Writes the RootA signature and the response playbook against the attack path and source inventory delivered upstream
Incident Response Preparation takes each attack path and its data and signal source inventory (both delivered by Converged Detection Engineering) and produces two analytic outputs: the detection signature that fires on the upstream source for each step, and the response playbook the Security Operations Center runs the moment the signature fires. Detection signatures are written in RootA.io, the open vendor-neutral detection language, and attach via TDM (Target of Detection Method) to the structural element the rule observes.
The upstream elements this worked example builds on:

- AST : FW : Firmware : 00 · SurfBeam2 modem firmware.
- AN : THR : Threat : 00 · Sandworm. TOE → Firmware.
- AN : ATT : Attack Path : 00 · VPN compromise → mgmt control plane → modem mgmt software → firmware overwrite.

The data and signal sources (src-vpn-001, src-mgmtcp-002, src-mgmtsw-003, src-modemfw-004) are enumerated against each step of AN : ATT : Attack Path : 00 in the upstream worked example. Incident Response Preparation reads that source inventory and writes the signature; it does not produce the inventory itself.
| Field | Value |
|---|---|
| Identifier | AN : DET : Detection Signature : 00 |
| Description | RootA rule that fires when a firmware-update command targets AST-FW elements outside the approved control-plane authentication context, or when the update payload signature fails to verify against a known vendor manifest. |
| TDM | AN : DET : Detection Signature : 00 via TDM → AST : FW : Firmware : 00 |
| Back-references | AN : ATT : Attack Path : 00 |
| Sources read | src-mgmtsw-003, src-modemfw-004 |
| Test result | FP rate < 1% on 30-day baseline of legitimate vendor firmware pushes; TP rate confirmed in red-team exercise RT-2026-Q2. |
| Source | Detection rule pack v2.4; test results TS-2026-Q2. |
```yaml
# meteorstorm.modem-firmware.unauthorized-push
name: meteorstorm.modem-firmware.unauthorized-push
title: Unauthorized firmware update pushed to subscriber modem
description: |
  Detects a firmware-update command targeting AST-FW elements when the command
  does not originate from an approved control-plane authentication context, or
  when the payload signature does not validate against a known vendor manifest.
  Designed against the KA-SAT firmware-wipe pattern (AcidRain).
references:
  # identifiers contain ": " and must be quoted to remain valid YAML scalars
  - meteorstorm: "AN : ATT : Attack Path : 00"
  - meteorstorm: "AN : THR : Threat : 00"
  - cisa: AA22-110A
status: stable
author: SCORP² community
tags:
  - meteorstorm.detection-signature
  - tdm.ast-fw
  - viasat-ka-sat
logsource:
  product: modem-management-platform
  category: firmware-update
detection:
  selection_action:
    command_class: firmware-update
    target_asset_class: AST-FW
  filter_authorized_context:
    auth_context: approved-control-plane
    payload_signature_valid: true
    vendor_manifest_match: true
  condition: selection_action and not filter_authorized_context
fields:
  - source_ip
  - target_modem_serial
  - update_payload_hash
  - control_plane_session_id
  - vendor_manifest_id
falsepositives:
  - Vendor-issued firmware updates pushed from outside the approved control plane
    alert even when the payload signature and vendor manifest are valid, because
    every field of filter_authorized_context must hold for the filter to pass.
level: high
```
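To make the condition concrete, the following added example (not the rule pack's or SCORP²'s own code) replays the rule's detection block over four constructed modem-management events. The event field names mirror the rule's fields; the events, addresses, serials and hashes are constructed, and the condition evaluator is a minimal one written here to cover the `and` / `or` / `not` grammar the rule uses. It assumes events arrive as flat dicts carrying an `event_id`.

```python
"""Added example (not SCORP² code): evaluates the detection block of
meteorstorm.modem-firmware.unauthorized-push over constructed events."""
from __future__ import annotations
from typing import Optional

# Detection block transcribed from the rule above (schema kept as the page shows it).
RULE = {
    "name": "meteorstorm.modem-firmware.unauthorized-push",
    "level": "high",
    "detection": {
        "selection_action": {"command_class": "firmware-update", "target_asset_class": "AST-FW"},
        "filter_authorized_context": {
            "auth_context": "approved-control-plane",
            "payload_signature_valid": True,
            "vendor_manifest_match": True,
        },
        "condition": "selection_action and not filter_authorized_context",
    },
    "fields": ["source_ip", "target_modem_serial", "update_payload_hash",
               "control_plane_session_id", "vendor_manifest_id"],
}


def block_matches(block: dict, event: dict) -> bool:
    """A block matches only when every listed field equals its expected value.
    A field absent from the log never matches, so an event that omits
    payload_signature_valid fails the filter and therefore alerts."""
    return all(event.get(key) == want for key, want in block.items())


def eval_condition(condition: str, results: dict) -> bool:
    """Tiny recursive-descent evaluator: identifiers, and, or, not, parentheses."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()          # evaluate both sides; no short-circuit
            value = value or rhs
        return value

    def parse_and() -> bool:
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in condition")
            pos += 1
            return value
        if tok not in results:
            raise ValueError(f"unknown block in condition: {tok}")
        return results[tok]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value


def evaluate(rule: dict, event: dict) -> Optional[dict]:
    """Return an alert carrying the rule's listed fields, or None."""
    det = rule["detection"]
    results = {name: block_matches(blk, event) for name, blk in det.items() if name != "condition"}
    if not eval_condition(det["condition"], results):
        return None
    return {"rule": rule["name"], "level": rule["level"], "event": event["event_id"],
            **{f: event.get(f) for f in rule["fields"]}}


def run(rule: dict, events: list) -> list:
    return [a for a in (evaluate(rule, e) for e in events) if a is not None]


# Constructed events: RFC 5737 addresses, invented serials and hashes.
BASE = {"command_class": "firmware-update", "target_asset_class": "AST-FW",
        "target_modem_serial": "SB2-000123", "update_payload_hash": "sha256:constructed-01",
        "vendor_manifest_id": "manifest-constructed-04"}
EVENTS = [
    # ev-1: vendor push from the approved control plane, signed, manifest matches: no alert.
    {**BASE, "event_id": "ev-1", "source_ip": "192.0.2.10", "control_plane_session_id": "cp-7781",
     "auth_context": "approved-control-plane", "payload_signature_valid": True, "vendor_manifest_match": True},
    # ev-2: VPN-borne session outside the approved context pushing a valid vendor image:
    # still alerts, since all three filter fields must hold for the filter to pass.
    {**BASE, "event_id": "ev-2", "source_ip": "198.51.100.23", "control_plane_session_id": "vpn-0042",
     "auth_context": "vpn-operator", "payload_signature_valid": True, "vendor_manifest_match": True},
    # ev-3: approved context but the image fails signature and manifest checks (wiper-style image): alerts.
    {**BASE, "event_id": "ev-3", "source_ip": "192.0.2.10", "control_plane_session_id": "cp-7790",
     "auth_context": "approved-control-plane", "payload_signature_valid": False, "vendor_manifest_match": False},
    # ev-4: configuration change, not a firmware update: selection fails, no alert.
    {**BASE, "event_id": "ev-4", "command_class": "config-update", "source_ip": "192.0.2.10",
     "control_plane_session_id": "cp-7791", "auth_context": "approved-control-plane",
     "payload_signature_valid": True, "vendor_manifest_match": True},
]

if __name__ == "__main__":
    for alert in run(RULE, EVENTS):
        print(alert["event"], alert["level"], alert["source_ip"], alert["target_modem_serial"])
```

Two of the four events alert (ev-2 and ev-3). ev-2 is the case the false-positive note describes: a valid image pushed from a non-approved context is still an alert, which is deliberate for the VPN-compromise step of the attack path.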
| Field | Required? | What to capture |
|---|---|---|
| LAYER / TAG / LABEL / ORDINAL | Required | Always AN : DET : Detection Signature : NN. |
| DESCRIPTION | Required | What the rule detects, in plain English. One short paragraph; no marketing. |
| TDM | Required | Fully-qualified enumerated identifier of the structural element the signature is deployed against and tested on. Not TOE. |
| BACK-REFERENCES | Required | The AN-ATT elements (and optionally AN-IOC / AN-IOA) the signature covers. No orphan signatures. |
| SOURCES READ | Required | Enumerated source identifiers (the src-* rows from the data-and-signal source table) the rule consumes. |
| RULE | Required | RootA YAML, attached or referenced. Sigma or Yara accepted as adjuncts for non-RootA-native sources. |
| TEST RESULT | Required | FP rate, TP rate, test data set or red-team exercise reference. A signature without test evidence does not graduate. |
| SOURCE | Required | The rule pack version and test-result document the entry was derived from. |
AN-DET back-references at least one AN-ATT (or AN-IOC / AN-IOA). A rule with no upstream analytic is by definition speculative; it does not belong in the catalogue.
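The graduation rules in the field table are mechanical enough to check before an entry reaches the catalogue. The following added example (not SCORP² tooling) validates an AN-DET entry against them: the identifier grammar `LAYER : TAG : LABEL : ORDINAL` is taken from the table, and the entry dicts and source inventory are constructed from the worked example above, with a second deliberately defective entry to show what an orphan signature and a TDM pointing at a non-AST element look like.

```python
"""Added example (not SCORP² tooling): checks an AN-DET catalogue entry against
the graduation rules in the field table. Entry dicts and inventory are constructed."""
from __future__ import annotations
import re

IDENT = re.compile(r"^([A-Z]{2,3}) : ([A-Z]{2,3}) : ([A-Za-z ]+) : (\d{2})$")
REQUIRED = ("identifier", "description", "tdm", "back_references",
            "sources_read", "rule", "test_result", "source")
ANALYTIC_PARENTS = {"ATT", "IOC", "IOA"}  # tags an AN-DET may back-reference


def parse_ident(ident: str) -> tuple:
    """Split 'AN : DET : Detection Signature : 00' into (layer, tag, label, ordinal)."""
    match = IDENT.match(ident)
    if not match:
        raise ValueError(f"malformed identifier: {ident!r}")
    return match.groups()


def validate(entry: dict, inventory: set) -> list:
    """Return graduation failures; an empty list means the entry graduates."""
    problems = [f"missing required field: {f}" for f in REQUIRED if not entry.get(f)]
    if problems:
        return problems  # semantics cannot be checked on an incomplete entry

    layer, tag, label, _ = parse_ident(entry["identifier"])
    if (layer, tag, label) != ("AN", "DET", "Detection Signature"):
        problems.append("identifier is not AN : DET : Detection Signature : NN")

    # TDM is the structural element the rule is deployed against: an AST element, not the TOE.
    tdm_layer = parse_ident(entry["tdm"])[0]
    if tdm_layer != "AST":
        problems.append(f"TDM must be an AST structural element, got {tdm_layer}")

    # No orphan signatures: at least one AN-ATT / AN-IOC / AN-IOA back-reference.
    parents = {parse_ident(ref)[:2] for ref in entry["back_references"]}
    if not any(lyr == "AN" and tg in ANALYTIC_PARENTS for lyr, tg in parents):
        problems.append("no AN-ATT / AN-IOC / AN-IOA back-reference (orphan signature)")

    # Sources read must be src-* rows the upstream inventory actually delivered.
    unknown = sorted(set(entry["sources_read"]) - inventory)
    if unknown:
        problems.append(f"sources not in delivered inventory: {unknown}")

    # Test evidence must carry both an FP and a TP figure or exercise reference.
    if not ("FP" in entry["test_result"] and "TP" in entry["test_result"]):
        problems.append("test result lacks FP/TP evidence")
    return problems


# Constructed from the worked-example table above.
INVENTORY = {"src-vpn-001", "src-mgmtcp-002", "src-mgmtsw-003", "src-modemfw-004"}
ENTRY = {
    "identifier": "AN : DET : Detection Signature : 00",
    "description": "RootA rule that fires on firmware-update commands outside the approved control-plane context.",
    "tdm": "AST : FW : Firmware : 00",
    "back_references": ["AN : ATT : Attack Path : 00"],
    "sources_read": ["src-mgmtsw-003", "src-modemfw-004"],
    "rule": "meteorstorm.modem-firmware.unauthorized-push",
    "test_result": "FP rate < 1% on 30-day baseline; TP rate confirmed in RT-2026-Q2.",
    "source": "Detection rule pack v2.4; test results TS-2026-Q2.",
}
# Constructed defective entry: references a threat rather than an analytic,
# points its TDM at an attack path, and reads a source nobody delivered.
ORPHAN = {**ENTRY,
          "identifier": "AN : DET : Detection Signature : 01",
          "back_references": ["AN : THR : Threat : 00"],
          "tdm": "AN : ATT : Attack Path : 00",
          "sources_read": ["src-mgmtsw-003", "src-unknown-009"]}

if __name__ == "__main__":
    for name, entry in (("ENTRY", ENTRY), ("ORPHAN", ORPHAN)):
        print(name, validate(entry, INVENTORY) or "graduates")
```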