Insider Threat Analysis

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

  • T1056: Acquire resources to support cybersecurity program goals and objectives
  • T1057: Conduct an effective enterprise continuity of operations program
  • T1062: Contribute insider threat expertise to organizational cybersecurity awareness program
  • T1084: Identify anomalous network activity
  • T1085: Identify potential threats to network resources
  • T1119: Recommend vulnerability remediation strategies
  • T1160: Develop risk mitigation strategies
  • T1161: Resolve system vulnerabilities
  • T1162: Recommend security changes to systems and system components
  • T1227: Manage cybersecurity budget, staffing, and contracting
  • T1266: Recommend risk mitigation strategies
  • T1324: Process digital evidence
  • T1325: Document digital evidence
  • T1439: Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations
  • T1510: Preserve digital evidence
  • T1592: Conduct cybersecurity reviews
  • T1689: Create comprehensive exploitation strategies
  • T1690: Identify exploitable technical or operational vulnerabilities
  • T1698: Collect target information
  • T1712: Recommend potential courses of action
  • T1737: Develop intelligence collection strategies
  • T1743: Identify information collection gaps
  • T1789: Provide aim point recommendations for targets
  • T1790: Provide reengagement recommendations
  • T1799: Notify appropriate personnel of imminent hostile intentions or activities
  • T1801: Determine validity and relevance of information
  • T1969: Document system alerts
  • T1970: Escalate system alerts that may indicate risks
  • T1971: Disseminate anomalous activity reports to the insider threat hub
  • T1973: Conduct independent comprehensive assessments of target-specific information
  • T1974: Conduct insider threat risk assessments
  • T1975: Prepare insider threat briefings
  • T1976: Recommend risk mitigation courses of action (CoA)
  • T1977: Coordinate with internal and external incident management partners across jurisdictions
  • T1978: Recommend improvements to insider threat detection processes
  • T1979: Determine digital evidence priority intelligence requirements
  • T1980: Develop digital evidence reports for internal and external partners
  • T1981: Develop elicitation indicators
  • T1982: Identify high value assets
  • T1983: Identify potential insider threats
  • T1985: Identify imminent or hostile intentions or activities
  • T1986: Develop a continuously updated overview of an incident throughout the incident's life cycle
  • T1987: Develop insider threat cyber operations indicators
  • T1988: Integrate information from cyber resources, internal partners, and external partners
  • T1989: Advise insider threat hub inquiries
  • T1990: Conduct cybersecurity insider threat inquiries
  • T1991: Deliver all-source cyber operations and intelligence indications and warnings
  • T1992: Interpret network activity for intelligence value
  • T1993: Monitor network activity for vulnerabilities
  • T1994: Identify potential insider risks to networks
  • T1995: Document potential insider risks to networks
  • T1996: Report network vulnerabilities
  • T1997: Develop insider threat investigation plans
  • T1998: Investigate alleged insider threat cybersecurity policy violations
  • T1999: Refer cases on active insider threat activities to law enforcement investigators
  • T2001: Establish an insider threat risk management assessment program
  • T2003: Evaluate organizational insider risk response capabilities
  • T2004: Document insider threat information sources
  • T2005: Conduct insider threat studies
  • T2006: Identify potential targets for exploitation
  • T2007: Analyze potential targets for exploitation
  • T2008: Vet insider threat targeting with law enforcement and intelligence partners
  • T2009: Develop insider threat targets
  • T2010: Maintain User Activity Monitoring (UAM) tools
  • T2011: Monitor the output from User Activity Monitoring (UAM) tools
  • K0635: Knowledge of decryption
  • K0636: Knowledge of decryption tools and techniques
  • K0637: Knowledge of data repositories
  • K0656: Knowledge of network collection tools and techniques
  • K0657: Knowledge of network collection policies and procedures
  • K0674: Knowledge of computer networking protocols
  • K0675: Knowledge of risk management processes
  • K0676: Knowledge of cybersecurity laws and regulations
  • K0677: Knowledge of cybersecurity policies and procedures
  • K0678: Knowledge of privacy laws and regulations
  • K0679: Knowledge of privacy policies and procedures
  • K0682: Knowledge of cybersecurity threats
  • K0683: Knowledge of cybersecurity vulnerabilities
  • K0684: Knowledge of cybersecurity threat characteristics
  • K0689: Knowledge of network infrastructure principles and practices
  • K0707: Knowledge of database systems and software
  • K0710: Knowledge of enterprise cybersecurity architecture principles and practices
  • K0721: Knowledge of risk management principles and practices
  • K0734: Knowledge of Risk Management Framework (RMF) requirements
  • K0735: Knowledge of risk management models and frameworks
  • K0751: Knowledge of system threats
  • K0752: Knowledge of system vulnerabilities
  • K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
  • K0784: Knowledge of insider threat laws and regulations
  • K0785: Knowledge of insider threat tools and techniques
  • K0862: Knowledge of data remediation tools and techniques
  • K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
  • K0871: Knowledge of enterprise architecture (EA) principles and practices
  • K0909: Knowledge of abnormal physical and physiological behaviors
  • K1014: Knowledge of network security principles and practices
  • K1023: Knowledge of network exploitation tools and techniques
  • K1031: Knowledge of risk mitigation tools and techniques
  • K1085: Knowledge of exploitation tools and techniques
  • K1096: Knowledge of data analysis tools and techniques
  • K1115: Knowledge of Chain of Custody (CoC) processes and procedures
  • K1139: Knowledge of cybersecurity threats and vulnerabilities
  • K1151: Knowledge of digital evidence cataloging tools and techniques
  • K1152: Knowledge of digital evidence extraction tools and techniques
  • K1154: Knowledge of digital evidence packaging tools and techniques
  • K1155: Knowledge of digital evidence preservation tools and techniques
  • K1180: Knowledge of organizational cybersecurity goals and objectives
  • K1188: Knowledge of organizational policies and procedures
  • K1197: Knowledge of priority intelligence requirements
  • K1209: Knowledge of risk mitigation principles and practices
  • K1241: Knowledge of cultural, political, and organizational assets
  • K1242: Knowledge of cybersecurity review processes and procedures
  • K1243: Knowledge of cybersecurity threat remediation principles and practices
  • K1244: Knowledge of cybersecurity tools and techniques
  • K1245: Knowledge of data exfiltration tools and techniques
  • K1246: Knowledge of data handling tools and techniques
  • K1247: Knowledge of data monitoring tools and techniques
  • K1248: Knowledge of digital and physical security vulnerabilities
  • K1249: Knowledge of digital and physical security vulnerability remediation principles and practices
  • K1250: Knowledge of external organization roles and responsibilities
  • K1251: Knowledge of external referrals policies and procedures
  • K1252: Knowledge of high value asset characteristics
  • K1253: Knowledge of information collection tools and techniques
  • K1254: Knowledge of insider threat hub policies and procedures
  • K1255: Knowledge of insider threat hub operations
  • K1256: Knowledge of insider threat operational indicators
  • K1257: Knowledge of insider threat policies and procedures
  • K1258: Knowledge of insider threat tactics
  • K1259: Knowledge of insider threat targets
  • K1260: Knowledge of intelligence laws and regulations
  • K1261: Knowledge of known insider attacks
  • K1262: Knowledge of network endpoints
  • K1263: Knowledge of notification policies and procedures
  • K1265: Knowledge of organizational objectives, resources, and capabilities
  • K1267: Knowledge of previously referred potential insider threats
  • K1268: Knowledge of risk reduction metrics
  • K1269: Knowledge of security information and event management (SIEM) tools and techniques
  • K1270: Knowledge of suspicious activity response processes
  • K1271: Knowledge of system alert policies and procedures
  • K1272: Knowledge of system components
  • K1273: Knowledge of threat investigation policies and procedures
  • K1274: Knowledge of threat modeling tools and techniques
  • K1275: Knowledge of User Activity Monitoring (UAM) tools and techniques
  • S0378: Skill in decrypting information
  • S0442: Skill in collecting network data
  • S0477: Skill in identifying anomalous activity
  • S0540: Skill in identifying network threats
  • S0558: Skill in developing algorithms
  • S0559: Skill in performing data structure analysis
  • S0579: Skill in preparing reports
  • S0588: Skill in performing threat modeling
  • S0606: Skill in manipulating operating system components
  • S0610: Skill in communicating effectively
  • S0688: Skill in performing network data analysis
  • S0690: Skill in performing midpoint collection data analysis
  • S0728: Skill in preparing briefings
  • S0748: Skill in querying data
  • S0791: Skill in presenting to an audience
  • S0817: Skill in building internal and external relationships
  • S0821: Skill in collaborating with internal and external stakeholders
  • S0848: Skill in performing behavioral analysis
  • S0854: Skill in performing data analysis
  • S0866: Skill in performing log file analysis
  • S0874: Skill in performing network traffic analysis
  • S0890: Skill in performing threat analysis
  • S0896: Skill in recognizing behavioral patterns
  • S0900: Skill in analyzing information from multiple sources
  • S0902: Skill in building relationships remotely and in person
  • S0904: Skill in correlating data from multiple tools
  • S0905: Skill in determining what information may be helpful to a specific audience
  • S0906: Skill in identifying insider risk security gaps
  • S0907: Skill in identifying insider threats
  • S0908: Skill in determining the importance of assets
  • S0909: Skill in integrating information from multiple sources
  • S0910: Skill in performing cyberintelligence data analysis
  • S0911: Skill in performing data queries
  • S0912: Skill in performing human behavioral analysis
  • S0913: Skill in performing link analysis
  • S0916: Skill in recognizing recurring threat incidents
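Several of the statements above converge on one routine activity of this role: taking the output of User Activity Monitoring and other log sources (T2011, S0866), correlating it across tools (S0904), and surfacing anomalous activity and possible data staging for exfiltration (T1084, K1245) against a list of high value assets (T1982, K1252) so that it can be reported to the insider threat hub (T1971). The Python below is an added example written for this page; it is not code from the NICE Framework or from any UAM or SIEM product. The log lines, user names, paths, high-value-asset prefixes, working-hours window and volume thresholds are all constructed assumptions chosen for illustration.

```python
"""
Added example: correlating UAM/log output from several sources to surface
insider-risk indicators. Sample events are constructed; users, paths and
thresholds are assumptions, not data from any real organization.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like, three sources). Not real data.
SAMPLE_LOGS = """\
2024-05-13T02:14:07Z auth user=jdoe event=vpn_login src=203.0.113.9
2024-05-13T02:20:31Z fileserver user=jdoe event=read path=/finance/q2/forecast.xlsx bytes=2100000
2024-05-13T02:21:02Z fileserver user=jdoe event=read path=/finance/q2/board_deck.pptx bytes=48000000
2024-05-13T02:22:45Z fileserver user=jdoe event=read path=/hr/comp/salary_bands.csv bytes=900000
2024-05-13T02:40:10Z endpoint user=jdoe event=usb_write device=SanDisk bytes=51000000
2024-05-13T09:05:12Z auth user=asmith event=vpn_login src=198.51.100.4
2024-05-13T09:10:44Z fileserver user=asmith event=read path=/eng/docs/readme.md bytes=12000
2024-05-13T10:30:00Z endpoint user=asmith event=usb_write device=Kingston bytes=5000
"""

# Assumed high value asset prefixes; an organization maintains this list itself.
HIGH_VALUE_PREFIXES = ("/finance/", "/hr/", "/legal/")

# Assumed thresholds: working hours and a per-user daily read baseline.
WORK_HOURS = (7, 19)                  # 07:00-19:00 UTC counts as on-hours
BASELINE_BYTES = 10_000_000           # assumed typical daily read volume per user
EXFIL_WINDOW = timedelta(hours=1)     # usb_write within this window after bulk reads


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, source, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    if "bytes" in fields:
        fields["bytes"] = int(fields["bytes"])
    return fields


def score_users(log_text):
    """Return {user: {"score": int, "indicators": [...]}} for users with indicators.

    Indicators (each adds one point):
      - off_hours_login: VPN login outside WORK_HOURS
      - hva_access: read of a path under a high value asset prefix
      - bulk_read: total bytes read above BASELINE_BYTES
      - staged_exfil: removable-media write within EXFIL_WINDOW of a bulk read,
        moving at least as many bytes as were read
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_user[ev["user"]].append(ev)

    results = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        indicators = []
        read_bytes = 0
        last_read_ts = None
        for ev in events:
            if ev["event"] == "vpn_login" and not (WORK_HOURS[0] <= ev["ts"].hour < WORK_HOURS[1]):
                indicators.append("off_hours_login")
            elif ev["event"] == "read":
                read_bytes += ev["bytes"]
                last_read_ts = ev["ts"]
                if ev["path"].startswith(HIGH_VALUE_PREFIXES) and "hva_access" not in indicators:
                    indicators.append("hva_access")
            elif ev["event"] == "usb_write" and last_read_ts is not None:
                if (read_bytes > BASELINE_BYTES
                        and ev["ts"] - last_read_ts <= EXFIL_WINDOW
                        and ev["bytes"] >= read_bytes):
                    indicators.append("staged_exfil")
        if read_bytes > BASELINE_BYTES:
            indicators.append("bulk_read")
        if indicators:
            results[user] = {"score": len(indicators), "indicators": sorted(indicators)}
    return results


if __name__ == "__main__":
    # Rank users by score; in practice this output feeds an anomalous activity report.
    for user, r in sorted(score_users(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{user}: score={r['score']} indicators={r['indicators']}")
```

In the constructed data, jdoe trips all four indicators (off-hours login, high value asset reads, read volume above baseline, and a USB write of matching size minutes later) while asmith trips none. The output is a lead for an inquiry, not a finding: a finance analyst working quarter-end can produce the same pattern legitimately, so thresholds should be derived from each user's own baseline rather than a fixed constant, and every hit still needs the human assessment and documentation steps this role owns before anything is referred onward.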