| Education | Not Specified |
| Training | Not Specified |
| Type 1 | Completion of the following:
1. IS-100: Introduction to Incident Command System, ICS-100
2. IS-200: Basic Incident Command System for Initial Response, ICS-200
3. IS-700: National Incident Management System, An Introduction
4. IS-800: National Response Framework, An Introduction
5. Computer network defense training in prevention, detection, and response, as the Authority Having Jurisdiction (AHJ) determines |
| Experience | The knowledge, skills, and abilities align with the National Initiative for Cybersecurity Education (NICE) National Cybersecurity Workforce Framework. |
| Type 1 | AHJ-validated knowledge, skills, and abilities demonstrated in the following areas:
1. Computer Network Defense (CND) in-depth principles
2. CND and vulnerability assessment tools, including open source tools, and their capabilities
3. Encryption
4. Data backup, types of backups, and recovery concepts and tools
5. Host and network access controls
6. Intrusion Detection System (IDS) tools and applications
7. Incident response and handling methodologies
8. Information assurance (IA) principles and organizational needs that are relevant to confidentiality, integrity, availability, authentication, and non-repudiation
9. Intrusion detection methodologies and techniques for detecting host- and network-based intrusions via intrusion detection technologies
10. Network protocols
11. Network traffic analysis methods
12. New and emerging information technology (IT) and information security technologies
13. Traffic flow patterns across the network
14. Penetration testing principles, tools, and techniques
15. Policy-based and risk adaptive access controls
16. Programming language structures and logic for current production platforms
17. System and application security threats and vulnerabilities
18. Security management
19. Content development (for example, signatures and rules for CND tools)
20. CND service provider reporting structure and processes
21. Virtual Private Network (VPN) security
22. Network attack and the relationship to both threats and vulnerabilities
23. Common adversary tactics, techniques, and procedures (TTP) in assigned area of responsibility
24. Common network tools
25. Defense-in-depth principles and network security architecture
26. Different types of network communication
27. File extensions
28. Common operating systems command lines
29. Collection management processes, capabilities, and limitations
30. Front-end collection systems, including network traffic collection, filtering, and selection
31. CND policies, procedures, and regulations
32. Common cyber-attack vectors on the network layer
33. Different classes of cyber attacks
34. Different operational threat environments
35. Troubleshooting basic systems and identifying operating system-related issues
36. Basic system administration, network, and operating system hardening techniques
37. Applicable laws relevant to work performed
38. General cyber-attack stages
39. Network security architecture concepts, including topology, protocols, components, and principles
40. Encryption methodologies
41. Signature implementation impact for viruses, malware, and attacks
42. Operating system ports and services
43. Various IDS technologies, such as host-based IDS, passive network IDS, active (inline) network IDS, unified threat management (UTM), and web application firewalls (WAF)
44. Network firewalls and firewalling techniques
45. Reading and interpreting signatures for viruses, malware, and attacks
46. Utilizing virtual networks for testing
47. Identifying common encoding techniques
48. Reading hexadecimal data
49. Data reduction
50. Configuring and utilizing network protection components
51. Using network analysis tools to identify vulnerabilities
52. Recognizing and categorizing types of vulnerabilities and associated attacks
53. Collecting data from a variety of CND resources
54. Subnetting tools
55. Protocol analyzers
56. Incident handling methodologies
57. Performing packet-level analysis using appropriate tools
58. Network mapping and recreating network topologies
59. Detecting host and network-based intrusions via intrusion detection technologies
60. Developing and deploying signatures
61. Conducting open source research for troubleshooting novel client-level problems
62. Conducting vulnerability scans and recognizing vulnerabilities in security systems
63. Interpreting and incorporating data from multiple tool sources
64. Integrating and managing network firewall technologies
65. Integrating and managing other computer defense tools and techniques, including intrusion detection, intrusion prevention, data loss prevention, whitelisting and blacklisting, correlation, and alerting
66. Integrating the collection of network and other sensor logs for use with log analysis tools
AHJ-documented and validated experience demonstrated in the following areas:
1. Developing content for CND tools
2. Characterizing and analyzing network traffic to identify anomalous activity and potential threats to network resources
3. Coordinating with enterprise-wide CND staff to validate network alerts
4. Monitoring external data sources to maintain currency of CND threat condition and determine which security issues may have an impact on the enterprise
5. Documenting and escalating incidents that may cause ongoing and immediate impact to the environment
6. Performing CND trend analysis and reporting
7. Performing event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack
8. Providing daily summary reports of network events and activity relevant to CND practices
9. Receiving and analyzing network alerts from various sources within the enterprise and determining possible causes of such alerts
10. Providing timely detection, identification, and alerts of possible attacks and intrusions, anomalous activities, and misuse activities, and distinguishing these incidents and events from benign activities
11. Using CND tools for continual monitoring and analysis of system activity to identify malicious activity
12. Analyzing identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on system and information
13. Employing approved defense-in-depth principles and practices
14. Determining the appropriate course of action in response to identified and analyzed anomalous network activity; conducting tests of IA safeguards in accordance with established test plans and procedures
15. Determining TTP for intrusion sets
16. Examining network topologies to understand data flows through the network
17. Recommending computing environment vulnerability corrections
18. Identifying and analyzing anomalies in network traffic using metadata
19. Conducting research, analysis, and correlation across a wide variety of all-source data sets
20. Validating IDS alerts against network traffic using packet analysis tools
21. Triaging malware
22. Identifying applications and operating systems of a network device based on network traffic
23. Reconstructing a malicious attack or activity based on network traffic
24. Identifying network mapping and operating system fingerprinting activities |
| Physical/Medical Fitness | The NIMS Guideline for the National Qualification System (NQS) defines Physical/Medical Fitness levels for NIMS positions. |
| Currency | The provider must carry out and use any background checks that applicable law specifies. This may include a background check completed within the past 12 months; a sex-offender registry check; and a local, state, and national criminal history check. |
| Type 1 | 1. Functions in this position during an operational incident, planned event, exercise, drill, or simulation at least once every year
2. Background checks as applicable law permits and requires
3. Active security clearance |
| Professional and Technical Licenses and Certifications | Not Specified |
| Type 1 | 1. Technical qualifications equivalent to Department of Defense Directive (DoDD) 8570 Level 2
2. Information Assurance Certification
3. Intrusion Analyst Certification
4. Computer Network Defense |