MODULE 4
INCIDENT RESPONSE PREPAREDNESS
METEORSTORM™ Function Four
Translate detection capabilities into operational readiness
40 Slides | ~50 Minutes
Module 4 — Incident Response Preparedness
OPERATOR: —
SCORP² Practitioner | eHs® | TLP-GREEN
2
Function Four Purpose
Takes the resilience baseline from Function Three and turns it into actionable operational practices.
Rather than treating incident response as a reactive discipline, Function Four embeds resilience into daily operations.
Ensures dashboards, controls, and playbooks are active drivers of continuous engineering improvement — not shelf-ware.
KEY INSIGHT
Not just "what to do when attacked" — this is proactive operational readiness that keeps the mission running.
Why Static Incident Response Plans Fail
Traditional IR plans exist as static documents, disconnected from daily operations.
In converged environments, threats materialize across multiple domains simultaneously.
A plan that addresses cyber intrusions but has no playbook for EW interference leaves operators scrambling.
Function Four integrates response into daily operational rhythm.
MISSION QUESTION
Does your current IR plan address threats across all exposure domains — or just cyber?
The Four Key Activities
Step 1: Operational Dashboards → Step 2: Compensating Controls → Step 3: Adaptive Response Playbooks → Step 4: Feedback to Resilience Engineering
Each activity builds operational readiness progressively.
The feedback loop ensures lessons from every engagement improve the platform.
STEP 1: OPERATIONAL DASHBOARDS
Converged Visibility Across All Domains
Implementing Operational Dashboards
Dashboards visualize validated detections, resilience baselines, and system exposures.
Central visibility layer for monitoring both attack-path activity and compensating control effectiveness.
Must span ALL exposure domains — not just cyber alerts.
The dashboard is where convergence becomes operationally visible.
Dashboard Design for Converged Platforms
- Detection alerts by taxonomy layer (PCE, SEG, SVC, AST)
- Telemetry health status across all segments
- Coverage gaps highlighted (from Function Three matrix)
- Active threat indicators mapped to CONOPS elements
- Compensating control status
Key: Single pane of glass across kinetic, EW, cyber, and environmental domains.
STARCOM-LEO: Dashboard Implementation
Appendix D, Step 1
- Satellite constellation status, orbital telemetry, onboard health
- Control station alerts, facility security, network status
- RF signal quality, optical link status, link margin
- Terminal connections, traffic patterns, user authentication
Each panel maps directly to CONOPS segments from Module 1.
Monitoring Attack-Path Activity
Dashboard overlays attack paths from Function Three onto real-time telemetry.
When detection signatures fire, the dashboard shows which attack path is progressing.
Analysts see not just an alert, but the threat's position in the platform architecture.
OPERATIONAL ADVANTAGE
Enables informed response decisions instead of alert-chasing.
STEP 2: COMPENSATING CONTROLS
Mission-Continuity Bridges
Deploying Compensating Controls
- Deploy controls for exposures that cannot be immediately remediated
- Telemetry-based guardrails that detect anomalies before they become incidents
- Access restrictions limiting blast radius of potential compromises
- Response automation that triggers protective actions without human latency
Critical: Compensating controls sustain mission continuity until engineering fixes are available.
Telemetry-Based Guardrails
Automated thresholds on critical telemetry streams:
- Flag command volumes exceeding operational norms
- Alert when signal-to-noise ratio drops below operational threshold
- Continuous hash verification against known-good baselines
- Flag unexpected attitude or position deviations
Guardrails operate continuously, not just during incident response.
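An added example (not from the module or the METEORSTORM project) of the four guardrails above evaluated against one ground-station contact. The baseline command counts, SNR floor, attitude tolerance, firmware identifier and image bytes are constructed values; the hash check assumes the satellite reports its firmware image (or its digest) in telemetry.

```python
import hashlib
import statistics
from dataclasses import dataclass
from typing import List

# Constructed baseline and known-good values (not from the module).
COMMAND_COUNT_BASELINE = [38, 41, 40, 37, 42, 39, 40, 41]   # commands per pass, historical norm
SNR_FLOOR_DB = 9.0                                          # assumed operational link threshold
MAX_ATTITUDE_ERROR_DEG = 0.5                                # assumed pointing tolerance
KNOWN_GOOD_FIRMWARE = {"obc-v3.2": hashlib.sha256(b"constructed firmware image").hexdigest()}

@dataclass
class PassTelemetry:          # telemetry summary for one ground-station contact
    station: str
    command_count: int
    snr_db: float
    firmware_id: str
    firmware_image: bytes     # image (or the bytes whose digest the satellite reports)
    attitude_error_deg: float

def guardrail_findings(t: PassTelemetry, sigma: float = 3.0) -> List[str]:
    """Evaluate one pass against the four guardrails; returns the flags raised (empty = clean)."""
    flags = []
    mean, stdev = statistics.mean(COMMAND_COUNT_BASELINE), statistics.stdev(COMMAND_COUNT_BASELINE)
    # 1. Command volume above the operational norm (mean + sigma * stdev of the baseline)
    limit = mean + sigma * stdev
    if t.command_count > limit:
        flags.append(f"CMD_VOLUME:{t.command_count}>{limit:.1f}")
    # 2. Signal-to-noise ratio below the operational threshold
    if t.snr_db < SNR_FLOOR_DB:
        flags.append(f"SNR_LOW:{t.snr_db}<{SNR_FLOOR_DB}")
    # 3. Continuous hash verification of onboard firmware against the known-good baseline
    expected = KNOWN_GOOD_FIRMWARE.get(t.firmware_id)
    if expected is None or hashlib.sha256(t.firmware_image).hexdigest() != expected:
        flags.append(f"FIRMWARE_HASH_MISMATCH:{t.firmware_id}")
    # 4. Unexpected attitude or position deviation
    if abs(t.attitude_error_deg) > MAX_ATTITUDE_ERROR_DEG:
        flags.append(f"ATTITUDE_DEV:{t.attitude_error_deg}")
    return flags
```

Each flag names the guardrail that fired, so the same output can feed the Step 1 dashboard and the Step 3 playbook trigger conditions.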
Access Restrictions and Response Automation
- Limit command authority to authenticated, authorized operators during defined windows
- Automated isolation: disconnect compromised segments without manual intervention
- Tiered access: different authorization levels for routine operations vs emergency commands
OPERATIONAL REALITY
Automation speed is critical — space platforms may have only minutes of contact per orbit.
STARCOM-LEO: Compensating Controls
Appendix D, Step 2
| Control | Description |
|---|---|
| Command Auth | Multi-factor authentication for all satellite commands |
| RF Monitoring | Automated jammer detection on all ground station receivers |
| Firmware Verification | Hash check before any software upload to constellation |
| Traffic Analysis | Automated baseline comparison for gateway traffic patterns |
| Link Redundancy | Automatic failover to backup ground stations on link degradation |
Sustaining Mission Continuity
Compensating controls are not permanent solutions — they are mission-continuity bridges.
Each control maps to a specific threat and CONOPS element.
Controls must be regularly tested and validated.
MISSION QUESTION
Which of your platform's exposures have NO compensating control today?
STEP 3: ADAPTIVE RESPONSE PLAYBOOKS
Living Documents Tied to Detection Architecture
Creating Adaptive Response Playbooks
Playbooks translate enriched detections into tiered response procedures.
Guide analysts on WHEN to trigger compensating controls, escalate incidents, or adjust telemetry.
Adaptive: playbooks evolve based on detection performance and incident outcomes.
Not static runbooks — living documents tied to the detection architecture.
Playbook Structure
| Component | Description |
|---|---|
| Trigger Condition | Which detection(s) activate this playbook |
| Classification | Threat type, exposure domain, severity tier |
| Response Actions | Ordered steps by tier |
| Escalation Criteria | When to escalate to next tier |
| METEORSTORM Tags | Associated AN-THR, AN-DET, PCE, SEG, SVC, AST |
Each playbook is traceable back to specific threats and detections.
Response Tiers
- Tier 1, Analyst Investigation: Validate alert, gather context, classify
- Tier 2, Control Activation: Deploy compensating controls, restrict access
- Tier 3, Incident Escalation: Activate incident command, notify stakeholders
- Tier 4, Telemetry Adjustment: Modify detection thresholds, add monitoring, close gaps
Each tier has defined decision points and handoff procedures.
STARCOM-LEO: Adaptive Playbook Example
Appendix D, Step 3 — RF Link Interference Response
Trigger: DET:01 (RF SNR deviation) fires on 2+ ground stations within 10 min
Tier 1: Analyst checks space weather data, confirms not environmental
Tier 2: Activate backup ground station, increase link margin
Tier 3: Escalate to mission command, notify constellation ops
Tier 4: Adjust RF monitoring thresholds based on interference pattern
Tags: THR:00, PCE-OR, PCE-TE, SEG-LI, SEG-GR, AST:SI:00
Playbook Integration with SIEM
Playbooks triggered automatically when SIEM detections fire.
METEORSTORM taxonomy tags enable automatic playbook selection.
When an AN-DET detection fires, the system identifies the associated AN-THR threat and maps the event to its playbook.
OPERATIONAL ADVANTAGE
Reduces analyst decision time from minutes to seconds.
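An added example (not from the module or the METEORSTORM project) that turns the STARCOM-LEO RF Link Interference playbook into data and wires it to a SIEM hook: the DET tag on each event selects the playbook, and the trigger condition (DET:01 on 2+ distinct ground stations within 10 minutes) is evaluated over the event history before the Tier 1 action is returned. The station names, timestamps and the unmapped DET:99 tag in the replay are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Playbook:
    name: str
    trigger_det: str      # AN-DET tag that activates this playbook
    min_stations: int     # distinct ground stations required inside the window
    window: timedelta
    tags: List[str]       # METEORSTORM tags carried with the playbook
    tiers: List[str]      # ordered actions, Tier 1..4

Detection = namedtuple("Detection", "det_tag station ts")  # one SIEM detection event

# The STARCOM-LEO RF Link Interference playbook from the slide above, expressed as data.
RF_INTERFERENCE = Playbook(
    "RF Link Interference Response", "DET:01", 2, timedelta(minutes=10),
    ["THR:00", "PCE-OR", "PCE-TE", "SEG-LI", "SEG-GR", "AST:SI:00"],
    ["Analyst checks space weather data, confirms not environmental",
     "Activate backup ground station, increase link margin",
     "Escalate to mission command, notify constellation ops",
     "Adjust RF monitoring thresholds based on interference pattern"])

def select_playbook(det_tag: str, library: List[Playbook]) -> Optional[Playbook]:
    """Taxonomy-driven selection: the DET tag on the event picks the playbook."""
    return next((p for p in library if p.trigger_det == det_tag), None)

def trigger_met(pb: Playbook, history: List[Detection]) -> bool:
    """True once pb.trigger_det has fired at >= min_stations distinct stations within window."""
    hits = sorted((d for d in history if d.det_tag == pb.trigger_det), key=lambda d: d.ts)
    for i, first in enumerate(hits):
        stations = {d.station for d in hits[i:] if d.ts - first.ts <= pb.window}
        if len(stations) >= pb.min_stations:
            return True
    return False

def on_siem_event(det: Detection, history: List[Detection], library: List[Playbook]) -> Optional[str]:
    """SIEM hook: record the event; if its playbook's trigger holds, return the Tier 1 action."""
    history.append(det)
    pb = select_playbook(det.det_tag, library)
    if pb is None or not trigger_met(pb, history):
        return None
    return f"{pb.name} | Tier 1: {pb.tiers[0]} | tags={','.join(pb.tags)}"

def replay(feed, library: List[Playbook]) -> List[Optional[str]]:  # feed: (det_tag, station, minutes)
    t0, history = datetime(2024, 1, 1, 12, 0), []   # constructed epoch for the replay
    return [on_siem_event(Detection(t, s, t0 + timedelta(minutes=m)), history, library) for t, s, m in feed]
```

The replay returns None until the second distinct station fires inside the window, which is the point where the playbook, not the analyst, decides that the alert is actionable.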
STEP 4: FEEDBACK TO RESILIENCE ENGINEERING
Closing the Continuous Improvement Loop
The Closed-Loop Feedback Process
Incident outcomes inform updated requirements (feeds back to Function One CONOPS).
Dashboard findings drive telemetry design improvements.
Compensating control performance informs fault-tolerant architecture for future platforms.
KEY INSIGHT
This feedback loop is what makes METEORSTORM a continuous cycle, not a one-time assessment.
Incident Outcomes Inform Requirements
After every incident: review mission requirements against what actually happened.
- Did the threat model predict this attack path? If not, update Function Two
- Were detections effective? If not, update Function Three signatures
- Were compensating controls sufficient? If not, design new controls
- Feed all findings back through the five-function cycle
Dashboard Findings Drive Telemetry Design
Persistent dashboard gaps reveal telemetry blind spots.
Blind spots become engineering requirements for next platform generation.
Example: if orbital telemetry gaps prevent real-time detection, require store-and-forward alerting.
Engineering teams receive specific, data-driven requirements from operational experience.
Controls Inform Architecture
Compensating controls that remain deployed for extended periods indicate architectural weaknesses.
These weaknesses become design requirements for future platform releases.
Example: persistent need for command rate limiting → design hardware command authentication into next satellite bus.
KEY INSIGHT
The feedback loop ensures each generation of platform is more resilient than the last.
STARCOM-LEO: Feedback Loop Example
Appendix D, Step 4
Scenario: Repeated RF interference events revealed gap in inter-satellite link monitoring.
Feedback: Added optical link telemetry requirements to CONOPS.
Result: Next constellation generation includes onboard interference classification.
KEY TAKEAWAY
The five-function cycle turned operational experience into engineering improvement.
REAL-WORLD APPLICATION
The Viasat KA-SAT Incident
The Viasat KA-SAT Incident
2022 cyberattack against Viasat's KA-SAT network.
Ground-based management infrastructure compromised.
Malicious firmware update propagated to user modems.
Tens of thousands of modems bricked — widespread physical consequence from cyber attack.
KEY LESSON
Demonstrates why converged incident response is essential — a cyber attack caused physical-layer destruction.
Progressive Tag Application During Live Incidents
The Viasat incident began as terrestrial ground infrastructure compromise (PCE-TE, SEG-GR).
Expanded to link and user segments as firmware propagated.
METEORSTORM tags applied progressively as scope expanded.
Tags track incident evolution, not just the end state.
Multi-Layer Impact Documentation
- Firmware assets (AST-FW), Hardware assets (AST-HW), Signal assets (AST-SI)
- Control plane (SVC-CP) and data plane (SVC-DP) services
METEORSTORM captured this multi-layer impact in structured, machine-readable format.
KEY INSIGHT
Traditional IR documentation would miss the cross-domain connections.
Analytic Layer Precision
Different intelligence events from the incident received different AN tags:
| Tag | Application |
|---|---|
| AN-ATT | Attack path documentation |
| AN-IOC | Compromised infrastructure artifacts |
| AN-THR | Threat attribution |
| AN-DET | Detection signatures created after |
| AN-RES | Resilience measures deployed |
Tags applied as incident evolved, not all at once.
Guardrail Compliance Under Pressure
Most complex events in the Viasat walkthrough required 13 METEORSTORM tags.
Exceeded the standard 5-7 tag threshold.
Documented analyst justification for each additional tag.
Demonstrates proper guardrail compliance even during high-pressure incidents.
Guardrails exist to maintain quality, not to prevent thorough analysis.
AN-RES: Resilience Measures in the Taxonomy
AN-RES tags document protective capabilities ensuring resistance or recovery from threats.
| Tag | Resilience Measure |
|---|---|
| RES:00 | Ground station redundancy (backup control station) |
| RES:01 | Firmware rollback capability |
| RES:02 | RF frequency hopping for anti-jam |
| RES:03 | Onboard autonomous safe mode |
Resilience measures are tracked alongside threats and detections.
FUNCTION FOUR SUMMARY
Outputs, Checklists, and Integration
Function Four Output
- Operational dashboards spanning all exposure domains
- Library of compensating controls mapped to specific threats
- Tiered adaptive response playbooks integrated with SIEM
- Documented feedback mechanism channeling lessons into engineering
Detection Architecture (F3) → IR Preparedness (F4) → Adversary Management (F5)
Operational Readiness Checklist
- Operational dashboards deployed covering all CONOPS segments
- Compensating controls active for all un-remediated exposures
- Adaptive playbooks created for each high-priority detection
- Response tiers defined with clear escalation criteria
- Feedback process documented linking incidents to engineering
- Dashboard metrics tracked and reviewed regularly
- Playbooks tested through tabletop exercises
Integration with Maturity Model
| Level | Name | Description |
|---|---|---|
| 1 | Foundation | Taxonomy enabled, basic awareness |
| 2 | Structured Tagging | Consistent tagging on all events |
| 3 | Threat-Informed | Full CONOPS and threat model complete |
| 4 | Detection-Integrated | Detection signatures deployed, coverage matrix maintained (Function Four establishes this level) |
| 5 | Adversary-Aligned | Full five-function cycle operational |
Intelligence Workflow Integration
Receive Intelligence → Map to METEORSTORM Tags → Fuse with Internal Telemetry → Route to Function
Select Findings → Apply Structural Context Tags → Attach TLP/PAP → Publish to Communities
Consistent tagging enables automated correlation across organizational boundaries. The shared taxonomy strengthens collective defense with every intelligence exchange.
Module 4 Summary
- Function Four embeds resilience into daily operations, not just incident response plans
- Dashboards, controls, and playbooks all map to METEORSTORM taxonomy elements
- The Viasat KA-SAT incident demonstrates why converged response is essential
- The feedback loop ensures every engagement improves the platform
Next: Module 5 — Adversary Management