynaReport/23502.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0007
  typecode: fight_technique
- architecture-segment: Roaming
  bluf: 'An adversary in a roaming partner operator may send altered service usage
    for a given UE to the home operator of that UE. '
  criticalassets:
  - Description: Operator loses revenue.
    Name: Operator revenue
  description: " An adversary in a roaming partner operator may send altered service\
    \ usage for a given UE to the home operator of that UE.\r\n\r\nService fraud involves\
    \ bypassing controls to gain access to services or resources which the adversary\
    \ is not entitled to or charged for. This applies to 3G, 4G and 5G.\r\nA dishonest\
    \ roaming partner could falsify a UE service usage or route traffic through several\
    \ partner networks inducing high termination fees to claim revenue in the form\
    \ of service charges.\r\n\r\n"
  detections:
  - detects: Usage data analysis via AI/ML
    fgdsid: FGDS5006
    name: UE data usage
  - detects: Cross-check with subscriber services (if subscriber complains).
    fgdsid: FGDS5011
    name: Subscriber notify provider
  id: FGT5025
  mitigations:
  - fgmid: FGM5503
    mitigates: Employ home-routing instead of local breakout for user traffic (but
      this means more delay and lower quality of service).
    name: Increase control of home network for user plane
  name: Falsify interconnect invoice
  object-type: technique
  platforms: 5G
  procedureexamples:
  - Description: Signaling fraud may be undertaken by a partner operator, via false
      charging over international signaling interconnection. Clause 5.3 of [1]. Reference
      [2] mentions service fraud.
    Name: False charging
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, November 2019.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    , October 2021](https://arxiv.org/abs/2108.11206 )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA5001
  typecode: fight_technique
- architecture-segment: UE
  bluf: Adversary may clone a SIM card (namely the IMSI, credential stored therein)
    and use it fraudulently to obtain telecom service at the expense of the user of
    the device with that legitimate SIM card
  criticalassets:
  - Description: SUPI, master secret key K etc.
    Name: Subscriber sensitive data
  description: " Adversary may clone a SIM card (namely the SUPI, credential stored\
    \ therein) and use it fraudulently to obtain telecom service at the expense of\
    \ the user of the device with that legitimate SIM card.\r\n\r\nNote 1: This threat\
    \ is applicable to 3G, 4G and 5G. It may or may not be possible depending on how\
    \ secure the SIM/USIM card is. Some manufacturers of lower tier USIMs may leave\
    \ their devices vulnerable.\r\n\r\nNote 2: USIM card technology is independent\
    \ of 3GPP generations. Releases 15, 16 brought improvements to the USIM technology.\
    \ \r\n\r\nNote 3: If two devices (one legitimate, one cloned SIM) from two different\
    \ locations attempt to connect to that home operator at the same time, both will\
    \ be dropped as a precaution against the suspected SIM cloning. \r\n\r\n"
  detections:
  - detects: Investigate unusual USIM card patterns.
    fgdsid: FGDS5005
    name: SIM card pattern
  id: FGT5026
  mitigations:
  - fgmid: M1017
    mitigates: M(V)NO procures USIM cards from reputable manufacturers, and oversees
      delivery process.
    name: User Training
  name: SIM cloning
  object-type: technique
  platforms: 5G UE
  postconditions:
  - Description: "With the cloned USIM card, adversary now has access to the victim\u2019\
      s permanent identifier (SUPI), master secret key K and operator key (OPc). Those\
      \ can be used for unauthorized access to 5G network."
    Name: Access to user credentials
  preconditions:
  - Description: Adversary needs physical access to USIM card during manufacturing
      of USIMs or during transport to MNOs and the cloned USIM card needs to be activated
      by the MNO.
    Name: Access to USIM card
  procedureexamples:
  - Description: Adversary gets physical access to the victim USIM card, extracts
      the USIM card contents (SUPI, K and OPc) and then provisions the contents in
      an empty and writeable USIM. This can be done via SIM cloning software.
    Name: Duplicate captured USIM card
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Martin Brisfors, Sebastian Forsmark, Elena Dubrova:\
    \ \u201CHow Deep Learning Helps Compromising USIM\u201D](https://dl.acm.org/doi/abs/10.1007/978-3-030-68487-7_9)"
  - "<a name=\"2\"> \\[2\\] </a> [Jinghao Zhao, Boyan Ding, Yunqi Guo, Zhaowei Tan,\
    \ Songwu Lu, \u201CSecureSIM: Rethinking Authentication and Access Control for\
    \ SIM/eSIM\u201D](https://dl.acm.org/doi/pdf/10.1145/3447993.3483254)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA5001
  - TA0006
  typecode: fight_technique
- architecture-segment: Control Plane, User Plane
  bluf: An adversary with access to Non-Service Based Interfaces (Non-SBI) network
    nodes (including routers/switches/load balancers) may position themselves in order
    to  support follow-on behaviors such as  [Network Sniffing](/techniques/FGT1040)
    or [Transmitted Data Manipulation](/techniques/FGT1565.002).
  criticalassets:
  - Description: UE user plane data integrity and confidentiality
    Name: UE user plane data
  - Description: UE signaling data integrity and confidentiality
    Name: UE signaling data
  description: " An adversary with access to Non-Service Based Interfaces (Non-SBI)\
    \ network nodes (including routers/switches/load balancers) may position themselves\
    \ in order to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040)\
    \ or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\n\r\n\u201CNon-SBI\u201D\
    \ network interfaces are within the Radio Access Network (RAN) (e.g. Xn, F1, E1)\
    \ and core (e.g. N4), and between the RAN and the 5G Core (e.g. N2, N3 interfaces).\
    \ \r\n\r\nIf the network does not provide confidentiality or integrity protection\
    \ for control plane and user plane packets on the non-SBI interfaces, then an\
    \ AITM attack is possible. \r\n\r\nNote that the Non-Access Stratum (NAS) packets\
    \ sent on the N2 interface from the UE to the core function AMF are already integrity/confidentiality\
    \ protected. However, unlike radio communications, operator RAN to core communications\
    \ are not always employing the confidentiality or integrity protection mandated\
    \ by 3GPP standards.\r\n\r\n"
  detections:
  - detects: Check configuration changes in all switches/routers. Configuration audits
      by OSS/BSS
    fgdsid: DS0015
    name: Application Log
  - detects: Inspect network traffic content and watch for unauthorized changes as
      the packets move through the routers/middle boxes
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1557.503
  mitigations:
  - fgmid: FGM5024
    mitigates: Use integrity (IPSec) on all non-SBI interfaces
    name: Integrity protection of data communication
  - fgmid: M1041
    mitigates: Use encryption (IPSec) on all non-SBI interfaces
    name: Encrypt Sensitive Information
  name: 'Non-SBI '
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Both UE signaling and normal data communication with network will
      be impacted.
    Name: Both CP and UP data are eavesdropped or modified
  preconditions:
  - Description: Malware or wrong configuration in switches/routers between RAN and
      core, between gNBs, in gNB itself, in SMF or UPF.
    Name: Compromised or misconfigured switches/routers or gNB
  procedureexamples:
  - Description: Integrity or confidentiality protection can be disabled on N2 interface
      for Control Plane (CP), N3 interface for User Plane (UP) and Xn, F1 and E1 interfaces
      for CP and UP. Clauses 9.2, 9.3 and 9.4 of [2]
    Name: Compromised or misconfigured switches or routers between RAN and core and
      between gNBs
  - Description: Network does not provide protection on N2, N3, Xn, F1 and E1 interfaces,
      see clause D.2.2 of [1]
    Name: Adversary configures the non-SBI interfaces to not use IPSec.
  - Description: Compromised or misconfigured Session Management Function (SMF) or
      User Plane Function (UPF) can cause data manipulation on N4 interface between
      them, which in turn can cause DoS attack by diverting user traffic away from
      the intended recipient. It can also cause charging errors. If weak encryption
      algorithm is used on the N4 interface, adversary can eavesdrop on sensitive
      subscriber data. Clause L.2.3 of [1]
    Name: N4 Interface is compromised
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR 33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://www.3gpp.org/DynaReport/33926.htm\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 33.501 \u201CSecurity architecture and procedures\
    \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm )"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1557
  tactics:
  - TA0009
  - TA0006
  typecode: fight_subtechnique_to_attack_technique
- access-required: user, N/A, N/A
  addendums:
  - "#### Addendum Name: Fronthaul User Plane Data\r\n##### Architecture Segments:\
    \ O-RAN\r\n Adversary manipulates User Plane data on Fronthaul interface between\
    \ O-DU and O-RU to re-direct the data to a wrong destination or get discarded\
    \ by the recipient due to incorrect message parameters.\r\n\r\nORAN Alliance has\
    \ defined the open fronthaul interface which connects one O-DU to one or more\
    \ O-RUs inside the gNB. The fronthaul interface makes it possible to distribute\
    \ the physical layer functionalities between RU and DU, and to control RU operations\
    \ from DU. ORAN Alliance has selected a specific configuration (split 7.2x) for\
    \ splitting the physical layer among those proposed by 3GPP. The lower part of\
    \ the physical layer (low PHY) resides in RU and performs Orthogonal Frequency\
    \ Division Multiplexing (OFDM) phase compensation, inverse FFT and Cyclic Prefix\
    \ (CP) insertion for frequency-to-time conversion in downlink, and FFT and CP\
    \ removal in uplink. The physical layer in DU (high PHY) performs scrambling,\
    \ modulation, layer mapping, and resource element mapping. Fronthaul consists\
    \ of four types of interfaces: Control or C plane is used to carry control plane\
    \ messages, User or U plane is used to carry user plane data, Synchronization\
    \ or S plane is used to carry timing information and Management or M plane is\
    \ used to carry management data.\r\n\r\nO-RAN fronthaul interface needs to implement\
    \ strict performance requirements which includes very high throughput and very\
    \ low latency. See clause 4.4 of [2]. Some security features may not be implemented\
    \ by MNOs to meet those requirements and to reduce processing delay. Hence, AiTM\
    \ attack on open fronthaul interface is possible which results in manipulation\
    \ of U plane data. The adversary may manipulate RLC and MAC layers of the user\
    \ plane data to cause DoS attack and/or session redirection attack (e.g. DNS redirection)\
    \ on legitimate subscribers. Confidentiality and integrity protection requirements\
    \ are not specified by ORAN alliance for control, user and synchronization (CUS)\
    \ planes, and those are mandatory for M plane. See clause 6.1 of [2] and clause\
    \ 5.4 of [3].\r\n\r\nNote: The user plane data in PDCP and above layers remains\
    \ integrity protected on Fronthaul U plane and this data manipulation attack will\
    \ not impact any of those data unless PDCP security is also broken by the adversary.\r\
    \n\r\n"
  - "#### Addendum Name: Layer 2 Redirection of DNS Requests\r\n##### Architecture\
    \ Segments: Control Plane, User Plane, Roaming\r\n An adversary can manipulate\
    \ encrypted traffic to achieve redirection of DNS requests sent by the victim\
    \ UE to the network over the radio interface.\r\n\r\nUsing a fake gNB and fake\
    \ UE device, the adversary can modify DNS requests the UE sends over the air,\
    \ even though they are encrypted, if the adversary knows the correct DNS address\
    \ and there is no integrity protection on user plane data[1].  User plane integrity\
    \ protections prevent this attack on typical 5G RAN links, however these protections\
    \ are optional.  Alternatively, an adversary may have bid-down the UE as a precondition\
    \ to achieve the effect.\r\n  \r\n"
  - "#### Addendum Name: Network Interfaces\r\n##### Architecture Segments: Control\
    \ Plane, User Plane, Roaming\r\n Adversary with access to a non-Service Based\
    \ Interface (non-SBI) node or an SBI Network Function (NF), or a function on the\
    \ roaming/interconnect interfaces, may manipulate or spoof user plane and control\
    \ plane traffic on that interface without integrity protection, towards a DOS\
    \ or other attacks on the UE or a NF.\r\n\r\nThe following Network interfaces\
    \ are in the scope of this document.\r\n\r\n1. \u201CNon-SBI\u201D (non-Service\
    \ Based Interface) network interfaces are within 5G core (e.g. N4) and RAN (e.g.\
    \ Xn, F1, E1), and between the RAN and the 5G Core (e.g. N2, N3 interfaces). \r\
    \n\r\n2. SBI network interfaces are between core NFs within an operator network;\
    \ they use REST APIs.\r\n\r\n3. Roaming and interconnect interfaces, including\
    \ IPX, are between network operators (between SEPPs (N32), between UPFs (N9),\
    \ or interworking functions like between AMF and MME (N26)).\r\n\r\nUnlike radio\
    \ communications, within operator RAN and from RAN to core communications do not\
    \ always employ integrity protection as per standards. If the gNB does not provide\
    \ integrity protection for control plane (CP) packets sent on the N2/Xn-C/F1-C/E1\
    \ interfaces or does not provide user plane (UP) integrity protection for user\
    \ plane packets sent on the N3/Xn-U/F1-U interfaces, or UPF does not provide integrity\
    \ protection for user plane packets sent on the N9 interface, then data manipulation\
    \ (alteration of messages, insertion/spoofing of messages, or replay of legitimate\
    \ signaling messages) is possible. This may result in DOS. \r\n\r\nThe adversary\
    \ with access to the SBI links, for example, with control over a middlebox (not\
    \ including the Service Communication Proxy or SCP), may manipulate or inject\
    \ spoofed signaling messages if TLS integrity is not enabled or is using a weak\
    \ algorithm.\r\n \r\nIf an IPX disables JWS signature or uses a weak algorithm\
    \ for JWS signature, an AiTM may manipulate data over the N32 interface while\
    \ a UE is roaming.\r\n\r\nSimilarly, if the EPC interworking interface N26 for\
    \ non-roaming is not integrity protected, all subscriber signaling data may be\
    \ manipulated by adversary. Refer clause 4.3.1 of [3].\r\n\r\n"
  - "#### Addendum Name: Radio Interface\r\n##### Architecture Segments: RAN\r\n Adversary\
    \ with access to radio interface manipulates user and control plane traffic received\
    \ on that interface without integrity protection, for example to redirect traffic,\
    \ or obtain location information of the UE.\r\n\r\nIf the gNB does not provide\
    \ integrity for control plane or user plane packets on radio interfaces, then\
    \ data manipulation (alteration of data frame content, insertion/spoofing of messages,\
    \ or replay of old messages) is possible. \r\n\r\n"
  architecture-segment: Control Plane, User Plane, Roaming
  bluf: 'Adversaries may alter data en route to storage or other systems in order
    to manipulate external outcomes or hide activity, thus threatening the integrity
    of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018)
    By manipulating transmitted data, adversaries may attempt to affect a business
    process, organizational understanding, and decision making.


    Manipulation may be possible over a network connection or between system processes
    where there is an opportunity deploy a tool that will intercept and change information.'
  criticalassets:
  - Description: Legitimate subscribers can be denied access or existing subscriber
      sessions can be terminated or directed to malicious server.
    Name: Subscriber network access
  - Description: Whoever controls the DNS Servers controls how and what end users
      connect to over the network, making DNS Servers a type of critical infrastructure.
    Name: DNS Servers
  - Description: Any of the subscriber user plane data sourced or destined to the
      UE
    Name: UE data
  - Description: Any of the signaling traffic sourced or destined to the UE
    Name: UE signaling
  - Description: Any of the subscriber data sent by or towards the UE
    Name: UE user plane data
  - Description: Any of the signaling traffic sent by or towards the UE
    Name: UE signaling
  description: "Adversaries may alter data en route to storage or other systems in\
    \ order to manipulate external outcomes or hide activity, thus threatening the\
    \ integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus\
    \ Sony 2018) By manipulating transmitted data, adversaries may attempt to affect\
    \ a business process, organizational understanding, and decision making.\n\nManipulation\
    \ may be possible over a network connection or between system processes where\
    \ there is an opportunity deploy a tool that will intercept and change information.\r\
    \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1565/002)\r\
    \n"
  detections:
  - detects: Monitor if security configurations in O-RU and O-DU are downgraded to
      weak or no security levels.
    fgdsid: FGDS5022
    name: Monitor security configurations
  - detects: 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.),
      that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable
      format (ex: PCAP)'
    fgdsid: DS0029
    name: Network Traffic
  - detects: Inspect network traffic and watch for unauthorized changes as the packets
      move through the interfaces.
    fgdsid: DS0029
    name: Network Traffic
  - detects: Legitimate UEs notify their service provider about DoS attack and abnormal
      session terminations.
    fgdsid: FGDS5011
    name: Subscriber notify provider
  - detects: Radio traffic content can be examined to detect unauthorized modification.
      Inspect radio traffic and watch for unauthorized changes as the packets move
      through the interfaces.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1565.002
  mitigations:
  - fgmid: FGM5024
    mitigates: Ensure fronthaul user plane data is protected with integrity protection.
      This has performance impact on devices which implement integrity protection.
    name: Integrity protection of data communication
  - fgmid: FGM5024
    mitigates: Use strong data integrity protection algorithms
    name: Integrity protection of data communication
  - fgmid: M1020
    mitigates: Break and inspect SSL/TLS sessions to look at encrypted web traffic
      for adversary activity.
    name: SSL/TLS Inspection
  - fgmid: FGM5024
    mitigates: Use integrity (IPSec) on all non-SBI interfaces, TLS 1.3 on all SBI
      interfaces including roaming interfaces (e.g. N32).
    name: Integrity protection of data communication
  - fgmid: FGM5024
    mitigates: Use integrity on radio interface for both control plane and user plane
    name: Integrity protection of data communication
  name: Transmitted Data Manipulation
  object-type: technique
  platforms: RAN, 5G, 5G network, 5G radio
  postconditions:
  - Description: Legitimate subscribers are denied access or existing sessions can
      be terminated.
    Name: DoS Attack
  - Description: Subscriber sessions are redirected to a malicious server.
    Name: Session redirection
  - Description: Adversary has redirected the end user to their own DNS system and
      can now conduct adversary-in-the-middle attacks.
    Name: DNS control
  - Description: Both UE signaling and user plane data communication with network
      will be impacted. This can cause DoS attack for legitimate subscribers.
    Name: UE data manipulation
  - Description: Both UE registration and other data communication with network will
      be impacted.
    Name: Both Control Plane (CP) and User Plane (UP) data are modified by AitM attack
  preconditions:
  - Description: Adversary must have physical access to open fronthaul network to
      collect data and then manipulate and replay the data.
    Name: Adversary has access to open fronthaul network.
  - Description: Adversary must have deployed a fake gNB and a fake UE which modify
      the payload and then replays the message towards the gNB.
    Name: Adversary in the Middle
  - Description: 'See technique Weaken Integrity: Network Interfaces.'
    Name: Weakened or disabled integrity protection
  - Description: gNB is compromised or incorrectly configured to disable integrity
      protection on control and user plane interfaces.
    Name: Malware or incorrect configuration in gNB.
  procedureexamples:
  - Description: 'Adversary launches AiTM attack on open fronthaul U plane data traffic
      by using a simple sniffer and replay device. The fronthaul U plane data usually
      does not have integrity protection due to stringent performance requirements.
      Hence a data manipulation attack is possible by a simple device. DoS attack
      can be done by manipulating RLC header with bogus data and those messages will
      get discarded by the recipient. Session redirection attack can be launched by
      changing the destination MAC address in the MAC header which will re-direct
      the packets to an adversary-controlled server.


      This attack can only manipulate user plane data below PDCP layer. Any user plane
      data in PDCP and above layers are not compromised by this attack. See clause
      5.4.1.2, T-UPLANE-01 of [1], clause 6.1 of [2] and clause 5.4 of [3].'
    Name: Manipulate U plane data on open fronthaul interface.
  - Description: In this active attack named aLTEr, adversary exploits the fact that
      LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected,
      which allows an adversary to modify the message payload. This is applicable
      in 5G when the user data integrity algorithm is set to NULL.
    Name: Adversary employs the aLTEr procedure
  - Description: 'If gNB is compromised or misconfigured, CP and UP data can be manipulated
      by adversary on N2, N3, F1, E1 and Xn interfaces. Clause D.2.2 of [1], 5.3.3
      of [2]


      If AMF or SMF is compromised or misconfigured, CP data can be manipulated by
      adversary on N2 and N4 interfaces. Clauses 5.5.2 & 9.9 of [2]


      If UPF is compromised or misconfigured, UP data can be manipulated by adversary
      on N3 interface. Clause D.2.2 of [1], 9.3 of [2]'
    Name: Data manipulation on the non-SBI
  - Description: "If NF is compromised or misconfigured, CP data can be manipulated\
      \ on SBI interface. Clause 13.1 of [2] (DoS attack) \n\nIf SCP is compromised\
      \ or misconfigured, CP data can be manipulated on SBI. Clause 5.9.2.4 of [2]\
      \ (DoS attack)\n\nAn access token may be manipulated to gain unauthorized access\
      \ to another NF. See technique Unauthorized access to Network Exposure Function\
      \ (NEF) via token fraud. \n\nA rogue or misconfigured AMF can obtain the temporary\
      \ UE ID (5G-GUTI or 5G-S-TMSI) during UE registration and service request and\
      \ later use the ID to spoof signaling messages to retrieve sensitive subscriber\
      \ information. Clauses 4.2.2.2.2 & 4.2.3.2 of [4]. (Unauthorized access)\n\n\
      Note: This attack is possible in both non-roaming and roaming scenarios."
    Name: Data manipulation on the SBI
  - Description: 'If SEPP or IPX component is compromised or misconfigured, CP data
      can be manipulated by adversary on N32 interface. Clauses 9.9, 13.1, 13.2 of
      [2]


      If UPF is compromised or misconfigured, UP data can be manipulated by adversary
      on N9 interface. Clause 9.9 of [2]


      If AMF or MME is compromised or misconfigured, CP data can be manipulated by
      adversary on N26 interface. Clause K.2.1 of [1], 8.4 of [2]'
    Name: Data manipulation on roaming/interconnect
  - Description: '[3] describes an attack on 4G but applicable to 5G where radio interface
      integrity is not applied, whereby an adversary changes the DNS request sent
      by the victim UE over the radio interface so as to redirect to its own DNS server.
      See technique DNS Manipulation.'
    Name: Altering DNS requests not integrity protected over the radio interface.
  - Description: 'Adversary replays NAS messages to check whether a UE is in the area.
      See technique Locate UE: NAS exploit'
    Name: Replay NAS messages to get UE location
  - Description: RRC messages can be manipulated by AiTM to cause authentication of
      legitimate subscribers to fail. Also, AiTM can manipulate RRC or UP messages
      of an existing data session which can cause disruption or termination of session.
    Name: DoS attack by data manipulation
  references:
  - <a name="1"> \[1\] </a> [O-RAN Threat Model 6.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="2"> \[2\] </a> [O-RAN WG4 Control, User, and Synchronization Plane Specification
    12.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="3"> \[3\] </a> [O-RAN WG4 Management Plane Specification 12.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - "<a name=\"1\"> \\[1\\] </a> [D. Rupprecht, K. Kohls, T. Holtz, and C. Popper,\
    \ \u201CBreaking LTE on Layer Two\u201D https://alter-attack.net](https://www.gsma.com/security/wp-content/uploads/2023/10/0008-breaking_lte_on_layer_two.pdf)"
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes.\u201D](https://www.3gpp.org/DynaReport/33926.htm)"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS33.501 \u201CSecurity architecture and procedures\
    \ for 5G System.\u201D](https://www.3gpp.org/DynaReport/33501.htm)"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.501 \u201CSystem architecture for the\
    \ 5G System (5GS)\u201D](https://www.3gpp.org/DynaReport/23501.htm)"
  - "<a name=\"4\"> \\[4\\] </a> [3GPP TS 23.502 \u201CProcedures for the 5G System\
    \ (5GS)\u201D](https://www.3gpp.org/DynaReport/23502.htm)"
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR 33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://www.3gpp.org/DynaReport/33926.htm\
    \  )"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 33.501 \u201CSecurity architecture and procedures\
    \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm  )"
  - "<a name=\"3\"> \\[3\\] </a> [D. Rupprecht, K. Kohls, T. Holtz, and C. Popper,\
    \ \u201CBreaking LTE on Layer two\u201D,  in Proc. IEEE Symposium on Security\
    \ and Privacy (SP), 2019, pp. 1-16.](https://alter-attack.net/media/breaking_lte_on_layer_two.pdf)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1565
  tactics:
  - TA0040
  - TA0009
  typecode: attack_subtechnique_addendum
- architecture-segment: RAN, Control Plane
  bluf: 'An adversary may obtain the UE location using radio access or core network '
  criticalassets:
  - Description: UE/User geographical location, coarse or fine-grained
    Name: UE location
  description: " An adversary may obtain the UE location using radio access or core\
    \ network.\r\n\r\nAdversary may employ various means to obtain UE location (coarse,\
    \ fine) using radio access or core network. The UE consists of Mobile Equipment\
    \ (ME), that is, the device, and the Universal Subscriber Identity Module (USIM)\
    \ card.\r\n\r\n"
  detections: []
  id: FGT5012
  mitigations: []
  name: Locate UE
  object-type: technique
  platforms: 5G Network
  procedureexamples:
  - Description: Adversary may use the radio access network to determine that a particular
      UE is in the area, or where exactly the UE is located
    Name: Use radio access to locate UE
  - Description: Adversary may use the core network signaling to trigger the procedure
      of locating a particular UE via RAN
    Name: Use core network signaling to locate UE
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [S.P. Rao, S. Holtmanns, T. Aura: \u201CThreat modeling\
    \ framework for mobile communication systems\u201D, May 2020](https://arxiv.org/abs/2005.05110v1\
    \ )"
  - <a name="3"> \[3\] </a> [S. Tomasin, Stefano & Centenaro, Marco & Seco-Granados,
    Gonzalo & Roth, Stefan & Sezgin, Aydin. (2021). Location-Privacy Leakage and Integrated
    Solutions for 5G Cellular Networks and Beyond. Sensors. 21. 5176. 10.3390/s21155176.](https://www.researchgate.net/publication/353641837_Location-Privacy_Leakage_and_Integrated_Solutions_for_5G_Cellular_Networks_and_Beyond)
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA0007
  - TA0009
  typecode: fight_technique
- access-required: User/Admin of slice
  architecture-segment: Network Slice, Control Plane
  bluf: 'An adversary uses a legitimate access token for a shared Network Function
    (NF) to get location info of a user of a different slice. '
  criticalassets:
  - Description: UE/Subscriber geographical location, coarse or fine-grained
    Name: UE location
  description: " An adversary may use a legitimate access token for a shared Network\
    \ Function (NF) to get location info of a user of a different slice.\r\n\r\nAn\
    \ adversary controlling a slice or a NF in a slice obtains an access token for\
    \ a shared 5G core NF (e.g., AMF) and uses it to get location info for an SUPI\
    \ of a user belonging to a different slice but still served by same NF.\r\n\r\n"
  detections:
  - detects: Regularly audit applications and interface messaging logs. Check logs
      of requests/responses at the shared NF. E.g., each entry should contain SUPI,
      NF consumer that requested it, slice IDs of both.
    fgdsid: DS0015
    name: Application Log
  id: FGT5012.005
  mitigations:
  - fgmid: FGM5012
    mitigates: Cross check requested SUPI is served by (belongs to) the slice ID (NSSAI)
      of the consumer NF (and presented in the authorization Token). That is, this
      attack could be mitigated if the shared network function (NF service producer)
      checks the SUPI in a service request and the requesting NF service consumer
      are being served by the same slice. (3GPP SA3 is investigating if 3GPP specifications
      allow for such check)
    name: Slice ID check
  name: Shared Network Function in slice
  object-type: technique
  platforms: 5G core
  postconditions:
  - Description: Target slice information is leaked, slice confidentiality is breached
      due to sharing the NF between slices.
    Name: "UE\u2019s location is tracked by rogue NF"
  preconditions:
  - Description: 'Two slices share one common NF that is able to get UE location info.
      Adversary has control of one slice or at least a NF in that slice -- where said
      NF is allowed to talk to the AMF.


