Level 34

5G Security Operations — SOC for 5G Core Networks

Operate the security of a live 5G core. Complements the architectural treatment in Level 8 with the operational view — what a SOC analyst actually does day-to-day defending a 5GC deployment. Master the 5G attack surface (SBI, signaling, NRF abuse, GTP-C tunnel hijacking), apply the MITRE FiGHT framework for telecom threats, engineer SIEM rules tuned for 5G traffic, hunt anomalies across NF logs and signaling traffic, run incident response playbooks for compromised NFs, and coordinate with NOC, legal, and regulators. This level completes the Cybersecurity Analyst career path alongside Level 8.

20 interactive0 simulation4 labs4 quizzes

0/28 lessons

This level requires a Pro subscription

Unlock all 32 advanced levels — 900 lessons, labs, and interactives by TELCOMA Global.

SOC Foundations for 5G

0/7

Why 5G security operations is its own discipline, the 5G attack surface (SBI, signaling, RAN, radio), SOC tooling for 5GC (SIEM, SOAR, EDR, network detection), the operational view of TS 33.501 security architecture, and the MITRE FiGHT framework for telecom threats.

Why 5G security operations needs its own discipline

How 5G changes the SOC analyst's job versus enterprise IT security — and why generic security tools fall short.

interactive3 min

The 5G attack surface — SBI, signaling, RAN, radio

Four distinct attack surfaces in a 5G deployment, each with different threat profiles and detection approaches.

interactive3 min

SOC tools for 5G — SIEM, SOAR, EDR, network detection

The tooling categories a 5G SOC depends on and how they connect for telecom workloads.

interactive3 min

TS 33.501 security architecture — the operational view

Reading the 5G security architecture from a defender's perspective — what each control protects and what it does not.

interactive3 min

MITRE FiGHT — threat framework for telecom

MITRE's 5G-specific threat framework adapting ATT&CK to mobile network adversary techniques.

interactive3 min

Lab: Mapping a 5GC attack to MITRE FiGHT

Walk through classifying a real-world 5GC attack scenario using the FiGHT tactic and technique vocabulary.

lab5 min

Quiz: SOC Foundations for 5G

Test your understanding of the 5G attack surface, SOC tools, and the FiGHT framework.

quiz5 min

SBI and Signaling Threats

0/7

Attack vectors against the Service-Based Interface, NRF abuse and false-NF registration, GTP-C tunnel hijacking and location tracking, legacy Diameter/SS7 threats that persist into 5G, and signaling-layer threat hunting techniques.

Service-Based Interface attack vectors

How attackers can exploit SBI: token reuse, NF impersonation, replay attacks, and malformed-request flooding.

interactive3 min

NRF abuse and false-NF registration

Compromising the service registry — what happens when a malicious NF registers with NRF and starts receiving traffic.

interactive3 min

GTP-C abuse — tunnel hijacking, location tracking

Long-standing GTP-C vulnerabilities and how they manifest in 5G non-standalone deployments.

interactive3 min

Diameter and SS7 legacy threats in 5G

Why interconnect signaling attacks from 4G and earlier still affect 5G deployments through interworking.

interactive3 min

Signaling threat hunting techniques

Hypothesis-driven hunting for signaling-layer abuse using NF logs, packet captures, and behavioral baselines.

interactive3 min

Lab: Detecting GTP-C tunnel hijacking in logs

Walk through analyzing GTP-C logs to identify suspicious tunnel manipulation and craft a detection rule.

lab5 min

Quiz: SBI and Signaling Threats

Test your understanding of SBI attacks, NRF abuse, GTP-C threats, and legacy signaling risks.

quiz5 min

SIEM Rules and Detection Engineering

0/7

Engineering detection rules for 5GC SIEM, building behavioral baselines and anomaly detection, the log sources a 5G SOC depends on (NF logs, NGAP, PFCP, network flow), alert tuning to reduce false positives, and structured threat hunting workflows.

Building SIEM rules for 5G SBI traffic

Translating an SBI threat into a concrete SIEM detection rule — the structure that survives production.

interactive3 min

Behavioral baselines and anomaly detection

When static rules fail, behavioral baselines on per-NF and per-UE traffic surface the unusual.

interactive3 min

Log sources for 5GC — NF logs, NGAP, PFCP, flow

The five log categories a 5GC SOC ingests and what each one reveals.

interactive3 min

Alert engineering — reducing false positives

How a SOC keeps alert fatigue at bay through deduplication, suppression windows, and contextual enrichment.

interactive3 min

Threat hunting workflows for 5GC SOC

Hypothesis-driven hunting versus alert-driven triage — when each applies and how to structure the work.

interactive3 min

Lab: Writing a SIEM rule for NRF abuse detection

Walk through designing a Sigma-style detection rule for false-NF registration attempts.

lab5 min

Quiz: SIEM Rules and Detection Engineering

Test your understanding of detection engineering, baselines, log sources, and alert tuning.

quiz5 min

Incident Response for 5G

0/7

IR playbook fundamentals for 5G, containment strategies for compromised NFs, forensics and evidence preservation under telecom lawful-process constraints, coordination across SOC/NOC/legal/regulators, and post-incident review for continuous improvement.

5G IR playbook fundamentals

The PICERL (Prepare, Identify, Contain, Eradicate, Recover, Lessons-learned) model adapted to 5GC incidents.

interactive3 min

Containment strategies — isolating compromised NFs

How to isolate a suspected-compromised AMF, SMF, or UPF without taking down the network.

interactive3 min

Forensics for 5GC — evidence and lawful process

Preserving evidence in a regulated industry — what to capture, how to chain-of-custody, and the lawful-intercept constraints.

interactive3 min

Coordination — SOC, NOC, legal, regulators

The multi-stakeholder coordination that distinguishes telecom IR from enterprise IT incident response.

interactive3 min

Post-incident review and continuous improvement

How mature SOCs run blameless post-mortems that feed back into detection engineering and IR playbooks.

interactive3 min

Lab: Responding to an AMF compromise

Walk through an end-to-end IR scenario for a compromised AMF instance — detection, containment, recovery, review.

lab5 min

Quiz: Incident Response for 5G — Level Gate

Final level gate covering IR playbooks, containment, forensics, coordination, and post-incident review.

quiz5 min

5G Security Operations — SOC for 5G Core Networks

20 interactive0 simulation4 labs4 quizzes