PR-CIR-001 Cyber Defense Incident Responder

Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.

Responds to crises or urgent situations within the pertinent domain to mitigate immediate and potential threats. Uses mitigation, preparedness, and response and recovery approaches, as needed, to maximize survival of life, preservation of property, and information security. Investigates and analyzes all relevant response activities.

Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.

Knowledges 30

Code	Description	Work Roles
K0001	Knowledge of computer networking concepts and protocols, and network security methodologies.	52
K0002	Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).	52
K0003	Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.	52
K0004	Knowledge of cybersecurity and privacy principles.	52
K0005	Knowledge of cyber threats and vulnerabilities.	52
K0006	Knowledge of specific operational impacts of cybersecurity lapses.	52
K0021	Knowledge of data backup and recovery.	9
K0026	Knowledge of business continuity and disaster recovery continuity of operations plans.	5
K0033	Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists).	5
K0034	Knowledge of network services and protocols interactions that provide network communications.	1
K0041	Knowledge of incident categories, incident responses, and timelines for responses.	1
K0042	Knowledge of incident response and handling methodologies.	7
K0046	Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions.	4
K0058	Knowledge of network traffic analysis methods.	10
K0062	Knowledge of packet-level analysis.	2
K0070	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).	13
K0106	Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities.	6
K0157	Knowledge of cyber defense and information security policies, procedures, and regulations.	4
K0161	Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).	3
K0162	Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).	3
K0167	Knowledge of system administration, network, and operating system hardening techniques.	7
K0177	Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).	12
K0179	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).	19
K0221	Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).	3
K0230	Knowledge of cloud service models and how those models can limit incident response.	1
K0259	Knowledge of malware analysis concepts and methodologies.	1
K0287	Knowledge of an organization's information classification program and procedures for information compromise.	18
K0332	Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.	14
K0565	Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.	11
K0624	Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)	13

Skills 8

Code	Description	Work Roles
S0003	Skill of identifying, capturing, containing, and reporting malware.	1
S0047	Skill in preserving evidence integrity according to standard operating procedures or national standards.	4
S0077	Skill in securing network communications.	3
S0078	Skill in recognizing and categorizing types of vulnerabilities and associated attacks.	3
S0079	Skill in protecting a network against malware. (e.g., NIPS, anti-malware, restrict/prevent external devices, spam filters).	3
S0080	Skill in performing damage assessments.	1
S0173	Skill in using security event correlation tools.	2
S0365	Skill to design incident response for cloud service models.	2

Abilities 2

Code	Description	Work Roles
A0121	Ability to design incident response for cloud service models.	1
A0128	Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.	3

Tasks 17

Code	Description	Work Roles
T0278	Collect intrusion artifacts (e.g., source code, malware, Trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.	1
T0279	Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.	2
T0312	Coordinate with intelligence analysts to correlate threat assessment data.	2
T0395	Write and publish after action reviews.	2
T0503	Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.	2
T0510	Coordinate incident response functions.	1
T0041	Coordinate and provide expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents.	1
T0047	Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.	1
T0161	Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security.	1
T0163	Perform cyber defense incident triage, to include determining scope, urgency, and potential impact, identifying the specific vulnerability, and making recommendations that enable expeditious remediation.	1
T0164	Perform cyber defense trend analysis and reporting.	2
T0170	Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems.	1
T0175	Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).	2
T0214	Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.	2
T0233	Track and document cyber defense incidents from initial detection through final resolution.	1
T0246	Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.	1
T0262	Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness).	1