Host Analyst
A Host Analyst (HA) has knowledge of the various system configurations encountered, of system services and their security and configuration, and of file systems, permissions, and operating system configurations. The Host Analyst conducts analysis using built-in tools and capabilities.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T1110 additional Isolate and remove malware.
- T1111 additional Identify applications and operating systems of a network device based on network traffic.
- T1113 additional Identify network mapping and operating system (OS) fingerprinting activities.
- T2062 additional Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave.
- T2119 additional Conduct network scouting and vulnerability analyses of systems within a network.
- T2205 additional Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers).
- T2226 additional Detect exploits against targeted networks and hosts and react accordingly.
- T2232 additional Determine course of action for addressing changes to objectives, guidance, and operational environment.
- T2353 additional Edit or execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems.
- T2379B additional Identify threats to Blue Force vulnerabilities.
- T2429 additional Generate requests for information.
- T2603 additional Monitor operational environment and report on adversarial activities which fulfill leadership’s priority information requirements.
- T2611 additional Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.
- T461 additional Confer with systems analysts, engineers, programmers, and others to design applications and to obtain information on project limitations and capabilities, performance requirements, and interfaces.
- T8036 additional Conduct open source research via various online tools.
- T8111 additional Identify potential points of strength and vulnerability among segments of a network map.
- T8115 additional Identify tools/hardware used to extract/analyze/capture memory and disk images.
- T8151 additional Perform security reviews and identify gaps in security architecture that can be used in the development of a security risk management plan.
- T8161 additional Provide and maintain documentation for TTPs as inputs to training programs.
- T8212 additional Validate intrusion detection system (IDS) alerts.
- T868 additional Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost).
- T880A additional Work with stakeholders to resolve computer security incidents and vulnerability compliance.
- T958 additional Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
- T959 additional Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.
- T972A additional Determine and document software patches or the extent of releases that would leave software vulnerable.
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- A1072A ability additional Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
- A3002 ability additional Ability to focus research efforts to meet the customer’s decision-making needs.
- A3063 ability additional Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity.
- A3859A ability additional Ability to read, interpret, write, modify, and execute simple scripts (e.g. PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).
- A4171 ability additional Ability to analyze a finding of a compromise and develop a custom signature(s) and/or rule(s) to identify it throughout the network
- A4172 ability additional Ability to analyze adversarial avenues of approach on a mission-critical system
- A4174 ability additional Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies in support of identifying outliers to delineate possible avenues of approach.
- A4176 ability additional Ability to analyze how the tools operate to enumerate the system
- A4179 ability additional Ability to analyze multiple memory captures, determine anomalous behavior and develop a detailed report that includes a timeline of compromise
- A4182 ability additional Ability to analyze organizational policies and documentation for appropriate use and user privileges to determine current user access rights policies
- A4184 ability additional Ability to analyze potentially malicious processes, libraries and modules on a system
- A4185 ability additional Ability to analyze process lists within Windows, Unix, or Linux operating systems
- A4186 ability additional Ability to analyze software installed and in use on a system, and on a host machine and compare it to the authorized software list provided by the network owner
- A4187 ability additional Ability to analyze tools/hardware used to extract/analyze/capture memory and disk images
- A4188 ability additional Ability to analyze user-mode/kernel mode rootkits and how they function and differ
- A4189 ability additional Ability to analyze vulnerabilities and misconfiguration without Information Assurance artifacts.
- A4195 ability additional Ability to build a baseline of configuration/state for host machines
- A4197 ability additional Ability to capture a memory image from a host workstation
- A4198 ability additional Ability to capture forensically sound memory and disk images with regard to timeline analysis
- A4206 ability additional Ability to compare active user accounts on a network to appropriate Standard Operating Procedure (SOP), gather active user accounts on a network and compare to authorized user list
- A4207 ability additional Ability to compare current state against baselines
- A4209 ability additional Ability to compile group policies and access control lists from mission partner networks.
- A4210 ability additional Ability to compile host-based firewall configurations and host intrusion prevention system through group policy modifications from mission partner networks.
- A4211 ability additional Ability to conduct disk forensics on multiple images
- A4216 ability additional Ability to configure log aggregation
- A4217 ability additional Ability to configure, forward and statistically analyze logs
- A4225 ability additional Ability to correlate indicators of compromise
- A4232 ability additional Ability to de-obfuscate (e.g. command line execution, string substitution, clandestine side channel, Base64).
- A4234 ability additional Ability to develop a risk defense plan (e.g. behavioral development, etc.) and put active measures in place in defense of a network, endpoint, and/or host.
- A4237 ability additional Ability to develop dashboards to better visualize data
- A4238 ability additional Ability to develop host-based IDS/IPS signatures and settings
- A4239 ability additional Ability to develop the reporting and recording of discovered potentially malicious processes, libraries, and modules on a compromised system
- A4245 ability additional Ability to enumerate domain security groups.
- A4246 ability additional Ability to enumerate knowledge management applications (e.g. SharePoint) and their service accounts/security groups.
- A4247 ability additional Ability to enumerate network shares and identify ACLs/security permissions and analyze for vulnerabilities/misconfigurations (e.g. SMB, NFS, ISCSI).
- A4250 ability additional Ability to evaluate common Tactics, Techniques and Procedures (TTP) used in malware and open-source and Intelligence Community (IC) resources available to identify emerging TTPs
- A4251 ability additional Ability to evaluate compliance with Security Technical Implementation Guides (STIGs) on host machines by utilizing a compliance scanner in support of identifying outliers in order to delineate possible avenues of approach
- A4252 ability additional Ability to evaluate if patches are up to date for all hosts, determine current process for updating patches and determine current patch level for all hosts on a network according to NIST Special Publications 800-40 in support of identifying outliers in order to delineate possible avenues of approach.
- A4256 ability additional Ability to evaluate rogue/unauthorized systems on a network
- A4257 ability additional Ability to evaluate security posture shortcomings in group policy
- A4258 ability additional Ability to evaluate steps taken after host-based IDS/IPS alerts, verify the finding and ensure its volatility
- A4259 ability additional Ability to evaluate systems resiliency in adverse conditions
- A4262 ability additional Ability to export/enumerate information (e.g., users, groups) from a Domain Controller.
- A4266 ability additional Ability to identify activity context in log entries to correlate indicators of compromise.
- A4269 ability additional Ability to identify anomalous network traffic on a host machine.
- A4273 ability additional Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
- A4281 ability additional Ability to identify new indicators of compromise through anomalous behavior in log entries.
- A4283 ability additional Ability to identify security posture shortcomings
- A4284 ability additional Ability to identify tools and techniques available for analyzing binary applications and interpreted scripts.
- A4287 ability additional Ability to identify/select the most appropriate tools and solutions for the specific environment (e.g. disk/memory forensics/capture, host enumeration, application whitelisting, log aggregation and analysis, HIPS/HIDS solutions, etc.).
- A4288 ability additional Ability to implement and configure host-based firewalls and host intrusion prevention systems
- A4289 ability additional Ability to implement Data at Rest and Data in Transit encryption methodologies, assess Data at Rest and Data in Transit policies.
- A4302 ability additional Ability to measure known vulnerabilities against known vectors of approach.
- A4306 ability additional Ability to monitor Active Directory (AD) for creation of unauthorized/potentially malicious accounts
- A4309 ability additional Ability to operate specified tools to enumerate a system.
- A4312 ability additional Ability to organize Active Directories (AD) hierarchy structure
- A4313 ability additional Ability to organize logging and auditing procedures including server-based logging
- A4315 ability additional Ability to organize order of the volatility when capturing artifacts
- A4318 ability additional Ability to perform and analyze situational awareness commands within Windows, Unix, and Linux operating systems (e.g., systeminfo, netstat, ipconfig, tasklist, ls, ifconfig)
- A4319 ability additional Ability to perform and analyze vulnerability scans on host machines in support of identifying outliers in order to delineate possible avenues of approach.
- A4320 ability additional Ability to perform complex root-cause analysis and recommend mitigations to determine root cause of an intrusion
- A4323 ability additional Ability to perform dynamic analysis.
- A4326 ability additional Ability to perform static analysis.
- A4331 ability additional Ability to prioritize how Operating System (OS) and application patches are distributed in different systems
- A4332 ability additional Ability to prioritize Operating Systems (OS) default processes, library, and modules based on boot order, dependencies, or key operations.
- A4337 ability additional Ability to provide host analysis for Risk Mitigation Plan (RMP) to improve customer security overall posture
- A4339 ability additional Ability to provide mitigations to recover from a full network compromise.
- A4351 ability additional Ability to select the best tools to enumerate a given set of host machines in order to validate whether they match known baselines.
- A4363 ability additional Ability to use and integrate a Security Information and Event Management (SIEM) platform.
- A4371 ability additional Ability to use host volatile data to compare active processes, libraries and modules against databases of known good/bad.
- A4375 ability additional Ability to utilize Defense Information Systems Agency (DISA)/ Department of Defense (DoD) system configuration guidelines
- A68A ability additional Ability to build architectures and frameworks.
- K0015 knowledge additional Knowledge of capabilities and applications of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
- K0034 knowledge additional Knowledge of database systems.
- K0046 knowledge additional Knowledge of fault tolerance.
- K0049 knowledge additional Knowledge of host/network access control mechanisms (e.g., access control list).
- K0051 knowledge additional Knowledge of how system components are installed, integrated, and optimized.
- K0052 knowledge additional Knowledge of human-computer interaction principles.
- K0053 knowledge additional Knowledge of measures or indicators of system performance and availability.
- K0061 knowledge additional Knowledge of incident response and handling methodologies.
- K0062 knowledge additional Knowledge of industry-standard and organizationally accepted analysis principles and methods.
- K0063 knowledge additional Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- K0066 knowledge additional Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.
- K0069 knowledge additional Knowledge of Risk Management Framework (RMF) requirements.
- K0078 knowledge additional Knowledge of microprocessors.
- K0079 knowledge additional Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
- K0088 knowledge additional Knowledge of systems administration concepts.
- K0090 knowledge additional Knowledge of operating systems.
- K0105 knowledge additional Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- K0109 knowledge additional Knowledge of secure configuration management techniques.
- K0110 knowledge additional Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
- K0111 knowledge additional Knowledge of security system design tools, methods, and techniques.
- K0117 knowledge additional Knowledge of software design tools, methods, and techniques.
- K0124 knowledge additional Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.
- K0130 knowledge additional Knowledge of virtualization technologies and virtual machine development and maintenance.
- K0139 knowledge additional Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
- K0148 knowledge additional Knowledge of Virtual Private Network (VPN) security.
- K0150 knowledge additional Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
- K0264 knowledge additional Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
- K0270 knowledge additional Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).
- K027A knowledge additional Knowledge of cryptology.
- K043A knowledge additional Knowledge of embedded systems.
- K065A knowledge additional Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).
- K070A knowledge additional Knowledge of cybersecurity methods, such as firewalls, demilitarized zones, and encryption.
- K081A knowledge additional Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
- K082A knowledge additional Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs.
- K0912 knowledge additional Knowledge of collection management processes, capabilities, and limitations.
- K0915 knowledge additional Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
- K092B knowledge additional Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol (TCP), Internet Protocol (IP), Open System Interconnection Model (OSI)).
- K095A knowledge additional Knowledge of penetration testing principles, tools, and techniques.
- K1033 knowledge additional Knowledge of basic system administration, network, and operating system hardening techniques.
- K1037B knowledge additional Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements.
- K1038 knowledge additional Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability.
- K1073 knowledge additional Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
- K109A knowledge additional Knowledge of configuration management techniques.
- K110A knowledge additional Knowledge of security management.
- K1141A knowledge additional Knowledge of an organization's information classification program and procedures for information compromise.
- K141A knowledge additional Knowledge of the enterprise information technology (IT) architectural concepts and patterns to include baseline and target architectures.
- K143A knowledge additional Knowledge of integrating the organization’s goals and objectives into the architecture.
- K183A knowledge additional Knowledge in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
- K3130 knowledge additional Knowledge of auditing and logging procedures (including server-based logging).
- K3140 knowledge additional Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted languages).
- K3141 knowledge additional Knowledge of basic software applications (e.g., data storage and backup, database applications) and their vulnerabilities.
- K3153 knowledge additional Knowledge of circuit analysis.
- K3188 knowledge additional Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).
- K3201 knowledge additional Knowledge of all relevant reporting and dissemination procedures.
- K3206 knowledge additional Knowledge of current software and methodologies for active defense and system hardening.
- K3222 knowledge additional Knowledge of data backup and restoration concepts.
- K3253 knowledge additional Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).
- K3261 knowledge additional Knowledge of evasion strategies and techniques.
- K3270 knowledge additional Knowledge of forensic implications of operating system structure and operations.
- K3317 knowledge additional Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.
- K3348 knowledge additional Knowledge of intrusion detection systems and signature development.
- K3353 knowledge additional Knowledge of the Risk Management Framework Assessment Methodology.
- K3378 knowledge additional Knowledge of methods and techniques used to detect various exploitation activities.
- K3431 knowledge additional Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
- K3454 knowledge additional Knowledge of products and nomenclature of major vendors (e.g., security suites - Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.
- K3459 knowledge additional Knowledge of the functions and capabilities of internal teams that emulate threat activities to benefit the organization.
- K3479 knowledge additional Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.
- K3480 knowledge additional Knowledge of security implications of software configurations.
- K3508 knowledge additional Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).
- K3513 knowledge additional Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
- K3539 knowledge additional Knowledge of telecommunications fundamentals.
- K3627 knowledge additional Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.
- K3637 knowledge additional Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).
- K3642 knowledge additional Knowledge of various types of computer architectures.
- K4095 knowledge additional Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).
- K4390 knowledge additional Knowledge of active directory federated services.
- K4413 knowledge additional Knowledge of common information network malware (e.g., viruses, trojans, etc.) and vectors of attack (e.g., ports, attachments, etc.).
- K4415 knowledge additional Knowledge of common obfuscation techniques (e.g. command line execution, string substitution, clandestine side channel, Base64).
- K4416 knowledge additional Knowledge of common persistence locations within Windows, Unix, or Linux operating systems
- K4427 knowledge additional Knowledge of cybersecurity and cybersecurity-enabled software products.
- K4429 knowledge additional Knowledge of cybersecurity controls and design principles and methods (e.g., firewalls, DMZ, and encryption).
- K4430 knowledge additional Knowledge of cybersecurity Risk Management Framework (RMF) process.
- K4434 knowledge additional Knowledge of DCO capabilities, including open-source tools, and their capabilities.
- K4435 knowledge additional Knowledge of Defense-In-Depth principles.
- K4438 knowledge additional Knowledge of different types of log subscriptions (e.g. push vs pull, MS Windows event forwarding, winlogbeat, syslog).
- K4443 knowledge additional Knowledge of evasion strategies and TTPs (e.g., noise, stealth, situational awareness, bandwidth throttling).
- K4445 knowledge additional Knowledge of existing cybersecurity principles, policies, and procedures
- K4452 knowledge additional Knowledge of full-spectrum of cyberspace operations in an intelligence-driven DCO environment.
- K4501 knowledge additional Knowledge of non-Active Directory domains (e.g. IDM, LDAP).
- K4522 knowledge additional Knowledge of public key infrastructure (PKI) libraries, certificate authorities, certificate management, and encryption functionalities.
- K4537 knowledge additional Knowledge of stream providers (e.g. KAFKA).
- K4539 knowledge additional Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model).
- K4583 knowledge additional Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission.
- K4585 knowledge additional Knowledge of the Windows registry hive keys and the information contained within each one.
- K4589 knowledge additional Knowledge of typical system processes within Windows, Unix, or Linux operating systems
- K4595 knowledge additional Knowledge of web applications and their common attack vectors.
- K6240 knowledge additional Knowledge of critical protocols (e.g., IPSEC, AES, GRE, IKE).
- K6330 knowledge additional Knowledge of multi-level/security cross domain solutions.
- K6820 knowledge additional Knowledge of network architecture concepts including topology, protocols, and components.
- S0155 skill additional Skill in monitoring and optimizing system/server performance.
- S156 skill additional Skill in applying confidentiality, integrity, and availability principles.
- S202A skill additional Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.
- S205 skill additional Skill in implementing, maintaining, and improving established network security practices.
- S233 skill additional Skill in using protocol analyzers.
- S350 skill additional Skill in analyzing memory dumps to extract information.
- S3740 skill additional Skill in determining installed patches on various operating systems and identifying patch signatures.
- S3777 skill additional Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools.
- S3801 skill additional Skill in identifying the devices that work at each level of protocol models.
- S3815 skill additional Skill in interpreting vulnerability scanner results to identify vulnerabilities.
- S3859 skill additional Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).
- S3871 skill additional Skill in remote command line and Graphic User Interface (GUI) tool usage.
- S3948 skill additional Skill in verifying the integrity of all files.
- S4599 skill additional Skill in analyzing endpoint collection data.
- S4655 skill additional Skill in providing support to intelligence analysts to understand the operational environment and how it ties to intelligence reporting.
- S4660 skill additional Skill in refining research (e.g., vulnerabilities, TTPs) to assist intelligence analysts’ preparation of products.
- S4665 skill additional Skill in run level configurations in a Linux or UNIX environment
- S4679 skill additional Skill in using various online tools for open-source research (e.g., online trade, DNS, mail, etc.).
- S892 skill additional Skill in configuring and utilizing software-based computer protection tools (e.g., software firewalls, anti-virus software, anti-spyware).
- S973A skill additional Skill in using code analysis tools.
EWU courses that develop this role
Related lectures and labs
Lectures
- CSCD240-S26-L02 Shell basics, navigation, file type identification, which
- CSCD240-S26-L03 Files, directories, file command, wildcards, viewing
- CSCD240-S26-L05 Permissions part 1: ls -l anatomy, rwx, file types
- CSCD240-S26-L06 Permissions part 2: chmod octal + symbolic, directory x bit
- CSCD240-S26-L07 I/O redirection, aliases, source, .bashrc, env
- CSCD240-S26-L08 Pipes, filters, grep, sort, uniq, wc, tar
Labs
- CSCD240-S26-LAB1 Linux Lab 1: Navigation and Files
- CSCD240-S26-LAB3 Linux Lab 3: Permissions and Man Pages
- CSCD240-S26-LAB4 Linux Lab 4: Redirection and Environment
- CSCD240-S26-LAB5 Linux Lab 5: Quoting and File Utilities
- CSCD240-S26-LAB6 Linux Lab 6: Processes and Pipes
Skill drills that practice this role
Exam questions from CSCD 240.
- CSCD240-E1-B-Q26 primary ps List every process system-wide with PID, PPID, user, and command line.
- CSCD240-E1-B-Q27 primary process-filter Show every process whose command line contains "cron".
- CSCD240-E1-B-Q28 primary proc-forensics Suspect PID 31337 is a reverse shell. Print its full command line and working directory.
- CSCD240-E1-B-Q31 primary signals Process 31337 refuses SIGTERM. Terminate unconditionally.
- CSCD240-E1-B-Q37 primary forensics-hex Print a hex + ASCII side-by-side dump of the first 256 bytes of sample.bin.
- CSCD240-E1-B-Q38 primary forensics-strings List every printable ASCII string length≥8 inside sample.bin.
- CSCD240-E1-C-Q03 primary ps Which command lists every process system-wide in BSD-style output with full command line?
- CSCD240-E1-C-Q08 primary signals Which signal cannot be caught, blocked, or ignored?
- CSCD240-E1-C-Q19 primary forensics-strings Which command lists printable ASCII strings of length ≥8 inside binary.bin?
- CSCD240-E1-C-Q28 primary proc Show full command line of PID 4523 by reading from /proc.
- CSCD240-E1-C-Q33 primary forensics-hex Hex + ASCII side-by-side dump of first 128 bytes of sample.bin.
- CSCD240-E1-C-Q43 primary incident-response PID 2211 spawns thousands of sh processes/min. Steps to stop without killing vital processes.
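The drills above all reduce to a handful of procfs and coreutils commands. The shell functions below are an added example for this page, not part of the CSCD 240 course material, and cover each drill: process listing, command-line search, cmdline and cwd read straight from /proc, unconditional termination, the hex/ASCII dump and strings extraction. For the spawning process in Q43 they also show the order of operations that matters: freeze the parent with SIGSTOP before killing its children, otherwise it forks replacements faster than you can kill them. The PIDs and the sample file are placeholders; the functions assume a Linux host with /proc mounted and GNU coreutils plus procps (ps, pgrep, od).

```shell
#!/bin/sh
# Added example for the CSCD 240 drills above; not course material.
# Assumes Linux with /proc mounted and GNU coreutils + procps (ps, pgrep, od).

# Q26 / Q03: every process with PID, parent PID, owner and full command line.
list_processes() {
    ps -eo pid,ppid,user,args
}

# Q27: processes whose full command line contains a pattern.
# pgrep -f matches the whole command line and never reports itself.
find_process() {
    pgrep -af -- "$1"
}

# Q28 (both forms): full command line of a PID straight from procfs.
# The kernel separates argv entries with NUL bytes, so turn them into spaces.
proc_cmdline() {
    [ -r "/proc/$1/cmdline" ] || return 1
    tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'
}

# Q28: working directory of a PID. /proc/<pid>/cwd is a kernel-maintained
# symlink, so it reflects the real directory even after the process chdir'd.
proc_cwd() {
    readlink "/proc/$1/cwd"
}

# Q31 / Q08: SIGKILL cannot be caught, blocked or ignored.
kill_hard() {
    kill -s KILL "$1"
}

# Q43: a parent that keeps spawning children. Freeze it first so it cannot
# fork replacements, then remove the children, then the parent itself.
stop_spawner() {
    kill -s STOP "$1"
    for child in $(ps -o pid= --ppid "$1"); do
        kill -s KILL "$child"
    done
    kill -s KILL "$1"
}

# Q37 / Q33: hex + ASCII side-by-side dump of the first N bytes of a file.
# od is POSIX; the 'z' suffix that adds the ASCII column is a GNU extension.
hexdump_head() {
    od -A x -t x1z -v -N "$2" "$1"
}

# Q38 / Q19: printable ASCII runs of at least N characters (default 8),
# done with tr/grep so it works where binutils `strings` is not installed:
# every non-printable byte becomes a newline, short runs are filtered out.
extract_strings() {
    minlen="${2:-8}"
    tr -c '[:print:]' '\n' < "$1" | grep -E "^.{$minlen,}$"
}

# Usage (source this file, then call the functions), e.g.
#   find_process cron; proc_cmdline 31337; proc_cwd 31337
#   hexdump_head sample.bin 256; extract_strings sample.bin 8
```

`proc_cmdline` and `proc_cwd` read the kernel's own view of the process, which is what you want when a suspected reverse shell has renamed itself or chdir'd after exec; `ps` output is derived from the same files but truncates and reformats. `stop_spawner` is the safe answer to Q43: SIGSTOP is not catchable either, so the parent is frozen before anything is killed and the children cannot be replaced.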
NCAE CyberGames scoreboard errors for this role
- NCAE-5c25d301a6 WWW SSL / failure: Failed to connect to host
- NCAE-eeb5e4e8f3 SMB Login / failure: SMB operation failed: [Errno 111] Connection refused
- NCAE-efd6404d3c SMB Read / failure: SMB operation failed: [Errno 111] Connection refused
- NCAE-600767ba09 SMB Write / failure: SMB operation failed: [Errno 111] Connection refused
- NCAE-3de767b21e WWW Content / failure: Failed to connect to host
- NCAE-b68a8a7bdc WWW Content / timeout: Timeout
- NCAE-6773086ba2 WWW Content / failure: Website cannot be reached
- NCAE-ff23c10a65 WWW SSL / timeout: Timeout
- NCAE-ed9f4ee89c SMB Read / partial: SMB operation failed: Failed to get attributes for addict_with_a_pen.data on files: Unable to open remote file object
- NCAE-72b4452011 WWW Content / failure: admin was unable to login
- NCAE-5e1da0ed9d SSH Login / failure: Failed to connect to host: IP
- NCAE-4b7774940b SMB Login / failure: SMB operation failed: [Errno 113] Host is unreachable
- NCAE-b9e0ec08d1 SMB Write / failure: SMB operation failed: [Errno 113] Host is unreachable
- NCAE-1c78c96e24 SMB Read / failure: SMB operation failed: [Errno 113] Host is unreachable
- NCAE-14d2aca40b WWW SSL / failure: [SSL] record layer failure (_ssl.c:1010)
- NCAE-ea7df50c18 WWW Content / failure: [SSL] record layer failure (_ssl.c:1010)
- NCAE-93ded42199 SMB Read / partial: 22 files have incorrect content
- NCAE-8bce253742 WWW SSL / failure: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure (_ssl.c:1010)
- NCAE-4312daca49 WWW Content / failure: Failed to detect correct content
- NCAE-989ad067ad WWW SSL / failure: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1010)
- NCAE-a86494638e WWW SSL / failure: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1010)
- NCAE-4dc6feb4c8 SMB Read / failure: SMB connection failed: protocol error
- NCAE-2ec02e1cd0 SMB Login / failure: SMB connection failed: protocol error
- NCAE-7aef47fca9 SMB Write / failure: SMB connection failed: protocol error
- NCAE-6874759148 SMB Read / partial: SMB operation failed: Failed to get attributes for cottonwood.data on files: Unable to open remote file object
- NCAE-935f9d5213 SMB Read / partial: SMB operation failed: Failed to retrieve before_you_start_your_day.data on files: Unable to open file
- NCAE-523d40773c SMB Read / partial: SMB operation failed: Failed to get attributes for .choker.data on files: Unable to open remote file object
- NCAE-b149cb49bf SMB Read / partial: SMB operation failed: Failed to get attributes for air_catcher.data on files: Unable to open remote file object
- NCAE-4b8d0cb667 SMB Read / failure: Failed to connect to host: IP
- NCAE-d9f492a0da SMB Login / failure: Failed to connect to host: IP
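Each scoreboard line above is a symptom seen from the checker's side; the host analyst's job is to map it to a layer on the host. The script below is an added example for this page, not part of the NCAE CyberGames checker or this catalog. It parses lines in the `<id> <check> / <status>: <message>` form shown above, cross-checks them against an `ss -ltn` snapshot, and prints one verdict per line: "Connection refused" with no listener on the port means the daemon is down, the same error with a listener points at a host firewall or bind address, errno 113 is a routing problem the daemon cannot cause, and the TLS messages separate an expired certificate from an untrusted chain and from a failed negotiation. It assumes the checker uses the standard ports (80/443 for WWW, 445 for SMB, 22 for SSH); the checker's real targets are not stated on this page, and the `ss` snapshot is constructed, not captured.

```shell
#!/bin/sh
# Added example, not part of the NCAE CyberGames checker or this catalog:
# host-side triage for scoreboard failures like those listed above.
# Assumption: the checker hits the standard ports (80/443 WWW, 445 SMB,
# 22 SSH); the real checker's targets are not stated on this page.

# TCP port a check name implies (assumption, see above).
check_port() {
    case "$1" in
        "WWW Content")                      echo 80 ;;
        "WWW SSL")                          echo 443 ;;
        "SMB Login"|"SMB Read"|"SMB Write") echo 445 ;;
        "SSH Login")                        echo 22 ;;
        *) return 1 ;;
    esac
}

# Local ports with a listener, parsed from `ss -ltn` output on stdin.
# Column 4 is Local Address:Port; "0.0.0.0:22", "[::]:22" and "*:80"
# all end in ":port", so the last colon-separated field is the port.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# One verdict for one scoreboard line "<id> <check> / <status>: <message>",
# given the listener snapshot (one port per line) as the second argument.
triage_line() {
    line="$1"; ports="$2"
    check=$(printf '%s\n' "$line" | sed -E 's|^[^ ]+ (.*) / [a-z]+: .*|\1|')
    msg=$(printf '%s\n' "$line" | sed -E 's|^[^ ]+ .* / [a-z]+: ||')
    port=$(check_port "$check") || { echo "$check: no port mapping for this check"; return 0; }
    if printf '%s\n' "$ports" | grep -qx "$port"; then bound=yes; else bound=no; fi
    case "$msg" in
        *"Errno 113"*|*"Host is unreachable"*)
            echo "$check: host unreachable from the checker, check routing/interface, not the daemon" ;;
        *"certificate has expired"*)
            echo "$check: TLS certificate expired, reissue it and restart the web server" ;;
        *"self-signed certificate"*)
            echo "$check: certificate chain not trusted by the checker, install the issued cert plus chain" ;;
        *"handshake failure"*|*"record layer failure"*)
            echo "$check: TLS negotiation failed, check ciphers/protocol versions and that $port really speaks TLS" ;;
        *"Errno 111"*|*"Connection refused"*|*"Failed to connect"*|*"cannot be reached"*|*Timeout*)
            if [ "$bound" = no ]; then
                echo "$check: nothing listening on $port, start the daemon"
            else
                echo "$check: listener on $port but checker cannot connect, check host firewall and bind address"
            fi ;;
        *"correct content"*|*"Unable to open"*|*"unable to login"*)
            echo "$check: service reachable but content/credentials/permissions wrong, check web root, share ACLs, accounts" ;;
        *)
            echo "$check: unclassified: $msg" ;;
    esac
}

# Run every line of a scoreboard dump against an `ss -ltn` snapshot.
triage_report() {
    ports=$(printf '%s\n' "$2" | listening_ports)
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ -n "$line" ]; then triage_line "$line" "$ports"; fi
    done
}

# Constructed `ss -ltn` snapshot for the usage below (not captured from a
# real host): sshd, HTTP and HTTPS are bound, nothing is on 445.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*
LISTEN 0      511    *:80              *:*
LISTEN 0      511    *:443             *:*'

# Four lines taken from the scoreboard list above.
SAMPLE_SCOREBOARD='NCAE-eeb5e4e8f3 SMB Login / failure: SMB operation failed: [Errno 111] Connection refused
NCAE-989ad067ad WWW SSL / failure: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1010)
NCAE-5e1da0ed9d SSH Login / failure: Failed to connect to host: IP
NCAE-4312daca49 WWW Content / failure: Failed to detect correct content'

# Usage on the affected host: triage_report "$SCOREBOARD_DUMP" "$(ss -ltn)"
# Offline, against the constructed data: triage_report "$SAMPLE_SCOREBOARD" "$SAMPLE_SS"
```

The point of the cross-check is that the same checker message has different fixes depending on socket state: with the sample snapshot, the SMB refusal resolves to "start the daemon" while the SSH connect failure, with sshd bound on 22, resolves to the host firewall or bind address. Run it on the scored host itself, since `ss` must see that host's sockets.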