      The following core NFs can legitimately ask for or obtain directly the location
      of a UE (some granularity): AMF, UDM, NEF, NWDAF, GMLC, LMF. The following core
      NFs can only get limited/coarse location: SMF, UPF, PCF.'
    Name: Access shared NF in a different slice
  procedureexamples:
  - Description: Malicious NF of a compromised slice gets access token for a shared
      AMF, but then asks AMF for the location of a UE in the target slice. The AMF
      checks that the authorization (OAuth) token is ok, which it is, but does not
      check that the UE ID is served by target slice, while the requester NF is from
      compromised slice. Section 3.1.5 of [1].
    Name: Malicious NF belonging to compromised Network Slice gets an access token
      for the target AMF, which serves both target slice and compromised slice.
  references:
  - '<a name="1"> \[1\] </a> [AdaptiveMobile Security, "A Slice in Time: Slicing Security
    in 5G Core Networks", 17032021-v1.00, March 2021.](https://info.adaptivemobile.com/network-slicing-security
    )'
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5012
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- architecture-segment: Control Plane
  bluf: An adversary in the 5G core who has compromised a proxy or middlebox may position
    themselves  between Network Functions (NFs) that are communicating via the Service
    Based Interfaces (SBI), in order to support follow-on behaviors such as  [Network
    Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).
  criticalassets:
  - Description: There are many procedures that can be impacted if an adversary gets
      in the middle of a TLS connection between two network functions on the SBI.
    Name: 5G Core network services, including service discovery
  - Description: Core functions handle UE signaling for the provisioning and configuration
      of services.
    Name: Control plane (provisioning and configuration) data for UEs
  description: " An adversary in the 5G core who compromised a proxy or middlebox\
    \ may position themselves between Network Functions (NFs) that are communicating\
    \ via the Service Based Interfaces (SBI), in order to support follow-on behaviors\
    \ such as  [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\
    \n\r\nSBI network interfaces are between core NFs within an operator network.\
    \ An adversary may compromise a proxy on the SBI, such as the Service Communication\
    \ Proxy (SCP), API proxy, or a load-balancer. Then an adversary may also exploit\
    \ improper TLS configuration (including weaker cipher, profile) of the SBI connections,\
    \ which may arise for example due to the use of TLS profiles forbidden in 3GPP\
    \ TS 33.310 for NF mutual authentication and NF transport layer protection.\r\n\
    \r\n\r\n"
  detections: []
  id: FGT1557.504
  mitigations:
  - fgmid: FGM5024
    mitigates: Use TLS 1.3 or TLS 1.2 integrity protection with only strong cipher
      suites.
    name: Integrity protection of data communication
  - fgmid: FGM5095
    mitigates: TLS certificate thorough checking. Ensure that all certificates received
      over a connection are valid for the current server endpoint, and abort the handshake
      if they are not. In some usages, it may be simplest to refuse any change of
      certificates during renegotiation.
    name: TLS certificate check
  - fgmid: M1041
    mitigates: Use TLS 1.3 or TLS 1.2 encryption with only strong cipher suites.
    name: Encrypt Sensitive Information
  - fgmid: M1047
    mitigates: Audit NF configuration for interfaces, e.g. if TLS is disabled or what
      version of TLS is being used.
    name: Audit
  name: 'Service Based Interface '
  object-type: technique
  platforms: 5G Network
  procedureexamples:
  - Description: If a TLS client connects to a malicious server and presents a client
      credential, the server can then impersonate the client at any other server that
      accepts the same credential. Concretely, the malicious server performs an adversary-in-the-middle
      attack on three successive handshakes between the honest client and server,
      and succeeds in impersonating the client on the third handshake. See [5], clause
      4.2.2.2 of [2].
    Name: Triple Handshake
  - Description: An adversary in control of SCP can eavesdrop or alter signaling data
      between any two core NFs.
    Name: SCP as AITM
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks)"
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP) TS 33.117,\
    \ \u201CCatalogue of general security assurance requirements (Release 17)\u201D\
    , v17.0.0, June 2021.](https://www.3gpp.org/DynaReport/33117.htm  )"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 33.310 \u201CNetwork Domain Security (NDS);\
    \ Authentication Framework (AF)\u201D](https://www.3gpp.org/DynaReport/33310.htm\
    \ )"
  - <a name="4"> \[4\] </a> [G. Koien, "On Threats to the 5G Service Based Architecture",
    2021.](https://www.researchgate.net/journal/Wireless-Personal-Communications-1572-834X/publication/349455036_On_Threats_to_the_5G_Service_Based_Architecture/links/6030a03a4585158939b7bcae/On-Threats-to-the-5G-Service-Based-Architecture.pdf)
  - "<a name=\"5\"> \\[5\\] </a> [3SHAKE: \u201CTriple Handshakes Considered Harmful:\
    \ Breaking and Fixing Authentication over TLS\u201D](https://mitls.org/pages/attacks/3SHAKE)"
  status: This is a theoretical behavior
  subtechnique-of: FGT1557
  tactics:
  - TA0009
  - TA0006
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: Control Plane, User Plane, RAN
  bluf: An adversary controlling a gNB or control plane or user plane Network Function
    (NF) may manipulate signaling to result in DOS on one or more UEs
  criticalassets:
  - Description: Communications is denied to legitimate UEs
    Name: Network services
  description: " An adversary controlling a gNB or control plane or user plane Network\
    \ Function (NF) may manipulate signaling to result in DOS for one or more UEs.\
    \ \r\n\r\nAdversary may use a false base station to deny service to a User Equipment\
    \ (UE) by issuing registration reject messages or other such messages to deny\
    \ radio access, or posing as a legitimate base station, but not relaying traffic\
    \ to or from the intended recipient.  Adversary may compromise a core NF and thus\
    \ manipulate signaling for the UE registration or session management procedures,\
    \ in order to deny service to that UE.\r\n\r\n"
  detections:
  - detects: Subscriber notifies provider of no or degraded service
    fgdsid: FGDS5011
    name: Subscriber notify provider
  id: FGT1499.503
  mitigations:
  - fgmid: FGM5023
    mitigates: Periodically re-authenticate NFs in the network to assess whether they
      have been compromised. Remote attestation may also be employed
    name: Periodic Authentication & Authorization of NFs
  - fgmid: M1030
    mitigates: Implement industry standard core and edge network function security
      protection
    name: Network Segmentation
  name: DOS a UE via gNB or NF signaling
  object-type: technique
  platforms: 5G
  preconditions:
  - Description: Adversary needs access to a fake or compromised gNB or a compromised
      NF.
    Name: Compromise gNB or NF
  procedureexamples:
  - Description: "Adversary with a fake UE can send a De-registration request to the\
      \ victim UE's gNB with the victim\u2019s 5G-GUTI. Or, adversary with a fake\
      \ gNB can send Deregistration request to the victim UE."
    Name: DOS via gNB control
  - Description: Adversary with fake UE can try to register as the victim UE, and
      when the victim UE tries to RRC connect again, it will be rejected. See [2]
    Name: DOS via impersonating UE
  - Description: "Adversary controlling Access and Mobility Management Function (AMF)\
      \ can cause authentication to fail or deny SMS service by deactivating SMS for\
      \ a given SUPI [1]. Control of AMF (with or without its Security Anchor Function\
      \ (SEAF) functionality) can give an adversary the ability to manipulate the\
      \ AKA procedure (e.g. change parameters exchanged) between the AMF and any other\
      \ UE, so that (at the simplest) the UE fails authentication and cannot get services.\
      \ \nAlternatively, rogue or misconfigured AMF modifies the registration accept\
      \ message for legitimate subscribers to deny access to some or all services\
      \ that are configured in their profile."
    Name: DOS via AMF control
  - Description: Adversary controlling Session Management Function (SMF) can release
      an existing PDU session or not create a new one; or send a N4 Session Release
      request to User Plane Function (UPF) currently serving the UE.
    Name: DOS via SMF control
  - Description: Adversary controlling UPF can send a report of PDU session inactivity,
      which results in de-activating the UE session. Or alter secondary authentication
      between DN AAA and SMF so it fails
    Name: DOS via UPF control
  - Description: Adversary controlling Authentication Server Function (AUSF) can produce
      incorrect AKA parameters or change data out of UDM.
    Name: DOS via AUSF control
  - Description: Adversary controlling Unified Data Management (UDM) can  fail the
      SUPI de-concealing operation, so that the UE key will be different and Non-Access
      Stratum (NAS) Security Mode Command (SMC) will fail (e.g., responding to SUCI
      de-concealment with an incorrect SUPI). See clause E.2.2.1 of [3].
    Name: DOS via UDM control
  - Description: "Adversary controlling Authentication Credential Repository and Processing\
      \ Function (ARPF) can either (a) Alter the root key (K) or provide wrong root\
      \ key for the UE; or (b) Generate wrong authentication vector (AV) during UE\
      \ authentication procedure using EAP-AKA\u2019 or 5G AKA.\nBoth will result\
      \ in authentication failure for the UE. Section 6.1.3 of [4]"
    Name: DOS via ARPF control
  - Description: Adversary controlling the Unified Data Repository (UDR) may give
      UDM incorrect security parameters, or remove UE authentication status.
    Name: DOS via UDR control
  - Description: Adversary controlling Policy and Charging Function (PCF) may return
      a very restrictive policy for that UE.
    Name: DOS via PCF control
  - Description: Adversary controlling the Network Slicing Selection Function (NSSF)  and/or
      the Network Slicing Selection Authentication and Authorization Function (NSSAAF)
      may deny UE access to a slice by mishandling NSSAI (saying it's unavailable)
      or altering authentication params so that authentication procedure fails.
    Name: DOS via NSSF and NSSAAF control
  - Description: Adversary controlling Charging Function (CHF) may send a message
      to SMF to start PDU session release.
    Name: DOS via CHF control
  - Description: Adversary controlling SMS Function (SMSF) may achieve DOS only for
      SMS for a given UE; i.e. the device does not receive or send text messages.
    Name: DOS via SMSF control
  - Description: Adversary controlling 5G-Equipment Identity Register (5G EIR) can
      mark UE as stolen.
    Name: DOS via 5G EIR control
  - Description: Adversary controlling home network Security Edge Protection Proxy
      (SEPP) or visited SEPP can alter or discard registration request/response message
      and/or other signaling messages to deny access for a UE.
    Name: DOS via Home or visited network SEPP
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Hu, X. et al: \u201CA Systematic Analysis Method\
    \ for 5G Non-Access Stratum Signalling Security\u201D, August 2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.926:\
    \ \u201CSecurity Assurance Specification (SCAS) threats and critical assets in\
    \ 3GPP network product classes\u201D, Technical Report, v17.3.0, December. 2021.](https://www.3gpp.org/DynaReport/33926.htm\
    \ )"
  - "<a name=\"4\"> \\[4\\] </a> [3rd Generation Partnership Project (3GPP) TS 33.501:\
    \ \u201CSecurity architecture and procedures for 5G System\u201D, Technical Specification,\
    \ v17.6.0, June 2022](https://www.3gpp.org/DynaReport/33501.htm )"
  status: This is a theoretical behavior
  subtechnique-of: FGT1499
  tactics:
  - TA0040
  typecode: fight_subtechnique_to_attack_technique
- access-required: admin
  architecture-segment: Control Plane
  bluf: An adversary controlling a control plane network function may manipulate signaling
    to retrieve UE subscription information
  criticalassets:
  - Description: Subscriber data can be permanent (not updateable) or updateable (like
      the current serving PLMN, AMF etc)
    Name: UDM and subscriber/UE data
  description: " Adversary controlling a control plane network function (NF) may manipulate\
    \ signaling to retrieve UE subscription information.\r\n\r\nThe AMF, SMF, NEF,\
    \ SMSF and the UDM itself can use legitimate signaling to retrieve the subscription\
    \ data of a given UE, assuming its SUPI is known. The subscription data is stored\
    \ in the UDM or UDR. \r\n\r\nThe UE data in the UDM is referred to as the \u201C\
    Session Data Management Subscription data\u201D, and it includes access and mobility\
    \ subscription data, SMS subscription data, slice information (the UE\u2019s NSSAIs),\
    \ \"supported features\", serving PLMN ID. This threat consists of a compromised\
    \ NF to ask the UDM for the data for a given SUPI or GPSI. \r\n\r\n"
  detections:
  - detects: Monitor logs
    fgdsid: DS0015
    name: Application Log
  id: FGT5020
  mitigations:
  - fgmid: FGM5033
    mitigates: 'Standard 5G enterprise/core network security functionality

      E.g. Zero trust principles for OA&M.'
    name: Zero Trust
  name: Retrieve UE subscription data
  object-type: technique
  platforms: 5G Core Network
  preconditions:
  - Description: Adversary must know the SUPI or GPSI of victim UE
    Name: SUPI or GPSI
  procedureexamples:
  - Description: An AMF can extract subscription data (including NSSAIs) for any given
      UE SUPI by asking the UDM (uses Nudm_SDM_Get service  (SDM=SubscriberDataManagement)).
      The UDM does not check that that AMF is the one serving the UE, i.e. the AMF
      does not need to register itself first as serving the UE, via the Nudm_UECM_Registration
      Request. Table 5.2.3.1-1 of [1]
    Name: AMF retrieves subscription data from UDM.
  - Description: "A rogue AMF in visited PLMN can retrieve the UE\u2019s sensitive\
      \ information during 5GS to EPC roaming. AMF calls Nsmf_PDUSession_ContextRequest\
      \ API to v/hSMF. SMF sends the UE SM context in response which can reveal the\
      \ following UE information: SUPI, S-NSSAI, DNN, UE IP address etc. Clause 4.11.1.2.1\
      \ & Table 5.2.8.2.10-1 of [1]"
    Name: AMF in visited PLMN retrieves UE information during 5GS to EPC roaming.
  - Description: "The SMF can send to UDM a Nudm-sdm message and retrieve \u201CSession\
      \ mgmt subscription data\u201D, i.e. DNN configuration for all network slices."
    Name: SMF retrieves subscription data from UDM
  - Description: The UDM can legitimately get UE subscription data from UDR.
    Name: UDM can look up any UE (in UDR if one is employed).
  - Description: The SMSF can get the UE subscription data via Nudm_sdm API.
    Name: SMSF retrieves UE subscription data from UDM
  - Description: The NEF can get the UE subscription data via Nudm_sdm API.
    Name: NEF retrieves some of the UE subscription data from UDM.
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3rd Generation Partnership Project (3GPP) 23.502\
    \ \u201CProcedures for the 5G System (5GS)\u201D, March 2022.](https://www.3gpp.org/DynaReport/23502.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0009
  typecode: fight_technique
- architecture-segment: Control Plane
  bluf: An adversary controlling a control plane  network function may manipulate
    signaling or parameters to achieve charging/billing fraud where victim is UE or
    operator itself
  criticalassets:
  - Description: Communications is denied
    Name: UE call/data records accuracy
  description: " An adversary controlling a control plane network function (NF) may\
    \ manipulate signaling or parameters to achieve charging/billing fraud where victim\
    \ is UE or operator itself. \r\n\r\nThere are multiple procedures to support this\
    \ adversarial behavior, and they depend on the NF that is compromised.\r\n\r\n"
  detections:
  - detects: Management system (OSS/BSS) checks uniqueness of charging ID for all
      new PDU sessions in non-roaming scenario and existing PDU sessions in handover
      and roaming scenario
    fgdsid: FGDS5003
    name: Charging anomaly
  id: FGT5023
  mitigations:
  - fgmid: FGM5023
    mitigates: Periodic authentication / authorization of NF consumer e.g. SMF/PCF/CHF/NEF/AF
      by NRF will help detect rogue NFs.
    name: Periodic Authentication & Authorization of NFs
  - fgmid: FGM5094
    mitigates: Rigorous checks of unique mapping of charging ID to PDU session (applicable
      to the SMF case). Management system (OSS/BSS) can generate alert for possible
      intervention.
    name: Allocate new 5G identifiers judiciously
  name: Charging fraud via NF control
  object-type: technique
  platforms: 5G
  procedureexamples:
  - Description: 'An adversary may control the SMF and assign the same SMF Charging
      Identifier to a device data flow as that of an existing victim device, to cause
      charging errors. Clause 5.1.4 & annex A.1 of [3].


      The SMF can also pause charging for a given UE (even though not warranted),
      clause 4.4.4 of [4].

