Traces the path an adversary takes, and the data and signal sources needed to detect each step
Converged Detection Engineering turns each AN-THR into one or more AN-ATT entries. Each AN-ATT records the ordered chain of structural elements the adversary touches from initial foothold to objective, anchored by TOE references, and for each step on that chain it enumerates the data and signal sources a defender needs to observe the step. The source inventory aligned to those steps is the second deliverable; Incident Response Preparation uses both outputs to write detection signatures and response playbooks.
AST : FW : Firmware : 00 · SurfBeam2 modem firmware (parent chain SVC : DP : Data Plane : 00 → SEG : US : User : 00 → PCE : TE : Terrestrial : 00).
AN : THR : Threat : 00 · Sandworm (GRU Unit 74455). TOE → AST : FW : Firmware : 00.
One concrete path that an adversary realising the threat would traverse. Drawn from the publicly documented 2022 KA-SAT incident pattern.
| Field | Value |
|---|---|
| Identifier | AN : ATT : Attack Path : 00 |
| Description | Mass modem firmware-wipe via management-plane abuse: external VPN appliance compromise → KA-SAT management network access → abuse of the legitimate modem management interface → push of AcidRain wiper as a firmware update payload → modem flash and SPI EEPROM overwritten, modems bricked. |
| Driven by | AN : THR : Threat : 00 (Sandworm) |
| TOE chain (in order of traversal) | SEG : GR : Ground : 00 → SVC : CP : Control Plane : 00 → AST : SW : Software : 00 → AST : FW : Firmware : 00 |
| Source | Viasat post-incident report, 30 March 2022; CISA AA22-110A; SentinelOne AcidRain technical analysis. Path confirmed by post-incident analysis on the KA-SAT network. |
| Confidence | High. Path elements match the public reconstruction of the 24 February 2022 KA-SAT outage. |
TOE: SEG : GR : Ground : 00 · SVC : CP : Control Plane : 00 · AST : SW : Software : 00 · AST : FW : Firmware : 00

| Field | Required? | What to capture |
|---|---|---|
| LAYER / TAG / LABEL / ORDINAL | Required | Always AN : ATT : Attack Path : NN. |
| DESCRIPTION | Required | One short narrative of the path from initial access to objective; no marketing. |
| DRIVEN BY | Required | The AN-THR the path realises. Each AN-ATT names exactly one driver; if a path serves several threats, enumerate it once and add the others as cross-references. |
| TOE chain | Required | Ordered list of every structural element the adversary touches, written as fully-qualified enumerated identifiers. |
| STEPS | Recommended | One bullet per traversal step, each step naming the structural element it touches. Drives the source inventory below and the detection scope inherited downstream. |
| SOURCE | Required | Red-team report, public incident analysis, government brief, or peer ISAC bulletin. Hypothetical paths must be marked exercise-only and segregated. |
| CONFIDENCE | Recommended | How well the path is corroborated. |
For each step on AN : ATT : Attack Path : 00, enumerate the data and signal source a defender needs to observe the step happening. Where no source exists, mark a detection gap. This inventory is a Converged Detection Engineering deliverable and is what Incident Response Preparation reads when authoring signatures.
| Path step (TOE) | Required data / signal source | Status on this platform |
|---|---|---|
| SEG : GR : Ground : 00 | VPN appliance authentication and session telemetry; egress NetFlow from the management subnet. | Available; onboarded to SIEM under source id src-vpn-001. |
| SVC : CP : Control Plane : 00 | Management-plane authentication and authorization audit log; per-session command audit. | Available; onboarded as src-mgmtcp-002. |
| AST : SW : Software : 00 | Modem-management software command audit; firmware-update API call log including payload hash and signing manifest reference. | Available; onboarded as src-mgmtsw-003. |
| AST : FW : Firmware : 00 | Per-modem flash-write event with hash of the image actually written; signed-update verification result. | Available; onboarded as src-modemfw-004. |
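The inventory asks the Software and Firmware rows for the payload hash, the signing-manifest reference and the signed-update verification result because those fields are what lets a defender join the push to the write. The following Python is an added example, not code from the original page nor from any of the cited Viasat, CISA or SentinelOne reports: it correlates constructed sample events from src-mgmtsw-003 and src-modemfw-004 to surface the AST : SW → AST : FW step. The event field names, the manifest allow-list, the 60-second join window and the mass-push threshold are all assumptions made for illustration; signature authoring proper remains an Incident Response Preparation task.

```python
"""Correlate firmware-update pushes (src-mgmtsw-003) with per-modem flash
writes (src-modemfw-004) to observe the path step AST : SW -> AST : FW.

All events, field names and thresholds below are constructed for this
example; they are not the format of any real management system."""
from collections import defaultdict

# Constructed: image hashes covered by a valid signing manifest.
SIGNED_MANIFESTS = {
    "mf-2022-01": "sha256:1111",   # assumed legitimate image
}

# Assumed threshold: one management session pushing to more than this many
# modems is treated as a mass push.
MASS_PUSH_THRESHOLD = 3

# Constructed sample events from src-mgmtsw-003 (firmware-update API calls).
PUSH_EVENTS = [
    {"src": "src-mgmtsw-003", "ts": 100, "session": "s-1", "modem": "m-01",
     "payload_hash": "sha256:1111", "manifest": "mf-2022-01"},
    {"src": "src-mgmtsw-003", "ts": 200, "session": "s-7", "modem": "m-02",
     "payload_hash": "sha256:dead", "manifest": None},
    {"src": "src-mgmtsw-003", "ts": 201, "session": "s-7", "modem": "m-03",
     "payload_hash": "sha256:dead", "manifest": None},
    {"src": "src-mgmtsw-003", "ts": 202, "session": "s-7", "modem": "m-04",
     "payload_hash": "sha256:dead", "manifest": None},
    {"src": "src-mgmtsw-003", "ts": 203, "session": "s-7", "modem": "m-05",
     "payload_hash": "sha256:dead", "manifest": None},
]

# Constructed sample events from src-modemfw-004 (per-modem flash writes).
FLASH_EVENTS = [
    {"src": "src-modemfw-004", "ts": 105, "modem": "m-01",
     "written_hash": "sha256:1111", "sig_verified": True},
    {"src": "src-modemfw-004", "ts": 205, "modem": "m-02",
     "written_hash": "sha256:dead", "sig_verified": False},
    {"src": "src-modemfw-004", "ts": 206, "modem": "m-03",
     "written_hash": "sha256:dead", "sig_verified": False},
    {"src": "src-modemfw-004", "ts": 207, "modem": "m-04",
     "written_hash": "sha256:dead", "sig_verified": False},
    {"src": "src-modemfw-004", "ts": 208, "modem": "m-05",
     "written_hash": "sha256:dead", "sig_verified": False},
]


def correlate(pushes, flashes, window=60):
    """Return a list of (rule, detail) findings.

    Three checks, each tied to a field the source inventory requires:
      unsigned_push  - payload hash is not covered by a known signing manifest
      write_mismatch - image actually written differs from the image pushed,
                       or the modem reports the signed-update check failed
      mass_push      - one session pushed to more than MASS_PUSH_THRESHOLD modems
    """
    findings = []
    by_modem = defaultdict(list)
    for f in flashes:
        by_modem[f["modem"]].append(f)
    per_session = defaultdict(set)

    for p in pushes:
        per_session[p["session"]].add(p["modem"])
        expected = SIGNED_MANIFESTS.get(p["manifest"])
        if expected != p["payload_hash"]:
            findings.append(("unsigned_push", p["modem"]))
        # Join on modem id inside the window: the write this push caused.
        for f in by_modem[p["modem"]]:
            if 0 <= f["ts"] - p["ts"] <= window:
                if f["written_hash"] != p["payload_hash"] or not f["sig_verified"]:
                    findings.append(("write_mismatch", p["modem"]))

    for session, modems in per_session.items():
        if len(modems) > MASS_PUSH_THRESHOLD:
            findings.append(("mass_push", session))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, detail in correlate(PUSH_EVENTS, FLASH_EVENTS):
        print(f"{rule:15s} {detail}")
    print(summarize(correlate(PUSH_EVENTS, FLASH_EVENTS)))
```

Each rule depends on exactly one field the inventory marks as required: drop the signing-manifest reference from src-mgmtsw-003 and `unsigned_push` cannot be evaluated; drop the written-image hash or verification result from src-modemfw-004 and `write_mismatch` cannot be. That dependency is the argument for listing those fields in the inventory rather than just "firmware logs".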
Validation rules. Before declaring the source inventory complete: every AN-ATT step has at least one row; every "Available" status names a real source identifier the SIEM operator can resolve; gaps are recorded explicitly and assigned an owner before launch.
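The three validation rules as an executable check, added here as an example and not part of the original page. The AN-ATT record and the four "Available" rows are the ones documented above; the SIEM resolver is a constructed stand-in holding a known set of source ids, the `Gap` status value and the `owner` field are assumptions about how a gap row is recorded, and the second inventory is a constructed variant that exercises each failure mode (a step with no row, a gap with no owner, a source id the SIEM cannot resolve).

```python
"""Check a source inventory against the AN-ATT it covers.

The rules are the page's own: every step has a row, every "Available" row
names a source id the SIEM can resolve, and every gap has an owner.
The resolver below is a constructed stand-in, not a real SIEM API."""

ATTACK_PATH = {
    "id": "AN : ATT : Attack Path : 00",
    "driven_by": "AN : THR : Threat : 00",
    "toe_chain": [
        "SEG : GR : Ground : 00",
        "SVC : CP : Control Plane : 00",
        "AST : SW : Software : 00",
        "AST : FW : Firmware : 00",
    ],
}

# Inventory rows as documented on the page.
INVENTORY = [
    {"toe": "SEG : GR : Ground : 00", "status": "Available", "source_id": "src-vpn-001"},
    {"toe": "SVC : CP : Control Plane : 00", "status": "Available", "source_id": "src-mgmtcp-002"},
    {"toe": "AST : SW : Software : 00", "status": "Available", "source_id": "src-mgmtsw-003"},
    {"toe": "AST : FW : Firmware : 00", "status": "Available", "source_id": "src-modemfw-004"},
]

# Constructed variant: one failure per rule (no Firmware row at all,
# an unowned gap, and a source id with a typo that the SIEM cannot resolve).
BROKEN_INVENTORY = [
    {"toe": "SEG : GR : Ground : 00", "status": "Available", "source_id": "src-vpn-001"},
    {"toe": "SVC : CP : Control Plane : 00", "status": "Gap", "owner": None},
    {"toe": "AST : SW : Software : 00", "status": "Available", "source_id": "src-mgmtsw-3"},
]

# Constructed stand-in for the SIEM operator's source catalogue.
KNOWN_SOURCE_IDS = {"src-vpn-001", "src-mgmtcp-002", "src-mgmtsw-003", "src-modemfw-004"}


def siem_resolves(source_id):
    """Assumed resolver: true when the SIEM knows the source id."""
    return source_id in KNOWN_SOURCE_IDS


def validate_inventory(path, rows, resolver=siem_resolves):
    """Return a list of violations; an empty list means the inventory is complete."""
    violations = []

    # Rule 1: every step on the TOE chain has at least one row.
    covered = {r["toe"] for r in rows}
    for step in path["toe_chain"]:
        if step not in covered:
            violations.append(f"no inventory row for step {step}")

    for r in rows:
        # A row for an element the path never touches is a stray entry.
        if r["toe"] not in path["toe_chain"]:
            violations.append(f"row for {r['toe']} is not a step on {path['id']}")
        # Rule 2: "Available" must name a source id the SIEM can resolve.
        if r["status"] == "Available":
            sid = r.get("source_id")
            if not sid or not resolver(sid):
                violations.append(f"{r['toe']}: source id {sid!r} does not resolve in SIEM")
        # Rule 3: a gap is only acceptable with an owner assigned.
        elif r["status"] == "Gap":
            if not r.get("owner"):
                violations.append(f"{r['toe']}: gap has no owner")
        else:
            violations.append(f"{r['toe']}: unknown status {r['status']!r}")
    return violations


if __name__ == "__main__":
    for name, rows in (("documented", INVENTORY), ("broken", BROKEN_INVENTORY)):
        problems = validate_inventory(ATTACK_PATH, rows)
        print(f"{name}: {'complete' if not problems else 'incomplete'}")
        for p in problems:
            print("  -", p)
```

Run this as the gate before the inventory is declared complete: the documented inventory passes, the constructed variant reports three violations, and any row whose source id the resolver rejects is surfaced by name so the SIEM operator can fix the onboarding record rather than the inventory.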