MODULE 5
ADVERSARY MANAGEMENT
METEORSTORM™ Function Five
Close the loop between intelligence and operational defense
40 Slides | ~50 Minutes
Module 5 — Adversary Management
OPERATOR: —
SCORP² Practitioner | eHs® | TLP-GREEN
Function Five Purpose
Closes the loop between intelligence collection and operational defense by maintaining structured adversary profiles synchronized with detection engineering.
Ensures every observation of adversary behavior translates into concrete defensive action, creating an adaptive posture capable of maintaining parity with adversary evolution.
Function Five transforms threat intelligence into operationally actionable defense. Without it, intelligence remains informational rather than operational.
Why Static Threat Assessments Fail
Adversary behavior is not static. Threat actors continuously adapt:
- Adapt techniques in response to defensive measures
- Exploit new vulnerabilities as platforms evolve
- Shift targeting based on geopolitical and strategic considerations
- Develop novel capabilities that bypass existing detection architectures
KEY INSIGHT
A point-in-time threat assessment becomes stale the moment it’s published. Function Five creates a living, continuously updated adversary awareness.
The Four Key Activities
1. Develop Adversary Profiles → 2. Assess Attraction & Exposure → 3. Align Detections to TTPs → 4. Validate & Feed Back
Each activity connects adversary intelligence directly to detection engineering. The cycle feeds back into Function One, completing the METEORSTORM loop.
STEP 1
DEVELOP ADVERSARY PROFILES
Structured profiles capturing behavioral attributes aligned to the METEORSTORM taxonomy
Structured Adversary Profiles
Develop and maintain profiles capturing behavioral attributes aligned to METEORSTORM taxonomy:
- Observed and hypothesized tactics, techniques, and procedures
- Campaign context and historical targeting patterns
- Associated indicators and resilience measure linkages
- Profiles use the same taxonomy identifiers as threats, detections, and CONOPS elements
A single shared language means adversary profiles directly reference the same platform elements as your threat model and detection signatures.
Profile Components
| Component | Description | METEORSTORM Link |
|---|---|---|
| Tactics | High-level adversary objectives | AN-THR threats |
| Techniques | Specific methods employed | AN-ATT attack paths |
| Procedures | Implementation details | AN-IOA/IOC indicators |
| Campaign Context | Historical operations and targeting | PCE/SEG scope |
| Indicators | Observable artifacts from past ops | AN-DET signatures |
| Resilience Gaps | Known defensive weaknesses | AN-RES measures |
STARCOM-LEO: Adversary Profile
Known TTPs: Ground station reconnaissance, command link exploitation, firmware supply chain targeting
PCE Scope: Orbital (OR), Terrestrial (TE)
SEG Scope: Space (SP), Ground (GR), Link (LI)
Threats: THR:01 (Command Injection), THR:05 (Supply Chain)
Capability: HIGH — demonstrated ASAT and cyber-EW convergence
Profile elements use the same identifiers as the CONOPS, threat model, and detection architecture — enabling automated correlation.
Profile Maintenance and Updates
Profiles are living documents, updated with:
- New intelligence from community sharing (ISAC feeds, MISP events)
- Lessons from incidents and exercises
- Changes in geopolitical landscape affecting threat posture
- Platform modifications that alter the adversary’s attack surface
Review cycle: Quarterly minimum, triggered immediately by significant incidents or intelligence.
STEP 2
ASSESS ATTRACTION & EXPOSURE
Analyze how platform characteristics attract specific adversary groups
Adversary Attraction Analysis
Assess how the platform’s characteristics attract specific adversary groups:
- Mission value: Strategic or economic importance of the platform
- Data sensitivity: Classification and value of data in transit
- Operational dependencies: What other systems depend on this platform
- Network adjacency: Who shares your ground infrastructure
- Technology access: Adversary interest in platform technology
Attraction Factors: STARCOM-LEO
| Factor | Assessment | Example |
|---|---|---|
| Mission Value | HIGH | Broadband to underserved regions — dual-use potential |
| Data Sensitivity | HIGH | User traffic + constellation command telemetry |
| Operational Dependencies | MEDIUM | Emergency comms, government backup circuits |
| Network Adjacency | MEDIUM | Shared ground station facilities with other operators |
| Technology Access | HIGH | Advanced optical inter-satellite link technology |
STARCOM-LEO: Attraction Assessment
| Adversary Group | Attraction Level | Primary Targets |
|---|---|---|
| Nation-state actors | HIGH | Dual-use comms infrastructure, command plane |
| Cybercriminal groups | MEDIUM | User data, ransomware potential |
| Hacktivists | LOW-MEDIUM | Service disruption, broadband denial |
| Insider threats | MEDIUM | Ground station operator access, privileged commands |
Each adversary group maps to specific segments and assets they would target — informing detection priority and resource allocation.
Mapping Adversaries to Platform Exposure
Matrix showing which adversaries target which parts of the platform. Drives resource allocation for defensive operations.
| Adversary | SEG-SP | SEG-GR | SEG-LI | SEG-US |
|---|---|---|---|---|
| Nation-state | HIGH | HIGH | HIGH | MED |
| Cybercriminal | LOW | MED | LOW | HIGH |
| Hacktivist | LOW | MED | MED | MED |
| Insider | LOW | HIGH | MED | LOW |
STEP 3
ALIGN DETECTIONS TO ADVERSARY TTPs
Generate vendor-agnostic signatures that dynamically mirror adversary behavior
Detection-TTP Alignment
Align detection signatures to adversary TTPs using roota.io:
- Generate vendor-agnostic signatures that dynamically mirror adversary behavior
- Signatures span all segments, services, and assets — not just cyber indicators
- When adversary TTPs evolve, detection alignment updates accordingly
- Covers all five exposure domains: kinetic, non-kinetic physical, EW, cyber, environmental
Dynamic Detection Alignment Process
For each profiled adversary:
- Map known TTPs to METEORSTORM taxonomy elements
- Identify existing detections (AN-DET) covering those TTPs
- Identify gaps: TTPs with no corresponding detection
- Prioritize new detection development for uncovered adversary behaviors
The adversary-to-detection alignment matrix drives continuous detection engineering — not ad hoc signature creation.
STARCOM-LEO: TTP-to-Detection Alignment
| Adversary TTP | Element | Detection | Status |
|---|---|---|---|
| Ground station recon | THR:01, SEG-GR | DET:00 (auth failures) | COVERED |
| RF uplink jamming | THR:00, SEG-LI | DET:01 (SNR deviation) | COVERED |
| Firmware implant | THR:05, SEG-SP | DET:02 (hash mismatch) | COVERED |
| Optical link dazzling | THR:04, SEG-LI | — | GAP |
| Social engineering | THR:01, SEG-GR | — | GAP |
Gaps in the alignment matrix become priority detection engineering tasks for Function Three.
Generating Adversary-Aligned Signatures
New signatures authored in roota.io, tagged with adversary profile reference:
Adversary → TTP → AN-THR Threat → AN-DET Detection → AST Asset
Full traceability from adversary behavior to defensive capability — every signature has a documented reason for existence.
STEP 4
VALIDATE, VISUALIZE, FEED BACK
Continuously test adversary-aligned detections and channel findings back into the cycle
Continuous Validation
Test adversary-aligned detections through:
- Simulated campaigns mimicking profiled adversary behavior
- Red team exercises targeting specific TTPs across all exposure domains
- Telemetry replay from past incidents and community-shared intelligence
- Purple team exercises combining offensive simulation with detection validation
VALIDATION GOAL
Confirm that detections actually fire when the specific adversary behavior they were designed to catch occurs.
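Telemetry replay is the cheapest of the validation methods above to automate, because it needs no live range time. The following Python is an added example, not code from the slides or the METEORSTORM project: it drives constructed uplink telemetry through a DET:01-style SNR deviation detector and records, in the form the alignment matrix needs, whether the detection fired inside the simulated jamming window and how quickly. The detector logic (rolling baseline plus drop threshold), the telemetry format and the sample values are assumptions; only DET:01 and the RF uplink jamming TTP come from the slides.

```python
"""Replay-based validation of an adversary-aligned detection.

Added example, not METEORSTORM project code. DET:01 (SNR deviation) and the
RF uplink jamming TTP are named on the slides; the detection logic, the
telemetry format and the replayed samples are constructed assumptions.
"""
from statistics import mean, pstdev


def simulated_pass():
    """Constructed uplink telemetry as (seconds into pass, SNR in dB) pairs:
    a nominal link for 30 s, a simulated jamming event from t=30 to t=44,
    and recovery afterwards. Values are invented for the example."""
    nominal = [(t, 18.0 + (0.3 if t % 2 else -0.3)) for t in range(0, 30)]
    jammed = [(t, 6.5 + (0.4 if t % 3 == 0 else 0.0)) for t in range(30, 45)]
    recovered = [(t, 18.1) for t in range(45, 60)]
    return nominal + jammed + recovered


TELEMETRY = simulated_pass()
JAMMING_WINDOW = (30, 44)  # ground truth of the simulated campaign


def det01_snr_deviation(samples, window=10, sigma=3.0, min_drop_db=3.0):
    """Assumed DET:01 logic: alert when SNR falls below the rolling baseline of
    the previous `window` samples by more than `sigma` standard deviations and
    by at least `min_drop_db`. Returns the timestamps at which it fires."""
    alerts = []
    for i in range(window, len(samples)):
        baseline = [snr for _, snr in samples[i - window:i]]
        mu, sd = mean(baseline), pstdev(baseline)
        t, snr = samples[i]
        if mu - snr >= max(min_drop_db, sigma * sd):
            alerts.append(t)
    return alerts


def validate_detection(det_id, detector, samples, truth_window):
    """Record the validation outcome for one TTP: VALIDATED if the detection
    fired inside the simulated TTP window, FAILED if it never did, GAP if no
    detection exists yet (the optical dazzling case on the slides)."""
    if detector is None:
        return {"detection": None, "status": "GAP", "time_to_detect_s": None,
                "false_alarms": []}
    alerts = detector(samples)
    start, end = truth_window
    in_window = [t for t in alerts if start <= t <= end]
    false_alarms = [t for t in alerts if not start <= t <= end]
    return {
        "detection": det_id,
        "status": "VALIDATED" if in_window else "FAILED",
        "time_to_detect_s": (in_window[0] - start) if in_window else None,
        "false_alarms": false_alarms,
    }


if __name__ == "__main__":
    print(validate_detection("DET:01", det01_snr_deviation, TELEMETRY, JAMMING_WINDOW))
    print(validate_detection(None, None, TELEMETRY, (0, 0)))
```

A failed or GAP result is the signal the feedback step needs: a FAILED row means the signature exists but does not fire on the behaviour it was written for, while a GAP row (no telemetry, no detector) becomes an engineering recommendation rather than a detection task.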
Adversary-to-Detection Alignment Matrix
Comprehensive view: adversary profiles × detection signatures × coverage status
| Adversary | DET:00 | DET:01 | DET:02 | DET:03 | Coverage |
|---|---|---|---|---|---|
| APT-SAT-01 | ✓ | ✓ | ✓ | GAP | 75% |
| Cybercriminal | ✓ | — | — | ✓ | 50% |
| Hacktivist | — | ✓ | — | ✓ | 50% |
| Insider | ✓ | — | Partial | — | 38% |
This matrix drives resource allocation: prioritize detection development for highest-risk adversaries with lowest coverage.
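As an added example, not METEORSTORM or SCORP² code, the following Python reproduces the alignment process from the preceding slides: it maps the APT-SAT-01 TTPs against a small detection catalogue to find gaps, scores each row of the matrix above (a Partial cell is assumed to weigh 0.5, which yields the 38% shown for Insider), and ranks adversaries by attraction level against coverage. The identifiers (THR, DET, SEG, APT-SAT-01) follow the slides; the detection catalogue, the cell weights and the priority formula are assumptions made for illustration.

```python
"""Adversary-to-detection alignment: gap finding, coverage and prioritisation.

Added example, not METEORSTORM project code. Identifiers follow the slides;
the detection catalogue, the 0.5 weight for a Partial cell and the priority
formula are constructed assumptions.
"""
from dataclasses import dataclass

# Weight of a matrix cell when computing coverage (assumption: Partial = 0.5).
CELL_WEIGHT = {"COVERED": 1.0, "PARTIAL": 0.5, "GAP": 0.0, "N/A": 0.0}
# Attraction level -> numeric weight for prioritisation (assumption).
ATTRACTION_WEIGHT = {"HIGH": 3.0, "MEDIUM": 2.0, "LOW-MEDIUM": 1.5, "LOW": 1.0}


@dataclass(frozen=True)
class TTP:
    name: str
    threat: str   # AN-THR identifier, e.g. "THR:01"
    segment: str  # SEG identifier, e.g. "SEG-GR"


@dataclass(frozen=True)
class Detection:
    det_id: str        # AN-DET identifier, e.g. "DET:00"
    name: str
    covers: frozenset  # names of the TTPs this signature is engineered to catch


# Constructed catalogue mirroring the DET:00-DET:02 rows on the slide.
DETECTIONS = (
    Detection("DET:00", "auth failures", frozenset({"Ground station recon"})),
    Detection("DET:01", "SNR deviation", frozenset({"RF uplink jamming"})),
    Detection("DET:02", "hash mismatch", frozenset({"Firmware implant"})),
)

# APT-SAT-01 profile TTPs, as on the STARCOM-LEO alignment slide.
APT_SAT_01_TTPS = (
    TTP("Ground station recon", "THR:01", "SEG-GR"),
    TTP("RF uplink jamming", "THR:00", "SEG-LI"),
    TTP("Firmware implant", "THR:05", "SEG-SP"),
    TTP("Optical link dazzling", "THR:04", "SEG-LI"),
    TTP("Social engineering", "THR:01", "SEG-GR"),
)


def align(ttps, detections):
    """Map each profiled TTP to the detection covering it. Coverage is decided
    per TTP, not per taxonomy element: two TTPs can share THR:01/SEG-GR while
    only one of them has a signature."""
    rows = []
    for ttp in ttps:
        hit = next((d for d in detections if ttp.name in d.covers), None)
        rows.append({
            "ttp": ttp.name,
            "element": f"{ttp.threat}, {ttp.segment}",
            "detection": hit.det_id if hit else None,
            "status": "COVERED" if hit else "GAP",
        })
    return rows


def gaps(ttps, detections):
    """TTPs with no detection: the priority tasks handed to Function Three."""
    return [r["ttp"] for r in align(ttps, detections) if r["status"] == "GAP"]


def coverage_pct(cells):
    """Coverage of one matrix row: weighted cells over the number of detection
    columns, rounded to the nearest whole percent (37.5 -> 38, as on the slide)."""
    total = sum(CELL_WEIGHT[c] for c in cells.values())
    return int(100.0 * total / len(cells) + 0.5)


def prioritise(matrix, attraction):
    """Rank adversaries for detection development: highest attraction with the
    lowest coverage first. Score = attraction weight * (1 - coverage); ties
    break alphabetically so the ranking is stable."""
    scored = []
    for adversary, cells in matrix.items():
        cov = coverage_pct(cells) / 100.0
        scored.append((-ATTRACTION_WEIGHT[attraction[adversary]] * (1.0 - cov), adversary))
    return [name for _, name in sorted(scored)]


# Constructed matrix reproducing the Adversary-to-Detection Alignment Matrix slide.
MATRIX = {
    "APT-SAT-01":    {"DET:00": "COVERED", "DET:01": "COVERED", "DET:02": "COVERED", "DET:03": "GAP"},
    "Cybercriminal": {"DET:00": "COVERED", "DET:01": "N/A", "DET:02": "N/A", "DET:03": "COVERED"},
    "Hacktivist":    {"DET:00": "N/A", "DET:01": "COVERED", "DET:02": "N/A", "DET:03": "COVERED"},
    "Insider":       {"DET:00": "COVERED", "DET:01": "N/A", "DET:02": "PARTIAL", "DET:03": "N/A"},
}
# Attraction levels from the STARCOM-LEO attraction assessment slide.
ATTRACTION = {"APT-SAT-01": "HIGH", "Cybercriminal": "MEDIUM",
              "Hacktivist": "LOW-MEDIUM", "Insider": "MEDIUM"}

if __name__ == "__main__":
    for row in align(APT_SAT_01_TTPS, DETECTIONS):
        print(f"{row['ttp']:<24} {row['element']:<16} {row['detection'] or '-':<8} {row['status']}")
    print("Gaps:", gaps(APT_SAT_01_TTPS, DETECTIONS))
    for adv, cells in MATRIX.items():
        print(f"{adv:<14} {coverage_pct(cells)}%")
    print("Priority order:", prioritise(MATRIX, ATTRACTION))
```

With the assumed weights the ranking puts Insider (MEDIUM attraction, 38% coverage) ahead of APT-SAT-01 (HIGH attraction, 75% coverage); whether that is the right call is a judgement the matrix supports rather than dictates, and the weights are the knob to turn if a nation-state gap must always win.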
STARCOM-LEO: Validation and Feedback
Validation exercise: Simulated APT-SAT-01 campaign against STARCOM-LEO constellation.
Results: 4 of 5 TTPs detected within a single orbit pass window.
Gap identified: Optical link dazzling detection requires new sensor telemetry not currently available.
Feedback action: Optical link interference sensor requirement added to next constellation design review. The five-function cycle turned operational experience into engineering improvement.
Engineering Recommendations
Function Five produces actionable engineering recommendations:
- New telemetry requirements for currently undetectable TTPs
- Platform hardening priorities based on adversary capabilities
- Architecture changes to reduce attack surface for specific adversary groups
- Resilience measure development for identified defensive gaps
These recommendations feed directly back into Function One CONOPS updates — completing the continuous improvement cycle.
THE CONTINUOUS CYCLE
CLOSING THE LOOP
Function Five feeds back to Function One, completing the METEORSTORM cycle
The Five Functions as a Continuous Cycle
F1: CONOPS → F2: Threat Model → F3: Detection → F4: Response → F5: Adversary → F1: CONOPS
Each iteration deepens the organization’s understanding and defensive posture. A METEORSTORM analysis is never “complete” — it grows richer with every cycle.
Platform changes, new threats, and operational experience all trigger new iterations. The cumulative analytical baseline becomes an increasingly valuable organizational asset.
Iteration Depth Over Time
- Cycle 1 (First Cycle): Baseline CONOPS, initial threat model, foundational detections
- Cycle 2 (Second Cycle): Refine threats from operational experience, expand detection coverage
- Cycle 3 (Third Cycle): Adversary-aligned detections, validated through exercises
- Cycle 4+ (Continuous): Architecture improvements, community intel integration, feedback loop
Platform Evolution Triggers
Each trigger restarts the cycle at the appropriate function:
- New services deployed → update CONOPS services and assets (F1)
- Operational environment changes → update PCE enumeration (F1)
- Adversary TTPs evolve → update threat model and detections (F2/F3)
- Incident outcomes → update playbooks and controls (F4)
- New adversary intelligence → update profiles and alignment (F5)
Integration with Existing Frameworks
METEORSTORM provides the converged analytical structure that enables all frameworks to be ingested and applied across multi-domain platforms:
| Framework | Integration Point | METEORSTORM Function |
|---|---|---|
| MITRE ATT&CK | Adversary techniques → threats & detections | F2, F3, F5 |
| SPARTA | Space-specific TTPs → PCE-OR threats | F2, F5 |
| SPACE-SHIELD | European space threats → segment mapping | F2, F5 |
| ATLAS | AI/ML threats → autonomy-enabled platforms | F2, F3 |
| FiGHT | 5G telecom threats → link segment | F2, F3 |
| NIST | Governance alignment → intelligence requirements | F3 |
IMPLEMENTATION
PUTTING IT ALL TOGETHER
Maturity model, resources, and the road ahead
Machine-to-Machine Defense
The combination of structured taxonomy + vendor-agnostic signatures + continuous adversary synchronization enables machine-speed defense:
- Intelligence automatically correlated via METEORSTORM MISP tags
- Detections automatically deployed via roota.io translation
- Adversary profiles automatically synchronized with detection engineering
- Particularly critical in space and high-tempo environments where adversary decision cycles may exceed human response time
Intelligence Workflow: Ingress and Egress
Ingress (Receiving)
- Receive raw indicators or reports
- Map to METEORSTORM PCE, SEG, SVC, AST, AN tags
- Record source confidence and evidence
- Fuse with internal telemetry in MISP
- Route to appropriate function workflow
Egress (Sharing)
- Select findings for sharing
- Apply METEORSTORM structural context tags
- Attach TLP/PAP markings
- Publish to MISP sharing groups or STIX/TAXII
- Taxonomy tags preserved through exchange formats
Implementation Maturity Model
| Level | Name | Description | Key Milestones |
|---|---|---|---|
| 1 | Foundation | Taxonomy enabled in MISP, basic awareness | Analysts trained, first CONOPS |
| 2 | Structured Tagging | Consistent tagging on all events | Playbook published, guardrails enforced |
| 3 | Threat-Informed | Full CONOPS and threat model complete | F1 & F2 complete, coverage validated |
| 4 | Detection-Integrated | Signatures deployed via roota.io | F3 complete, coverage matrix maintained |
| 5 | Adversary-Aligned | Full five-function cycle operational | Profiles active, quarterly reviews, feedback loop |
Organizations should not attempt Level 5 immediately. Each level delivers measurable improvement. Most will spend 3–6 months at each level.
Getting Started Resources
- METEORSTORM GitHub Repository — complete tagging guide, worked examples, MISP event templates
- Official MISP Taxonomy — machine-readable taxonomy file, enable in any MISP instance
- roota.io — vendor-agnostic detection translation platform
- Space ISAC Resources — community intelligence sharing through ISAC channels
- MITRE ATT&CK / ATLAS — adversary TTP catalogs for cross-reference
Everything needed for an initial METEORSTORM implementation is freely available today.
METEORSTORM Quick Reference
Namespace: meteorstorm
Format: meteorstorm:<Layer>=<Value>
PCE: TE, AQ, AE, OR, DS
SEG: LA, LI, GR, US, SP, AQ, LO, HI, NE, DE
SVC: CP, DP, HY
AST: HW, FW, SW, DA, SI, HY
AN: ATT, IOC, IOA, THR, DET, RES
GUARDRAILS: 5–7 tags/event. Document exceptions. Precision > volume. TLP/PAP first.
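The tag format and guardrails above, together with the ingress and egress workflow, can be enforced mechanically before an event is pushed to MISP. The following Python is an added example, not part of the METEORSTORM project: it assembles an event's tag list with TLP/PAP markings first, validates each meteorstorm:<Layer>=<Value> tag against the layer table from the quick reference, and checks the 5-7 tag guardrail. The TLP and PAP value lists, the ordering rule and the sample firmware-integrity event are assumptions.

```python
"""Tagging an event with the METEORSTORM taxonomy and enforcing the guardrails.

Added example, not METEORSTORM project code. The tag syntax, layer/value
lists and guardrails come from the quick reference slide; the TLP/PAP value
lists and the sample events are constructed assumptions.
"""
import re

NAMESPACE = "meteorstorm"
LAYERS = {  # layer -> permitted values, in quick-reference order
    "PCE": {"TE", "AQ", "AE", "OR", "DS"},
    "SEG": {"LA", "LI", "GR", "US", "SP", "AQ", "LO", "HI", "NE", "DE"},
    "SVC": {"CP", "DP", "HY"},
    "AST": {"HW", "FW", "SW", "DA", "SI", "HY"},
    "AN":  {"ATT", "IOC", "IOA", "THR", "DET", "RES"},
}
LAYER_ORDER = list(LAYERS)
TAG_RE = re.compile(rf"^{NAMESPACE}:(?P<layer>[A-Z]+)=(?P<value>[A-Z]+)$")
MIN_TAGS, MAX_TAGS = 5, 7  # guardrail: 5-7 taxonomy tags per event
# Assumed marking tags (MISP tlp and pap taxonomies; adjust to your instance).
TLP_TAGS = {"tlp:clear", "tlp:white", "tlp:green", "tlp:amber", "tlp:amber+strict", "tlp:red"}
PAP_TAGS = {"pap:clear", "pap:white", "pap:green", "pap:amber", "pap:red"}


def parse_tag(tag):
    """Split a meteorstorm:<Layer>=<Value> tag; reject unknown layers or values."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"malformed taxonomy tag {tag!r}")
    layer, value = m.group("layer"), m.group("value")
    if layer not in LAYERS:
        raise ValueError(f"unknown layer {layer!r} in {tag!r}")
    if value not in LAYERS[layer]:
        raise ValueError(f"unknown value {value!r} for layer {layer} in {tag!r}")
    return layer, value


def is_valid_tag(tag):
    """Boolean convenience wrapper around parse_tag."""
    try:
        parse_tag(tag)
        return True
    except ValueError:
        return False


def build_tags(markings, elements):
    """Egress step: markings first, then one meteorstorm tag per (layer, value)
    pair, deduplicated and ordered PCE, SEG, SVC, AST, AN."""
    ordered = sorted(set(elements), key=lambda lv: (LAYER_ORDER.index(lv[0]), lv[1]))
    return list(markings) + [f"{NAMESPACE}:{layer}={value}" for layer, value in ordered]


def validate_event_tags(tags):
    """Return the list of guardrail violations for an event (empty = clean)."""
    problems = []
    markings = [t for t in tags if t in TLP_TAGS or t in PAP_TAGS]
    taxonomy = [t for t in tags if t.startswith(NAMESPACE + ":")]
    if not any(t in TLP_TAGS for t in markings):
        problems.append("missing TLP marking")
    # "TLP/PAP first": every marking must precede every taxonomy tag.
    if markings and taxonomy and tags.index(taxonomy[0]) < tags.index(markings[-1]):
        problems.append("TLP/PAP markings must precede taxonomy tags")
    for t in taxonomy:
        try:
            parse_tag(t)
        except ValueError as exc:
            problems.append(str(exc))
    if not MIN_TAGS <= len(taxonomy) <= MAX_TAGS:
        problems.append(f"{len(taxonomy)} taxonomy tags; guardrail is "
                        f"{MIN_TAGS}-{MAX_TAGS} (document the exception)")
    if len(taxonomy) != len(set(taxonomy)):
        problems.append("duplicate taxonomy tags")
    return problems


# Ingress example (constructed): a firmware image on a spacecraft whose hash did
# not match the signed manifest, mapped to orbital PCE, space segment, firmware
# asset, an indicator of compromise and the threat it evidences.
FIRMWARE_EVENT = build_tags(
    markings=["tlp:green", "pap:green"],
    elements=[("AN", "IOC"), ("SEG", "SP"), ("PCE", "OR"), ("AST", "FW"), ("AN", "THR")],
)

# A badly formed event (constructed): marking after a taxonomy tag, an unknown
# value, and too few tags.
BAD_EVENT = ["meteorstorm:SEG=SP", "tlp:green", "meteorstorm:AN=IOC", "meteorstorm:PCE=ZZ"]

if __name__ == "__main__":
    print(FIRMWARE_EVENT, "->", validate_event_tags(FIRMWARE_EVENT) or "clean")
    for problem in validate_event_tags(BAD_EVENT):
        print("BAD_EVENT:", problem)
```

Running the validator as a pre-publish hook is what "guardrails enforced" at maturity Level 2 looks like in practice: an event that fails it is held for the analyst to fix or to document the exception, rather than being shared with tags the receiving MISP cannot correlate.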
The SCORP² Cookbook Series
| Volume | Title | Focus |
|---|---|---|
| 0 | Foundations | Framework overview, taxonomy reference, Getting Started guide |
| 1 | Concept of Operations | Deep dive Function One, multiple platform examples |
| 2 | Threat Modeling | Deep dive Function Two, advanced threat decomposition |
| 3 | Detection Engineering | Deep dive Function Three, roota.io integration |
| 4 | Incident Response | Deep dive Function Four, dashboards and playbooks |
| 5 | Adversary Management | Deep dive Function Five, adversary profiling, red team |
Subsequent volumes follow at approximately quarterly intervals. Release dates announced via GitHub and community channels.
Community and Contribution
METEORSTORM is an open, community-driven initiative. The framework is most powerful when adopted across a community sharing intelligence through a common taxonomy.
- Organizations can contribute: taxonomy refinements, worked examples, pilot implementations
- Space ISAC provides prioritized support for implementation guidance
- Every organization that tags intelligence with METEORSTORM improves collective defense
Contact: william.o.ferguson@ethicallyhacking.space
Key Concepts Summary
- Convergence is the operational reality — space, cyber, EW, and physical domains have merged
- Mission first, always — every analysis begins with the platform’s mission purpose
- Taxonomy is the connective tissue — PCE, SEG, SVC, AST, AN provide the shared language
- Structure enables automation — structured identifiers enable machine-to-machine defense
- Five functions are a continuous cycle — outputs of each feed into the next
- Tools are available now — MISP taxonomy, GitHub repository, roota.io
- Community amplifies capability — collective defense strengthens with every adopter
Function Five Output
A maintained library of:
- Structured adversary profiles aligned to METEORSTORM taxonomy
- Validated adversary-to-detection alignment matrix
- Engineering recommendations derived from adversary engagement analysis
- Feedback updates to the CONOPS and all subsequent functions
This library is the input to the next iteration of the cycle: each item informs the CONOPS update in Function One and, through it, every function that follows.
Module 5 Summary
Course Foundations Complete
- Function Five closes the intelligence-to-defense loop with structured adversary profiles
- The five METEORSTORM functions form a continuous, self-improving cycle
- All tools and resources are freely available for immediate implementation
- The defensive community cannot afford to wait — the methodology is yours
Next: Module 6 — Space Operations Exercise
Functions 1–5 Complete. Simulation Exercises Begin.