Back to the roots – incident case study

Mikko KarikytöHead of Ericsson PSIRT

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 2

› Ericsson PSIRT – intro› Setting the scene› The Case

– The contact– Investigation– Aftermath

› Conclusions

outline

“Constituency”

40%2.5b

180

Ericsson

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 4

› Established 2004› TI 2005› FIRST 2006› Vulnerability Management› Incident Response› Corporate group› Finland› Co-op

Ericsson PSIRT

Setting the scene

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 6

The scene

E///

Managed Service Provider

Mobile Operator

“the customer”

PSIRT

The case

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 8

“Hi Mikko,

Would you have a BSS specialist with deeper knowledge on the nodes? We could use one in a case with our customer…”

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 9

Finding the common frequency

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 10

Building a team and flying in

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 11

› Good overview› Too many issues included

in one report

›XXX› SIMbox

Initial investigation report

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 12

simbox

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 13

Simbox scenario

Internet

Operator A Operator BSubscriber A Subscriber B

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 14

› Obvious from beginning› Operator blaming the MS

Provider› MS Provider blaming the

operator

› Internal blame game in the Managed Service Provider

Blame game

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 15

› High pressure put on certain people

› Afraid for their jobs› Defensive mode› How to get truthful

answers?

people

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 16

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 17

Big pile of cra… findings

No policy

No processes

No

responsible

No assets

Shared accounts

No log

monitoring

No physical security

Unclear SLA

No screening of employees

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 18

› No technical vulnerability in the system itself

› Aircraft carrier size holes in operational security

– Impossible to name culprits– Shared root accounts etc…

› Nice process! When is it created?

Summary of findings

Back to the roots - Incident case study | Commercial in confidence | © Ericsson AB 2014 | 2014-06-19 | Page 19

› It’s humans who run this show

› Communication flows or doesn’t

› Blame game takes time and energy

It’s a long way

Mikko KarikytöHead of Ericsson PSIRT

mikko.tel

Thank you