PD-WRL-005

Insider Threat Analysis

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

Task statements

T1056: Acquire resources to support cybersecurity program goals and objectives
T1057: Conduct an effective enterprise continuity of operations program
T1062: Contribute insider threat expertise to organizational cybersecurity awareness program
T1084: Identify anomalous network activity
T1085: Identify potential threats to network resources
T1119: Recommend vulnerability remediation strategies
T1160: Develop risk mitigation strategies
T1161: Resolve system vulnerabilities
T1162: Recommend security changes to systems and system components
T1227: Manage cybersecurity budget, staffing, and contracting
T1266: Recommend risk mitigation strategies
T1324: Process digital evidence
T1325: Document digital evidence
T1439: Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations
T1510: Preserve digital evidence
T1592: Conduct cybersecurity reviews
T1689: Create comprehensive exploitation strategies
T1690: Identify exploitable technical or operational vulnerabilities
T1698: Collect target information
T1712: Recommend potential courses of action
T1737: Develop intelligence collection strategies
T1743: Identify information collection gaps
T1789: Provide aim point recommendations for targets
T1790: Provide reengagement recommendations
T1799: Notify appropriate personnel of imminent hostile intentions or activities
T1801: Determine validity and relevance of information
T1969: Document system alerts
T1970: Escalate system alerts that may indicate risks
T1971: Disseminate anomalous activity reports to the insider threat hub
T1973: Conduct independent comprehensive assessments of target-specific information
T1974: Conduct insider threat risk assessments
T1975: Prepare insider threat briefings
T1976: Recommend risk mitigation courses of action (CoA)
T1977: Coordinate with internal and external incident management partners across jurisdictions
T1978: Recommend improvements to insider threat detection processes
T1979: Determine digital evidence priority intelligence requirements
T1980: Develop digital evidence reports for internal and external partners
T1981: Develop elicitation indicators
T1982: Identify high value assets
T1983: Identify potential insider threats
T1985: Identify imminent or hostile intentions or activities
T1986: Develop a continuously updated overview of an incident throughout the incident's life cycle
T1987: Develop insider threat cyber operations indicators
T1988: Integrate information from cyber resources, internal partners, and external partners
T1989: Advise insider threat hub inquiries
T1990: Conduct cybersecurity insider threat inquiries
T1991: Deliver all-source cyber operations and intelligence indications and warnings
T1992: Interpret network activity for intelligence value
T1993: Monitor network activity for vulnerabilities
T1994: Identify potential insider risks to networks
T1995: Document potential insider risks to networks
T1996: Report network vulnerabilities
T1997: Develop insider threat investigation plans
T1998: Investigate alleged insider threat cybersecurity policy violations
T1999: Refer cases on active insider threat activities to law enforcement investigators
T2001: Establish an insider threat risk management assessment program
T2003: Evaluate organizational insider risk response capabilities
T2004: Document insider threat information sources
T2005: Conduct insider threat studies
T2006: Identify potential targets for exploitation
T2007: Analyze potential targets for exploitation
T2008: Vet insider threat targeting with law enforcement and intelligence partners
T2009: Develop insider threat targets
T2010: Maintain User Activity Monitoring (UAM) tools
T2011: Monitor the output from User Activity Monitoring (UAM) tools

