Cyber Defense Analyst

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs.) to analyze events that occur within their environments for the purposes of mitigating threats.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

• T1103 additional Determine tactics, techniques, and procedures (TTPs) for intrusion sets.
• T1104 additional Examine network topologies to understand data flows through the network.
• T1105 additional Recommend computing environment vulnerability corrections.
• T1107 additional Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).
• T1108 additional Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings).
• T1109 additional Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
• T1110 additional Isolate and remove malware.
• T1111 additional Identify applications and operating systems of a network device based on network traffic.
• T1112 additional Reconstruct a malicious attack or activity based off network traffic.
• T1113 additional Identify network mapping and operating system (OS) fingerprinting activities.
• T2062 additional Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave.
• T2611 additional Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.
• T427 additional Develop content for cyber defense tools.
• T433 additional Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
• T472 additional Coordinate with enterprise-wide cyber defense staff to validate network alerts.
• T559A additional Analyze and report organizational security posture trends.
• T559B additional Analyze and report system security posture trends.
• T576 additional Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
• T593A additional Assess adequate access controls based on principles of least privilege and need-to-know.
• T716A additional Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.
• T717A additional Assess and monitor cybersecurity related to system implementation and testing practices.
• T723 additional Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
• T745 additional Perform cyber defense trend analysis and reporting.
• T750 additional Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
• T767 additional Perform security reviews and identify security gaps in security architecture resulting in recommendations for the inclusion into the risk mitigation strategy.
• T782 additional Plan and recommend modifications or adjustments based on exercise results or system environment.
• T800 additional Provide daily summary reports of network events and activity relevant to cyber defense practices.
• T806A additional Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
• T823 additional Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
• T880A additional Work with stakeholders to resolve computer security incidents and vulnerability compliance.
• T938A additional Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
• T956 additional Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities.
• T958 additional Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
• T959 additional Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

• K0019 knowledge core Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
• K0066 knowledge core Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.
• K0070 knowledge core Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
• K0087 knowledge core Knowledge of network traffic analysis methods.
• K0092 knowledge core Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
• K0150 knowledge core Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
• K059A knowledge core Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
• K081A knowledge core Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
• K088B knowledge core Knowledge of new and emerging control systems technologies.
• K0984 knowledge core Knowledge of cyber defense policies, procedures, and regulations.
• K0990 knowledge core Knowledge of the common attack vectors on the network layer.
• K0991 knowledge core Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).
• K1069A knowledge core Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
• K992C knowledge core Knowledge of threat environments (e.g., threat actors, threat activities).
• S214A skill core Skill in performing packet-level analysis.
• S353 skill core Skill in collecting data from a variety of cyber defense resources.
• S895 skill core Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
• S922B skill core Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities.
• A1120 ability additional Ability to interpret and incorporate data from multiple tool sources.
• A3007 ability additional Ability to analyze malware.
• K0008 knowledge additional Knowledge of authentication, authorization, and access control methods.
• K0021 knowledge additional Knowledge of computer algorithms.
• K0025 knowledge additional Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
• K0027 knowledge additional Knowledge of cryptography and cryptographic key management concepts.
• K0034 knowledge additional Knowledge of database systems.
• K0049 knowledge additional Knowledge of host/network access control mechanisms (e.g., access control list).
• K0058 knowledge additional Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
• K0061 knowledge additional Knowledge of incident response and handling methodologies.
• K0063 knowledge additional Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• K0079 knowledge additional Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
• K0090 knowledge additional Knowledge of operating systems.
• K0098 knowledge additional Knowledge of policy-based and risk adaptive access controls.
• K0105 knowledge additional Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
• K0110 knowledge additional Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
• K0111 knowledge additional Knowledge of security system design tools, methods, and techniques.
• K0133 knowledge additional Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).
• K0138 knowledge additional Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.
• K0139 knowledge additional Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
• K0148 knowledge additional Knowledge of Virtual Private Network (VPN) security.
• K0270 knowledge additional Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).
• K0271 knowledge additional Knowledge of common network tools (e.g., ping, traceroute, nslookup).
• K0277 knowledge additional Knowledge of defense-in-depth principles and network security architecture.
• K0278 knowledge additional Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).
• K0286 knowledge additional Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).
• K043A knowledge additional Knowledge of embedded systems.
• K0904 knowledge additional Knowledge of interpreted and compiled computer languages.
• K0912 knowledge additional Knowledge of collection management processes, capabilities, and limitations.
• K0915 knowledge additional Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
• K095A knowledge additional Knowledge of penetration testing principles, tools, and techniques.
• K1033 knowledge additional Knowledge of basic system administration, network, and operating system hardening techniques.
• K1034A knowledge additional Knowledge of Personally Identifiable Information (PII) data security standards.
• K1034B knowledge additional Knowledge of Payment Card Industry (PCI) data security standards.
• K1034C knowledge additional Knowledge of Personal Health Information (PHI) data security standards.
• K1036 knowledge additional Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
• K1072 knowledge additional Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
• K1073 knowledge additional Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
• K1114 knowledge additional Knowledge of encryption methodologies.
• K1119 knowledge additional Knowledge of signature implementation impact.
• K1121 knowledge additional Knowledge of Windows/Unix ports and services.
• K1142 knowledge additional Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
• K130A knowledge additional Knowledge of systems security testing and evaluation methods.
• K177B knowledge additional Knowledge of countermeasures for identified security risks.
• K212A knowledge additional Knowledge of network mapping and recreating network topologies.
• K234B knowledge additional Knowledge of the use of sub-netting tools.
• K342A knowledge additional Knowledge of operating system command line/prompt.
• K3431 knowledge additional Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
• K3461 knowledge additional Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.
• K6210 knowledge additional Knowledge of cloud service models and possible limitations for an incident response.
• S1118 skill additional Skill in reading and interpreting signatures (e.g., snort).
• S175 skill additional Skill in developing and deploying signatures.
• S179A skill additional Skill in assessing security controls based on cybersecurity principles and tenets.
• S181A skill additional Skill in detecting host and network based intrusions via intrusion detection technologies.
• S183 skill additional Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
• S199 skill additional Skill in evaluating the adequacy of security designs.
• S229 skill additional Skill in using incident handling methodologies.
• S233 skill additional Skill in using protocol analyzers.
• S3C skill additional Skill in recognizing vulnerabilities in information and/or data systems.
• S75C skill additional Skill in conducting trend analysis.

