Protection and Defense
PD-WRL-003
Incident Response
Responsible for investigating, analyzing, and responding to network cybersecurity incidents.
- T0164: Perform cyber defense trend analysis and reporting
- T0262: Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness)
- T0510: Coordinate incident response functions
- T1020: Determine the operational and safety impacts of cybersecurity lapses
- T1084: Identify anomalous network activity
- T1085: Identify potential threats to network resources
- T1109: Resolve cyber defense incidents
- T1110: Coordinate technical support to enterprise-wide cybersecurity defense technicians
- T1118: Identify vulnerabilities
- T1119: Recommend vulnerability remediation strategies
- T1250: Perform cyber defense incident triage
- T1251: Recommend incident remediation strategies
- T1252: Determine the scope, urgency, and impact of cyber defense incidents
- T1256: Perform forensically sound image collection
- T1257: Recommend mitigation and remediation strategies for enterprise systems
- T1260: Perform real-time cyber defense incident handling
- T1299: Determine causes of network alerts
- T1315: Track cyber defense incidents from initial detection through final resolution
- T1316: Document cyber defense incidents from initial detection through final resolution
- T1332: Produce incident findings reports
- T1333: Communicate incident findings to appropriate constituencies
- T1370: Collect intrusion artifacts
- T1371: Mitigate potential cyber defense incidents
- T1372: Advise law enforcement personnel as technical expert
- T1407: Correlate threat assessment data
- T1485: Prepare after action reviews (AARs)
- T1489: Correlate incident data
- T1582: Maintain currency of cyber defense threat conditions
- T1617: Prepare cyber defense reports
- K0674: Knowledge of computer networking protocols
- K0675: Knowledge of risk management processes
- K0676: Knowledge of cybersecurity laws and regulations
- K0677: Knowledge of cybersecurity policies and procedures
- K0678: Knowledge of privacy laws and regulations
- K0679: Knowledge of privacy policies and procedures
- K0680: Knowledge of cybersecurity principles and practices
- K0681: Knowledge of privacy principles and practices
- K0682: Knowledge of cybersecurity threats
- K0683: Knowledge of cybersecurity vulnerabilities
- K0684: Knowledge of cybersecurity threat characteristics
- K0685: Knowledge of access control principles and practices
- K0686: Knowledge of authentication and authorization tools and techniques
- K0689: Knowledge of network infrastructure principles and practices
- K0701: Knowledge of data backup and recovery policies and procedures
- K0709: Knowledge of business continuity and disaster recovery (BCDR) policies and procedures
- K0710: Knowledge of enterprise cybersecurity architecture principles and practices
- K0716: Knowledge of host access control (HAC) systems and software
- K0717: Knowledge of network access control (NAC) systems and software
- K0718: Knowledge of network communications principles and practices
- K0724: Knowledge of incident response principles and practices
- K0725: Knowledge of incident response tools and techniques
- K0726: Knowledge of incident handling tools and techniques
- K0732: Knowledge of intrusion detection tools and techniques
- K0746: Knowledge of policy-based access controls
- K0747: Knowledge of Risk Adaptive (Adaptable) Access Controls (RAdAC)
- K0751: Knowledge of system threats
- K0752: Knowledge of system vulnerabilities
- K0770: Knowledge of system administration principles and practices
- K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
- K0783: Knowledge of network attack characteristics
- K0791: Knowledge of defense-in-depth principles and practices
- K0829: Knowledge of account creation policies and procedures
- K0830: Knowledge of password policies and procedures
- K0832: Knowledge of cyberattack characteristics
- K0833: Knowledge of cyberattack actor characteristics
- K0837: Knowledge of hardening tools and techniques
- K0844: Knowledge of cyber attack stages
- K0845: Knowledge of cyber intrusion activity phases
- K0857: Knowledge of malware analysis tools and techniques
- K0865: Knowledge of data classification standards and best practices
- K0866: Knowledge of data classification tools and techniques
- K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
- K0871: Knowledge of enterprise architecture (EA) principles and practices
- K0891: Knowledge of the Open Systems Interconnect (OSI) reference model
- K0898: Knowledge of cloud service models and frameworks
- K0915: Knowledge of network architecture principles and practices
- K0916: Knowledge of malware analysis principles and practices
- K0924: Knowledge of network analysis tools and techniques
- K0934: Knowledge of data classification policies and procedures
- K0969: Knowledge of cyber-attack tools and techniques
- K0983: Knowledge of computer networking principles and practices
- K1014: Knowledge of network security principles and practices
- K1049: Knowledge of routing protocols
- K1079: Knowledge of web application security risks
- S0077: Skill in securing network communications
- S0080: Skill in performing damage assessments
- S0483: Skill in identifying software communications vulnerabilities
- S0509: Skill in evaluating security products
- S0544: Skill in recognizing vulnerabilities
- S0547: Skill in identifying malware
- S0548: Skill in capturing malware
- S0549: Skill in containing malware
- S0550: Skill in reporting malware
- S0572: Skill in detecting host- and network-based intrusions
- S0589: Skill in preserving digital evidence integrity
- S0607: Skill in collecting digital evidence
- S0608: Skill in processing digital evidence
- S0609: Skill in transporting digital evidence
- S0614: Skill in categorizing types of vulnerabilities
- S0615: Skill in protecting a network against malware
- S0651: Skill in performing malware analysis
- S0688: Skill in performing network data analysis
- S0805: Skill in designing incident responses
- S0806: Skill in performing incident responses
- S0821: Skill in collaborating with internal and external stakeholders
- S0854: Skill in performing data analysis
- S0866: Skill in performing log file analysis
Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)