UTC
01
FUNCTION 01 FUNCTION 02 FUNCTION 03 FUNCTION 05 INCIDENT RESPONSE PREPAREDNESS FUNCTION 04
Function Four
INCIDENT RESPONSE
PREPAREDNESS

Master Exposure Management.

“The adversary suffers when every path they take ends in a trap.”

Three days in, the Space Cybersecurity Operations and Resilience department you are building is no longer asking the departments for time; they are bringing it their work. Kestrel Orbital’s platform model, the threat catalogue, and the attack paths Satellite Design & Engineering walked with you yesterday all sit in one shared form. Today the circuit closes where it started: you sit down with the Security Operations Center to turn every path into a detection that fires and a playbook that runs. You drive the organization to continually enumerate the attack paths created by both exposed and isolated platform elements, and to work toward platform deception techniques. The signatures and playbooks you write today support Executive Order 14144’s detect-report-recover requirement and the NIS2 reporting deadlines: a 24-hour warning, a 72-hour notification, a one-month report.

MODULE FOUR
01/13
00
DAY 4 · Incident Response Preparation

DAY 4 START

Today you turn each attack path into a detection signature that fires on those data sources and a response playbook that runs when it fires. The Security Operations Center that briefed the threat sources on Day 2 now writes detections against the paths Satellite Design & Engineering drew on Day 3: each day’s work lands on the day before it. This is the detect-report-recover capability Executive Order 14144 requires, exercised inside the reporting deadlines NIS2 sets.

MODULE FOUR
00/00
UTC
03
L1 · day 4 opens with a working session in the Security Operations Center

WRITE THE SIGNATURES & PLAYBOOKS

Six artifacts on the table. Security Operations runs the detections and acts on the alerts, and today the center lays its working reality on the table the same way Satellite Design & Engineering opened its artifacts yesterday: the six below, walked together for every attack path you cover today. Each one tells you something different about what Security Operations can see, how the center responds, and which signature designs will work in production.

TELEMETRY SOURCES
▷ ARTIFACT · 01
TELEMETRY SOURCES

What data streams Security Operations actually has visibility into: auth logs, network flow, EDR, T2 RF metrics, attestation.

ROOTA TEMPLATES
▷ ARTIFACT · 02
ROOTA TEMPLATES

Vendor-neutral detection rule format. Same rule deploys to Splunk, Elastic, Microsoft Sentinel without rewrite.

PLAYBOOK LIBRARY
▷ ARTIFACT · 03
PLAYBOOK LIBRARY

Existing IR playbooks Security Operations already runs. New signatures hook into the right one.

ALERT QUEUE
▷ ARTIFACT · 04
ALERT QUEUE

Current alert volume and triage practice. New signatures must fit the queue, not flood it.

ON-CALL CONTEXT
▷ ARTIFACT · 05
ON-CALL CONTEXT

What an on-call analyst can actually do in real time during a pass. Constrains what response steps are realistic.

KNOWN GAPS
▷ ARTIFACT · 06
KNOWN GAPS

Telemetry blind spots already documented. New signatures may not be possible until engineering closes a gap.

MODULE FOUR
03/13
UTC
04
A2 · enumerating detection-signature elements

INCIDENT RESPONSE PREPARATION PROCESS

Inputs. Yesterday’s attack-path set against the telecommand path and a working session with Security Operations, building the detect-report-recover capability Executive Order 14144 requires inside the NIS2 reporting deadlines. Output. One AN-DET element per detection signature, written in vendor-neutral RootA format. Six steps, fixed order. Set LAYER (always AN). Verify the format is RootA. Set TAG (DET). Set ORDINAL. Enumerate the TDM (what structural elements the signature observes). Write the Description. Constraint. A signature that is vendor-locked or carries no TDM anchor is rejected.