      The SMF can also misreport 5G data used by a given UE.'
    Name: SMF control
  - Description: An adversary with control over the PCF can change policy so that
      UE is allowed to consume a service it was not subscribed to - but it will still
      be traceable to that UE. Clause 4.3.2 of [5].
    Name: PCF control
  - Description: An adversary with control over the CHF can ignore when PCF tells
      it that the spending limit for this subscriber has been reached or can ignore
      the SMS records from the SMSF (SMSF uses POST to put in data), or can ignore
      the 5G data the SMF reports ([3])
    Name: CHF control
  - Description: "Adversary on AF can attack a weak NEF. Or, the NEF can be compromised\
      \ and conduct this attack without even an AF. \nAn AF can ask the NEF to change\
      \ the \u201Cchargeable party\u201D Clause 4.4.8 of [6], clause 4.4.4 of [7].\n\
      \nThis is meant to support the AF being the chargeable party, but it\u2019s\
      \ imaginable how the AF can put a different AF as chargeable: it has to send\
      \ the AF identifier, UE IP address, Sponsor ID, ASP ID, etc. even AppID."
    Name: NEF control or Application Function (AF) control exploiting weak NEF
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.926:\
    \ \u201CSecurity Assurance Specification (SCAS) threats and critical assets in\
    \ 3GPP network product classes\u201D, Technical Report, v17.3.0, December. 2021](https://www.3gpp.org/DynaReport/33926.htm\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 32.255 \u201CTelecommunication management;\
    \ Charging management; 5G data connectivity domain charging; Stage 2\u201D](https://www.3gpp.org/DynaReport/32255.htm)"
  - "<a name=\"4\"> \\[4\\] </a> [3GPP TS 23.502 \u201CProcedures for the 5G System\
    \ (5GS)\u201D](https://www.3gpp.org/DynaReport/23502.htm)"
  - "<a name=\"5\"> \\[5\\] </a> [3GPP TS 23.503 \u201CPolicy and charging control\
    \ framework for the 5G System (5GS); Stage 2\u201D](https://www.3gpp.org/DynaReport/23503.htm)"
  - "<a name=\"6\"> \\[6\\] </a> [3GPP TS 29.522 \u201C5G System; Network Exposure\
    \ Function Northbound APIs; Stage 3\u201D](https://www.3gpp.org/DynaReport/29522.htm)"
  - "<a name=\"7\"> \\[7\\] </a> [3GPP TS 29.122 \u201CT8 reference point for Northbound\
    \ APIs\u201D](https://www.3gpp.org/DynaReport/29122.htm)"
  status: This is a theoretical behavior
  tactics:
  - TA5001
  typecode: fight_technique
- access-required: physical or malware insertion
  architecture-segment: UE
  bluf: 'An adversary may get access to several SIM credentials either by physical
    access to SIM card inventory or by injecting malware on SIM vendor server. '
  criticalassets:
  - Description: Adversary is after getting the keys to decrypt cellular communications
      for those sets of SIMs whose credentials it captured.
    Name: Privacy of subscriber data
  description: " An adversary may get access to several SIM credentials either by\
    \ physical access to SIM card inventory or by injecting malware on SIM vendor\
    \ server. \r\n\r\nUnauthorized actors use various means to intercept/steal SIM\
    \ data in transit from SIM card vendors towards the HSS or the UDR/UDM in the\
    \ operator's network and by gaining physical access to the SIM card inventory\
    \ in order to obtain customer credentials.\r\n\r\n"
  detections: []
  id: FGT1195.501
  mitigations:
  - fgmid: FGM5024
    mitigates: Protect the files where SIM data is stored by integrity protection.
    name: Integrity protection of data communication
  - fgmid: M1017
    mitigates: 'Personnel security: Train personnel in SIM card OEMs to be wary of
      social engineering and other attempts of unauthorized parties to gain access
      to any relevant resource, and to report suspicious activities.'
    name: User Training
  - fgmid: M1022
    mitigates: Restrict access to files exchanged between SIM vendor and MNO.
    name: Restrict File and Directory Permissions
  - fgmid: M1030
    mitigates: Physical and cyber security of IT systems, servers.
    name: Network Segmentation
  - fgmid: M1041
    mitigates: Protect the files where SIM data is stored by encryption.
    name: Encrypt Sensitive Information
  name: SIM Credential Theft
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: "Subscriber\u2019s sensitive signaling and user plane data are exposed\
      \ to the adversary."
    Name: Subscriber data leak
  preconditions:
  - Description: "Adversary needs to either implant malware in SIM vendor\u2019s server\
      \ or have physical access to the SIM card inventory."
    Name: Implant malware or physical access
  procedureexamples:
  - Description: An adversary may implant malware on a SIM vendor server or gain physical
      access to their SIM cards and thus obtain SIM credentials.
    Name: "Infiltrate SIM vendor\u2019s network."
  references:
  - "<a name=\"1\"> \\[1\\] </a> [GSMA FS.28 \u201CSecurity Guidelines for Exchange\
    \ of UICC Credentials\u201D, Version 1.0, November 2020.](https://www.gsma.com/security/resources/fs-28-security-guidelines-for-exchange-of-uicc-credentials/\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Gemalto article on SIM credential threat: \u201C\
    GEMALTO PRESENTS THE FINDINGS OF ITS INVESTIGATIONS INTO THE ALLEGED HACKING OF\
    \ SIM CARD ENCRYPTION KEYS BY BRITAIN'S GOVERNMENT COMMUNICATIONS HEADQUARTERS\
    \ (GCHQ) AND THE U.S. NATIONAL SECURITY AGENCY (NSA)\u201D.](https://www.thalesgroup.com/en/markets/digital-identity-and-security/press-release/gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-sim-card-encryption-keys)"
  - "<a name=\"3\"> \\[3\\] </a> [BBC article: \u201CUS and UK accused of hacking\
    \ Sim card firm to steal codes\u201C.](https://www.bbc.com/news/technology-31545050)"
  - "<a name=\"4\"> \\[4\\] </a> [Securitytoday.com article: \u201CU.S. and Britain\
    \ Work Together to Pull off SIM Card Heist\u201D.](https://securitytoday.com/articles/2015/02/20/us-and-britain-work-together-to-pull-off-sim-card-heist.aspx?admgarea=ht.government)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT1195
  tactics:
  - TA0006
  - TA0001
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: User Plane
  bluf: An adversary may compromise the operator's SMS Center (SMSC) to collect SMS
    messages to/from the UEs.
  criticalassets:
  - Description: User data from SMS
    Name: User data
  description: " An adversary may compromise the operator's SMS Center (SMSC) to collect\
    \ SMS messages to/from the UEs. \r\n\r\nThe SMSC is a server in 3G, 4G, and 5G\
    \ networks, and it communicates in 5G with the SMS Function (SMSF) and IMS function\
    \ IP-SM-GW, using MAP protocol.\r\n\r\nAn adversary can eavesdrop the SMS data\
    \ to/from certain subscribers (identified by IMSI or MSISDN), by compromising\
    \ the operator\u2019s SMSC.  Similar techniques can be applied to other operator\
    \ functions such as IP-SM-GW or STF, SMSF, towards the same goal.\r\n\r\n\r\n"
  detections: []
  id: FGT5001
  mitigations:
  - fgmid: M1049
    mitigates: Check telecom servers for malware or use endpoint security solution.
      Implement the latest patches in Linux systems and use strong anti-virus software
      to detect malware.
    name: Anti-virus & Anti-malware
  name: Network-side SMS collection
  object-type: technique
  platforms: 5G Network
  preconditions:
  - Description: Adversary must first develop the malware to achieve the procedures
      herein.
    Name: Malware developed
  procedureexamples:
  - Description: "A data miner program may be loaded by an installation script. The\
      \ script targets and saves SMS messages (the contents, the IMSI and the source\
      \ and destination phone number). This is highly targeted to given IMSI numbers\
      \ (e.g., proponents of movements against the Chinese gov\u2019t). (note: Call\
      \ Data Records (CDRs) were also targeted for certain IMSIs, the info therein\
      \ is called metadata, i.e. time, duration, phone numbers). [1], [2]."
    Name: Malware loaded into a Linux running SMSC server
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Dynamic Ciso.com \u201CNew Malware Discovered by\
    \ FireEye APT41, Infects SMS Servers Within Telecoms\u201D, Nov 1, 2019, retrieved\
    \ March 4, 2022.](https://dynamicciso.com/new-malware-discovered-by-fireeye-apt41infects-sms-servers-within-telecoms)"
  - "<a name=\"2\"> \\[2\\] </a> [Leong, Raymond, Perez, Dan & Dean, Tyler, \u201C\
    MESSAGETAP: Who\u2019s Reading Your Text Messages\u201D FireEye. 31 Oct 2019.](https://www.mandiant.com/resources/messagetap-who-is-reading-your-text-messages)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  tactics:
  - TA0009
  typecode: fight_technique
- architecture-segment: Control Plane
  bluf: Adversary may compromise the 5G Charging Function (CHF) in order to steal
    sensitive subscriber call related data/CDRs.
  criticalassets:
  - Description: Confidentiality of sensitive subscriber data in the form of (calls/data/SMS).
    Name: Subscriber data
  description: " Adversary may compromise the 5G Charging Function (CHF) in order\
    \ to steal sensitive subscriber call related data/CDRs.\r\n\r\nAdversary may compromise\
    \ 5G CHF by either cloning a legitimate CHF or by implanting malware inside a\
    \ legitimate 5G CHF in order to steal subscriber\u2019s call and SMS related metadata.\
    \ The information may be used to enable follow-on privacy attacks such as tracking\
    \ internet usage and call/SMS activities of certain subscribers.\r\n\r\nIn earlier\
    \ generations of 3GPP networks, CDRs are generated on switches, and then moved\
    \ to billing servers. In 5G, Converged Charging System (CCS) is responsible for\
    \ generating CDRs for subscribers based on their data usage. CHF is part of the\
    \ CCS. CHF communicates to other core NFs via Service Based Interface (SBI). It\
    \ receives data usage information from core NFs such as SMF. The CDRs are processed\
    \ by charging data processing functions external to the 5G network \u2013 that\
    \ is, by the Offline Charging System (OFCS) for postpaid customers and by the\
    \ Online Charging System (OCS) for prepaid customers.\r\n\r\n\r\n"
  detections:
  - detects: 'Log and raise alarms for any suspicious deployment activities in core:
      Update image, cloning an existing NF etc.'
    fgdsid: FGDS5012
    name: SIEM
  id: FGT5017
  mitigations:
  - fgmid: FGM5089
    mitigates: Verify image hash of every core NF by periodic checks
    name: Verify image in deployment
  name: 'Charging Data Record (CDR) collection '
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Exposure of subscriber sensitive information such as call/data/text
      metadata.
    Name: Leakage of subscriber data
  preconditions:
  - Description: Adversary either clones a legitimate CHF or implants malware in a
      legitimate CHF.
    Name: Adversary compromises a legitimate CHF
  procedureexamples:
  - Description: "Adversary may use a compromised CHF to collect CDR\u2019s belonging\
      \ to a target subscriber, or a group of subscribers based on their SUPI or GPSI\
      \ (phone number). The collected CDRs may be used to track internet usage and\
      \ call/SMS activities of target subscriber(s). [3]"
    Name: Compromised CHF steals CDRs
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TS 32.291 \u201CCharging management; 5G system,\
    \ charging service; Stage 3\u201D](https://www.3gpp.org/DynaReport/32291.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0009
  - TA0007
  typecode: fight_technique
- access-required: physical/gNB
  architecture-segment: RAN, Control Plane
  bluf: An adversary may geolocate a UE by modifying Non-Access Stratum (NAS) signaling.
  criticalassets:
  - Description: UE/Subscriber geographical location, coarse or fine-grained.
    Name: UE location
  description: " An adversary may geolocate a UE using modified Non-Access Stratum\
    \ (NAS) signaling. \r\n\r\nNAS is signaling that is exchanged for registration\
    \ and authentication between the UE and the Access and Mobility Function (AMF),\
    \ via the gNB as a pass-through. Adversary uses a fake gNB to intercept, modify\
    \ and/or replay NAS messages to probe for UE presence in a that cell, which leads\
    \ to coarse location. The victim UE tried to connect to a nearby gNB, and adversary\
    \ then lured UEs to connect to it (e.g., by increasing the transmit power of the\
    \ fake gNB). \r\n\r\n"
  detections:
  - detects: Operator standard means to detect presence of fake gNBs. gNB radio signals
      (sent to all UEs to enable them to select gNB and connect) are received and
      reported by UEs to the operator, who can then run cross checks with the signals
      that the UEs should have received if all gNBs nearby were legitimate. Clause
      6.24 of [2].
    fgdsid: FGDS5002
    name: UE signal measurements
  id: FGT5012.006
  mitigations: []
  name: NAS Exploit
  object-type: technique
  platforms: 5G Network
  preconditions:
  - Description: Adversary must install a fake gNB that it can control what messages
      it sends to UEs.
    Name: Control of fake gNB in the area where the victim UE may be located.
  - Description: Adversary must acquire a fake UE to achieve the NAS SMC attack.
    Name: Control of fake UE in the NAS SMC attack.
  procedureexamples:
  - Description: "Adversary eavesdrops one NAS message from the legitimate network\
      \ (the Auth_Req (R, AUTN), or the NAS Security Mode Command (SMC)), then replays\
      \ that NAS message whenever it wants to check whether the victim UE is nearby,\
      \ since the type of error (or response, in the case of SMC) received from the\
      \ responder indicates whether it's the victim UE or not. Thus, adversary can\
      \ probe for UE\u2019s presence in a that cell, which leads to coarse location\
      \ data. See [1]."
    Name: Replay of NAS message
  references:
  - "<a name=\"1\"> \\[1\\] </a> [X. Hu et.al. \u201CA Systematic Analysis Method\
    \ for 5G Non-Access Stratum Signalling Security\u201D, IEEE Access, August 2019.](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.809:\
    \ \u201CStudy on 5G security enhancements against False Base Stations (FBS)\u201D\
    , Technical Report, v0.18.0, February 2022.](https://www.3gpp.org/DynaReport/33809.htm\
    \ )"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5012
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- access-required: User/NPE/Administrative access
  architecture-segment: RAN, O-RAN
  bluf: An adversary may compromise a component of gNodeB to affect radio network
    configuration
  criticalassets:
  - Description: Configuration and data related to gNodeB
    Name: RAN Service Management and Orchestration
  - Description: RIC and Configuration and data related to gNodeB
    Name: ORAN RIC
  - Description: xApp and Configuration and data related to gNodeB, Realtime optimization
      data
    Name: xApps
  - Description: rApp and Configuration and data related to gNodeB, non-Realtime optimization
      data
    Name: rApps
  description: " An adversary may compromise a component of gNodeB to affect radio\
    \ network configuration.\r\n\r\nThe 3GPP standards assume that RAN functions are\
    \ securely deployed, properly implemented, and do not contain components with\
    \ malicious intent. If that assumption fails, malicious activity can take place.\r\
    \n \r\nThe gNB is the termination point for encryption and integrity protection,\
    \ if user plane traffic is sent in clear, it can potentially be exposed to an\
    \ adversary controlling the gNodeB. \r\n\r\nO-RAN Architecture puts network intelligence\
    \ and management capability in Service Management and Orchestration (SMO) framework,\
    \ with Near-Real-Time Radio Intelligent Controller (Near-RT RIC) and Non-Real-Time\
    \ RIC (Non-RT RIC) that can change the network behavior. It further allows xApps\
    \ and rApps with standard interfaces to agents (if configured) outside the controlled\
    \ network that can also read data and send configuration changes.  A compromise\
    \ of any of these components can potentially cause unintended changes to the network\
    \ and expose user information.\r\n\r\n\r\nUnauthorized access to and manipulation\
    \ of the gNB component can be carried out by a supply chain attack or as a result\
    \ of malicious updates using operator\u2019s management and deployment tools.\
    \ Adversaries may also gain access by physically connecting to the device through\
    \ an unsecured USB, serial, or COM port on the base station (or device hosting\
    \ virtual CU/DU/RU/RIC), or by remotely logging in using SSH or Telnet if strong\
    \ access control is not implemented.\r\n\r\nIn distributed deployment architectures,\
    \ APIs present additional threat vectors that can be exploited by attackers. In\
    \ shared RAN scenarios, the use of service configuration and management tools\
    \ by multiple parties may increase the risk vectors.\r\n\r\n\r\n3GPP does not\
    \ dictate deployment models, so it is possible that improper security hardening\
    \ and separation of networks between RAN VNF and Core VNF in the same Cloud or\
    \ MEC may further allow lateral movements of adversary if a gNodeB component is\
    \ compromised.\r\n\r\n\r\n"
  detections: []
  id: FGT5032
  mitigations: []
  name: gNodeB Component Manipulation
  object-type: technique
  platforms: O-RAN
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0002
  typecode: fight_technique
- access-required: User/NPE/Administrative access
  architecture-segment: RAN, O-RAN
  bluf: An adversary may compromise a RAN Intelligent Controller (RIC) to affect radio
    network configuration.
  criticalassets:
  - Description: Configuration and date related to gNodeB
    Name: RAN Service Management and Orchestration
  - Description: RIC and Configuration and data related to gNodeB
    Name: O-RAN RIC
  description: " \r\n\r\nAn adversary may compromise a RAN Intelligent Controller\
    \ (RIC) to affect radio network configuration.\r\nO-RAN architecture includes\
    \ the RAN Intelligence Controllers (RICs), which consists of the Non-Real-Time\
    \ RAN Intelligent Controller (Non-RT RIC) and the Near-Real-Time RAN Intelligent\
    \ Controller (Near-RT RIC), to optimize radio resource management of gNB components.\
    \ The Non-RT RIC is embedded in the Service and Management Orchestration function\
    \ (SMO) framework and hosts rApps to provide policy-based guidance, machine learning\
    \ model management and enrichment information to the Near-RT RIC function for\
    \ the purpose of RAN optimization. The Near-RT RIC is a logical function that\
    \ hosts xApps and enables near real-time control and optimization of the functions\
    \ and resources of gNB components O-CU-CP, O-CU-UP and O-DU, steered via the policies\
    \ and enrichment data provided from the Non-RT RIC.\r\nO-RAN RIC functions integrate\
    \ and interact with xApps and rApps, which can bring information and instructions\
    \ to the RIC from outside of the O-RAN architecture. A compromise of the RIC components\
    \ (by any means) can potentially lead to unauthorized changes in O-CU or O-DU\
    \ via E2 Interface.\r\n\r\n\r\n"
  detections: []
  id: FGT5032.001
  mitigations: []
  name: RAN Intelligent Controller (RIC)
  object-type: technique
  platforms: O-RAN
  references:
  - <a name="1"> \[1\] </a> [O-RAN.WG3.RICARCH-R003-v04.00](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="2"> \[2\] </a> [O-RAN.WG2.Non-RT-RIC-ARCH-R003-v03.00](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="3"> \[3\] </a> [O-RAN.WG2.Non-RT-RIC-ARCH-TR-v01.01](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="4"> \[4\] </a> [O-RAN.WG11.Threat-Model.O-R003-v06.00](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="5"> \[5\] </a> [Federal Office of information Security, Study 5G RAN
    Risk Analysis](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5)
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5032
  tactics:
  - TA0002
  typecode: fight_subtechnique
- access-required: Privileged Access
  architecture-segment: RAN, O-RAN
  bluf: 'An adversary may compromise an xApp to affect the radio network configuration. '
  criticalassets:
  - Description: "UE data includes UE\u2019s coarse location, temporary identifier\
      \ and correlation of UE temporary identifier to other service-related data e.g.,\
      \ DNN, NSSAI etc. See clause 6.2.1 of [2]."
    Name: ' UE data'
  - Description: Sensitive network data such as QoS policies of a slice
    Name: Sensitive network data
  - Description: Configuration data such as configuration regarding radio resource
      management (RRM), QoS, and spectrum allocation
    Name: RAN configuration data
  description: " \r\nAn adversary may compromise an xApp to affect the radio network\
    \ configuration.\r\n\r\nThe O-RAN architecture includes the RAN Intelligence Controllers\
    \ (RIC), which consists of the Non-Real-Time RAN Intelligent Controller (Non-RT\
    \ RIC) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC), to optimize\
    \ radio resource management of gNB components. The Non-RT RIC is embedded in the\
    \ Service Management and Orchestration (SMO) framework and hosts rApps to provide\
    \ policy-based guidance, machine learning model management and enrichment information\
    \ to the Near-RT RIC function for the purpose of RAN optimization. \r\n\r\nThe\
    \ Near-RT RIC is a logical function that hosts xApps and enables near-real-time\
    \ control and optimization of the functions and resources of gNB components [O-RAN\
    \ Central Unit-Control Plane (O-CU-CP), O-RAN Central Unit-User Plane (O-CU-UP)\
    \ and O-RAN Distributed Unit (O-DU)], steered via the policies and enrichment\
    \ data provided from the Non-RT RIC. \r\n\r\nThe O-RAN platform can perform both\
    \ non-real-time optimization and near-real-time optimization of O-RAN elements\
    \ through the Non-RT RIC and Near-RT RIC. Non-real-time optimization may be used\
    \ for higher-level optimization and is facilitated by the Non-RT RIC. Use cases\
    \ such as policy-based guidance and AI/ML are examples of those appropriate for\
    \ non real-time-optimization. Near-real-time optimization enables certain capabilities\
    \ and is facilitated by the Near-RT RIC. Use cases such as radio resource management\
    \ and Quality of Service (QoS) optimization are examples of those appropriate\
    \ for near-real-time optimization. \r\n\r\nxApps are applications designed to\
    \ run on the Near-RT RIC to provide the desired RAN functionality. xApps are independent\
    \ of the Near-RT RIC and may be provided by any third party. \r\n\r\nxApps on\
    \ the Near-RT RIC can collect near-real-time information from gNB components (O-CU-CP,\
    \ O-CU-UP and O-DU) and influence behavior of those components, thereby impacting\
    \ 5G base station performance and delivery of services to a group of UEs or a\
    \ single UE.\r\n\r\nxApps may be compromised during the delivery to the service\
    \ provider, either through the external supply chain from vendor to the service\
    \ provider or through the internal CI/CD pipeline. Malicious code may be inserted\
    \ in the xApp application package that could compromise the application. Adversary\
    \ may also obtain xApp credentials or compromise a 3rd party infrastructure the\
    \ application is hosted on.\r\n\r\nA compromise of an xApp (or through xApp Agent)\
    \ can potentially lead to unauthorized changes in O-CU or O-DU via E2 Interface.\r\
    \n\r\n"
  detections:
  - detects: Monitor xApp lifecycle management events from logs regarding onboarding,
      authentication/authorization of xApps to Near-RT RIC. Audit logs and telemetry
      data for unauthorized activity.
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor and alert on changes to xApp and cloud configuration files during
      runtime
    fgdsid: DS0022
    name: File
  - detects: Perform real-time audits and post-processing of logs. Detect which parts
      of the O-RAN are accessed by xApps.
    fgdsid: DS0025
    name: Cloud Service
  - detects: Verify xApp image hash
    fgdsid: FGDS5015
    name: Image verification
  id: FGT5032.002
  mitigations:
  - fgmid: M1033
    mitigates: Use only trusted supply chain, rigorous scanning of software images.
      Limit Software Installations especially from 3rd party sources.
    name: Limit Software Installation
  - fgmid: M1035
    mitigates: Limit access to xApp instance
    name: Limit Access to Resource Over Network
  - fgmid: M1043
    mitigates: Use capabilities to prevent successful credential access by adversaries
    name: Credential Access Protection
  - fgmid: M1045
    mitigates: Verify digital signature of xApp
    name: Code Signing
  - fgmid: M1025
    mitigates: Enforce least privilege access for cloud components
    name: Privileged Process Integrity
  name: xApp
  object-type: technique
  platforms: O-RAN
  postconditions:
  - Description: Adversary affects the radio network configuration, accesses configuration
      data, and perform other unauthorized activities
    Name: Affected Network Radio Configuration
  - Description: Adversary degrades network operation or in the worst case, causes
      network outage
    Name: Network operations impacted
  - Description: "UE and subscriber\u2019s sensitive data is revealed to the adversary"
    Name: Sensitive UE data exposed to adversary
  preconditions:
  - Description: Adversary has access to xApp (e.g., application package, credentials)
    Name: Adversary access to xApp
  procedureexamples:
  - Description: Adversary compromising external supply chain or internal CI/CD pipeline
      to implement backdoor into xApp
    Name: xApp access via backdoor
  - Description: Adversary obtains xApp credentials through various means and compromises
      the xApp
    Name: xApp access via stolen credentials
  - Description: Adversary may compromise the infrastructure the O-RAN platform is
      deployed on and gain access to xApp
    Name: xApp access via compromised 3rd party hosting infrastructure provider
  references:
  - <a name="1"> \[1\] </a> [O-RAN Security Threat Model 6.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="2"> \[2\] </a> [O-RAN WG3 Near-RT RIC Architecture 4.00 Version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="3"> \[3\] </a> [Federal Office of information Security, Study 5G RAN
    Risk Analysis](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5)
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5032
  tactics:
  - TA0002
  typecode: fight_subtechnique
- access-required: Privileged Access
  architecture-segment: RAN, O-RAN
  bluf: An adversary may compromise an rApp to affect the radio network configuration.
  criticalassets:
  - Description: "UE data includes UE\u2019s coarse location, temporary identifier\
      \ and correlation of UE temporary identifier to other service-related data e.g.,\
      \ DNN, NSSAI etc. See clause 6.2.1 of [2]."
    Name: ' UE data'
  - Description: Sensitive network data such as QoS policies of a slice
    Name: Sensitive network data
  - Description: Configuration data such as configuration regarding radio resource
      management (RRM), QoS, and spectrum allocation
    Name: RAN configuration data
  description: " \r\nAn adversary may compromise an rApp to affect the radio network\
    \ configuration.\r\n\r\nO-RAN architecture includes the RAN Intelligence Controllers\
    \ (RICs), which consists of the Non-Real-Time RAN Intelligent Controller (Non-RT\
    \ RIC) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC), to optimize\
    \ radio resource management of gNB components. The Non-RT RIC is embedded in the\
    \ Service Management and Orchestration (SMO) framework and hosts rApps to provide\
    \ policy-based guidance, machine learning model management and enrichment information\
    \ to the Near-RT RIC function for the purpose of RAN optimization. \r\n\r\nrApps\
    \ are applications that use the functionalities in the Non-RT RIC Framework to\
    \ provide value-added services related to RAN operation and optimization. \_rApps\
    \ are deployed on the Non-RT RIC. rApps can provide better efficiency and optimization\
    \ of the RAN and can access or produce various services and data, enabling achievements\
    \ of use case objectives.\r\n\r\nrApps may be compromised during the delivery\
    \ to the service provider, either through the external supply chain from vendor\
    \ to the service provider or through the internal CI/CD pipeline. Malicious code\
    \ may be inserted in the rApp application package that could compromise the application.\
    \ Adversary may also obtain rApp credentials or compromise a 3rd party infrastructure\
    \ the application is hosted on.\r\n\r\nA compromise of an rApp (or through rApp\
    \ Agent) can potentially lead to unauthorized changes in O-CU or O-DU via A1 interface.\r\
    \n\r\n"
  detections:
  - detects: Monitor rApp lifecycle management events from logs regarding onboarding,
      authentication/authorization of rApps. Audit logs and telemetry data for unauthorized
      activity.
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor and alert on changes to rApp and cloud configuration files during
      runtime
    fgdsid: DS0022
    name: File
  - detects: Perform real-time audits and post-processing of logs. Detect which parts
      of the O-RAN are accessed by rApps.
    fgdsid: DS0025
    name: Cloud Service
  - detects: Verify rApp image hash
    fgdsid: FGDS5015
    name: Image verification
  id: FGT5032.003
  mitigations:
  - fgmid: M1033
    mitigates: Use only trusted supply chain, rigorous scanning of software images.
      Limit Software Installations especially from 3rd party sources.
    name: Limit Software Installation
  - fgmid: M1035
    mitigates: Limit access to rApp instance
    name: Limit Access to Resource Over Network
  - fgmid: M1043
    mitigates: Use capabilities to prevent successful rApp credential access by adversaries.
    name: Credential Access Protection
  - fgmid: M1045
    mitigates: Verify digital signature of rApp
    name: Code Signing
  - fgmid: M1025
    mitigates: Enforce least privilege access for cloud components
    name: Privileged Process Integrity
  name: rApp
  object-type: technique
  platforms: O-RAN
  postconditions:
  - Description: Adversary affects the radio network configuration, accesses configuration
      data, and performs other unauthorized activities
    Name: Affected Network Radio Configuration
  - Description: Adversary degrades network operation or in the worst case, causes
      network outage
    Name: Network operations impacted
  - Description: "UE and subscriber\u2019s sensitive data are revealed to adversary"
    Name: Sensitive UE data exposed to adversary
  preconditions:
  - Description: Adversary has access to rApp (e.g., application package, credential)
    Name: Adversary access to rApp
  procedureexamples:
  - Description: Adversary compromising external supply chain or internal CI/CD pipeline
      to implement backdoor into rApp
    Name: rApp access via backdoor
  - Description: Adversary obtains rApp credentials through various means and compromises
      the rApp
    Name: rApp access via stolen credentials
  - Description: Adversary may compromise the infrastructure the O-RAN platform is
      deployed on and gain access to rApp
    Name: rApp access via compromised 3rd party hosting infrastructure provider
  references:
  - <a name="1"> \[1\] </a> [O-RAN WG11 Threat Model O-R003-v06.00](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="2"> \[2\] </a> [O-RAN WG2 Non-RT RIC Architecture 3.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="3"> \[3\] </a> [O-RAN WG2 Non-RT RIC Technical Report 1.01 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="4"> \[4\] </a> [Federal Office of information Security, Study 5G RAN
    Risk Analysis](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5)
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5032
  tactics:
  - TA0002
  typecode: fight_subtechnique
- access-required: N/A
  architecture-segment: Control Plane
  bluf: An adversary in control of an Application Function (AF) or a rogue Network
    Function (NF) can make an API call to obtain the Subscriber Permanent Identifier
    (SUPI) or other sensitive UE information.
  criticalassets:
  - Description: If SUPI is stolen, many other subsequent attacks are possible such
      as subscriber identity spoofing and location tracking.
    Name: UE permanent identity (SUPI)
  description: " An adversary in control of an Application Function (AF) or a rogue\
    \ Network Function (NF) can make an API call to obtain the Subscriber Permanent\
    \ Identifier (SUPI) or other sensitive UE information.\r\nBesides control of a\
    \ NF, the adversary needs knowledge of the UE\u2019s phone number or Generic Public\
    \ Subscription Identifier (GPSI), which are easier to discover compared to the\
    \ SUPI, which is a tightly held UE identifier. There is a legitimate API to the\
    \ operator\u2019s Network Exposure Function (NEF) to return a UE SUPI given a\
    \ UE GPSI.  \r\nAfter acquiring the SUPI, an adversary can use it in other follow-on\
    \ behaviors against that UE, such as obtain location information or slice subscription\
    \ data.\r\n"
  detections:
  - detects: "Logging of AF inquiries for UEs that they don\u2019t serve. Post process\
      \ the logs to detect fraudulent API calls by rogue AF or NF."
    fgdsid: DS0015
    name: Application Log
  id: FGT5019.003
  mitigations:
  - fgmid: FGM5019
    mitigates: NEF should check that UE in question is subscribed to services of the
      AF. This way, unauthorized access by external rogue AFs can be avoided.
    name: Authorize external API calls
  name: Obtain subscriber identifier via NF
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: If SUPI is obtained, many other subsequent attacks are possible such
      as subscriber identity spoofing and location tracking.
    Name: SUPI is available to the adversary
  preconditions:
  - Description: Adversary has knowledge of UE phone number/GPSI and has control over
      an AF or NEF or AMF.
    Name: UE phone number and control of AF/NF
  procedureexamples:
  - Description: "The NEF stores the UE data \u2013 including SUPI-- in UDR and responds\
      \ to API requests from various AFs. An adversary in control of an (external)\
      \ AF uses legitimate SBA API to retrieve subscriber identifier of victim UE\
      \ (SUPI) from their phone number. \n\nThe API that the AF calls is Nnef_ApplyPolicy_Create\
      \ API, it is sent to NEF with UE's GPSI/phone number. NEF retrieves the SUPI\
      \ from UDM by using Nudm_SDM_Get API. See clause 4.15.6.8 of [1].\n\nAlternatively,\
      \ Rogue NEF retrieves SUPI from GPSI/phone number using Nudm_SDM_Get API towards\
      \ the UDM, See clause 4.13.2.2 of [1]."
    Name: Retrieve UE SUPI via API
  - Description: "The AMF can obtain some sensitive information about a UE it serves\
      \ (or claims to serve). An example for roaming scenarios is that a rogue AMF\
      \ in visited PLMN retrieves UE\u2019s sensitive information from the home PLMN\
      \ by calling an API when UE roams from 5GS to EPC.\n\nAMF asks the SMF for UE\
      \ Session Management context, and thus can obtain the following sensitive information:\
      \ Permanent identifier (SUPI), the names of the slices the UE is subscribed\
      \ to (S-NSSAIs), the name of the data network the UE is connected to, and the\
      \ IP address of the UE. (The AMF API call to SMF is Nsmf_PDUSession_ContextRequest\
      \ API, see clause 4.11.1.2.1 & Table 5.2.8.2.10-1 of [1])\n\nThe same attack\
      \ can happen in non-roaming scenario by a compromised AMF."
    Name: "Retrieve UE\u2019s sensitive information via rogue NF"
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3rd Generation Partnership Project (3GPP) TS 23.502,\
    \ \u201CProcedures for the 5G System (5GS); Stage 2 (Release 17)\u201D, v17.4.0,\
    \ March 2022.](https://www.3gpp.org/DynaReport/23502.htm )"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5019
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- access-required: user
  addendums:
  - "#### Addendum Name: _DNS_Encapsulation_\r\n##### Architecture Segments: User\
    \ Plane, Control Plane\r\n  An adversary can piggyback user data within DNS requests,\
    \ so that the DNS server retrieves the user data for further processing. \r\n\r\
    \nDNS encapsulation involves adversaries transmitting data by encapsulating it\
    \ within hostname queries in the DNS lookup process. Specifically, the targeted\
    \ data is inserted into the names section of a DNS lookup request. The target\
    \ DNS server, operated by the adversary, records the query and extracts the encoded\
    \ information. This data is then reconstructed according to the intended sequence\
    \ derived from the named fields. This method allows for covert data movement,\
    \ exploiting the DNS protocol as a channel for unauthorized data transmission.\r\
    \n\r\n"
  architecture-segment: User Plane, Control Plane
  bluf: Adversaries may tunnel network communications to and from a victim system
    within a separate protocol to avoid detection/network filtering and/or enable
    access to otherwise unreachable systems.
  criticalassets:
  - Description: Whoever controls the DNS servers controls how and what end users
      connect to over the network, making DNS servers a type of critical infrastructure.
    Name: DNS Servers
  description: "Adversaries may tunnel network communications to and from a victim\
    \ system within a separate protocol to avoid detection/network filtering and/or\
    \ enable access to otherwise unreachable systems.\r\n[To read more, please see\
    \ the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1572)\r\
    \n"
  detections:
  - detects: 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.),
      that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable
      format (ex: PCAP)'
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1572
  mitigations:
  - fgmid: FGM5024
    mitigates: Use strong data integrity protection algorithms within 5G network such
      as airlink, backhaul and core network.
    name: Integrity protection of data communication
  - fgmid: M1031
    mitigates: "Network intrusion detection and prevention systems that use network\
      \ signatures to identify traffic for specific adversary malware can be used\
      \ to mitigate activity at the network level. Signatures are often for unique\
      \ indicators within protocols and may be based on the specific obfuscation technique\
      \ used by a particular adversary or tool and will likely be different across\
      \ various malware families and versions. Adversaries will likely change tool\
      \ command and control signatures over time or construct protocols in such a\
      \ way to avoid detection by common defensive tools.\_\nScan all external traffic\
      \ header fields to detect any suspicious protocol or port number use."
    name: Network Intrusion Prevention
  - fgmid: M1037
    mitigates: Filter network traffic to discard untrusted or known bad domains and
      resources.
    name: Filter Network Traffic
  name: Protocol Tunneling
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Attacker will be able to route traffic through DNS channels to connect
      to internet free of charge.
    Name: Billing Fraud
  - Description: Attacker can route command and control traffic through DNS to control
      botnets or other entities.
    Name: Command and Control Network
  - Description: Attacker has a route to exfiltrate stolen data disguised as DNS packets.
    Name: Exfiltration Route
  preconditions:
  - Description: There must not be an endpoint detection and response capability to
      validate whether host/network function/UE is communicating with a malicious
      DNS server or a valid one.
    Name: Unauthenticated DNS Services
  procedureexamples:
  - Description: Operators do not strictly enforce free DNS service via the standard
      five-tuple flow ID (src IP, dest IP, src port, dest port, protocol). Instead,
      they use only the destination port (or plus protocol ID), thus exposing a vulnerability.
      Adversary may setup fake DNS server to process the received data from victim
      network function/host/UE. [2]
    Name: Free DNS loophole
  references:
  - "<a name=\"1\"> \\[1\\] </a> [\u201CBhadhra Framework\u201D: S.P. Rao, S. Holtmanns,\
    \ T. Aura, \u201CThreat modeling framework for mobile communication systems\u201D\
    ](https://arxiv.org/pdf/2005.05110.pdf)"
  - '<a name="2"> \[2\] </a> [Peng, C., Li, C., Tu, G., Lu, S., & Zhang, L. (2012).
    Mobile data charging: new attacks and countermeasures. Proceedings of the 2012
    ACM conference on Computer and communications security.](https://dl.acm.org/doi/pdf/10.1145/2382196.2382220)'
  - "<a name=\"3\"> \\[3\\] </a> [Merve Sahin, Aurelien Francillon, Payas Gupta, and\
    \ Mustaque Ahamad. 2017. \n\u201CSok: Fraud in telephony networks\u201D. In 2017\
    \ IEEE European Symposium on Security\nand Privacy (EuroS&P). IEEE, p235\u2013\
    250](https://ieeexplore.ieee.org/document/7961983)"
  - "<a name=\"4\"> \\[4\\] </a> [Kui Xu, Patrick Butler, Sudip Saha, Danfeng (Daphni)\
    \ Yao in DNS CC Journal, \u201CDNS for Massive-Scale Command and Control\u201D\
    ](https://people.cs.vt.edu/~danfeng/papers/DNS-CC-JOURNAL.pdf)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0011
  - TA0010
  - TA0001
  typecode: attack_technique_addendum
- architecture-segment: RAN
  bluf: An adversary may purchase, rent, or download software to stand up a fake base
    station (gNB or gNB emulator) or WiFi access point in order to pave the way to
    other follow-on behaviors against UEs such as adversary in the middle, denial
    of service, data interception or manipulation.
  description: " An adversary may purchase, rent, or download software to stand up\
    \ a false base station (gNB or gNB emulator) or WiFi access point in order to\
    \ pave the way to other follow-on behaviors against UEs such as adversary in the\
    \ middle, denial of service, data interception or manipulation.\r\n\r\nDue to\
    \ the radio spectrum bands used in 5G, 5G cellular base stations are expected\
    \ to have smaller footprint and so are often smaller in size and mounted on street\
    \ poles and other vulnerable locations. Thus they can be compromised more easily.\
    \ A false cellular base station radio component can be mounted in a given favorable\
    \ location and be connected to a system of the adversary (instead of a regular\
    \ operator\u2019s network).  \r\n\r\n\r\n"
  detections:
  - detects: UE measurements of received power levels from all base stations nearby,
      and their identifiers. Clause 6.24 of [2].
    fgdsid: FGDS5002
    name: UE signal measurements
  id: FGT1583.501
  mitigations:
  - fgmid: M1056
    mitigates: This technique cannot be easily mitigated with preventive controls
      since it is based on behaviors performed outside of the scope of the mobile
      network operator.
    name: Pre-compromise
  name: False Base Station or Access Point
  object-type: technique
  platforms: 5G radio
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.809:\
    \ \u201CStudy on 5G security enhancements against False Base Stations (FBS)\u201D\
    , Technical Report, v0.18.0, February 2022.](https://www.3gpp.org/DynaReport/33809.htm\
    \ )"
  - "<a name=\"3\"> \\[3\\] </a> [Cablelabs article \u201CFalse Base Station or IMSI\
    \ Catcher: What You Need to Know\u201D](https://www.cablelabs.com/blog/false-base-station-or-imsi-catcher-what-you-need-to-know)"
  - <a name="4"> \[4\] </a> [Open source O-RAN 5G CU/DU solution from Software Radio
    Systems (SRS)](https://github.com/srsran/srsRAN_Project )
  - <a name="5"> \[5\] </a> [Open Air Interface project source code](https://gitlab.eurecom.fr/oai/openairinterface5g/)
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT1583
  tactics:
  - TA0042
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: RAN, User Plane, Control Plane
  bluf: An adversary may compromise a network device's integrity capability or configuration
    in order to exploit the non-integrity protected data communication
  criticalassets:
  - Description: Subscriber signaling and user plane data
    Name: Subscriber data
  description: " An adversary may compromise a network device\u2019s integrity capability\
    \ or configuration in order to exploit the non-integrity protected data communication.\r\
    \n\r\nIntegrity can be used to protect transmitted data traffic against unauthorized\
    \ changes. Algorithms for user data and signaling communication take a plaintext\
    \ or encrypted message and compute, using a symmetric secret key, a keyed MIC\
    \ (message integrity check) or MAC (Message Authentication Code).  A recipient\
    \ in possession of that symmetric integrity key can verify that the message was\
    \ not modified in transit. \r\n\r\nAn adversary may alter network signaling or\
    \ compromise an NF, proxy or gNB that controls the choice of integrity algorithm,\
    \ so as to enable the weak or no integrity algorithm, thus allowing for manipulation\
    \ or spoofing of user data or signaling (over the radio interface or within the\
    \ core network, e.g. Non-SBI, or SBI, or roaming interfaces). \r\n\r\n\r\n"
  detections:
  - detects: Data sent over the network or radio interface can be analyzed to check
      for the integrity algorithm.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5009
  mitigations:
  - fgmid: M1047
    mitigates: Monitor periodically if integrity protection algorithm is enabled
    name: Audit
  name: Weaken Integrity
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Subscriber data session does not get setup (DoS attack) or gets interrupted,
      spoofed or redirected during an active session.
    Name: Subscriber data session impact
  preconditions:
  - Description: Adversary gets hold of an end point such as gNB to manipulate signaling
    Name: Adversary controlling end point
  procedureexamples:
  - Description: An adversary may manipulate gNB signaling to enable NULL integrity
      over the radio interface (Uu)
    Name: Weaken integrity over radio interface
  - Description: An adversary may change network configuration so that IPSec is not
      enabled between gNB and UPF (N3) or between gNB and AMF (N2).
    Name: Weaken integrity within the RAN to core connections
  - Description: An adversary may change network configuration so that IPSec is not
      enabled between two gNBs (Xn).
    Name: Weaken integrity within RAN
  - Description: An adversary may disable TLS between two NFs or between one or more
      NFs and the Service Communication Proxy (SCP) if deployed by MNO.
    Name: Weaken integrity within SBI
  - Description: 'An adversary may disable or weaken integrity protection of the communications
      between SEPPs (N32 which uses JWS for example) or between visited PLMN UPF and
      home PLMN UPF (N9).


      An adversary may weaken integrity protection on N26 interface between MME and
      AMF.'
    Name: Weaken integrity on the roaming/interconnect
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks)"
  status: This is a theoretical behavior
  tactics:
  - TA0005
  typecode: fight_technique
- architecture-segment: RAN
  bluf: An adversary may alter or spoof network signaling so as to enable the NULL
    integrity algorithm thus allowing for manipulation of user data or signaling over
    the radio interface, for example to redirect traffic.
  criticalassets:
  - Description: UE signaling and subscriber (user plane) data integrity.
    Name: UE data
  description: " An adversary may alter or spoof network signaling so as to enable\
    \ the NULL integrity algorithm thus allowing for manipulation of user data or\
    \ signaling over the radio interface, for example to redirect traffic. \r\n\r\n\
    Several procedures and interfaces can be implemented incorrectly or misused by\
    \ an adversary in control over a gNB or NF and may result in a configuration that\
    \ calls for the NULL integrity algorithm to protect data sent over the radio interface.\
    \ The data sent is user signaling -- Non-Access Stratum (NAS) or Access Stratum\
    \ (AS) Control Plane (CP) -- or subscriber data -- AS User Plane (UP)). These\
    \ actions can be followed by another adversarial behavior whereby data and signaling\
    \ sent over the radio interface is manipulated or tampered with.  \r\n\r\n"
  detections:
  - detects: Check for unusual changes in gNB, SMF, AMF user profile, policy, and
      configuration data. Configuration audits by OSS/BSS to detect for example, user
      session redirects.
    fgdsid: DS0015
    name: Application Log
  - detects: 'Radio traffic content

      Inspect radio traffic and watch for unauthorized changes as the packets move
      through the interfaces.'
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5009.001
  mitigations:
  - fgmid: FGM5024
    mitigates: Ensure gNB implementation and SMF implementations are both checking
      the UE CP and UP security policy against the most trustworthy source and taking
      action to not enable NULL integrity except for emergency calls.
    name: Integrity protection of data communication
  - fgmid: FGM5006
    mitigates: UE should refuse to set up radio bearer and PDU session without integrity
      protection.
    name: Restrictive user profile
  - fgmid: M1018
    mitigates: Network element security safeguards for gNBs, AMFs and SMFs. Includes
      measures in clause 5.3.4 of [2] (e.g. software updates, OA&M access security,
      secure boot).
    name: User Account Management
  - fgmid: M1031
    mitigates: Implement network intrusion prevention methods.
    name: Network Intrusion Prevention
  - fgmid: M1043
    mitigates: Implement credential access protection methods.
    name: Credential Access Protection
  name: Radio Interface
  object-type: technique
  platforms: 5G Radio
  postconditions:
  - Description: "Control Plane (CP): All UE signaling data may be tampered with if\
      \ both NAS and AS CP (i.e., RRC) algorithms are weakened. \n\nUser Plane (UP):\
      \ Subscriber (user) data may be tampered with if AS UP algorithms are weakened.\n\
      \nAs a result, subscriber data session does not get setup (DoS attack) or gets\
      \ interrupted during an active session."
    Name: UE data not integrity protected on air interface
  preconditions:
  - Description: "A rogue gNB may be required to change the UE\u2019s CP & UP supported\
      \ algorithms to NULL. It\u2019s easier to achieve control over a gNB than over\
      \ the AMF or SMF itself. But then if the AMF and SMF are not rogue just not\
      \ configured to do these additional checks, then control over a rogue gNB is\
      \ sufficient.\nThis attack is possible with only control over the AMF, in which\
      \ case the algorithm for CP and UP protection may be changed to NULL."
    Name: Rogue or misconfigured AMF or SMF or gNB or MME
  procedureexamples:
  - Description: "Adversary (e.g. with fake gNB) intentionally configures NULL integrity\
      \ algorithm to have highest priority in gNB. These algorithms are sent to the\
      \ UE in the Access Stratum (AS) Security Mode Command (SMC). Normally the activation\
      \ of algorithms for the AS is done by the gNB based on that policy received\
      \ from the SMF, but a fake gNB can ignore the SMF. Clauses 6.7.3 & D.1 of [2].\n\
      \nAdversary with control over a legitimate gNB, and who currently serves the\
      \ UE, tells the SMF that the UE Control Plane (CP) and User Plane (UP) policy\
      \ is NULL integrity, and the (legit but not correctly implemented) SMF doesn\u2019\
      t check that against the locally configured UE CP & UP policy and lets the CP\
      \ and UP data use NULL integrity. Clause 6.6.1 of [2]."
    Name: Fake or misconfigured base station
  - Description: 'Adversary makes the unauthorized change in the SMF CP & UP local
      policy to enable NULL integrity for CP & UP traffic.

