Protect and Defend

Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network to protect information, information systems, and networks from threats.

Below are the roles for this Specialty Area, with their KSAs (Knowledge, Skills, and Abilities) and Tasks.

  • A0010: Ability to analyze malware.
  • A0015: Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
  • A0066: Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.
  • A0123: Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • A0128: Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.
  • A0159: Ability to interpret the information collected by network tools (e.g. Nslookup, Ping, and Traceroute). 
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0007: Knowledge of authentication, authorization, and access control methods. 
  • K0013: Knowledge of cyber defense and vulnerability assessment tools and their capabilities. 
  • K0015: Knowledge of computer algorithms. 
  • K0018: Knowledge of encryption algorithms.
  • K0019: Knowledge of cryptography and cryptographic key management concepts.
  • K0024: Knowledge of database systems. 
  • K0033: Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists). 
  • K0040: Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins). 
  • K0042: Knowledge of incident response and handling methodologies. 
  • K0044: Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • K0046: Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions.
  • K0049: Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). 
  • K0056: Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML).
  • K0058: Knowledge of network traffic analysis methods. 
  • K0059: Knowledge of new and emerging information technology (IT) and cybersecurity technologies. 
  • K0060: Knowledge of operating systems.
  • K0061: Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
  • K0065: Knowledge of policy-based and risk adaptive access controls.
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0074: Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
  • K0075: Knowledge of security system design tools, methods, and techniques.
  • K0093: Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing). 
  • K0098: Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.
  • K0104: Knowledge of Virtual Private Network (VPN) security.
  • K0106: Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities. 
  • K0107: Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations. 
  • K0110: Knowledge of adversarial tactics, techniques, and procedures. 
  • K0111: Knowledge of network tools (e.g., ping, traceroute, nslookup).
  • K0112: Knowledge of defense-in-depth principles and network security architecture.
  • K0113: Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).
  • K0116: Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).
  • K0139: Knowledge of interpreted and compiled computer languages.
  • K0142: Knowledge of collection management processes, capabilities, and limitations.
  • K0143: Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
  • K0157: Knowledge of cyber defense and information security policies, procedures, and regulations. 
  • K0160: Knowledge of the common attack vectors on the network layer.
  • K0161: Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks). 
  • K0162: Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored). 
  • K0167: Knowledge of system administration, network, and operating system hardening techniques.
  • K0168: Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
  • K0177: Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). 
  • K0179: Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 
  • K0180: Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. 
  • K0190: Knowledge of encryption methodologies. 
  • K0191: Knowledge of signature implementation impact for viruses, malware, and attacks.
  • K0192: Knowledge of Windows/Unix ports and services. 
  • K0203: Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
  • K0221: Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
  • K0222: Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.
  • K0260: Knowledge of Personally Identifiable Information (PII) data security standards. 
  • K0261: Knowledge of Payment Card Industry (PCI) data security standards. 
  • K0262: Knowledge of Personal Health Information (PHI) data security standards. 
  • K0290: Knowledge of systems security testing and evaluation methods.
  • K0297: Knowledge of countermeasure design for identified security risks.
  • K0300: Knowledge of network mapping and recreating network topologies.
  • K0301: Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
  • K0303: Knowledge of the use of sub-netting tools.
  • K0318: Knowledge of operating system command-line tools. 
  • K0322: Knowledge of embedded systems.
  • K0324: Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
  • K0332: Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
  • K0339: Knowledge of how to use network analysis tools to identify vulnerabilities.
  • K0342: Knowledge of penetration testing principles, tools, and techniques.
  • K0624: Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list).
  • S0020: Skill in developing and deploying signatures.
  • S0025: Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).
  • S0027: Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • S0036: Skill in evaluating the adequacy of security designs.
  • S0054: Skill in using incident handling methodologies.
  • S0057: Skill in using protocol analyzers.
  • S0063: Skill in collecting data from a variety of cyber defense resources.
  • S0078: Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
  • S0096: Skill in reading and interpreting signatures (e.g., snort).
  • S0147: Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
  • S0156: Skill in performing packet-level analysis.
  • S0167: Skill in recognizing vulnerabilities in security systems (e.g., vulnerability and compliance scanning).
  • S0169: Skill in conducting trend analysis.
  • S0367: Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • S0370: Skill to use cyber defense Service Provider reporting structure and processes within one’s own organization. 
  • T0020: Develop content for cyber defense tools.
  • T0023: Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