01
Enumerate the LAYER
LAYER = AN (fixed; identifies this as an Analytic Layer element).
02
Verify the format
The signature must be expressed in RootA format, the open vendor-neutral detection language. A vendor-specific query (Splunk SPL, Microsoft KQL, Elastic EQL, and so on) without a RootA wrapper is not accepted as an AN-DET element.
03
Set the TAG to DET
The element identifies this as a Detection-Signature element within the Analytic Layer (AN-DET).
04
Assign an ORDINAL
Two-digit ordinal starting at 00 (AN:DET:Detection Signature:00, AN:DET:Detection Signature:01, and so on); one ordinal per distinct detection signature.
05
Enumerate the TDM
Target of Detection Method: enumerate the structural elements the signature is designed to observe. AN-DET uses TDM, not TOE; TDM names the structural elements the signature scans rather than the elements an attacker exploits.
06
Write the DESCRIPTION
Identify what the signature looks for and the AN-IOC, AN-IOA, AN-ATT, or AN-THR elements it provides coverage for. Cite the RootA rule identifier and the source.
Repeat for the next detection signature. When every catalogued attack path has at least one detection enumerated, the AN-DET coverage matrix is current.
MODULE FOUR
04/13
UTC
05
K1 · what RootA is and why we use it for every AN-DET

ROOTA, OPEN DETECTION LANGUAGE

RootA is an open public-domain detection-engineering language created by the SOC Prime team, released in 2023. It is a YAML wrapper that carries a native SIEM, EDR, XDR, or Data Lake query plus the metadata a defender needs to share that query: MITRE ATT&CK mapping, log-source declaration, references, threat-actor and campaign timeline, and tags. The companion tool Uncoder.IO converts a RootA rule into 65 query dialects across 45 technologies, including Splunk, Elastic, Microsoft Sentinel, Google Chronicle, CrowdStrike, QRadar, Sumo Logic, and others. We write every AN-DET in RootA so the detection portfolio you leave Friday with ports across every SIEM your organization runs today and every SIEM it will run tomorrow.

▷ FACT · 01
OPEN AND VENDOR-NEUTRAL

Public-domain license. No procurement gate, no vendor contract. A rule you write today is a rule a peer operator, such as a fellow Space-ISAC member, could pull tomorrow and run on a different SIEM with no rewrite.

▷ FACT · 02
YAML WRAPPER AROUND NATIVE LOGIC

Write the detection in whatever query language you already know (SPL, KQL, EQL, Carbon Black, Yara-L). RootA wraps it with metadata: name, severity, log source, MITRE techniques, references, tags.

▷ FACT · 03
MITRE ATT&CK AT THE CORE

Every RootA rule carries the ATT&CK techniques it covers as a first-class field. Pairs directly with the AN-ATT map from Day 3, so detection coverage is reviewable against attack paths, not just rule counts.

▷ FACT · 04
ONE LANGUAGE, MANY SIEMS

Uncoder.IO translates a RootA rule into the dialect your Security Operations Center actually runs. A SIEM migration becomes a translation pass over the portfolio, not a rewrite of every rule from scratch.

RESOURCES · specification: roota.io · repository: github.com/UncoderIO/RootA · translator: uncoder.io · community: discord.gg/socprime

BBACKGROUND
MODULE FOUR
05/13
UTC
06
A1 · one signature, every field numbered

THE ROOTA SIGNATURE FOR AN-DET:00, FIELD BY FIELD

This is the full an-det-00-anomalous-console-auth.yml as it ships in the course rule pack. It defends AN:ATT:Attack Path:00 (operator-console credential theft) using the four Available rows from yesterday’s source inventory. Each numbered badge in the signature maps to a numbered card on the left, so you can read the rule top-to-bottom and see what every field is for. Same ten fields for every other AN-DET; only the values change.