      Alternatively, adversary exploits an SMF that is not implemented to check (for
      every UE it serves) that the algorithm received from gNB- (which may be compromised
      or fake) matches the local policy. That local policy in turn should be checked
      that it is the same as the UE policy stored in the UDM. Any of these failures
      can result in the SMF enabling the CP and UP traffic over the radio interface
      to use NULL integrity.'
    Name: Rogue or misconfigured SMF
  - Description: "Adversary with control over AMF (or control over the configuration\
      \ of AMF) can affect UE procedures such as NAS Security Mode Command, such that\
      \ the UE's NAS data is not protected, i.e. prioritize NULL algorithm for either\
      \ NAS encryption or integrity. Clause K.2.3.3. of [1]. \n\nThis can be followed\
      \ by another attack behavior whereby data manipulation can be done over the\
      \ air interface for signaling data. Clauses 5.3.2, 5.3.3 & 5.5.1, 5.5.2 of [2]."
    Name: Rogue or misconfigured AMF non-roaming
  - Description: "Compromised source AMF sends incorrect UE context information to\
      \ legitimate target AMF during\nInitial registration & roaming or\nHandover\
      \ (N2 based)\n\nSource AMF sends null integrity algorithm information as part\
      \ of the \u201CUEContextTransfer\u201D (initial registration & roaming) or \u201C\
      CreateUEContext\u201D (N2 handover) service request messages. All UE data will\
      \ be sent without integrity protection after registration or handover is completed.\
      \ Clauses 4.2.2.2.2, 4.9.1.3.1 & 5.2.2.1 of [3] The element in the UE context\
      \ is the ueSecurityCapability which the rogue AMF sets to NULL only."
    Name: Rogue or misconfigured AMF during roaming/handover
  - Description: "Compromised source MME sends incorrect UE context information to\
      \ legitimate target AMF during EPS to 5GS handover and roaming with and without\
      \ N26 interface.\n\nSource AMF sends NULL integrity algorithm information as\
      \ part of the \u201CUEContextTransfer\u201D or \n\u201CRelocateUEContext\u201D\
      \ service request messages. All UE data will be sent without integrity protection\
      \  after roaming or handover is completed. Clauses 4.11.1.2.2.2, 4.11.1.3.3,\
      \ 4.11.2.3 & 5.2.2.1 of [3] The element in the UE context is the ueSecurityCapability\
      \ which the rogue AMF sets to NULL only."
    Name: Rogue or misconfigured MME during EPS roaming/handover
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR 33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes\u201D, v17.4.0,\
    \ June 2022](https://www.3gpp.org/DynaReport/33926.htm  )"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 33.501 \u201CSecurity architecture and procedures\
    \ for 5G System\u201D, v 17.6.0, June 2022](https://www.3gpp.org/DynaReport/33501.htm\
    \  )"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.502 \u201CProcedures for the 5G System\
    \ (5GS)\u201D, v17.5.0, June 2022](https://www.3gpp.org/DynaReport/23502.htm \
    \ )"
  status: This is a theoretical behavior
  subtechnique-of: FGT5009
  tactics:
  - TA0005
  typecode: fight_subtechnique
- access-required: N/A
  addendums:
  - "#### Addendum Name: Exploit Public-Facing Network Function\r\n##### Architecture\
    \ Segments: Control Plane, User Plane\r\n An adversary may exploit weaknesses\
    \ in Application Programming (API) interfaces on Network Functions (NF) that are\
    \ exposed to the public Internet, which exposes those functions to compromise\
    \ of the NF, or disclosure of information. \r\n\r\nSome 5G functions such as the\
    \ Network Exposure Function (NEF) have APIs that are public facing and are subject\
    \ to potential exploit by adversaries similarly to public facing websites and\
    \ services. The adversary could exploit a previously identified weakness in the\
    \ API to gain initial access to the operator\u2019s environment. The adversary\
    \ may also obtain credentials through other techniques that allow the adversary\
    \ to obtain unauthorized information from the exposed network function. See Exploit\
    \ Semi-public Facing Application [FGT5029](/techniques/FGT5029) for API exposure\
    \ to interworking networks.\r\n\r\nAn example of this is represented through access\
    \ control of application functions (AF) by NEF is done at the API level which\
    \ is not protected at a granular enough level, i.e., it is not done at Information\
    \ Element (IE) level. An adversary may use a 3rd party AF to make requests for\
    \ a service, e.g. location of a UE, beyond their authorization level since IE\u2019\
    s are not explicitly required to be checked. \r\n\r\n"
  architecture-segment: Control Plane, User Plane
  bluf: Adversaries may attempt to exploit a weakness in an Internet-facing host or
    system to initially access a network.
  criticalassets:
  - Description: The Network Exposure Function has the N33 interface exposed to an
      Application Function (AF) on the Internet (3rd party)
    Name: NEF
  description: "Adversaries may attempt to exploit a weakness in an Internet-facing\
    \ host or system to initially access a network.\r\n[To read more, please see the\
    \ MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1190)\r\
    \n"
  detections: []
  id: FGT1190
  mitigations:
  - fgmid: M1016
    mitigates: Vulnerability scanning of public APIs
    name: Vulnerability Scanning
  - fgmid: M1050
    mitigates: Use Web Application Firewall (WAF) to minimize potential exploit of
      vulnerabilities
    name: Exploit Protection
  name: Exploit Public-Facing Application
  object-type: technique
  platforms: 5G
  preconditions:
  - Description: Adversary may need to identify vulnerabilities in the API to obtain
      initial-access, unauthorized information, or perform a denial of service
    Name: API vulnerability
  - Description: Adversary may need to obtain credentials to collect unauthorized
      information
    Name: API credentials
  procedureexamples:
  - Description: Adversary uses an insecure API to take over the edge NF, then can
      use legitimate signaling to obtain sensitive UE or network data.
    Name: Sensitive data exposure
  - Description: Adversary may bypass standard AF API access control mechanism by
      using crafted IEs to access sensitive data such as location of a UE through
      NEF.
    Name: Exploit vulnerable API
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,  October 2021](https://arxiv.org/abs/2108.11206 )"
  - <a name="3"> \[3\] </a> [TOP 7 REST API Security Threats, blog January 2019](https://blog.restcase.com/top-7-rest-api-security-threats/
    )
  - "<a name=\"4\"> \\[4\\] </a> [3GPP TS 29.522: \u201CNetwork Exposure Function\
    \ Northbound APIs; Stage 3\u201D](https://www.3gpp.org/DynaReport/29522.htm)"
  - "<a name=\"5\"> \\[5\\] </a> [\u201CSystem architecture for the 5G System (5GS),\u201D\
    TS 23.501, 3GPP, Sec. 4.2.3](https://www.3gpp.org/DynaReport/23501.htm)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0040
  - TA0001
  - TA0009
  typecode: attack_technique_addendum
- access-required: N/A, N/A
  addendums:
  - "#### Addendum Name: Interworking Denial of Service\r\n##### Architecture Segments:\
    \ Control Plane, Roaming\r\n An adversary on a semi-public/roaming partner network\
    \ may exploit weaknesses in Application Programming (API) interfaces on Network\
    \ Functions (NF) that are exposed to the semi-public network, i.e. roaming partner\
    \ network, which can lead to denial of service of the exposed NF.\r\n\r\nSome\
    \ 5G functions such as the SEPP and UPF have API\u2019s that are exposed and accessible\
    \ to other providers over an interworking network that is not Internet accessible.\
    \ An adversary with a position on another organization, outside the targeted operator\u2019\
    s trust zone, could exploit a previously identified weakness in the target API\
    \ to cause the NF to crash resulting in denial of service. The adversary may also\
    \ potentially use volumetric techniques to degrade or deny service.\r\n\r\n"
  - "#### Addendum Name: Public Function Denial of Service\r\n##### Architecture Segments:\
    \ Control Plane, User Plane\r\n An adversary may exploit weaknesses in Application\
    \ Programming (API) interfaces on Network Functions (NF) that are exposed to the\
    \ public Internet, which exposes those functions to potential adversary denial\
    \ of service of the NF.\r\n\r\nSome 5G functions such as the Network Exposure\
    \ Function (NEF) have APIs that are public facing and are subject to potential\
    \ exploit by adversaries similarly to public facing websites and services. The\
    \ adversary could exploit a previously identified weakness in the API to cause\
    \ the NF to crash, resulting in denial of service. The adversary may also potentially\
    \ use volumetric techniques to degrade or deny service.\r\n\r\n"
  architecture-segment: Control Plane, User Plane
  bluf: Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade
    or block the availability of services to users.
  criticalassets:
  - Description: Security Edge Protection Proxy function which provides roaming interface
      for signaling traffic to roaming partner (MNO) networks
    Name: SEPP
  - Description: User Plane Function which provides roaming interface for user plane
      traffic to roaming partner (MNO) networks
    Name: UPF
  - Description: Access and Mobility Function which provides roaming interface for
      signaling traffic to 4G networks via N26 interface and mobility function to
      5G networks via N2 interface
    Name: AMF
  - Description: Network Exposure Function which provides API access to external (to
      the operator) Application Functions (AF)
    Name: NEF
  description: "Adversaries may perform Endpoint Denial of Service (DoS) attacks to\
    \ degrade or block the availability of services to users.\r\n[To read more, please\
    \ see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1499)\r\
    \n"
  detections:
  - detects: Monitor application logs for unusual requests or rate of requests
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor for unusual volumes or sources of requests to the service
    fgdsid: DS0029
    name: Network Traffic
  - detects: Monitor application logs for unusual requests or rate of requests
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor for unusual volumes or sources of requests to the service
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1499
  mitigations:
  - fgmid: M1016
    mitigates: Vulnerability scanning of public APIs
    name: Vulnerability Scanning
  - fgmid: M1037
    mitigates: Use of network based DDoS mitigation capabilities to filter traffic
      upstream
    name: Filter Network Traffic
  - fgmid: M1050
    mitigates: Use Web Application Firewall (WAF) to minimize potential exploit of
      vulnerabilities
    name: Exploit Protection
  - fgmid: M1016
    mitigates: Vulnerability scanning of public APIs
    name: Vulnerability Scanning
  - fgmid: M1037
    mitigates: Use of network based DDoS mitigation capabilities to filter traffic
      upstream
    name: Filter Network Traffic
  - fgmid: M1050
    mitigates: Use Web Application Firewall (WAF) to minimize potential exploit of
      vulnerabilities
    name: Exploit Protection
  name: Endpoint Denial of Service
  object-type: technique
  platforms: 5G, 5G
  preconditions:
  - Description: Adversary may need to identify vulnerabilities in the API to obtain
      initial-access, unauthorized information, or perform a denial of service
    Name: API vulnerability
  - Description: Adversary may need to obtain credentials to collect unauthorized
      information
    Name: API credentials
  - Description: Adversary may need to identify vulnerabilities in the API to obtain
      initial-access, unauthorized information, or perform a denial of service
    Name: API vulnerability
  - Description: Adversary may need to obtain credentials to collect unauthorized
      information
    Name: API credentials
  procedureexamples:
  - Description: Adversary uses a vulnerability to cause the NF to crash
    Name: Vulnerability Exploit
  - Description: Adversary uses one or more volumetric techniques to degrade or deny
      availability of the NF
    Name: Volumetric attack
  - Description: Adversary uses a vulnerability to cause the NF to crash
    Name: Vulnerability Exploit
  - Description: Adversary uses one or more volumetric techniques to degrade or deny
      availability of the NF
    Name: Volumetric attack
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,  October 2021](https://arxiv.org/abs/2108.11206 )"
  - <a name="3"> \[3\] </a> [TOP 7 REST API Security Threats, blog January 2019](https://blog.restcase.com/top-7-rest-api-security-threats/
    )
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,  October 2021](https://arxiv.org/abs/2108.11206 )"
  - <a name="3"> \[3\] </a> [TOP 7 REST API Security Threats, blog January 2019](https://blog.restcase.com/top-7-rest-api-security-threats/
    )
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0040
  typecode: attack_technique_addendum
- access-required: N/A, N/A
  addendums:
  - "#### Addendum Name: Silent paging tool\r\n##### Architecture Segments: RAN\r\n\
    \ An adversary may buy or steal a silent SMS tool in order to send SMSes to nearby\
    \ phones in a target area.\r\n\r\nA silent SMS is described in the specification\
    \ GSM 03.40 as a Short Message of type 0, which indicates that the UE must acknowledge\
    \ receipt of the short message but may discard its contents.\r\n\r\nA simple mobile\
    \ phone running a program to send silent SMSes is such an SMS tool. What is needed\
    \ is cellular connectivity, and the phone number of the victim. \r\n\r\n"
  - "#### Addendum Name: IMSI Catcher\r\n##### Architecture Segments: RAN\r\n An adversary\
    \ may buy or steal an International Mobile Subscriber Identity (IMSI) catcher\
    \ to capture IMSI data from nearby UEs in a target area.\r\n\r\nIMSI catchers\
    \ are very similar to fake base stations but may not have full capabilities of\
    \ the base station. IMSI Catcher terms has been traditionally associated with\
    \ UE identity discovery or location identification.  Adversary may buy an IMSI\
    \ Catcher from legitimate vendors selling products.\r\n\r\n"
  architecture-segment: RAN
  bluf: Adversaries may buy and/or steal capabilities that can be used during targeting.
  description: "Adversaries may buy and/or steal capabilities that can be used during\
    \ targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1588)\r\
    \n"
  detections: []
  id: FGT1588
  mitigations:
  - fgmid: M1056
    mitigates: This technique cannot be easily mitigated with preventive controls
      since it is based on behaviors performed outside of the scope of the mobile
      network operator.
    name: Pre-compromise
  name: Obtain Capabilities
  object-type: technique
  platforms: RAN, RAN
  references:
  - "<a name=\"1\"> \\[1\\] </a> [SMS Deliverer, \u201CPING/Silent SMS\u201D.](https://www.smsdeliverer.com/onlinehelp/interface/pingsms/)"
  - "<a name=\"2\"> \\[2\\] </a> [Information Security Newspaper, \u201CHow to hack\
    \ and track anybody\u2019s  phone location via silent SMS messages\u201D.](https://www.securitynewspaper.com/2023/06/20/how-to-hack-track-anybodys-phone-location-via-silent-sms-messages/)"
  - "<a name=\"1\"> \\[1\\] </a> [Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin\
    \ Mulazzani, and Edgar Weippl. \u201CIMSI-catch me if you can: IMSI-catcher-catchers\u201D\
    . Proceedings of the 30th annual computer security applications Conference, pages\
    \ 246\u2013255, 2014.](https://its-wiki.no/images/f/fb/Dabrowski_ISMI_Catch_me_Catchers.pdf)"
  - "<a name=\"2\"> \\[2\\] </a> [Ravishankar Borgaonkar, Altaf Shaik, \u201C5G IMSI\
    \ Catchers Mirage\u201D, Blackhat USA Conference 2021.](https://blackhat.com/us-21/briefings/schedule/#g-imsi-catchers-mirage-23538)"
  - "<a name=\"3\"> \\[3\\] </a> [\u201CHOW COPS CAN SECRETLY TRACK YOUR PHONE\u201D\
    , The Intercept, online article, July 31, 2021. Accessed 6/22/2022.](https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/)"
  - "<a name=\"4\"> \\[4\\] </a> [A Knight, Brier & Thorn, \u201CHacking GSM: Building\
    \ a Rogue Base Station to Hack Cellular Devices,\u201D Online Article.  Accessed\
    \ 6/22/2022.](https://www.brierandthorn.com/post/hacking-gsm-building-a-rogue-base-station-to-hack-cellular-devices)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0042
  typecode: attack_technique_addendum
- architecture-segment: UE
  bluf: An adversary can purchase, rent, or download software to acquire a programmable
    User Equipment (UE) device, in order to pave the way to other follow-on behaviors
    against the Radio-Access Network (ran) such as denial of service
  description: " An adversary can purchase, rent, or download software to acquire\
    \ a programmable User Equipment (UE) device, in order to pave the way to other\
    \ follow-on behaviors against the Radio-Access Network (RAN) such as denial of\
    \ service.\r\n\r\nFake UEs are used in many adversarial behaviors against the\
    \ mobile network. \r\n\r\n"
  detections: []
  id: FGT1583.502
  mitigations: []
  name: Programable UE devices
  object-type: technique
  platforms: 5G radio
  procedureexamples:
  - Description: "Adversary uses Software-Defined-Radio (SDR) running OAI-5G (\u201C\
      OpenAirInterface\u201D) modified software"
    Name: Fake UE build
  - Description: "In [1], it is mentioned that the adversary must \u201Cforge a malicious\
      \ UE\u201D, which is then used to replay messages form the malicious (adversary\
      \ controlled) gNB to the legitimate gNB"
    Name: Fake UE acquisition
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Hu, X. et al: \u201CA Systematic Analysis Method\
    \ for 5G Non-Access Stratum Signalling Security\u201D, August 2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [Ericsson: \u201CDetecting false base stations in\
    \ mobile networks\u201D](https://www.ericsson.com/en/blog/2018/6/detecting-false-base-stations-in-mobile-networks)"
  status: This is a theoretical behavior
  subtechnique-of: FGT1583
  tactics:
  - TA0042
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: RAN
  bluf: An adversary may obtain software to configure a fake base station (gNB or
    gNB emulator) or WiFi access point in order to enable other Radio Access Network
    (ran) follow-on behaviors against UEs such as adversary in the middle or denial
    of service.
  description: " An adversary may obtain software to configure a false base station\
    \ (gNB or gNB emulator) or WiFi access point in order to enable other Radio Access\
    \ Network (RAN) follow-on behaviors against UEs such as adversary in the middle\
    \ or denial of service.\r\n\r\nAn adversary enables the programmability of a false\
    \ base station, for example its broadcast configuration is adjustable so that\
    \ it can broadcast the local PLMN Identifier, a particular cell ID, etc. In addition,\
    \ the transmit power of the base station \r\nis adjustable so that it will be\
    \ higher than the legitimate base stations nearby, so as to succeed in luring\
    \ UEs to connect to it.\r\n\r\n\r\n"
  detections:
  - detects: UE measurements of received power levels from all base stations nearby,
      and their identifiers. Refer to clause 6.24 of [2].
    fgdsid: FGDS5002
    name: UE signal measurements
  id: FGT1608.501
  mitigations: []
  name: Configurability of Fake Base Station or Access Point
  object-type: technique
  platforms: 5G radio
  procedureexamples:
  - Description: 'Adversary obtains software capability such as: modified custom code,
      scripts, configuration parameters.'
    Name: Obtain capability for configuration of gNB, gNB emulator, or WiFi access
      point.
  - Description: Adversary installs an illegitimate complete gNB and configures the
      power so as to appear strongest to a given UE in a particular location, see
      [2].
    Name: Configure false gNB to appear strongest
  references:
  - "<a name=\"1\"> \\[1\\] </a> [European Union Agency for Cybersecurity (ENISA):\
    \ \u201CENISA Threat Landscape for 5G Networks\u201D Report, December 2020.](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [3rd Generation Partnership Project (3GPP) TR 33.809:\
    \ \u201CStudy on 5G security enhancements against False Base Stations (FBS)\u201D\
    , Technical Report, v0.18.0, February 2022.](https://www.3gpp.org/DynaReport/33809.htm\
    \ )"
  status: This is a theoretical behavior
  subtechnique-of: FGT1608
  tactics:
  - TA0042
  typecode: fight_subtechnique_to_attack_technique
- access-required: User/NPE/Administrative access
  architecture-segment: Network Slice
  bluf: 'Adversaries may exhaust common resources of a slice to cause denial of service
    (service degradation) to all other slices that use the same common resources.  '
  criticalassets:
  - Description: NFVI network and compute resources
    Name: NFVI
  - Description: 5G Core, RAN and Non-SBI functions, virtual resources supporting
      VNF
    Name: VNFs
  description: " Adversaries may exhaust common resources of a slice to cause denial\
    \ of service (service degradation) to all other slices that use the same common\
    \ resources. \r\n\r\n5G network slices may be built using same NFVI resources\
    \ or may be sharing a common Core or RAN function.  A network slice may have dedicated\
    \ AMF, SMF and UPF but NEF, NRF, UDM is usually shared for a deployment.  Adversary\u2019\
    s slice A may target a slice B by exhausting resources common to slice A and B\
    \ such as NEF.\r\n\r\nIt is possible for adversary\u2019s slice to oversubscribe\
    \ a resource (NF or NFVI Resource) to an extent where other slices cannot get\
    \ their messages and process executed in due time.  This result in UEs or some\
    \ network functions experiencing denial of service within target slices.     \r\
    \n\r\n\r\n"
  detections:
  - detects: Monitor systems performance and alert on quota exceptions on hosts, applications
      and networks
    fgdsid: DS0013
    name: Sensor Health
  - detects: Auditing logs for security, authentication and authorization activity,
      host access, hosts, virtualization orchestrator and managers can reveal behavioral
      anomalies
    fgdsid: FGDS5012
    name: SIEM
  - detects: Automated user and resource policy compliance checks and instrumentation
      to alert on violation attempts
    fgdsid: FGDS5023
    name: Audit policy violation
  id: FGT1498.502
  mitigations:
  - fgmid: FGM5005
    mitigates: Hardware, network, and point of presence can be separated to provide
      additional isolation
    name: Physical and environmental protection
  - fgmid: M1030
    mitigates: Implementing segmentation policy at granular level, network and compute
      resources can prevent some co-residency threats when mapped to SLAs, Users,
      and Resource policies.
    name: Network Segmentation
  - fgmid: FGM5518
    mitigates: Create and enforce resource policy; policy can include SLA, quotas,
      QOS etc.
    name: Resource Policy enforcement
  name: Shared slice common control network function resource exhaustion
  object-type: technique
  platforms: Slice, CSP
  references:
  - <a name="1"> \[1\] </a> [ETSI NFV SEC026 Isolation and trust domain specification,
    section 4.2.3, Accessed 6/27/2022](https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain)
  - <a name="2"> \[2\] </a> [GSMA Official Document NG.126 - Cloud Infrastructure
    Reference Model_NG.126-v1.0-2, Accessed 6/27/2022](https://www.gsma.com/newsroom/wp-content/uploads//NG.126-v1.0-2.pdf)
  - "<a name=\"3\"> \\[3\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,\_ October 2021](https://arxiv.org/abs/2108.11206)"
  - "<a name=\"4\"> \\[4\\] </a> [NGMN: \n5G Security Recommendation Package #2 Network\
    \ Slicing, Accessed 6/27/2022](https://www.ngmn.org/publications/5g-security-recommendations-package-2-network-slicing.html)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1498
  tactics:
  - TA0040
  typecode: fight_subtechnique_to_attack_technique
- access-required: N/A
  addendums:
  - "#### Addendum Name: DNS Queries\r\n##### Architecture Segments: Control Plane,\
    \ Roaming\r\n Adversaries may steal data by exfiltrating from an MNO by sending\
    \ it over allowed DNS queries to DNS servers outside the MNO. The data may be\
    \ sent to an alternate network location from that used for command and control.\r\
    \nAdversaries may opt to obfuscate this data within the constraints of DNS record\
    \ types. The adversary may also use custom or publicly available encoding/compression\
    \ algorithms (such as base64) as well as embedding data within protocol headers\
    \ and fields.\r\n\r\n"
  architecture-segment: Control Plane, Roaming
  bluf: Adversaries may steal data by exfiltrating it over an un-encrypted network
    protocol other than that of the existing command and control channel.
  criticalassets:
  - Description: The configuration of DNS Resolvers is important to ensure ability
      to monitor DNS queries for adversary behavior.
    Name: DNS Resolvers
  description: "Adversaries may steal data by exfiltrating it over an un-encrypted\
    \ network protocol other than that of the existing command and control channel.\r\
    \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1048/003)\r\
    \n"
  detections:
  - detects: Collect and analyze DNS lookup logs for unusual patterns and destinations
    fgdsid: DS0015
    name: Application Log
  - detects: Analyze network destinations for DNS traffic for unusual destinations
      and volumes.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1048.003
  mitigations:
  - fgmid: M1037
    mitigates: Filter public network lookups to limit exfiltration destinations. Potential
      use of protective DNS services.
    name: Filter Network Traffic
  name: Exfiltration Over Unencrypted Non-C2 Protocol
  object-type: technique
  platforms: NF, SEPP
  preconditions:
  - Description: "Operator environment must permit DNS queries either directly or\
      \ recursively for domains the operator doesn\u2019t directly control."
    Name: External DNS Resolution
  references:
  - "<a name=\"1\"> \\[1\\] </a> [\u201CBhadra framework\u201D: S.P. Rao, S. Holtmanns,\
    \ T. Aura, \u201CThreat modeling framework for mobile communication systems,\u201D\
    \ Retrieved April 28, 2022](https://arxiv.org/pdf/2005.05110.pdf)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1048
  tactics:
  - TA0010
  typecode: attack_subtechnique_addendum
- access-required: NF Service Account credentials
  addendums:
  - "#### Addendum Name: Control plane signaling exfiltration\r\n##### Architecture\
    \ Segments: Control Plane, Roaming\r\n An adversary may use Control Plane signaling\
    \ between operator-internal Network Functions and externally-facing NFs or proxies\
    \ to exfiltrate data to external endpoints.\r\n\r\nThe operator network uses edge\
    \ functions that communicate to external parties: The Network Exposure Function\
    \ (NEF) communicates with external Application Functions (AF), and the Security\
    \ Edge Protection Proxy (SEPP) communicates with nodes on the IP Interchange (roaming/interconnect\
    \ fabric). This channel can be used by an adversary to exfiltrate data originating\
    \ at a compromised NF inside the operator network and ending up at the external\
    \ node (AF, IPX node). For example, HTTP/2 optional parameters may be used to\
    \ communicate between a core NF and an external server via NEF or SEPP.\r\n\r\n"
  architecture-segment: Control Plane, Roaming
  bluf: Adversaries may steal data by exfiltrating it over a different protocol than
    that of the existing command and control channel.
  criticalassets:
  - Description: Sensitive information in subscriber signaling data
    Name: Subscriber signaling data
  - Description: Core NF identifiers (e.g. IP address, FQDN) such as AMF, SMF, UDM
      etc.
    Name: Operator resource identifiers
  description: "Adversaries may steal data by exfiltrating it over a different protocol\
    \ than that of the existing command and control channel.\r\n[To read more, please\
    \ see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1048)\r\
    \n"
  detections:
  - detects: Monitor and analyze traffic patterns and packet inspection over the SBI,
      especially to/from external functions.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1048
  mitigations:
  - fgmid: M1037
    mitigates: Filter and inspect network traffic coming out of SEPP and NEF
    name: Filter Network Traffic
  name: Exfiltration Over Alternative Protocol
  object-type: technique
  platforms: 5G Network
  procedureexamples:
  - Description: HTTP/2 optional parameters may be used to communicate between a core
      NF and an external server (AF, IPX node) via NEF or SEPP.
    Name: HTTP/2 optional parameters
  references:
  - "<a name=\"1\"> \\[1\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    , October 2021](https://arxiv.org/abs/2108.11206 )"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0010
  - TA0011
  typecode: attack_technique_addendum
- addendums:
  - "#### Addendum Name: Access to Cloud Infra or MEC\r\n##### Architecture Segments:\
    \ OA&M, MEC\r\n An adversary may purchase access to cloud infrastructure or Multi-access\
    \ Edge Computing (MEC) resources that will also be hosting the operator\u2019\
    s infrastructure.\r\n\r\nMobile Network Operators are looking to commercial cloud\
    \ and MEC providers to deploy 5G Core and RAN functions. Similar resources may\
    \ also be utilized to offer compute services for time sensitive enterprise/user\
    \ applications. Adversaries may attempt to target victims by creating co-residency\
    \ in cloud or MEC resources for bridging network, or lateral movements by using\
    \ software and configuration vulnerabilities. These are sometimes referred to\
    \ as colocation attacks.\r\n\r\n\r\n"
  architecture-segment: OA&M, MEC
  bluf: Adversaries may buy, lease, or rent infrastructure that can be used during
    targeting.
  description: "Adversaries may buy, lease, or rent infrastructure that can be used\
    \ during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this\
    \ technique](https://attack.mitre.org/techniques/T1583)\r\n"
  detections: []
  id: FGT1583
  mitigations:
  - fgmid: FGM5504
    mitigates: Cloud compute, cloud storage and any serverless activity should be
      isolated from other tenants
    name: Resource Isolation in virtualization environment
  - fgmid: FGM5505
    mitigates: Hardware mediated execution environment
    name: Hardware mediated  execution environment
  - fgmid: M1030
    mitigates: Network isolation. Deployment architecture should consider physical
      and virtual isolation from other tenants
    name: Network Segmentation
  - fgmid: M1041
    mitigates: Any traffic going from a security zone to another security zone must
      be protected with encryption. Key based user and resource authentication and
      authorization should be used
    name: Encrypt Sensitive Information
  name: Acquire Infrastructure
  object-type: technique
  platforms: 5G Network
  procedureexamples:
  - Description: "[2] is a university research showing how an attacker can locate\
      \ an entity\u2019s systems in the cloud and work to instantiate profiling and\
      \ other malicious hosts on the same physical platform."
    Name: Locate cloud resources of target
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S. Sahoo, S. K. Mishra, B. Sahoo & A. K. Turuk,\
    \ \u201CCo-resident Attack in Cloud Computing: An Overview\u201D, Encyclopedia\
    \ of Big Data Technologies, March 2018](https://link.springer.com/content/pdf/10.1007%2F978-3-319-63962-8_322-1.pdf\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [T. Ristenpart, E. Tromer, H. Shacham, S. Savage,\
    \ \u201CHey, you, get off of my cloud: exploring information leakage in third-party\
    \ compute clouds\u201D, In CCS '09: Proceedings of the 16th ACM conference on\
    \ Computer and communications security, November 2009 Pages 199\u2013212](https://dl.acm.org/doi/10.1145/1653662.1653687\
    \ )"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0042
  typecode: attack_technique_addendum
- access-required: N/A
  architecture-segment: User Plane, Control Plane, Roaming
  bluf: An adversary may change the configuration of network nodes so as to disable
    or weaken integrity protection on the network interfaces Non-SBI, SBI and Roaming,
    thus allowing for transmitted data manipulation.
  criticalassets:
  - Description: Any of the subscriber data sourced or destined to the UE
    Name: UE data
  - Description: Any of the signaling traffic between UE and network
    Name: UE signaling
  - Description: Any of the signaling traffic between 5G core NFs, between 5G core
      and RAN, within RAN and between 5G and 4G core networks.
    Name: Network signaling
  description: " An adversary may change the configuration of network nodes so as\
    \ to disable or weaken integrity protection on the network interfaces Non-SBI,\
    \ SBI and Roaming, thus allowing for transmitted data manipulation.\r\n\r\nThe\
    \ following network interfaces are in the scope of this document.\r\n\r\n1. \u201C\
    Non-SBI\u201D (non-Service Based Interface) network interfaces are within 5G core\
    \ (e.g. N4) and RAN (e.g. Xn, F1, E1), and between the RAN and the 5G Core (e.g.\
    \ N2, N3). \r\n\r\n2. SBI network interfaces are between core NFs within an operator\
    \ network; they use REST APIs.\r\n\r\n3. Roaming and interconnect interfaces,\
    \ including IPX, are between network operators (between SEPPs (N32), or other\
    \ interworking functions like AMF/MME (N26) and between the UPFs owned by different\
    \ network operators (N9)).\r\n\r\nAn adversary with control over gNB or AMF or\
    \ UPF or SMF may disable IPSec on non-SBI interfaces (Xn, F1, E1, N2, N3, N4).\
    \ IPSec is expected to be used to protect all non-SBI links, however, unlike radio\
    \ communications, operator RAN to core communications do not mandate integrity\
    \ protection.\r\n\r\nAn adversary with access to the SBI links, for example, with\
    \ control over one or more core network NFs or a middlebox (including the Service\
    \ Communication Proxy (SCP) if deployed), may disable use of TLS or use older\
    \ TLS version such as v1.1. TLS is expected (by 3GPP standards) to be used to\
    \ protect all SBI links within the operator core network. \r\n\r\nAn adversary\
    \ with control over roaming nodes or interfaces - namely SEPP or IPX network --\
    \ may disable or cause to use a weak integrity algorithm for TLS or JWS signatures\
    \ on the N32 interface. An adversary with control over visited network UPF may\
    \ disable IPSec on N9 interface or a compromised MME or AMF may disable IPSec\
    \ on N26 interface. \r\n\r\n"
  detections:
  - detects: 'Check configuration changes in gNB, NFs, SEPP and MME.

      Run configuration audits by OSS/BSS.'
    fgdsid: DS0015
    name: Application Log
  - detects: Inspect network traffic and watch for unauthorized changes as the packets
      move through the interfaces.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5009.002
  mitigations:
  - fgmid: FGM5024
    mitigates: Use strong integrity protection on all non-SBI, SBI and roaming/interconnect
      interfaces. That is, TLS should be used in all SBI, N32-c and N32-f and PRINS
      in N32-f when TLS is not used.
    name: Integrity protection of data communication
  - fgmid: M1018
    mitigates: Network element security safeguards for gNB and all core NFs
    name: User Account Management
  - fgmid: M1031
    mitigates: Implement network intrusion prevention methods
    name: Network Intrusion Prevention
  - fgmid: M1043
    mitigates: Implement credential access protection methods
    name: Credential Access Protection
  - fgmid: M1046
    mitigates: Network element security safeguards for gNB and all core NFs
    name: Boot Integrity
  - fgmid: M1051
    mitigates: Network element security safeguards for gNB and all core NFs
    name: Update Software
  name: Network Interfaces
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: UE signaling with network and user plane data may be impacted. This
      can be used to cause DoS attack.
    Name: UE at risk of data manipulation
  - Description: Network communication within core network or on the non-SBI interfaces
      or on roaming interface may be impacted.
    Name: Network signaling at risk of data manipulation
  preconditions:
  - Description: Adversary must have access to the network components to cause the
      attacks
    Name: Rogue or misconfigured AMF or SMF or gNB or UPF or SEPP or MME or any other
      core NF
  procedureexamples:
  - Description: A rogue or misconfigured gNB can disable IPSec integrity or use a
      weak IPSec integrity algorithm on N2, N3, F1, E1 and Xn interfaces. Then it
      can launch other attacks. Clause D.2.2 of [1].
    Name: Compromised or misconfigured gNB
  - Description: A rogue or misconfigured AMF can disable integrity protection or
      use a weak integrity algorithm on N2 and N26 interfaces. Then it can launch
      other attacks. Clause K.2.1 of [1], clause 5.5.2 of [2].
    Name: Compromised or misconfigured AMF
  - Description: A rogue or misconfigured UPF can disable IPSec integrity or use a
      weak IPSec integrity algorithm on N3, N4 and N9 interfaces. Then it can launch
      other attacks. Clause L.2.1 of [1], clauses 9.3 & 9.9 of [2].
    Name: Compromised or misconfigured UPF
  - Description: A rogue or misconfigured SMF can disable IPSec integrity or use a
      weak IPSec integrity algorithm on N4 interface. Then it can launch other attacks.
      Clause 9.9 of [2].
    Name: Compromised or misconfigured SMF
  - Description: 'A rogue or misconfigured NF can disable the TLS integrity or use
      a weak TLS integrity algorithm to another NF including the SCP (if deployed).
      Then it can launch other attacks to gain unauthorized access to network services.
      Clause 13.1 of [2].


