SPACE COLLECTIVE DEFENSE

No Single Entity Can Secure Space Alone

Space Collective Defense is the collaborative strategy where space operators, critical infrastructure owners, government agencies, and commercial partners share threat intelligence and coordinate defensive actions in real time.

• A cyber threat to one operator is a concern for all
• Shared situational awareness is a force multiplier
• Intelligence sharing transforms isolated defense into sector-wide protection
• Real-time coordination enables collective disruption of adversary operations
• The space domain requires a unique, unified defensive posture

SCORP² Threat Intelligence Architect | NIST NICE PD-WRL-006

COURSE LEARNING OUTCOMES

Four Missions. Four Outcomes. One Architecture.

• 1. ORACLE — Apply adapted joint intelligence planning methodology (PIR, EEI, Indicators, SIR) from CJCSM 3314.01A to commercial space and critical infrastructure contexts
• 2. FORGE — Evaluate and architect enterprise threat intelligence platforms using OpenCTI and MISP, including deployment, configuration, and integration
• 3. NEXUS — Implement STIX 2.1 and TAXII 2.1 for machine-to-machine intelligence sharing with ISACs and partner organizations
• 4. IGNITION — Deploy functional OpenCTI and MISP instances with automated ingestion, correlation, and bidirectional synchronization

MISSION 1 OBJECTIVES

What You Will Master in ORACLE

• 1. Trace the evolution of threat intelligence from military doctrine through commercial CTI to autonomous M2M sharing
• 2. Describe the intelligence cycle: direction, collection, processing, analysis, dissemination, feedback
• 3. Explain key milestones: Cyber Kill Chain, Diamond Model, MITRE ATT&CK, and their relevance to space
• 4. Assess organizational threat intelligence maturity using the five-level model
• 5. Adapt CJCSM 3314.01A intelligence planning methodology for commercial space cybersecurity
• 6. Develop Priority Intelligence Requirements (PIR) decomposed into EEI, Indicators, and SIR
• 7. Complete intelligence planning templates: PIR Worksheet, EEI Decomposition, Indicator Mapping, SIR/Collection Matrix

CURRENT STATE OF THREAT-INFORMED DEFENSE

The Five-Level Maturity Model

The threat intelligence landscape has matured into a rich ecosystem of frameworks, standards, platforms, and sharing communities.

• Level 1 — Ad-hoc — Reactive, no formal program, IOC-only
• Level 2 — Repeatable — Basic processes, some tooling, limited sharing
• Level 3 — Defined — Formal program, TIP deployed, ISAC participation
• Level 4 — Managed — Metrics-driven, automated sharing, PIR-aligned production
• Level 5 — Optimizing — Autonomous M2M sharing, AI-augmented analysis, collective defense

Standards: STIX 2.1, TAXII 2.1, OpenIOC, YARA, Sigma | Platforms: OpenCTI, MISP, Recorded Future, Mandiant

INTELLIGENCE PLANNING DOCTRINE

Adapting CJCSM 3314.01A for Commercial Cybersecurity

CJCSM 3314.01A provides the doctrinal framework for intelligence planning that we adapt for commercial space cybersecurity operations.

• APEX System — Adaptive Planning and Execution: deliberate and crisis action planning
• Two Lines of Effort — Intelligence Support to Planning + Planning Intelligence Operations
• J-2 → CISO/CTI Lead — The intelligence function translated to commercial roles
• CCMD → SOC Director — Command authority mapped to security operations leadership
• CSA → CTI Lead/ISAC Coordinator — Intelligence sharing coordination role
• Intelligence Planning → Threat Intelligence Program Management

"Military doctrine provides the rigor and structure. Commercial application provides the agility and scale. The TIA bridges both."

PIR DECOMPOSITION: A WORKED EXAMPLE

From Strategic Question to Collection Requirement

Strategic PIR: "Are nation-state actors actively targeting commercial LEO communication constellations?"