EWU courses that develop this role

Related lectures and labs

Skill drills that practice this role

Exam questions from CSCD 240. Click any to work it.

• CSCD240-E1-A-Q13 primary search-find Somewhere in the filesystem there is a file config.ini. Locate it.
• CSCD240-E1-A-Q14 primary grep-recursive Show the filenames containing "printf" in all .c files in home directory and subdirs.
• CSCD240-E1-A-Q29 primary regex contacts.txt has Name<tab>number lines. Print only those whose number ends with 6.
• CSCD240-E1-A-Q37 primary field-extract data.csv has comma-separated records. Print just the second column.
• CSCD240-E1-A-Q38 primary pipeline-distinct Count distinct lines in visitors.txt (unsorted input).
• CSCD240-E1-B-Q21 primary field-extract Print the second column of data.csv (comma-separated).
• CSCD240-E1-B-Q22 primary regex-alt Print lines of fw.log matching DENY OR DROP (extended regex).
• CSCD240-E1-C-Q11 primary log-follow A log file is continuously updated. Which command shows new lines as written?
• CSCD240-E1-C-Q15 primary pipeline-distinct Which pipeline counts distinct values in column 1 of a CSV?
• CSCD240-E1-C-Q17 primary find Which command searches the filesystem for a file by name, suppressing permission-denied errors?
• CSCD240-E1-C-Q44 primary debug-pipeline cat access.log | grep admin | wc -l returns 0 when log has admin hits. Two reasons?
• CSCD240-E1-A-Q17 secondary process-listing Display PID and full process info for all processes containing "python".
• CSCD240-E1-A-Q50 secondary log-pipeline auth.log line format "2026-04-14 08:31 FAIL user=alex src=10.x". Print top-3 FAIL source IPs, count first, most-frequent first.
• CSCD240-E1-B-Q19 secondary log-pipeline Top 5 source IPs in FAIL lines of auth.log, where IP is field 5.
• CSCD240-E1-B-Q20 secondary log-pipeline Count distinct usernames on FAIL lines of auth.log where username is "user=<name>".
• CSCD240-E1-C-Q26 secondary log-pipeline Top 5 source IPs appearing on FAIL lines of auth.log (IP = field 5).
• CSCD240-E1-C-Q27 secondary log-pipeline List unique usernames appearing on FAIL lines of auth.log (user=<name>).

Other roles in this element