      If SCP is rogue or misconfigured, it can force TLS connections to all NFs to
      be unencrypted or use weak integrity for all. Clause 5.9.2.4 of [2].'
    Name: Compromised or misconfigured NF
  - Description: 'A rogue or misconfigured SEPP can disable TLS integrity or use a
      weak TLS integrity algorithm on N32-c interface or N32-f interface or both.


      A rogue or misconfigured IPX component can disable JWS integrity or use a weak
      integrity algorithm when PRINS is used on N32-f. Then it can launch other attacks.
      Clauses 9.9, 13.1 and 13.2 of [2].'
    Name: Compromised or misconfigured SEPP or IPX component
  - Description: A rogue or misconfigured AMF/MME can disable IPSec integrity or use
      a weak IPSec integrity algorithm on N26 interface. Then it can launch other
      attacks. Clause K.2.1 of [1], 8.4 of [2].
    Name: Compromised or misconfigured MME/AMF
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes.\u201D](https://www.3gpp.org/DynaReport/33926.htm)"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS33.501 \u201CSecurity architecture and procedures\
    \ for 5G System.\u201D](https://www.3gpp.org/DynaReport/33501.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT5009
  tactics:
  - TA0005
  typecode: fight_subtechnique
- access-required: None
  architecture-segment: Control Plane, User Plane
  bluf: An adversary may alter network signaling so as to use weakened or no encryption
    algorithm on the Non-SBI (Service Based Interface), SBI and Roaming interfaces,
    thus allowing for eavesdropping of user data or signaling.
  criticalassets:
  - Description: Any of the subscriber data sourced or destined to the UE
    Name: UE data
  - Description: Any of the signaling traffic between UE and network
    Name: UE signaling
  description: " An adversary may alter network signaling so as to use weakened or\
    \ no encryption algorithm on the Non-SBI (Service Based Interface), SBI and Roaming\
    \ interfaces, thus allowing for eavesdropping of user data or signaling. \r\n\r\
    \nThe following Network interfaces are in the scope of this document.\r\n\r\n\
    1. \u201CNon-SBI\u201D network interfaces are within 5G core network and the Radio\
    \ Access Network (RAN), and between the RAN and the 5G Core (e.g. N2, N3, N4,\
    \ Xn). \r\n\r\n2. SBI network interfaces are between core Network Functions (NFs)\
    \ within an operator network; they use REST APIs.\r\n\r\n3. Roaming and interconnect\
    \ interfaces, including IPX, are between network operators (between Security Edge\
    \ Protection Proxies (SEPPs) (N32), or other interworking functions like Access\
    \ and Mobility Management (AMF/MME) (N26) and between User Plane Functions (UPFs)\
    \ owned by different network operators (N9)).\r\n\r\nAn adversary with control\
    \ over gNB, AMF, UPF or SMF may disable IPSec on non-SBI interfaces (Xn, N2, N3,\
    \ N4). IPSec is expected to be used to protect all non-SBI links, however, unlike\
    \ radio communications, operator RAN to core communications are not mandated to\
    \ actually run encryption protection. \r\n\r\nAn adversary with access to the\
    \ SBI links, with control over one or more core network functions (NFs) or a middlebox\
    \ (including the Service Communication Proxy (SCP) if deployed), may disable use\
    \ of TLS or use older TLS version such as v1.1. TLS is required by 3GPP standards\
    \ to be used to protect all SBI links within the operator core network. \r\n\r\
    \nAn adversary with control over roaming nodes or interfaces- namely SEPP or IPX\
    \ network-- may disable or cause to use a weak encryption algorithm for TLS or\
    \ JWE encryption on the N32 interface. An adversary with control over visited\
    \ network UPF may disable IPSec on the N9 interface or a compromised MME or AMF\
    \ may disable IPSec on N26 interface.\r\n\r\n"
  detections:
  - detects: Check configuration changes in gNB and all core NFs; Configuration audits
      by OSS/BSS.
    fgdsid: DS0015
    name: Application Log
  - detects: Inspect network traffic and watch for unauthorized changes
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1600.502
  mitigations:
  - fgmid: M1018
    mitigates: Network element security safeguards for gNB and all core NFs
    name: User Account Management
  - fgmid: M1031
    mitigates: Implement network intrusion prevention methods
    name: Network Intrusion Prevention
  - fgmid: M1041
    mitigates: Ensure strong encryption is used in all non-SBI, SBI and roaming/interconnect
      interfaces. That is, TLS (not version 1.1) should be used in all SBI, N32-c
      and N32-f ; in addition, PRINS should be used on N32-f when TLS is not used.
    name: Encrypt Sensitive Information
  - fgmid: M1043
    mitigates: Implement credential access protection methods
    name: Credential Access Protection
  - fgmid: M1046
    mitigates: Network element security safeguards for gNB and all core NFs
    name: Boot Integrity
  - fgmid: M1051
    mitigates: Network element security safeguards for gNB and all core NFs
    name: Update Software
  name: Network Interfaces
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: "Control Plane: All UE signaling data may be revealed if IPSec and\
      \ TLS are disabled.\n\nUser Plane: Subscriber (user plane) data may be revealed\
      \ if IPSec is disabled. \n\nUE CP & UP data can be sniffed, see FGT1040 \u2013\
      \ Network Sniffing"
    Name: UE data unprotected on network interfaces
  preconditions:
  - Description: Adversary must have access to the network components to cause the
      attacks
    Name: Rogue or misconfigured AMF/MME, SMF, gNB or UPF, or SEPP or any other core
      NF
  procedureexamples:
  - Description: A rogue or misconfigured gNB can disable IPSec encryption or use
      a weak IPSec encryption algorithm on backhaul interfaces such as N2, N3 and
      Xn. This can be used to launch other attacks. Clause D.2.2 of [1], clause 5.3.2
      of [2].
    Name: Compromised or misconfigured gNB
  - Description: A rogue or misconfigured AMF can disable IPSec encryption or use
      a weak IPSec encryption algorithm on N2 and N26 interfaces. This can be used
      to launch other attacks. Clause K.2.1 of [1], clause 5.5.1 of [2].
    Name: Compromised or misconfigured AMF
  - Description: A rogue or misconfigured UPF can disable IPSec encryption or use
      a weak IPSec encryption algorithm on N3, N4 and N9 interfaces. This can be used
      to launch other attacks. Clause L.2.1 of [1], clauses 9.3 and 9.9 of [2].
    Name: Compromised or misconfigured UPF
  - Description: A rogue or misconfigured SMF can disable IPSec encryption or use
      a weak IPSec encryption algorithm on N4 interface. This can be used to launch
      other attacks. Clause 9.9 of [2]
    Name: Compromised or misconfigured SMF
  - Description: 'A rogue or misconfigured NF can disable the TLS encryption or use
      a weak TLS encryption algorithm to another NF including the SCP. Then it can
      launch other attacks to gain unauthorized access to network services. Clause
      13.1 of [2]


      If SCP is rogue or misconfigured, it can force TLS connections to all NFs to
      be unencrypted or use weak encryptions for all. Clause 5.9.2.4 of [2].'
    Name: Compromised or misconfigured NF
  - Description: 'A rogue or misconfigured SEPP can disable TLS encryption or use
      a weak TLS encryption algorithm on N32-c interface or N32-f interface or both.


      A rogue or misconfigured SEPP can disable JWE encryption or use a weak encryption
      algorithm when the PRINS algorithm is used on N32-f. Then it can launch other
      attacks. Clauses 9.9, 13.1 and 13.2 of [2].'
    Name: Compromised or misconfigured SEPP or IPX component
  - Description: A rogue or misconfigured AMF/MME can disable IPSec encryption or
      use a weak IPSec encryption algorithm on N26 interface. Then it can launch other
      attacks. Clause K.2.1 of [1], 8.4 of [2].
    Name: Compromised or misconfigured MME/AMF
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TR 33.926 \u201CSecurity Assurance Specification\
    \ (SCAS) threats and critical assets in 3GPP network product classes\u201D.](https://www.3gpp.org/DynaReport/33926.htm\
    \  )"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 33.501 \u201CSecurity architecture and procedures\
    \ for 5G System\u201D.](https://www.3gpp.org/DynaReport/33501.htm  )"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1600
  tactics:
  - TA0005
  typecode: fight_subtechnique_to_attack_technique
- access-required: N/A
  architecture-segment: RAN, Virtualization, OA&M
  bluf: Adversaries may manipulate service or service delivery mechanisms prior to
    or while used by a mobile network operator (MNO) for the purpose of data or system
    compromise.
  criticalassets:
  - Description: Network Exposure Function is a likely target for adversaries in a
      MEC environment.
    Name: NEF
  - Description: Distributed deployment models may require third party transport service
    Name: Transport network
  - Description: Distributed deployment models may require third party MEC service
    Name: MEC
  - Description: RAN as a Service or Shared RAN
    Name: RAN
  - Description: Mobile Virtual Network Operators may complete rely on third party
      provided services for their subscriber
    Name: MVNO Core and RAN infrastructure
  description: " Adversaries may manipulate service or service delivery mechanisms\
    \ prior to or while used by a mobile network operator (MNO) for the purpose of\
    \ data or system compromise.\r\n\r\nThe adversary may use the compromised service\
    \ as a means to apply additional techniques against interfaces exposed to the\
    \ service provider such as the NEF. When the service provider hosts or provides\
    \ core network functions, the adversary may attempt to compromise the 5G core\
    \ components in the service provider environment, e.g. MEC hosted NFs (clause\
    \ 5.13 of [1]), or through the service provider environment, attempt compromise\
    \ of other core NFs not hosted in the MEC. \r\n\r\nWhen service providers are\
    \ used for providing service to customers, the adversary may be in a position\
    \ to compromise information about the subscriber. \r\n\r\nThe adversary, as an\
    \ example, may also compromise software and/or hardware used by the service provider,\
    \ such as opensource, as a technique to gain initial access or achieve other tactics\
    \ within the service provider to provide a position for initial access to the\
    \ MNO\u2019s network. Open source software may be an attractive target for supply\
    \ chain attacks, as detection, reporting, and patch availability timelines can\
    \ provide a greater window of opportunity for vulnerabilities to be exploited.\r\
    \n\r\n\r\n"
  detections: []
  id: FGT1195.502
  mitigations:
  - fgmid: M0817
    mitigates: 5G Operators should evaluate suppliers of services for their technical
      and administrative controls to ensure that it meets minimum standards for assured
      services. These evaluations may include SW, HD supply chain, personnel and process
      used for service creation.
    name: Supply chain management
  - fgmid: FGM5519
    mitigates: 5G operators should integrate performance and change management from
      their suppliers into their own OA&M tools to have complete visibility into service
    name: Integrate Performance and Change Management
  name: Compromise Service Supply Chain
  object-type: technique
  platforms: 5G
  procedureexamples:
  - Description: Hardware used in service may be compromised in its build and delivery
      supply chain
    Name: HW supply chain
  - Description: Software used in service may be compromised in its build and delivery
      supply chain
    Name: SW supply chain
  - Description: OA&M tools in service has greater access to network elements, compromise
      of such tools provide adversary access to network providing the service
    Name: OA&M tools
  - Description: Service provider management may have nefarious intent for data collection
      or providing assistance to other nefarious actors
    Name: Malicious Service provider
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TS 23.501 \u201CSystem architecture for the\
    \ 5G System (5GS); Stage 2 (Release 17)\u201D]( https://www.3gpp.org/DynaReport/23501.htm)"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 23.558: \u201C\nArchitecture for enabling\
    \ Edge Applications\u201D](https://www.3gpp.org/DynaReport/23558.htm)"
  - "<a name=\"3\"> \\[3\\] </a> [3GPP TS 23.548: \u201C5G System Enhancements for\
    \ Edge Computing; Stage 2\u201D](https://www.3gpp.org/DynaReport/23548.htm)"
  - "<a name=\"4\"> \\[4\\] </a> [ETSI, White Paper No. 28, \u201CMEC in 5G networks\u201D\
    ](https://www.etsi.org/images/files/ETSIWhitePapers/etsi_wp28_mec_in_5G_FINAL.pdf)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1195
  tactics:
  - TA0001
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: RAN
  bluf: An adversary may intercept unencrypted radio transmissions of a UE's SUCI
    to identify the IMSI/SUPI of the UE.
  criticalassets:
  - Description: "UE\u2019s identity is obtained for subsequent attacks."
    Name: UE privacy
  description: " An adversary may intercept unencrypted radio transmissions of a UE\u2019\
    s SUCI to identify the IMSI/SUPI of the UE. \r\n\r\nAdversary can retrieve the\
    \ IMSI/SUPI of UE if SUCI is sent unencrypted over the air. The adversary can\
    \ launch other attacks on the subscriber with the IMSI/SUPI. \r\n\r\nWhen 5G UE\
    \ is connected to 4G base station (eNB) in non-stand alone (NSA) mode, adversary\
    \ uses an airlink signal analyzer to retrieve UE's permanent identity (IMSI/SUPI).\
    \ All threats present in 4G network including IMSI/SUPI catching can materialize\
    \ when UE is connected to network via 4G eNB.\r\n\r\nBackground information: The\
    \ UE\u2019s permanent identity, SUPI (SUbscriber Permanent Identifier), includes\
    \ a home network identifier and a user-specific identifier, and is never sent\
    \ unencrypted over the radio interface. Instead, a SUCI (SUbscriber Concealed\
    \ Identifier) is sent when the UE goes through initial registration to the serving\
    \ network procedures; this de-concealment operation can only be done by the UE\u2019\
    s home network. However, SUCI can be sent unencrypted over the air by UE in any\
    \ of the following scenarios: \r\n\r\n1. When UE makes an emergency call and it\
    \ does not have a 5G-GUTI\r\n  \r\n2. If the home PLMN has configured \"NULL\u201D\
    \ SUCI-protection algorithm to be used\r\n\r\n3. If the home PLMN has not provisioned\
    \ the public key needed to generate a SUCI \r\nRefer clause 6.12.2 of [1].\r\n\
    \r\nNSA mode uses 4G core, and it uses two types of base stations: 4G & 5G for\
    \ network access. Depending on the coverage area and network load, MNO chooses\
    \ whether to connect the UE to the 5G base station (gNB) or to 4G base station\
    \ (eNB). eNB typically covers a much larger area than gNB.\r\n\r\n"
  detections:
  - detects: 'Monitor gNB and core network logs when:



      Null scheme is used for SUCI protection



      Home PLMN does not configure public key for SUCI protection'
    fgdsid: FGDS5017
    name: Monitor null scheme usage
  - detects: Monitor Provisioning logs for changes in Home network public key configuration,
      PLMN ID etc.
    fgdsid: FGDS5018
    name: Monitor provisioning logs
  - detects: 'Monitor Operations logs for:



      UE makes an emergency call



      In NSA mode, when 5G UE is ordered to connect to network via eNB'
    fgdsid: FGDS5019
    name: Monitor operations logs
  id: FGT5019.004
  mitigations:
  - fgmid: M1041
    mitigates: Always configure home PLMN public key in the UE. Do not use NULL scheme
      for SUCI encryption both in network configuration and in UE configuration.
    name: Encrypt Sensitive Information
  - fgmid: FGM5514
    mitigates: Minimize the number of connections to eNB when using NSA mode, use
      eNB only when 5G coverage is not available or 5G network is overloaded.
    name: Minmize eNB connections
  name: Intercept unencrypted SUPI
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: When UE identity is obtained, it allows attacker to launch other
      attacks such as geolocation tracking, degradation of service, loss of traffic
      confidentiality, or physical attack.
    Name: Target association
  preconditions:
  - Description: Adversary requires sufficient signal to capture and decode all airlink
      messages (with low interference and high SNR).
    Name: Ability to receive SUCI over the air
  - Description: In NSA mode, 5G UE is directed to connect to eNB due to lack of 5G
      coverage in the area or network load situations.
    Name: 5G UE is directed to connect to 4G base station in NSA mode
  procedureexamples:
  - Description: "Adversary reads the SUCI from airlink messages using signal analyzer\
      \ when it is sent in clear mode and extracts the IMSI/SUPI.\n\nThis is possible\
      \ in the following scenarios:\n\n\nWhen UE makes an emergency call and it does\
      \ not have a 5G-GUTI.\n\n\nIf the home PLMN has configured \"NULL\u201D SUCI-protection\
      \ algorithm to be used.\n\nIf the home PLMN has not provisioned the public key\
      \ needed to generate a SUCI. \n\n\nUE is moved from a gNB to an eNB in NSA mode."
    Name: Intercept IMSI/SUPI over the radio interface
  references:
  - "<a name=\"1\"> \\[1\\] </a> [3GPP TS 33.501 \" Security architecture and procedures\
    \ for 5G system\u201D](https://www.3gpp.org/DynaReport/33501.htm  )"
  status: This is a theoretical behavior
  subtechnique-of: FGT5019
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- access-required: N/A
  architecture-segment: Roaming
  bluf: Adversary send specifically crafted messages from an interconnect/interworking
    partner against roaming interface to gain access to the service function, e.g.
    SEPP, or cause a denial of service (DoS).
  criticalassets:
  - Description: The Security Edge Protection Proxy (SEPP) is the primary target for
      this technique and represent a key interface point between the operator and
      other service providers, via N32, for roaming.
    Name: SEPP
  - Description: The User Plane Function (UPF) in the home provider network exposes
      the N9 interface to other providers and can be targeted using this technique.
      If the Home Public Land Mobile Network (HPLMN) UPF is compromised, sensitive
      data may be sniffed or potentially dropped.
    Name: UPF
  - Description: The home Policy Control Function (h-PCF) is exposed to the visited
      PCF (v-PCF) via N24 in a home routed roaming scenario.
    Name: PCF
  - Description: The HPLMN Unified Data Management (UDM) function is exposed via N10
      to the Visited PLMN (VPLMN) Session Management Function + Packet Data Network
      Gateway Control (SMF+PGW-C) for local breakout roaming architecture.  The VPLMN
      Access and Mobility Management Function (AMF) can also reach the Home Subscriber
      Server UDM (HSS+UDM) via N8.  The VPLMN Mobility Management Entity (MME) can
      reach the HSS+UDM via S6a as well.
    Name: HSS+UDM
  - Description: The Non-3GPP Interworking Function (N3IWF) is exposed via the Y2
      and NWu.
    Name: N3IWF
  description: " Adversary sends specifically crafted messages from an interconnect/interworking\
    \ partner against roaming interface to gain access to the service function, e.g.,\
    \ SEPP, or to obtain information from the interworking facing service function.\r\
    \nA semi-public application or service is one that is only reachable by an adversary\
    \ over an interworking network that is typically only exposed to mobile network\
    \ operators (MNO), internetwork packet exchange providers (IPX), Value Added Services\
    \ (VAS) providers. An adversary that has previously compromised, through other\
    \ techniques, another service on the interworking network may be in a position\
    \ to use this technique against an operator\u2019s interworking facing service\
    \ interfaces. The adversary does not necessarily need to compromise a roaming\
    \ partner but needs to be on a network which can reach the target interface.\r\
    \n\r\nThe technique uses specifically formatted signaling messages to cause unexpected\
    \ behavior that the adversary has previously determined to permit gaining access\
    \ to the roaming interface system or network functions reachable via SEPP (N32),\
    \ PCF (N24), HSS+UDM (N10, N8, S6a) or N3IWF interfaces. The specially crafted\
    \ messages may also permit the collection of information about the targeted operator\
    \ and its users. The adversary may target the SEPP itself or place specially crafted\
    \ messages within legitimately authenticated messages that the SEPP passes to\
    \ NFs that can result in compromise of the NF or information collection. N9 interfaces\
    \ and non-3GPP interfaces exposed to interworking partners may also be targeted\
    \ by adversaries. The technique [FGT1190](/techniques/FGT1190) covers internet\
    \ facing service interfaces.\r\n\r\n"
  detections:
  - detects: Monitor application logs for evidence of unexpected access requests or
      potential pattern of errors logged that might indicate attempts to create unexpected
      behavior
    fgdsid: DS0015
    name: Application Log
  - detects: Monitor login session logs for evidence an adversary has created accounts
      or setup access after compromise of the service via specially formed packets
      on the service API
    fgdsid: DS0028
    name: Logon Session
  - detects: Observe unusual traffic to the SEPP and any evidence of unusual source
      or destinations from the SEPP that might indicate a source of specially formed
      packets.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5029
  mitigations:
  - fgmid: FGM5010
    mitigates: Redeploy SEPP regularly to prevent dwell time aka use non-persistence
    name: Non-Persistent Services
  - fgmid: M1050
    mitigates: Use of a Web Application Firewall may only allow properly formatted
      service communication.
    name: Exploit Protection
  - fgmid: M1051
    mitigates: Aggressive patching may reduce window of vulnerability if a known vulnerability
    name: Update Software
  name: Exploit Semi-public Facing Application
  object-type: technique
  platforms: SEPP, UPF
  preconditions:
  - Description: Adversary must have identified a vulnerability susceptible to the
      specially crafted message that results in an ability to use additional techniques.
    Name: Vulnerability Identified
  references:
  - "<a name=\"1\"> \\[1\\] </a> [\u201C5G Security Assurance Specification (SCAS)\
    \ for the Security Edge Protection Proxy (SEPP) network product class,\u201C TS\
    \ 33.517 ver. 17.0.0, 3rd Generation Partnership Project (3GPP), Sec. 4.2.3.3-4.4,\
    \ Jun. 2021](https://www.3gpp.org/DynaReport/33517.htm)"
  - "<a name=\"2\"> \\[2\\] </a> [R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield,\
    \ \u201CTowards dynamic threat modelling in 5G core networks based on MITRE ATT&CK\u201D\
    ,  October 2021](https://arxiv.org/abs/2108.11206)"
  - "<a name=\"3\"> \\[3\\] </a> [\u201CSecurity Edge Protection Proxy (SEPP),\u201D\
    \ Broadforward, Amersfoort, Netherlands, Accessed: May 17, 2022](https://www.broadforward.com/security-edge-protection-proxy/)"
  - "<a name=\"4\"> \\[4\\] </a> [ \u201CSecurity Assurance Specification (SCAS) threats\
    \ and critical assets in 3GPP network product classes,\u201C TR 33.926, 3GPP,\
    \ Sec. 5.3.7.2.](https://www.3gpp.org/DynaReport/33926.htm)"
  - "<a name=\"5\"> \\[5\\] </a> [\u201CSystem architecture for the 5G System (5GS),\u201D\
    TS 23.501, 3GPP, Sec. 4.2.8.2, 4.3.1, 4.3.2](https://www.3gpp.org/DynaReport/23501.htm)"
  status: This is a theoretical behavior in context of 5G systems.
  tactics:
  - TA0001
  - TA0009
  typecode: fight_technique
- access-required: N/A
  architecture-segment: UE
  bluf: An adversary may send specially crafted data to the UE over-the-air via the
    radio interface to execute malicious code.
  description: " An adversary may send specially crafted data to the UE over-the-air\
    \ via the radio interface to execute malicious code.  An adversary with a position\
    \ to send data to the UE, such as control of an IMS service or the UPF may send\
    \ data to the UE that can, using a previously identified vulnerability, cause\
    \ adversary execution on the UE.\r\n\r\nThe adversary may identify a vulnerability\
    \ in the radio interface through fuzzing techniques against the baseband and supporting\
    \ chips used in the UE.  Vulnerabilities that could enable an adversary to execute\
    \ code include heap corruptions and use-after-frees[1].  Additionally, vulnerabilities\
    \ such as buffer overflow vulnerabilities are often found due to insecure coding\
    \ practices. Although fuzzing has been demonstrated to be a viable approach to\
    \ identify vulnerabilities, vulnerabilities may be discovered by adversaries through\
    \ additional techniques including physical examination/tampering and binary executable\
    \ analysis.\r\n\r\n\r\n"
  detections: []
  id: FGT1203.501
  mitigations: []
  name: Over-the-Air Input
  object-type: technique
  platforms: 5G
  preconditions:
  - Description: Adversary must have identified a vulnerability in the target UE baseband
      or supporting chips to enable OTA exploitation.
    Name: Identified vulnerability on baseband or supporting chips
  procedureexamples:
  - Description: Proof of Concept demonstration of technique exploiting modem vulnerability
      from IMS service over an adversary controlled 5G core and base station.
    Name: Adversary controlled IMS
  references:
  - "<a name=\"1\"> \\[1\\] </a> [M.Grassi & X. Chen, \u201COver The Air Baseband\
    \ Exploit: Gaining Remote\nCode Execution on 5G Smartphones,\u201D retrieved May\
    \ 16, 2023](https://dl.acm.org/doi/abs/10.1145/3395351.3399360)"
  status: This a 5G relevant behavior that has been demonstrated in a successful proof
    of concept
  subtechnique-of: FGT1203
  tactics:
  - TA0002
  typecode: fight_subtechnique_to_attack_technique
- access-required: Privileged
  architecture-segment: UE
  bluf: An adversary may send specially crafted data to the UE's application processor's
    interface to the baseband API to execute malicious code.
  description: " An adversary may send specially crafted data to the UE's application\
    \ processor's interface to the baseband API to execute malicious code. The adversary\
    \ with a position on the UE to communicate to the baseband API can execute malicious\
    \ code on the baseband processing system.\r\n\r\nThe adversary may identify a\
    \ vulnerability in the baseband API through fuzzing techniques[1].  Vulnerabilities\
    \ that could enable an adversary to execute code include memory boundary violations,\
    \ including buffer overflows that affect the stack and the heap on the baseband.\
    \  Vulnerabilities such as buffer overflow vulnerabilities are often found due\
    \ to insecure coding practices. Although fuzzing has been demonstrated to be a\
    \ viable approach to identify vulnerabilities, vulnerabilities may be discovered\
    \ by adversaries through additional techniques including physical examination/tampering\
    \ and binary executable analysis.\r\n\r\n"
  detections: []
  id: FGT1203.502
  mitigations: []
  name: Baseband API
  object-type: technique
  platforms: 5G, 4G, 3G
  preconditions:
  - Description: Exploitation requires the ability to communicate with the baseband
      API.
    Name: Baseband API Access
  references:
  - '<a name="1"> \[1\] </a> [Imtiaz Karim, Fabrizio Cicala, Syed Rafiul Hussain,
    Omar Chowdhury, and Elisa Bertino. 2020. ATFuzzer: Dynamic Analysis Framework
    of AT Interface for Android Smartphones. Digital Threats 1, 4, Article 23 (December
    2020)](https://dl.acm.org/doi/10.1145/3416125)'
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1203
  tactics:
  - TA0002
  typecode: fight_subtechnique_to_attack_technique
- access-required: N/A
  addendums:
  - "#### Addendum Name: Baseband Exploits\r\n##### Architecture Segments: UE\r\n\
    \ An adversary may develop exploits that target the UE to execute malicious code.\
    \ The adversary may identify a vulnerability in the UE modem and exploit this\
    \ to execute malicious code. The adversary may need specific knowledge of the\
    \ modems, e.g.[T1592.001]( https://attack.mitre.org/techniques/T1592/001/), used\
    \ in specific UEs and exploits might be viable for specific models of UEs or the\
    \ class of UE utilizing a specific version of firmware, e.g. [T1592.003]( https://attack.mitre.org/techniques/T1592/003/).\
    \ Vulnerabilities may be discovered in multiple ways and exploiting the vulnerability\
    \ may require previous use of techniques to obtain an operator RAN position or\
    \ deploy a false base station, such as in [FGT1583.501]( https://fight.mitre.org/techniques/FGT1583.501),\
    \  to which the UE would connect.  \r\n"
  architecture-segment: UE
  bluf: Adversaries may develop exploits that can be used during targeting.
  description: "Adversaries may develop exploits that can be used during targeting.\r\
    \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1587/004)\r\
    \n"
  detections:
  - detects: Use of stack canaries by the firmware author can be used to detect manipulation
      of stack return addresses,
    fgdsid: DS0008
    name: Kernel
  id: FGT1587.004
  mitigations: []
  name: Exploits
  object-type: technique
  platforms: UE Baseband
  preconditions:
  - Description: Adversary may need to deploy their own base station (and possibly
      core network) in a lab environment for exploit development and testing.
    Name: Lab test environment
  procedureexamples:
  - Description: Researchers[1] analyzed firmware for vulnerabilities and identified
      stack overflow vulnerability in an XML parser inside the baseband that parses
      IMS messages.
    Name: Stack Overflow
  references:
  - "<a name=\"1\"> \\[1\\] </a> [M.Grassi and X. Chen, \u201COver The Air Baseband\
    \ Exploit: Gaining Remote\nCode Execution on 5G Smartphones, Retrieved May 16,\
    \ 2023](https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf)"
  - "<a name=\"2\"> \\[2\\] </a> [I.Karim, F.Cicala, et.al.,\u201CATFuzzer: Dynamic\
    \ Analysis Framework of AT Interface\nfor Android Smartphones,\u201D Retrieved\
    \ May 16, 2023](https://dl.acm.org/doi/pdf/10.1145/3416125)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1587
  tactics:
  - TA0042
  typecode: attack_subtechnique_addendum
- access-required: N/A
  architecture-segment: RAN, Control Plane, User Plane
  bluf: An adversary may create an operator network to facilitate applying techniques
    to a victim UE.
  description: " An adversary may create an operator network to facilitate applying\
    \ techniques to a victim UE.\r\n\r\nAn adversary may create a fully functional\
    \ operator network such as a 5G core and false base station to exploit the user\
    \ and/or UE. Creation of a false base station may not be sufficient in a 5G network\
    \ to further the adversary\u2019s objectives due to security improvements from\
    \ earlier generations. The availability of open 5G core and RAN software and services\
    \ make this viable for an adversary. The adversary, controlling the 5G network\
    \ the UE attaches, via additional techniques, such as [FGT1583.501](https://fight.mitre.org/techniques/FGT1583.501/),\
    \ may redirect the UE or use [FGT1562.501](https://fight.mitre.org/techniques/FGT1562.501)\
    \ to perform a downgrade attack to weaken end-to-end security. Techniques such\
    \ as [FGT5009]( https://fight.mitre.org/techniques/FGT5009/) may also be utilized\
    \ by the adversary to evade defenses.\r\n\r\n\r\n"
  detections: []
  id: FGT1587.501
  mitigations:
  - fgmid: M1056
    mitigates: The development aspect is not visible to the UE or Operator and is
      therefore not easily or possible to mitigate.
    name: Pre-compromise
  name: Operator Network
  object-type: technique
  platforms: 5G
  references:
  - "<a name=\"1\"> \\[1\\] </a> [M.Grassi and X. Chen, \u201COver The Air Baseband\
    \ Exploit: Gaining Remote Code Execution on 5G Smartphones\u201D, Retrieved May\
    \ 16, 2023.](https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf)"
  status: This a 5G relevant behavior that has been demonstrated in a successful proof
    of concept
  subtechnique-of: FGT1587
  tactics:
  - TA0042
  typecode: fight_subtechnique_to_attack_technique
- access-required: N/A
  architecture-segment: Control Plane
  bluf: An adversary obtains network access through illicit means in order to install
    instrumentation.
  description: " An adversary obtains use of network or signaling infrastructure in\
    \ order to apply techniques against 5G networks.\r\n\r\nAn adversary may attempt\
    \ to legitimately or illegitimately acquire network or signaling, e.g. SS7, infrastructure\
    \ capabilities that are able to communicate with other operator environments.\
    \ Unlike [T1650 \u2013 Acquire Access](https://attack.mitre.org/techniques/T1650),\
    \ the adversary is not acquiring access through an underground market and the\
    \ adversary may be part of a legitimate organization that has obtained access.\
    \  The adversary, working within the legitimate organization, may then use that\
    \ legitimately obtained access in unauthorized ways. The adversary may also be\
    \ acquiring infrastructure access through coercion or subterfuge from a legitimate\
    \ operator or service provider. The adversary may use this network infrastructure,\
    \ however obtained, as a position to apply additional follow-on behaviors. \r\n\
    \r\n\r\n"
  detections:
  - detects: Logs from firewalls may be useful for detecting adversary activities
      through signaling or via other network access protocols protected by firewalls.
    fgdsid: DS0018
    name: Firewall
  id: FGT1583.508
  mitigations:
  - fgmid: M1037
    mitigates: Use of firewall capabilities may allow filtering for a number of different
      paths, protocols, and networks.  Firewall capability may permit restrictions
      on SS7, SMS, IP, Diameter and other protocols.
    name: Filter Network Traffic
  name: Network Access
  object-type: technique
  platforms: 5G
  references:
  - "<a name=\"1\"> \\[1\\] </a> [\u201CNSO offered \u2018bags of cash\u2019 for access\
    \ to U.S. cell networks, whistleblower claims,\u201D Washington Post. Accessed:\
    \ Apr. 11, 2023. [Online].](https://www.washingtonpost.com/technology/2022/02/01/nso-pegasus-bags-of-cash-fbi/)"
  - "<a name=\"2\"> \\[2\\] </a> [\u201CNSO Group's Recent Difficulties Could Shape\
    \ the Future of the Spyware Industry,\u201D Infosecurity Magazine, Access: Sep.\
    \ 11, 2011. [online]](https://www.infosecurity-magazine.com/news-features/nso-groups-difficulties-spyware/)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1583
  tactics:
  - TA0042
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: RAN, User Plane, UE
  bluf: An adversary may send crafted GTP-U packets to the UPF/PGW in order to establish
    an illicit session with a target UE.
  criticalassets:
  - Description: "UE\u2019s privacy is violated by the data session established by\
      \ adversary."
    Name: UE security is impacted
  description: " An adversary may send crafted GTP-U packets to the UPF/PGW in order\
    \ to establish an illicit session with a target UE.\r\n\r\nAdversary may send\
    \ an encapsulated GTP-U packet to UPF/PGW from the internet with destination IP\
    \ of inner IP the same as UE\u2019s private IP address and source IP of inner\
    \ IP as its own IP or a server IP on the internet which is controlled by the adversary.\
    \ UPF/PGW forwards the GTP-U packet to gNB/eNB. gNB/eNB decapsulates the GTP-U\
    \ header and forwards the inner packet to the victim UE. UE responds to the message.\
    \ The response message is received either by the adversary or by an adversary\
    \ controlled malicious server on the internet. Thus, adversary establishes a two-way\
    \ communication to the victim UE. Once the session is established, adversary can\
    \ launch further attacks such as inserting malware, execute Remote Procedure Call\
    \ (RPC) etc.\r\n\r\n"
  detections:
  - detects: Monitor incoming packets on N6/SGi interface for any unauthorized data
      sessions.
    fgdsid: DS0029
    name: Network Traffic
  - detects: Examine all IP packets received from the internet at UPF/PGW with encapsulated
      GTP-U payload.
    fgdsid: FGDS5016
    name: Payload checking
  id: FGT1572.501
  mitigations:
  - fgmid: FGM5498
    mitigates: GTP firewall can be used to prevent GTP-U based frauds. GTP in GTP
      Identification can be used to prevent GTP reflection attacks. [2]
    name: Limit incoming signaling and user plane traffic
  - fgmid: M1031
    mitigates: Network Intrusion Prevention.
    name: Network Intrusion Prevention
  - fgmid: M1041
    mitigates: Use IPSec tunnel between gNB and UPF to prevent Adversary on the side
      (AoTS) attacks.
    name: Encrypt Sensitive Information
  name: UE Access via GTP-U
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: UE is subject to further attacks such as malware insertion, RPC execution
      etc.
    Name: UE security is compromised
  preconditions:
  - Description: "Adversary figures out UE\u2019s private IP address by using open-source\
      \ IP address scanning tools such as Shodan and they also figure out the TEID\
      \ being used by the network. [See FGT5031 Discover TEID]\n\nNote: For LTE, the\
      \ adversary needs to know TEIDs of two GTP tunnels: TEIDs on S5 and S1-U interfaces."
    Name: Adversary has knowledge of UE IP address and TEID
  procedureexamples:
  - Description: "Adversary may send encapsulated GTP-U packet to UPF/PGW from the\
      \ internet with destination IP of inner IP the same as UE\u2019s private IP\
      \ address and source IP of inner IP as its own IP or a server IP on the internet\
      \ which is controlled by the adversary. UPF/PGW forwards the GTP-U packet to\
      \ gNB/eNB. gNB/eNB decapsulates the GTP-U header and forwards the inner packet\
      \ to the victim UE. UE responds to the message. The response message is received\
      \ either by the adversary or by an adversary controlled malicious server on\
      \ the internet. Thus, adversary establishes a two-way communication to the victim\
      \ UE. [1]\n\nAdversary may launch further attacks on victim UE such as inserting\
      \ malware, execute Remote Procedure Call (RPC) etc.\n\nNote: For LTE, two GTP\
      \ tunnels are used in the user plane. The first GTP tunnel is between PGW and\
      \ SGW-U on S5 interface and the second GTP tunnel is between SGW-U and eNB on\
      \ S1-U interface. Hence, the adversary needs to know the TEID of both GTP tunnels\
      \ to launch this attack."
    Name: Two way session is established between victim UE and adversary
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Trend Micro article: \u201COutside Looking In: How\
    \ a Packet Reflection Vulnerability Could Allow Attackers to Infiltrate Internal\
    \ 5G Networks\u201D](https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/plague-private-5g-networks)"
  - "<a name=\"2\"> \\[2\\] </a> [A10 Networks article: \u201CGTP FIREWALL IN 4G AND\
    \ 5G MOBILE NETWORKS STRONG PROTECTION FOR ALL GTP INTERFACES\u201D.](https://www.a10networks.com/wp-content/uploads/A10-SB-19202-EN.pdf)"
  status: This is a theoretical behavior
  subtechnique-of: FGT1572
  tactics:
  - TA0001
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: User Plane
  bluf: An adversary may discover a valid GTP-U TEID in order to apply additional
    techniques.
  criticalassets:
  - Description: "UE\u2019s sensitive data such as its private IP address and GTP-U\
      \ tunnel id (TEID) are revealed to adversary."
    Name: UE privacy
  description: " An adversary may discover a valid GTP-U TEID in order to apply additional\
    \ techniques.\r\n\r\nThe GPRS Tunneling Protocol - User plane (GTP-U) is a protocol\
    \ in both 4G and 5G that tunnels user data packets between the radio network (gNB/eNB)\
    \ and the User Plane Function (UPF) in 5G, Serving Gateway (SGW) in 4G. In 4G,\
    \ there is another GTP-U tunnel between SGW and Packet Data Network (PDN) Gateway\
    \ (PGW). The GTP-U protocol header has a Tunnel Endpoint ID (TEID). Each UE is\
    \ assigned a unique TEID for the GTP-U tunnel and it is used to carry data from\
    \ multiple QoS flows. In order to apply additional techniques like hijacking the\
    \ tunnel, the adversary needs to discover a valid TEID.\r\n\r\nAdversary may try\
    \ to guess the TEID by sending a large number of encapsulated GTP-U packets to\
    \ the UPF/PGW from the internet with different TEIDs, until a valid one is found.\
    \ UPF/PGW forwards those packets to the UE through GTP-U tunnels. Following GTP-U\
    \ tunnels are used: In 5G, N3 GTP-U tunnel between UPF and gNB, in 4G, S1-U GTP-U\
    \ tunnel between SGW and eNB and S5 GTP-U tunnel between SGW and PGW. When target\
    \ IP address and TEID match, the adversary may receive a response indicating success.\
    \ Some core networks show affinity to certain ranges of TEIDs under certain conditions,\
    \ making brute forcing easier. Once TEID is known, further attacks can be launched\
    \ to slow down or crash the targeted UE.\r\n\r\n"
  detections:
  - detects: Monitor incoming packets on N6 and SGi interfaces for any unauthorized
      data sessions.
    fgdsid: DS0029
    name: Network Traffic
  - detects: Inspect the payloads of all incoming packets to filter encapsulated GTP-U
      on internet facing interface of UPF and PGW.
    fgdsid: FGDS5016
    name: Payload checking
  id: FGT5031
  mitigations:
  - fgmid: M1031
    mitigates: Network Intrusion Prevention.
    name: Network Intrusion Prevention
  - fgmid: M1041
    mitigates: Use IPSec between gNB and UPF, eNB and SGW, SGW and PGW. Use strong
      encryption algorithms to prevent eavesdropping on subscriber payload data including
      their private IP addresses.
    name: Encrypt Sensitive Information
  - fgmid: FGM5507
    mitigates: Randomize TEID allocations.
    name: TEID allocation
  - fgmid: FGM5508
    mitigates: Refresh TEIDs frequently to make discovery of TEID to UE IP address
      mapping harder.
    name: Refresh TEIDs
  name: Discover TEID
  object-type: technique
  platforms: 5G
  preconditions:
  - Description: "Retrieve the target UE\u2019s private IP address using open-source\
      \ search engines e.g. shodan."
    Name: "Obtain victim UE\u2019s private IP address"
  procedureexamples:
  - Description: "Adversary sends large number of encapsulated GTP-U packets with\
      \ different TEIDs to a particular UE whose IP address is known to the adversary.\
      \ Encapsulated GTP-U packets are sent from the internet to UPF/PGW and UPF/PGW\
      \ forwards those packets to the UE via gNB/eNB. If response is received for\
      \ a GTP-U packet, UE\u2019s TEID will be known to the adversary. [1]\n\nFor\
      \ example, adversary may launch further attacks such as GTP-U tunnel hijack\
      \ and DoS to the target UE.\n\nIn 5G, the TEID of N3 GTP-U tunnel needs to be\
      \ discovered by the adversary. In 4G, the adversary needs to discover TEID of\
      \ S1-U GTP-U tunnel and S5 GTP tunnel."
    Name: Send large number of GTP-U packets via UPF/PGW/SGW to the target UE
  references:
  - "<a name=\"1\"> \\[1\\] </a> [TrendMicro publication: \u201CA Deep Dive into the\
    \ Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Networks\
    \ - Security News.\u201D](https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/plague-private-5g-networks)"
  status: This a 5G relevant behavior that has been demonstrated in a successful proof
    of concept
  tactics:
  - TA0007
  typecode: fight_technique
- architecture-segment: Control Plane
  bluf: An adversary controlled UE may be used to send crafted NAS messages to AMF
    to crash or slow down the AMF.
  criticalassets:
  - Description: 5G core network functions can be slowed down or crashed which causes
      temporary network outage for UEs and gNBs.
    Name: Core network functions
  description: " An adversary controlled UE may be used to send crafted NAS messages\
    \ to AMF to crash or slow down the AMF.\r\n\r\nAMF processes registration request\
    \ messages from UE and it works with other NFs in the core to respond to those\
    \ messages. By sending crafted NAS messages from UE, an adversary may force 5G\
    \ core AMF or other Control Plane functions to go into undefined states, and might\
    \ result in DoS. UEs use NAS connection (via N1 interface) to the core AMF function.\
    \ A specially crafted message can be used to cause coding or parsing error which\
    \ can potentially crash the AMF. Existing UEs and new UEs may not be able to get\
    \ service from the 5G network.\r\n\r\n"
  detections:
  - detects: 'Examine all header fields of control plane messages received in the
      uplink direction from UE to the core.

