
Inside the Space ISAC Watch Center: Keeping an Eye on Cyber Threats

The Space Information Sharing and Analysis Center, a global non-profit founded to share all hazards threat information among companies, research institutions and other organizations in the space ecosystem, gave Via Satellite exclusive access to its watch center, the beating heart of the largest private intelligence sharing effort in the sector.

October 7th, 2025

The watch center's day usually begins just after dawn, when its director, Hector Falcon, arrives at the nondescript office park building and logs on around 6 a.m.

Like his small team of analysts, who start work at 8 a.m., Falcon is searching for information that can be turned into actionable intelligence for space technology companies all over the world—data their overburdened security operation centers can use to protect their IT systems and other assets, whether on the ground or in space, against online criminals and cyberspies and nation-state cyber warfare.

He first checks the collaboration platforms the ISAC’s member companies use to share information about cyber threats, to see what they may have submitted overnight, either because they’re in a different time zone, or because they have a 24/7 security operation center.

“The threats don’t sleep,” says Falcon. The Colorado Springs-based watch center covers 6 a.m. to 6 p.m. Mountain Time, but the global membership means Space ISAC works on a “follow-the-sun” model, with analysts in Europe, Australia, and soon Japan tracking threats 24/7.

One collaboration platform, the cybersecurity situational awareness platform, or CSAP, enables member companies to submit threat warnings in human readable format and share them with other members. Another, the Threat Intelligence Exchange, or TIX, distributes vetted technical data, like indicators of compromise and other signs of hacking, including on a machine-to-machine basis. For those who sign up for this element of the service, TIX in effect directly programs their automated defenses, ensuring their systems get real-time updates about the latest threats and how to defend against them. Both are made by Cyware, a vendor that specializes in providing threat-sharing tools to ISACs and other multi-member collaborative organizations.

The day is often punctuated by virtual stand ups, 30-minute remote meetings with member company representatives and analysts centered around the Space ISAC’s various working groups, explains Falcon. The working groups focus on industry sub-sectors like Low-Earth Orbit (LEO) operators, on technical issues like radio frequency (RF) signals or on functional roles, like information sharing or analysis. The meetings are brief by design, with Falcon asking questions like “Hey, what are you seeing? How are you seeing it and what are you feeling as well?”

Hector Falcon, Space ISAC Watch Center director, shows the data feeds center analysts use. Photo: Shaun Waterman for Via Satellite

Falcon uses a baseball analogy to describe the center’s work: “We need three strikes, three different levels of cross correlation, in order to make it something we can report on.”

The cyber world is full of news about new vulnerabilities — software flaws that can make a system vulnerable to hackers — and new threats, newly developed hacking tools or malicious software, malware that's being used by cyberspies or online criminals. Much of the center’s work involves sifting through those data feeds, winnowing out outdated or generic information, parsing, correlating, and prioritizing the rest, zeroing in on the must-have data that space companies need to defend their IT systems.

“It's not good enough to just understand the information, we have to correlate it and make it make sense, so we can turn it into actionable, bi-directional intelligence exchanges with our members,” says Falcon.

The first strike, he explains, is typically a bulletin or alert about a new software vulnerability or a new exploit. The second is a connection to ISAC’s membership. “We want to find at least one level of cross correlation that ties into the aerospace sector, into the actual intelligence requirements that we have.”

Intelligence requirements is a term of art: it means the unanswered questions that intelligence needs to answer. Falcon thinks of it like “a shopping list of things we need to know in order to really understand the threat a little further.”

Analysts will research the bulletin to ascertain its likely level of impact in the space sector. He says the key question is whether there are detrimental impacts in the space industry or a sub-sector, or to a software platform that has a tie-in to an adjacent sector.

The Traffic Light Protocol

The third strike is an actual cyberattack or other impact on a member company or another space sector company. The problem here is that companies, worried about reputational damage or impacts to their share price, are generally unwilling to reveal if they’ve been attacked. That’s where the ISAC’s sophisticated information management protocols come into play.

In common with most other ISACs and other cyber threat information sharing organizations, the Space ISAC employs the traffic light protocol, or TLP, to limit who can see which information, and give member companies the assurances they need to share confidential information.

TLP has four levels:

● TLP Clear: For public release

● TLP Green: For release to ISAC members and community partners, like government agencies, universities or other organizations that aren’t paying members of the ISAC, but are part of its trusted information sharing network

● TLP Amber: For ISAC members only

● TLP Red: Only for sharing with a company directly affected

To get to that third strike, data about an actual cyberattack, Falcon says, analysts will query potentially affected companies using the TLP Red protocol, giving the company the confidence that the information won’t be shared, except anonymously, if they allow it.

“We want to know: ‘Before this goes out, is there anything more we can say? Do you have any additional information to release that could be of benefit to our greater community?’ Because the worst thing is to suffer in silence,” Falcon says.
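The sharing rules described above can be sketched as a release gate. This is an added example, not Space ISAC or Cyware code; the recipient tier names, the Report fields and the rule that widening any label needs the source's consent and strips its name are assumptions drawn from the four TLP definitions and the three-strike rule in this article.

```python
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional


class TLP(IntEnum):
    CLEAR = 0  # public release
    GREEN = 1  # members and community partners
    AMBER = 2  # members only
    RED = 3    # only the directly affected company


# Hypothetical recipient tiers and the most restrictive label each may read.
TIER_CEILING = {"public": TLP.CLEAR, "partner": TLP.GREEN, "member": TLP.AMBER}


@dataclass(frozen=True)
class Report:
    title: str
    tlp: TLP
    source_org: Optional[str] = None   # company the incident data came from
    bulletin: bool = False             # strike 1: vulnerability or exploit alert
    sector_tie: bool = False           # strike 2: tie to an intelligence requirement
    impact: bool = False               # strike 3: actual impact on a space company
    consent: bool = False              # source allows anonymous wider sharing


def strikes(r: Report) -> int:
    return sum((r.bulletin, r.sector_tie, r.impact))


def may_receive(r: Report, org: str, tier: str) -> bool:
    """RED goes only to the affected company; other labels follow the tier."""
    if r.tlp is TLP.RED:
        return org == r.source_org
    return TIER_CEILING[tier] >= r.tlp


def prepare_release(r: Report, target: TLP) -> Optional[Report]:
    """Return the report as it may be published at `target`, or None to hold it."""
    if strikes(r) < 3:
        return None                    # not yet cross-correlated three ways
    if target >= r.tlp:
        return r                       # same or narrower audience: unchanged
    if not r.consent:
        return None                    # widening requires the source's consent
    return replace(r, tlp=target, source_org=None)  # anonymized copy
```

A RED report with all three strikes stays with the affected company until that company consents; only then does an AMBER copy without the company's name become readable by other members.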

In the afternoon, as the Space ISAC’s partners in Asia and Australia start to wake up, there are virtual stand-ups to brief them on developments overnight.

As the day starts to wind down, Falcon says, attention is focused on closing out any priority alerts — warnings the members need to have to keep their systems safe.

A Unique Resource

The watch center is at the heart of the value Space ISAC provides to its members, says Norm Laudermilch, chief information security officer (CISO) for Vantor, recently rebranded from Maxar Technologies.

The watch center is such a unique resource because it distributes specialized intelligence that is contributed by threat intelligence and cybersecurity teams at its member companies and cross referenced and collated by trained ISAC analysts, he explains.

“We share specific threat intelligence about the threat actors we’re watching with the watch center. That is then re-shared throughout the entire Space ISAC community, and we get a lot of feedback that this is very valuable for the rest of the members,” Laudermilch says. And, he adds, the intelligence reporting that the watch center shares with Vantor from their own analysts and from other member companies is highly valuable, adding to the collection efforts of Vantor's internal team.

The watch center is especially useful to smaller companies that may not be able to afford their own threat intelligence collection operation. Vantor makes a substantial investment in its 30-person strong cybersecurity and intelligence team, says Laudermilch.

“Not every company can afford that. [The] watch center is a really amazing collaboration tool for the whole industry that delivers a better understanding of the threat landscape associated with space, which you can't get anywhere else,” he explains.

While there are commercial cybersecurity threat intelligence feeds on the market, these aren’t specially tailored for the space sector and don’t include all-hazards space information, for example about space weather or orbital conjunctions, that the Space ISAC provides.

“This is not the stuff that you get from the more generic security feeds and forums,” says Laudermilch. “We are operators in the space domain, and so we have different needs, different interests. Having a resource like the watch center, tailored to the space technology sector, is really powerful for us.”

The working groups that Space ISAC runs also provide key resources for member companies, he says, because they provide a forum for discussing with other space companies things Vantor is doing to reduce risks from newly revealed vulnerabilities (known as threat mitigation), and how they are dealing with security incidents. For example, Vantor participates in an all-source intelligence group on a weekly basis, in addition to the sharing group, threat working group, and analyst working group.

“These are highly valuable for us for openly discussing threat mitigations that we've got going on and incident response procedures that are specific to space systems,” he says.

A key task for the Vantor threat intelligence team is watching threat actors on the dark web — a region of the internet accessible only through a special tool known as The Onion Router (TOR) or the Tor browser. Tor uses encryption and traffic forwarding to hide the internet addresses and locations of those using it. The threat actors communicate in password-protected forums on Tor and via encrypted chat apps like Telegram. Laudermilch declined to comment on specifics, but because the threat groups are generally loose networks of hackers who only know each other online, it’s possible for intelligence analysts to infiltrate and monitor these forums.

“When we're collecting threat intelligence on these actors, we're not just watching what they do, we're watching what they say,” explains Laudermilch. “We see who they're communicating with … and we can track their cohorts.”

Financially motivated or cybercrime threat actors tend to be most active on Telegram and the dark web. But nation-state aligned threat groups often maintain ties with cybercrime actors, and many engage directly in financially motivated cyberattacks as a side hustle. Even western intelligence agencies’ cyber teams will be present, monitoring for hacker activity just as the Vantor intelligence team does — so they’re all active to one degree or another.

Distinguishing among the various threat groups, and attributing cyberattacks to them, is a skillset all its own, says Laudermilch: “It’s all about tools, tactics, and procedures.” That means identifying a particular version of a malware hacking tool favored by a certain group, for instance, or any of the myriad other clues that together form a digital fingerprint of a particular threat actor.

Crucially, Laudermilch explains, monitoring these groups also provides clues and signs of possible attack planning that can help companies prepare ahead of time for forthcoming cyberattacks — girding their networks for battle and shoring up any weaknesses in their software.

Laudermilch says that several times over the past 18 months, his analysts have detected threat actor chatter about Zero Day vulnerabilities. These are highly prized software flaws discovered in the wild but not yet patched by the manufacturer. “There are examples where we found out about vulnerabilities before the rest of the industry did, because we saw the conversation about the Zero Day happening, we were able to patch and remediate before any attacks occurred,” Laudermilch says.

He gives the hypothetical example of a threat group discussing a new service from Vantor, “and they’re discussing how to evaluate its security and they mention they believe that one of these unpublished vulnerabilities might be present in the service.”

Vantor analysts can pass on details of the attack planning so that engineering teams can check the software at issue to see if those vulnerabilities are indeed present — and patch them if they are. “We see the discussions that are underway in real time, between the members of the groups that are working on some of these campaigns,” and pass on the information, Laudermilch says. “Nine times out of 10, it turns out that we have patched and we're good, but there may be times where there's something here that we need to patch immediately.”

“Vantor is just proud to share the intelligence we collect so that other Space ISAC members can benefit and protect their critical infrastructure as well,” Laudermilch concludes.

The Watch Center of The Future

Like everyone else in our information-saturated world, the watch center analysts — and their counterparts in its member companies — are suffering from data overload and cognitive choke points, says Space ISAC Executive Director Erin Miller.

Both the Russian invasion of Ukraine and the Israeli strikes on Iran were preceded briefly by cyber and/or RF activity, some of which watch center analysts were tracking, she explains.

“We probably had the pieces of information, they were coming from the hundreds, thousands of sources that we track. But to put a human in front of that information and say, ‘Synthesize all this and tell me what it means within minutes,’ is impossible,” Miller says.

To get ahead of threats in real time, she argues, ISACs have to use Artificial Intelligence. “We're experimenting with that now,” she says. “ISACs can only become proactive with data fusion tools.”