Telecom Security Testing & Defense - Akib Sayyed - DCTAC2025

Name of Training: Telecom Security Testing & Defense
Trainer(s): Akib Sayyed
Dates: November 3-4, 2025
Time: 8:00 am to 5:00 pm 
Venue: Exhibition World Bahrain
Cost: $3,200

Course Description:

This intensive 2-day training program equips participants with the knowledge and hands-on skills needed to secure telecom networks against evolving cyber threats. Covering 2G, 3G, 4G, and 5G architectures, the course explores vulnerabilities across the RAN, Core, Transport, and Interconnect layers, with a strong focus on real-world attack vectors such as rogue base stations, IMSI catchers, SS7/Diameter exploits, GTP tunneling attacks, and jamming/spoofing attempts.

Participants will learn to analyze, detect, and mitigate telecom-specific threats using global standards and frameworks including 3GPP security specifications, GSMA FS series, GSMA NESAS, ITU-T X.805, as well as adversarial emulation models from MITRE ATT&CK and MITRE FIGHT. The course bridges theory with practice through hands-on labs, where trainees conduct packet analysis, simulate signaling attacks, deploy rogue BTS setups, and perform incident response drills in a controlled environment.

By the end of the program, participants will be able to:

  • Identify and test vulnerabilities in legacy and modern telecom networks.
  • Map real-world telecom attacks to MITRE ATT&CK and MITRE FIGHT frameworks.
  • Build actionable defense strategies for securing 2G–5G networks against cyber adversaries.
  • Adopt a security-by-design approach for telecom networks.
  • Apply encryption, authentication, and intrusion detection best practices.
  • Define minimum security baseline standards for telecom workloads.
  • Perform threat modeling and security monitoring of telecom networks.

Course Outline:  

🚀 2-Day Telecom Security Testing & Defense
(with MITRE ATT&CK + MITRE FIGHT Frameworks)

Day 1 – Telecom Security Foundations & Threat Landscape

Session 1 – Telecom Security Foundations

  • Theory (1.5h)
    • 2G → 5G architectures, RAN vs. Core vs. Transport.
    • Evolution of the telecom network threat and security landscape.
    • Telecom vulnerabilities by generation.
    • Why telco networks are prime cyber targets.
  • Framework Integration
    • MITRE ATT&CK → Reconnaissance (IMSI collection), Initial Access (signaling abuse).
    • MITRE FIGHT → Access Network Exploitation (Rogue gNB, radio link manipulation).
  • Lab (1h)
    • Map sample telecom network → identify surfaces.
    • Classify attack points using both ATT&CK + FIGHT.

Session 2 – Threat Landscape in Telecom

  • Theory (1.5h)
    • Rogue BTS / IMSI catchers.
    • SS7, Diameter & GTP attacks.
    • Jamming & spoofing in real-world telecom incidents.
  • Framework Integration
    • MITRE ATT&CK → Credential Access (SIM vectors), Impact (DoS).
    • MITRE FIGHT → Core Network Exploitation (GTP injection, Diameter fraud).
  • Lab (1h)
    • Analyze SS7 traces with Wireshark.
    • Detect rogue BTS anomaly → map to MITRE FIGHT (Access Network) + ATT&CK.

Session 3 – Identity, Encryption & Standards

  • Theory (1.5h)
    • SIM/USIM security, authentication vectors.
    • Weak cipher fallback (A5/1, EPS-AKA).
    • End-to-end encryption: SRTP, IPsec, MACSec.
    • GSMA FS, 3GPP security, ITU-T X.805.
  • Framework Integration
    • MITRE ATT&CK → Defense Evasion (downgrade attacks).
    • MITRE FIGHT → Subscriber Exploitation (SUPI/IMSI exposure, AKA weaknesses).
  • Lab (1h)
    • Verify cipher suites in LTE/5G traffic.
    • Map findings → GSMA FS + FIGHT “Subscriber Exploitation” category.

End of Day 1 Outcomes

  • Understand telco architectures, vulnerabilities, and the evolution of the telecom network threat and security landscape.
  • Ability to map threats to both ATT&CK & FIGHT frameworks.
  • Recognize subscriber/core/RAN exploitation patterns.

Day 2 – Security Testing, Hardening & Defense Strategy

Session 4 – Securing Legacy & Modern Networks

  • Theory (1.5h)
    • 2G/3G downgrade & cipher cracking.
    • LTE: GTP tunneling, EPS-AKA flaws.
    • 5G: SBA threats, slicing, SUPI exposure.
  • Framework Integration
    • MITRE ATT&CK → Lateral Movement (GTP pivoting).
    • MITRE FIGHT → Core Network Exploitation (NF misconfig, SBA exposure).
  • Lab (1h)
    • Simulate downgrade attack.
    • Analyze GTP tunnel leakage → map to MITRE FIGHT.