• EEI — System Dimension: Which constellation subsystems are being probed?
• EEI — Adversary Dimension: Which APT groups have demonstrated space-targeting capability?
• EEI — Environment Dimension: What geopolitical conditions increase targeting likelihood?
• Indicators (Leading): Reconnaissance scanning of ground station IP ranges; SPARTA technique SA-0001 activity
• Indicators (Lagging): Compromised credentials on dark web for satellite operators
• SIR: Source assignment with LTIOV (Latest Time Information of Value) and handling caveats

MISSION 1 CHECKPOINT

Test Your Understanding

Q1: Describe the evolution from signature-based defense to threat-informed defense. What was the key paradigm shift, and how does CJCSM 3314.01A doctrine inform modern commercial intelligence programs?

Q2: Walk through the PIR decomposition chain (PIR → EEI → Indicators → SIR). Why is each level necessary, and what happens if you skip a level?

Capstone Activity: Present your PIR decomposition to your team. Defend your indicator selection and source assignments.

THREAT INTELLIGENCE PLATFORM STRATEGY

Five Core Functions of a TIP

Every threat intelligence platform must fulfill five core functions to deliver operational value.

• Ingest — Collection from feeds, APIs, manual entry, and automated sources
• Correlate — Cross-reference indicators, enrich context, identify relationships
• Analyze — Investigation workbenches, relationship mapping, threat actor profiling
• Produce — Reports, dashboards, briefings for all stakeholder levels
• Share — STIX/TAXII export, ISAC distribution, partner sharing

Architecture Patterns: Centralized | Distributed | Federated | Hybrid

MISP: COMMUNITY-DRIVEN THREAT INTELLIGENCE SHARING

The Open-Source Platform Built for Sharing

MISP is optimized for sharing threat intelligence between organizations, with a rich community ecosystem and flexible distribution model.

• Data Model: Events, attributes, objects, galaxies, taxonomies, and sightings
• Sharing Model: Sharing groups, distribution levels (org only → all communities)
• Feed Management: Default feeds, custom feeds, TAXII feeds, freetext import
• Correlation Engine: Automatic correlation, warninglists, false positive management
• METEORSTORM Integration: github.com/MISP/misp-taxonomies/meteorstorm natively available
• Deployment: Docker Compose stack (MySQL/MariaDB, Apache, Redis)

STIX 2.1 & TAXII 2.1

The Language and Transport of Machine-to-Machine Intelligence

STIX and TAXII are the foundational standards that enable automated, machine-to-machine threat intelligence sharing.

• STIX 2.1 SDOs: Threat Actor, Campaign, Malware, Attack Pattern, Indicator, Vulnerability, Course of Action
• STIX 2.1 SROs: Uses, Targets, Attributed-To, Indicates, Mitigates — the relationship fabric
• TAXII 2.1 Architecture: Server/client model with API roots, collections, and channels
• Authentication Models: API key, OAuth 2.0, certificate-based authentication
• ISAC Connectivity: Configure TAXII clients to consume Space ISAC feeds automatically
• TLP Enforcement: Traffic Light Protocol encoded in STIX marking definitions

"STIX is what you say. TAXII is how you say it. Together they enable machine-to-machine collective defense."

MISSION 2 EXERCISE

Design Your TIP Architecture

Working in teams, design a TIP architecture for a provided space operator scenario.

• 1. Platform selection rationale (OpenCTI, MISP, or both)
• 2. Architecture pattern choice with justification
• 3. Connector/feed plan aligned to PIR from Mission 1
• 4. Integration plan with existing security tools
• 5. Sharing model and TLP handling

Timer: 10 minutes | Discussion-based, instructor-facilitated

Deliverable: Architecture diagram on whiteboard or digital canvas ready for peer review.

MISSION 2 ASSESSMENT

Three Criteria | Four Proficiency Levels

• Criterion 1 — Platform Knowledge: Demonstrates accurate understanding of OpenCTI and MISP architectures, data models, and capabilities
• Criterion 2 — Architecture Design: Produces a viable TIP architecture with appropriate pattern selection, justified component choices, and clear data flows
• Criterion 3 — Integration Planning: Plans realistic integration with STIX/TAXII, SIEM/SOAR, and sharing communities with proper TLP enforcement

