
Intrusion detection and analysis

Skill definition

Intrusion detection and analysis consists of monitoring network and system activity to identify potential intrusions or other anomalous behaviour. Its processes, methods and procedures include information analysis; security analytics, including outputs from intelligence analysis, predictive research and root cause analysis; vulnerability report analysis; and the production of warning materials. The skill also covers monitoring, collating and filtering external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes, and ensuring that disclosure processes are in place to restrict knowledge of new vulnerabilities until appropriate remediation or mitigation is available.

Awareness

  • Describes the basic principles of intrusion detection and analysis including the difference between intrusion prevention and intrusion detection
  • Follows documented principles and guidelines for intrusion detection and analysis activities
  • Implements intrusion detection and analysis processes and procedures

Working

  • Understands and explains the basic principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour
  • Uses information from various sources to identify, analyse, and report events that occur or might occur within the network. Uses a range of methods and procedures to identify, acquire, and preserve artefacts by means of controlled and documented analytical and investigative techniques
  • Understands the business context of the activities
  • Educates others on policies, procedures and guidelines relating to monitoring and analysing network and system activity
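The Working-level activities above, monitoring system activity for anomalous behaviour and then acquiring and preserving artefacts in a controlled, documented way, as an added example that is not part of the original page. The sshd log lines are constructed for illustration, the detection rule (five or more failed logins from one source within 60 seconds followed by an accepted login) is an assumed threshold rather than anything the page prescribes, and the SHA-256 digest plus collection record stands in for whatever evidence-handling procedure an organisation actually mandates.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sshd log lines (not real data); timestamps simplified to ISO-8601.
SAMPLE_AUTH_LOG = """\
2024-03-04T09:00:01Z host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2024-03-04T09:00:03Z host1 sshd[2203]: Failed password for root from 203.0.113.7 port 50130 ssh2
2024-03-04T09:00:05Z host1 sshd[2205]: Failed password for root from 203.0.113.7 port 50141 ssh2
2024-03-04T09:00:07Z host1 sshd[2207]: Failed password for root from 203.0.113.7 port 50150 ssh2
2024-03-04T09:00:09Z host1 sshd[2209]: Failed password for root from 203.0.113.7 port 50162 ssh2
2024-03-04T09:00:12Z host1 sshd[2211]: Accepted password for root from 203.0.113.7 port 50170 ssh2
2024-03-04T09:05:00Z host1 sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-04T09:05:40Z host1 sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text):
    """Parse sshd lines into events; lines that do not match the expected shape are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "host": m["host"], "outcome": m["outcome"], "user": m["user"],
            "src": m["src"], "raw": raw,
        })
    return events


def detect_bruteforce_then_success(events, threshold=5, window_s=60):
    """Flag a source with >= threshold failures inside window_s seconds followed by an accepted login.
    A burst of failures alone is background noise; failures followed by success from the same
    source is the pattern that merits an analyst's attention. Thresholds are assumed values."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for e in evs:
            # Keep only failures still inside the sliding window relative to this event.
            failures = [f for f in failures if (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if e["outcome"] == "Failed":
                failures.append(e)
            elif e["outcome"] == "Accepted" and len(failures) >= threshold:
                alerts.append({"src": src, "host": e["host"], "user": e["user"],
                               "failures": len(failures),
                               "evidence": [f["raw"] for f in failures] + [e["raw"]]})
                failures = []
    return alerts


def preserve_artefact(alert, analyst, collected_at):
    """Record the evidence lines with a SHA-256 digest and who/when/where they were collected,
    so later analysis can demonstrate the artefact is unaltered (a stand-in for a formal procedure)."""
    blob = "\n".join(alert["evidence"]).encode("utf-8")
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "line_count": len(alert["evidence"]),
        "collected_by": analyst,
        "collected_at": collected_at.isoformat(),
        "source": f"{alert['host']}:sshd",
        "content": blob.decode("utf-8"),
    }


def verify_artefact(record):
    """Recompute the digest over the preserved content; False means the artefact was altered."""
    return hashlib.sha256(record["content"].encode("utf-8")).hexdigest() == record["sha256"]


def run(text=SAMPLE_AUTH_LOG):
    """Detect over the sample log and preserve one artefact record per alert."""
    events = parse_auth_log(text)
    alerts = detect_bruteforce_then_success(events)
    collected_at = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)  # fixed for reproducibility
    return [(a, preserve_artefact(a, "analyst-1", collected_at)) for a in alerts]


if __name__ == "__main__":
    for alert, record in run():
        print(f"ALERT {alert['src']} -> {alert['host']} user={alert['user']} failures={alert['failures']}")
        print(f"  artefact sha256={record['sha256']} lines={record['line_count']} verified={verify_artefact(record)}")
```

On the sample data only 203.0.113.7 is flagged: alice's single failure followed by a key-based login stays below the threshold and produces no alert. The digest is what makes the preservation step "controlled and documented": any later edit to the stored evidence lines, even a single port number, causes verify_artefact to return False.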

Practitioner

  • Understands and explains advanced principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour and applies the results in investigations
  • Collects information from a variety of sources (e.g. data from cyber defence tools, system logs) and uses it to identify, analyse, and report events that occur or might occur within the network. Uses a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis) to identify, acquire, analyse and preserve artefacts by means of controlled and documented analytical and investigative techniques
  • Supervises and manages teams undertaking intrusion detection and analysis
  • Creates policies, procedures and guidelines based on intrusion detection and analysis standards
  • Advises others on intrusion detection and analysis
  • Tailors and refines systems and processes to meet the organisation’s needs

Expert

  • Understands and explains advanced monitoring of network and system activity to identify potential intrusion or other anomalous behaviour and applies the results in complex investigations
  • Collects or oversees collection of information from a variety of sources (e.g. data from cyber defence tools, system logs) and uses it to identify, analyse, and report events that occur or might occur within the network. Uses a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis), developing techniques and tools where necessary, to identify, acquire, analyse and preserve artefacts by means of specialist analytical and investigative techniques
  • Leads and oversees intrusion detection and analysis function and activities for an organisation
  • Shapes intrusion detection and analysis strategy, policy, procedures and guidelines within the organisation and influences developments in the field at a national level
  • Advises and influences senior management on intrusion detection and analysis matters
  • Defines, articulates and communicates required capabilities and tools
