Frequently Asked Questions

General

The Space Attack Research and Tactic Analysis (SPARTA) matrix is the first publicly available cybersecurity threat identification and response matrix dedicated to helping spacecraft developers, owners, and operators outpace space-cyber threats. In a high-stakes, rapidly transforming space economy, this matrix will enhance the likelihood of mission success by offering unclassified space-cyber threat information to United States Government and commercial space actors to better inform defense-in-depth engineering, threat readiness and response.

The SPARTA matrix includes tactics, techniques, sub-techniques and procedures that have either occurred in operations, been proven in laboratories, on-orbit exercises and/or hacking workshops, or are theoretically within the realm of the possible.
Due to information and communication barriers that hinder the identification and sharing of space-cyber Tactics, Techniques, and Procedures (TTPs), the Aerospace Corporation created the SPARTA matrix. SPARTA is intended to provide unclassified information to space professionals about how spacecraft may be compromised via cyber means, and it defines and categorizes commonly identified activities that contribute to spacecraft compromises. TTP matrices are becoming standard across the cybersecurity community as they enable a visual way to organize TTPs and document attack chains.

SPARTA attempts to aggregate unclassified research from academia, Federally Funded Research and Development Centers, and space cyber professionals into a single pane of glass to better educate the space community on TTPs while also identifying countermeasures within SPARTA. SPARTA’s goal is to raise the bar on space-cyber common knowledge across the community so that space systems are engineered with defense-in-depth principles. SPARTA is cross-referenced to cybersecurity best practices like NIST 800-53 revision 5, MITRE ATT&CK where applicable, as well as previously published spacecraft cyber protections within TOR 2021-01333 REV A. This correlation provides further justification for adherence to these best practices as it enables a more threat-informed design process.
Tactics represent the “why” of a SPARTA technique or sub-technique. It is the threat actor’s tactical goal and the reason they are performing a technique. For example, a threat actor may want to achieve initial access on a spacecraft via cyber means.
Techniques represent “how” a threat actor achieves a tactical goal by performing a threat action. For example, a threat actor may exploit trusted relationships to achieve initial access.
Sub-techniques represent a variation or more specific instance of the threat actor’s behavior used to achieve a goal. Sub-techniques typically describe behavior at a lower level than a technique and are considered children of the parent technique. For example, a threat actor may compromise mission collaborators (academia, international, etc.) to achieve their initial access.
Procedures represent the specific implementation the threat actor uses for techniques or sub-techniques. Procedures are the step-by-step descriptions of how the threat actor plans to go about achieving their purpose. In other words, how will the general techniques/sub-techniques be carried out in detail? For example, a procedure could be a threat actor using spear phishing with a malicious Excel document to gain access to a mission collaborator network, and then using PowerShell to inject into a Windows process like lsass.exe to gain credentials by dumping the LSASS memory. These credentials could then be used to laterally move into the mission ground station to achieve their initial access for commanding the spacecraft.
Security by obscurity is not a strategy, and the Aerospace Corporation and the rest of the space-cyber community must continue to educate engineers and system defenders so they can overcome cyber challenges and outpace the growing threat. SPARTA not only identifies methods to perform attacks, it also documents countermeasures to ensure spacecraft can protect and/or detect, recover, and respond against the TTPs.

Without a deep understanding of information technology concepts, no cyber-attack knowledge base or matrix would be sufficient to go off and hack a sophisticated enterprise IT environment. However, you CAN expose an experienced IT professional, who may not be familiar with cyber concepts, to the same knowledge, and through the new insights they are now able to see the types of enablers within their environment that may contribute to an attack. This is how we view SPARTA - just replace the role of IT professional with space system developers.

