@blamejs/exceptd-skills 0.12.25 → 0.12.26

package/skills/sector-telecom/skill.md

@@ -0,0 +1,259 @@
+---
+name: sector-telecom
+version: "1.0.0"
+description: Telecom and 5G security for mid-2026 — Salt Typhoon, Volt Typhoon, CALEA / IPA-LI gateway compromise, signaling-protocol abuse (SS7 / Diameter / GTP), 5G N6 / N9 isolation, gNB / DU / CU integrity, OEM-equipment supply-chain compromise, AI-RAN / O-RAN security; FCC CPNI + 4-business-day notification, NIS2 Annex I telecom essential entities, UK TSA 2021 + Ofcom, AU SOCI / TSSR, GSMA NESAS, 3GPP TR 33.926 + TS 33.501, ITU-T X.805.
+triggers:
+  - telecom security
+  - 5g core
+  - salt typhoon
+  - volt typhoon
+  - gnb integrity
+  - lawful intercept
+  - calea
+  - fcc cpni
+  - 4-business-day notification
+  - gsma nesas
+  - ss7
+  - diameter
+  - gtp
+  - 3gpp ts 33.501
+  - 3gpp tr 33.926
+  - o-ran
+  - n6 n9 isolation
+  - nis2 annex i
+  - uk tsa 2021
+  - au soci
+  - tssr
+  - itu-t x.805
+data_deps:
+  - cve-catalog.json
+  - atlas-ttps.json
+  - framework-control-gaps.json
+  - global-frameworks.json
+  - cwe-catalog.json
+  - d3fend-catalog.json
+atlas_refs:
+  - AML.T0040
+attack_refs:
+  - T1071
+  - T1078
+  - T1098
+  - T1190
+  - T1199
+  - T1556
+framework_gaps:
+  - FCC-CPNI-4.1
+  - FCC-Cyber-Incident-Notification-2024
+  - NIS2-Annex-I-Telecom
+  - DORA-Art-21-Telecom-ICT
+  - UK-CAF-B5
+  - AU-ISM-1556
+  - GSMA-NESAS-Deployment
+  - 3GPP-TR-33.926
+  - ITU-T-X.805
+rfc_refs:
+  - RFC-9622
+cwe_refs:
+  - CWE-287
+  - CWE-306
+  - CWE-918
+d3fend_refs:
+  - D3-NTA
+  - D3-NTPM
+  - D3-IOPR
+  - D3-NI
+forward_watch:
+  - "FCC CPNI rule updates (47 CFR 64.2009 / 64.2011 amendments)"
+  - "5G AI-RAN security guidance from CISA, ENISA, NCSC, ASD ACSC"
+  - "GSMA FS.32 / FS.36 / FS.43 revisions"
+  - "Volt Typhoon / Salt Typhoon successor-actor disclosures"
+  - "Five Eyes joint advisories on telecom-equipment intrusion"
+  - "3GPP TS 33.501 updates (5G security architecture rebaseline)"
+  - "O-RAN SFG / WG11 security specifications"
+last_threat_review: 2026-05-15
+---
+
+## Threat Context (mid-2026)
+
+**Salt Typhoon (China nation-state; PRC Ministry of State Security nexus).** The 2024–2026 campaign — disclosed in successive Five Eyes joint advisories from October 2024 onward (CISA / NSA / FBI joint product reissued through 2025–2026) — compromised at least nine US carriers (publicly named: AT&T, Verizon, T-Mobile US, Lumen, Charter, Cox, Windstream, Consolidated, plus undisclosed others) and extended to AU / CA / NZ / UK Tier-1 carriers. Threat actor TTPs map to T1199 (Trusted Relationship) via OEM vendor supply chain, T1098 (Account Manipulation) for persistent admin access on NMS, and T1078 (Valid Accounts) with stolen LI-gateway operator credentials. The campaign's defining feature: targeted access to CALEA-mandated lawful-intercept systems, allowing PRC actors to read US-authorized intercept feeds — including those covering PRC counter-intelligence targets and presidential-campaign communications (2024 election cycle). The intercept-system vector is structurally novel: every carrier serving US-jurisdiction subscribers is legally required to maintain a CALEA-compliant intercept capability, which means every carrier has a high-value, low-monitored attack surface by mandate.
+
+**Volt Typhoon (China; OT-adjacent telecom + ISP critical infrastructure).** CISA AA24-038A (Feb 2024) and follow-ons document prepositioning across US critical infrastructure operators, including telecom-adjacent ISPs and edge equipment. Living-off-the-land TTPs (T1190 + T1556) defeat conventional EDR. Distinct from Salt Typhoon in mission (prepositioning vs intelligence collection) but the equipment-supply-chain access pattern overlaps.