▷ FIELD GUIDE
1
NAME
Identifier Security Operations sees in the alert console. Here: AN-DET-00 Anomalous console authentication.
2
DETAILS
Plain-English description of what the rule does. Names the AN-ATT path it covers and the TDM structural elements observed.
3
CLASSIFICATION METADATA
author, severity, type, class, status, date. Tells Security Operations who wrote it, how serious it is, and whether it is production-ready.
4
MITRE-ATTACK
Techniques the signature covers. Here T1110 Brute Force and T1078 Valid Accounts. This is how the AN-ATT map and the rule portfolio link to a single shared taxonomy.
5
REFERENCES
External citations Security Operations can read to understand the rule. ATT&CK technique pages and any incident write-ups or peer rules used.
6
TAGS
METEORSTORM ordinal plus one TDM tag per structural element observed. An organization like the Space-ISAC could index on these so a peer could pull the rule by ETEN.
7
LOGSOURCE
Tells Uncoder.IO which translator to apply. Here: product: identity + category: authentication targets identity-provider logs across any SIEM.
8
DETECTION SELECTIONS
One selection_* per row of yesterday’s source inventory. Four Available sources, four selections: console target, failure burst, impossible travel, unknown source.
9
CONDITION
Boolean expression that fires the alert. Must hit the console target AND any one of the three anomaly selections. Keeps the alert tight to the operator-console scope.
10
FALSEPOSITIVES
Known legitimate causes that look like the signature. Travel-with-notice and authorized red-team. Gives the on-call analyst the triage cheat-sheet up front.
▷ an-det-00-anomalous-console-auth.yml
↓ open .yml
1name: AN-DET-00 Anomalous console authentication
2details: |
Detects anomalous authentication events against satellite operator console workstations
(AST:HW:Hardware:04, SVC:CP:Control Plane:13 console-ops). Flags brute-force, password-spray,
impossible-travel and unknown-source patterns against accounts authorized to operate the satellite
console. Implements AN-DET:00 from the METEORSTORM AN-DET layer.
3author: ethicallyHackingSpace
severity: high
type: query
class: anomaly
status: stable
date: 2026-06-07
4mitre-attack:
- T1110
- T1078
5references:
- https://attack.mitre.org/techniques/T1110/
- https://attack.mitre.org/techniques/T1078/
- https://github.com/MISP/misp-taxonomies/tree/main/meteorstorm
6tags:
- meteorstorm.an-det.00
- meteorstorm.tdm.ast-hw-hardware-04
- meteorstorm.tdm.svc-cp-control-plane-13
- attack.credential-access
- attack.initial-access
7logsource:
product: identity
category: authentication
8detection:
selection_console_target:
target_application|contains:
- "satellite-console"
- "sat-console"
- "console.ops"
selection_failure_burst:
event_name|contains: "failed"
user_account|count: ">=10"
timeframe: "5m"
selection_impossible_travel:
event_name|contains: "success"
user_account|distinct_geos: ">=2"
timeframe: "1h"
selection_unknown_source:
src_ip|not_in_baseline: true
9 condition: selection_console_target and (selection_failure_burst
or selection_impossible_travel or selection_unknown_source)
10falsepositives:
- Legitimate operator on travel with prior notification
- Authorized red-team exercise
AAPPLY
MODULE FOUR
06/13
UTC
07
B1 · signatures and playbooks for user-segment attack paths

USER SEGMENT SIGNATURES & PLAYBOOKS

Each row is one AN-DET element written with Security Operations. Each signature covers one or more steps of an attack path from yesterday; the TDM names the structural element the signature observes; the format is vendor-neutral RootA so the rule ports across detection platforms. Path steps with no observable telemetry become declared coverage gaps and go back to engineering as work to do.

ID AN-DET ETEN
AN:DET:Detection Signature:00
Anomalous console authentication: detects repeated failed logins or first-time-from-IP successes against operator console workstations, suggesting credential stuffing or phishing.
COVERS
AN:ATT:Attack Path:00 (Console credential theft)
TDM
AST:HW:Hardware:04 (console workstation) authentication logs; SVC:CP:Control Plane:13 console-ops audit stream
FORMAT RootA , vendor-neutral source-agnostic rule.
SOURCE MITRE ATT&CK T1110 (Brute Force) and T1078 (Valid Accounts) detection guidance.
COVERAGE Full , observable in standard auth-log telemetry.
AN:DET:Detection Signature:01
End-user application binary integrity: detects modified end-user application binaries or unexpected file-write events against the displayed mission product on operator workstations.
COVERS
AN:ATT:Attack Path:01 (End-user app tampering)
TDM
AST:SW:Software:08 (end-user app SW) file-integrity stream; SVC:DP:Data Plane:02 (mission product display) audit
FORMAT RootA.
SOURCE MITRE ATT&CK T1565 (Data Manipulation); SolarWinds detection retrospectives (CISA AA20-352A).
COVERAGE Full , observable via file-integrity monitoring.
2SIGNATURES
MODULE FOUR
07/13
UTC
08
B1 · signatures and playbooks for ground-segment attack paths

GROUND SEGMENT SIGNATURES & PLAYBOOKS

Each row is one AN-DET element written with Security Operations. Each signature covers one or more steps of an attack path from yesterday; the TDM names the structural element the signature observes; the format is vendor-neutral RootA so the rule ports across detection platforms. Path steps with no observable telemetry become declared coverage gaps and go back to engineering as work to do.

