Cyber Defense Analyst

Work Role ID: 511  |  Workforce Element: Cybersecurity

What does this work role do? Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs.) to analyze events that occur within their environments for the purposes of mitigating threats.

KSAT ID Description KSAT
19 Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. Knowledge
22 * Knowledge of computer networking concepts and protocols, and network security methodologies. Knowledge
59A Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications. Knowledge
66 Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies. Knowledge
70 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). Knowledge
81A Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. Knowledge
87 Knowledge of network traffic analysis methods. Knowledge
92 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). Knowledge
108 * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). Knowledge
150 Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. Knowledge
214A Skill in performing packet-level analysis. Skill
353 Skill in collecting data from a variety of cyber defense resources. Skill
433 Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources. Task
472 Coordinate with enterprise-wide cyber defense staff to validate network alerts. Task
723 Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment. Task
745 Perform cyber defense trend analysis and reporting. Task
750 Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. Task
767 Perform security reviews and identify security gaps in security architecture resulting in recommendations for the inclusion into the risk mitigation strategy. Task
800 Provide daily summary reports of network events and activity relevant to cyber defense practices. Task
823 Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. Task
895 Skill in recognizing and categorizing types of vulnerabilities and associated attacks. Skill
922A Knowledge of how to use network analysis tools to identify vulnerabilities. Knowledge
956 Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities. Task
958 Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity. Task
959 Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information. Task
984 Knowledge of cyber defense policies, procedures, and regulations. Knowledge
990 Knowledge of the common attack vectors on the network layer. Knowledge
991 Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution). Knowledge
1069A Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). Knowledge
1107 Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR). Task
1108 Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings). Task
1111 Identify applications and operating systems of a network device based on network traffic. Task
1157 * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. Knowledge
1158 * Knowledge of cybersecurity principles. Knowledge
1159 * Knowledge of cyber threats and vulnerabilities. Knowledge
6900 * Knowledge of specific operational impacts of cybersecurity lapses. Knowledge
6935 * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Knowledge
6938 * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. Knowledge
KSAT ID Description KSAT
3C Skill in recognizing vulnerabilities in information and/or data systems. Skill
8 Knowledge of authentication, authorization, and access control methods. Knowledge
21 Knowledge of computer algorithms. Knowledge
25 Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). Knowledge
27 Knowledge of cryptography and cryptographic key management concepts. Knowledge
34 Knowledge of database systems. Knowledge
43A Knowledge of embedded systems. Knowledge
49 Knowledge of host/network access control mechanisms (e.g., access control list). Knowledge
58 Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. Knowledge
61 Knowledge of incident response and handling methodologies. Knowledge
63 Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). Knowledge
75C Skill in conducting trend analysis. Skill
79 Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). Knowledge
88A Knowledge of current and emerging cyber technologies. Knowledge
90 Knowledge of operating systems. Knowledge
95A Knowledge of penetration testing principles, tools, and techniques. Knowledge
98 Knowledge of policy-based and risk adaptive access controls. Knowledge
105 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). Knowledge
110 Knowledge of key concepts in security management (e.g., Release Management, Patch Management). Knowledge
111 Knowledge of security system design tools, methods, and techniques. Knowledge
130A Knowledge of systems security testing and evaluation methods. Knowledge
133 Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). Knowledge
138 Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization. Knowledge
139 Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications. Knowledge
148 Knowledge of Virtual Private Network (VPN) security. Knowledge
175 Skill in developing and deploying signatures. Skill
177B Knowledge of countermeasures for identified security risks. Knowledge
179A Skill in assessing security controls based on cybersecurity principles and tenets. Skill
181A Skill in detecting host and network based intrusions via intrusion detection technologies. Skill
183 Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. Skill
199 Skill in evaluating the adequacy of security designs. Skill
212A Knowledge of network mapping and recreating network topologies. Knowledge
229 Skill in using incident handling methodologies. Skill
233 Skill in using protocol analyzers. Skill
234B Knowledge of the use of sub-netting tools. Knowledge
270 Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities). Knowledge
271 Knowledge of common network tools (e.g., ping, traceroute, nslookup). Knowledge
277 Knowledge of defense-in-depth principles and network security architecture. Knowledge
278 Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN). Knowledge
286 Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip). Knowledge
342A Knowledge of operating system command line/prompt. Knowledge
427 Develop content for cyber defense tools. Task
559B Analyze and report system security posture trends. Task
559A Analyze and report organizational security posture trends. Task
576 Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level. Task
593A Assess adequate access controls based on principles of least privilege and need-to-know. Task
716A Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise. Task
717A Assess and monitor cybersecurity related to system implementation and testing practices. Task
782 Plan and recommend modifications or adjustments based on exercise results or system environment. Task
806A Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities. Task
880A Work with stakeholders to resolve computer security incidents and vulnerability compliance. Task
904 Knowledge of interpreted and compiled computer languages. Knowledge
912 Knowledge of collection management processes, capabilities, and limitations. Knowledge
915 Knowledge of front-end collection systems, including traffic collection, filtering, and selection. Knowledge
922B Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities.​ Skill
938A Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. Task
992C Knowledge of threat environments (e.g., first generation threat actors, threat activities). Knowledge
1033 Knowledge of basic system administration, network, and operating system hardening techniques. Knowledge
1034C Knowledge of Personal Health Information (PHI) data security standards. Knowledge
1034B Knowledge of Payment Card Industry (PCI) data security standards. Knowledge
1034A Knowledge of Personally Identifiable Information (PII) data security standards. Knowledge
1036 Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. Knowledge
1072 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). Knowledge
1073 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. Knowledge
1103 Determine tactics, techniques, and procedures (TTPs) for intrusion sets. Task
1104 Examine network topologies to understand data flows through the network. Task
1105 Recommend computing environment vulnerability corrections. Task
1109 Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools. Task
1110 Isolate and remove malware. Task
1111 Identify applications and operating systems of a network device based on network traffic. Task
1112 Reconstruct a malicious attack or activity based off network traffic. Task
1113 Identify network mapping and operating system (OS) fingerprinting activities. Task
1114 Knowledge of encryption methodologies. Knowledge
1118 Skill in reading and interpreting signatures (e.g., snort). Skill
1119 Knowledge of signature implementation impact. Knowledge
1120 Ability to interpret and incorporate data from multiple tool sources. Ability
1121 Knowledge of Windows/Unix ports and services. Knowledge
1142 Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). Knowledge
2062 Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave. Task
2611 Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan. Task
3007 Ability to analyze malware. Ability
3431 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP). Knowledge
3461 Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities. Knowledge
6210 Knowledge of cloud service models and possible limitations for an incident response. Knowledge