Skip to content

ONE weird trick that can protect you from VoIP attacks

Of course, there is no “one weird trick” – security takes time, effort, energy, and attention. And there is no magic in any of it.  

In earlier articles, we have talked about the communication security risks: 

  1. Toll Fraud 
  1. Vishing 
  1. Telephony Denial of Service 
  1. Remote worker attacks 
  1. Traffic Pumping 
  1. Robocalls 
  1. Ransomware 

In this article (and 3 more to follow), let’s take a step back and look at how we can prevent these risks from being realized.  

In 2021, the NSA released a document that listed the risks to communication security, gave a high-level description of how to categorize them, and then gave guidance on how to prevent communication systems from getting compromised. You can read a high-level overview of NSA VVoIP Security Deployment here

The NSA document categorized 4 attack planes of a communications system –  

  • Network,  
  • Perimeter,  
  • Session Controllers, and 
  • Endpoints 

To protect your systems against attack, the document gives the following guidance: 

  • Monitor continuously. 
  • Validate your configurations. 
  • Log everything. 

Practically speaking, this means that defending your communication systems needs you to do 3 things: 

  1. Examine each incoming and outgoing call from your network. 
  1. Make sure that your perimeter devices are configured for maximum security. 
  1. Check your logs and CDRs for signs of attacks and intrusions. 

In this article, we will focus on continuous monitoring.  

Examining calls 

Examining calls is pretty much the most active approach that we can take to protect our organization from communication security risks – it fully fits into the NSA’s best practice recommendation of continuous monitoring that envisions every call being reviewed, tagged, and decided on. 

The challenge of incoming calls 

Incoming Voip attack

When we look at robocalls, scam calls, toll fraud attempts, and so on, a significant number of the calls that come in are ‘known problem’ numbers. Think of email spam: the email world has worked out a lot of the challenges of spam – emails from low-reputation systems are automatically scored low, and email IDs that have been used for spam earlier are tagged (through techniques such as the wisdom of crowds) and low scored. The phone call world is moving to the same model: we can tag specific service providers as low reputation and can automatically mark calls from those providers as ‘potential spam/scam’; we can identify specific phone numbers that have been crowd-sourced tagged for a low reputation and tag them when our employees receive calls.  

But that’s just the beginning: robocalls, spam calls, vishing, etc. all come from folks who are out to abuse the network and are aware that they might be outside the bounds of the law. To avoid getting caught, they ‘spoof’ their phone numbers. So, instead of just using blind database lookups, we can look at other factors for reputation scoring of incoming calls, including: 

  • Spoofed organization DIDs 
  • Non-routable numbers 
  • Signaling anomalies and inconsistencies 
  • STIR/SHAKEN headers in calls 
  • Bad reputation tags from third-party intelligence providers 
  • Call duration 
  • Calling frequency 
  • Time of call/time of the week 
  • Calling multiple numbers of the same customer 
  • Calls to sequential numbers 
  • Calling multiple customers at the same time 

For this to work, every incoming call to your organization needs to be screened before it hits the rest of the network. This can be done in many ways. For example, 

  • Put in an edge device that reviews all calls. 
  • Create customer modules that work on your SBCs to review and decide how to handle calls. 
  • Reroute traffic from your SBCs to a third-party service that then advises the SBC on how to handle calls. 

Each approach has architectural payoffs, but one thing is clear – this is not something that can be built in-house. You need access to teams that have significant SIP expertise, you need API access to third-party databases, you need teams that continuously look at attacks and probes on other companies’ networks… and these are simply impractical for most companies to develop from scratch. In short, you need to look for a solution provider. 

Companies such as Assertion (yes, that’s us!), Ribbon, and Oracle provide solutions that actively and continuously monitor your communication networks, look for patterns that indicate probes and attacks, and then provide additional capabilities that can help you respond.  

A full discussion of their capabilities is outside the scope of this series, but we’ll talk about them later in the year, once the 3 Minutes and 20 Weeks series is complete. 

Have more questions? Send me an email at securityeducation@assertion.cloud 

About Assertion: 

Assertion® is a leading communication security solutions provider that empowers companies to Collaborate Confidently. Our ultimate goal is to secure every conversation through our advanced AI-enabled collaboration security solutions. We also provide holistic infrastructure security for over 38 collaboration products, including full-stack collaboration security solutions for the UC and CC stack.