PD-WRL-005
Insider Threat Analysis OPM Code: TBD

Protects against, identifies, and analyzes risks to technology systems or networks. Includes investigation of cybersecurity events or crimes related to technology systems and networks.

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

Tasks
Code  Description  Work Roles (number of work roles that include this statement)
T1056 Acquire resources to support cybersecurity program goals and objectives 4
T1057 Conduct an effective enterprise continuity of operations program 3
T1062 Contribute insider threat expertise to organizational cybersecurity awareness program 1
T1084 Identify anomalous network activity 9
T1085 Identify potential threats to network resources 3
T1160 Develop risk mitigation strategies 2
T1162 Recommend security changes to systems and system components 2
T1227 Manage cybersecurity budget, staffing, and contracting 8
T1266 Recommend risk mitigation strategies 3
T1324 Process digital evidence 4
T1325 Document digital evidence 4
T1439 Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations 2
T1510 Preserve digital evidence 3
T1592 Conduct cybersecurity reviews 2
T1690 Identify exploitable technical or operational vulnerabilities 1
T1712 Recommend potential courses of action 2
T1737 Develop intelligence collection strategies 1
T1743 Identify information collection gaps 1
T1799 Notify appropriate personnel of imminent hostile intentions or activities 2
T1801 Determine validity and relevance of information 1
T1969 Document system alerts 1
T1970 Escalate system alerts that may indicate risks 1
T1971 Disseminate anomalous activity reports to the insider threat hub 1
T1973 Conduct independent comprehensive assessments of target-specific information 1
T1974 Conduct insider threat risk assessments 1
T1975 Prepare insider threat briefings 1
T1976 Recommend risk mitigation courses of action (CoA) 1
T1977 Coordinate with internal and external incident management partners across jurisdictions 1
T1978 Recommend improvements to insider threat detection processes 1
T1979 Collect digital evidence that meets priority intelligence requirements 1
T1980 Develop digital evidence reports for internal and external partners 1
T1981 Develop elicitation indicators 1
T1982 Identify high value assets 1
T1983 Identify potential insider threats 1
T1985 Identify imminent or hostile intentions or activities 1
T1986 Develop a continuously updated overview of an incident throughout the incident's life cycle 1
T1987 Develop insider threat cyber operations indicators 1
T1988 Integrate information from cyber resources, internal partners, and external partners 1
T1989 Advise insider threat hub inquiries 1
T1990 Conduct cybersecurity insider threat inquiries 1
T1991 Deliver all-source cyber operations and intelligence indications and warnings 1
T1992 Interpret network activity for intelligence value 1
T1993 Monitor network activity for vulnerabilities 1
T1994 Identify potential insider risks to networks 1
T1995 Document potential insider risks to networks 1
T1996 Report network vulnerabilities 1
T1997 Develop insider threat investigation plans 1
T1998 Investigate alleged insider threat cybersecurity policy violations 1
T1999 Refer cases on active insider threat activities to law enforcement investigators 1
T2001 Establish an insider threat risk management assessment program 1
T2003 Evaluate organizational insider risk response capabilities 1
T2004 Document insider threat information sources 1
T2005 Conduct insider threat studies 1
T2006 Identify potential targets for exploitation 1
T2007 Analyze potential targets for exploitation 1
T2009 Develop insider threat targets 1
T2010 Maintain User Activity Monitoring (UAM) tools 1
T2011 Monitor the output from User Activity Monitoring (UAM) tools 1
Knowledge
Code  Description  Work Roles (number of work roles that include this statement)
K0635 Knowledge of decryption 2
K0636 Knowledge of decryption tools and techniques 3
K0637 Knowledge of data repositories 2
K0656 Knowledge of network collection tools and techniques 1
K0657 Knowledge of network collection policies and procedures 1
K0674 Knowledge of computer networking protocols 40
K0675 Knowledge of risk management processes 41
K0676 Knowledge of cybersecurity laws and regulations 41
K0677 Knowledge of cybersecurity policies and procedures 41
K0678 Knowledge of privacy laws and regulations 41
K0679 Knowledge of privacy policies and procedures 41
K0682 Knowledge of cybersecurity threats 40
K0683 Knowledge of cybersecurity vulnerabilities 40
K0684 Knowledge of cybersecurity threat characteristics 40
K0689 Knowledge of network infrastructure principles and practices 9
K0707 Knowledge of database systems and software 9
K0710 Knowledge of enterprise cybersecurity architecture principles and practices 20
K0721 Knowledge of risk management principles and practices 19
K0734 Knowledge of Risk Management Framework (RMF) requirements 14
K0735 Knowledge of risk management models and frameworks 13
K0751 Knowledge of system threats 40
K0752 Knowledge of system vulnerabilities 40
K0778 Knowledge of enterprise information technology (IT) architecture principles and practices 20