  • T0043: Coordinate with enterprise-wide cyber defense staff to validate network alerts.
  • T0088: Ensure that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
  • T0155: Document and escalate incidents (including event's history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
  • T0164: Perform cyber defense trend analysis and reporting.
  • T0166: Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
  • T0178: Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
  • T0187: Plan and recommend modifications or adjustments based on exercise results or system environment.
  • T0198: Provide daily summary reports of network events and activity relevant to cyber defense practices.
  • T0214: Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
  • T0258: Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities.
  • T0259: Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
  • T0260: Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.
  • T0290: Determine tactics, techniques, and procedures (TTPs) for intrusion sets.
  • T0291: Examine network topologies to understand data flows through the network.
  • T0292: Recommend computing environment vulnerability corrections.
  • T0293: Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).
  • T0294: Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings).
  • T0295: Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
  • T0296: Isolate and remove malware.
  • T0297: Identify applications and operating systems of a network device based on network traffic.
  • T0298: Reconstruct a malicious attack or activity based off network traffic.
  • T0299: Identify network mapping and operating system (OS) fingerprinting activities.
  • T0310: Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the network environment or enclave.
  • T0332: Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.
  • T0469: Analyze and report organizational security posture trends.
  • T0470: Analyze and report system security posture trends.
  • T0475: Assess adequate access controls based on principles of least privilege and need-to-know.
  • T0503: Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.
  • T0504: Assess and monitor cybersecurity related to system implementation and testing practices.
  • T0526: Provide cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
  • T0545: Work with stakeholders to resolve computer security incidents and vulnerability compliance.
  • T0548: Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
  • Capability Indicators for Cyber Defense Analyst (by category, for the Entry, Intermediate, and Advanced levels)
    Credentials/Certifications
    • Entry
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications addressing new attack vectors (emphasis on cloud computing technology, mobile platforms and tablet computers), new vulnerabilities, existing threats to operating environments
    • Intermediate
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications addressing incident handling (identification, overview, and preparation), buffer overflow, client attacks, covering tracks (networks, systems), denial of service attacks, incident handling (containment, eradication, recovery, and lessons learned), network attacks, password attacks, reconnaissance, scanning (discovery and mapping, techniques and defense), session hijacking and cache poisoning, techniques for maintaining access, web application attacks, worms, bots, and bot-nets
    • Advanced
      • Recommended: Yes
      • Example Topics: Certifications addressing incident handling (identification, overview, and preparation), buffer overflow, client attacks, covering tracks (networks, systems), denial of service attacks, incident handling (containment, eradication, recovery, and lessons learned), network attacks, password attacks, reconnaissance, scanning (discovery and mapping, techniques and defense), session hijacking and cache poisoning, techniques for maintaining access, web application attacks, worms, bots, and bot-nets
    Continuous Learning
    • Entry
      • Recommended: Yes
      • Examples: 40 hours annually (may include attending security conferences)
    • Intermediate
      • Recommended: Yes
      • Examples: 40 hours annually (may include attending security conferences)
    • Advanced
      • Recommended: Yes
      • Examples: 40 hours annually (may include attending security conferences)
    Education
    • Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: Bachelor's
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
    • Intermediate
      • Recommended: Yes
      • Example Types: Bachelor's
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
    • Advanced
      • Recommended: Yes
      • Example Types: Master's, Ph.D.
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
    Experiential Learning
    • Entry
      • Recommended: Yes
      • Examples: Introductory information assurance, networks, sensor operations, network/data analysis, packet capture analysis, hunt methodologies, intelligence analysis
    • Intermediate
      • Recommended: Yes
      • Examples: Information assurance, networks, radio communications, network/data analysis, packet capture analysis, malware detection, custom intrusion signature development concepts
    • Advanced
      • Recommended: Yes
      • Examples: Network/data analysis, packet capture analysis, malware detection, custom intrusion signature development, advanced information assurance
    Training
    • Entry
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: System administrator, basic cyber analyst/operator, intermediate cyber, hunt methodologies, cyber threat modeling
    • Intermediate
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Network security vulnerability technician, advanced network analyst, basic cyber analyst/operator, network traffic analysis, information security, information systems, network security, information assurance, troubleshooting, security operations, cryptography, cyber threat modeling
    • Advanced
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Hunt methodologies, information security, information systems, network security, information assurance, troubleshooting, security operations, cryptography, cyber threat modeling