Cyber Defense Analyst

Work Role ID: 511 (NIST: PR-DA-001)
Category/Specialty Area: Protect & Defend / Cyber Defense Analysis
Workforce Element: Cybersecurity

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.


Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

KSAT ID | Description | KSAT
19 | Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. | Knowledge
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
59A | Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications. | Knowledge
66 | Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies. | Knowledge
70 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). | Knowledge
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge
87 | Knowledge of network traffic analysis methods. | Knowledge
88 | Knowledge of new and emerging information technology (IT) and cybersecurity technologies. | Knowledge
92 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
150 | Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. | Knowledge
214A | Skill in performing packet-level analysis. | Skill
353 | Skill in collecting data from a variety of cyber defense resources. | Skill
433 | Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources. | Task
472 | Coordinate with enterprise-wide cyber defense staff to validate network alerts. | Task
723 | Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment. | Task
745 | Perform cyber defense trend analysis and reporting. | Task
750 | Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. | Task
767 | Perform security reviews and identify security gaps in security architecture resulting in recommendations for the inclusion into the risk mitigation strategy. | Task
800 | Provide daily summary reports of network events and activity relevant to cyber defense practices. | Task
823 | Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. | Task
895 | Skill in recognizing and categorizing types of vulnerabilities and associated attacks. | Skill
922A | Knowledge of how to use network analysis tools to identify vulnerabilities. | Knowledge
956 | Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities. | Task
958 | Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity. | Task
959 | Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information. | Task
984 | Knowledge of cyber defense policies, procedures, and regulations. | Knowledge
990 | Knowledge of the common attack vectors on the network layer. | Knowledge
991 | Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution). | Knowledge
992 | Knowledge of different operational threat environments (e.g., first generation [script kiddies], second generation [non-nation-state sponsored], and third generation [nation-state sponsored]). | Knowledge
1069A | Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). | Knowledge
1107 | Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR). | Task
1108 | Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings). | Task
1111 | Identify applications and operating systems of a network device based on network traffic. | Task
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
3A | Skill in recognizing vulnerabilities in security systems. | Skill
8 | Knowledge of authentication, authorization, and access control methods. | Knowledge
21 | Knowledge of computer algorithms. | Knowledge
25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). | Knowledge
27 | Knowledge of cryptography and cryptographic key management concepts. | Knowledge
34 | Knowledge of database systems. | Knowledge
43A | Knowledge of embedded systems. | Knowledge
49 | Knowledge of host/network access control mechanisms (e.g., access control list). | Knowledge
58 | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. | Knowledge
61 | Knowledge of incident response and handling methodologies. | Knowledge
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge
75C | Skill in conducting trend analysis. | Skill
79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). | Knowledge
90 | Knowledge of operating systems. | Knowledge
95A | Knowledge of penetration testing principles, tools, and techniques. | Knowledge
98 | Knowledge of policy-based and risk adaptive access controls. | Knowledge
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge
110 | Knowledge of key concepts in security management (e.g., Release Management, Patch Management). | Knowledge
111 | Knowledge of security system design tools, methods, and techniques. | Knowledge
130A | Knowledge of systems security testing and evaluation methods. | Knowledge
133 | Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). | Knowledge
138 | Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization. | Knowledge
139 | Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications. | Knowledge
148 | Knowledge of Virtual Private Network (VPN) security. | Knowledge
175 | Skill in developing and deploying signatures. | Skill
177B | Knowledge of countermeasures for identified security risks. | Knowledge
179A | Skill in assessing security controls based on cybersecurity principles and tenets. | Skill
181A | Skill in detecting host and network based intrusions via intrusion detection technologies. | Skill
183 | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. | Skill
199 | Skill in evaluating the adequacy of security designs. | Skill
212A | Knowledge of network mapping and recreating network topologies. | Knowledge
229 | Skill in using incident handling methodologies. | Skill
233 | Skill in using protocol analyzers. | Skill
234B | Knowledge of the use of sub-netting tools. | Knowledge
270 | Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities). | Knowledge
271 | Knowledge of common network tools (e.g., ping, traceroute, nslookup). | Knowledge
277 | Knowledge of defense-in-depth principles and network security architecture. | Knowledge
278 | Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN). | Knowledge
286 | Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip). | Knowledge
342A | Knowledge of operating system command line/prompt. | Knowledge
427 | Develop content for cyber defense tools. | Task
559A | Analyze and report organizational security posture trends. | Task
559B | Analyze and report system security posture trends. | Task
576 | Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level. | Task
593A | Assess adequate access controls based on principles of least privilege and need-to-know. | Task
716A | Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise. | Task
717A | Assess and monitor cybersecurity related to system implementation and testing practices. | Task
782 | Plan and recommend modifications or adjustments based on exercise results or system environment. | Task
806A | Provide cybersecurity recommendations to leadership based on significant threats and vulnerabilities. | Task
880A | Work with stakeholders to resolve computer security incidents and vulnerability compliance. | Task
904 | Knowledge of interpreted and compiled computer languages. | Knowledge
912 | Knowledge of collection management processes, capabilities, and limitations. | Knowledge
915 | Knowledge of front-end collection systems, including traffic collection, filtering, and selection. | Knowledge
938A | Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. | Task
1033 | Knowledge of basic system administration, network, and operating system hardening techniques. | Knowledge
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. | Knowledge
1034B | Knowledge of Payment Card Industry (PCI) data security standards. | Knowledge
1034C | Knowledge of Personal Health Information (PHI) data security standards. | Knowledge
1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. | Knowledge
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge
1073 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. | Knowledge
1103 | Determine tactics, techniques, and procedures (TTPs) for intrusion sets. | Task
1104 | Examine network topologies to understand data flows through the network. | Task
1105 | Recommend computing environment vulnerability corrections. | Task
1109 | Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools. | Task
1110 | Isolate and remove malware. | Task
1112 | Reconstruct a malicious attack or activity based on network traffic. | Task
1113 | Identify network mapping and operating system (OS) fingerprinting activities. | Task
1114 | Knowledge of encryption methodologies. | Knowledge
1118 | Skill in reading and interpreting signatures (e.g., Snort). | Skill
1119 | Knowledge of signature implementation impact. | Knowledge
1120 | Ability to interpret and incorporate data from multiple tool sources. | Ability
1121 | Knowledge of Windows/Unix ports and services. | Knowledge
1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). | Knowledge
2062 | Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave. | Task
2611 | Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan. | Task
3007 | Ability to analyze malware. | Ability
3030 | Ability to conduct vulnerability scans and recognize vulnerabilities in security systems. | Ability
3431 | Knowledge of OSI model and underlying network protocols (e.g., TCP/IP). | Knowledge
3461 | Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities. | Knowledge
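KSATs 1109, 1118, 175 and 2062 above all rest on one concrete skill: reading a signature and checking it against the packets it supposedly fired on. The following is an added example for this page, not DCWF material or vendor code. It implements a small subset of Snort rule syntax in Python (header, msg, content with |hex| runs, nocase, sid) and replays constructed packets against three constructed rules; the sids, rule text and packet bytes are made up for illustration, and the matcher deliberately ignores flow, depth/offset, PCRE and other options that production rules use.

```python
"""Added example, not from the DCWF page: a tiny Snort-style signature reader
and matcher.  Parses a subset of rule syntax (header, msg, content with |hex|
runs, nocase, sid) and replays constructed packets against the rules, the check
behind KSAT 1109 (validate IDS alerts against traffic) and 1118 (read
signatures).  Rules, sids and packets are constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # application payload as the sensor sees it

@dataclass
class Rule:
    action: str
    proto: str
    dst_ports: set | None                         # None means "any"
    contents: list = field(default_factory=list)  # [(bytes, nocase)]
    msg: str = ""
    sid: int = 0

# action proto src sport -> dst dport ( options )
_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# key; or key:value; where a quoted value may itself contain ';'
_OPTION = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def _parse_ports(spec: str) -> set | None:
    """'any' -> None; '80' -> {80}; '[80,8080]' -> {80, 8080}; '1024:' -> 1024..65535."""
    if spec == "any":
        return None
    ports = set()
    for part in spec.strip("[]").split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(part))
    return ports

def _decode_content(text: str) -> bytes:
    """Snort content strings mix literal text with |hex| byte runs."""
    out = bytearray()
    for i, seg in enumerate(text.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)

def parse_rule(line: str) -> Rule:
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, _src, _sport, _dir, _dst, dport, opts = m.groups()
    rule = Rule(action, proto.lower(), _parse_ports(dport))
    for opt in _OPTION.finditer(opts):
        key, val = opt.group(1), (opt.group(2) or "").strip()
        if key == "content":
            rule.contents.append((_decode_content(val.strip('"')), False))
        elif key == "nocase" and rule.contents:  # modifies the preceding content
            rule.contents[-1] = (rule.contents[-1][0], True)
        elif key == "msg":
            rule.msg = val.strip('"')
        elif key == "sid":
            rule.sid = int(val)
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    """Header first (protocol, destination port), then every content must occur."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.dst_ports is not None and pkt.dport not in rule.dst_ports:
        return False
    for needle, nocase in rule.contents:
        hay = pkt.payload.lower() if nocase else pkt.payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True

def validate_alerts(rules: list[Rule], packets: list[Packet]) -> dict[int, list[int]]:
    """{sid: packet indices that genuinely satisfy the rule}; an alert whose sid
    maps to an empty list is not supported by the captured traffic."""
    return {r.sid: [i for i, p in enumerate(packets) if matches(r, p)] for r in rules}

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"HTTP TRACE method"; content:"TRACE "; nocase; sid:1000001;)',
    'alert tcp any any -> any [80,8080] (msg:"HTTP Host header"; content:"Host: "; content:"|0d 0a|"; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"DNS TXT query"; content:"|00 10 00 01|"; sid:1000003;)',
)]

PACKETS = [  # constructed; 203.0.113.0/24 is documentation address space
    Packet("tcp", 80,   b"trace / HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"),  # fires 1000001 and 1000002
    Packet("tcp", 8080, b"TRACE / HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"),  # 1000002 only: port 8080 out of scope
    Packet("tcp", 443,  b"\x16\x03\x01TRACE "),                             # nothing: wrong port
    Packet("udp", 53,   b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                        b"\x03www\x07example\x03com\x00\x00\x10\x00\x01"),  # 1000003: TXT/IN question
]
```

Calling validate_alerts(RULES, PACKETS) returns {1000001: [0], 1000002: [0, 1], 1000003: [3]}. The second packet carries the TRACE method but on port 8080, so sid 1000001 correctly does not fire on it: a sensor alert claiming otherwise would be one the analyst should treat as unsupported by the capture. The same structure (header constraints, then ordered content checks) is what to look at first when deciding whether a new signature (KSAT 2062) will be too broad for the enclave's normal traffic.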