The goal of SPARTA is not to explicitly lay out a work instruction for hacking a space platform, but simply to compile a knowledge base of TTPs that can ultimately enable more secure designs, architectures, and operations for space missions. It is also our hope that through SPARTA we can educate our commercial partners with whom we have an increasing reliance for critical capabilities.
Security matrices that served as inspiration for SPARTA – including Microsoft Kubernetes and MITRE ATT&CK for Enterprise and Industrial Control Systems (ICS) – are robust resources of collective knowledge and have benefited many security professionals throughout their existence. Since cybersecurity matrices like MITRE ATT&CK have become the industry standard for cyber TTPs, the Aerospace Corporation wanted to fill the gap in the space-cyber community. SPARTA is intended to provide unclassified information to space professionals about how spacecraft may be compromised via cyber means. SPARTA leverages the same framework as its predecessors: it defines TTPs in a tabular format in which tactics are displayed across the top row of the table, with techniques and sub-technique(s) listed underneath. SPARTA is complementary to other matrices, but it focuses on the spacecraft where other matrices focus on different terrestrial technology disciplines. Space system engineers/developers who build and defend the system-of-systems will ultimately have to understand multiple cybersecurity matrices (such as SPARTA, MITRE ATT&CK for Enterprise, ICS, the Microsoft Kubernetes matrix, etc.) and how threat actors can leverage TTPs, depending on their design. Understanding the TTPs will help inform design decisions and where detection and/or countermeasures can be deployed within the system-of-systems context.
Cybersecurity matrices have become an industry standard approach for providing a knowledge base of adversary behaviors and serve as a taxonomy for adversarial actions across the attack lifecycle, but there has previously been no framework dedicated to spacecraft. The Aerospace Corporation recognized that the space enterprise faces often unique threats and that a dedicated cybersecurity matrix would help fill this gap. SPARTA resembles the open-sourced ATT&CK framework and is designed to help space developers and network defenders understand the types of TTPs they need to be resilient against. Space cybersecurity experts were consulted in a critical peer review of SPARTA to ensure that it was not duplicative and that it is a unique security framework comprised of existing best practices.

While SPARTA focuses on the spacecraft, there are likely “pre-SPARTA” TTPs that an adversary may use to position themselves to execute SPARTA-defined TTPs. Space system engineers and developers who build and defend the system-of-systems will ultimately have to understand multiple cybersecurity matrices — SPARTA, MITRE ATT&CK for Enterprise, ICS, Microsoft Kubernetes matrix, etc. — and how threat actors can potentially leverage a variety of TTPs from each depending on their design. This is where the concept of Platform Independent Vectors of Techniques (PIVOT) can be utilized. MITRE created PIVOT which is designed to connect multiple cybersecurity matrices based on potential adversary TTPs overlaid on systems-of-systems components. PIVOT also identifies the PIVOT points, or components that translate the data from one protocol format to another (e.g., TCP/IP to MIL-STD 1553B or Serial). These PIVOT points are seldom understood or enumerated, leaving gaps in systems-of-systems cyber assessments that could allow an adversary to laterally move across technology domains undetected.
The Aerospace Corporation believes in threat-informed, defense-in-depth (DiD) design principles for designing secure space systems. Offense is a strong driver for defense, and a space system’s ability to detect and stop a cyber-attack improves immensely with stronger collaboration between offense (red) and defense (blue) teams. Developers, owners, and operators of spacecraft and space systems can leverage SPARTA to consider known adversarial cyber threats, techniques, and procedures to inform DiD-based design.
SPARTA leverages the same framework as its predecessors where it defines TTPs in a tabular format. Tactics are listed across the top row of the matrix, with techniques and sub-technique(s) listed underneath. Users can manipulate the elements in the SPARTA matrix by building an attack chain to link tactics, techniques, and procedures and review potential countermeasures for such attacks.

Use Case Examples:
  • Space system developers: Engineers now have a resource that contains TTPs, threats, and countermeasures to enable the engineering of protections early in the lifecycle -- establishing countermeasures to disrupt the attack chains
  • Defensive Cyber Operations (DCO): Enables the building of monitoring solutions, analytics, automation, etc. for DCO Operators/Blue Team members to measure how effective systems/operators are at detecting TTPs for their specific space system
  • Threat intelligence: Report data to the community tying threat actor TTPs against space systems using a common taxonomy. Leverage the unique identifiers and aggregate reporting using a similar approach as the current industry standard for Enterprise IT systems
  • Assessments / Table-Tops: Provides a framework for security engineers & red teamers to leverage for designing attack chains against the space segment
  • Education / Training / Research: Expands the footprint of knowledge to a wider audience – raises the bar on what is considered common knowledge. Security researchers can submit their own TTPs via email to sparta@aero.org to crowd source information and further support the community
The Aerospace Corporation will continually update the SPARTA matrix with known or theoretical TTPs and aspires for SPARTA to continually improve through community participation.

Content