Cyber Defense Incident Responder

Cyber Defense Incident Responder Work Role ID: 531 (NIST: PR-IR-001) Workforce Element: Cybersecurity

Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.


Qualification Matrix

  BasicIntermediateAdvancedNotes
Foundational Qualification OptionsEducation A BS degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science, from an ABET accredited or CAE designated institution fulfills the educational requirement for this WRCA BS degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science, from an ABET accredited or CAE designated institution fulfills the educational requirement for this WRCTBDFor additional information pertaining to ABET: www.abet.org or CAE: www.caecommunity.org
Foundational Qualification OptionsOR OR OR
Foundational Qualification OptionsDoD/Military TrainingWCYBER200 or CYB 5640/CYB 5640V/WSS 010A-150-1980 or A-150-1202 or A-150-1203 or A150-1250 or WSS 011 or WSS 0124-11-C32-255S (CP) or 4C-255N (CP) or 4C-255A (CP) or A-531-0045 or A-531-0022See TAB C (DCWF Training Repository) below for additional course information.
Foundational Qualification OptionsCommercial TrainingTBDTBDTBD
Foundational Qualification OptionsOR OR OR
Foundational Qualification OptionsPersonnel Certification CBROPS or FITSP-O or GISF or CCSP or CEH or Cloud+ or GCED or PenTest+ or Security+ or GSECCySA+ or CFR or GCFA or GCIA or GDSA or GCIH or GICSP or CCE See TAB B (Certification Index) below for certification vendor information. Courses at higher proficiency levels qualify lower levels.
Foundational Qualification AlternativeExperienceConditional AlternativeConditional AlternativeConditional AlternativeRefer to Section 3 of the DoD 8140 Manual for more information.
Residential QualificationOn-the-Job QualificationAlways RequiredAlways RequiredAlways RequiredIndividuals must demonstrate capability to perform their duties in their resident environment.
Residential QualificationEnvironment-Specific RequirementsComponent DiscretionComponent DiscretionComponent Discretion
Annual Maintenance Continuous Professional Development Minimum of 20 hours annually or what is required to maintain certification; whichever is greater.Minimum of 20 hours annually or what is required to maintain certification; whichever is greater.Minimum of 20 hours annually or what is required to maintain certification; whichever is greater.

Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
37

Knowledge of disaster recovery continuity of operations plans.

Knowledge
50

Knowledge of how network services and protocols interact to provide network communications.

Knowledge
60

Knowledge of incident categories, incident responses, and timelines for responses.

Knowledge
61

Knowledge of incident response and handling methodologies.

Knowledge
66

Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
150

Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.

Knowledge
153

Skill of identifying, capturing, containing, and reporting malware.

Skill
217

Skill in preserving evidence integrity according to standard operating procedures or national standards.

Skill
470

Coordinate and provide expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents.

Task
716A

Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.

Task
741A

Coordinate incident response functions.

Task
745

Perform cyber defense trend analysis and reporting.

Task
755

Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems.

Task
823

Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.

Task
882

Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.

Task
893

Skill in securing network communications.

Skill
895

Skill in recognizing and categorizing types of vulnerabilities and associated attacks.

Skill
896

Skill in protecting a network against malware.

Skill
897

Skill in performing damage assessments.

Skill
923A

Skill in using security event correlation tools.

Skill
984

Knowledge of cyber defense policies, procedures, and regulations.

Knowledge
991

Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).

Knowledge
1029A

Knowledge of malware analysis concepts and methodologies.

Knowledge
1030

Collect intrusion artifacts (e.g., source code, malware, trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.

Task
1033

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge
1069

Knowledge of general attack stages (e.g., foot printing and scanning, enumeration, gaining access, escalation or privileges, maintaining access, network exploitation, covering tracks).

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
3431

Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

Knowledge
5670

Write and publish after action reviews.

Task
6210

Knowledge of cloud service models and possible limitations for an incident response.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
29

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge
49

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge
87

Knowledge of network traffic analysis methods.

Knowledge
93

Knowledge of packet-level analysis.

Knowledge
478

Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.

Task
738

Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security.

Task
743

Perform cyber defense incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation.

Task
762

Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).

Task
861

Track and document cyber defense incidents from initial detection through final resolution.

Task
961

Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness).

Task
992C

Knowledge of threat environments (e.g., first generation threat actors, threat activities).

Knowledge
1031

Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.

Task
1141A

Knowledge of an organization’s information classification program and procedures for information compromise.

Knowledge
2179

Coordinate with intelligence analysts to correlate threat assessment data.

Task
3362A

Knowledge of key factors of the operational environment and related threats and vulnerabilities.

Knowledge
3561

Knowledge of the common networking and routing protocols(e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Knowledge
6210

Knowledge of cloud service models and possible limitations for an incident response.

Knowledge