+
+**Lawful-intercept abuse vectors.** LI gateway compromise can defeat CALEA / IPA-LI / EU EECC Art. 40 mandated intercept capability protections. LIDB poisoning, J-STD-025 / ATIS-1000013 reference-data tampering, and operator-credential theft against the LI-management subsystems are the primary access patterns. The same vectors apply to UK IPA 2016 + TSA 2021, AU TSSR / SOCI Act 2018, Singapore IMDA TCCSCoP, India CERT-In 6-hour rule, Japan Telecommunications Business Act amended 2023.
+
+**Signaling-protocol attacks.** SS7 (2G/3G legacy), Diameter (4G LTE/IMS), GTP (3G/4G data plane), and 5G core interfaces N1 / N2 / N4 / N6 / N9 — each carries authentication and authorization fragility legacies. SS7-class abuse remains operationally relevant in mid-2026 against carriers maintaining legacy interconnect. 5G core slice-isolation under TS 33.501 is the modern equivalent control surface.
+
+**OEM equipment supply-chain compromise.** Cisco / Juniper / Nokia / Ericsson / Huawei / ZTE equipment vendors are the high-value target. Vendor remote-support inbound tunnels (Cisco TAC, Ericsson ENS, Nokia 1350 OMS) are a recurring intrusion vector. GSMA NESAS (FS.13 / FS.14 / FS.15) is product-time certification — operator-attested deployment posture is the operational gap.
+
+**AI-RAN / O-RAN security.** ETSI O-RAN SFG / WG11, 3GPP TR 33.926, NIST IR 8505 (5G Cybersecurity Practice Guide). AI-RAN deployments add model-tampering and slice-mismapping risks that 3GPP TR 33.926 does not yet model.
+
+## Framework Lag Declaration
+
+Telecom security mandates lag the current threat reality because the regulatory frame was constructed before the Salt Typhoon-class adversary access pattern surfaced. **NIS2 Annex I** (EU) designates telecom providers as essential entities and requires 24-hour incident notification + supply-chain due diligence (Art. 21(2)(d)), but does not name OEM-equipment firmware integrity attestation, AI-RAN model-tampering controls, or LI-gateway-specific access auditing. **FCC CPNI rules** (47 CFR 64.2009(e) annual certification, 47 CFR 64.2011 4-business-day cyber incident notification effective 2024-03-13) predate the Salt Typhoon LI-system vector and do not require notification on LI-system compromise that does not exfiltrate PII directly. **UK CAF Principle B5** (resilient networks) is outcome-tested but the outcome catalog does not include signaling-anomaly detection, gNB firmware attestation, or slice-isolation tests; lawful-intercept access is covered separately by IPA 2016 + TSA 2021. **AU ISM-1556** (privileged user MFA) covers human privileged users but does not reach telecom NMS service accounts (the actual privilege-holders) or OEM remote-support tunnels. **DORA Art. 21** (EU) binds the financial entity consuming telecom services but does not align cadences with NIS2 telecom-essential-entity reporting and does not bridge to 5G slice-isolation obligations for finance-dedicated slices. **GSMA NESAS** is product-time, vendor-attested certification with no operator-attested-runtime check, no firmware-update-cadence-tied recertification, and no EMS / OSS / NMS coverage. **3GPP TR 33.926** assumes deterministic equipment behavior — adversary-modified firmware that passes the SCAS suite at submission remains undetected after deployment. **ITU-T X.805** (2003) is reference architecture, not a deployment-validation framework, and predates 5G, O-RAN, AI-RAN, and the modern threat model. **CTID Secure AI v2** (2026-05-06) extends MITRE ATLAS coverage of agentic-AI and AI-RAN attacks but is layered guidance, not a mandate.