K0784 Knowledge of insider threat laws and regulations 7
K0785 Knowledge of insider threat tools and techniques 7
K0802 Knowledge of chain of custody policies and procedures 4
K0862 Knowledge of data remediation tools and techniques 3
K0870 Knowledge of enterprise architecture (EA) reference models and frameworks 20
K0871 Knowledge of enterprise architecture (EA) principles and practices 20
K0909 Knowledge of abnormal physical and physiological behaviors 2
K1014 Knowledge of network security principles and practices 40
K1023 Knowledge of network exploitation tools and techniques 3
K1031 Knowledge of risk mitigation tools and techniques 1
K1085 Knowledge of exploitation tools and techniques 1
K1096 Knowledge of data analysis tools and techniques 3
K1151 Knowledge of digital evidence cataloging tools and techniques 4
K1152 Knowledge of digital evidence extraction tools and techniques 4
K1154 Knowledge of digital evidence packaging tools and techniques 4
K1155 Knowledge of digital evidence preservation tools and techniques 4
K1180 Knowledge of organizational cybersecurity goals and objectives 11
K1188 Knowledge of organizational policies and procedures 4
K1197 Knowledge of priority intelligence requirements 2
K1209 Knowledge of risk mitigation principles and practices 4
K1241 Knowledge of cultural, political, and organizational assets 1
K1242 Knowledge of cybersecurity review processes and procedures 1
K1243 Knowledge of cybersecurity threat remediation principles and practices 1
K1244 Knowledge of cybersecurity tools and techniques 1
K1245 Knowledge of data exfiltration tools and techniques 1
K1246 Knowledge of data handling tools and techniques 1
K1247 Knowledge of data monitoring tools and techniques 1
K1248 Knowledge of digital and physical security vulnerabilities 1
K1249 Knowledge of digital and physical security vulnerability remediation principles and practices 1
K1250 Knowledge of external organization roles and responsibilities 1
K1251 Knowledge of external referrals policies and procedures 1
K1252 Knowledge of high value asset characteristics 1
K1254 Knowledge of insider threat hub policies and procedures 1
K1255 Knowledge of insider threat hub operations 1
K1256 Knowledge of insider threat operational indicators 1
K1257 Knowledge of insider threat policies and procedures 1
K1258 Knowledge of insider threat tactics 1
K1259 Knowledge of insider threat targets 1
K1260 Knowledge of intelligence laws and regulations 1
K1261 Knowledge of known insider attacks 1
K1262 Knowledge of network endpoints 1
K1263 Knowledge of notification policies and procedures 1
K1265 Knowledge of organizational objectives, resources, and capabilities 1
K1267 Knowledge of previously referred potential insider threats 1
K1268 Knowledge of risk reduction metrics 1
K1269 Knowledge of security information and event management (SIEM) tools and techniques 1
K1270 Knowledge of suspicious activity response processes 1
K1271 Knowledge of system alert policies and procedures 1
K1272 Knowledge of system components 1
K1273 Knowledge of threat investigation policies and procedures 1
K1274 Knowledge of threat modeling tools and techniques 1
K1275 Knowledge of User Activity Monitoring (UAM) tools and techniques 1
Skills
Code  Description  Work Roles (number of work roles that include this statement)
S0378 Skill in decrypting information 3
S0391 Skill in creating technical documentation 7
S0442 Skill in collecting network data 1
S0477 Skill in identifying anomalous activity 2
S0540 Skill in identifying network threats 3
S0558 Skill in developing algorithms 5
S0559 Skill in performing data structure analysis 5
S0579 Skill in preparing reports 11
S0588 Skill in performing threat modeling 2
S0610 Skill in communicating effectively 7
S0688 Skill in performing network data analysis 7
S0690 Skill in performing midpoint collection data analysis 1
S0728 Skill in preparing briefings 6
S0748 Skill in querying data 2
S0791 Skill in presenting to an audience 9
S0817 Skill in building internal and external relationships 1
S0821 Skill in collaborating with internal and external stakeholders 9
S0848 Skill in performing behavioral analysis 1
S0854 Skill in performing data analysis 8
S0866 Skill in performing log file analysis 6
S0874 Skill in performing network traffic analysis 4
S0890 Skill in performing threat analysis 2
S0896 Skill in recognizing behavioral patterns 2
S0900 Skill in analyzing information from multiple sources 1
S0902 Skill in building relationships remotely and in person 1
S0904 Skill in correlating data from multiple tools 1
S0905 Skill in determining what information may be helpful to a specific audience 1
S0906 Skill in identifying insider risk security gaps 1
S0907 Skill in identifying insider threats 1
S0908 Skill in determining the importance of assets 1
S0909 Skill in integrating information from multiple sources 1
S0910 Skill in performing cyberintelligence data analysis 1
S0911 Skill in performing data queries 1
S0912 Skill in performing human behavioral analysis 1
S0913 Skill in performing link analysis 1
S0916 Skill in recognizing recurring threat incidents 1