PR-CDA-001 Cyber Defense Analyst

Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.

Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network to protect information, information systems, and networks from threats.

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.

Knowledges 70

Code	Description	Work Roles
K0001	Knowledge of computer networking concepts and protocols, and network security methodologies.	52
K0002	Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).	52
K0003	Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.	52
K0004	Knowledge of cybersecurity and privacy principles.	52
K0005	Knowledge of cyber threats and vulnerabilities.	52
K0006	Knowledge of specific operational impacts of cybersecurity lapses.	52
K0007	Knowledge of authentication, authorization, and access control methods.	4
K0013	Knowledge of cyber defense and vulnerability assessment tools and their capabilities.	5
K0015	Knowledge of computer algorithms.	6
K0018	Knowledge of encryption algorithms	11
K0019	Knowledge of cryptography and cryptographic key management concepts	8
K0024	Knowledge of database systems.	7
K0033	Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists).	5
K0040	Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).	5
K0042	Knowledge of incident response and handling methodologies.	7
K0044	Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	14
K0046	Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions.	4
K0049	Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).	8
K0056	Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).	11
K0058	Knowledge of network traffic analysis methods.	10
K0059	Knowledge of new and emerging information technology (IT) and cybersecurity technologies.	12
K0060	Knowledge of operating systems.	13
K0061	Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).	11
K0065	Knowledge of policy-based and risk adaptive access controls.	5
K0070	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).	13
K0074	Knowledge of key concepts in security management (e.g., Release Management, Patch Management).	4
K0075	Knowledge of security system design tools, methods, and techniques.	3
K0093	Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing).	8
K0098	Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.	2
K0104	Knowledge of Virtual Private Network (VPN) security.	4
K0106	Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities.	6
K0107	Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations.	4
K0110	Knowledge of adversarial tactics, techniques, and procedures.	2
K0111	Knowledge of network tools (e.g., ping, traceroute, nslookup)	2
K0112	Knowledge of defense-in-depth principles and network security architecture.	1
K0113	Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).	2
K0116	Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).	2
K0139	Knowledge of interpreted and compiled computer languages.	8
K0142	Knowledge of collection management processes, capabilities, and limitations.	4
K0143	Knowledge of front-end collection systems, including traffic collection, filtering, and selection.	3
K0157	Knowledge of cyber defense and information security policies, procedures, and regulations.	4
K0160	Knowledge of the common attack vectors on the network layer.	2
K0161	Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).	3
K0162	Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).	3
K0167	Knowledge of system administration, network, and operating system hardening techniques.	7
K0168	Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.	11
K0177	Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).	12
K0179	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).	19
K0180	Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.	9
K0190	Knowledge of encryption methodologies.	1
K0191	Knowledge of signature implementation impact for viruses, malware, and attacks.	1
K0192	Knowledge of Windows/Unix ports and services.	1
K0203	Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).	10
K0221	Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).	3
K0222	Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.	1
K0260	Knowledge of Personally Identifiable Information (PII) data security standards.	16
K0261	Knowledge of Payment Card Industry (PCI) data security standards.	17
K0262	Knowledge of Personal Health Information (PHI) data security standards.	17
K0290	Knowledge of systems security testing and evaluation methods.	2
K0297	Knowledge of countermeasure design for identified security risks.	4
K0300	Knowledge of network mapping and recreating network topologies.	1
K0301	Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).	3
K0303	Knowledge of the use of sub-netting tools.	1
K0318	Knowledge of operating system command-line tools.	2
K0322	Knowledge of embedded systems.	10
K0324	Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.	2
K0332	Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.	14
K0339	Knowledge of how to use network analysis tools to identify vulnerabilities.	2
K0342	Knowledge of penetration testing principles, tools, and techniques.	8
K0624	Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)	13

Skills 15

Code	Description	Work Roles
S0020	Skill in developing and deploying signatures.	1
S0025	Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).	3
S0027	Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.	7
S0036	Skill in evaluating the adequacy of security designs.	4
S0054	Skill in using incident handling methodologies.	2
S0057	Skill in using protocol analyzers.	2
S0063	Skill in collecting data from a variety of cyber defense resources.	1
S0078	Skill in recognizing and categorizing types of vulnerabilities and associated attacks.	3
S0096	Skill in reading and interpreting signatures (e.g., snort).	1
S0147	Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).	3
S0156	Skill in performing packet-level analysis.	3
S0167	Skill in recognizing vulnerabilities in security systems. (e.g., vulnerability and compliance scanning).	2
S0169	Skill in conducting trend analysis.	1
S0367	Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	14
S0370	Skill to use cyber defense Service Provider reporting structure and processes within one’s own organization.	2

Abilities 6

Code	Description	Work Roles
A0010	Ability to analyze malware.	1
A0015	Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.	8
A0066	Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.	12
A0123	Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	15
A0128	Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.	3
A0159	Ability to interpret the information collected by network tools (e.g. Nslookup, Ping, and Traceroute).	2

Tasks 34

Code	Description	Work Roles
T0290	Determine tactics, techniques, and procedures (TTPs) for intrusion sets.	1
T0291	Examine network topologies to understand data flows through the network.	1
T0292	Recommend computing environment vulnerability corrections.	1
T0293	Identify and analyze anomalies in network traffic using metadata.	1
T0294	Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings).	1
T0295	Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.	1
T0296	Isolate and remove malware.	1
T0297	Identify applications and operating systems of a network device based on network traffic.	1
T0298	Reconstruct a malicious attack or activity based off network traffic.	1
T0299	Identify network mapping and operating system (OS) fingerprinting activities.	1
T0310	Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the network environment or enclave.	1
T0332	Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.	1
T0469	Analyze and report organizational security posture trends.	2
T0470	Analyze and report system security posture trends.	2
T0475	Assess adequate access controls based on principles of least privilege and need-to-know.	2
T0503	Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.	2
T0504	Assess and monitor cybersecurity related to system implementation and testing practices.	2
T0526	Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities.	2
T0545	Work with stakeholders to resolve computer security incidents and vulnerability compliance.	2
T0548	Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.	2
T0020	Develop content for cyber defense tools.	1
T0023	Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.	1
T0043	Coordinate with enterprise-wide cyber defense staff to validate network alerts.	1
T0088	Ensure that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.	2
T0155	Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.	1
T0164	Perform cyber defense trend analysis and reporting.	2
T0166	Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.	1
T0178	Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.	2
T0187	Plan and recommend modifications or adjustments based on exercise results or system environment.	2
T0198	Provide daily summary reports of network events and activity relevant to cyber defense practices.	1
T0214	Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.	2
T0258	Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities.	1
T0259	Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.	1
T0260	Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.	1