Part 6 · Threats, Attacks, and Operator Protection
27
SOC/NOC Procedures for 5G Security
From alert to action — the playbooks that turn telemetry into defense
"An alert nobody knows how to act on is just anxiety with a timestamp. Playbooks turn telemetry into defense."
— WHY PROCEDURES MATTER
Chapter 26 built the eyes; this chapter builds the hands. A telco Security Operations Center must handle incidents that don't exist in IT — authentication anomalies, signaling storms, rogue gNBs, roaming abuse — and coordinate with the Network Operations Center that runs the live network. This chapter provides the incident lifecycle and concrete playbooks for the 5G-specific incidents this book has armed you to detect.
Checked June 2026 — verify against the latest 3GPP version.
27.1 Telco SOC vs IT SOC
FIGURE 27.1 Telco SOC Reference Organization
Purpose: the telco SOC's distinct shape. It ingests 5G telemetry, applies telecom-specific detections, and must coordinate with the NOC that actually operates the network — a structure IT SOCs lack.
FIGURE 27.2 The 5G Incident Response Lifecycle
Purpose: the lifecycle, telco-flavored. The key telco difference is at contain — actions touch a live network carrying critical traffic, so SOC/NOC coordination is essential.
FIGURE 27.3 Playbook — Authentication Anomaly
Purpose: the auth-anomaly playbook. The failure cause (Chapter 6) splits the response: MAC → rogue-gNB hunt; sync → database/SQN investigation. Same alert, opposite actions.
FIGURE 27.4 Playbook — Signaling Storm
Purpose: the signaling-storm playbook. Contain first (overload control/backoff with NOC), then determine attack vs self-inflicted (Chapter 23) — both need the same immediate containment.
FIGURE 27.5 Playbook — DDoS on N6 / N3 / SBA
Purpose: the DDoS playbook. Where the flood lands (N6 internet edge vs internal SBA) determines the scrubbing point; the goal is keeping the core serving legitimate traffic.
FIGURE 27.6 Playbook — Rogue gNB Hunt
Purpose: the rogue-gNB playbook. The MAC-failure cluster (Chapter 6) is the lead; triangulation, sensors, and a field team close it — with legal involvement for the device.
FIGURE 27.7 Playbook — Roaming Abuse
Purpose: the roaming-abuse playbook. SEPP filtering both detects and contains; the partner is contacted (the abuse may be their compromise), with GSMA/legal escalation for persistence (Chapter 13).
FIGURE 27.8 Playbook — API Abuse
Purpose: the API-abuse playbook. Throttle first, then judge whether entitled use has become surveillance (Chapter 12) — a decision that blends security and contract enforcement.
FIGURE 27.9 Escalation Matrix and Forensic Evidence Handling
Purpose: escalation and evidence. Know the escalation path in advance, and preserve evidence before containment destroys it — especially for incidents headed to legal or regulators.
FIGURE 27.10 SOC ↔ NOC Handshake During an Incident
Purpose: the coordination that defines telco incident response. The SOC decides the security action; the NOC executes it safely on a live network carrying critical traffic — skipping the handshake fixes a breach by causing an outage.
27.2 The Practical Operator View
Pre-write playbooks for the six 5G incidents — an alert without a playbook is wasted telemetry.
Staff for 3GPP knowledge — telecom attacks need protocol expertise IT SOCs lack.
Formalize the SOC↔NOC handshake — security actions on a live network must go through the operators.
Preserve evidence before containment — snapshot logs/captures for forensics and legal.
Feed learnings back into detection (Chapter 26) and the threat model (Chapter 24).
27.3 Incident-to-Playbook Map
Detection             | Playbook                  | Source chapter
MAC-failure cluster   | rogue gNB hunt            | 6, 24
AMF/AUSF overload     | signaling storm           | 23
N6/N3/SBA flood       | DDoS response             | 3, 11
SEPP partner anomaly  | roaming abuse             | 13
NEF quota breach      | API abuse                 | 12
Sync-failure storm    | UDM SQN/DB investigation  | 6
27.4 Terminology
Term              | Meaning
SOC / NOC         | Security / Network Operations Center
playbook          | Pre-defined response procedure for an incident type
CSIRT             | Computer Security Incident Response Team (escalation)
chain of custody  | Evidence-handling discipline for legal admissibility
Real network example. A SOC detected a signaling storm and, under pressure, unilaterally rate-limited registrations on the affected AMF without the NOC handshake. The change was correct for the storm — but it collided with a NOC maintenance window that was already draining traffic from that AMF, and the combined effect dropped a neighboring region's service entirely. The security action, taken in isolation on a live network, caused a worse outage than the incident. After the post-mortem, the operator formalized the SOC↔NOC handshake (Figure 27.10): the SOC decides what to contain and why; the NOC owns how and when, with an impact assessment, before any change. On a live critical network, the coordination is the procedure.
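The Section 27.3 map and the handshake from the example above, as an added SOAR-style sketch that is not from the book: the alert keys, the at() helper, the HH:MM sample windows and the HOLD/EXECUTE verdicts are assumptions, and the NOC's impact assessment is reduced to a maintenance-window check on the element the containment would touch.

```python
from dataclasses import dataclass
from datetime import datetime
# Section 27.3 map: detection -> (playbook, source chapters); keys are assumed alert names.
PLAYBOOKS = {
    "mac_failure_cluster": ("rogue gNB hunt", (6, 24)),
    "amf_ausf_overload": ("signaling storm", (23,)),
    "n6_n3_sba_flood": ("DDoS response", (3, 11)),
    "sepp_partner_anomaly": ("roaming abuse", (13,)),
    "nef_quota_breach": ("API abuse", (12,)),
    "sync_failure_storm": ("UDM SQN/DB investigation", (6,)),
}

@dataclass
class Alert:
    kind: str                # PLAYBOOKS key, or "auth_anomaly" (split on cause)
    target: str              # element the containment would touch, e.g. "AMF-7"
    failure_cause: str = ""  # "MAC" or "sync" for auth anomalies (Chapter 6)

@dataclass
class MaintenanceWindow:     # NOC-side state the SOC cannot see on its own
    element: str
    start: datetime
    end: datetime

def at(hhmm):  # constructed sample times (same day), an assumption of this sketch
    return datetime.strptime(hhmm, "%H:%M")

def route(alert):
    """Triage: the same auth alert lands on opposite playbooks by failure cause."""
    kind = alert.kind
    if kind == "auth_anomaly":
        kind = "mac_failure_cluster" if alert.failure_cause == "MAC" else "sync_failure_storm"
    return PLAYBOOKS[kind]

def noc_assess(target, windows, now):
    """NOC impact assessment: refuse a change that collides with a drain/maintenance."""
    for w in windows:
        if w.element == target and w.start <= now <= w.end:
            return False, f"{target} is in a maintenance window until {w.end:%H:%M}"
    return True, "no conflicting operation; NOC schedules the change"

def contain(alert, action, evidence_snapshots, windows, now):
    """Containment gate: preserve evidence, run the SOC<->NOC handshake, then act."""
    playbook, _ = route(alert)
    if alert.target not in evidence_snapshots:
        return f"HOLD [{playbook}]: snapshot logs/captures on {alert.target} first"
    ok, reason = noc_assess(alert.target, windows, now)
    if not ok:
        return f"HOLD [{playbook}]: {reason}; replan jointly with the NOC"
    return f"EXECUTE [{playbook}] via NOC: {action} on {alert.target}"
```

Replaying the storm above with a window draining AMF-7 returns a HOLD instead of the unilateral rate-limit; the same request outside the window is released for the NOC to execute.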
★ Chapter Summary
A telco SOC needs 3GPP protocol expertise and tight NOC coordination that IT SOCs lack.
Run the incident lifecycle (detect → triage → contain → eradicate → recover → learn), with feedback into detection and the threat model.
Pre-written playbooks exist for auth anomaly, signaling storm, DDoS, rogue gNB, roaming abuse, and API abuse — each driven by a Chapter-26 detection.
Preserve evidence before containment; know the escalation path in advance.
The SOC↔NOC handshake is the defining telco procedure — security actions on a live network go through the operators.
? Review Questions
How does a telco SOC differ from an IT SOC?
Walk the 5G incident lifecycle and the telco-specific consideration at "contain."
For an auth-failure alert, how does the failure cause split the playbook?
How does the DDoS response differ for N6 vs SBA floods?
What is the lead evidence in a rogue-gNB hunt, and what are the steps?
Why might roaming abuse originate on the partner's side, and how do you escalate?
Why must evidence be preserved before containment?
Explain the SOC↔NOC handshake and a failure that results from skipping it.
🧪 Mini lab — write a playbook
Choose one detection from Chapter 26 (e.g., a geo-clustered MAC-failure spike). Write a complete playbook: (1) the alert and its source KPI, (2) triage questions to confirm/scope, (3) immediate containment with the exact SOC↔NOC handshake (what the SOC requests, what the NOC assesses), (4) eradication and recovery steps, (5) evidence to preserve, (6) escalation path and trigger, (7) the learning fed back into detection and the threat model. Then table-top it: walk a teammate through a simulated incident using only your playbook. A playbook that survives a table-top is worth more than any alert.