Cyber Defense Incident Responder

Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

• T1030 additional Collect intrusion artifacts (e.g., source code, malware, trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.
• T1031 additional Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.
• T2179 additional Coordinate with intelligence analysts to correlate threat assessment data.
• T470 additional Coordinate and provide expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents.
• T478 additional Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.
• T5670 additional Write and publish after action reviews.
• T716A additional Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.
• T738 additional Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security.
• T741A additional Coordinate incident response functions.
• T743 additional Perform cyber defense incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation.
• T745 additional Perform cyber defense trend analysis and reporting.
• T755 additional Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems.
• T762 additional Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).
• T823 additional Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
• T861 additional Track and document cyber defense incidents from initial detection through final resolution.
• T882 additional Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.
• T961 additional Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness).

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

• K0037 knowledge core Knowledge of disaster recovery continuity of operations plans.
• K0050 knowledge core Knowledge of how network services and protocols interact to provide network communications.
• K0060 knowledge core Knowledge of incident categories, incident responses, and timelines for responses.
• K0061 knowledge core Knowledge of incident response and handling methodologies.
• K0066 knowledge core Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.
• K0105 knowledge core Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
• K0150 knowledge core Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
• K081A knowledge core Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
• K0984 knowledge core Knowledge of cyber defense policies, procedures, and regulations.
• K0991 knowledge core Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).
• K1029A knowledge core Knowledge of malware analysis concepts and methodologies.
• K1033 knowledge core Knowledge of basic system administration, network, and operating system hardening techniques.
• K1069 knowledge core Knowledge of general attack stages (e.g., foot printing and scanning, enumeration, gaining access, escalation or privileges, maintaining access, network exploitation, covering tracks).
• K1072 knowledge core Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
• K3431 knowledge core Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
• K6210 knowledge core Knowledge of cloud service models and possible limitations for an incident response.
• K992C knowledge core Knowledge of threat environments (e.g., threat actors, threat activities).
• S153 skill core Skill of identifying, capturing, containing, and reporting malware.
• S217 skill core Skill in preserving evidence integrity according to standard operating procedures or national standards.
• S893 skill core Skill in securing network communications.
• S895 skill core Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
• S896 skill core Skill in protecting a network against malware.
• S897 skill core Skill in performing damage assessments.
• S923A skill core Skill in using security event correlation tools.
• K0029 knowledge additional Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
• K0049 knowledge additional Knowledge of host/network access control mechanisms (e.g., access control list).
• K0087 knowledge additional Knowledge of network traffic analysis methods.
• K0093 knowledge additional Knowledge of packet-level analysis.
• K1141A knowledge additional Knowledge of an organization's information classification program and procedures for information compromise.
• K3362A knowledge additional Knowledge of key factors of the operational environment and related threats and vulnerabilities.
• K3561 knowledge additional Knowledge of the common networking and routing protocols(e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

EWU courses that develop this role

Skill drills that practice this role

Exam questions from CSCD 240. Click any to work it.

• CSCD240-E1-C-Q43 secondary incident-response PID 2211 spawns thousands of sh processes/min. Steps to stop without killing vital processes.
• CSCD240-E1-C-Q50 secondary ir-process IR runbook: capture terminal session output of every IR command. Name the command and why it matters for chain of custody.

NCAE CyberGames scoreboard errors for this role

• NCAE-eeb5e4e8f3 SMB Login / failure: SMB operation failed: [Errno 111] Connection refused
• NCAE-efd6404d3c SMB Read / failure: SMB operation failed: [Errno 111] Connection refused
• NCAE-600767ba09 SMB Write / failure: SMB operation failed: [Errno 111] Connection refused
• NCAE-ed9f4ee89c SMB Read / partial: SMB operation failed: Failed to get attributes for addict_with_a_pen.data on files: Unable to open remote file object
• NCAE-5e1da0ed9d SSH Login / failure: Failed to connect to host: IP
• NCAE-4b7774940b SMB Login / failure: SMB operation failed: [Errno 113] Host is unreachable
• NCAE-b9e0ec08d1 SMB Write / failure: SMB operation failed: [Errno 113] Host is unreachable
• NCAE-1c78c96e24 SMB Read / failure: SMB operation failed: [Errno 113] Host is unreachable
• NCAE-93ded42199 SMB Read / partial: 22 files have incorrect content
• NCAE-4dc6feb4c8 SMB Read / failure: SMB connection failed: protocol error
• NCAE-2ec02e1cd0 SMB Login / failure: SMB connection failed: protocol error
• NCAE-7aef47fca9 SMB Write / failure: SMB connection failed: protocol error
• NCAE-6874759148 SMB Read / partial: SMB operation failed: Failed to get attributes for cottonwood.data on files: Unable to open remote file object
• NCAE-935f9d5213 SMB Read / partial: SMB operation failed: Failed to retrieve before_you_start_your_day.data on files: Unable to open file
• NCAE-523d40773c SMB Read / partial: SMB operation failed: Failed to get attributes for .choker.data on files: Unable to open remote file object
• NCAE-b149cb49bf SMB Read / partial: SMB operation failed: Failed to get attributes for air_catcher.data on files: Unable to open remote file object
• NCAE-4b8d0cb667 SMB Read / failure: Failed to connect to host: IP
• NCAE-d9f492a0da SMB Login / failure: Failed to connect to host: IP
• NCAE-864b183177 SMB Write / failure: SMB operation failed: timed out
• NCAE-825cea0d2d SMB Read / partial: SMB operation failed: Failed to get attributes for addict_with_a_pen.data on files: Unable to connect to shared device
• NCAE-e95d2c2e3c SMB Read / failure: SMB operation failed: timed out
• NCAE-8295662a0b SMB Write / failure: Failed to connect to host: IP
• NCAE-55a9a5a7d4 SMB Login / failure: SMB operation failed: timed out
• NCAE-720468fcb4 SMB Login / partial: SMB operation failed: Failed to list shares: Unable to locate Server Service RPC endpoint
• NCAE-8a154c2d67 SMB Write / failure: SMB operation timed out in 5 seconds
• NCAE-ef2e6bfc87 SMB Read / partial: SMB operation failed: Failed to get attributes for data_dump_1.bin on files: Unable to open remote file object
• NCAE-49be0b578b SMB Login / failure: SMB operation timed out in 5 seconds
• NCAE-73f906f1e8 SMB Read / failure: SMB operation timed out in 5 seconds
• NCAE-34e3807d5a SMB Login / partial: SMB operation failed: Failed to list shares: Unable to connect to IPC$
• NCAE-8eaf99105e SMB Read / partial: SMB operation failed: Failed to retrieve be_concerned.data on files: Unable to open file

Other roles in this element