Knowledge statements

K0635: Knowledge of decryption
K0636: Knowledge of decryption tools and techniques
K0637: Knowledge of data repositories
K0656: Knowledge of network collection tools and techniques
K0657: Knowledge of network collection policies and procedures
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0689: Knowledge of network infrastructure principles and practices
K0707: Knowledge of database systems and software
K0710: Knowledge of enterprise cybersecurity architecture principles and practices
K0721: Knowledge of risk management principles and practices
K0734: Knowledge of Risk Management Framework (RMF) requirements
K0735: Knowledge of risk management models and frameworks
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
K0784: Knowledge of insider threat laws and regulations
K0785: Knowledge of insider threat tools and techniques
K0862: Knowledge of data remediation tools and techniques
K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
K0871: Knowledge of enterprise architecture (EA) principles and practices
K0909: Knowledge of abnormal physical and physiological behaviors
K1014: Knowledge of network security principles and practices
K1023: Knowledge of network exploitation tools and techniques
K1031: Knowledge of risk mitigation tools and techniques
K1085: Knowledge of exploitation tools and techniques
K1096: Knowledge of data analysis tools and techniques
K1115: Knowledge of Chain of Custody (CoC) processes and procedures
K1139: Knowledge of cybersecurity threats and vulnerabilities
K1151: Knowledge of digital evidence cataloging tools and techniques
K1152: Knowledge of digital evidence extraction tools and techniques
K1154: Knowledge of digital evidence packaging tools and techniques
K1155: Knowledge of digital evidence preservation tools and techniques
K1180: Knowledge of organizational cybersecurity goals and objectives
K1188: Knowledge of organizational policies and procedures
K1197: Knowledge of priority intelligence requirements
K1209: Knowledge of risk mitigation principles and practices
K1241: Knowledge of cultural, political, and organizational assets
K1242: Knowledge of cybersecurity review processes and procedures
K1243: Knowledge of cybersecurity threat remediation principles and practices
K1244: Knowledge of cybersecurity tools and techniques
K1245: Knowledge of data exfiltration tools and techniques
K1246: Knowledge of data handling tools and techniques
K1247: Knowledge of data monitoring tools and techniques
K1248: Knowledge of digital and physical security vulnerabilities
K1249: Knowledge of digital and physical security vulnerability remediation principles and practices
K1250: Knowledge of external organization roles and responsibilities
K1251: Knowledge of external referrals policies and procedures
K1252: Knowledge of high value asset characteristics
K1253: Knowledge of information collection tools and techniques
K1254: Knowledge of insider threat hub policies and procedures
K1255: Knowledge of insider threat hub operations
K1256: Knowledge of insider threat operational indicators
K1257: Knowledge of insider threat policies and procedures
K1258: Knowledge of insider threat tactics
K1259: Knowledge of insider threat targets
K1260: Knowledge of intelligence laws and regulations
K1261: Knowledge of known insider attacks
K1262: Knowledge of network endpoints
K1263: Knowledge of notification policies and procedures
K1265: Knowledge of organizational objectives, resources, and capabilities
K1267: Knowledge of previously referred potential insider threats
K1268: Knowledge of risk reduction metrics
K1269: Knowledge of security information and event management (SIEM) tools and techniques
K1270: Knowledge of suspicious activity response processes
K1271: Knowledge of system alert policies and procedures
K1272: Knowledge of system components
K1273: Knowledge of threat investigation policies and procedures
K1274: Knowledge of threat modeling tools and techniques
K1275: Knowledge of User Activity Monitoring (UAM) tools and techniques

Skill statements

S0378: Skill in decrypting information
S0442: Skill in collecting network data
S0477: Skill in identifying anomalous activity
S0540: Skill in identifying network threats
S0558: Skill in developing algorithms
S0559: Skill in performing data structure analysis
S0579: Skill in preparing reports
S0588: Skill in performing threat modeling
S0606: Skill in manipulating operating system components
S0610: Skill in communicating effectively
S0688: Skill in performing network data analysis
S0690: Skill in performing midpoint collection data analysis
S0728: Skill in preparing briefings
S0748: Skill in querying data
S0791: Skill in presenting to an audience
S0817: Skill in building internal and external relationships
S0821: Skill in collaborating with internal and external stakeholders
S0848: Skill in performing behavioral analysis
S0854: Skill in performing data analysis
S0866: Skill in performing log file analysis
S0874: Skill in performing network traffic analysis
S0890: Skill in performing threat analysis
S0896: Skill in recognizing behavioral patterns
S0900: Skill in analyzing information from multiple sources
S0902: Skill in building relationships remotely and in person
S0904: Skill in correlating data from multiple tools
S0905: Skill in determining what information may helpful to a specific audience
S0906: Skill in identifying insider risk security gaps
S0907: Skill in identifying insider threats
S0908: Skill in determining the importance of assets
S0909: Skill in integrating information from multiple sources
S0910: Skill in performing cyberintelligence data analysis
S0911: Skill in performing data queries
S0912: Skill in performing human behavioral analysis
S0913: Skill in performing link analysis
S0916: Skill in recognizing recurring threat incidents

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)