+
+## TTP Mapping
+
+| Tactic | ATT&CK | ATLAS | Description |
+|---|---|---|---|
+| Initial Access | T1199 Trusted Relationship | AML.T0040 (Tool/Plugin Compromise) | OEM vendor remote-support tunnel or AI-RAN plugin compromise opens a path into the operator network |
+| Initial Access | T1190 Exploit Public-Facing Application | — | Internet-facing OSS / EMS / NMS exposed services (Salt Typhoon access pattern) |
+| Persistence | T1098 Account Manipulation | — | Persistent admin role grants on NMS / EMS / OSS after initial compromise |
+| Defense Evasion | T1556 Modify Authentication Process | — | LI-gateway credential pivot — operator account credentials forged or replayed against LI provisioning subsystem |
+| Credential Access | T1078 Valid Accounts | — | Stolen LI-gateway operator credentials used directly, no separate exploitation path |
+| Command and Control | T1071 Application Layer Protocol | — | Living-off-the-land C2 over telecom internal management protocols (SNMP, NETCONF, Telco-IP-fabric) |
+| Collection | T1199 (downstream) | AML.T0040 (downstream) | Pulling subscriber call-detail records, location data, and LI feed contents via compromised access |
+
+ATLAS AML.T0040 (Tool / Plugin Compromise) anchors the AI-RAN attack class: plugin-layer compromise of an O-RAN xApp or rApp can route traffic through an adversary-controlled inference path while the NMS believes the legitimate xApp is still in use.
+
+## Exploit Availability Matrix
+
+| Vector | PoC status | Weaponization | AI-assist factor | Notes |
+|---|---|---|---|---|
+| LI-gateway operator credential theft | Public (per CISA AA24 advisories) | Confirmed in-the-wild | Low | Salt Typhoon TTP; credentials harvested through OEM-vendor supply chain |
+| OEM vendor remote-support tunnel | Public (TTP class, no single PoC) | Confirmed in-the-wild | Low | Vendor TAC / ENS tunnels documented as Salt Typhoon vector |
+| SS7 / Diameter signaling abuse | Public (signaling-research community) | Commodity | Low | Pre-dates AI-augmented attack landscape |
+| GTP-U tunneling attacks | Public | Demonstrated | Low | Operator-side defense via signaling firewalls |
+| 5G core N4 abuse (PFCP) | Researcher PoCs | Demonstrated | Low | Defense via N4 isolation per TS 33.501 |
+| AI-RAN xApp tampering | No public PoC | Speculative | High (ATLAS AML.T0040 class) | CTID Secure AI v2 forward-watch |
+| gNB firmware tampering | Researcher PoCs (vendor-specific) | Demonstrated against vendor pre-prod | Low | GSMA NESAS scope gap |
+| Slice mismapping (cross-slice leak) | Researcher PoCs against test cores | Demonstrated | Low | TS 33.501 control surface |
+
+## Analysis Procedure
+
+### Phase 1 — govern (jurisdictional clock + obligations)
+
+Surface the operator's jurisdictional notification clocks immediately on detection:
+
+- **US**: FCC 47 CFR 64.2011 — 4 business days from discovery of PII/CPNI breach; CALEA / Title III LI-system compromise reporting through DOJ / FBI per separate channel
+- **EU**: NIS2 Art. 23 — 24 hours initial notification, 72 hours intermediate, 1 month final (telecom essential entity)
+- **EU finance-touching**: DORA Art. 19 — 4 hours major-ICT-incident initial notification for financial-entity-impacting telecom incidents
+- **UK**: TSA 2021 + Electronic Communications (Security Measures) Regulations 2022 — Ofcom notification immediately on a security compromise of significance; NCSC notification when applicable
+- **AU**: SOCI Act 2018 (as amended 2022) + TSSR 2017 — Critical Infrastructure Centre notification + ACMA where applicable; ASD ACSC reporting per Essential 8 obligations
+- **CA**: Bill C-26 (Critical Cyber Systems Protection Act) notification once in force
+- **JP**: MIC Telecommunications Business Act amended 2023; immediate notification
+- **IN**: Telecommunications (Security) Rules 2024 + CERT-In 6-hour rule
+- **SG**: IMDA TCCSCoP (2022 v2 + 2024 update) — immediate
+- **NZ**: TICSA 2013
+
+Wait for operator acknowledgment of the highest-priority clock before proceeding.
+
+### Phase 2 — direct (threat context)
+
+Brief the operator on Salt Typhoon-class TTPs + RWEP-threshold bands. For telecom CVEs with active exploitation: live-patch threshold 90, urgent-patch 70, scheduled 30.
+
+### Phase 3 — look (artifacts to capture)
+
+Capture the following telecom-specific evidence (use `air_gap_alternative` paths if operator is in disconnected mode):
+
+- **LI provisioning audit log** — full activation/deactivation history for the assessment window (typically last 90 days). Air-gap alternative: operator-supplied CSV export.
+- **gNB / DU / CU firmware hashes** — operator-attested hash for every running base station, compared against vendor-published expected hashes. Air-gap alternative: out-of-band hash list verified against PGP-signed vendor bulletin.
