# SOC/Blue team analyst
- **Work Role:** Cyber Defense Analyst
- **Work Role ID:** PR-CDA-001
- **Specialty Area:** Cyber Defense Analysis
- **Category:** Protect and Defend

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.
## Tasks

- Develop content for cyber defense tools.
- Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
- Document and escalate incidents (including the event's history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
- Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
- Provide daily summary reports of network events and activity relevant to cyber defense practices.
- Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
- Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities, and distinguish these incidents and events from benign activities.
- Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on systems and information.
- Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
- Isolate and remove malware.
- Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.
## Knowledge

- Knowledge of computer networking concepts and protocols, and network security methodologies.
- Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
- Knowledge of host/network access control mechanisms (e.g., access control lists, capability lists).
- Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
- Knowledge of incident response and handling methodologies.
- Knowledge of intrusion detection methodologies and techniques for detecting host- and network-based intrusions.
- Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
- Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML).
- Knowledge of network traffic analysis methods.
- Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open Systems Interconnection model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
- Knowledge of collection management processes, capabilities, and limitations.
- Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
- Knowledge of the common attack vectors on the network layer.
- Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).
- Knowledge of cyber attackers (e.g., script kiddies, insider threats, non-nation-state sponsored, and nation-state sponsored).
- Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
- Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
- Knowledge of the OSI model and underlying network protocols (e.g., TCP/IP).
- Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
- Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
## Skills

- Skill in developing and deploying signatures.
- Skill in detecting host- and network-based intrusions via intrusion detection technologies (e.g., Snort).
- Skill in using incident handling methodologies.
- Skill in using protocol analyzers.
- Skill in reading and interpreting signatures (e.g., Snort).
- Skill in performing packet-level analysis.
- Skill in conducting trend analysis.
## Abilities

- Ability to analyze malware.
- Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
- Ability to accurately and completely source all data used in intelligence, assessment, and/or planning products.
- Ability to apply techniques for detecting host- and network-based intrusions using intrusion detection technologies.
- Ability to interpret the information collected by network tools (e.g., nslookup, ping, and traceroute).