Insider Threat Analysis
Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
- T1056: Acquire resources to support cybersecurity program goals and objectives
- T1057: Conduct an effective enterprise continuity of operations program
- T1062: Contribute insider threat expertise to organizational cybersecurity awareness program
- T1084: Identify anomalous network activity
- T1085: Identify potential threats to network resources
- T1119: Recommend vulnerability remediation strategies
- T1160: Develop risk mitigation strategies
- T1161: Resolve system vulnerabilities
- T1162: Recommend security changes to systems and system components
- T1227: Manage cybersecurity budget, staffing, and contracting
- T1266: Recommend risk mitigation strategies
- T1324: Process digital evidence
- T1325: Document digital evidence
- T1439: Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations
- T1510: Preserve digital evidence
- T1592: Conduct cybersecurity reviews
- T1689: Create comprehensive exploitation strategies
- T1690: Identify exploitable technical or operational vulnerabilities
- T1698: Collect target information
- T1712: Recommend potential courses of action
- T1737: Develop intelligence collection strategies
- T1743: Identify information collection gaps
- T1789: Provide aim point recommendations for targets
- T1790: Provide reengagement recommendations
- T1799: Notify appropriate personnel of imminent hostile intentions or activities
- T1801: Determine validity and relevance of information
- T1969: Document system alerts
- T1970: Escalate system alerts that may indicate risks
- T1971: Disseminate anomalous activity reports to the insider threat hub
- T1973: Conduct independent comprehensive assessments of target-specific information
- T1974: Conduct insider threat risk assessments
- T1975: Prepare insider threat briefings
- T1976: Recommend risk mitigation courses of action (CoA)
- T1977: Coordinate with internal and external incident management partners across jurisdictions
- T1978: Recommend improvements to insider threat detection processes
- T1979: Determine digital evidence priority intelligence requirements
- T1980: Develop digital evidence reports for internal and external partners
- T1981: Develop elicitation indicators
- T1982: Identify high value assets
- T1983: Identify potential insider threats
- T1985: Identify imminent or hostile intentions or activities
- T1986: Develop a continuously updated overview of an incident throughout the incident's life cycle
- T1987: Develop insider threat cyber operations indicators
- T1988: Integrate information from cyber resources, internal partners, and external partners
- T1989: Advise insider threat hub inquiries
- T1990: Conduct cybersecurity insider threat inquiries
- T1991: Deliver all-source cyber operations and intelligence indications and warnings
- T1992: Interpret network activity for intelligence value
- T1993: Monitor network activity for vulnerabilities
- T1994: Identify potential insider risks to networks
- T1995: Document potential insider risks to networks
- T1996: Report network vulnerabilities
- T1997: Develop insider threat investigation plans
- T1998: Investigate alleged insider threat cybersecurity policy violations
- T1999: Refer cases on active insider threat activities to law enforcement investigators
- T2001: Establish an insider threat risk management assessment program
- T2003: Evaluate organizational insider risk response capabilities
- T2004: Document insider threat information sources
- T2005: Conduct insider threat studies
- T2006: Identify potential targets for exploitation
- T2007: Analyze potential targets for exploitation
- T2008: Vet insider threat targeting with law enforcement and intelligence partners
- T2009: Develop insider threat targets
- T2010: Maintain User Activity Monitoring (UAM) tools
- T2011: Monitor the output from User Activity Monitoring (UAM) tools
- K0635: Knowledge of decryption
- K0636: Knowledge of decryption tools and techniques
- K0637: Knowledge of data repositories
- K0656: Knowledge of network collection tools and techniques
- K0657: Knowledge of network collection policies and procedures
- K0674: Knowledge of computer networking protocols
- K0675: Knowledge of risk management processes
- K0676: Knowledge of cybersecurity laws and regulations
- K0677: Knowledge of cybersecurity policies and procedures
- K0678: Knowledge of privacy laws and regulations
- K0679: Knowledge of privacy policies and procedures
- K0682: Knowledge of cybersecurity threats
- K0683: Knowledge of cybersecurity vulnerabilities
- K0684: Knowledge of cybersecurity threat characteristics
- K0689: Knowledge of network infrastructure principles and practices
- K0707: Knowledge of database systems and software
- K0710: Knowledge of enterprise cybersecurity architecture principles and practices
- K0721: Knowledge of risk management principles and practices
- K0734: Knowledge of Risk Management Framework (RMF) requirements
- K0735: Knowledge of risk management models and frameworks
- K0751: Knowledge of system threats
- K0752: Knowledge of system vulnerabilities
- K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
- K0784: Knowledge of insider threat laws and regulations