+- **NMS / EMS / OSS access logs** — last 90 days of admin actions on the network management plane.
+- **Signaling-flow statistics** — SS7 SCCP / TCAP / MAP message rates per peer; Diameter ABMF / CCR / CCA rates per Diameter peer; GTP-C / GTP-U bytes per APN.
+- **Cross-PLMN signaling exchange patterns** — anomalous PLMN-pair flows that did not previously exchange traffic.
+- **eUICC SIM-swap event log** — recent IMSI swaps, MSISDN reassignments.
+- **5GC slice-isolation verification output** — last AMF / SMF / UPF reachability test per slice.
+- **OEM vendor remote-support tunnel inventory** — open Cisco TAC / Ericsson ENS / Nokia OMS tunnels with last-active timestamp.
+- **NESAS deployment posture report** — most recent operator-attested deployment match against the vendor-certified build.
+
+### Phase 4 — detect (indicators)
+
+Walk every indicator's `false_positive_checks_required` list before submitting a hit:
+
+- **Anomalous LI activation requests** — provisioning events outside the operator's standard workflow (e.g. activation without paired law-enforcement-agency ticket reference, activation from a service-account that never previously performed LI provisioning).
+- **gNB firmware hash drift** — running firmware does not match the vendor-published or operator-attested expected hash. FP check: rule out staged update window.
+- **NMS access from anomalous source** — admin login from an ASN, region, or device class not previously used for the role. FP check: rule out OEM TAC support session (correlate against open tunnel inventory).
+- **Cross-PLMN signaling spikes** — sudden order-of-magnitude increase in signaling exchange with a previously-quiet PLMN-pair. FP check: rule out legitimate roaming-agreement reactivation, peering reconfiguration.
+- **Unauthorized LI gateway tunnel** — outbound connection from the LI gateway to an IP outside the LE / DOJ / regulator allowlist. FP check: rule out documented maintenance bastion.
+- **OEM firmware downgrade events** — vendor-equipment firmware version regressed below the operator-published minimum. FP check: rule out documented incident-response rollback.
+
+### Phase 5 — analyze (correlation)
+
+Match captured artifacts against `data/cve-catalog.json` entries with `attack_class: telecom` or matching `attack_refs`. Cross-reference against `data/framework-control-gaps.json` for FCC-CPNI-4.1, FCC-Cyber-Incident-Notification-2024, NIS2-Annex-I-Telecom, DORA-Art-21-Telecom-ICT, UK-CAF-B5, AU-ISM-1556, GSMA-NESAS-Deployment, 3GPP-TR-33.926, ITU-T-X.805. Score blast-radius based on subscriber count + LI-feed-exposure dimension + AI-RAN slice-mismapping potential.
+
+### Phase 6 — validate (priority-sorted remediation)
+
+Priority 1 (immediate): isolate compromised NMS account; revoke and re-issue LI-gateway operator credentials; pull running-gNB firmware hash off every base station and compare against operator-attested expected.
+Priority 2 (24h): rotate all OEM vendor remote-support credentials; close TAC tunnels not actively in use; signaling-firewall block on cross-PLMN spike sources.
+Priority 3 (72h): operator-attested NESAS recertification of every gNB / EMS / OSS; slice-isolation verification across every active 5GC slice; comprehensive review of the last 90 days of NMS admin actions.
+
+### Phase 7 — close (regulator notifications + evidence preservation)
+
+Draft jurisdictional notification messages with regulator-specific evidence templates. Preserve LI-system audit trail for downstream law-enforcement / intelligence-community handoff. Schedule a follow-up `reattest` window at the highest applicable regulator deadline minus 48 hours.
