
Full Spectrum Space Cybersecurity Professional

METEORSTORM Framework Overview

Workbook

The key concepts, structural data model, five framework functions, and three entry points from the METEORSTORM overview deck, in one printable reference for ongoing use after the course.

Classification: TLP:GREEN · SCORP² community only
Distribution notice: This workbook is for active SCORP² community members only. Unauthorized distribution will result in revocation of community membership.

Contents

  1. The data model · Four structural layers, the analytic fifth layer, element identifier format, target fields.
  2. The five framework functions · F01 Concept of Operations through F05 Adversary Management, with the problem each solves and the framework's answer.
  3. The Pentagon of Pain · Five mastery areas where investment provably imposes adversary cost.
  4. The three entry points · Activate, Integrate, Engage. Pick the one that matches your organization's current state.
  5. Worked-example references · Self-contained printable companions for the structural decomposition and each function, drawn from the publicly documented 2022 Viasat KA-SAT incident.
  6. Next steps and the full-course workbook · How this overview workbook combines with module workbooks into one course takeaway.

01 · The Data Model

METEORSTORM publishes a controlled, machine-readable vocabulary that every operator, vendor, and peer can read without translation. The vocabulary covers four structural layers (what the platform is) plus a fifth analytic layer (what defenders observe and build). Every analytic finding attaches back to a real structural element on the platform.

The four structural layers

Code · Layer · What it names
PCE · Primary Capability Environment · Where the platform operates (Terrestrial, Aquatic, Aerial, Orbital, Deep Space).
SEG · Segment · Operational role of each enclave (Launch, Link, Ground, User, Aquatic, Low/High/Near Altitude, Space, Deep Space).
SVC · Service · Functional plane the service runs on (Control Plane, Data Plane, Hybrid).
AST · Asset · Concrete element class (Hardware, Firmware, Software, Data, Signal, Hybrid).

The analytic fifth layer

Code · What it enumerates
AN-IOC · Indicator of Compromise. Confirmed indication that a converged space system has been compromised.
AN-IOA · Indicator of Attack. Confirmed indication that a converged space system has been attacked.
AN-ATT · Attack Path. Confirmed attack path for a converged space system.
AN-THR · Threat. Confirmed and active threat against a converged space system.
AN-DET · Detection Signature. Validated, operational pattern, signal, or logic that triggers on contextualized threat behavior.
AN-RES · Resilience Measure. Validated, operational protective capability ensuring resistance to or recovery from confirmed threats.

Element identifier format (ETEN)

LAYER : TAG : LABEL : ORDINAL

All four fields are required. Ordinals are scoped to the (LAYER, TAG) pair, so SEG : SP : Space : 00 and SEG : GR : Ground : 00 are distinct entries even though both end in 00.

Target fields (how analytic findings attach to structural elements)

Field · Used by · What it names
TOE · AN-IOC, AN-IOA, AN-ATT, AN-THR · Target of Exploitation. The structural elements observed on or targeted by the analytic entry.
TDM · AN-DET · Target of Detection Method. The structural element the signature observes.
TRE · AN-RES · Target of Remediation. The structural element the measure protects.

Full taxonomy reference. The open-source MISP meteorstorm taxonomy publishes the complete tag set with stable UUIDs. Companion PDF: Element Taxonomy & Ontology, Layer 1 to Layer 4.
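As an added example (not part of this workbook and not the METEORSTORM project's own tooling), a small Python validator that applies the identifier and target-field rules above: it parses ETEN identifiers, rejects an ordinal reused within the same (LAYER, TAG) pair, and checks that each analytic entry attaches through the target field its layer requires, to an element that actually exists in the structural catalog. The tag FW and the firmware element used in the sample catalog are constructed values, and analytic entries are represented as plain dicts because the workbook does not give their identifier format.

```python
import re
from collections import defaultdict

# Layer codes and target-field rules as the METEORSTORM data model states them.
STRUCTURAL_LAYERS = {"PCE", "SEG", "SVC", "AST"}
TARGET_FIELD = {"AN-IOC": "TOE", "AN-IOA": "TOE", "AN-ATT": "TOE", "AN-THR": "TOE",
                "AN-DET": "TDM", "AN-RES": "TRE"}

# LAYER : TAG : LABEL : ORDINAL, all four fields required; spacing around ':' is tolerated.
ETEN_RE = re.compile(r"^([A-Z]+)\s*:\s*([A-Z0-9]+)\s*:\s*([^:]+?)\s*:\s*(\d{2,})$")


def parse_eten(text):
    """Return (layer, tag, label, ordinal) for a structural identifier, or raise ValueError."""
    m = ETEN_RE.match(text.strip())
    if not m or m.group(1) not in STRUCTURAL_LAYERS:
        raise ValueError(f"malformed or non-structural ETEN identifier: {text!r}")
    layer, tag, label, ordinal = m.groups()
    return layer, tag, label, int(ordinal)


def validate_catalog(structural, analytic):
    """Return a list of rule violations; an empty list means the catalog is consistent.

    structural: ETEN strings.  analytic: dicts with a 'layer' key (AN-...) and one
    target-field key (TOE/TDM/TRE) holding the ETEN string of the element it attaches to.
    (Dict shape is an assumption of this example, not the framework's own format.)
    """
    problems = []
    seen = defaultdict(set)  # (layer, tag) -> ordinals used; ordinals are scoped to this pair
    known = set()
    for ident in structural:
        layer, tag, _label, ordinal = parse_eten(ident)
        if ordinal in seen[(layer, tag)]:
            problems.append(f"{ident}: ordinal {ordinal:02d} reused within ({layer}, {tag})")
        seen[(layer, tag)].add(ordinal)
        known.add((layer, tag, ordinal))
    for entry in analytic:
        layer = entry.get("layer")
        expected = TARGET_FIELD.get(layer)
        if expected is None:
            problems.append(f"{entry}: unknown analytic layer {layer!r}")
            continue
        if expected not in entry:
            found = [k for k in entry if k != "layer"]
            problems.append(f"{layer}: must attach via {expected}, not {found}")
            continue
        t_layer, t_tag, _l, t_ord = parse_eten(entry[expected])
        if (t_layer, t_tag, t_ord) not in known:
            problems.append(f"{layer}: {expected} points at unknown element {entry[expected]!r}")
    return problems
```

Feed it the structural tree from Concept of Operations and the analytic entries from the later functions; any threat, signature, or measure that does not anchor to a real element is listed rather than silently accepted.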

02 · The Five Framework Functions

The overview deck walks the five functions twice: the first pass is the Integrate deep-dive carousel, and the second pass gives each function a dedicated page with the problem it solves and how the framework solves it. The cards below consolidate both passes.

F01 · Concept of Operations
Decompose the platform tailored to your requirements.
  • Decompose only what your mission scope requires; you do not have to model the entire platform.
  • Capture the parent of each part you enumerate so any later finding traces back through the chain you decomposed.
  • Output: a scoped tree where every part you enumerated has a name, a parent, and a place in the design.
Problem: No shared structural vocabulary across the operational stack.
Solution: One framework that names the entire operational stack with one parent-child rule.

F02 · Contextualized Threat Modeling
Anchor every threat to the platform you just decomposed.
  • For every part of the platform, ask which threats actually apply to that specific part.
  • Anchor each threat to the part it would target, not in the abstract; an orbital threat is not the same as a ground-site threat.
  • Output: enumerated AN-THR elements where every entry's TOE points back at a real piece of your design.
Problem: Threats tracked as actor names with no link to the platform elements they target.
Solution: Every AN-THR binds via TOE to specific structural elements; threats anchor or they stay out of the catalog.

F03 · Converged Detection Engineering
Enumerate attack paths and the data and signals needed to detect each step.
  • For each cataloged threat, trace how an adversary could move through the platform to make it real.
  • For each step on each path, enumerate the data and signal sources needed to observe it; where no source exists, the gap is itself a finding the team must close before launch.
  • Output: a map of every path plus the data and signal source inventory that Incident Response Preparation will use to write signatures and playbooks.
Problem: Detection rules written before attack paths and source inventory exist.
Solution: Every adversary move chained, every data and signal source inventoried.

F04 · Incident Response Preparation
Write the detection signatures and the response playbooks.
  • For every step on every attack path, write the detection signature that fires on the data/signal source that Converged Detection Engineering (CDE) delivered.
  • For every signature, write the response playbook the Security Operations Center runs the moment the signature fires.
  • Output: tested detection signatures in an open format (RootA.io) and the playbooks they trigger, each tied back to the attack path it covers. No orphan signatures, and no signature without a playbook.
Problem: Vendor-locked signatures with no paired response playbook for the SOC.
Solution: Signatures in RootA, paired with response playbooks, every one linked to an attack-path step.

F05 · Adversary Management
Shrink the attack surface the threats keep using.
  • Identify the structural elements that show up across many threats and many attack paths.
  • Build resilience measures that shrink, harden, or eliminate those elements before launch, mapped to one of four TRE objectives (per NIST SP 800-160 v2): Anticipate, Withstand, Recover, Adapt.
  • Split each measure across two timelines: immediate compensating controls owned by Security Operations and Satellite Operations, and engineering remediation owned by Satellite Design & Engineering. The bridging control retires when the long-term fix lands.
Problem: The same adversary returns; the same flaw stays exposed; no shared posture across the three teams.
Solution: Profile the adversary, locate the leverage, coordinate the fix across SOC, SatOps, and SatDev/Eng.

03 · The Pentagon of Pain

Five organizational mastery areas where investment provably imposes adversary cost. Each area is exercised by one of the five framework functions. Detect, disrupt, and deter become measurable outcomes instead of slogans.

# · Mastery area · The adversary suffers when…
01 · Master Decomposition · …you know your platform better than they ever can.
02 · Master Contextualized Threat Modeling · …every strike they imagine is already prepared for.
03 · Master Converged Detection Engineering · …they cannot hide, and every move is seen.
04 · Master Exposure Management · …every path they take ends in a trap.
05 · Master Adversary Management · …their plans are known, broken, and turned against them.

04 · The Three Entry Points

No two organizations sit at the same starting capability. Pick the entry point that matches your current state.

Entry point · Best fit · What you do first
Activate · Ops already run; shared vocabulary does not. · Adopt the shared vocabulary inside your existing Threat Intel Platform so every confirmed finding reads the same way for every analyst, vendor, and partner. Federating with Space ISAC peers is a recommended next step, not a prerequisite.
Integrate · Platform being designed or rebuilt. · Align Security Operations, Satellite Operations, and Satellite Design & Engineering on the five-function process while the platform is being designed, so each team runs the framework as part of daily work rather than alongside it.
Engage · The three teams need to build production work product together. · Run exercises in an environment fully separate from production with SOC, SatOps, and SatDev/Eng, using synthetic adversary data, so the detection signatures, response playbooks, and resilience measures the three teams build during the exercise graduate straight into production the moment it closes.

Across all three entry points, the data model stays the same. The PCE / SEG / SVC / AST / AN structure, the element identifier format, and the target-field rules apply uniformly regardless of which entry point you start with.

05 · Worked-Example References

Each worked example is a self-contained printable companion based on the publicly documented 2022 Viasat KA-SAT incident. Pull them alongside this workbook when you want to see what a full, anchored analytic entry looks like.

Reference · What it demonstrates
Element Taxonomy & Ontology · The full four-layer structural decomposition with element enumeration process and annotation criteria.
Contextualized Threat Modeling · One concrete AN-THR anchored via TOE to the SurfBeam2 modem firmware element, with full annotation criteria and the rationale for why this threat anchors to firmware specifically.
Converged Detection Engineering · One concrete AN-ATT covering the VPN-compromise-through-firmware-overwrite chain, with the data and signal source inventory aligned to each step.
Incident Response Preparation · One enumerated AN-DET in RootA YAML covering the unauthorized firmware push, with TDM attachment and back-references to the upstream attack path.
Adversary Management + Adversary Profile · One enumerated AN-RES for hardened boot, plus a complete adversary-profile template for the Sandworm actor that carried out the operation.

06 · Next Steps and the Full-Course Workbook

This document is the overview workbook. The full course also includes five module workbooks, one per framework function, each structured the same way as this one (title page, classification banner, key concepts, worked examples, references).

How the workbooks combine

  1. Overview workbook (this document) · data model, five functions at altitude, Pentagon of Pain, entry points.
  2. Module 01 workbook · Concept of Operations. Structural decomposition walkthrough on a reference satellite platform, with the four-layer enumeration process applied end to end.
  3. Module 02 workbook · Contextualized Threat Modeling. AN-THR enumeration with the actor / capability / intel-source pattern, anchored against the platform from Module 01.
  4. Module 03 workbook · Converged Detection Engineering. AN-ATT enumeration plus the data and signal source inventory per attack path.
  5. Module 04 workbook · Incident Response Preparation. AN-DET authoring in RootA plus the paired response playbook for each signature.
  6. Module 05 workbook · Adversary Management. AN-RES enumeration mapped to the four TRE objectives plus the adversary-profile template.

End-of-course master workbook. Once a learner completes all five modules, the master workbook combines this overview workbook with each module workbook into one cumulative reference, signed by the same identity, with one classification banner and one continuous table of contents. Save this overview workbook now; the module workbooks slot in as you complete each module.

What to do with this document