● Monitor external data sources (e.g., cyber defense vendor sites, computer emergency response teams, security focus) to maintain currency of cyber defense threat conditions and determine which security issues may have an impact on the enterprise. ● Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security. ● Perform cyber defense incident triage, including determining scope, urgency, and potential impact; identifying the specific vulnerability, and making recommendations that enable expeditious remediation. ● Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems. ● Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable incident response teams. ● Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. ● Track and document cyber defense incidents from initial detection through final resolution. ● Perform cyber defense trend analysis and reporting. ● Build a new incident handling procedure, conduct training presentations. ● Assess the quality of security controls using performance indicators.

● Coordinate and provide expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents. ● Coordinate incident response functions. ● Coordinate with intelligence analysts to correlate threat assessment data. ● Conduct investigations of information security breaches to identify vulnerabilities and evaluate the damage. ● Coordinate vulnerability assessments or analysis of information security systems. ● Coordinate monitoring of networks or systems for security breaches or intrusions.

● Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation. ● Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies. ● Employ approved defense-in-depth principles and practices. (e.g., defense-in-multiple places, layered defenses, security robustness). ● Collect intrusion artifacts (e.g., source code, malware, Trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. ● Serve as technical expert and liaison to law enforcement personnel and explain incident details as required. ● Write and publish after-action reviews. ● Analyze reports, dashboards, and alerts to provide operational oversight of the security posture of the enterprise environment. ● Provide constructive feedback to fellow analysts on events and review and update incident handling documentation.