PR-CDA-001 Cyber Defense Analyst

Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.

Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network to protect information, information systems, and networks from threats.

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.

Knowledges 70

Code Description Work Roles
K0001 Knowledge of computer networking concepts and protocols, and network security methodologies. 52
K0002 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 52
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 52
K0004 Knowledge of cybersecurity and privacy principles. 52
K0005 Knowledge of cyber threats and vulnerabilities. 52
K0006 Knowledge of specific operational impacts of cybersecurity lapses. 52
K0007 Knowledge of authentication, authorization, and access control methods. 4
K0013 Knowledge of cyber defense and vulnerability assessment tools and their capabilities. 5
K0015 Knowledge of computer algorithms. 6
K0018 Knowledge of encryption algorithms. 11
K0019 Knowledge of cryptography and cryptographic key management concepts. 8
K0024 Knowledge of database systems. 7
K0033 Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists). 5
K0040 Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins). 5
K0042 Knowledge of incident response and handling methodologies. 7
K0044 Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 14
K0046 Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions. 4
K0049 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). 8
K0056 Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML). 11
K0058 Knowledge of network traffic analysis methods. 10
K0059 Knowledge of new and emerging information technology (IT) and cybersecurity technologies. 12
K0060 Knowledge of operating systems. 13
K0061 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). 11
K0065 Knowledge of policy-based and risk adaptive access controls. 5
K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). 13
K0074 Knowledge of key concepts in security management (e.g., Release Management, Patch Management). 4
K0075 Knowledge of security system design tools, methods, and techniques. 3
K0093 Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing). 8
K0098 Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization. 2
K0104 Knowledge of Virtual Private Network (VPN) security. 4
K0106 Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities. 6
K0107 Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations. 4
K0110 Knowledge of adversarial tactics, techniques, and procedures. 2
K0111 Knowledge of network tools (e.g., ping, traceroute, nslookup). 2
K0112 Knowledge of defense-in-depth principles and network security architecture. 1
K0113 Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN). 2
K0116 Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip). 2
K0139 Knowledge of interpreted and compiled computer languages. 8
K0142 Knowledge of collection management processes, capabilities, and limitations. 4
K0143 Knowledge of front-end collection systems, including traffic collection, filtering, and selection. 3
K0157 Knowledge of cyber defense and information security policies, procedures, and regulations. 4
K0160 Knowledge of the common attack vectors on the network layer. 2
K0161 Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks). 3
K0162 Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored). 3
K0167 Knowledge of system administration, network, and operating system hardening techniques. 7
K0168 Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures. 11
K0177 Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). 12
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 19
K0180 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. 9
K0190 Knowledge of encryption methodologies. 1
K0191 Knowledge of signature implementation impact for viruses, malware, and attacks. 1
K0192 Knowledge of Windows/Unix ports and services. 1
K0203 Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). 10
K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP). 3
K0222 Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities. 1
K0260 Knowledge of Personally Identifiable Information (PII) data security standards. 16
K0261 Knowledge of Payment Card Industry (PCI) data security standards. 17
K0262 Knowledge of Personal Health Information (PHI) data security standards. 17
K0290 Knowledge of systems security testing and evaluation methods. 2
K0297 Knowledge of countermeasure design for identified security risks. 4
K0300 Knowledge of network mapping and recreating network topologies. 1
K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump). 3
K0303 Knowledge of the use of subnetting tools. 1
K0318 Knowledge of operating system command-line tools. 2
K0322 Knowledge of embedded systems. 10
K0324 Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications. 2
K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. 14
K0339 Knowledge of how to use network analysis tools to identify vulnerabilities. 2
K0342 Knowledge of penetration testing principles, tools, and techniques. 8
K0624 Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list). 13

Skills 15

Code Description Work Roles
S0020 Skill in developing and deploying signatures. 1
S0025 Skill in detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort). 3
S0027 Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. 7
S0036 Skill in evaluating the adequacy of security designs. 4
S0054 Skill in using incident handling methodologies. 2
S0057 Skill in using protocol analyzers. 2
S0063 Skill in collecting data from a variety of cyber defense resources. 1
S0078 Skill in recognizing and categorizing types of vulnerabilities and associated attacks. 3
S0096 Skill in reading and interpreting signatures (e.g., snort). 1
S0147 Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.). 3
S0156 Skill in performing packet-level analysis. 3
S0167 Skill in recognizing vulnerabilities in security systems (e.g., vulnerability and compliance scanning). 2
S0169 Skill in conducting trend analysis. 1
S0367 Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 14
S0370 Skill to use cyber defense Service Provider reporting structure and processes within one’s own organization. 2

Abilities 6

Code Description Work Roles
A0010 Ability to analyze malware. 1
A0015 Ability to conduct vulnerability scans and recognize vulnerabilities in security systems. 8
A0066 Ability to accurately and completely source all data used in intelligence, assessment and/or planning products. 12
A0123 Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 15
A0128 Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies. 3
A0159 Ability to interpret the information collected by network tools (e.g., Nslookup, Ping, and Traceroute). 2

Tasks 34

Code Description Work Roles
T0290 Determine tactics, techniques, and procedures (TTPs) for intrusion sets. 1
T0291 Examine network topologies to understand data flows through the network. 1
T0292 Recommend computing environment vulnerability corrections. 1
T0293 Identify and analyze anomalies in network traffic using metadata. 1
T0294 Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings). 1
T0295 Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools. 1
T0296 Isolate and remove malware. 1
T0297 Identify applications and operating systems of a network device based on network traffic. 1
T0298 Reconstruct a malicious attack or activity based on network traffic. 1
T0299 Identify network mapping and operating system (OS) fingerprinting activities. 1
T0310 Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the network environment or enclave. 1
T0332 Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan. 1
T0469 Analyze and report organizational security posture trends. 2
T0470 Analyze and report system security posture trends. 2
T0475 Assess adequate access controls based on principles of least privilege and need-to-know. 2
T0503 Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise. 2
T0504 Assess and monitor cybersecurity related to system implementation and testing practices. 2
T0526 Provide cybersecurity recommendations to leadership based on significant threats and vulnerabilities. 2
T0545 Work with stakeholders to resolve computer security incidents and vulnerability compliance. 2
T0548 Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. 2
T0020 Develop content for cyber defense tools. 1
T0023 Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources. 1
T0043 Coordinate with enterprise-wide cyber defense staff to validate network alerts. 1
T0088 Ensure that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level. 2
T0155 Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment. 1
T0164 Perform cyber defense trend analysis and reporting. 2
T0166 Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. 1
T0178 Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy. 2
T0187 Plan and recommend modifications or adjustments based on exercise results or system environment. 2
T0198 Provide daily summary reports of network events and activity relevant to cyber defense practices. 1
T0214 Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. 2
T0258 Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities. 1
T0259 Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity. 1
T0260 Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information. 1