ID AN-DET ETEN
AN:DET:Detection Signature:02
Management-plane abuse: detects firmware-push operations from the modem management interface outside maintenance windows, or following a VPN-appliance authentication anomaly.
COVERS
AN:ATT:Attack Path:02 (Long-dwell ground-network intrusion , KA-SAT-style)
TDM
SVC:CP:Control Plane:09 (ground ACA) audit; AST:DA:Data:02 (patch binaries) deployment log; AST:SW:Software:03 (patch deployment SW) execution log
FORMAT RootA.
SOURCE Viasat post-incident report (30 March 2022); CISA AA22-110A; SentinelLabs AcidRain analysis.
COVERAGE Full , observable via VPN auth logs + patch-pipeline audit.
AN:DET:Detection Signature:03
Operator credential anomaly: detects sign-ins to mission ops console from new geolocations, impossible-travel patterns, or anomalous time-of-day for the operator’s shift.
COVERS
AN:ATT:Attack Path:03 (Operator credential theft)
TDM
AST:DA:Data:01 (ACA credentials) authentication audit; SVC:CP:Control Plane:09 (ground ACA) sign-in stream
FORMAT RootA.
SOURCE MITRE ATT&CK T1078 (Valid Accounts) detection guidance.
COVERAGE Full , observable in identity-provider telemetry.
AN:DET:Detection Signature:04
Out-of-pattern command authority usage: detects commanding workstation usage outside the operator’s normal hours, commands issued without peer review tags, or sequences inconsistent with the active mission profile.
COVERS
AN:ATT:Attack Path:04 (Privileged insider misuse)
TDM
AST:HW:Hardware:04 (console HW) usage stream; SVC:CP:Control Plane:13 (console ops) command audit
FORMAT RootA.
SOURCE MITRE ATT&CK T1078.003 (Local Accounts); NIST SP 800-53 PS-7 monitoring guidance.
COVERAGE Partial , depends on robust per-operator behavior baselines.
AN:DET:Detection Signature:05
Lateral movement to mission control: detects east-west network flows from operator-network hosts to mission-control hosts that fall outside the documented allow-list.
COVERS
AN:ATT:Attack Path:05 (Lateral movement to mission control)
TDM
Network flow telemetry between operator-network and mission-control segments; SVC:CP:Control Plane:13 (console ops) connection audit
FORMAT RootA.
SOURCE MITRE ATT&CK TA0008 (Lateral Movement) detection patterns.
COVERAGE Full , observable via network flow logs.
AN:DET:Detection Signature:06
Mass encryption / file-system anomaly: detects high-rate write-and-rename operations against launch-control or patch-deployment hosts, with low entropy on original files and high entropy on renamed ones.
COVERS
AN:ATT:Attack Path:06 (Ransomware against launch infrastructure)
TDM
SVC:CP:Control Plane:10 (launch control) file-system audit; AST:DA:Data:02 (patch binaries) integrity stream; AST:SW:Software:03 (patch deployment SW) audit
FORMAT RootA.
SOURCE CISA Stop Ransomware advisories; MITRE ATT&CK T1486 (Data Encrypted for Impact).
COVERAGE Full , observable via EDR + file-integrity monitoring.
5SIGNATURES
MODULE FOUR
08/13
UTC
09
B1 · signatures and playbooks for link-segment attack paths

LINK SEGMENT SIGNATURES & PLAYBOOKS

Each row is one AN-DET element written with Security Operations. Each signature covers one or more steps of an attack path from yesterday; the TDM names the structural element the signature observes; the format is vendor-neutral RootA so the rule ports across detection platforms. Path steps with no observable telemetry become declared coverage gaps and go back to engineering as work to do.