      This can be done either by logging all messages received by the NF or by using
      a proxy or firewall at the core network entry point.'
    fgdsid: DS0029
    name: Network Traffic
  - detects: Test all software patches for each core NF.
    fgdsid: FGDS5015
    name: Image verification
  id: FGT1498.503
  mitigations:
  - fgmid: FGM5511
    mitigates: Check for NAS message with incorrect or very large length, examine
      all header fields. Improve message parsing mechanism by discarding messages
      with improper header lengths.
    name: Verify NAS messages from UE
  - fgmid: FGM5512
    mitigates: Use high availability feature for all core network functions.
    name: Use high availability
  name: UE DoS to AMF
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Some 5G core network services will be unavailable causing temporary
      network outage.
    Name: Network services unavailable
  preconditions:
  - Description: A compromised COTS UE or a UE with open-source code running in an
      SDR can be used to run malicious application code. This can be used to generate
      the specially crafted NAS message to be sent towards AMF.
    Name: Compromise a UE or a purpose built UE
  procedureexamples:
  - Description: Adversary controlled UE sends a crafted NAS message towards AMF with
      the length field increased to a very large value. If AMF does not do proper
      header parameters check including length check, it can cause buffer overflow
      in the AMF which can force AMF to go to an undefined state or crash. This will
      cause Denial of Service for existing and future UEs. [1,2,3]
    Name: AMF is targeted from UE using malformed NAS message
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Github post: \u201C[NAS] fix the security issue\
    \ (ZDI-CAN-14043)\u201D](https://github.com/open5gs/open5gs/commit/00c96a3f0ffd12c4330bee9a3f9596f8e4b86b6f)"
  - "<a name=\"2\"> \\[2\\] </a> [CVE-2021-44081: \u201CA buffer overflow vulnerability\
    \ exists in the AMF of open5gs 2.1.4. When the length of MSIN in Supi exceeds\
    \ 24 characters, it leads to AMF denial of service.\u201D](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44081)"
  - "<a name=\"3\"> \\[3\\] </a> [CVE-2022-43677: \u201CA crafted malformed NGAP message\
    \ can crash AMF and NGAP decoder\u201D.](https://github.com/free5gc/free5gc/issues/402)"
  status: This a 5G relevant behavior that has been demonstrated in a successful proof
    of concept
  subtechnique-of: FGT1498
  tactics:
  - TA0040
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: User Plane
  bluf: An adversary-controlled UE may be used to send a GTP-U packet to UPF/PGW with
    a malicious payload in order to evade UPF/PGW routing controls to establish communications
    with a core NF.
  criticalassets:
  - Description: Core NF is illegitimately accessed from the UE via user plane function
      UPF/PGW.
    Name: Core network functions accessed from the user plane
  description: " An adversary-controlled UE may be used to send a GTP-U packet to\
    \ UPF/PGW with a malicious payload in order to evade UPF/PGW routing controls\
    \ to establish communications with a core NF.\r\n\r\nThe UPF/PGW is the core network\
    \ function supporting the user plane. It tunnels user data packets from the radio\
    \ access networks (gNB/eNB) towards data networks (such as the Internet). Other\
    \ core network functions (NFs) - such as the Session Management Function (SMF)\
    \ - support the control plane. In this threat, a user plane packet crosses over\
    \ to the control plane. \r\n\r\nThe UPF/PGW normally processes GTP-U packets to\
    \ and from the radio access network (gNB/eNB). A GTP-U packet, after the header\
    \ is stripped, should contain a regular user data IP packet, with the source IP\
    \ address of the UE, and the destination an external IP address (Internet). However,\
    \ in this case, it contains a control packet addressed to a core network function\
    \ for instance the SMF. The UPF/PGW should then drop this packet, but in some\
    \ implementations it was found that the UPF/PGW may instead route it as indicated.\r\
    \n\r\nThus, if UPF/PGW does not do proper parameter checks, it may route the packet\
    \ to an improper destination such as a core network function in the control plane\
    \ e.g. SMF, it can cause the NF to go to an undefined state and the NF may crash.\r\
    \n\r\n\r\n"
  detections:
  - detects: Examine all header fields and encapsulated payload of user plane packets
      received in the uplink direction from UE.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1599.505
  mitigations:
  - fgmid: FGM5510
    mitigates: "Do not allow any packets received from UE which has destination address\
      \ set to a core NF\u2019s IP address."
    name: Filter packets to core NF sent by UE
  name: GTP-U Abuse
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: "Core network function is DoS\u2019ed from the user plane."
    Name: Core network functions impacted
  preconditions:
  - Description: A COTS UE or SDR UE can be used to prepare specially crafted GTP-U
      packets to be sent to towards UPF/PGW.
    Name: Compromise a UE
  procedureexamples:
  - Description: 'This is a UP to CP cross-over or network boundary bridging attack.
      A specially crafted GTP-U packet containing a control plane packet is sent by
      the adversary controlled UE to the UPF/PGW, e.g. a tunneled GTP-U packet can
      be sent to trick the UPF/PGW. The payload packet contains the NF IP address
      as the destination IP.



      Without proper parameter validation, UPF/PGW may send the GTP-U payload to the
      destination address in the control plane which can be SMF. The message can cause
      the SMF to go to an undefined state and it may crash the SMF.'
    Name: Core NF is attacked from UE using tunneled GTP-U packets via UPF/PGW
  status: This is a theoretical behavior
  subtechnique-of: FGT1599
  tactics:
  - TA0005
  typecode: fight_subtechnique_to_attack_technique
- access-required: N/A
  architecture-segment: Control Plane
  bluf: An adversary may send an unsolicited SS7/Diameter message to the core network
    of a UE that will cause the core network to provide coarse location of the UE.
  criticalassets:
  - Description: "Subscriber\u2019s coarse location is revealed to the adversary."
    Name: "UE\u2019s privacy is compromised"
  description: " An adversary may send an unsolicited SS7/Diameter message to the\
    \ core network of a UE that will cause the core network to provide coarse location\
    \ of the UE.\r\n\r\nAn operator\u2019s network consists of a 5G Core and also\
    \ auxiliary systems such as the IP Multimedia System (IMS).  The IMS is used to\
    \ provide voice and SMS services; this is accomplished via traditional protocols\
    \ SS7 and Diameter between the IMS and 5G core functions. This subtechnique covers\
    \ the abuse of such legitimate signaling to obtain the location of a UE.\r\n\r\
    \nBackground info:\r\n5G SA core has interfaces to IMS core to support voice and\
    \ SMS services. Diameter/SS7 attacks. In signaling plane, voice service uses Diameter\
    \ based Rx interface between PCF and P-CSCF in IMS, Diameter based Sh interface\
    \ between HSS/UDM and TAS in IMS, Diameter based Cx interface between HSS/UDM\
    \ and I/S-CSCF. It also uses SIP/SDP based Gm interface between UPF and P-CSCF\
    \ in the user plane. SMS over NAS service uses SS7 (MAP) based interface and S6c\
    \ Diameter based interface from UDM to SMSC. It also uses MAP and SGd (Diameter)\
    \ interfaces from SMSF to SMSC.\r\n\r\n\r\n"
  detections:
  - detects: Monitor all communications over Diameter and SS7/MAP based interfaces
      to/from core network.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5012.008
  mitigations:
  - fgmid: FGM5004
    mitigates: Use SMS router or firewall
    name: Correctly configure SMS firewall
  - fgmid: FGM5513
    mitigates: Use Diameter End-to-end Signaling Security (DESS). Section 6.5.3 of
      [4].
    name: Use DESS security
  name: Diameter signaling
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: Further attacks such as physical attack and eavesdropping on subscriber
      private data are possible once their coarse location is known to the adversary.
    Name: Further attacks on subscriber are possible
  preconditions:
  - Description: "Adversary collects victim UE\u2019s phone number from subscriber\u2019\
      s physical address using internet based services such as numlooker.com."
    Name: MSISDN or phone number of victim UE is known to adversary
  procedureexamples:
  - Description: "Adversary sets up a fake SMSC and then sends a specially crafted\
      \ MAP SRI_SM Send Routing Info for Short Message Request (SRR) with victim UE\u2019\
      s MSISDN to HSS/UDM. If SMS router/firewall is not setup or if it is setup incorrectly,\
      \ HSS/UDM will return the IMSI/SUPI of the UE and the ID of AMF/MME\u2019s currently\
      \ serving the UE in response Send Routing Info for SM Answer (SRA) message.\
      \ Thus, adversary will know the coarse location of the UE e.g. part of the town\
      \ where the victim UE is present [1]"
    Name: "Subscriber\u2019s coarse location is retrieved via SS7/MAP signaling"
  - Description: "Adversary sets up a fake IP-SM-GW or SMS-GMSC and then sends a specially\
      \ crafted Send Routing Info for Short Message Request (SRR) with victim UE\u2019\
      s MSISDN to HSS/UDM. If SMS router/firewall is not setup or if it is setup incorrectly,\
      \ HSS/UDM will return the ID of AMF/MME\u2019s currently serving the UE in response\
      \ Send Routing Info for SM Answer (SRA) message. Thus, adversary will know the\
      \ coarse location of the UE e.g. part of the town where the victim UE is present.\
      \ [2]"
    Name: "Subscriber\u2019s coarse location is retrieved via Diameter signaling"
  references:
  - "<a name=\"1\"> \\[1\\] </a> [International Conference on Cyber Conflict 2016:\
    \ \u201CWe know where you are\".](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7529440)"
  - "<a name=\"2\"> \\[2\\] </a> [Positive Technologies article: \u201CNext Generation\
    \ Networks, Next Level Cyber Security Problems\u201D.](https://www.ptsecurity.com/upload/iblock/a8e/diameter_research.pdf)"
  - "<a name=\"3\"> \\[3\\] </a> [Broadforward\u2019s SS7/MAP Firewall](https://www.broadforward.com/ss7-firewall-ss7fw/)"
  - "<a name=\"4\"> \\[4\\] </a> [GSMA IR.88 \u201CEPS Roaming Guidelines\u201D.](https://www.gsma.com/newsroom/wp-content/uploads/IR.88-v22.0.pdf)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5012
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- access-required: N/A
  architecture-segment: Control Plane
  bluf: An adversary may send an unsolicited SS7/Diameter message to the core network
    of a UE that will cause the core network to provide IMSI/SUPI of the UE.
  criticalassets:
  - Description: "Subscriber\u2019s identity is revealed to the adversary."
    Name: "UE\u2019s privacy is compromised"
  description: " An adversary may send an unsolicited SS7/Diameter message to the\
    \ core network of a UE that will cause the core network to provide IMSI/SUPI of\
    \ the UE.\r\n\r\nAn operator\u2019s network consists of a 5G Core and also auxiliary\
    \ systems such as the IP Multimedia System (IMS).  The IMS is used to provide\
    \ voice and SMS services; this is accomplished via traditional protocols SS7 and\
    \ Diameter between the IMS and 5G core functions. This subtechnique covers the\
    \ abuse of such legitimate signaling to obtain the permanent identifier of a UE.\
    \ Once the IMSI/SUPI is obtained, adversary may launch further attacks such as\
    \ retrieving location of the UE, network slice and data network that are being\
    \ used by the UE etc.\r\n  \r\nBackground info:\r\n5G SA core has interfaces to\
    \ IMS core to support voice and SMS services. Diameter/SS7 attacks. In signaling\
    \ plane, voice service uses Diameter based Rx interface between PCF and P-CSCF\
    \ in IMS, Diameter based Sh interface between HSS/UDM and TAS in IMS, Diameter\
    \ based Cx interface between HSS/UDM and I/S-CSCF. It also uses SIP/SDP based\
    \ Gm interface between UPF and P-CSCF in the user plane. SMS over NAS service\
    \ uses SS7 (MAP) based interface and S6c Diameter based interface from UDM to\
    \ SMSC. It also uses MAP and SGd (Diameter) interfaces from SMSF to SMSC.\r\n\r\
    \n"
  detections:
  - detects: Monitor all communications over Diameter and SS7/MAP based interfaces
      to/from core network.
    fgdsid: DS0029
    name: Network Traffic
  id: FGT5019.005
  mitigations:
  - fgmid: FGM5004
    mitigates: Use SMS router or firewall
    name: Correctly configure SMS firewall
  - fgmid: FGM5513
    mitigates: Use Diameter End-to-end Signaling Security (DESS). Section 6.5.3 of
      [4].
    name: Use DESS security
  name: Diameter signaling
  object-type: technique
  platforms: 5G Network
  postconditions:
  - Description: If IMSI/SUPI is obtained, many other subsequent attacks are possible
      such as retrieving subscriber location, network slice, data network of the UE.
    Name: IMSI/SUPI is available to the adversary
  preconditions:
  - Description: "Adversary collects victim UE\u2019s phone number from subscriber\u2019\
      s physical address using internet based services such as numlooker.com."
    Name: MSISDN or phone number of victim UE is known to adversary
  procedureexamples:
  - Description: "Diameter protocol:\nAdversary sets up a fake SMSC and then sends\
      \ a specially crafted Send Routing Info for Short Message Request (SRR) with\
      \ victim UE\u2019s MSISDN to HSS/UDM. If SMS router/firewall is not setup or\
      \ if it is setup incorrectly, HSS/UDM will return the IMSI/SUPI of the UE and\
      \ the ID of AMF/MME\u2019s ID currently serving the UE in response Send Routing\
      \ Info for SM Answer (SRA) message.\n\nSS7 protocol:\nAdversary sets up a fake\
      \ SMSC and then sends a specially crafted MAP SRI_SM Send Routing Info for Short\
      \ Message Request (SRR) with victim UE\u2019s MSISDN to HSS/UDM. If SMS router/firewall\
      \ is not setup or if it is setup incorrectly, HSS/UDM will return the IMSI/SUPI\
      \ of the UE and the ID of AMF/MME\u2019s ID currently serving the UE in response\
      \ Send Routing Info for SM Answer (SRA) message. [1, 2]"
    Name: "UE\u2019s IMSI/SUPI is retrieved using SRR message"
  - Description: "Diameter protocol: Adversary sets up an application server and sends\
      \ a specially crafted User Data Request (UDR) message with victim UE\u2019s\
      \ MSISDN to HSS/UDM. If HSS/UDM is not configured properly, HSS/UDM will return\
      \ the IMSI/SUPI of the UE in User Data Answer (UDA) response message. [2]"
    Name: "UE\u2019s IMSI/SUPI is retrieved using Diameter UDR message"
  references:
  - "<a name=\"1\"> \\[1\\] </a> [International Conference on Cyber Conflict 2016:\
    \ \u201CWe know where you are\".](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7529440)"
  - "<a name=\"2\"> \\[2\\] </a> [Positive Technologies article: \u201CNext Generation\
    \ Networks, Next Level Cyber Security Problems\u201D](https://www.ptsecurity.com/upload/iblock/a8e/diameter_research.pdf)"
  - "<a name=\"3\"> \\[3\\] </a> [Broadforward\u2019s SS7/MAP Firewall](https://www.broadforward.com/ss7-firewall-ss7fw/)"
  - "<a name=\"4\"> \\[4\\] </a> [GSMA IR.88 \u201CEPS Roaming Guidelines\u201D.](https://www.gsma.com/newsroom/wp-content/uploads/IR.88-v22.0.pdf)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5019
  tactics:
  - TA0007
  - TA0009
  typecode: fight_subtechnique
- architecture-segment: O-RAN, RAN
  bluf: Malicious xApps may gain unauthorized access to near-RT RIC and E2 nodes,
    in order to affect Radio Access Network (ran) behavior.
  criticalassets:
  - Description: Adversary may impact normal RAN functions.
    Name: 'Near-RT RIC function: RAN optimization'
  - Description: "Adversary may disrupt RAN operations by changing UE\u2019s slice\
      \ priority and QoS parameters which results in denying new connections or dropping\
      \ existing connections."
    Name: RAN configuration data
  - Description: "UE data includes UE\u2019s coarse location, temporary identifier\
      \ and correlation of UE temporary identifier to other service related data e.g.\
      \ DNN, NSSAI etc. See clause 6.2.1 of [2]."
    Name: UE data
  - Description: Adversary has read/write access to database containing sensitive
      network data such as QoS policies and slice priority.
    Name: Sensitive network data
  description: " Malicious xApps may gain unauthorized access to near-RT RIC and E2\
    \ nodes, in order to affect Radio Access Network (RAN) behavior. \r\n\r\nxApps\
    \ are application software that may be developed by third party vendors. They\
    \ reside in the Near Real Time (near-RT) RAN Intelligent Controller (RIC) after\
    \ onboarding is done by ORAN orchestration system. Near-RT RICs control and optimize\
    \ RAN functions for events ranging from 10 ms to 1 sec. xApps manage Radio Resource\
    \ Management (RRM) functions of RAN via E2 interface. The following components\
    \ are controlled by xApps by using APIs: E2 nodes such as O-DU, O-RU, O-CU-CP\
    \ and O-CU-UP. Near-RT RIC and xApps are managed by non-RT RIC via A1 interface\
    \ for RAN optimizations and by SMO via O1 interface for lifecycle management.\r\
    \n\r\nDuring onboarding of xApps, malware may be installed by the adversary in\
    \ xApps which can gain unauthorized access to near-RT RIC by exploiting weak or\
    \ misconfigured authentication mechanism in near-RT RIC. A malicious xApp image\
    \ may be crafted by the adversary and then installed in near-RT RIC during onboarding.\
    \ A legitimate xApp may be cloned in near-RT RIC by an insider adversary.\r\n\r\
    \nOnce installed in near-RT RIC, the rogue xApp may indirectly access E2 nodes\
    \ via APIs by penetrating traffic separating firewalls within ORAN. The rogue\
    \ xApp may change behavior of near-RT RIC which will impact RAN functions such\
    \ as coverage, network slicing, QoS etc.\r\n  \r\n\r\n"
  detections:
  - detects: Monitor access token usage by xApps.
    fgdsid: DS0006
    name: Web Credential
  - detects: 'Perform real-time audits and post-processing of logs.

      Detect which parts of the RAN is accessed by each xApp e.g. O-DU, O-CU-CP, O-CU-UP,
      O-RU etc.'
    fgdsid: DS0010
    name: Cloud Storage
  - detects: Monitor logs for authentication/authorization of xApps to near-RT RIC
      and E2 nodes, logs for each transaction done by xApps to E2 nodes. Audit logs
      and telemetry data for unauthorized activities.
    fgdsid: DS0025
    name: Cloud Service
  - detects: Verify and refresh frequently digital signatures used for authenticating
      xApps by near-RT RIC and E2 nodes.
    fgdsid: DS0037
    name: Certificate
  - detects: Verify xApp image hash
    fgdsid: FGDS5015
    name: Image verification
  - detects: Monitor all xApps onboarding processes. Use host scanning tools to detect
      malware insertions.
    fgdsid: FGDS5021
    name: Monitor 3rd party application onboarding
  id: FGT5034
  mitigations:
  - fgmid: FGM5091
    mitigates: Use strong authentication and authorization for 3rd party xApps during
      onboarding and use strong mutual authentication between xApps and near-RT RIC
      and between xApp and E2 nodes.
    name: Mutual authentication
  - fgmid: M1030
    mitigates: Restrict SW paths for some network components using standard protocols
      such as SSL, REST/HTTPS etc.
    name: Network Segmentation
  - fgmid: M1033
    mitigates: Use only trusted supply chain, rigorous scanning of software images.
      Limit Software Installations especially from 3rd party sources.
    name: Limit Software Installation
  - fgmid: M1043
    mitigates: Credential Access Protection - Use capabilities to prevent successful
      credential access by adversaries; including blocking forms of credential dumping.
    name: Credential Access Protection
  - fgmid: M1045
    mitigates: Verify digital signature of xApp
    name: Code Signing
  - fgmid: FGM5516
    mitigates: Make the tokens short lived to prevent replay of token attacks (AiTM).
    name: Make xApp sessions short lived
  name: Radio control manipulation via rogue xApps
  object-type: technique
  platforms: O-RAN
  postconditions:
  - Description: Adversary degrades network operation or in the worst case causes
      temporary network outage.
    Name: Network operations impacted
  - Description: "Operator\u2019s network policies are known to the adversary."
    Name: Sensitive network data exposed to adversary
  - Description: "UE and subscriber\u2019s sensitive data is revealed to the adversary."
    Name: Sensitive UE data exposed to adversary
  preconditions:
  - Description: 'Adversary installs rogue xApp in near-RT RIC via malware during
      onboarding and it finds out weak authentication mechanism in near-RT RIC to
      gain entry in the O-RAN systems.