Session 5 – Telecom Defense Strategy

  • Theory (1.5h)
    • Security-by-design approach for telecom networks, from onboarding to sunset.
    • Perimeter security and network segmentation strategy.
    • User access management and RBAC for telecom workloads.
    • Designing minimum security baseline standards for telecom workloads, and hardening while onboarding network & workloads.
    • IDS/IPS for SS7, Diameter, SIP.
    • DPI anomaly detection in live telecom traffic.
    • Threat modeling and designing security monitoring of telecom network & workloads.
    • Integration of security logs of network and supporting components with SOC/SIEM for security monitoring.
    • Advanced threat detection strategy for telecom networks and integration of cutting-edge technologies with the telco network.
    • Implementing a zero-trust model for telecom networks.
  • Framework Integration
    • MITRE ATT&CK → Command & Control (rogue BTS), Persistence (profile injection).
    • MITRE FIGHT → Management Plane Exploitation (abuse of OAM, misconfig access).
  • Lab (1.5h)
    • Deploy SS7/Diameter firewall rules.
    • Detect signaling DoS in SIEM.
    • Classify attack paths with ATT&CK + FIGHT side by side.

Session 6 – Offensive Security & Future Telecom Defense

  • Theory (1h)
    • Telecom penetration testing methodology.
    • Rogue BTS exploitation demo.
    • Future: PQC for 6G, AI/ML anomaly detection, zero-trust telco networks.
  • Framework Integration
    • MITRE ATT&CK → Execution (malicious signalling), Exfiltration (CDR theft).
    • MITRE FIGHT → Interconnect Exploitation (roaming fraud, inter-PLMN abuse).
  • Lab (1.5h)
    • Deploy rogue BTS, simulate penetration test.
    • Incident response drill → classify every attack step in MITRE FIGHT & ATT&CK matrices.

End of Day 2 Outcomes

  • Perform practical telecom penetration tests.
  • Map red team attacks to both ATT&CK and FIGHT frameworks.
  • Learn security hardening, security monitoring and defensive controls for RAN, Core, and Interconnect domains.
  • Gain future-ready skills (PQC, AI/ML detection, zero-trust telco defense).

📊 Key Delivery Highlights

  • Audience: Telco SOC engineers, security testers, core/RAN engineers.
  • Duration: 2 days (~16 hours).
  • Balance: ~50% labs, 50% deep dives.
  • Tools: Wireshark, srsRAN/OAI, SDR, IMSI catcher, rogue BTS.
  • Framework Value:
    • MITRE ATT&CK → broad enterprise threat taxonomy.
    • MITRE FIGHT → telecom-native adversary emulation (Access, Core, Subscriber, Management, Interconnect).

Difficulty Level:

Intermediate/Advanced
Audience: Security researchers, penetration testers, defense communication engineers, network engineers, SOC analysts, early-career telecom security professionals.

Suggested Prerequisites:

📋 Prerequisites (Summary)

  • Networking basics: TCP/IP, routing, firewalls, VPN/TLS/IPsec.
  • Telecom basics: 2G–5G architecture, core & RAN elements, signalling (SS7, Diameter, SIP, GTP).
  • Security basics: Common attack vectors, cryptography, IDS/IPS/SIEM.
  • Hands-on skills: Linux, Wireshark, telecom simulators (srsRAN/OAI), VMs/Docker.
  • Experience: 2–3 years in networking/security/telecom (Intermediate–Advanced level).
  • Lab setup: Laptop (8GB RAM, 4 cores), Wireshark, Kali VM, optional SDR (HackRF/USRP).

What Students Should Bring:

✅ Trainees only need a laptop (8GB RAM, virtualization enabled) with 120 GB of storage for the VM.
Course materials provided by the instructor will include:
  • Course Materials: Slides, lab workbook, MITRE ATT&CK + FIGHT matrices, case studies.
  • Lab Setup: Prebuilt VM/Docker with Wireshark, srsRAN/OAI, SS7/Diameter tools, sample PCAPs.
  • References: 3GPP, GSMA FS, ITU-T X.805, ATT&CK Navigator + FIGHT matrix handouts.
  • Training Aids: Audit checklists, reporting & incident response templates.
  • Optional Hardware: SDR (USRP/HackRF) + mini LTE/5G testbed for live demos.

Trainer(s) Bio:

Akib Sayyed is the Founder of Matrix Shell and Telecom Village, and serves as the GSMA NESAS Lab Technical Manager. With over a decade of expertise in telecom security, penetration testing, and network resilience, he has worked extensively with global MNOs and MVNOs to secure networks across 2G, 3G, 4G, and 5G infrastructures. Under his leadership, Matrix Shell has achieved ISO/IEC 17025 accreditation and recognition as an NCCS-accredited 5G Security Lab.

At Telecom Village, Akib has built a global community dedicated to advancing telecom security awareness, research, and training. He has showcased cutting-edge attack simulations and fostered collaboration between researchers and industry experts to address vulnerabilities in signalling protocols such as SS7, Diameter, and GTP, as well as modern 5G service-based architectures. His role as a GSMA NESAS Lab Technical Manager further positions him at the forefront of telecom equipment security evaluations and global compliance.

As a trainer, Akib designs and delivers specialized courses on Telecom Security Testing, integrating international frameworks such as 3GPP, GSMA FS, GSMA NESAS, ITU-T X.805, MITRE ATT&CK, and MITRE FIGHT. His programs combine theoretical foundations with hands-on labs, enabling participants to analyze real-world telecom attack traces, deploy rogue BTS setups, and practice incident response drills — equipping professionals to defend telecom networks against evolving cyber threats.

Registration Terms and Conditions: 

Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after October 2, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions.