ID AN-DET ETEN
AN:DET:Detection Signature:07
Sustained noise-floor anomaly: detects elevated noise across the uplink or downlink bands beyond expected environmental thresholds, sustained for longer than incidental atmospheric events.
COVERS
AN:ATT:Attack Path:07 (Jamming campaign)
TDM
SVC:HY:Hybrid:02 (T2 tracking) RF metrics; AST:SI:Signal:00 (uplink/downlink waveforms) SNR + BER stream
FORMAT RootA.
SOURCE ITU interference-reporting guidance; SPARTA SPACE-T1429 (Disrupt) detection guidance.
COVERAGE Full , observable via T2 telemetry.
AN:DET:Detection Signature:08
Replay-and-spoof anomaly: detects command-waveform sequences with valid authentication tags but anomalous timing relative to the established command cadence, or session keys appearing in unexpected locations.
COVERS
AN:ATT:Attack Path:08 (Replay-and-spoof on uplink)
TDM
SVC:CP:Control Plane:05 (link ACA) authentication audit; SVC:CP:Control Plane:09 (ground ACA) key-material audit; AST:SI:Signal:00 (uplink waveform) command-timing stream
FORMAT RootA.
SOURCE SPARTA SPACE-T1428 (Replay Attacks) detection guidance.
COVERAGE Partial , requires established command-cadence baseline.
AN:DET:Detection Signature:09
Downlink interception is largely passive and cannot be detected from the link itself. Signature watches for adversary follow-on activity that suggests collection occurred (e.g., disclosure of intercepted content).
COVERS
AN:ATT:Attack Path:09 (Downlink interception)
TDM
OSINT collection monitoring; threat-intel feeds for leaked mission-product mentions
FORMAT RootA + external watch.
SOURCE SPARTA SPACE-T1427 (Eavesdropping on Communications) , mitigation guidance emphasizes encryption rather than detection.
COVERAGE Gap , primary detection signal does not exist on the link; engineering work is to encrypt the downlink and to instrument follow-on disclosure monitoring.
3SIGNATURES
MODULE FOUR
09/13
UTC
10
B1 · signatures and playbooks for space-segment attack paths

SPACE SEGMENT SIGNATURES & PLAYBOOKS

Each row is one AN-DET element written with Security Operations. Each signature covers one or more steps of an attack path from yesterday; the TDM names the structural element the signature observes; the format is vendor-neutral RootA so the rule ports across detection platforms. Path steps with no observable telemetry become declared coverage gaps and go back to engineering as work to do.

ID AN-DET ETEN
AN:DET:Detection Signature:10
Out-of-pattern bus commanding: detects sequences against ADCS/EPS/FTS that fall outside the active mission profile, or commands that would violate documented safe-mode rules.
COVERS
AN:ATT:Attack Path:10 (Destructive bus attack)
TDM
SVC:HY:Hybrid:00 (C&DH) command-acceptance audit; SVC:CP:Control Plane:00 (ADCS), 02 (EPS), 03 (FTS) command streams
FORMAT RootA + on-ground commanding audit.
SOURCE SPARTA SPACE-T1029 (Disrupt) detection guidance.
COVERAGE Partial , on-board telemetry limits real-time visibility; ground-side commanding audit fills most of the gap.
AN:DET:Detection Signature:11
Unauthorized FSW state change: detects unexpected mode transitions or configuration writes on the OBC that were not initiated by an authorized ground command.
COVERS
AN:ATT:Attack Path:11 (Command-path integrity attack)
TDM
AST:HW:Hardware:06 (OBC/OBDH) state audit; AST:SW:Software:06 (C&DH FSW) configuration-write log; SVC:CP:Control Plane:01 (space-side crypto) audit
FORMAT RootA + ground-side correlation.
SOURCE SPARTA SPACE-T1014 (Software Modification) detection guidance.
COVERAGE Partial , depends on on-board telemetry richness.
AN:DET:Detection Signature:12
Firmware-hash mismatch at boot: detects firmware images whose measured hash does not match the signed expected value at boot or after an update.
COVERS
AN:ATT:Attack Path:12 (Supply-chain firmware compromise)
TDM
AST:FW:Firmware:00 (FTS), 01 (OBC), 02 (payload) boot-attestation stream
FORMAT RootA + on-board attestation.
SOURCE NIST SP 800-193 (Platform Firmware Resilience); SolarWinds (2020) post-incident detection retrospectives.
COVERAGE Full , if measured-boot / attestation is implemented; otherwise a gap.
AN:DET:Detection Signature:13
Payload-data integrity mismatch: detects mission-product whose downlinked hash does not match the on-board signature computed before transmission, indicating tampering between the instrument and the downlink encryptor.
COVERS
AN:ATT:Attack Path:13 (Payload-data tampering)
TDM
SVC:DP:Data Plane:00 (mission data plane) integrity stream; SVC:DP:Data Plane:01 (payload data plane) signature audit
FORMAT RootA + cryptographic verification at the ground.
SOURCE SPARTA SPACE-T1059 (Modify On-Board Values); standard end-to-end integrity guidance.
COVERAGE Full , if end-to-end signing is implemented; otherwise a gap.
4SIGNATURES
MODULE FOUR
10/13
UTC
11
S1 · the day’s full enumerated signature set + paired playbooks

