Cyber Defense Analyst

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.

Below are the Knowledge, Skills, Abilities and Tasks identified as being required to perform this work role.

Knowledge of computer networking concepts and protocols, and network security methodologies.
Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
K0004 Knowledge of cybersecurity and privacy principles.
K0005 Knowledge of cyber threats and vulnerabilities.
K0006 Knowledge of specific operational impacts of cybersecurity lapses.
K0007 Knowledge of authentication, authorization, and access control methods.
K0013 Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
K0015 Knowledge of computer algorithms.
K0018 Knowledge of encryption algorithms.
K0019 Knowledge of cryptography and cryptographic key management concepts.
K0024 Knowledge of database systems.
K0033 Knowledge of host/network access control mechanisms (e.g., access control lists, capability lists).
K0040 Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
K0042 Knowledge of incident response and handling methodologies.
K0044 Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
K0046 Knowledge of intrusion detection methodologies and techniques for detecting host- and network-based intrusions.
K0049 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
K0056 Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML).
K0058 Knowledge of network traffic analysis methods.
K0059 Knowledge of new and emerging information technology (IT) and cybersecurity technologies.
K0060 Knowledge of operating systems.
K0061 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
K0065 Knowledge of policy-based and risk-adaptive access controls.
K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0074 Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
K0075 Knowledge of security system design tools, methods, and techniques.
K0093 Knowledge of telecommunications concepts (e.g., communications channel, systems link budgeting, spectral efficiency, multiplexing).
K0098 Knowledge of the cyber defense Service Provider reporting structure and processes within one's own organization.
K0104 Knowledge of Virtual Private Network (VPN) security.
K0106 Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities.
K0107 Knowledge of Insider Threat investigations, reporting, investigative tools, and laws/regulations.
K0110 Knowledge of adversarial tactics, techniques, and procedures.
K0111 Knowledge of network tools (e.g., ping, traceroute, nslookup).
K0112 Knowledge of defense-in-depth principles and network security architecture.
K0113 Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).
K0116 Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).
K0139 Knowledge of interpreted and compiled computer languages.
K0142 Knowledge of collection management processes, capabilities, and limitations.
K0143 Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
K0157 Knowledge of cyber defense and information security policies, procedures, and regulations.
K0160 Knowledge of the common attack vectors on the network layer.
K0161 Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).
K0162 Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation-state sponsored, and nation-state sponsored).
K0167 Knowledge of system administration, network, and operating system hardening techniques.
K0168 Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
K0177 Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
K0180 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
K0190 Knowledge of encryption methodologies.
K0191 Knowledge of signature implementation impact for viruses, malware, and attacks.
K0192 Knowledge of Windows/Unix ports and services.
K0203 Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
K0221 Knowledge of the OSI model and underlying network protocols (e.g., TCP/IP).
K0222 Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.
K0260 Knowledge of Personally Identifiable Information (PII) data security standards.
K0261 Knowledge of Payment Card Industry (PCI) data security standards.
K0262 Knowledge of Personal Health Information (PHI) data security standards.
K0290 Knowledge of systems security testing and evaluation methods.
K0297 Knowledge of countermeasure design for identified security risks.
K0300 Knowledge of network mapping and recreating network topologies.
K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
K0303 Knowledge of the use of subnetting tools.
K0318 Knowledge of operating system command-line tools.
K0322 Knowledge of embedded systems.
K0324 Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services.
K0339 Knowledge of how to use network analysis tools to identify vulnerabilities.
K0342 Knowledge of penetration testing principles, tools, and techniques.
K0624 Knowledge of application security risks (e.g., Open Web Application Security Project [OWASP] Top 10 list).

S0020 Skill in developing and deploying signatures.
S0025 Skill in detecting host- and network-based intrusions via intrusion detection technologies (e.g., Snort).
S0027 Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
S0036 Skill in evaluating the adequacy of security designs.
S0054 Skill in using incident handling methodologies.
S0057 Skill in using protocol analyzers.
S0063 Skill in collecting data from a variety of cyber defense resources.
S0078 Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
S0096 Skill in reading and interpreting signatures (e.g., Snort).
S0147 Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework).
S0156 Skill in performing packet-level analysis.
S0167 Skill in recognizing vulnerabilities in security systems (e.g., vulnerability and compliance scanning).
S0169 Skill in conducting trend analysis.
S0367 Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
S0370 Skill to use the cyber defense Service Provider reporting structure and processes within one's own organization.

A0010 Ability to analyze malware.
A0015 Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
A0066 Ability to accurately and completely source all data used in intelligence, assessment, and/or planning products.
A0123 Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
A0128 Ability to apply techniques for detecting host- and network-based intrusions using intrusion detection technologies.
A0159 Ability to interpret the information collected by network tools (e.g., nslookup, ping, and traceroute).

T0020 Develop content for cyber defense tools.
T0023 Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
T0043 Coordinate with enterprise-wide cyber defense staff to validate network alerts.
T0088 Ensure that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
T0155 Document and escalate incidents (including the event's history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
T0164 Perform cyber defense trend analysis and reporting.
T0166 Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
T0178 Perform security reviews and identify security gaps in the security architecture, resulting in recommendations for inclusion in the risk mitigation strategy.
T0187 Plan and recommend modifications or adjustments based on exercise results or the system environment.
T0198 Provide daily summary reports of network events and activity relevant to cyber defense practices.
T0214 Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
T0258 Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities, and distinguish these incidents and events from benign activities.
T0259 Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
T0260 Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on systems and information.
T0290 Determine tactics, techniques, and procedures (TTPs) for intrusion sets.
T0291 Examine network topologies to understand data flows through the network.
T0292 Recommend computing environment vulnerability corrections.
T0293 Identify and analyze anomalies in network traffic using metadata.
T0294 Conduct research, analysis, and correlation across a wide variety of all-source data sets (indications and warnings).
T0295 Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
T0296 Isolate and remove malware.
T0297 Identify applications and operating systems of a network device based on network traffic.
T0298 Reconstruct a malicious attack or activity based on network traffic.
T0299 Identify network mapping and operating system (OS) fingerprinting activities.
T0310 Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the network environment or enclave.
T0332 Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.
T0469 Analyze and report organizational security posture trends.
T0470 Analyze and report system security posture trends.
T0475 Assess adequate access controls based on principles of least privilege and need-to-know.
T0503 Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of the cyber defense threat condition and determine which security issues may have an impact on the enterprise.
T0504 Assess and monitor cybersecurity related to system implementation and testing practices.
T0526 Provide cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
T0545 Work with stakeholders to resolve computer security incidents and vulnerability compliance.
T0548 Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.