      A legitimate xApp may be cloned by adversary to launch further attacks.'
    Name: Adversary has access to near-RT RIC during onboarding or via insider attack
  procedureexamples:
  - Description: 'Adversary may exploit weakly configured authentication mechanism
      in near-RT RIC and E2 nodes for the xApps and may gain unauthorized access to
      near-RT RIC and thus affect E2 nodes.


      Adversary may access E2 nodes such as O-DU, O-RU, O-CU-CP and O-CU-UP via E2
      interface by using E2 related APIs. Clause 5.4.1.4 of [1], clause 7.3 of [2]
      and [3].'
    Name: Malicious xApp gets access to near-RT RIC and E2 nodes.
  - Description: "Rogue xApp may change behavior of near-RT RIC by intercepting or\
      \ modifying A1 messages to/from non-RT RIC or O1 messages to/from SMO. Some\
      \ examples of attacks are:\n\nDoS attack on network and UEs by changing slice\
      \ priority and QoS parameters, steal network and UE information and track UE\u2019\
      s location."
    Name: Rogue xApp changes behavior of ORAN system
  - Description: "When a new xApp is deployed, it is authenticated by near-RT RIC.\
      \ If authentication is successful, near-RT RIC provides an ID to the xApp and\
      \ it creates a Managed Object Instance (MOI) for the xApp. MOI is used by SMO\
      \ to manage xApps. \n\nAiTM attack may be launched by adversary by monitoring\
      \ and replaying a stolen token or MOI of a legitimate xApp. This may change\
      \ behavior of near-RT RIC and impact RAN functions such as coverage, network\
      \ slicing and QoS. Clause 9.4.1 of [2]."
    Name: xApps stolen token/MOI
  references:
  - <a name="1"> \[1\] </a> [O-RAN Security Threat Model 6.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - <a name="2"> \[2\] </a> [O-RAN WG3 Near-RT RIC Architecture 4.00 version](https://orandownloadsweb.azurewebsites.net/specifications)
  - "<a name=\"3\"> \\[3\\] </a> [Ericsson white paper: \u201CSecurity considerations\
    \ of Open RAN\u201D.](https://www.ericsson.com/en/security/security-considerations-of-open-ran)"
  status: This is a theoretical behavior
  tactics:
  - TA0001
  - TA0008
  typecode: fight_technique
- architecture-segment: O-RAN, RAN
  bluf: Adversary may jam to impact IAB or mIAB (gNB) node's communications to impact
    the UEs and downstream IAB node's ability to connect to network.
  criticalassets:
  - Description: 5G RAN services are disrupted during jamming attack.
    Name: Network operations disrupted
  description: " Adversary may jam to impact IAB or mIAB (gNB) node's communications\
    \ to impact the UEs and downstream IAB node\u2019s ability to connect to network.\r\
    \n\r\nIf one or more Integrated Access and Backhaul (IAB) nodes or mobile IAB\
    \ (mIAB) or gNBs wireless backhaul connection is jammed in tactical or mobile\
    \ network deployment, the network connectivity will be disrupted. This will cause\
    \ temporary DoS attack for some users until an alternate connection is available.\r\
    \n\r\nMobile IAB nodes are small cell base stations which are typically deployed\
    \ on a vehicle placed in strategic areas. For example, mIAB node can be deployed\
    \ near a stadium for a game event. The backhaul traffic from the mIAB node is\
    \ carried over the air to the next hop base station. The next hop gNB can be another\
    \ IAB node or a fixed base station (aka donor IAB) which has a wired connection\
    \ to the 5G core network.\r\n\r\nAn IAB node may use the same or different RF\
    \ frequency bands for the backhaul traffic to the upstream IAB node and for providing\
    \ network access to the UEs connected to itself. If the same frequency band is\
    \ used for backhaul and access, it is known as in-band deployment and if different\
    \ frequency bands are used for backhaul and access, it is known as out-of-band\
    \ deployment. The adversary may choose to jam both frequency bands in case of\
    \ out-of-band deployment to disrupt both backhaul and access communications.\r\
    \n\r\nThe adversary may impact communications of the target IAB node, the IAB\
    \ nodes that are downstream from the target IAB node and all UEs that are connected\
    \ to the target IAB node and all UEs that are connected to downstream IAB nodes.\
    \ [2]\r\n\r\n"
  detections:
  - detects: Monitor gNB logs for abnormal service outage.
    fgdsid: FGDS5020
    name: Monitor unplanned service outage
  id: FGT5024
  mitigations:
  - fgmid: FGM5515
    mitigates: Move the mIAB node to another location to avoid jamming and establish
      a new connection to the next hop base station.
    name: Move mIAB node
  name: IAB Denial of Service
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Legitimate subscribers are not able to connect to 5G network.
    Name: Network operations are impacted
  preconditions:
  - Description: Adversary must be positioned in the same area as the victim IAB node
      with a wireless sniffer device and a jamming device equipped with sufficient
      transmit power.
    Name: Adversary in the same vicinity as victim IAB node
  - Description: Adversary impacts all communications associated to the victim IAB
      node i.e. both access and backhaul.
    Name: Adversary jams all communications of the victim IAB node
  procedureexamples:
  - Description: Adversary monitors transmissions on the IAB node backhaul and access
      links with a wireless sniffer device. Then it starts transmitting bogus RF signal
      with enough transmit power to jam the backhaul and access link communications.
      This will disrupt connectivity to the network of the victim IAB node, all IAB
      nodes that are downstream from victim IAB node, all UEs which are connected
      to the victim IAB node and all UEs which are connected to downstream IAB nodes.
    Name: IAB or mIAB node is jammed by adversary.
  references:
  - "<a name=\"1\"> \\[1\\] </a> [5G Americas White Paper: \u201CInnovations in 5G\
    \ Backhaul Technologies; IAB, HFC & FIBER\u201D, June 2020.](https://www.5gamericas.org/wp-content/uploads/2020/06/Innovations-in-5G-Backhaul-Technologies-WP-PDF.pdf)"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 38.401: \u201CNG-RAN; Architecture description\u201D\
    .](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3219)"
  status: This is a theoretical behavior
  tactics:
  - TA0040
  typecode: fight_technique
- access-required: N/A, N/A
  addendums:
  - "#### Addendum Name: IMSI Catcher\r\n##### Architecture Segments: RAN, UE\r\n\
    \ An adversary may build an International Mobile Subscriber Identity (IMSI) catcher\
    \ to capture IMSI numbers from nearby UEs in a target area.\r\n\r\nIMSI catchers\
    \ are very similar to fake base stations but may not have full capabilities of\
    \ the base station. The IMSI Catcher term has been traditionally associated with\
    \ UE identity discovery or location identification.  Adversary may build one with\
    \ open-source code and generic radio transceivers. Open-source code for software\
    \ defined radio, or RAN test equipment, or simulators can also be modified to\
    \ create an IMSI catcher.\r\n\r\n"
  - "#### Addendum Name: Silent paging tool\r\n##### Architecture Segments: RAN, UE\r\
    \n An adversary may build or develop a silent SMS tool in order to send SMSs to\
    \ nearby phones in a target area.\r\n\r\nA silent SMS is described in the specification\
    \ GSM 03.40 as a Short Message of type 0, which indicates that the UE must acknowledge\
    \ receipt of the short message but may discard its contents.\r\n\r\nIt is possible\
    \ to build/develop an application to send silent SMS messages, which can run on\
    \ a regular phone (UE) that can register to a local network. That application\
    \ can be used to send a silent SMS to a target UE using the phone number (MSISDN).\r\
    \n\r\n"
  architecture-segment: RAN, UE
  bluf: Adversaries may build capabilities that can be used during targeting.
  description: "Adversaries may build capabilities that can be used during targeting.\r\
    \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1587)\r\
    \n"
  detections: []
  id: FGT1587
  mitigations:
  - fgmid: M1056
    mitigates: This technique cannot be easily mitigated with preventive controls
      since it is based on behaviors performed outside of the scope of the mobile
      network operator.
    name: Pre-compromise
  name: Develop Capabilities
  object-type: technique
  platforms: RAN, RAN
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin\
    \ Mulazzani, and Edgar Weippl. \u201CIMSI-catch me if you can: IMSI-catcher-catchers\u201D\
    . In Proceedings of the 30th annual computer security applications Conference,\
    \ pages 246\u2013255, 2014.](https://its-wiki.no/images/f/fb/Dabrowski_ISMI_Catch_me_Catchers.pdf)"
  - "<a name=\"2\"> \\[2\\] </a> [Ravishankar Borgaonkar, Altaf Shaik, \u201C5G IMSI\
    \ Catchers Mirage\u201D, Blackhat USA Conference 2021.](https://blackhat.com/us-21/briefings/schedule/#g-imsi-catchers-mirage-23538)"
  - "<a name=\"3\"> \\[3\\] </a> [\u201CHOW COPS CAN SECRETLY TRACK YOUR PHONE\u201D\
    , The Intercept online article, July 31, 2021. Accessed 6/22/2022.](https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/)"
  - "<a name=\"4\"> \\[4\\] </a> [A Knight, Brier & Thorn, \u201CHacking GSM: Building\
    \ a Rogue Base Station to Hack Cellular Devices\u201D, Online Article.  Accessed\
    \ 6/22/2022.](https://www.brierandthorn.com/post/hacking-gsm-building-a-rogue-base-station-to-hack-cellular-devices)"
  - "<a name=\"1\"> \\[1\\] </a> [Information Security Newspaper, \u201CHow to hack\
    \ and track anybody\u2019s  phone location via silent SMS messages\u201D.](https://www.securitynewspaper.com/2023/06/20/how-to-hack-track-anybodys-phone-location-via-silent-sms-messages/)"
  - <a name="2"> \[2\] </a> [Silent-sms-ping github repository](https://github.com/MatejKovacic/silent-sms-ping)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0042
  typecode: attack_technique_addendum
- addendums:
  - "#### Addendum Name: Rogue Operator Network\r\n##### Architecture Segments: Control\
    \ Plane, RAN\r\n An adversary may install or set up a customized core mobile network\
    \ in a target environment to enable follow-on behaviors.\r\n\r\nAn adversary may\
    \ install, or otherwise set up a 5G core network capability that can be used during\
    \ targeting. To support their operations, an adversary will likely obtain this\
    \ capability (e.g. from open source software), and then proceed to stage it on\
    \ a server (COTS) under their control. For a complete mobile network set-up, a\
    \ radio access network (e.g. fake base station) would also be used, connected\
    \ to this core network.\r\n\r\n\r\n"
  architecture-segment: Control Plane, RAN
  bluf: Adversaries may upload, install, or otherwise set up capabilities that can
    be used during targeting.
  description: "Adversaries may upload, install, or otherwise set up capabilities\
    \ that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK\
    \ page for this technique](https://attack.mitre.org/techniques/T1608)\r\n"
  detections: []
  id: FGT1608
  mitigations: []
  name: Stage Capabilities
  object-type: technique
  platforms: 5G Core
  references:
  - "<a name=\"1\"> \\[1\\] </a> [M.Grassi & X. Chen, \u201COver The Air Baseband\
    \ Exploit: Gaining Remote Code Execution on 5G Smartphones,\u201D retrieved May\
    \ 16, 2023](https://dl.acm.org/doi/abs/10.1145/3395351.3399360)"
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0042
  typecode: attack_technique_addendum
- architecture-segment: Control Plane
  bluf: An adversary may operationalize a customized mobile network in a target environment
    to enable other follow-on behaviors against UEs.
  criticalassets:
  - Description: UEs that are lured to connect to a fake network may lose functionality.
      The registration signaling will likely fail in the end.
    Name: UE functionality
  description: " An adversary may operationalize a customized mobile network in a\
    \ target environment to enable other follow-on behaviors against UEs.\r\n\r\n\
    An adversary enables the programmability of a rogue mobile network, in order to\
    \ be able to connect a victim UE to a hostile/fake operator network. This is software\
    \ that can run on a single piece of hardware. To configure it, the configuration\
    \ files would need to be updated:  configure PLMN identifiers, radio frequency\
    \ spectrum, IP addresses for core components. Configuration for connecting to\
    \ one or more radio access nodes (e.g. base station) may also be done.\r\n\r\n\
    This technique is to be used in conjunction with the equivalent technique for\
    \ fake base station FGT1608.501. \r\n\r\n\r\n"
  detections: []
  id: FGT1608.502
  mitigations: []
  name: Configure Operator Core Network
  object-type: technique
  platforms: 5G Core
  procedureexamples:
  - Description: 'Adversary obtains software capability such as: open source software
      (e.g Open5GS, free5GC) to set up a rogue operator network, with sufficient capability
      to achieve follow-on behavior.'
    Name: Obtain capability for configuration of a rogue mobile network core
  references:
  - "<a name=\"1\"> \\[1\\] </a> [M.Grassi & X. Chen, \u201COver The Air Baseband\
    \ Exploit: Gaining Remote\nCode Execution on 5G Smartphones,\u201D retrieved May\
    \ 16, 2023](https://dl.acm.org/doi/abs/10.1145/3395351.3399360)"
  status: This is a theoretical behavior
  subtechnique-of: FGT1608
  tactics:
  - TA0042
  typecode: fight_subtechnique_to_attack_technique
- access-required: N/A
  architecture-segment: RAN
  bluf: Adversary sends a spoofed or silent SMS to trigger paging of UE, to retrieve
    the subscriber profile identifier.
  criticalassets:
  - Description: ''
    Name: UE identifier
  description: " Adversary sends a spoofed or silent SMS to trigger paging of UE,\
    \ to retrieve the subscriber profile identifier. \r\n\r\nA UE has a permanent\
    \ identifier (IMSI or SUPI), but also a temporary one (\u201CTemporary Mobile\
    \ Subscriber Identity\u201D) assigned by the network (TMSI, with their version\
    \ for 4G and 5G). Adversaries can take advantage of cellular networks where the\
    \ IMSI is used when computing how to page a UE, rather than TMSI, or when the\
    \ TMSI is used but not changed frequently. This is a choice of the mobile network\
    \ operator. \r\n\r\n\r\nAn adversary can send silent SMS messages to that target\
    \ phone number, and watch the paging messages that the base station in that area\
    \ sends in response (assumes the target UE is in inactive mode and is located\
    \ in the area of a base station where the adversary has installed a radio interface\
    \ sniffer). From the sniffed paging messages, and adversary learns the \u201C\
    paging occasion\u201D for that UE. From the paging occasion, several bits (7)\
    \ of the IMSI can be deduced. The rest of the IMSI (24 bits) can be tried out\
    \ by brute force by sending many paging messages (e.g. via a fake base station)\
    \ corresponding to the IMSIs being tried out, and if one gets a response that\
    \ is valid, it means that the guess is correct. \r\n\r\n\r\nSeveral UEs may end\
    \ up sharing the same paging occasion. With knowledge of the victim\u2019s phone\
    \ number, an adversary can cause the victim UE to be paged in a certain fashion\
    \ (e.g. by sending a given number of silent SMS and watching for a similar number\
    \ of paging messages), the adversary can determine the paging occasion for that\
    \ UE. If the UE is not located in that cell area, then no such paging messages\
    \ will be noticed. An adversary needs to install sniffers in all of the cell areas\
    \ of interest, i.e. where they desire to determine the presence or absence of\
    \ a target UE at a given time, and/or to determine the UE identifiers (IMSI or\
    \ SUPI or TMSI).\r\n\r\n\r\nBackground information: the IMSI in the US is ~49\
    \ bits, but the IMSI\u2019s leading 18-bits (i.e., the mobile country code and\
    \ the mobile network code) can be obtained from the phone number using paid, Internet-based\
    \ home location register lookup services. The \u201Cpaging occasion\u201D \u2013\
    \ the precise time/frequency slot when the paging indication is sent\u2014is calculated\
    \ in a known way based on a UE identifier- either IMSI or TMSI.\r\n\r\n"
  detections:
  - detects: Run at the UE side a tool to detect silent SMS messages (can be OS monitoring
      app as in [4])
    fgdsid: FGDS5102
    name: Silent SMS detector
  id: FGT5019.006
  mitigations:
  - fgmid: FGM5004
    mitigates: The operator may run a network side SMS firewall that permits legitimate
      silent SMSs (e.g. from law enforcement) but blocks the ones from suspicious
      sources
    name: Correctly configure SMS firewall
  - fgmid: FGM5102
    mitigates: Run at the UE side a tool to detect and not respond to multiple silent
      SMS messages received in a short time (can be OS monitoring app as in [2])
    name: 'Silent SMS blocker '
  name: Silent SMS
  object-type: technique
  platforms: 5G Network
  preconditions:
  - Description: Adversary deployed a sniffer in the coverage area where the target
      UE may be located
    Name: Radio interface sniffer
  procedureexamples:
  - Description: By sending several (about 8) silent SMS messages to a UE, (or make
      8 silent calls), and watching the responses on the radio interface- if the UE
      is present, the paging occasion of the UE can be determined [1].
    Name: Paging occasion guessing
  - Description: If the operator uses IMSI to page UEs, then if some bits of the IMSI
      are already guessed (e.g. via a location/paging occasion guessing discovery
      technique), it is possible to infer the actual IMSI. The adversary sends multiple
      silent SMS messages corresponding to guessed IMSIs, and watches the radio interface
      for responses. [1]
    Name: IMSI-cracking
  references:
  - "<a name=\"1\"> \\[1\\] </a> [S.R. Hussain et.al., \u201CPrivacy Attacks to the\
    \ 4G and 5G Cellular Paging Protocols Using Side Channel Information\u201D](https://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf\
    \ )"
  - "<a name=\"2\"> \\[2\\] </a> [H. Wen et al., \u201CThwarting Smartphone SMS Attacks\
    \ at the\nRadio Interface Layer\u201D. Retrieved Sept 14, 2023.](https://www.ndss-symposium.org/ndss-paper/thwarting-smartphone-sms-attacks-at-the-radio-interface-layer/)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5019
  tactics:
  - TA0009
  - TA0007
  typecode: fight_subtechnique
- architecture-segment: RAN
  bluf: Adversary sends spoofed or silent paging messages to a UE and deduces the
    UE's location from the responses of that UE
  criticalassets:
  - Description: UEs rough location is known to the adversary which can be used for
      further attacks such as bidding down, IMSI cracking and physical attack.
    Name: UE location
  description: " Adversary sends spoofed or silent paging messages to a UE and deduces\
    \ the UE's location from the responses of that UE.\r\n\r\nAdversary broadcasts\
    \ spoofed paging message from a false base station or manipulates a legitimate\
    \ one using a Software-defined-radio tool; alternatively, the adversary uses a\
    \ silent SMS message tool to cause the legitimate base station to send a paging\
    \ message. These paging messages can be heard by all UEs in the area. The paging\
    \ message broadcast time/frequency is calculated by the base station based on\
    \ the temporary identifier 5G-GUTI or 4G-GUTI of the target UE, or the IMSI. It\
    \ is assumed that the adversary can guess the UEs GUTI (see technique FGT5012.006).\r\
    \n\r\nAn adversary sends multiple paging messages and then sniffs the radio interface\
    \ looking for UEs\u2019 responses to paging messages. Paging is successful if\
    \ the target UE responds.  If such a set of multiple paging responses corresponding\
    \ to the paging calculated from the one given GUTI is noticed, then it can be\
    \ concluded that that UE is present in the cell area. This leads to discovery\
    \ of the coarse location of a UE. As a side benefit, a valid GUTI (or several\
    \ GUTIs) is also now discovered. \r\n\r\nBackground info: Silent SMS messages\
    \ is a type of SMS that are used legitimately by mobile operators and governments\
    \ to track a smartphone subscriber\u2019s geographical location. \r\n\r\n\r\n"
  detections:
  - detects: UE measurements of received power levels from all base stations nearby,
      and their identifiers. Clause 6.24 of [2].
    fgdsid: FGDS5002
    name: UE signal measurements
  - detects: Run at the UE side a tool to detect silent SMS messages (can be OS monitoring
      app as in [4])
    fgdsid: FGDS5102
    name: Silent SMS detector
  id: FGT5012.007
  mitigations:
  - fgmid: FGM5004
    mitigates: The operator may run a network-side SMS firewall that permits legitimate
      silent SMSs (e.g. from law enforcement) but blocks the ones from suspicious
      sources
    name: Correctly configure SMS firewall
  - fgmid: FGM5102
    mitigates: Run at the UE side a tool to detect and not respond to multiple silent
      SMS messages received in a short time (can be OS monitoring app as in [4])
    name: 'Silent SMS blocker '
  name: Silent or spoofed paging
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: "Adversary knows the cellular base station area where the UE is located.\
      \ Further attacks are possible such as eavesdropping on target UE\u2019s communication\
      \ to network if UE coarse location is known to adversary."
    Name: UE coarse location is known to adversary
  preconditions:
  - Description: Adversary gets hold of a false base station which is capable of sending
      fraudulent paging messages.
    Name: Obtain a false base station to send fake broadcast messages, or a SDR tool
      to manipulate legitimate signaling on the radio interface
  - Description: Adversary develops or obtains a tool to send silent SMS (e.g. mobile
      phone with special application running)
    Name: Obtain a silent SMS tool
  procedureexamples:
  - Description: "Adversary sends fake paging message with UEs temporary identifier\
      \ from a false base station. Sigover attack method is used to overshadow the\
      \ paging message from legitimate base station. If the victim UE is in the area,\
      \ it responds with a service request message. UE\u2019s presence in the cell\
      \ area is then known to the adversary [1]."
    Name: Send fake paging message to target UE
  - Description: "Adversary sends a series of silent SMS messages or makes a series\
      \ of silent calls to a target UE, that would cause the base station to send\
      \ a series of corresponding paging messages. The adversary then monitors the\
      \ paging channel to watch for these set of multiple paging messages, and thus\
      \ determines the paging slots (\u201Cpaging occasion\u201D) assigned to the\
      \ target UE. In addition, if the target UE responds, adversary concludes the\
      \ target is in the area of that base station. If not, the target is not there\
      \ [3]"
    Name: Send silent SMS to target UE
  - Description: "Adversary sends multiple silent SMS to the UE, and then watches\
      \ the paging channel. If multiple instances of the same GUTI is seen, or if\
      \ a given Paging Frame Index (determined by the IMSI) (PFI)  seems to be \u201C\
      busy\u201D then the adversary can conclude that the target UE is in that cell\
      \ area (coarse location retrieval) [3]"
    Name: Watch for same paging occasion to be used by base station
  references:
  - "<a name=\"1\"> \\[1\\] </a> [Chuan Yu et al, \u201CImproving 4G/5G air interface\
    \ security: A survey of existing attacks on different LTE layers\u201D, ACM digital\
    \ library](https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532)"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TR 33.809 \u201CStudy on 5G security enhancements\
    \ against False Base Stations (FBS)\u201D, Technical Report, v0.18.0, February\
    \ 2022.](https://www.3gpp.org/DynaReport/33809.htm)"
  - "<a name=\"3\"> \\[3\\] </a> [S.R. Hussain et.al., \u201CPrivacy Attacks to the\
    \ 4G and 5G Cellular Paging Protocols Using Side Channel Information\u201D. Retrieved\
    \ Sept 11, 2023](https://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf)"
  - "<a name=\"4\"> \\[4\\] </a> [H. Wen et al., \u201CThwarting Smartphone SMS Attacks\
    \ at the\nRadio Interface Layer\u201D. Retrieved Sept 14, 2023.](https://www.ndss-symposium.org/ndss-paper/thwarting-smartphone-sms-attacks-at-the-radio-interface-layer/)"
  status: Observed in earlier 3GPP generations and expected in 5G.
  subtechnique-of: FGT5012
  tactics:
  - TA0009
  - TA0007
  typecode: fight_subtechnique
- architecture-segment: RAN, Virtualization
  bluf: 'Adversary may gain unauthorized access to machine learning model or database
    and alters the data to disrupt service or change the behavior of network elements. '
  criticalassets:
  - Description: Configuration and session data for RAN as well as ML applications.
    Name: Configuration and session data
  - Description: ML models and algorithms itself can be a lucrative asset to acquire
      in addition to understanding the behavior of the models fo0r an adversary.
    Name: Algorithm
  description: " Adversary may gain unauthorized access to machine learning model\
    \ or database and alters the data to disrupt service or change the behavior of\
    \ network elements. \r\n\r\nCurrently ORAN implementation specifies RAN Intelligent\
    \ Controller (RIC) and associated xApps/rApps as part of the RAN system for machine\
    \ learning and optimization.  Machine learning models may also exist in Service\
    \ Management and Orchestration (SMO) to optimize network design, deployment and\
    \ operation.  A nefarious change on ML models or data can cause drastic behavior\
    \ change of O-RAN components including network outage. Altering a machine learning\
    \ model (System manipulation and compromise of ML data confidentiality and privacy),\
    \ adversary can change O-RAN behavior.\r\n\r\n"
  detections:
  - detects: Application logs can provide information about change, read, update,
      and delete(CRUD) activity.
    fgdsid: DS0015
    name: Application Log
  - detects: Access and authorization logs can reveal abnormal logging activity that
      precedes action taken on the system
    fgdsid: DS0028
    name: Logon Session
  id: FGT5037
  mitigations:
  - fgmid: M1018
    mitigates: Manage the creation, modification, use, and permissions associated
      to user accounts.
    name: User Account Management
  - fgmid: M1026
    mitigates: Strict access control to infrastructure and application supporting
      AI/ML operations
    name: Privileged Account Management
  - fgmid: M1041
    mitigates: Model and data should be encrypted in the system
    name: Encrypt Sensitive Information
  - fgmid: M1047
    mitigates: Monitoring of access logs, sensor data and changes proposed by algorithms
      and Human experts
    name: Audit
  - fgmid: M1009
    mitigates: APIs in the system should use secure access and data transport using
      TLS 1.3 or latest.
    name: Encrypt Network Traffic
  name: Alter ML Model
  object-type: technique
  platforms: ORAN, OA&M
  references:
  - "<a name=\"1\"> \\[1\\] </a> [O-RAN Security Threat Modeling and Remediation Analysis\
    \ 6.0\_\nO-RAN.WG11.Threat-Model.O-R003-v06.00, T-ML-02](https://orandownloadsweb.azurewebsites.net/specifications)"
  - '<a name="2"> \[2\] </a> [Adversarial Machine Learning: Well-known techniques](https://viso.ai/deep-learning/adversarial-machine-learning/)'
  - <a name="3"> \[3\] </a> [OWASP Machine Learning Security Top Ten](https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack.html)
  status: This is a theoretical behavior
  tactics:
  - TA0040
  typecode: fight_technique
- architecture-segment: RAN, Virtualization, O-RAN
  bluf: 'Adversary may use AI/ML training data and prediction poisoning techniques
    to manipulate the outcomes of a machine learning model for malicious purposes,
    to disrupt service or change the behavior of network elements. '
  criticalassets:
  - Description: Configuration and session data for RAN as well as ML applications.
    Name: Configuration and session data
  - Description: ML models and algorithms itself can be a lucrative asset to acquire
      in addition to understanding the behavior of the models fo0r an adversary.
    Name: Algorithm
  description: " Adversary may use AI/ML training data and prediction poisoning techniques\
    \ to manipulate the outcomes of a machine learning model for malicious purposes,\
    \ to disrupt service or change the behavior of network elements. \r\n\r\nIn the\
    \ context of AI/ML security threats, adversaries can employ various techniques\
    \ to compromise machine learning models at different stages. During training,\
    \ they can engage in data poisoning by injecting manipulated data (Data Injection),\
    \ mislabeling data points (Label Poisoning), or maliciously augmenting data with\
    \ adversarial samples (Data Augmentation Poisoning). Adversaries can also manipulate\
    \ the model itself during training, introducing hidden backdoor patterns (Backdoor\
    \ Attacks) or deducing sensitive information by observing model outputs (Model\
    \ Inversion Attacks). In the inference phase, they can create adversarial examples\
    \ to trick the model (Adversarial Examples) or subtly change data distributions\
    \ over time to cause incorrect predictions (Concept Drift). Additionally, adversaries\
    \ can engage in data pollution by manipulating live input data (Data Poisoning\
    \ in Live Systems) or compromise model integrity by stealing and manipulating\
    \ training data (Data Theft). Lastly, they can attempt to determine training data\
    \ membership via Membership Inference Attacks by querying the model with tailored\
    \ inputs. \r\n\r\nThe ORAN implementation outlines the inclusion of a RAN Intelligent\
    \ Controller (RIC) and its associated xApps/rApps within the RAN system, which\
    \ are designed for machine learning and optimization purposes. Machine learning\
    \ models might also be present within the Service Management and Orchestration\
    \ (SMO) framework to enhance network design, deployment, and operation. However,\
    \ any malicious alterations made to these ML models, or their associated data\
    \ could lead to unintended consequences, such as disruptions in the desired operational\
    \ state of network components, traffic management issues, and potentially even\
    \ network outages.\r\n\r\n\r\n\r\n"
  detections:
  - detects: Application logs can provide information about change, read, update,
      and delete(CRUD) activity.
    fgdsid: DS0015
    name: Application Log
  - detects: Access and authorization logs can reveal abnormal logging activity that
      precedes action taken on the system
    fgdsid: DS0028
    name: Logon Session
  id: FGT5036
  mitigations:
  - fgmid: M1018
    mitigates: Manage the creation, modification, use, and permissions associated
      to user accounts.
    name: User Account Management
  - fgmid: M1026
    mitigates: Strict access control to infrastructure and application supporting
      AI/ML operations
    name: Privileged Account Management
  - fgmid: M1041
    mitigates: Model and data should be encrypted in the system
    name: Encrypt Sensitive Information
  - fgmid: M1047
    mitigates: Monitoring of access logs, sensor data and changes proposed by algorithms
      and Human experts
    name: Audit
  - fgmid: M1009
    mitigates: APIs in the system should use secure access and data transport using
      TLS 1.3 or latest.
    name: Encrypt Network Traffic
  name: AI/ML training data and prediction poisoning
  object-type: technique
  platforms: ORAN, OA&M
  references:
  - "<a name=\"1\"> \\[1\\] </a> [O-RAN Security Threat Modeling and Remediation Analysis\
    \ 6.0, \_\nO-RAN.WG11.Threat-Model.O-R003-v06.00, T-ML-02](https://orandownloadsweb.azurewebsites.net/specifications)"
  - '<a name="2"> \[2\] </a> [Adversarial Machine Learning: Well-known techniques](https://viso.ai/deep-learning/adversarial-machine-learning/)'
  - <a name="3"> \[3\] </a> [OWASP Machine Learning Security Top Ten](https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack.html)
  status: This is a theoretical behavior
  tactics:
  - TA0040
  typecode: fight_technique
- addendums:
  - "#### Addendum Name: Compromise software  Supply Chain\r\n##### Architecture Segments:\
    \ Control Plane, RAN, Virtualization, OA&M, O-RAN\r\n Adversaries may manipulate\
    \ software products or product delivery mechanisms prior to deployment in an MNO\u2019\
    s production environment for the purpose of data or system compromise.\r\n\r\n\
    Software supply chain compromise can occur through various means, such as tampering\
    \ with the source code of the application, manipulating the software's update\
    \ and distribution process, or substituting legitimate compiled releases with\
    \ altered versions.\r\n\r\n5G deployments are expected to embrace diverse deployment\
    \ models, encompassing vendor-supplied VNF/CNFs, open-source software, dedicated\
    \ physical appliances from suppliers, and white-label hardware. This diversity\
    \ introduces multiple potential points of vulnerability before the software is\
    \ employed in 5G communication services. An adversary could exploit the supply\
    \ chain of management and monitoring tools, network functions, or infrastructure\
    \ software, including operating systems, orchestration systems, and element managers.\
    \ The same software deployment model is used in O-RAN systems, hence all vulnerabilities\
    \ described in this addendum applies to O-RAN networks as well.\r\n\r\n"
  architecture-segment: Control Plane, RAN, Virtualization, OA&M, O-RAN
  bluf: Adversaries may manipulate application software prior to receipt by a final
    consumer for the purpose of data or system compromise.
  criticalassets:
  - Description: Network functions are prime target to impact 5G communication services
    Name: CORE, RAN VNFs
  - Description: OSS tools have privileged access and broad reachability and may be
      used to change configuration of the network by adversary.
    Name: OSS Tools
  - Description: Security tools have privileged access and broad reachability may
      be used to evade defenses and allow for lateral movements by the adversary
    Name: Security tools
  - Description: CI/CD tools may be used for inserting malware or poisoned images
      as well as change the network elements deployed and their behavior.
    Name: CI/CD Tools
  description: "Adversaries may manipulate application software prior to receipt by\
    \ a final consumer for the purpose of data or system compromise.\r\n[To read more,\
    \ please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1195/002)\r\
    \n"
  detections:
  - detects: Use verification of distributed binaries through hash checking or other
      integrity checking mechanisms. Scan downloads for malicious signatures and attempt
      to test software and updates prior to deployment while taking note of potential
      suspicious activity.
    fgdsid: DS0022
    name: File
  id: FGT1195.002
  mitigations:
  - fgmid: M1016
    mitigates: Vulnerability Scanning of software before it is brought into MNO environment
      as well as regular scans to detect abnormal behavior
    name: Vulnerability Scanning
  - fgmid: M1045
    mitigates: Enforce binary and application integrity with digital signature verification
      to prevent untrusted code from executing.
    name: Code Signing
  - fgmid: M1051
    mitigates: Update Software regularly
    name: Update Software
  - fgmid: FGM5517
    mitigates: Enforce policy to use signed Software Bill of Materials (SBOMs) and
      software.
    name: Use obfuscation at application layer
  - fgmid: M0817
    mitigates: Implement a supply chain management program, including policies and
      procedures to ensure all devices and components originate from a trusted supplier
      and are tested to verify their integrity. 5G Operators should evaluate suppliers
      of services for their technical and administrative controls to ensure that it
      meets minimum standards for assured services. These evaluations may include
      SW, HD supply chain, personnel and process used for service creation.
    name: Supply chain management
  name: Compromise Software Supply Chain
  object-type: technique
  platforms: Infrastructure, 5G, CI/CD, OA&M Tools, VNFs
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ETSI NFV SEC001, \u201CNetwork Functions Virtualization\
    \ (NFV); NFV Security; Problem Statement\u201D, Jan. 2014, section 6.9](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf\
    \ )"
  - <a name="2"> \[2\] </a> [The Untold Story of the Boldest Supply-Chain Hack Ever](https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1195
  tactics:
  - TA0001
  typecode: attack_subtechnique_addendum
- addendums:
  - "#### Addendum Name: Compromise Hardware  Supply Chain\r\n##### Architecture Segments:\
    \ Control Plane, RAN, Virtualization, OA&M, O-RAN\r\n Adversaries may manipulate\
    \ hardware components or products prior to deployment in an MNO\u2019s production\
    \ environment for the purpose of data or system compromise.\r\n\r\nThrough alterations\
    \ to hardware or firmware within the supply chain, malicious actors can implant\
    \ a concealed entry point into consumer networks. This clandestine access can\
    \ prove challenging to identify, affording the adversary substantial control over\
    \ the system. Hardware backdoors have the potential to be introduced into a wide\
    \ array of devices, including servers, workstations, network infrastructure components,\
    \ and peripherals.\r\n\r\n5G multiplicity of deployment options introduces numerous\
    \ potential points of vulnerability, all before the hardware even integrates into\
    \ 5G communication services. Within this complex landscape, adversaries possess\
    \ the opportunity to exploit various aspects of the supply chain, such as compromising\
    \ management and monitoring tools, tampering with firmware within components,\
    \ or clandestinely introducing additional chips into server and network hardware.\
    \ Furthermore, the prospect of counterfeit hardware infiltrating the legitimate\
    \ supply chain accentuates the vulnerability landscape. Counterfeit hardware may\
    \ lack rigorous security considerations and thorough testing, making it a potential\
    \ Achilles' heel within the supply chain. The same hardware or firmware deployment\
    \ model is used in O-RAN systems, hence all vulnerabilities described in this\
    \ addendum applies to O-RAN networks as well.\r\n\r\n"
  architecture-segment: Control Plane, RAN, Virtualization, OA&M, O-RAN
  bluf: Adversaries may manipulate hardware components in products prior to receipt
    by a final consumer for the purpose of data or system compromise.
  criticalassets:
  - Description: Network functions are prime target to impact 5G communication services
    Name: CORE, RAN VNFs
  - Description: OSS tools have privileged access and broad reachability and may be
      used to change configuration of the network by adversary.
    Name: OSS Tools
  - Description: Security tools have privileged access and broad reachability may
      be used to evade defenses and allow for lateral movements by the adversary
    Name: Security tools
  - Description: CI/CD tools may be used for inserting malware or poisoned images
      as well as change the network elements deployed and their behavior.
    Name: CI/CD Tools
  description: "Adversaries may manipulate hardware components in products prior to\
    \ receipt by a final consumer for the purpose of data or system compromise.\r\n\
    [To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1195/003)\r\
    \n"
  detections:
  - detects: 'Perform physical inspection of hardware to look for potential tampering.
      Perform integrity checking on pre-OS boot mechanisms that can be manipulated
      for malicious purposes and compare against known good baseline behavior.