DAY 4 COMPLETE · FOURTEEN DETECTIONS AND FOURTEEN PLAYBOOKS

One signature per observable path step, plus one playbook per path. Every signature is written in vendor-neutral RootA so it ports across detection tooling, and the same neutrality makes each rule runnable by a peer operator: the form the organization’s policy-gated Space ISAC contributions ride on. Path steps with no observable telemetry are declared coverage gaps and go back to engineering as work to do.

ID Description Covers
AN:DET:Detection Signature:00 Anomalous console authentication: detects repeated failed logins or first-time-from-IP successes against operator console workstations, suggesting credential stuffing or phishing. AN:ATT:Attack Path:00 (Console credential theft)
AN:DET:Detection Signature:01 End-user application binary integrity: detects modified end-user application binaries or unexpected file-write events against the displayed mission product on operator workstations. AN:ATT:Attack Path:01 (End-user app tampering)
AN:DET:Detection Signature:02 Management-plane abuse: detects firmware-push operations from the modem management interface outside maintenance windows, or following a VPN-appliance authentication anomaly. AN:ATT:Attack Path:02 (Long-dwell ground-network intrusion , KA-SAT-style)
AN:DET:Detection Signature:03 Operator credential anomaly: detects sign-ins to mission ops console from new geolocations, impossible-travel patterns, or anomalous time-of-day for the operator’s shift. AN:ATT:Attack Path:03 (Operator credential theft)
AN:DET:Detection Signature:04 Out-of-pattern command authority usage: detects commanding workstation usage outside the operator’s normal hours, commands issued without peer review tags, or sequences inconsistent with the active mission profile. AN:ATT:Attack Path:04 (Privileged insider misuse)
AN:DET:Detection Signature:05 Lateral movement to mission control: detects east-west network flows from operator-network hosts to mission-control hosts that fall outside the documented allow-list. AN:ATT:Attack Path:05 (Lateral movement to mission control)
AN:DET:Detection Signature:06 Mass encryption / file-system anomaly: detects high-rate write-and-rename operations against launch-control or patch-deployment hosts, with low entropy on original files and high entropy on renamed ones. AN:ATT:Attack Path:06 (Ransomware against launch infrastructure)
AN:DET:Detection Signature:07 Sustained noise-floor anomaly: detects elevated noise across the uplink or downlink bands beyond expected environmental thresholds, sustained for longer than incidental atmospheric events. AN:ATT:Attack Path:07 (Jamming campaign)
AN:DET:Detection Signature:08 Replay-and-spoof anomaly: detects command-waveform sequences with valid authentication tags but anomalous timing relative to the established command cadence, or session keys appearing in unexpected locations. AN:ATT:Attack Path:08 (Replay-and-spoof on uplink)
AN:DET:Detection Signature:09 Downlink interception is largely passive and cannot be detected from the link itself. Signature watches for adversary follow-on activity that suggests collection occurred (e.g., disclosure of intercepted content). AN:ATT:Attack Path:09 (Downlink interception)
AN:DET:Detection Signature:10 Out-of-pattern bus commanding: detects sequences against ADCS/EPS/FTS that fall outside the active mission profile, or commands that would violate documented safe-mode rules. AN:ATT:Attack Path:10 (Destructive bus attack)
AN:DET:Detection Signature:11 Unauthorized FSW state change: detects unexpected mode transitions or configuration writes on the OBC that were not initiated by an authorized ground command. AN:ATT:Attack Path:11 (Command-path integrity attack)
AN:DET:Detection Signature:12 Firmware-hash mismatch at boot: detects firmware images whose measured hash does not match the signed expected value at boot or after an update. AN:ATT:Attack Path:12 (Supply-chain firmware compromise)
AN:DET:Detection Signature:13 Payload-data integrity mismatch: detects mission-product whose downlinked hash does not match the on-board signature computed before transmission, indicating tampering between the instrument and the downlink encryptor. AN:ATT:Attack Path:13 (Payload-data tampering)
14SIGNATURES
MODULE FOUR
11/13
UTC
12
Work role ability confirmation · what you are now able to perform at your work center

