Attention: CISA Learning is now available! If you are an EXTERNAL (non-CISA) user access the new system using this url: CISA Learning. The Federal Virtual Training Environment (FedVTE) has been permanently decommissioned and replaced by CISA Learning. Please reference the CISA Learning page for the latest information. Please note: CISA Users (staff and contractors) should access CISA Learning through the internal site. You should have received an email on December 4, 2024, titled “CISA Learning is LIVE!” with more information.

PD-WRL-006

Threat Analysis

Responsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. Develops cybersecurity indicators to maintain awareness of the status of the highly dynamic operating environment.

Task statements

T0569: Answer requests for information
T0685: Evaluate threat decision-making processes
T0698: Facilitate continuously updated intelligence, surveillance, and visualization input to common operational picture managers
T0707: Generate requests for information
T0718: Identify intelligence gaps and shortfalls
T0751: Monitor open source websites for hostile content directed towards organizational or partner interests
T0845: Identify cyber threat tactics and methodologies
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1035: Determine how threat activity groups employ encryption to support their operations
T1053: Identify and characterize intrusion activities against a victim or target
T1054: Scope analysis reports to various audiences that accounts for data sharing classification restrictions
T1055: Determine if priority information requirements are satisfied
T1640: Determine effectiveness of intelligence collection operations
T1641: Recommend adjustments to intelligence collection strategies
T1643: Develop common operational pictures
T1644: Develop cyber operations indicators
T1645: Coordinate all-source collection activities
T1646: Validate all-source collection requirements and plans
T1647: Develop priority information requirements
T1651: Prepare threat and target briefings
T1652: Prepare threat and target situational updates
T1686: Identify intelligence requirements
T1762: Modify collection requirements
T1763: Determine effectiveness of collection requirements
T1765: Monitor changes to designated cyber operations warning problem sets
T1766: Prepare change reports for designated cyber operations warning problem sets
T1767: Monitor threat activities
T1768: Prepare threat activity reports
T1770: Report on adversarial activities that fulfill priority information requirements
T1772: Identify indications and warnings of target communication changes or processing failures
T1775: Prepare cyber operations intelligence reports
T1776: Prepare indications and warnings intelligence reports
T1792: Assess effectiveness of intelligence production
T1793: Assess effectiveness of intelligence reporting
T1798: Provide intelligence analysis and support
T1799: Notify appropriate personnel of imminent hostile intentions or activities
T1804: Prepare network intrusion reports
T1835: Determine if intelligence requirements and collection plans are accurate and up-to-date

