
Communications Security – The Service Theft Problem

Last year, a business in California was hit with a bill for USD 120K after intruders made 11,000 calls through its phone system over 46 hours. Another business in India received a bill of almost USD 8,000 for calls spanning just one weekend with each call being billed at up to USD 300 per minute. They only realized they were victims of toll fraud when the service provider blocked their SIP trunk and informed them of the incident. And these communication security incidents occurred even before remote working exploded. A side effect of Covid-19 has been a dramatic increase in the number of VoIP systems exposed to the Internet. This has led to an equally dramatic increase in communication security attacks and breaches.

Communication networks that use SIP trunks for PSTN connectivity leave a lot of room for losses through toll fraud and service theft. Here’s why: a media gateway with two T1 TDM trunks (each with a bandwidth of 1.54 Mbps) might give attackers ~2750 call minutes per hour to exploit. SIP trunks with similar bandwidth that use compression algorithms might give attackers up to 6000 call minutes per hour, usually with much less traceability.

Who is vulnerable to communication security breaches?

Are you vulnerable to communication security threats?

Most small enterprises fall victim to attacks on their VoIP systems because they leave ports open to the Internet. This is like virtually welcoming attackers into their offices.

Protection tools and components, such as Session Border Controllers (SBCs), deployed as SIP trunk gateways and remote working enablers, can protect networks from attackers. But that’s not always the case. Even enterprises that use them continue to be breached by attackers who try to get in and gain control of the network. This is because companies don’t monitor or secure these devices. Criminals are getting smarter, and their attacks more sophisticated. SBCs must be set up and managed by network security experts who know what they’re doing.

How attacks happen

Attackers are lazier than we think, and hacking VoIP systems can be easier than you’d imagine. Usually, attackers just scour the Internet, pinging random IP addresses and looking for responses. These responses can help them identify whether an IP address is assigned to a VoIP-based communication network. When they find such an address, they look for vulnerabilities that they can exploit to gain control of the communication systems.

This is why SBCs are crucial for communication security since they lie at the most vulnerable part of the network, the border. Though SBCs are front-ended by firewalls in most networks, these firewalls pass SIP traffic straight to the SBC. This makes SBCs the first responders and the first line of defense for VoIP traffic. It becomes their job to respond to attackers and prevent them from directly pinging communication networks.

Analysis of attacks that get past standard SBCs shows that they are often the result of misconfigurations or a lack of security attention given to SBCs. If you monitor, manage, and secure your SBCs, you can stop communication security threats right at the network perimeter.

The SBC defense

It’s clear that SBCs have a critical role to play in ensuring continuous communication security. Even the NSA’s VoIP guidelines stress the importance of effectively deploying and managing SBCs for effective perimeter security.

By decrypting all TLS-encrypted SIP signaling traffic and SRTP-based media streams, SBCs detect anomalous behavior and prevent attackers from invading your network. On one hand, they can ensure that only select types of calls are allowed. On the other, their behavior pattern recognition feature can prevent unwanted calls. For instance, Access Control Lists of SBCs can ensure that SBCs allow only calls from white-listed numbers.
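As an added illustration (not Assertion's code or any SBC vendor's feature), the Python below applies the two ideas above, a destination policy and simple behaviour-pattern detection, to outbound call detail records. The CDR layout, the `+999` prefix, the thresholds and the sample rows are all constructed assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; derive real ones from your own traffic baseline.
HIGH_RATE_PREFIXES = ("+999",)      # placeholder prefix, not a real rate table
WINDOW = timedelta(hours=1)
MAX_CALLS_PER_WINDOW = 30           # per source, within WINDOW

def parse_cdr(lines):
    """Yield (time, source, destination) from 'ISO time,source,dest,seconds' rows."""
    for row in csv.reader(lines):
        if len(row) != 4:
            continue                # skip malformed records rather than crash
        try:
            yield datetime.fromisoformat(row[0]), row[1], row[2]
        except ValueError:
            continue                # unparseable timestamp: skip the record

def detect(lines):
    """Return (time, source, reason) alerts, one per source and reason."""
    recent = defaultdict(deque)     # source -> call times still inside WINDOW
    alerts, seen = [], set()
    for when, src, dest in sorted(parse_cdr(lines)):
        reasons = []
        if dest.startswith(HIGH_RATE_PREFIXES):
            reasons.append("high-rate destination")
        q = recent[src]
        q.append(when)
        while when - q[0] > WINDOW:  # drop calls that left the sliding window
            q.popleft()
        if len(q) > MAX_CALLS_PER_WINDOW:
            reasons.append("call burst")
        for reason in reasons:
            if (src, reason) not in seen:
                seen.add((src, reason))
                alerts.append((when.isoformat(), src, reason))
    return alerts

# Constructed sample: ext 2001 places ordinary weekday calls; ext 2042 places
# 40 calls, 30 seconds apart, to the placeholder prefix early on a Saturday.
START = datetime(2024, 1, 6, 2, 0)
SAMPLE = [
    "2024-01-04T10:15:00,2001,+14155550100,180",
    "2024-01-04T11:40:00,2001,+14155550101,95",
    "not,a,valid,record",
] + [f"{(START + timedelta(seconds=30 * i)).isoformat()},2042,+99900000{i:02d},600"
     for i in range(40)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

For scale, the first incident described at the top of this article works out to roughly 240 calls per hour, far above the assumed threshold used here.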

Using your SBCs for comprehensive communication security

SBCs track specific network failures, such as WebRTC binding failures, channel binding failures, media relay creation failures, and STUN server errors. Most of the time, these might be simple failures that can be easily resolved, but they might also indicate the onset of an attack on your network. Monitoring SBCs in real time can alert you as attacks happen and help you defend your networks.

But this is easier said than done. Managing and monitoring an SBC and using it to detect and stop threats is no walk in the park. You need access to the latest threat intelligence, and you need to study every call and every connection and analyze them to identify any issues.

Assertion® SecureVoice™ builds on trusted MITRE ATT&CK® and NIST frameworks to configure, secure, and monitor your VoIP systems and detect attacks in real time to block:

- inbound calls such as vishing, spoofed calls, robocalls, and scam calls
- outgoing toll fraud calls, calls to high-rate destinations, or calls in violation of trade regulations such as OFAC

In addition, with its close integration with the organization’s cybersecurity workflows or platforms like SOAR, you can elevate communication security standards to enterprise industry standards. If you have any questions or concerns about using or securing your VoIP systems and why it matters, we’d love to help. You can get in touch with us at sales@assertion.cloud.

---

Assertion® is a leading communication security solutions provider that empowers companies to Collaborate Confidently. Our ultimate goal is to secure every conversation through our advanced AI-enabled collaboration security solutions. We also provide holistic infrastructure security for over 38 collaboration products, including full-stack collaboration security solutions for the UC and CC stack.