      Some manufacturers are now adding seals to their component hardware packaging.  This
      may provide some indication if Hardware was tampered with after leaving the
      manufacturing facility.'
    fgdsid: DS0013
    name: Sensor Health
  - detects: Use verification of distributed binaries through hash checking or other
      integrity checking mechanisms. Scan downloads for malicious signatures and attempt
      to test software and updates prior to deployment while taking note of potential
      suspicious activity.
    fgdsid: DS0022
    name: File
  id: FGT1195.003
  mitigations:
  - fgmid: M1016
    mitigates: Vulnerability Scanning of software before it is brought into MNO environment
      as well as regular scans to detect abnormal behavior
    name: Vulnerability Scanning
  - fgmid: M1051
    mitigates: Update Software regularly
    name: Update Software
  name: Compromise Hardware Supply Chain
  object-type: technique
  platforms: Infrastructure, 5G, CI/CD & OA&M Tools, VNFs
  procedureexamples:
  - Description: "In virtual network functions, the provisioning, configuration, testing,\
      \ and debugging processes involve software interfaces, often remote, with distinct\
      \ security implications compared to traditional physical interfaces, emphasizing\
      \ the need for mitigations and protections in situations where debug and test\
      \ interfaces in NFV devices are enabled in the field.\n\nETSI NFV SEC001, \u201C\
      Network Functions Virtualization (NFV); NFV Security; Problem Statement\u201D\
      , Jan. 2014,\_section 6.9"
    Name: Back-Doors via Virtualized Test & Monitoring Functions
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ETSI NFV SEC001, \u201CNetwork Functions Virtualization\
    \ (NFV); NFV Security; Problem Statement\u201D, Jan. 2014, section 6.9](https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf\
    \ )"
  - <a name="2"> \[2\] </a> [The Untold Story of the Boldest Supply-Chain Hack Ever](https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/)
  - <a name="3"> \[3\] </a> [Trusted Platform Module (TPM) Summary](https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1195
  tactics:
  - TA0001
  typecode: attack_subtechnique_addendum
- addendums:
  - "#### Addendum Name: Unauthorized device on O-RAN fronthaul infrastructure\r\n\
    ##### Architecture Segments: RAN, O-RAN\r\n An adversary may attach a device to\
    \ an O-RAN fronthaul infrastructure in order to disrupt its traffic.\r\n\r\nIn\
    \ an O-RAN architecture, the baseband unit (BBU) is divided into two components:\
    \ the distributed unit (DU) and the centralized unit (CU). The front haul interface\
    \ plays a crucial role in connecting the DU and the Remote Radio Unit (RU or RRU)\
    \ within the network, ensuring efficient communication. \r\n\r\nTo transport the\
    \ CPRI (Common Public Radio Interface) traffic from the RU to the DU, an Ethernet-based\
    \ bridged network is employed. This involves utilizing various Ethernet protocols\
    \ such as IEEE 802.3 for general Ethernet connectivity, IEEE 802.1 for bridging\
    \ and VLAN tagging, and IEEE 802.1CM for time-sensitive networking in industrial\
    \ automation. The Ethernet-based fronthaul interface establishes a high-capacity\
    \ and low-latency connection between the DU and the RU, facilitating the efficient\
    \ transmission of digital baseband data, synchronization signals, control signals,\
    \ and management information. Usually, RUs and Ethernet Switches are placed near\
    \ the antenna units, which are unmanned facilities and can be physically breached\
    \ due to detection and response time delays by personnel. \r\n\r\nUnauthorized\
    \ devices on this infrastructure can pose significant risks to the O-RAN network.\
    \ Such devices can be used towards a Denial-of-Service (DoS) attack by sending\
    \ malicious or bogus messages, disrupting network operations. Additionally, they\
    \ may attempt to eavesdrop on critical Control (C-Plane), User (U-Plane), Synchronization\
    \ (S-Plane), or Management (M-Plane) traffic, compromising the confidentiality\
    \ of the network.\r\n\r\n\r\n"
  architecture-segment: RAN, O-RAN
  bluf: Adversaries may introduce computer accessories, networking hardware, or other
    computing devices into a system or network that can be used as a vector to gain
    access.
  criticalassets:
  - Description: RRU, DU, CU may be exposed to front haul design vulnerability or
      compromise.
    Name: RAN network elements
  - Description: Control plane and user plane data communication between DU and RRU
      as well as UE.
    Name: CP/UP Data
  description: "Adversaries may introduce computer accessories, networking hardware,\
    \ or other computing devices into a system or network that can be used as a vector\
    \ to gain access.\r\n[To read more, please see the MITRE ATT&CK page for this\
    \ technique](https://attack.mitre.org/techniques/T1200)\r\n"
  detections:
  - detects: Monitor network traffic between hosts
    fgdsid: DS0029
    name: Network Traffic
  - detects: Monitoring ability to detect new ports, devices on the network
    fgdsid: DS0039
    name: Asset
  id: FGT1200
  mitigations:
  - fgmid: M1026
    mitigates: Implement strong access control for all types of interfaces on originating
      switch and any intermediary devices on the fronthaul.
    name: Privileged Account Management
  - fgmid: M1030
    mitigates: Implement network segmentation.
    name: Network Segmentation
  - fgmid: M1047
    mitigates: Perform hardware and software installation audits of all O-RAN open
      fronthaul components.
    name: Audit
  name: Hardware Additions
  object-type: technique
  platforms: O-RAN
  procedureexamples:
  - Description: Addition of unauthorized hardware in the O-RAN fronthaul infrastructure
      may leak data to the adversary as the fronthaul interfaces normally are not
      confidentiality and integrity protected. [ATT&CK T1200]
    Name: Adding hardware to insecure open switch ports
  - Description: A compromised access via remote login or physical access to communication,
      technician interface can yield to creating span ports and tunneling traffic
      to network sniffer.
    Name: Privileged access to a router or switch
  references:
  - "<a name=\"1\"> \\[1\\] </a> [O-RAN WG11 Threat Model 6.00 version, \u201CORAN\
    \ Threat Model\u201D](https://orandownloadsweb.azurewebsites.net/specifications)"
  - <a name="2"> \[2\] </a> [NTIA Open RAN Security Report May 2023](https://ntia.gov/sites/default/files/publications/open_ran_security_report_full_report_0.pdf)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  tactics:
  - TA0040
  typecode: attack_technique_addendum
- addendums:
  - "#### Addendum Name: Tools\r\n##### Architecture Segments: RAN, O-RAN\r\n An adversary\
    \ may obtain tooling needed to target victim UEs for attack.\r\n\r\nAdversary\
    \ needs to obtain tools (HW/SW) to carry out planned attacks against victim UEs.\
    \  This may include buying stingrays or buying radio cards, laptops and integrating\
    \ into a working base station.  Adversary may need specific tools such as Sim\
    \ Cloning, network traffic analyzer, certificates, or code needed to be executed\
    \ on a compromised 5G Network Function to achieve its goals.   \r\n\r\nIn some\
    \ cases, an adversaries may purchase from third party specific software to do\
    \ development and integration work to provide specific attack capabilities. \r\
    \n\r\n\r\n\r\n\r\n"
  architecture-segment: RAN, O-RAN
  bluf: Adversaries may buy, steal, or download software tools that can be used during
    targeting.
  criticalassets:
  - Description: Radio communication service between UE and base station.
    Name: RAN Service
  - Description: UE and subscriber identity as well as communication.
    Name: UE identity, and communication
  description: "Adversaries may buy, steal, or download software tools that can be\
    \ used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for\
    \ this technique](https://attack.mitre.org/techniques/T1588/002)\r\n"
  detections: []
  id: FGT1588.002
  mitigations:
  - fgmid: M1056
    mitigates: This technique cannot be easily mitigated with preventive controls
      since it is based on behaviors performed outside of the scope of enterprise
      defenses and controls.
    name: Pre-compromise
  name: Tool
  object-type: technique
  platforms: 5G
  procedureexamples:
  - Description: There are many tools developed to test 5G systems, same tools can
      be used for adversarial objective on a system.
    Name: Use of Open-source software & Testing tools
  references:
  - <a name="1"> \[1\] </a> [Open Source tools](https://github.com/ravens/awesome-telco)
  - <a name="2"> \[2\] </a> [Building a Cellphone IMSI Catcher (Stingray)](https://www.hackers-arise.com/post/software-defined-radio-part-6-building-a-imsi-catcher-stingray)
  status: This is an observed behavior in Enterprise networks, and is theoretical
    in context of 5G systems.
  subtechnique-of: FGT1588
  tactics:
  - TA0042
  typecode: attack_subtechnique_addendum
- architecture-segment: RAN, O-RAN
  bluf: An adversary may obtain radio network function needed to attack target victim
    UEs.
  criticalassets:
  - Description: Radio Communication service between UE and basestation.
    Name: RAN Service
  - Description: UE and Subscriber identity as well as communication, cellular devices
      and user data.
    Name: UE identity, and communication
  description: " An adversary may obtain radio network function needed to attack target\
    \ victim UEs.\r\n\r\nAdversary provides an alternate radio access network (gNB\
    \ or open-RAN gNB components such as Distributed Unit (DU) or Centralized Unit\
    \ (CU)) to target victim UEs without victim (user or UE) discovering that they\
    \ are not attached to a legitimate MNO network.  This can be achieved by the adversary\
    \ obtaining false base station network functionality and any connections to core\
    \ network functions required to carry out their mission. Opensource radio and\
    \ base station software combined with radio cards can be easily obtained to create\
    \ a base station to launch attacks against network or UE.\r\n\r\n\r\n\r\n\r\n"
  detections: []
  id: FGT1588.501
  mitigations:
  - fgmid: M1056
    mitigates: This technique cannot be easily mitigated with preventive controls
      since it is based on behaviors performed outside of the scope of enterprise
      defenses and controls.
    name: Pre-compromise
  name: ' Radio Network Functions'
  object-type: technique
  platforms: 5G
  procedureexamples:
  - Description: Many software defined source code are available that can be used
      to build a base station with radio transceiver hardware on Linux and or windows
      PC.  There are also opensource 5G core software available on opensource project
      websites.
    Name: Use of opensource SW
  - Description: With the proliferation of private 5G deployments, almost anyone can
      now purchase software for the RAN components such as gNB, DU, CU.
    Name: Purchase of Commercial equipment
  references:
  - <a name="1"> \[1\] </a> [Open Source RAN project](https://www.srslte.com)
  - '<a name="2"> \[2\] </a> [Over The Air Baseband Exploit: Gaining Remote Code Execution
    on 5G Smartphones](https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf)'
  - <a name="3"> \[3\] </a> [Open5GS](https://open5gs.org)
  - '<a name="4"> \[4\] </a> [Over The Air Baseband Exploit: Gaining Remote Code Execution
    on 5G Smartphones](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-On-5G-Smartphones.pdf)'
  - <a name="5"> \[5\] </a> [Open Source tools](https://github.com/ravens/awesome-telco)
  - <a name="6"> \[6\] </a> [Building a Cellphone IMSI Catcher (Stingray)](https://www.hackers-arise.com/post/software-defined-radio-part-6-building-a-imsi-catcher-stingray)
  - <a name="7"> \[7\] </a> [5G NR equipment suppliers](https://www.rfwireless-world.com/Vendors/5G-NR-Network-Equipment-Manufacturers.html)
  status: This is a theoretical behavior
  subtechnique-of: FGT1588
  tactics:
  - TA0042
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: RAN
  bluf: Adversary controlled fake base station transmits crafted broadcast messages
    to prevent legitimate UEs to connect to network.
  criticalassets:
  - Description: Legitimate UEs do not get network access in the area where false
      base station is deployed.
    Name: 5G network access
  description: " Adversary controlled fake base station transmits crafted broadcast\
    \ messages to prevent legitimate UEs to connect to network.\r\n\r\nLTE sub-frames\
    \ are sent by adversary from a false base station which mimics legitimate eNB.\
    \ It sends fake System Information Block Type 1 (SIB1) messages which are aligned\
    \ in time-frequency domain with the messages sent by the legitimate eNB, but with\
    \ stronger transmit power. The adversary does not send synchronization signals\
    \ (PSS, SSS) for this attack which makes it harder to detect. This is known as\
    \ sigover attack. [1]\r\n\r\nAdversary may transmit crafted broadcast messages\
    \ by manipulating cell barring in Master Information Block (MIB) and access barring\
    \ feature in SIB1 broadcast messages, UE will stop camping on to legitimate network\
    \ for 300 seconds and it gets a DoS attack. The same attacks are possible in 5G\
    \ network as MIB and SIB1 messages in 5G are similar to 4G and those are not integrity\
    \ protected in 5G.\r\n\r\n"
  detections:
  - detects: UE measurements of received power levels from all base stations nearby,
      and their identifiers. Clause 6.24 of [3].
    fgdsid: FGDS5002
    name: UE signal measurements
  id: FGT1642.501
  mitigations:
  - fgmid: FGM5024
    mitigates: Use integrity protection for all broadcast messages sent by gNB. This
      will have performance impact on the network and UE due to additional processing
      of integrity protection algorithm.
    name: Integrity protection of data communication
  name: Transmit Spoofed Broadcast Message
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: No UE in the area where false base station is present can get connection
      to the network.
    Name: Network access denied
  preconditions:
  - Description: Adversary gets hold of a false base station which is capable of broadcasting
      fraudulent messages.
    Name: Obtain a false base station to send fake broadcast messages
  - Description: False base station must be deployed in the area where target UEs
      are located.
    Name: Adversary must be in the same vicinity of target UEs
  procedureexamples:
  - Description: "Adversary broadcasts fake MIB and SIB1 messages with cell barring\
      \ and access barring features turned on. cellbarred field in the MIB can be\
      \ set to \u201Cbarred\u201D, cellReservedForOperatorUse and cellReservedforOtherUse\
      \ fields can be set to \u201Ctrue\u201D in the SIB1. All UEs in the area which\
      \ are camped on to the false base station will not connect to legitimate base\
      \ stations for 300 seconds. [1, 4], clauses 6.2.2 & 6.3.2 of [2].\n\nThe same\
      \ attack is possible in 5G as MIB and SIB1 messages are sent without integrity\
      \ protection and the format of the messages are similar to 4G.\n\nNote: This\
      \ attack is not persistent as the UE\u2019s will try to connect the legitimate\
      \ network after about 300 seconds."
    Name: Send cell barring and access barring information to target UEs
  references:
  - "<a name=\"1\"> \\[1\\] </a> [ACM article, : \u201CImproving 4G/5G air interface\
    \ security: A survey of existing attacks on different LTE layers\u201D.](https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532)"
  - "<a name=\"2\"> \\[2\\] </a> [3GPP TS 38.331: \u201CRadio Resource Control (RRC);\
    \ Protocol specification\u201D Release 16.](https://www.3gpp.org/DynaReport/38331.htm)"
  - <a name="3"> \[3\] </a> [3GPP TR 33.809:](https://www.3gpp.org/DynaReport/33809.htm)
  - "<a name=\"4\"> \\[4\\] </a> [Ericsson paper, Jingya Li et al: \u201CAn Overview\
    \ of 5G System Accessibility Differentiation and Control\u201D.](https://arxiv.org/ftp/arxiv/papers/2012/2012.05520.pdf)"
  status: This is a theoretical behavior
  subtechnique-of: FGT1642
  tactics:
  - TA0040
  typecode: fight_subtechnique_to_attack_technique
- access-required: user
  architecture-segment: User Plane, Control Plane
  bluf: 'An adversary may move targeted data and remain undetected during the exfiltration
    process by using DNS requests. '
  criticalassets:
  - Description: Whoever controls the DNS servers controls how and what end users
      connect to over the network, making DNS servers a type of critical infrastructure.
    Name: DNS Servers
  description: " An adversary may move targeted data and remain undetected during\
    \ the exfiltration process by using DNS requests. \r\n\r\nAn adversary may be\
    \ able to move data by simply encoding data as a hostname query and by placing\
    \ the data in the names section of a DNS lookup. The receiving DNS server, controlled\
    \ by the adversary, logs the query and decodes the data, reassembles in the planned\
    \ sequence from the named field. The reply to the query may or may not sent. If\
    \ the query is sent, it may be ignored by the compromised host.\r\n\r\nThe data\
    \ may be of the following categories:\r\nC2 data \u2013 This involves remote command\
    \ and control information like system change, routing information change, etc.\r\
    \nUser/System data \u2013 This involves information such as identifiers, files,\
    \ credentials, etc.\r\n\r\n"
  detections:
  - detects: Monitor executed commands and arguments that may steal data by exfiltrating
      it over an existing command and control channel.
    fgdsid: DS0017
    name: Command
  - detects: 'Data transmitted across a network (ex: Web, DNS, Mail, File, etc.),
      that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable
      format (ex: PCAP).'
    fgdsid: DS0029
    name: Network Traffic
  id: FGT1048.501
  mitigations:
  - fgmid: FGM5024
    mitigates: Use strong data integrity protection algorithms within 5G network such
      as airlink, backhaul and core network.
    name: Integrity protection of data communication
  - fgmid: M1031
    mitigates: "Network intrusion detection and prevention systems that use network\
      \ signatures to identify traffic for specific adversary malware can be used\
      \ to mitigate activity at the network level. Signatures are often for unique\
      \ indicators within protocols and may be based on the specific obfuscation technique\
      \ used by a particular adversary or tool and will likely be different across\
      \ various malware families and versions. Adversaries will likely change tool\
      \ command and control signatures over time or construct protocols in such a\
      \ way to avoid detection by common defensive tools.\_\nScan all external traffic\
      \ header fields to detect any suspicious protocol or port number use."
    name: Network Intrusion Prevention
  name: 'Covert Exfiltration of Data Via DNS Request '
  object-type: technique
  platforms: 5G
  postconditions:
  - Description: Attacker can route command and control traffic through DNS to control
      botnets or other entities.
    Name: Command and Control Network
  - Description: Attacker has a route to exfiltrate stolen data disguised as DNS packets.
    Name: Exfiltration Route
  - Description: This involves information such as identifiers, files, user credentials,
      etc.
    Name: User/System data
  preconditions:
  - Description: There must not be an endpoint detection and response capability to
      validate whether host/network function/UE is communicating with a malicious
      DNS server or a valid one.
    Name: Unauthenticated DNS Services
  procedureexamples:
  - Description: 'Operators do not strictly enforce flow monitoring for free DNS service
      via the standard five-tuple flow ID (src IP, dest IP, src port, dest port, protocol).
      Instead, they use only the destination port (or plus protocol ID), thus exposing
      a vulnerability.

      Adversary may setup fake DNS server to receive exfiltered data.

      Adversarial activity could be a person who has remote access or a worm collecting
      and transmitting protected information. [2]'
    Name: Free DNS loophole
  references:
  - "<a name=\"1\"> \\[1\\] </a> [\u201CBhadhra Framework\u201D: S.P. Rao, S. Holtmanns,\
    \ T. Aura, \u201CThreat modeling framework for mobile communication systems\u201D\
    ](https://arxiv.org/pdf/2005.05110.pdf)"
  - '<a name="2"> \[2\] </a> [Peng, C., Li, C., Tu, G., Lu, S., & Zhang, L. (2012).
    Mobile data charging: new attacks and countermeasures. Proceedings of the 2012
    ACM conference on Computer and communications security.](https://dl.acm.org/doi/pdf/10.1145/2382196.2382220)'
  - "<a name=\"3\"> \\[3\\] </a> [Merve Sahin, Aurelien Francillon, Payas Gupta, and\
    \ Mustaque Ahamad. 2017. \n\u201CSok: Fraud in telephony networks\u201D. In 2017\
    \ IEEE European Symposium on Security\nand Privacy (EuroS&P). IEEE, p235\u2013\
    250](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7961983&tag=1)"
  - "<a name=\"4\"> \\[4\\] </a> [Kui Xu, Patrick Butler, Sudip Saha, Danfeng (Daphni)\
    \ Yao in DNS CC Journal, \u201CDNS for Massive-Scale Command and Control\u201D\
    ](https://people.cs.vt.edu/~danfeng/papers/DNS-CC-JOURNAL.pdf)"
  status: This is a theoretical behavior in context of 5G systems.
  subtechnique-of: FGT1048
  tactics:
  - TA0011
  - TA0010
  typecode: fight_subtechnique_to_attack_technique
- architecture-segment: 5G
  bluf: Adversaries may breach or otherwise leverage organizations who have access
    to intended victims.
  description: "Adversaries may breach or otherwise leverage organizations who have\
    \ access to intended victims.\r\n[To read more, please see the MITRE ATT&CK page\
    \ for this technique](https://attack.mitre.org/techniques/T1199)\r\n"
  detections: []
  id: FGT1199
  mitigations: []
  name: Trusted Relationship
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0001
  - TA0040
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: Adversaries may maliciously modify components of a victim environment in order
    to hinder or disable defensive mechanisms.
  description: "Adversaries may maliciously modify components of a victim environment\
    \ in order to hinder or disable defensive mechanisms.\r\n[To read more, please\
    \ see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1562)\r\
    \n"
  detections: []
  id: FGT1562
  mitigations: []
  name: Impair Defenses
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0005
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: Adversaries may gather information about the victim's hosts that can be used
    during targeting.
  description: "Adversaries may gather information about the victim's hosts that can\
    \ be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page\
    \ for this technique](https://attack.mitre.org/techniques/T1592)\r\n"
  detections: []
  id: FGT1592
  mitigations: []
  name: Gather Victim Host Information
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0043
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: Adversaries may obtain and abuse credentials of existing accounts as a means
    of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
  description: "Adversaries may obtain and abuse credentials of existing accounts\
    \ as a means of gaining Initial Access, Persistence, Privilege Escalation, or\
    \ Defense Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this\
    \ technique](https://attack.mitre.org/techniques/T1078)\r\n"
  detections: []
  id: FGT1078
  mitigations: []
  name: Valid Accounts
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0003
  - TA0005
  - TA0004
  - TA0001
  typecode: attack_technique_with_subs_with_addendums
- architecture-segment: 5G
  bluf: Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence
    on a system.
  description: "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish\
    \ persistence on a system.\r\n[To read more, please see the MITRE ATT&CK page\
    \ for this technique](https://attack.mitre.org/techniques/T1542)\r\n"
  detections: []
  id: FGT1542
  mitigations: []
  name: Pre-OS Boot
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0003
  - TA0005
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: "Adversaries may compromise a network device\u2019s encryption capability\
    \ in order to bypass encryption that would otherwise protect data communications."
  description: "Adversaries may compromise a network device\u2019s encryption capability\
    \ in order to bypass encryption that would otherwise protect data communications.\r\
    \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1600)\r\
    \n"
  detections: []
  id: FGT1600
  mitigations: []
  name: Weaken Encryption
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0005
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: Adversaries may abuse a container administration service to execute commands
    within a container.
  description: "Adversaries may abuse a container administration service to execute\
    \ commands within a container.\r\n[To read more, please see the MITRE ATT&CK page\
    \ for this technique](https://attack.mitre.org/techniques/T1609)\r\n"
  detections: []
  id: FGT1609
  mitigations: []
  name: Container Administration Command
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0006
  - TA0007
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: Adversaries may exfiltrate data, such as sensitive documents, through the
    use of automated processing after being gathered during Collection.
  description: "Adversaries may exfiltrate data, such as sensitive documents, through\
    \ the use of automated processing after being gathered during Collection.\r\n\
    [To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1020)\r\
    \n"
  detections: []
  id: FGT1020
  mitigations: []
  name: Automated Exfiltration
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0007
  - TA0010
  typecode: attack_technique_with_subs_with_addendums
- architecture-segment: 5G
  bluf: Adversaries may search for common password storage locations to obtain user
    credentials.
  description: "Adversaries may search for common password storage locations to obtain\
    \ user credentials.\r\n[To read more, please see the MITRE ATT&CK page for this\
    \ technique](https://attack.mitre.org/techniques/T1555)\r\n"
  detections: []
  id: FGT1555
  mitigations: []
  name: Credentials from Password Stores
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0006
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: Adversaries may perform Network Denial of Service (DoS) attacks to degrade
    or block the availability of targeted resources to users.
  description: "Adversaries may perform Network Denial of Service (DoS) attacks to\
    \ degrade or block the availability of targeted resources to users.\r\n[To read\
    \ more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1498)\r\
    \n"
  detections: []
  id: FGT1498
  mitigations: []
  name: Network Denial of Service
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0040
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: Adversaries may attempt to position themselves between two or more networked
    devices using an adversary-in-the-middle (AiTM) technique to support follow-on
    behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
    [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
    or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)).
  description: "Adversaries may attempt to position themselves between two or more\
    \ networked devices using an adversary-in-the-middle (AiTM) technique to support\
    \ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),\
    \ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),\
    \ or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)).\r\
    \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1557)\r\
    \n"
  detections: []
  id: FGT1557
  mitigations: []
  name: Adversary-in-the-Middle
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0009
  - TA0006
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: Adversaries may insert, delete, or manipulate data in order to influence external
    outcomes or hide activity, thus threatening the integrity of the data.
  description: "Adversaries may insert, delete, or manipulate data in order to influence\
    \ external outcomes or hide activity, thus threatening the integrity of the data.\r\
    \n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1565)\r\
    \n"
  detections: []
  id: FGT1565
  mitigations: []
  name: Data Manipulation
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0040
  - TA0009
  typecode: attack_technique_with_subs_with_addendums
- architecture-segment: 5G
  bluf: Adversaries may exploit software vulnerabilities in client applications to
    execute code.
  description: "Adversaries may exploit software vulnerabilities in client applications\
    \ to execute code.\r\n[To read more, please see the MITRE ATT&CK page for this\
    \ technique](https://attack.mitre.org/techniques/T1203)\r\n"
  detections: []
  id: FGT1203
  mitigations: []
  name: Exploitation for Client Execution
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0002
  typecode: attack_technique_with_fight_subs
- architecture-segment: 5G
  bluf: 'Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade
    or block the availability of services to users.


    On Android versions prior to 7, apps can abuse Device Administrator access to
    reset the device lock passcode, preventing the user from unlocking the device.'
  description: "Adversaries may perform Endpoint Denial of Service (DoS) attacks to\
    \ degrade or block the availability of services to users.\n\nOn Android versions\
    \ prior to 7, apps can abuse Device Administrator access to reset the device lock\
    \ passcode, preventing the user from unlocking the device.\r\n[To read more, please\
    \ see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1642)\r\
    \n"
  detections: []
  id: FGT1642
  mitigations: []
  name: Endpoint Denial of Service
  object-type: technique
  platforms: 5G
  status: This is an observed behavior in Enterprise networks.
  tactics:
  - TA0040
  typecode: attack_technique_with_fight_subs