FULL SPECTRUM SPACE CYBERSECURITY PROFESSIONAL
(SCOR Practitioner)
Session 1: Foundations — METEORSTORM & Space Collective Defense
Delivered by ProofLabs | ethicallyHackingspace (eHs)® | D2 Team CORP
NICCS Training Provider — CISA Listed | US Space-ISAC Member
SCOR Practitioner — Session 1
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN
Course Overview
Duration: 4 hours (Day 1 of 2)
Domains: 5 knowledge domains, 40 min each
Breaks: 10 min every hour
Assessment: Integrated rubric (4-level scale)
Credential: 45/60 points minimum to pass
Book: SCORP² Cookbook Vol. 0: Foundations
  • Apply METEORSTORM taxonomy to real space platforms
  • Conduct contextualized threat modeling for space missions
  • Develop Priority Intelligence Requirements (PIRs)
  • Design converged detection engineering workflows
  • Instrument telemetry pipelines for space environments
This course is grounded in the SCORP² Cookbook series — a six-volume professional library for practitioners defending complex, multi-domain platforms.
Session 1 Schedule
Time | Topic | Duration | End
09:00 | Domain 1 — Decomposition: METEORSTORM framework, five-layer taxonomy, PCE layer, threat categories | 40 min | 09:40
09:40 | Domain 2 — Analytics (Part 1): Analytic layer elements (ATT, IOC, IOA, THR, DET, RES) | 10 min | 09:50
09:50 | BREAK | 10 min | 10:00
10:00 | Domain 2 — Analytics (Part 2): Enrichment sources — SPARTA, Space SHIELD, ATT&CK, FiGHT, ATLAS, EMB3D, NIST 800-53, ISA/IEC 62443 | 30 min | 10:30
10:30 | Domain 3 — PIR (Part 1): Minimum baseline intelligence requirements, mission-driven prioritization | 20 min | 10:50
10:50 | BREAK | 10 min | 11:00
11:00 | Domain 3 — PIR (Part 2): PIR exercises and assessment | 20 min | 11:20
11:20 | Domain 4 — Detection Engineering (Part 1): Minimum baseline detection, signature design aligned with METEORSTORM | 30 min | 11:50
11:50 | BREAK | 10 min | 12:00
12:00 | Domain 4 — Detection Engineering (Part 2): Cross-layer integration, exercises and assessment | 10 min | 12:10
12:10 | Domain 5 — Telemetry Instrumentation: Minimum baseline telemetry, data collection and normalization, monitoring and situational awareness | 40 min | 12:50
12:50 | BREAK | 10 min | 13:00
Instruction: 200 min | Breaks: 40 min | Total: 240 min
Assessment Framework
4 Exemplary — Exceeds all criteria with independent application
3 Proficient — Meets all criteria with minimal guidance
2 Developing — Partially meets criteria, requires support
1 Beginning — Does not yet meet criteria independently
  • 3 criteria per domain × 4 points = 12 max/domain
  • 5 domains × 12 = 60 total points
  • Pass: ≥45/60 composite, no domain <6/12
  • Methods: Exercises, Checkpoints, Capstones
DOMAIN 1
Decomposition
METEORSTORM Function One: Concept of Operations
40 MINUTES
L1 PCE: TE / AQ / AE / OR / DS
L2 SEG: LA / LI / GR / US / AQ / LO / HI / NE / SP / DE
L3 SVC: CP / DP / HY
L4 AST: HW / FW / SW / DA / SI / HY
L5 AN: ATT / IOC / IOA / THR / DET / RES
Learning Objectives
  1. Define the METEORSTORM taxonomy and its five layers
  2. Apply PCE, SEG, SVC, AST, and AN designators to a real platform
  3. Distinguish between orbital and terrestrial PCE environments
  4. Use METEORSTORM nomenclature to tag platform elements
  5. Decompose STARCOM-LEO into all five taxonomy layers
  6. Explain why convergence requires a unified analytical language
Block A: The Convergence Imperative
  • Adversaries do not think in terms of “cyber” or “physical” — they target the mission
  • A satellite can be attacked via RF jamming, ground station intrusion, or kinetic strike
  • Traditional frameworks (NIST CSF, ATT&CK, ISO 27001) were designed for enterprise IT, not converged platforms
  • No firewall can be placed between a ground station antenna and a hostile jammer
  • SPARTA and SPACE-SHIELD advanced space security but do not span all PCE environments
  • What is needed is an analytical layer that ingests all framework outputs into a unified structure
METEORSTORM: Multiple Environment Threat Evaluation Of Resources, Space Threats Operational Risk to Missions
“Convergence is not an abstract concept — it is the operational reality that METEORSTORM was designed to address.”
— SCORP² Cookbook, Section 1.3
  • Mission First — every decision anchored to mission requirements
  • Structural Traceability — full chain from threat to asset
  • Vendor Agnosticism — deployable across any SIEM platform
  • Continuous Adaptation — iterative improvement cycle
  • Convergence by Default — spans all operational environments
The Five-Layer Taxonomy
L1 PCE (Primary Capability Environment): TE / AQ / AE / OR / DS. Surface, water, atmospheric, orbital, and deep space operational zones
L2 SEG (Segment): LA / LI / GR / US / AQ / LO / HI / NE / SP / DE. Groups services and assets by operational role within the platform
L3 SVC (Service): CP / DP / HY. Control Plane, Data Plane, and Hybrid service functions
L4 AST (Asset): HW / FW / SW / DA / SI / HY. Hardware, firmware, software, data, signal, and hybrid components
L5 AN (Analytic): ATT / IOC / IOA / THR / DET / RES. Security-specific overlays: attack paths, indicators, threats, detections, resilience
Taxonomy Layers: Detail Reference
L1 PCE + L2 SEG
PCE Environments (exact MISP tags)
PCE-TE Terrestrial — surface-based operational zones
PCE-AQ Aquatic — water-based zones (incl. non-Earth)
PCE-AE Aerial — atmospheric zones
PCE-OR Orbital — planetary/satellite orbits
PCE-DS Deep Space — beyond orbital regimes
Key SEG values
SEG-GR Ground | SEG-SP Space | SEG-LI Link | SEG-US User | SEG-LA Launch
L3 SVC + L4 AST
SVC Services
SVC-CP Control Plane — managing and orchestrating platform control functions
SVC-DP Data Plane — managing and orchestrating mission product functions
SVC-HY Hybrid — integrating both control and data plane functionalities
AST Assets
AST-HW Hardware | AST-FW Firmware | AST-SW Software
AST-DA Data | AST-SI Signal | AST-HY Hybrid
Nomenclature Example
meteorstorm:AST="AST-HW"
L5 AN Analytic
Analytic Elements + Key Questions
AN-ATT Attack Path — Is there a disclosed attack path?
AN-IOC Indicator of Compromise — Has this system been compromised?
AN-IOA Indicator of Attack — Is this system currently under attack?
AN-THR Threat — Is this platform being targeted?
AN-DET Detection Signature — Is there a detection signature?
AN-RES Resilience Measure — Is there a resilience measure available?
Guided Application: STARCOM-LEO
STARCOM-LEO: A fictional LEO broadband constellation providing global internet coverage via 48 satellites. Designed to be representative of real-world LEO broadband systems. Every METEORSTORM layer is exercised through this example throughout the course.
Layer | STARCOM-LEO Elements
PCE | PCE-OR (Orbital) + PCE-TE (Terrestrial)
SEG | SEG-SP (Space) + SEG-GR (Ground) + SEG-US (User) + SEG-LI (Link)
SVC | SVC-CP (Control Plane: TT&C, command uplink) + SVC-DP (Data Plane: broadband relay)
AST | AST-HW (transceivers, antennas) + AST-FW (flight software) + AST-DA (telemetry data) + AST-SI (RF signals)
Exposure | Kinetic | Non-Kinetic (DEW, EMP) | EW (jamming, spoofing) | Cyber | Environmental (space weather)
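The STARCOM-LEO decomposition above, checked mechanically. This is an added example, not part of the course material: it validates tags against the designators listed on the taxonomy slides and reports which layers a platform leaves untagged. It assumes every layer follows the `meteorstorm:AST="AST-HW"` shape shown on the nomenclature slide; the three malformed tags are constructed.

```python
import re

# Designators per layer, copied from the taxonomy slides (L1 to L5).
TAXONOMY = {
    "PCE": ("TE", "AQ", "AE", "OR", "DS"),
    "SEG": ("LA", "LI", "GR", "US", "AQ", "LO", "HI", "NE", "SP", "DE"),
    "SVC": ("CP", "DP", "HY"),
    "AST": ("HW", "FW", "SW", "DA", "SI", "HY"),
    "AN": ("ATT", "IOC", "IOA", "THR", "DET", "RES"),
}
LAYERS = tuple(TAXONOMY)  # preserves L1..L5 order

# Assumed general shape, taken from the slide example meteorstorm:AST="AST-HW".
TAG_RE = re.compile(r'^meteorstorm:([A-Z]+)="([A-Z]+)-([A-Z]+)"$')


def parse_tag(tag):
    """Return the designator (e.g. 'AST-HW') or raise ValueError with the reason."""
    match = TAG_RE.match(tag.strip())
    if match is None:
        raise ValueError(f'{tag}: not of the form meteorstorm:LAYER="LAYER-CODE"')
    predicate, prefix, code = match.groups()
    if predicate not in TAXONOMY:
        raise ValueError(f"{tag}: unknown layer {predicate}")
    if prefix != predicate:
        raise ValueError(f"{tag}: value prefix {prefix} does not match layer {predicate}")
    if code not in TAXONOMY[predicate]:
        raise ValueError(f"{tag}: {code} is not a {predicate} designator")
    return f"{predicate}-{code}"


def ambiguous_codes():
    """Codes reused by more than one layer; a bare code cannot be resolved."""
    seen = {}
    for layer, codes in TAXONOMY.items():
        for code in codes:
            seen.setdefault(code, []).append(layer)
    return {code: layers for code, layers in seen.items() if len(layers) > 1}


def decompose(tags):
    """Group valid tags by layer; report rejected tags and untagged layers."""
    by_layer = {layer: [] for layer in LAYERS}
    rejected = []
    for tag in tags:
        try:
            designator = parse_tag(tag)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        layer = designator.split("-", 1)[0]
        if designator not in by_layer[layer]:
            by_layer[layer].append(designator)
    missing = [layer for layer in LAYERS if not by_layer[layer]]
    return by_layer, missing, rejected


# Elements from the guided-application table, then three constructed bad tags.
STARCOM_LEO = [
    'meteorstorm:PCE="PCE-OR"', 'meteorstorm:PCE="PCE-TE"',
    'meteorstorm:SEG="SEG-SP"', 'meteorstorm:SEG="SEG-GR"',
    'meteorstorm:SEG="SEG-US"', 'meteorstorm:SEG="SEG-LI"',
    'meteorstorm:SVC="SVC-CP"', 'meteorstorm:SVC="SVC-DP"',
    'meteorstorm:AST="AST-HW"', 'meteorstorm:AST="AST-FW"',
    'meteorstorm:AST="AST-DA"', 'meteorstorm:AST="AST-SI"',
    'meteorstorm:AST="SEG-GR"',  # constructed: value taken from the wrong layer
    'meteorstorm:SVC="SVC-AQ"',  # constructed: AQ exists, but not in SVC
    'meteorstorm:SEG=SEG-GR',    # constructed: value not quoted
]

if __name__ == "__main__":
    by_layer, missing, rejected = decompose(STARCOM_LEO)
    for layer in LAYERS:
        print(f"{layer:4}", ", ".join(by_layer[layer]) or "(none)")
    print("layers with no tag:", missing)
    print("codes shared across layers:", ambiguous_codes())
    for reason in rejected:
        print("rejected:", reason)
```

The table stops at Layer 4, so the run reports AN as the only untagged layer. AQ and HY each appear in two layers, which is why the layer prefix has to travel with the code.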
Checkpoint & Capstone
Q1
Name the five taxonomy layers in order and give one example tag from each.
Q2
Why does METEORSTORM use 'Orbital' (PCE-OR) instead of 'Space' for the orbital environment?
CAPSTONE ACTIVITY
Given a novel platform of your choice, identify one element for each of the first four layers using METEORSTORM MISP tag notation.
Assessment Rubric: Decomposition
Criterion | Exemplary (4) | Proficient (3) | Developing (2) | Beginning (1)
Taxonomy Identification | Names all 5 layers with correct MISP designators | Names 4–5 layers correctly | Names 2–3 layers | Names fewer than 2 layers
Nomenclature Application | Applies correct MISP tag notation independently | Applies notation with minor errors | Applies with guidance | Cannot apply notation
Platform Decomposition | Decomposes all 5 layers for novel platform | Decomposes 4 layers | Decomposes 2–3 layers | Decomposes 1 or fewer layers
Max Score: 12 pts
DOMAIN 2
Analytics
METEORSTORM Function Two: Contextualized Threat Modeling
40 MINUTES
Learning Objectives
  1. Explain the purpose and structure of Layer 5 (Analytic)
  2. Distinguish between ATT, IOC, IOA, THR, DET, and RES elements
  3. Identify appropriate enrichment sources for space-domain threats
  4. Differentiate mapped vs. derived enrichment methodologies
  5. Formalize a threat element (AN-THR) from a mission requirement
  6. Attach threat elements to CONOPS using METEORSTORM notation
The Analytic Layer (Layer 5)
ATT (Attack Path): Known or modeled attack path for a converged space system. Key question: Is there a disclosed attack path?
IOC (Indicator of Compromise): Verifiable indication that the platform has been compromised. Key question: Has this system been compromised?
IOA (Indicator of Attack): Verifiable indication that the platform has been targeted. Key question: Is this system currently under attack?
THR (Threat): Known or modeled threat to the platform. Key question: Is this platform being targeted by a specific threat?
DET (Detection Signature): Pattern, signal, or logic that triggers on contextualized threat behavior. Key question: Is there a detection signature for this?
RES (Resilience Measure): Protective capability ensuring resistance or recovery from threats. Key question: Is there a resilience measure available?
Enrichment Sources
  • SPARTA (Aerospace Corp) — First ATT&CK-style matrix for spacecraft TTPs covering reconnaissance, initial access, execution, persistence, and impact
  • Space SHIELD (ESA) — ATT&CK-like knowledge base for the space segment and communication links
  • US Space-ISAC — Threat intelligence sharing for the space community
  • MITRE ATT&CK — Enterprise and ICS TTPs; detection signatures reference ATT&CK identifiers
  • MITRE FiGHT — 5G telecom threats across radio interface, core network, and service layer
  • MITRE ATLAS — Adversarial AI/ML threats: data poisoning, model evasion, adversarial input
  • MITRE EMB3D — Embedded device threats relevant to spacecraft firmware
  • NIST 800-53 / ISA/IEC 62443 — Security controls and industrial standards
METEORSTORM ingests outputs from all these frameworks as enrichment layers — it does not replace them.
Mapped vs. Derived Enrichment
MAPPED

Direct structural alignment of an external framework element to the METEORSTORM taxonomy. The external framework provides the intelligence; METEORSTORM provides the structural address.

Example:
SPARTA TTP → meteorstorm:AN="AN-ATT"
ATT&CK technique → meteorstorm:AN="AN-THR"
DERIVED

Analyst-generated correlation producing novel insights beyond what any single existing framework provides. Combines observations from multiple sources.

Example:
Ground SIEM alert + RF anomaly → new AN-THR
Orbital geometry data + telemetry deviation → new AN-IOA
Contextualized Threat Modeling: Function Two
Mission Requirement → Failure Concern → Threat Element (AN-THR) → CONOPS Attachment → Coverage Validation
FUNCTION TWO KEY ACTIVITIES (from SCORP² Cookbook, Section 3.2)
1. Identify failure concerns — reason from mission requirements, not abstract threat catalogs
2. Formalize as AN-THR — assign a structured METEORSTORM identifier to each threat
3. Attach to CONOPS elements — link threats to the PCE, SEG, SVC, and AST they affect
4. Validate coverage — confirm every mission requirement has at least one associated threat
5. Update CONOPS diagram — add threat nodes and connections to create a visual threat map
Checkpoint & Capstone
Q1
What key question does AN-IOA answer versus AN-IOC? Give an example of each in a space context.
Q2
Name two enrichment sources appropriate for space-segment threats and explain what each contributes.
CAPSTONE ACTIVITY
Given a mission requirement for STARCOM-LEO, formalize a threat element (AN-THR) and attach it to at least two CONOPS elements using MISP tag notation.
Assessment Rubric: Analytics
Criterion | Exemplary (4) | Proficient (3) | Developing (2) | Beginning (1)
Analytic Layer Comprehension | Explains all 6 AN elements with correct key questions | Explains 4–5 AN elements | Explains 2–3 elements | Explains 1 or fewer
Enrichment Source Application | Selects optimal sources with justification for space context | Selects appropriate sources | Selects with guidance | Cannot identify sources
Threat-to-Element Mapping | Maps threat to CONOPS with full MISP notation | Maps with minor notation errors | Maps with guidance | Cannot map threat elements
Max Score: 12 pts
DOMAIN 3
Priority Intelligence Requirements
METEORSTORM Function Three, Step 1: Intelligence Governance
40 MINUTES
Learning Objectives
  1. Define Priority Intelligence Requirements (PIRs) in a space context
  2. Describe the PIR lifecycle: generation through operationalization
  3. Distinguish reactive vs. proactive intelligence postures
  4. Apply four prioritization criteria to candidate PIRs
  5. Write well-formed PIR statements using METEORSTORM notation
  6. Represent PIRs as structured MISP objects
Intelligence Governance Foundations
1. Generation
2. Validation
3. Prioritization
4. Operationalization
5. Review & Refresh
  • Reactive posture: respond after detection — limited foresight
  • Proactive posture: anticipate before occurrence — intelligence-driven
  • PIR bridges Function Two (Threat Modeling) → Function Three (Detection Engineering)
  • Formal governance structures define how intelligence questions are generated, validated, prioritized, and operationalized
  • Configure MISP using METEORSTORM taxonomy to represent PIRs as structured objects
  • Every PIR must be traceable to a mission requirement and a METEORSTORM-tagged platform element
Writing Effective PIR Statements
PIR TEMPLATE
“What [adversary capability / technique] exists to [action] against [METEORSTORM-tagged platform element]?”
1. Mission Impact: How critical is the affected element?
2. Adversary Likelihood: How probable is this threat actor?
3. Intelligence Gap Severity: How unknown is this threat?
4. Telemetry Support: Can we detect this if answered?
MISP representation: PIRs stored as structured objects tagged with METEORSTORM taxonomy + TLP/PAP markings
STARCOM-LEO PIR Examples
PIR-01
What nation-state capabilities exist to inject unauthorized commands into STARCOM-LEO ground station C2 links during scheduled pass windows?
SEG-GR | AST-DA | SVC-CP
PIR-02
What RF interference techniques could disrupt STARCOM-LEO inter-satellite optical link performance below mission-critical thresholds?
SEG-LI | AST-SI | PCE-OR
PIR-03
What supply chain compromise vectors target STARCOM-LEO flight software update mechanisms and what indicators would be observable?
AST-SW | AST-FW | SVC-CP
PIR Development Exercise
DEVELOP 2 PIR STATEMENTS. EACH MUST:
  1. Reference specific METEORSTORM MISP taxonomy tags (PCE, SEG, SVC, AST, or AN)
  2. Link to at least one formalized threat element (AN-THR) from Domain 2
  3. Include prioritization rationale across all four criteria
Peer review + instructor feedback | Reference: SCORP² Cookbook Section 3.3
Checkpoint & Capstone
Q1
What distinguishes a PIR from a general intelligence question? What makes it 'priority'?
Q2
How does a well-formed PIR connect directly to detection engineering in Function Three?
CAPSTONE ACTIVITY
Present your strongest PIR: identify all METEORSTORM elements, explain the prioritization rationale, and describe the detection capability it drives.
Assessment Rubric: PIR
Criterion | Exemplary (4) | Proficient (3) | Developing (2) | Beginning (1)
PIR Construction | Well-formed PIR with correct MISP notation and appropriate scope | Correct structure, minor notation gaps | Partially formed PIR | Cannot construct a PIR
Prioritization Rationale | All 4 criteria addressed with evidence | 3 criteria addressed | 1–2 criteria addressed | No rationale provided
Downstream Integration | Links PIR to detection capability and telemetry source | Links to detection only | Partial linkage | No downstream connection
Max Score: 12 pts
DOMAIN 4
Converged Detection Engineering
METEORSTORM Function Three: Steps 2–7
40 MINUTES
Learning Objectives
  1. Map attack paths using METEORSTORM layer identifiers
  2. Explain the Collective Defense Language (CDL) and roota.io platform
  3. Inventory telemetry sources across space platform segments
  4. Derive Indicators of Attack (IOA) from observable anomalies
  5. Design vendor-agnostic detection signatures using CDL
  6. Identify telemetry constraints unique to LEO satellite platforms
Attack Path Mapping
Threat: AN-THR | Entry Vector: SEG-GR | Traversal: AST-DA → AST-SI | Impact: SVC-CP disrupted
STARCOM-LEO: Unauthorized Command Injection (Appendix A)
1. Adversary gains access to ground station network (SEG-GR)
2. Injects malicious commands via C2 uplink during scheduled pass window (AST-DA)
3. Commands traverse to satellite bus via RF link (AST-SI)
4. Satellite control plane operations disrupted (SVC-CP)
5. Detection observable: command outside scheduled window or from unregistered source IP
Collective Defense Language & roota.io
CDL Detection Logic
Write Once, Deploy Everywhere
ELK / OpenSearch
Splunk
Azure Sentinel
QRadar
  • Vendor-agnostic signature translation layer — eliminates SIEM vendor lock-in
  • Enables cross-organization detection sharing across the space community
  • Integrates with METEORSTORM AN-DET elements for full traceability
  • Detection signatures in Function Three reference ATT&CK identifiers via CDL
  • roota.io generates vendor-agnostic signatures that dynamically mirror adversary behavior
Telemetry Inventory
  • Availability: continuous vs. per-pass (15-min gaps between ground contacts)
  • Format compatibility: SIEM-native vs. parser required (RF metrics are not natively SIEM-compatible)
  • Retention policies: data lifecycle and storage constraints
  • Fidelity: signal-to-noise ratio and data quality scoring
  • Ground station network logs — continuous, standard IT format
  • Satellite command audit logs — per-pass only
  • RF signal quality metrics — continuous, requires RF-to-SIEM bridge
  • Optical link performance data — subject to downlink bandwidth constraints
  • Inter-pass blind periods: ~15-minute gaps between ground contacts create detection windows where no telemetry is received
  • Bandwidth-constrained downlinks: optical link anomaly data competes with routine telemetry for limited downlink capacity
  • Non-standard signal monitoring: RF quality metrics require specialized equipment not natively SIEM-compatible
  • Proprietary formats: constellation management software uses vendor-specific log formats requiring custom parsers
  • Latency: telemetry may arrive seconds or minutes after the event
Indicators of Attack (IOA) — STARCOM-LEO
IOA-00
Command outside scheduled window or from unregistered source IP
Telemetry: Ground station command audit logs
Linked Threat: Unauthorized command injection (AN-THR:00)
IOA-01
Sudden degradation in RF carrier-to-noise ratio without corresponding weather or orbital geometry explanation
Telemetry: RF signal quality metrics
Linked Threat: RF interference / jamming (AN-THR:01)
IOA-02
Telemetry values deviating from predicted orbital mechanics model without corresponding maneuver command
Telemetry: Satellite telemetry streams, constellation management logs
Linked Threat: Kinetic or cyber-physical disruption (AN-THR:02)
IOA-03
Sustained asymmetric traffic pattern at gateway indicating potential volumetric flooding
Telemetry: Gateway traffic flow records
Linked Threat: Data plane denial-of-service (AN-THR:03)
IOA-04
Optical link bit error rate spike not correlated with known orbital geometry constraints
Telemetry: Optical link performance data
Linked Threat: Inter-satellite link disruption (AN-THR:04)
IOA-05
Unexpected software hash mismatch during scheduled integrity verification of satellite flight code
Telemetry: Satellite command audit logs, software management records
Linked Threat: Supply chain / firmware compromise (AN-THR:05)
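IOA-00 from the list above, written as detection logic over command audit log lines. This is an added example, not part of the course material; the log layout, satellite names, command names, pass windows, and registered source range are constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed inputs (assumptions for this example, not course data).
PASS_WINDOWS = {  # scheduled ground-contact windows per satellite, UTC
    "SAT-07": [("2025-03-01T10:00:00Z", "2025-03-01T10:10:00Z"),
               ("2025-03-01T11:35:00Z", "2025-03-01T11:45:00Z")],
}
REGISTERED_SOURCES = ["10.20.0.0/28"]  # command consoles allowed to uplink

AUDIT_LOG = """\
2025-03-01T10:02:11Z sat=SAT-07 src=10.20.0.5 cmd=SET_MODE_NOMINAL
2025-03-01T10:09:59Z sat=SAT-07 src=10.20.0.77 cmd=UPLOAD_TABLE
2025-03-01T10:40:03Z sat=SAT-07 src=10.20.0.5 cmd=SET_MODE_SAFE
2025-03-01T11:50:00Z sat=SAT-07 src=192.0.2.44 cmd=SET_MODE_SAFE
2025-03-01T11:36:00Z sat=SAT-99 src=10.20.0.5 cmd=PING
truncated-record
"""

# Tags follow the attack path slide: entry at SEG-GR, impact on SVC-CP.
IOA_TAGS = ['meteorstorm:AN="AN-IOA"', 'meteorstorm:SEG="SEG-GR"',
            'meteorstorm:SVC="SVC-CP"']


def parse_time(text):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 onward.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_record(line):
    """Parse one audit line; raises KeyError or ValueError if it is malformed."""
    stamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "time": parse_time(stamp),
        "sat": fields["sat"],
        "src": ipaddress.ip_address(fields["src"]),
        "cmd": fields["cmd"],
    }


def detect_ioa_00(log_text, windows=PASS_WINDOWS, sources=REGISTERED_SOURCES):
    """Return (alerts, unparsed_lines) for commands that match IOA-00."""
    networks = [ipaddress.ip_network(net) for net in sources]
    schedule = {sat: [(parse_time(a), parse_time(b)) for a, b in spans]
                for sat, spans in windows.items()}
    alerts, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except (KeyError, ValueError):
            unparsed.append(line)  # surfaced for review, never silently dropped
            continue
        reasons = []
        # A satellite with no schedule has no valid window at all.
        spans = schedule.get(rec["sat"], [])
        if not any(start <= rec["time"] <= end for start, end in spans):
            reasons.append("outside_scheduled_window")
        if not any(rec["src"] in net for net in networks):
            reasons.append("unregistered_source_ip")
        if reasons:
            alerts.append({
                "ioa": "IOA-00",
                "threat": "AN-THR:00",
                "time": rec["time"].isoformat(),
                "sat": rec["sat"],
                "src": str(rec["src"]),
                "cmd": rec["cmd"],
                "reasons": reasons,
                "tags": list(IOA_TAGS),
            })
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = detect_ioa_00(AUDIT_LOG)
    for alert in found:
        print(alert["time"], alert["sat"], alert["src"], alert["cmd"],
              ",".join(alert["reasons"]))
    print("unparsed lines:", bad)
```

Because the satellite command audit logs arrive per pass only, the `time` field is the time the command was logged, not the time the record reached the SIEM, and the window check has to use it.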
Detection Design Exercise
SELECT ONE ATTACK PATH FROM SLIDE 31 (ATTACK PATH MAPPING). THEN:
  1. Identify entry vector, traversal, and impact using METEORSTORM MISP tag identifiers
  2. Inventory telemetry sources for each stage — note availability and format constraints
  3. Draft one IOA statement: “[Observable condition] at [telemetry source] indicating [threat]”
Group discussion: telemetry gaps and compensating controls | Reference: SCORP² Cookbook Appendix C
Checkpoint & Capstone
Q1
What is the purpose of the Collective Defense Language? How does it solve the vendor lock-in problem?
Q2
Name one telemetry constraint unique to LEO satellite platforms and describe a compensating control.
CAPSTONE ACTIVITY
Present your IOA: state the observable, the telemetry source, the linked threat (AN-THR), and explain how you would validate it against simulated telemetry.
Assessment Rubric: Detection Engineering
Criterion | Exemplary (4) | Proficient (3) | Developing (2) | Beginning (1)
Attack Path Mapping | Full path mapped with all METEORSTORM MISP IDs | Path mapped with minor gaps | Partial path mapping | Cannot map attack path
IOA Derivation | IOA with observable, telemetry source, and threat link | IOA with 2 of 3 components | IOA with 1 component | Cannot derive IOA
Telemetry Awareness | Identifies sources for all stages plus constraints | Identifies sources for most stages | Identifies 1–2 sources | Cannot identify sources
Max Score: 12 pts
DOMAIN 5
Telemetry Instrumentation
METEORSTORM Functions Three & Four
40 MINUTES
Learning Objectives
  1. Categorize telemetry types across space platform segments
  2. Describe the METEORSTORM ingress workflow for telemetry processing
  3. Design operational dashboards organized by taxonomy layer
  4. Identify compensating controls for telemetry gaps
  5. Produce an instrumentation plan for a space segment
  6. Explain the RF-to-SIEM bridge concept and its necessity
Instrumentation Architecture: STARCOM-LEO
Ground Station Network Logs: Continuous | SEG-GR | Standard IT format | Direct SIEM ingestion
Satellite Command Audit Logs: Per-pass only | SEG-SP | ~15-min gaps between passes
RF Signal Quality Metrics: Continuous | SEG-LI | Requires RF-to-SIEM bridge adapter
Optical Link Performance: Continuous (on-orbit) | SEG-SP | Subject to downlink bandwidth constraints
Constellation Management Logs: Continuous | SEG-GR | Proprietary format, requires custom parser
Gateway Traffic Flow Records: Continuous | SEG-US | Standard NetFlow format
User Terminal Logs: Continuous | SEG-US | Authentication and usage data
Satellite H&H Telemetry: Per-pass | SEG-SP | Health and housekeeping data
RF-to-SIEM Bridge: Deployed at each ground station to convert RF quality metrics into structured log events compatible with the detection ecosystem. Initially a compensating control; recommended for integration into ground station baseline architecture.
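A sketch of what the RF-to-SIEM bridge does, followed by the IOA-01 check it makes possible. This is an added example, not part of the course material or any vendor's adapter: the raw line layout, station and satellite names, and the three thresholds are constructed assumptions. The SEG-LI and AST-SI tags come from the tables on this page.

```python
import json
from collections import defaultdict, deque
from datetime import datetime
from statistics import median

# Assumed thresholds; a real deployment tunes these per link budget.
DROP_DB = 6.0        # drop below baseline that counts as sudden degradation
MIN_ELEV_DEG = 10.0  # below this, orbital geometry explains a weak carrier
BASELINE_N = 3       # clean samples needed before a link is evaluated

# Constructed sample export from a ground-station RF monitor (layout assumed).
RAW_RF = """\
2025-03-01T10:00:00Z gs=GS-01 sat=SAT-07 cn=14.0 elev=41 rain=0
2025-03-01T10:01:00Z gs=GS-01 sat=SAT-07 cn=13.6 elev=48 rain=0
2025-03-01T10:02:00Z gs=GS-01 sat=SAT-07 cn=14.3 elev=55 rain=0
2025-03-01T10:03:00Z gs=GS-01 sat=SAT-07 cn=5.1 elev=60 rain=0
2025-03-01T10:04:00Z gs=GS-01 sat=SAT-07 cn=6.0 elev=58 rain=1
2025-03-01T10:05:00Z gs=GS-01 sat=SAT-07 cn=7.0 elev=7 rain=0
2025-03-01T10:06:00Z gs=GS-01 sat=SAT-07 cn=-- elev=5 rain=0
"""

RF_TAGS = ['meteorstorm:SEG="SEG-LI"', 'meteorstorm:AST="AST-SI"']


def bridge(raw_text):
    """Convert raw RF metric lines into structured, tagged log events."""
    events, rejected = [], []
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        try:
            stamp, *pairs = line.split()
            fields = dict(pair.split("=", 1) for pair in pairs)
            events.append({
                "@timestamp": datetime.fromisoformat(
                    stamp.replace("Z", "+00:00")).isoformat(),
                "source": "rf_signal_quality",
                "ground_station": fields["gs"],
                "satellite": fields["sat"],
                "cn_db": float(fields["cn"]),
                "elevation_deg": float(fields["elev"]),
                "rain": fields["rain"] == "1",
                "tags": list(RF_TAGS),
            })
        except (KeyError, ValueError):
            rejected.append(line)  # kept for review instead of dropped
    return events, rejected


def to_ndjson(events):
    """One JSON object per line, a shape most SIEM ingest paths accept."""
    return "\n".join(json.dumps(event, sort_keys=True) for event in events)


def detect_ioa_01(events):
    """Flag sudden C/N drops that neither weather nor geometry explains.

    Events must be in time order. The first BASELINE_N samples per link
    are assumed clean and only build the baseline.
    """
    baselines = defaultdict(lambda: deque(maxlen=BASELINE_N))
    alerts = []
    for event in events:
        history = baselines[(event["ground_station"], event["satellite"])]
        if len(history) < BASELINE_N:
            history.append(event["cn_db"])
            continue
        drop = median(history) - event["cn_db"]
        if drop < DROP_DB:
            history.append(event["cn_db"])  # normal sample, baseline follows
            continue
        # Degraded samples never enter the baseline, explained or not.
        explained = event["rain"] or event["elevation_deg"] < MIN_ELEV_DEG
        if not explained:
            alerts.append({**event, "ioa": "IOA-01", "threat": "AN-THR:01",
                           "drop_db": round(drop, 1),
                           "tags": event["tags"] + ['meteorstorm:AN="AN-IOA"']})
    return alerts


if __name__ == "__main__":
    parsed, bad = bridge(RAW_RF)
    print(to_ndjson(parsed))
    for alert in detect_ioa_01(parsed):
        print("IOA-01", alert["@timestamp"], alert["satellite"], alert["drop_db"], "dB")
    print("rejected lines:", len(bad))
```

Of the three degraded samples, only the 10:03 one is flagged; the 10:04 drop coincides with rain and the 10:05 drop with low elevation.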
METEORSTORM Ingress Workflow
1. Receive Raw Data: Collect telemetry from all sources across PCE/SEG
2. Map to Tags: Assign PCE/SEG/SVC/AST/AN MISP identifiers
3. Record Confidence: Score data quality, fidelity, and retention
4. Fuse in MISP: Aggregate into structured intelligence objects
5. Route: Send to Detection / Response workflows
Operational Dashboards — STARCOM-LEO
Constellation Health View
Primary Audience: Mission Operations Center
Real-time overlay of all 48 satellites showing telemetry status, RF link quality, optical link performance, and active IOA alerts mapped to METEORSTORM segments and assets
Control Plane Security View
Primary Audience: Ground Control Station Operators
Command audit trail visualization, authentication status, scheduled vs. actual command activity, and IOA-00 / IOA-05 alert status for unauthorized command and software integrity indicators
Data Plane Performance View
Primary Audience: Gateway and Network Operations
Traffic flow analysis, gateway utilization, user terminal connection health, and IOA-03 alert status for data plane denial-of-service indicators
Compensating Controls — STARCOM-LEO
1. Inter-Pass Telemetry Gap
   Onboard autonomous anomaly detection: satellite flight software flags command processing anomalies locally and transmits a priority alert buffer at first ground contact
   Linked: THR-00, THR-01, THR-02
2. RF Monitoring Not SIEM-Compatible
   RF-to-SIEM bridge adapter deployed at each ground station: converts RF quality metrics into structured log events compatible with the detection ecosystem
   Linked: THR-01
3. Optical Link Bandwidth Constraints
   Tiered telemetry priority scheme: optical link anomaly data promoted to high-priority downlink queue, displacing routine telemetry when bit error rate thresholds are exceeded
   Linked: THR-04
Instrumentation Planning Exercise
IDENTIFY 3 TELEMETRY SOURCES ACROSS DIFFERENT SEGMENTS:
  1. Describe the format and normalization required for each source
  2. Assign METEORSTORM MISP taxonomy tags (PCE, SEG, SVC, AST)
  3. Identify 1 telemetry gap and propose a compensating control with linked threat
Reference: SCORP² Cookbook Appendix C telemetry inventory table
Checkpoint & Capstone
Q1
What is the purpose of the METEORSTORM ingress workflow? What happens at each of the five steps?
Q2
Why is an RF-to-SIEM bridge necessary for space platform security? What problem does it solve?
CAPSTONE ACTIVITY
Produce a mini instrumentation plan for one segment: 2 telemetry sources with MISP tags, format notes, and 1 compensating control linked to a specific threat.
Assessment Rubric: Telemetry Instrumentation
Criterion | Exemplary (4) | Proficient (3) | Developing (2) | Beginning (1)
Instrumentation Design | 3 sources with full MISP tags and format notes | 3 sources with partial tags | 1–2 sources identified | Cannot identify sources
Normalization Understanding | Describes normalization pipeline for all sources | Describes for most sources | Partial description | Cannot describe normalization
Gap Analysis & Mitigation | Gap identified with compensating control and linked threat | Gap identified, no control | Partial gap analysis | No gap analysis
Max Score: 12 pts
Composite Scoring Summary
# | Domain | Criterion 1 | Criterion 2 | Criterion 3 | Total | Min Pass
1 | Decomposition | Taxonomy Identification | Nomenclature Application | Platform Decomposition | 12 | ≥6
2 | Analytics | Analytic Layer Comprehension | Enrichment Source Application | Threat-to-Element Mapping | 12 | ≥6
3 | PIR | PIR Construction | Prioritization Rationale | Downstream Integration | 12 | ≥6
4 | Detection Eng. | Attack Path Mapping | IOA Derivation | Telemetry Awareness | 12 | ≥6
5 | Telemetry | Instrumentation Design | Normalization Understanding | Gap Analysis & Mitigation | 12 | ≥6
COMPOSITE TOTAL | 60 | ≥45
Pass threshold: ≥45/60 composite AND no domain below 6/12
Session 1 Recap
D1: Decomposition
METEORSTORM taxonomy provides a universal analytical language for converged space platform defense
D2: Analytics
Layer 5 transforms raw intelligence into actionable threat elements linked to mission-specific CONOPS
D3: PIR
Priority Intelligence Requirements drive proactive, mission-aligned defense and precede detection engineering
D4: Detection Eng.
Converged detection bridges threat models to operational capability via CDL and IOA derivation
D5: Telemetry
Instrumentation sustains continuous situational awareness across all segments despite space-unique constraints
Key Takeaways
1. Decomposition enables everything
   You cannot defend what you cannot describe — the METEORSTORM taxonomy is the foundation of all subsequent analysis
2. Analytics transforms awareness
   Raw data becomes actionable intelligence through Layer 5 enrichment and the six AN element types
3. PIRs drive proactive defense
   Mission-aligned intelligence requirements must precede detection engineering, not follow it
4. Detection bridges models to operations
   CDL and IOA derivation translate threat models into vendor-agnostic operational signatures
5. Telemetry sustains awareness
   Continuous instrumentation — including compensating controls for space-unique gaps — is the lifeblood of space cyber defense
Session 2 Preview
Day 2: Live Exercise — Zendir.io Digital Twin
  1. D6: Space Situational Awareness
  2. D7: Satellite Operations
  3. D8: Payload Operations
  4. D9: Satellite Operations Incident Response
  5. D10: Satellite Cyber IR Operations
Red Team vs. Blue Team culminating exercise
The METEORSTORM Framework
F1: CONOPS (D1)
F2: Threat Modeling (D2)
F3: Detection Engineering (D3–D4)
F4: Incident Response (D5)
F5: Adversary Management (Session 2)
Session 1 domains highlighted — Session 2 continues the cycle. Each function produces structured outputs that serve as inputs to the next.
Resources
SCORP² Cookbook Volume 0 — Foundations — Core reference for METEORSTORM methodology (primary course text)
SPARTA — Aerospace Corporation — Spacecraft TTP catalog (sparta.aerospace.org)
Space SHIELD — ESA — Space segment threat library (spaceshield.esa.int)
MITRE ATT&CK / FiGHT / ATLAS / EMB3D — Cross-domain TTP frameworks (attack.mitre.org, fight.mitre.org, atlas.mitre.org)
NIST SP 800-53 / ISA/IEC 62443 — Security controls and industrial standards
roota.io — Collective Defense Language platform for vendor-agnostic detection signatures
Zendir.io — Digital Twin platform for live exercises (Session 2)
Course Partners
ProofLabs
Course Delivery Partner
Operational training and exercise facilitation
ethicallyHackingspace (eHs)®
Curriculum Developer
METEORSTORM framework and course content
D2 Team CORP
Incubator Partner
Innovation and program development support
Your Micro-Credential
SCOR Practitioner
Full Spectrum Space Cybersecurity Professional
Blockchain-verified | Valid 12 months
8 CPE Credits upon completion of both sessions
Session 2 completes your certification
Thank You
See you for Session 2