Knowledge statements

K0018: Knowledge of encryption algorithms
K0480: Knowledge of malware
K0655: Knowledge of intelligence fusion
K0658: Knowledge of cognitive biases
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0689: Knowledge of network infrastructure principles and practices
K0690: Knowledge of requirements analysis principles and practices
K0697: Knowledge of encryption algorithm capabilities and applications
K0718: Knowledge of network communications principles and practices
K0719: Knowledge of human-computer interaction (HCI) principles and practices
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0766: Knowledge of data asset management principles and practices
K0773: Knowledge of telecommunications principles and practices
K0786: Knowledge of physical computer components
K0787: Knowledge of computer peripherals
K0788: Knowledge of adversarial tactics principles and practices
K0789: Knowledge of adversarial tactics tools and techniques
K0790: Knowledge of adversarial tactics policies and procedures
K0792: Knowledge of network configurations
K0806: Knowledge of machine virtualization tools and techniques
K0812: Knowledge of digital communication systems and software
K0818: Knowledge of new and emerging cybersecurity risks
K0825: Knowledge of threat vector characteristics
K0831: Knowledge of network attack vectors
K0844: Knowledge of cyber attack stages
K0845: Knowledge of cyber intrusion activity phases
K0857: Knowledge of malware analysis tools and techniques
K0858: Knowledge of virtual machine detection tools and techniques
K0865: Knowledge of data classification standards and best practices
K0866: Knowledge of data classification tools and techniques
K0915: Knowledge of network architecture principles and practices
K0916: Knowledge of malware analysis principles and practices
K0925: Knowledge of wireless communication tools and techniques
K0926: Knowledge of signal jamming tools and techniques
K0934: Knowledge of data classification policies and procedures
K0960: Knowledge of content management system (CMS) capabilities and applications
K0969: Knowledge of cyber-attack tools and techniques
K0983: Knowledge of computer networking principles and practices
K0984: Knowledge of web security principles and practices
K0989: Knowledge of intelligence information repositories
K0990: Knowledge of cyber operations principles and practices
K0994: Knowledge of denial and deception tools and techniques
K1002: Knowledge of supervisory control and data acquisition (SCADA) systems and software
K1005: Knowledge of intelligence collection capabilities and applications
K1007: Knowledge of intelligence requirements tasking systems and software
K1008: Knowledge of intelligence support activities
K1009: Knowledge of threat intelligence principles and practices
K1010: Knowledge of intelligence policies and procedures
K1011: Knowledge of network addressing principles and practices
K1014: Knowledge of network security principles and practices
K1019: Knowledge of operations security (OPSEC) principles and practices
K1025: Knowledge of decision-making policies and procedures
K1028: Knowledge of target development principles and practices
K1035: Knowledge of target research tools and techniques
K1049: Knowledge of routing protocols
K1059: Knowledge of request for information processes
K1066: Knowledge of threat behaviors
K1067: Knowledge of target behaviors
K1068: Knowledge of threat systems and software
K1069: Knowledge of virtual machine tools and technologies
K1100: Knowledge of analytical tools and techniques
K1101: Knowledge of analytics
K1109: Knowledge of virtual collaborative workspace tools and techniques
K1113: Knowledge of blue force tracking
K1197: Knowledge of priority intelligence requirements

Skill statements

S0111: Skill in interfacing with customers
S0194: Skill in conducting non-attributable research
S0385: Skill in communicating complex concepts
S0430: Skill in collaborating with others
S0433: Skill in creating analytics
S0434: Skill in extrapolating from incomplete data sets
S0435: Skill in analyzing large data sets
S0436: Skill in creating target intelligence products
S0438: Skill in functioning effectively in a dynamic, fast-paced environment
S0443: Skill in mitigating cognitive biases
S0444: Skill in mitigating deception in reporting and analysis
S0446: Skill in mimicking threat actors
S0472: Skill in developing virtual machines
S0473: Skill in maintaining virtual machines
S0494: Skill in performing operational environment analysis
S0505: Skill in performing intrusion data analysis
S0506: Skill in identifying customer information needs
S0509: Skill in evaluating security products
S0511: Skill in establishing priorities
S0512: Skill in extracting metadata
S0514: Skill in preparing operational environments
S0516: Skill in performing threat emulation tactics
S0517: Skill in anticipating threats
S0535: Skill in performing threat factor analysis
S0537: Skill in designing wireless communications systems
S0540: Skill in identifying network threats
S0555: Skill in performing capabilities analysis
S0556: Skill in performing requirements analysis
S0579: Skill in preparing reports
S0600: Skill in collecting relevant data from a variety of sources
S0633: Skill in developing position qualification requirements
S0673: Skill in translating operational requirements into security controls
S0696: Skill in conducting deep web research
S0702: Skill in defining an operational environment
S0704: Skill in performing target analysis
S0709: Skill in developing analytics
S0712: Skill in evaluating data source quality
S0713: Skill in evaluating information quality
S0718: Skill in identifying cybersecurity threats
S0719: Skill in identifying intelligence gaps
S0724: Skill in managing client relationships
S0728: Skill in preparing briefings
S0748: Skill in querying data
S0751: Skill in conducting open-source searches
S0756: Skill in incorporating feedback
S0765: Skill in converting intelligence requirements into intelligence production tasks
S0777: Skill in developing collection strategies
S0779: Skill in determining information requirements
S0791: Skill in presenting to an audience
S0869: Skill in performing metadata analysis
S0876: Skill in performing nodal analysis

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)