Proficiency Levels: Emerging | Developing | Proficient | Expert

MISSION 3 OBJECTIVES

What You Will Master in NEXUS

• 1. Define Space Collective Defense and articulate its value proposition for the space sector
• 2. Map the sharing ecosystem: ISACs, ISAOs, government programs (CISA AIS, JCDC, InfraGard), and international partners (FIRST, NATO MISP)
• 3. Configure automated TAXII 2.1 feed consumption and publication
• 4. Implement TLP enforcement for automated distribution control at machine speed
• 5. Develop sharing governance documents: Trust frameworks, legal considerations, and CISO/CIO/DPO agreements
• 6. Create organizational threat intelligence policy, standards, and SOPs
• 7. Measure sharing effectiveness and community value

MACHINE-TO-MACHINE SHARING

Intelligence at Machine Speed

Human-only workflows cannot scale to the volume and velocity of modern threats. Automated sharing is not optional — it is the only viable path to collective defense.

• Real-time TAXII feed consumption from ISACs and partners — no human in the loop
• Automated indicator publication to sharing communities with TLP enforcement
• TLP-enforced distribution control at machine speed — policy encoded in STIX
• Collective disruption operations through shared telemetry and coordinated response
• Data flow: ISAC TAXII Server → Your MISP/OpenCTI → Your SIEM → Alert → Response → Intelligence Production → Share Back

TEMPLATE: THREAT INTELLIGENCE POLICY

The Charter for Your Intelligence Program

A policy without a platform is aspirational. A platform without a policy is dangerous. The TIA builds both.

• Policy Scope, Authority & Applicability — Who this policy covers and what it governs
• Intelligence Program Charter — Mission statement and strategic objectives
• Roles & Responsibilities — CTI Lead, Analysts, Stakeholders, Executive Sponsors
• Intelligence Requirements Management — PIR lifecycle from Mission 1
• Collection, Analysis, Production & Dissemination Procedures — Operational workflows

"A policy without a platform is aspirational. A platform without a policy is dangerous. The TIA builds both."

MISSION 3 EXERCISE

Customize Your Governance Documents

Using the four provided templates, customize for your organization's context.

• Template 1 — Threat Intelligence Policy: Adapt scope, roles, and procedures to your organization
• Template 2 — Threat Intelligence Standards: Configure STIX 2.1 usage standards and confidence scoring
• Template 3 — Threat Intelligence SOP: Define daily operations and surge procedures
• Template 4 — CISO/CIO/DPO Sharing Agreement: Draft sharing terms with a partner organization

Timer: 20 minutes | Guided walkthrough with instructor

Deliverable: Four customized governance documents ready for organizational review.

MISSION 3 ASSESSMENT

Three Criteria | Four Proficiency Levels

• Criterion 1 — Ecosystem Knowledge: Accurately maps the Space Collective Defense sharing ecosystem including ISACs, government programs, and international partners
• Criterion 2 — Sharing Architecture: Designs viable automated sharing configurations with proper TAXII 2.1 setup and TLP enforcement
• Criterion 3 — Governance Documentation: Produces complete, customized policy, standards, SOP, and sharing agreement documents

Proficiency Levels: Emerging | Developing | Proficient | Expert

MISSION 4 OBJECTIVES

What You Will Deploy in IGNITION

• 1. Deploy OpenCTI via Docker Compose with all required services healthy
• 2. Deploy MISP via Docker Compose with default feeds and METEORSTORM taxonomy enabled
• 3. Configure the MITRE ATT&CK connector in OpenCTI for automated framework import
• 4. Configure OpenCTI-MISP bidirectional synchronization
• 5. Create indicators and validate cross-platform synchronization
• 6. Export a STIX 2.1 bundle and demonstrate TLP enforcement

LAB: OpenCTI DEPLOYMENT

Step 1 of 3 — 20 Minutes

Deploy OpenCTI with all required services and configure the MITRE ATT&CK connector.

• Step 1: Clone the OpenCTI Docker repository
• Step 2: Configure environment variables: admin credentials, Elasticsearch, Redis, RabbitMQ, MinIO, connector tokens
• Step 3: Deploy the platform: docker compose up -d
• Step 4: Verify service health — all containers running, UI accessible at port 8080
• Step 5: Configure the MITRE ATT&CK connector for automated framework import
• Step 6: Create a custom dashboard aligned to one PIR developed in Mission 1
• Step 7: Configure a TAXII 2.1 feed subscription from the provided ISAC test feed

Validation: Can you access the OpenCTI dashboard? Is the ATT&CK data populating? Is the TAXII feed connected?

