Cyber Defense Analyst

Work Role ID: 511  |  Workforce Element: Cybersecurity

What does this work role do? Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environment for the purpose of mitigating threats.

CORE KSATs
KSAT ID  Description  KSAT Type (Knowledge, Skill, Ability, or Task)
19 Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. Knowledge
22 * Knowledge of computer networking concepts and protocols, and network security methodologies. Knowledge
59A Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications. Knowledge
66 Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies. Knowledge
70 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). Knowledge
81A Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services. Knowledge
87 Knowledge of network traffic analysis methods. Knowledge
92 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). Knowledge
108 * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). Knowledge
150 Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. Knowledge
214A Skill in performing packet-level analysis. Skill
353 Skill in collecting data from a variety of cyber defense resources. Skill
433 Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources. Task
472 Coordinate with enterprise-wide cyber defense staff to validate network alerts. Task
723 Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment. Task
745 Perform cyber defense trend analysis and reporting. Task
750 Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. Task
767 Perform security reviews, identify gaps in the security architecture, and produce recommendations for inclusion in the risk mitigation strategy. Task
800 Provide daily summary reports of network events and activity relevant to cyber defense practices. Task
823 Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. Task
895 Skill in recognizing and categorizing types of vulnerabilities and associated attacks. Skill
922A Knowledge of how to use network analysis tools to identify vulnerabilities. Knowledge
956 Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities. Task
958 Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity. Task
959 Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information. Task
984 Knowledge of cyber defense policies, procedures, and regulations. Knowledge
990 Knowledge of the common attack vectors on the network layer. Knowledge
991 Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution). Knowledge
1069A Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). Knowledge
1107 Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR). Task
1108 Conduct research, analysis, and correlation across a wide variety of all-source data sets (indications and warnings). Task
1111 Identify applications and operating systems of a network device based on network traffic. Task
1157 * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. Knowledge
1158 * Knowledge of cybersecurity principles. Knowledge
1159 * Knowledge of cyber threats and vulnerabilities. Knowledge
6900 * Knowledge of specific operational impacts of cybersecurity lapses. Knowledge
6935 * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Knowledge
6938 * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. Knowledge
ADDITIONAL KSATs
KSAT ID  Description  KSAT Type (Knowledge, Skill, Ability, or Task)
3C Skill in recognizing vulnerabilities in information and/or data systems. Skill
8 Knowledge of authentication, authorization, and access control methods. Knowledge
21 Knowledge of computer algorithms. Knowledge
25 Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). Knowledge
27 Knowledge of cryptography and cryptographic key management concepts. Knowledge
34 Knowledge of database systems. Knowledge
43A Knowledge of embedded systems. Knowledge
49 Knowledge of host/network access control mechanisms (e.g., access control list). Knowledge
58 Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. Knowledge
61 Knowledge of incident response and handling methodologies. Knowledge
63 Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). Knowledge
75C Skill in conducting trend analysis. Skill
79 Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). Knowledge
88A Knowledge of current and emerging cyber technologies. Knowledge
90 Knowledge of operating systems. Knowledge
95A Knowledge of penetration testing principles, tools, and techniques. Knowledge
98 Knowledge of policy-based and risk adaptive access controls. Knowledge
105 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). Knowledge
110 Knowledge of key concepts in security management (e.g., Release Management, Patch Management). Knowledge
111 Knowledge of security system design tools, methods, and techniques. Knowledge
130A Knowledge of systems security testing and evaluation methods. Knowledge
133 Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). Knowledge
138 Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization. Knowledge
139 Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications. Knowledge
148 Knowledge of Virtual Private Network (VPN) security. Knowledge
175 Skill in developing and deploying signatures. Skill
177B Knowledge of countermeasures for identified security risks. Knowledge
179A Skill in assessing security controls based on cybersecurity principles and tenets. Skill
181A Skill in detecting host and network based intrusions via intrusion detection technologies. Skill
183 Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. Skill
199 Skill in evaluating the adequacy of security designs. Skill
212A Knowledge of network mapping and recreating network topologies. Knowledge
229 Skill in using incident handling methodologies. Skill
233 Skill in using protocol analyzers. Skill
234B Knowledge of the use of sub-netting tools. Knowledge
270 Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities). Knowledge
271 Knowledge of common network tools (e.g., ping, traceroute, nslookup). Knowledge
277 Knowledge of defense-in-depth principles and network security architecture. Knowledge
278 Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN). Knowledge
286 Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip). Knowledge
342A Knowledge of operating system command line/prompt. Knowledge
427 Develop content for cyber defense tools. Task
559A Analyze and report organizational security posture trends. Task
559B Analyze and report system security posture trends. Task
576 Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level. Task
593A Assess adequate access controls based on principles of least privilege and need-to-know. Task
716A Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, SecurityFocus) to maintain currency of the cyber defense threat condition and determine which security issues may have an impact on the enterprise. Task
717A Assess and monitor cybersecurity related to system implementation and testing practices. Task
782 Plan and recommend modifications or adjustments based on exercise results or system environment. Task
806A Provide cybersecurity recommendations to leadership based on significant threats and vulnerabilities. Task
880A Work with stakeholders to resolve computer security incidents and vulnerability compliance. Task
904 Knowledge of interpreted and compiled computer languages. Knowledge
912 Knowledge of collection management processes, capabilities, and limitations. Knowledge
915 Knowledge of front-end collection systems, including traffic collection, filtering, and selection. Knowledge
922B Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities. Skill
938A Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. Task
992C Knowledge of threat environments (e.g., first-generation threat actors, threat activities). Knowledge
1033 Knowledge of basic system administration, network, and operating system hardening techniques. Knowledge
1034A Knowledge of Personally Identifiable Information (PII) data security standards. Knowledge
1034B Knowledge of Payment Card Industry (PCI) data security standards. Knowledge
1034C Knowledge of Personal Health Information (PHI) data security standards. Knowledge
1036 Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. Knowledge
1072 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). Knowledge
1073 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. Knowledge
1103 Determine tactics, techniques, and procedures (TTPs) for intrusion sets. Task
1104 Examine network topologies to understand data flows through the network. Task
1105 Recommend computing environment vulnerability corrections. Task
1109 Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools. Task
1110 Isolate and remove malware. Task
1112 Reconstruct a malicious attack or activity based off network traffic. Task
1113 Identify network mapping and operating system (OS) fingerprinting activities. Task
1114 Knowledge of encryption methodologies. Knowledge
1118 Skill in reading and interpreting signatures (e.g., Snort). Skill
1119 Knowledge of signature implementation impact. Knowledge
1120 Ability to interpret and incorporate data from multiple tool sources. Ability
1121 Knowledge of Windows/Unix ports and services. Knowledge
1142 Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). Knowledge
2062 Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave. Task
2611 Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan. Task
3007 Ability to analyze malware. Ability
3431 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP). Knowledge
3461 Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities. Knowledge
6210 Knowledge of cloud service models and possible limitations for an incident response. Knowledge