Intrusion detection and analysis
Awareness

Describes the basic principles of intrusion detection and analysis, including the difference between intrusion prevention and intrusion detection
Follows documented principles and guidelines for intrusion detection and analysis activities
Implements intrusion detection and analysis processes and procedures
Working

Understands and explains the basic principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour
Uses information provided from various sources to identify, analyse, and report events that occur or might occur within the network. Uses a range of methods and procedures to identify, acquire, and preserve artefacts by means of controlled and documented analytical and investigative techniques
Understands the business context of the activities
Educates others on policies, procedures and guidelines relating to monitoring and analysing network and system activity
Practitioner

Understands and explains advanced principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour and applies the results in investigations
Collects information from a variety of sources (e.g. data from cyber defence tools, system logs) and uses it to identify, analyse, and report events that occur or might occur within the network. Uses a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis) to identify, acquire, analyse and preserve artefacts by means of controlled and documented analytical and investigative techniques
Supervises and manages teams undertaking intrusion detection and analysis
Creates policies, procedures and guidelines based on intrusion detection and analysis standards
Advises others on intrusion detection and analysis
Tailors and refines systems and processes to meet the organisation’s needs
Expert

Understands and explains advanced monitoring of network and system activity to identify potential intrusion or other anomalous behaviour and applies the results in complex investigations
Collects or oversees collection of information from a variety of sources (e.g. data from cyber defence tools, system logs) and uses it to identify, analyse, and report events that occur or might occur within the network. Uses a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis), developing techniques and tools where necessary, to identify, acquire, analyse and preserve artefacts by means of specialist analytical and investigative techniques
Leads and oversees the intrusion detection and analysis function and its activities for an organisation
Shapes intrusion detection and analysis strategy, policy, procedures and guidelines within the organisation and influences developments in the field at a national level
Advises and influences senior management on intrusion detection and analysis matters
Defines, articulates and communicates required capabilities and tools