Existing literature and industry research largely emphasize theoretical threat models in the telecommunications space, often referencing frameworks like MITRE ATT&CK. However, they fall short when it comes to evaluating how those threats manifest in real-world telecom environments, or how detection can be operationalized at scale. To build practical threat detection strategies, it is necessary to first analyze and validate the theoretical landscape (reviewing cited data sources and tactics, techniques, and procedures (TTPs)) and then map them against the specific needs, telemetry capabilities, and architecture of telecom service providers.
For the purposes of this document, the GCF Safeguarding the Future Networks & Emerging Technologies working group took the following approach:
- We analyzed multiple related publications and identified common themes and 3 gaps.
- We proposed a whitepaper, "Practical Threat Detections For Telecommunications", that will incorporate potentially all common practices and focus beyond traditional systems.
- We are defining a framework for increasing detection performance that is aligned with the common requirements found in the analyzed publications. Developing the framework comprised the following steps:
  - Defining the target audience and their needs (e.g., cybersecurity decision makers, and a framework to guide strategic decisions when monitoring telecoms and building threat detections)
  - Setting the framework scope and purpose (e.g., qualitative analysis of ATT&CK's and FiGHT's theoretical mitigations and data sources, contextualized against workloads, requirements and feasibility)
  - Documenting the analysis of existing publications (industry reports and cybersecurity guidelines) to map the relevant components of SP systems (e.g., EPC, OSS/BSS, etc.)
  - Seeking inspiration from existing cybersecurity frameworks used by cybersecurity professionals (e.g., NIST, MITRE)
  - Defining the key dimensions of the framework:
    - The threat landscape
    - Requirements for detections
    - Qualitative analysis of ATT&CK's and FiGHT's theoretical mitigations and data sources
  - Finally, we sought to make it practical:
    - For each component of the framework (e.g., an indicator), define the approach to measure it (e.g., potential data sources)
    - For each indicator, define an aspirational goal (e.g., the use cases it would help to address)
    - Provide practical examples of the framework (i.e., an illustrative example of how the framework works in practice)
- Based on this analysis, we inferred implications and proposed a path forward, which will be published with GCF as a whitepaper.
This whitepaper is intended to provide a practical guide to threat detection that is tailored specifically to telecom operators, rather than enterprises. It consolidates knowledge gathered through real-world deployments and engagements, transforming it into a market-wide strategy. The focus is on identifying which telemetry sources (e.g., NetFlow, BGP, GTP) are both viable and valuable, and on proposing use cases that address telecom-specific risks, such as signaling anomalies, network segmentation (trusted vs. untrusted zones), and interconnect abuse. This approach directly addresses the recurring concerns raised by telecom customers and fills the gap between generic threat models and actionable detection frameworks.
The raw/tool file version is available on this link:
To view this tool's output in the original source form, please use LibreOffice or Microsoft Excel.