+
+## Output Format
+
+The investigation evidence bundle returned by phase 5 + 6 has this shape:
+
+```json
+{
+  "session_id": "telecom-<iso>",
+  "playbook_id": "sector-telecom",
+  "classification": "detected | clean | not_detected | inconclusive",
+  "evidence_hash": "sha256:...",
+  "telecom_specific_findings": {
+    "li_gateway_audit": {
+      "anomalous_activations": 0,
+      "activations_outside_ticket": 0,
+      "outbound_tunnel_to_non_allowlist_ip": 0
+    },
+    "gnb_attestation_state": {
+      "expected_hashes_compared": 0,
+      "drifted_basestations": [],
+      "downgrade_events": 0
+    },
+    "signaling_anomaly_count": {
+      "ss7_per_peer_z_score_outliers": 0,
+      "diameter_per_peer_z_score_outliers": 0,
+      "gtp_apn_byte_z_score_outliers": 0,
+      "cross_plmn_unexpected_pairs": []
+    },
+    "nms_admin_access": {
+      "logins_from_anomalous_asn": 0,
+      "service_account_role_grants_outside_workflow": 0,
+      "open_oem_tac_tunnels": []
+    },
+    "oem_firmware_drift": {
+      "vendor_published_min_version_violations": [],
+      "operator_attested_mismatch": []
+    },
+    "slice_isolation": {
+      "amf_smf_upf_reachability_misses": [],
+      "cross_slice_packet_leakage_detected": false
+    }
+  },
+  "jurisdiction_notifications": [
+    { "jurisdiction": "US-FCC", "regulation": "47-CFR-64.2011", "deadline_iso": "...", "clock_anchor": "detect_confirmed" },
+    { "jurisdiction": "EU", "regulation": "NIS2-Art-23", "deadline_iso": "...", "clock_anchor": "detect_confirmed" }
+  ]
+}
+```
+
+## Compliance Theater Check
+
+Theater patterns specific to telecom posture:
+
+- **"We have CPNI annual certification."** Annual certification is a process artifact, not a compromise-detection control. The certification covers operational procedures; it does not test LI-gateway compromise detection. Theater test: ask whether the last CPNI certification audit reviewed LI provisioning logs for anomalous activations.
+- **"We are GSMA NESAS certified."** NESAS is product-time, vendor-attested certification of the equipment itself — not the deployed posture. Theater test: ask for the most recent operator-attested-runtime gNB firmware hash report compared against the NESAS-certified build hash. Mismatch or absence is theater.
+- **"OEM firmware is verified at receipt."** Vendor-supplied hash is the input to the receipt verification; the operator does not independently re-derive the hash from upstream OEM-vendor source. Theater test: ask whether the operator separately verifies OEM firmware against an out-of-band PGP-signed vendor bulletin OR an operator-side reproducible build.
+- **"3GPP TR 33.926 tests passed at deployment."** TR 33.926 SCAS is product-class testing; it does not detect adversary-modified firmware that passes the test suite at submission. Theater test: ask for the post-deployment hash-attestation report on the running gNB.
+- **"ITU-T X.805 framework adopted."** X.805 is reference architecture, not validation. Theater test: ask for a deployment validation checklist mapping X.805's 8 dimensions to specific operational telemetry. Most operators cite the framework but do not validate against it.
+- **"We have signaling firewall (SS7 / Diameter / GTP)."** Signaling firewalls are policy-engine dependent on a current threat-actor PLMN catalog. Theater test: ask when the threat-actor PLMN list was last refreshed against GSMA Fraud and Security Group bulletins.
+- **"LI-gateway operator credentials use MFA."** Human-MFA on the LI gateway is necessary but not sufficient — service accounts and OEM remote-support tunnels frequently bypass. Theater test: count the LI-gateway admin actions executed in the last 30 days by service-account principals vs human-MFA principals.
+
+## Defensive Countermeasure Mapping
+
+| Threat | D3FEND technique | Operational mapping |
+|---|---|---|
+| Signaling anomaly | D3-NTA (Network Traffic Analysis) | SS7 / Diameter / GTP per-peer baseline + alert on z-score outliers |
+| 5G slice cross-leak | D3-NTPM (Network Traffic Policy Mapping) | Per-slice ACL + AMF/SMF/UPF reachability testing |
+| LI-gateway audit-trail integrity | D3-IOPR (I/O Read) | Immutable / append-only LI provisioning log + cross-system reconciliation |
+| 5GC slice / N6 / N9 isolation | D3-NI (Network Isolation) | Slice ID + DNN + S-NSSAI policy enforcement; N6 transit egress monitoring |
+| OEM firmware tampering | D3-EFA (Executable File Analysis) | Out-of-band hash verification + operator-attested-runtime checks |
+
+## Hand-Off / Related Skills
+
+- **incident-response-playbook** — parent IR flow; sector-telecom extends the IR contract with telecom-specific evidence and jurisdictional clocks.
+- **framework-gap-analysis** — invoke for downstream Hard-Rule-5 gap mapping against catalog framework_gaps.
+- **cred-stores** — LI-gateway operator credential storage falls under the cred-stores skill for secret-management depth.
+- **sector-federal-government** — national-security adjacency on LI-system compromise touches federal investigation scope.
+- **mcp-agent-trust** — AI-RAN xApp / rApp compromise (ATLAS AML.T0040 class) crosses into MCP-class agent-tool trust boundaries.