DAY 4 COMPLETE

What you built today. Fourteen AN-DET elements written in vendor-neutral RootA with Security Operations, plus one IR playbook per attack path. 2 USER, 5 GROUND, 3 LINK, 4 SPACE. Where telemetry could see the path step, the signature ships; where it could not, the gap is declared and handed back to engineering as work to close. The signature, its path, its threat, and the element it watches now share one identifier chain any of the three departments can follow unaided. The set feeds Executive Order 14144’s detect-report-recover requirement inside the NIS2 reporting deadlines.

Your role here. Incident-response preparedness is the fourth of the five functions where a Full Spectrum professional drives change, and you don’t have to be the security operations analyst, the detection author, or the spacecraft engineer to lead it. Security Operations, Satellite Operations, and Satellite Design & Engineering can sometimes be provided by separate organizations, and an incident crosses every one of them at once. Your job is to build the cross-functional team and agree the signatures and playbooks before the incident, so each organization knows its part. That is what makes this function a deliberate point of insertion for transforming how those organizations respond together.

From the field · policy evidence

Updated CNSS policy for national security space systems (CNSSP No. 12 / CNSSI 1200, Aug. 2025) now requires real-time on-board intrusion detection and prevention and patch management for on-board and ground-segment software, written into procurement contracts. As Aerospace Corp.’s Brandon Bailey told CyberSat 2025: “if you build services or capabilities that support national security missions, [these requirements] apply to you.” Source: Air & Space Forces Magazine, Nov. 19, 2025.

DAY 4 COMPLETE · SIGNATURES & PLAYBOOKS WRITTEN WITH THE SECURITY OPERATIONS CENTER
Working session with Security Operations turning each attack path into a deployable detection plus a response playbook the on-call analyst can run
Full Spectrum Space Cybersecurity Professional briefing the same three departments with the same platform vocabulary on the wall, threat markers and attack-path lines from prior days still visible, with new green detection-signature badges overlaid on specific elements showing where Security Operations will observe the adversary, plus a small playbook stack icon on the table. Dark operations center setting.
MODULE FOUR
12/13
00
DAY 4 COMPLETE · Incident Response Preparation

DAY 4 COMPLETE

You wrote a signature and a playbook for every path with the Security Operations Center, the evidence behind the organization’s detect-report-recover duties. Tomorrow, Day 5 brings all three departments to one table and shrinks and hardens the exposure that keeps recurring.

MODULE FOUR
00/00
UTC
END
ADVERSARY MANAGEMENT FUNCTION 05
Function FOUR complete · Function Five next

ADVERSARY
MANAGEMENT.

Day 4 done. Tomorrow (Day 5 / Mod 05 · Adversary Management), you write the resilience measures that take options away from the adversary across Security Operations, Satellite Operations, and Satellite Design & Engineering, the continuity and backup protections the mandates expect for command and control.

