Protection and Defense
PD-WRL-003

Incident Response

Responsible for investigating, analyzing, and responding to network cybersecurity incidents.

  • T0164: Perform cyber defense trend analysis and reporting
  • T0262: Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness)
  • T0510: Coordinate incident response functions
  • T1020: Determine the operational and safety impacts of cybersecurity lapses
  • T1084: Identify anomalous network activity
  • T1085: Identify potential threats to network resources
  • T1109: Resolve cyber defense incidents
  • T1110: Coordinate technical support to enterprise-wide cybersecurity defense technicians
  • T1118: Identify vulnerabilities
  • T1119: Recommend vulnerability remediation strategies
  • T1250: Perform cyber defense incident triage
  • T1251: Recommend incident remediation strategies
  • T1252: Determine the scope, urgency, and impact of cyber defense incidents
  • T1256: Perform forensically sound image collection
  • T1257: Recommend mitigation and remediation strategies for enterprise systems
  • T1260: Perform real-time cyber defense incident handling
  • T1299: Determine causes of network alerts
  • T1315: Track cyber defense incidents from initial detection through final resolution
  • T1316: Document cyber defense incidents from initial detection through final resolution
  • T1332: Produce incident findings reports
  • T1333: Communicate incident findings to appropriate constituencies
  • T1370: Collect intrusion artifacts
  • T1371: Mitigate potential cyber defense incidents
  • T1372: Advise law enforcement personnel as technical expert
  • T1407: Correlate threat assessment data
  • T1485: Prepare after action reviews (AARs)
  • T1489: Correlate incident data
  • T1582: Maintain currency of cyber defense threat conditions
  • T1617: Prepare cyber defense reports
  • K0674: Knowledge of computer networking protocols
  • K0675: Knowledge of risk management processes
  • K0676: Knowledge of cybersecurity laws and regulations
  • K0677: Knowledge of cybersecurity policies and procedures
  • K0678: Knowledge of privacy laws and regulations
  • K0679: Knowledge of privacy policies and procedures
  • K0680: Knowledge of cybersecurity principles and practices
  • K0681: Knowledge of privacy principles and practices
  • K0682: Knowledge of cybersecurity threats
  • K0683: Knowledge of cybersecurity vulnerabilities
  • K0684: Knowledge of cybersecurity threat characteristics
  • K0685: Knowledge of access control principles and practices
  • K0686: Knowledge of authentication and authorization tools and techniques
  • K0689: Knowledge of network infrastructure principles and practices
  • K0701: Knowledge of data backup and recovery policies and procedures
  • K0709: Knowledge of business continuity and disaster recovery (BCDR) policies and procedures
  • K0710: Knowledge of enterprise cybersecurity architecture principles and practices
  • K0716: Knowledge of host access control (HAC) systems and software
  • K0717: Knowledge of network access control (NAC) systems and software
  • K0718: Knowledge of network communications principles and practices
  • K0724: Knowledge of incident response principles and practices
  • K0725: Knowledge of incident response tools and techniques
  • K0726: Knowledge of incident handling tools and techniques
  • K0732: Knowledge of intrusion detection tools and techniques
  • K0746: Knowledge of policy-based access controls
  • K0747: Knowledge of Risk Adaptive (Adaptable) Access Controls (RAdAC)
  • K0751: Knowledge of system threats
  • K0752: Knowledge of system vulnerabilities
  • K0770: Knowledge of system administration principles and practices
  • K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
  • K0783: Knowledge of network attack characteristics
  • K0791: Knowledge of defense-in-depth principles and practices
  • K0829: Knowledge of account creation policies and procedures
  • K0830: Knowledge of password policies and procedures
  • K0832: Knowledge of cyberattack characteristics
  • K0833: Knowledge of cyberattack actor characteristics
  • K0837: Knowledge of hardening tools and techniques
  • K0844: Knowledge of cyber attack stages
  • K0845: Knowledge of cyber intrusion activity phases
  • K0857: Knowledge of malware analysis tools and techniques
  • K0865: Knowledge of data classification standards and best practices
  • K0866: Knowledge of data classification tools and techniques
  • K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
  • K0871: Knowledge of enterprise architecture (EA) principles and practices
  • K0891: Knowledge of the Open Systems Interconnect (OSI) reference model
  • K0898: Knowledge of cloud service models and frameworks
  • K0915: Knowledge of network architecture principles and practices
  • K0916: Knowledge of malware analysis principles and practices
  • K0924: Knowledge of network analysis tools and techniques
  • K0934: Knowledge of data classification policies and procedures
  • K0969: Knowledge of cyber-attack tools and techniques
  • K0983: Knowledge of computer networking principles and practices
  • K1014: Knowledge of network security principles and practices
  • K1049: Knowledge of routing protocols
  • K1079: Knowledge of web application security risks
  • S0077: Skill in securing network communications
  • S0080: Skill in performing damage assessments
  • S0483: Skill in identifying software communications vulnerabilities
  • S0509: Skill in evaluating security products
  • S0544: Skill in recognizing vulnerabilities
  • S0547: Skill in identifying malware
  • S0548: Skill in capturing malware
  • S0549: Skill in containing malware
  • S0550: Skill in reporting malware
  • S0572: Skill in detecting host- and network-based intrusions
  • S0589: Skill in preserving digital evidence integrity
  • S0607: Skill in collecting digital evidence
  • S0608: Skill in processing digital evidence
  • S0609: Skill in transporting digital evidence
  • S0614: Skill in categorizing types of vulnerabilities
  • S0615: Skill in protecting a network against malware
  • S0651: Skill in performing malware analysis
  • S0688: Skill in performing network data analysis
  • S0805: Skill in designing incident responses
  • S0806: Skill in performing incident responses
  • S0821: Skill in collaborating with internal and external stakeholders
  • S0854: Skill in performing data analysis
  • S0866: Skill in performing log file analysis