Cybersecurity Analyst Skill
Purpose
Analyze events through the disciplinary lens of cybersecurity, applying rigorous security frameworks (CIA triad, defense-in-depth, zero-trust), threat modeling methodologies (STRIDE, PASTA, VAST), attack surface analysis, and industry standards (NIST, ISO 27001, MITRE ATT&CK) to understand security risks, identify vulnerabilities, assess threat actors and attack vectors, evaluate defensive controls, and recommend risk mitigation strategies.
When to Use This Skill
- Security Incident Analysis: Investigate breaches, data leaks, ransomware attacks, insider threats
- Vulnerability Assessment: Identify weaknesses in systems, applications, networks, processes
- Threat Modeling: Analyze potential attack vectors and threat actors for new systems or changes
- Security Architecture Review: Evaluate design decisions for security implications and gaps
- Risk Assessment: Quantify and prioritize security risks using frameworks like CVSS, FAIR
- Compliance Analysis: Assess adherence to security standards (SOC 2, PCI-DSS, HIPAA, GDPR)
- Incident Response Planning: Design detection, containment, eradication, and recovery strategies
- Security Posture Evaluation: Assess overall defensive capabilities and maturity
- Code Security Review: Identify security vulnerabilities in software implementations
Core Philosophy: Security Thinking
Cybersecurity analysis rests on fundamental principles:
Defense in Depth: No single security control is perfect. Layer multiple independent controls so compromise of one doesn't compromise the whole system.
Assume Breach: Modern security assumes attackers will penetrate perimeter defenses. Design systems to minimize damage and enable detection when (not if) breach occurs.
Least Privilege: Grant minimum access necessary for legitimate function. Every excess permission is an opportunity for exploitation.
Zero Trust: Never trust, always verify. Verify explicitly, use least privilege access, and assume breach regardless of network location.
Security by Design: Security cannot be bolted on afterward. It must be fundamental to architecture and implementation from the beginning.
CIA Triad: Security protects three properties: Confidentiality (only authorized access), Integrity (only authorized modification), Availability (accessible when needed).
Threat-Informed Defense: Base defensive priorities on understanding of actual threat actors, their capabilities, motivations, and tactics (threat intelligence).
Risk-Based Approach: Perfect security is impossible. Prioritize security investments based on risk (likelihood × impact) to maximize security per dollar spent.
Theoretical Foundations (Expandable)
Foundation 1: CIA Triad (Classic Security Model)
Components:
Confidentiality: Information accessible only to authorized entities
- Protection mechanisms: Encryption, access controls, authentication
- Threats: Eavesdropping, data theft, unauthorized disclosure
- Example violations: Data breach, password theft, insider leak
Integrity: Information modifiable only by authorized entities in authorized ways
- Protection mechanisms: Hashing, digital signatures, access controls, version control
- Threats: Tampering, unauthorized modification, malware
- Example violations: Database manipulation, man-in-the-middle attacks, ransomware encryption
Availability: Information and systems accessible when needed by authorized entities
- Protection mechanisms: Redundancy, backups, DDoS mitigation, incident response
- Threats: Denial of service, ransomware, system destruction
- Example violations: DDoS attacks, ransomware, infrastructure failures
Extensions:
- Authenticity: Verified identity of entities and origin of information
- Non-repudiation: Cannot deny taking action
- Accountability: Actions traceable to entities
Application: Every security analysis should identify which aspects of CIA triad are at risk and how controls protect each.
Foundation 2: Defense in Depth (Layered Security)
Principle: Deploy multiple layers of security controls so compromise of one layer doesn't compromise entire system.
Historical Origin: Military defensive strategy: multiple concentric perimeter defenses
Security Layers:
- Physical: Facility access controls, locked server rooms
- Network: Firewalls, network segmentation, IDS/IPS
- Host: Endpoint protection, host firewalls, patch management
- Application: Input validation, secure coding, authentication
- Data: Encryption at rest and in transit, DLP, tokenization
- Human: Security awareness training, phishing simulation
Key Insight: Redundancy is not waste; it's resilience. Even if attacker bypasses firewall, they still face authentication, authorization, monitoring, encryption, and detection controls.
Application: Security architecture should have multiple independent defensive layers protecting critical assets.
Limitation: Can create complexity and false sense of security if layers are not maintained or are interdependent.
Foundation 3: Zero Trust Architecture
Core Principle: "Never trust, always verify" regardless of network location
Contrast with Perimeter Model: Traditional security assumed internal network is trusted ("castle and moat"). Zero trust assumes no network location is trusted.
Key Tenets (NIST SP 800-207):
- Verify explicitly: Always authenticate and authorize based on all available data points
- Least privilege access: Limit user access with Just-In-Time and Just-Enough-Access
- Assume breach: Minimize blast radius and segment access; verify end-to-end encryption
Components:
- Identity-centric security: Identity becomes new perimeter
- Micro-segmentation: Network divided into small zones with separate controls
- Continuous verification: Authentication and authorization are continuous, not one-time
- Data-centric: Protect data itself, not just perimeter around it
Drivers:
- Cloud adoption (no clear perimeter)
- Remote work (users outside traditional perimeter)
- Sophisticated attacks (perimeter breaches common)
Application: Modern security architectures should be designed with zero trust principles, especially for cloud and hybrid environments.
Foundation 4: Threat Modeling
Definition: Structured approach to identify and prioritize potential threats to a system
Purpose: Proactively identify security issues during design phase when fixes are cheapest
Benefits:
- Find vulnerabilities before implementation
- Prioritize security work
- Communicate risks to stakeholders
- Guide security testing
Common Methodologies:
STRIDE (Microsoft):
- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
PASTA (Process for Attack Simulation and Threat Analysis):
- Seven-stage risk-centric methodology
- Aligns business objectives with technical requirements
VAST (Visual, Agile, and Simple Threat modeling):
- Scalable for agile development
- Two types: application threat models and operational threat models
Application: Use threat modeling for new features, architecture changes, or security reviews.
Foundation 5: MITRE ATT&CK Framework
Description: Knowledge base of adversary tactics and techniques based on real-world observations
Purpose: Understand how attackers operate to inform defense, detection, and threat hunting
Structure:
- Tactics: High-level goals (e.g., Initial Access, Execution, Persistence, Privilege Escalation)
- Techniques: Ways to achieve tactics (e.g., Phishing, Exploiting Public Applications)
- Sub-techniques: Specific implementations
- Procedures: Specific attacker behaviors
14 Tactics (Enterprise Matrix):
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
Application:
- Map defensive controls to ATT&CK techniques
- Identify detection gaps
- Threat intelligence sharing
- Red team/purple team exercises
Value: Common language for describing attacker behavior; basis for threat-informed defense
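Mapping controls to ATT&CK and finding detection gaps, as an added example that is not part of the original skill text. The rule names and the priority list are constructed, and the technique IDs are existing ATT&CK IDs chosen for illustration; a technique such as T1053 serves several tactics, so coverage is counted per tactic.

```python
# The 14 Enterprise tactics, in the order listed above.
TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
           "Persistence", "Privilege Escalation", "Defense Evasion",
           "Credential Access", "Discovery", "Lateral Movement", "Collection",
           "Command and Control", "Exfiltration", "Impact"]

# Constructed inventory: rule names are hypothetical, technique IDs are ATT&CK IDs.
DETECTIONS = [
    {"rule": "mail-attachment-sandbox", "technique": "T1566", "tactics": ["Initial Access"]},
    {"rule": "waf-exploit-signatures", "technique": "T1190", "tactics": ["Initial Access"]},
    {"rule": "script-interpreter-spawn", "technique": "T1059", "tactics": ["Execution"]},
    {"rule": "new-scheduled-task", "technique": "T1053",
     "tactics": ["Execution", "Persistence", "Privilege Escalation"]},
    {"rule": "lsass-memory-read", "technique": "T1003", "tactics": ["Credential Access"]},
    {"rule": "mass-file-rename", "technique": "T1486", "tactics": ["Impact"]},
]

# Constructed: techniques that threat intelligence marks as priorities for this organization.
PRIORITY = ["T1566", "T1021", "T1003", "T1041", "T1486"]

def coverage(detections):
    """Return {tactic: sorted technique IDs that have at least one detection rule}."""
    cov = {t: set() for t in TACTICS}
    for d in detections:
        for tactic in d["tactics"]:
            if tactic not in cov:  # catch typos instead of silently losing coverage
                raise ValueError(f"{d['rule']}: unknown tactic {tactic!r}")
            cov[tactic].add(d["technique"])
    return {t: sorted(ids) for t, ids in cov.items()}

def tactic_gaps(detections):
    """Tactics with no detection at all, in matrix order."""
    cov = coverage(detections)
    return [t for t in TACTICS if not cov[t]]

def undetected(priority, detections):
    """Priority techniques that no rule in the inventory covers."""
    covered = {d["technique"] for d in detections}
    return [t for t in priority if t not in covered]

if __name__ == "__main__":
    print("Tactics with no coverage:", tactic_gaps(DETECTIONS))
    print("Priority techniques without a rule:", undetected(PRIORITY, DETECTIONS))
```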
Core Analytical Frameworks (Expandable)
Framework 1: Attack Surface Analysis
Definition: Identification and assessment of all points where unauthorized user could enter or extract data from system
Components:
Attack Surface Elements:
- Network attack surface: Exposed ports, services, protocols
- Software attack surface: Applications, APIs, web interfaces
- Human attack surface: Users, administrators, social engineering targets
- Physical attack surface: Facility access, hardware access
Attack Vectors: Methods attackers use to exploit attack surface
- Network-based: Port scanning, protocol exploits, man-in-the-middle
- Web-based: SQL injection, XSS, CSRF, authentication bypass
- Email-based: Phishing, malicious attachments, credential harvesting
- Physical: Theft, unauthorized access, evil maid attacks
- Social engineering: Pretexting, baiting, tailgating
Analysis Process:
- Enumerate: List all entry points and assets
- Classify: Categorize by type and criticality
- Assess: Evaluate exploitability and impact
- Prioritize: Rank by risk
- Reduce: Minimize unnecessary exposure
Metrics:
- Number of exposed services
- Number of internet-facing applications
- Number of privileged accounts
- Lines of code exposed to untrusted input
Application: Reducing attack surface is fundamental defensive strategy. Eliminate unnecessary exposure.
Framework 2: Risk Assessment Frameworks
Purpose: Quantify and prioritize security risks to guide resource allocation
Common Frameworks:
CVSS (Common Vulnerability Scoring System):
- Standard for assessing vulnerability severity
- Score 0-10 based on exploitability, impact, scope
- Base score (intrinsic characteristics) + temporal + environmental scores
- Widely used but criticized for not capturing actual risk in specific contexts
FAIR (Factor Analysis of Information Risk):
- Quantitative risk framework
- Risk = Loss Event Frequency × Loss Magnitude
- Enables cost-benefit analysis of security investments
- More complex but provides dollar-denominated risk figures
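An added example (not part of the original text) of the dollar-denominated cost-benefit comparison FAIR enables: it samples Loss Event Frequency and Loss Magnitude from triangular estimates and compares annualized loss with and without a control. The estimates, the control's effect and cost, and the per-trial frequency × magnitude simplification are assumptions.

```python
import random
import statistics

def simulate_ale(lef, lm, trials=20000, seed=7):
    """Sample annualized loss = Loss Event Frequency x Loss Magnitude.

    lef and lm are (low, mode, high) triangular estimates: loss events per
    year and dollars per event. Returns the sorted per-trial losses.
    """
    rng = random.Random(seed)  # fixed seed so the comparison is reproducible
    losses = []
    for _ in range(trials):
        frequency = rng.triangular(lef[0], lef[2], lef[1])
        magnitude = rng.triangular(lm[0], lm[2], lm[1])
        losses.append(frequency * magnitude)
    return sorted(losses)

def summarize(losses):
    """Mean and 90th-percentile annual loss in dollars (losses must be sorted)."""
    return {"mean": statistics.fmean(losses),
            "p90": losses[int(0.9 * len(losses))]}

def net_benefit(baseline, with_control, annual_cost):
    """Expected yearly loss avoided by a control, minus what the control costs."""
    avoided = summarize(baseline)["mean"] - summarize(with_control)["mean"]
    return avoided - annual_cost

# Constructed estimates for a single loss scenario (assumptions, not from the page).
LEF_BASELINE = (0.1, 0.3, 1.0)          # events per year: low, most likely, high
LEF_WITH_CONTROL = (0.05, 0.15, 0.5)    # assumed: the control halves event frequency
LOSS_MAGNITUDE = (50_000, 200_000, 2_000_000)   # dollars per event
CONTROL_COST = 100_000                  # dollars per year

if __name__ == "__main__":
    base = simulate_ale(LEF_BASELINE, LOSS_MAGNITUDE)
    ctrl = simulate_ale(LEF_WITH_CONTROL, LOSS_MAGNITUDE)
    print("baseline:", summarize(base))
    print("with control:", summarize(ctrl))
    print("net benefit per year:", round(net_benefit(base, ctrl, CONTROL_COST)))
```

A positive net benefit means the control is expected to avoid more loss per year than it costs; the 90th percentile shows how far a bad year can sit above the mean.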
NIST Risk Management Framework (RMF):
- Seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
- Links security controls to risk management
- Used by U.S. federal agencies
Qualitative vs. Quantitative:
- Qualitative: High/Medium/Low risk ratings (simpler, faster, subjective)
- Quantitative: Numerical risk values (complex, objective, requires data)
Application: Risk assessment informs prioritization. Not all vulnerabilities are equally important; focus on highest risks.
Framework 3: Security Control Frameworks
Purpose: Structured set of security controls to achieve security objectives
Major Frameworks:
NIST Cybersecurity Framework:
- Five core functions: Identify, Protect, Detect, Respond, Recover
- Not prescriptive; flexible for different organizations
- Widely adopted across industries and internationally
NIST SP 800-53 (Security and Privacy Controls):
- Comprehensive catalog of security controls for federal systems
- 20 control families (Access Control, Incident Response, etc.)
- Detailed implementation guidance
CIS Controls (Center for Internet Security):
- 18 prioritized security controls
- Implementation groups (IG1, IG2, IG3) based on organizational maturity
- Actionable and measurable
ISO/IEC 27001:
- International standard for information security management systems
- 14 control domains, 114 controls
- Certification available
Application: Use frameworks to:
- Ensure comprehensive coverage
- Benchmark security posture
- Communicate with stakeholders
- Meet compliance requirements
Framework 4: Incident Response Lifecycle
Definition: Structured approach to handling security incidents
Standard Model (NIST SP 800-61):
Phase 1: Preparation
- Establish IR capability, tools, playbooks
- Training and exercises
- Communication plans
Phase 2: Detection and Analysis
- Monitoring and alerting
- Incident classification and prioritization
- Initial investigation
- Scope determination
Phase 3: Containment, Eradication, and Recovery
- Containment: Stop spread (short-term and long-term)
- Eradication: Remove threat from environment
- Recovery: Restore systems to normal operation
Phase 4: Post-Incident Activity
- Lessons learned
- Evidence preservation
- Incident report
- Process improvement
Key Concepts:
- Playbooks: Predefined procedures for common incident types
- Indicators of Compromise (IoCs): Artifacts indicating malicious activity
- Chain of custody: Evidence handling procedures
- Communication: Internal and external stakeholders, legal, PR
Metrics:
- Mean Time to Detect (MTTD)
- Mean Time to Respond (MTTR)
- Mean Time to Contain (MTTC)
Application: Effective incident response minimizes damage, reduces recovery time, and captures learning.
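One way to compute these metrics from incident records, as an added example rather than part of the original text. The sample incidents are constructed, and the interval definitions are assumptions (MTTD from occurrence to detection, MTTC from detection to containment, MTTR from detection to resolution); open incidents are left out of any mean they cannot contribute to.

```python
from datetime import datetime
from statistics import fmean

# Constructed incident records; None marks a phase that has not been reached yet.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00", "detected": "2024-03-01T08:00",
     "contained": "2024-03-01T10:00", "resolved": "2024-03-02T08:00"},
    {"id": "INC-2", "occurred": "2024-03-10T12:00", "detected": "2024-03-12T12:00",
     "contained": "2024-03-12T18:00", "resolved": "2024-03-14T12:00"},
    {"id": "INC-3", "occurred": "2024-03-20T00:00", "detected": "2024-03-20T06:00",
     "contained": "2024-03-20T07:00", "resolved": None},
]

def hours_between(record, start, end):
    """Hours from one phase to the next, or None if either timestamp is missing."""
    if record.get(start) is None or record.get(end) is None:
        return None
    delta = datetime.fromisoformat(record[end]) - datetime.fromisoformat(record[start])
    if delta.total_seconds() < 0:  # a bad timeline would silently skew the mean
        raise ValueError(f"{record['id']}: {end} precedes {start}")
    return delta.total_seconds() / 3600

def mean_hours(incidents, start, end):
    """Mean interval in hours over the incidents that have both timestamps."""
    spans = [hours_between(r, start, end) for r in incidents]
    spans = [h for h in spans if h is not None]
    return fmean(spans) if spans else None

def ir_metrics(incidents):
    """MTTD, MTTC and MTTR in hours, plus the incidents still open."""
    return {
        "MTTD": mean_hours(incidents, "occurred", "detected"),
        "MTTC": mean_hours(incidents, "detected", "contained"),
        "MTTR": mean_hours(incidents, "detected", "resolved"),
        "open": [r["id"] for r in incidents if r.get("resolved") is None],
    }

if __name__ == "__main__":
    print(ir_metrics(INCIDENTS))
```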
Framework 5: Secure Development Lifecycle (SDL)
Purpose: Integrate security into software development process
Microsoft SDL Phases:
- Training: Security training for developers
- Requirements: Define security requirements and privacy requirements
- Design: Threat modeling, attack surface reduction, defense in depth
- Implementation: Secure coding standards, code analysis tools
- Verification: Security testing (SAST, DAST, penetration testing)
- Release: Final security review, incident response plan
- Response: Execute incident response plan if vulnerability discovered
Key Practices:
- Static Analysis (SAST): Analyze source code for vulnerabilities
- Dynamic Analysis (DAST): Test running application
- Dependency Scanning: Check third-party libraries for known vulnerabilities
- Penetration Testing: Simulate real attacks
- Security Champions: Embed security expertise in development teams
OWASP SAMM (Software Assurance Maturity Model):
- Maturity model for secure software development
- Five business functions: Governance, Design, Implementation, Verification, Operations
- Three maturity levels for each function
Application: Security must be integrated throughout development lifecycle, not just at the end.
Methodological Approaches (Expandable)
Method 1: Threat Intelligence Analysis
Purpose: Understand adversaries, their capabilities, tactics, and targets to inform defense
Types of Threat Intelligence:
Strategic: High-level trends for executives
- APT group activity and motivations
- Geopolitical cyber threats
- Industry-specific threat landscape
Operational: Campaign-level information for security operations
- Current attack campaigns
- Threat actor TTPs
- Malware families
Tactical: Technical indicators for immediate defense
- IP addresses, domains, file hashes
- YARA rules, Snort signatures
- CVEs being exploited
Analytical Process:
- Collection: Gather data from internal sources, threat feeds, OSINT, dark web
- Processing: Normalize, correlate, deduplicate
- Analysis: Contextualize, attribute, assess intent and capability
- Dissemination: Share with relevant teams in actionable format
- Feedback: Assess effectiveness and refine
Frameworks:
- Diamond Model: Adversary, Capability, Infrastructure, Victim
- Kill Chain: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives
- MITRE ATT&CK: Map observed techniques to ATT&CK matrix
Application: Threat intelligence enables proactive, threat-informed