- K0785: Knowledge of insider threat tools and techniques
- K0862: Knowledge of data remediation tools and techniques
- K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
- K0871: Knowledge of enterprise architecture (EA) principles and practices
- K0909: Knowledge of abnormal physical and physiological behaviors
- K1014: Knowledge of network security principles and practices
- K1023: Knowledge of network exploitation tools and techniques
- K1031: Knowledge of risk mitigation tools and techniques
- K1085: Knowledge of exploitation tools and techniques
- K1096: Knowledge of data analysis tools and techniques
- K1115: Knowledge of Chain of Custody (CoC) processes and procedures
- K1139: Knowledge of cybersecurity threats and vulnerabilities
- K1151: Knowledge of digital evidence cataloging tools and techniques
- K1152: Knowledge of digital evidence extraction tools and techniques
- K1154: Knowledge of digital evidence packaging tools and techniques
- K1155: Knowledge of digital evidence preservation tools and techniques
- K1180: Knowledge of organizational cybersecurity goals and objectives
- K1188: Knowledge of organizational policies and procedures
- K1197: Knowledge of priority intelligence requirements
- K1209: Knowledge of risk mitigation principles and practices
- K1241: Knowledge of cultural, political, and organizational assets
- K1242: Knowledge of cybersecurity review processes and procedures
- K1243: Knowledge of cybersecurity threat remediation principles and practices
- K1244: Knowledge of cybersecurity tools and techniques
- K1245: Knowledge of data exfiltration tools and techniques
- K1246: Knowledge of data handling tools and techniques
- K1247: Knowledge of data monitoring tools and techniques
- K1248: Knowledge of digital and physical security vulnerabilities
- K1249: Knowledge of digital and physical security vulnerability remediation principles and practices
- K1250: Knowledge of external organization roles and responsibilities
- K1251: Knowledge of external referrals policies and procedures
- K1252: Knowledge of high value asset characteristics
- K1253: Knowledge of information collection tools and techniques
- K1254: Knowledge of insider threat hub policies and procedures
- K1255: Knowledge of insider threat hub operations
- K1256: Knowledge of insider threat operational indicators
- K1257: Knowledge of insider threat policies and procedures
- K1258: Knowledge of insider threat tactics
- K1259: Knowledge of insider threat targets
- K1260: Knowledge of intelligence laws and regulations
- K1261: Knowledge of known insider attacks
- K1262: Knowledge of network endpoints
- K1263: Knowledge of notification policies and procedures
- K1265: Knowledge of organizational objectives, resources, and capabilities
- K1267: Knowledge of previously referred potential insider threats
- K1268: Knowledge of risk reduction metrics
- K1269: Knowledge of security information and event management (SIEM) tools and techniques
- K1270: Knowledge of suspicious activity response processes
- K1271: Knowledge of system alert policies and procedures
- K1272: Knowledge of system components
- K1273: Knowledge of threat investigation policies and procedures
- K1274: Knowledge of threat modeling tools and techniques
- K1275: Knowledge of User Activity Monitoring (UAM) tools and techniques
- S0378: Skill in decrypting information
- S0442: Skill in collecting network data
- S0477: Skill in identifying anomalous activity
- S0540: Skill in identifying network threats
- S0558: Skill in developing algorithms
- S0559: Skill in performing data structure analysis
- S0579: Skill in preparing reports
- S0588: Skill in performing threat modeling
- S0606: Skill in manipulating operating system components
- S0610: Skill in communicating effectively
- S0688: Skill in performing network data analysis
- S0690: Skill in performing midpoint collection data analysis
- S0728: Skill in preparing briefings
- S0748: Skill in querying data
- S0791: Skill in presenting to an audience
- S0817: Skill in building internal and external relationships
- S0821: Skill in collaborating with internal and external stakeholders
- S0848: Skill in performing behavioral analysis
- S0854: Skill in performing data analysis
- S0866: Skill in performing log file analysis
- S0874: Skill in performing network traffic analysis
- S0890: Skill in performing threat analysis
- S0896: Skill in recognizing behavioral patterns
- S0900: Skill in analyzing information from multiple sources
- S0902: Skill in building relationships remotely and in person
- S0904: Skill in correlating data from multiple tools
- S0905: Skill in determining what information may be helpful to a specific audience
- S0906: Skill in identifying insider risk security gaps
- S0907: Skill in identifying insider threats
- S0908: Skill in determining the importance of assets
- S0909: Skill in integrating information from multiple sources
- S0910: Skill in performing cyberintelligence data analysis
- S0911: Skill in performing data queries
- S0912: Skill in performing human behavioral analysis
- S0913: Skill in performing link analysis
- S0916: Skill in recognizing recurring threat incidents
Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)