STARTING POINT
A complete Concept of Operations CONOPS, Contextualized Threat Modeling threat catalogue, and Converged Detection Engineering attack-path map. No detection signatures or validated data sources yet; coverage of the attack-path map is unknown.
FINISH LINE
Enumerated data and signal sources for every step of every attack path, plus a complete portfolio of detection signatures in RootA.io format. Each AN-DET attaches via TDM to the structural element it observes and back-references the AN-ATT it covers. Ready for Module 05 to enumerate resilience measures that remove adversary attack surface.
▷ MODULE 04 ASSESSMENT

A multiple-choice exam aligned with Module 04 KSAT areas. Drawn at random from a question bank covering Function FOUR's taxonomy element (AN-DET), its TARGET attachment (TDM), and the production flow into the next function. Exam scaffolding wired in next iteration.

END
MODULE FOUR
13/13
REFERENCE LIBRARY

Standards, Policies & Sources

The instruments this course aligns to. Each element links to its primary source.

U.S. National Security Space Policy

CNSS Policy No. 12 (CNSSP-12)Information-assurance policy for national security space systems. CNSS Instruction 1200 (CNSSI 1200), Aug 2025Implementing requirements: on-board intrusion detection, hardware root-of-trust, patch management. DoDI 8581.01Information-assurance policy for space systems used by the DoD. Space Policy Directive 5 (SPD-5), 2020First comprehensive U.S. cybersecurity principles for space systems.

Executive Orders

EO 14144 (Jan 16, 2025)Strengthening and Promoting Innovation in the Nation’s Cybersecurity. EO 14306 (Jun 6, 2025)Sustaining select efforts, amending EO 13694 and EO 14144.

NIST Standards & FISMA

NIST SP 800-53 Rev. 5Security and privacy controls; IR-3 incident-response testing. NIST SP 800-37 Rev. 2Risk Management Framework; continuous monitoring and annual control assessment. NIST IR 8270Introduction to Cybersecurity for Commercial Satellite Operations. NIST IR 8401Satellite Ground Segment cybersecurity framework profile. NIST IR 8441Cybersecurity Framework Profile for Hybrid Satellite Networks. NIST SP 800-160 Vol. 2 Rev. 1Cyber resiliency goals: Anticipate, Withstand, Recover, Adapt. FISMAFederal Information Security Modernization Act; annual program review obligation.

Threat Frameworks (analytic layer)

MITRE ATT&CKAdversary tactics and techniques knowledge base. MITRE CAPECCommon Attack Pattern Enumeration and Classification; dictionary of attack patterns that exploit known weaknesses. MITRE D3FENDKnowledge graph of defensive countermeasures and techniques, mapped to ATT&CK (NSA-funded, maintained by MITRE). SPARTASpace Attack Research and Tactic Analysis (The Aerospace Corporation). ESA Space ShieldEuropean Space Agency space-system threat framework.

EU & Global

NIS2 Directive (EU 2022/2555)Risk management and 24h/72h incident reporting; space sector in scope. EU Space Act (proposal, 25 Jun 2025)Space-specific resilience and cybersecurity obligations; extraterritorial scope. ENISA Space Threat LandscapeEuropean threat landscape and recommendations for space operators. Cyber Resilience Act (CRA)Connected hardware/software requirements; applies from December 2027.

Open-Source Vocabulary & Tooling

METEORSTORM MISP taxonomyThe course vocabulary, live and open source in the MISP taxonomy repository. MISP / CIRCLComputer Incident Response Center Luxembourg, maintainers of MISP. RootAPublic-domain open detection language (YAML) used in Module 04 to write portable signatures. (github.com/UncoderIO/Roota) Uncoder.IOOpen-source IDE and translation engine that ports RootA rules across SIEM, EDR, and XDR formats. SpaceCOP & Indicators of BehaviorDHS S&T + Aerospace Corp. on-board intrusion-detection prototype. CROO (Cyber Resilience On-Orbit)Proof Labs on-board IDS for the Space Force.

Community & Reporting

Space ISACSpace Information Sharing and Analysis Center. Air & Space Forces MagazineWaterman, “New Cybersecurity Rules for Pentagon’s Commercial Satellite Vendors,” Nov 19, 2025. Via Satellite“DHS Wants Satellite Volunteers to Test New Cyber Tools,” Nov 17, 2025. Defense Daily“New National Space Cybersecurity Policy Emphasizes Intrusion Detection,” Nov 18, 2025. Mayer Brown legal analysis“Securing the Final Frontier,” Dec 11, 2025 (US and EU regulatory map).