LAB: INTEGRATION & VALIDATION

Step 3 of 3 — 10 Minutes

Configure bidirectional synchronization and validate end-to-end intelligence sharing.

• Step 1: Configure the OpenCTI-MISP connector for bidirectional synchronization
• Step 2: Verify that indicators created in MISP appear in OpenCTI (and vice versa)
• Step 3: Export a STIX 2.1 bundle from OpenCTI and validate its structure
• Step 4: Demonstrate TLP enforcement — verify TLP:RED indicators do not propagate to lower-trust sharing groups
• Checkpoint 1 — Cross-platform sync: Create indicator in MISP → confirm appearance in OpenCTI
• Checkpoint 2 — STIX export: Download bundle → verify JSON structure and object types
• Checkpoint 3 — TLP enforcement: Tag indicator as TLP:RED → verify it does NOT appear in community sharing group

All three validation checkpoints must pass for course completion.

MISSION 4 CHECKPOINT

Course Completion Validation Checklist

• ☐ OpenCTI deployed and accessible with healthy services
• ☐ MITRE ATT&CK connector active and populating data
• ☐ Custom PIR-aligned dashboard created in OpenCTI
• ☐ MISP deployed and accessible with healthy services
• ☐ Default feeds enabled and METEORSTORM taxonomy activated
• ☐ Event created with scenario-derived indicators
• ☐ Sharing group configured per Mission 3 governance template
• ☐ OpenCTI-MISP bidirectional sync verified
• ☐ STIX 2.1 bundle exported and validated
• ☐ TLP enforcement demonstrated

KEY TAKEAWAYS

Five Principles of the Threat Intelligence Architect

• 1. Doctrine Drives Architecture — Intelligence planning methodology (PIR/EEI/SIR) provides the structure that makes platforms valuable, not just functional
• 2. Two Platforms, One Mission — OpenCTI for knowledge management and analysis. MISP for community sharing and distribution. Together they create a complete intelligence capability.
• 3. Sharing is a Force Multiplier — Space Collective Defense transforms isolated defense into sector-wide situational awareness. Machine-to-machine sharing enables this at scale.
• 4. Governance Enables Trust — Policy, standards, SOPs, and sharing agreements are not bureaucracy—they are the trust framework that makes collective defense possible.
• 5. From Theory to Operations — Deployed platforms with live data flows are the proof. Theory without deployment is just paperwork.

RESOURCES & REFERENCES

Frameworks, Standards, Platforms & Community

• METEORSTORM MISP Taxonomy: github.com/MISP/misp-taxonomies/meteorstorm
• METEORSTORM GitHub: github.com/h4ck32n4u75/meteorstorm
• CJCSM 3314.01A: Intelligence Planning (reference doctrine)
• NIST NICE Framework: niccs.cisa.gov/workforce-development/nice-framework
• STIX 2.1 Specification: oasis-open.github.io/cti-documentation/stix/intro
• TAXII 2.1 Specification: oasis-open.github.io/cti-documentation/taxii/intro
• OpenCTI: github.com/OpenCTI-Platform/opencti
• MISP: github.com/MISP/MISP
• Space ISAC: s-isac.org
• ethicallyHackingspace: ethicallyhackingspace.com

ASSESSMENT & COMPLETION REQUIREMENTS

What You Need to Earn Your Certificate

• 1. Attendance — Attend all four instructional domains (Required)
• 2. Domain I Template Workshop — Complete PIR/EEI/SIR templates (Required)
• 3. Deploy OpenCTI — Via Docker Compose with functional dashboard (Required)
• 4. Deploy MISP — Via Docker Compose with configured feeds (Required)
• 5. Demonstrate Integration — OpenCTI-MISP integration and STIX bundle export (Required)

Certificate: SCORP² Threat Intelligence Architect course completion certificate issued upon instructor validation.