Cybersecurity Analyst Skill

Purpose

Analyze events through the disciplinary lens of cybersecurity, applying rigorous security frameworks (CIA triad, defense-in-depth, zero-trust), threat modeling methodologies (STRIDE, PASTA, VAST), attack surface analysis, and industry standards (NIST, ISO 27001, MITRE ATT&CK) to understand security risks, identify vulnerabilities, assess threat actors and attack vectors, evaluate defensive controls, and recommend risk mitigation strategies.

When to Use This Skill

• Security Incident Analysis: Investigate breaches, data leaks, ransomware attacks, insider threats
• Vulnerability Assessment: Identify weaknesses in systems, applications, networks, processes
• Threat Modeling: Analyze potential attack vectors and threat actors for new systems or changes
• Security Architecture Review: Evaluate design decisions for security implications and gaps
• Risk Assessment: Quantify and prioritize security risks using frameworks like CVSS, FAIR
• Compliance Analysis: Assess adherence to security standards (SOC 2, PCI-DSS, HIPAA, GDPR)
• Incident Response Planning: Design detection, containment, eradication, and recovery strategies
• Security Posture Evaluation: Assess overall defensive capabilities and maturity
• Code Security Review: Identify security vulnerabilities in software implementations

Core Philosophy: Security Thinking

Cybersecurity analysis rests on fundamental principles:

Defense in Depth: No single security control is perfect. Layer multiple independent controls so compromise of one doesn't compromise the whole system.

Assume Breach: Modern security assumes attackers will penetrate perimeter defenses. Design systems to minimize damage and enable detection when (not if) breach occurs.

Least Privilege: Grant minimum access necessary for legitimate function. Every excess permission is an opportunity for exploitation.

Zero Trust: Never trust, always verify. Verify explicitly, use least privilege access, and assume breach regardless of network location.

Security by Design: Security cannot be bolted on afterward. It must be fundamental to architecture and implementation from the beginning.

CIA Triad: Security protects three properties—Confidentiality (only authorized access), Integrity (only authorized modification), Availability (accessible when needed).

Threat-Informed Defense: Base defensive priorities on understanding of actual threat actors, their capabilities, motivations, and tactics (threat intelligence).

Risk-Based Approach: Perfect security is impossible. Prioritize security investments based on risk (likelihood × impact) to maximize security per dollar spent.

---

Theoretical Foundations (Expandable)

Foundation 1: CIA Triad (Classic Security Model)

Components:

Confidentiality: Information accessible only to authorized entities

• Protection mechanisms: Encryption, access controls, authentication
• Threats: Eavesdropping, data theft, unauthorized disclosure
• Example violations: Data breach, password theft, insider leak

Integrity: Information modifiable only by authorized entities in authorized ways

• Protection mechanisms: Hashing, digital signatures, access controls, version control
• Threats: Tampering, unauthorized modification, malware
• Example violations: Database manipulation, man-in-the-middle attacks, ransomware encryption

Availability: Information and systems accessible when needed by authorized entities

• Protection mechanisms: Redundancy, backups, DDoS mitigation, incident response
• Threats: Denial of service, ransomware, system destruction
• Example violations: DDoS attacks, ransomware, infrastructure failures

Extensions:

• Authenticity: Verified identity of entities and origin of information
• Non-repudiation: Cannot deny taking action
• Accountability: Actions traceable to entities

Application: Every security analysis should identify which aspects of CIA triad are at risk and how controls protect each.

Sources:

• CIA Triad - Wikipedia
• NIST Cybersecurity Framework

Foundation 2: Defense in Depth (Layered Security)

Principle: Deploy multiple layers of security controls so compromise of one layer doesn't compromise entire system.

Historical Origin: Military defensive strategy—multiple concentric perimeter defenses

Security Layers:

1. Physical: Facility access controls, locked server rooms
2. Network: Firewalls, network segmentation, IDS/IPS
3. Host: Endpoint protection, host firewalls, patch management
4. Application: Input validation, secure coding, authentication
5. Data: Encryption at rest and in transit, DLP, tokenization
6. Human: Security awareness training, phishing simulation

Key Insight: Redundancy is not waste—it's resilience. Even if attacker bypasses firewall, they still face authentication, authorization, monitoring, encryption, and detection controls.

Application: Security architecture should have multiple independent defensive layers protecting critical assets.

Limitation: Can create complexity and false sense of security if layers are not maintained or are interdependent.

Sources:

• Defense in Depth - NSA
• Layered Security - CISA

Foundation 3: Zero Trust Architecture

Core Principle: "Never trust, always verify" regardless of network location

Contrast with Perimeter Model: Traditional security assumed internal network is trusted ("castle and moat"). Zero trust assumes no network location is trusted.

Key Tenets (NIST SP 800-207):

1. Verify explicitly: Always authenticate and authorize based on all available data points
2. Least privilege access: Limit user access with Just-In-Time and Just-Enough-Access
3. Assume breach: Minimize blast radius and segment access; verify end-to-end encryption

Components:

• Identity-centric security: Identity becomes new perimeter
• Micro-segmentation: Network divided into small zones with separate controls
• Continuous verification: Authentication and authorization are continuous, not one-time
• Data-centric: Protect data itself, not just perimeter around it

Drivers:

• Cloud adoption (no clear perimeter)
• Remote work (users outside traditional perimeter)
• Sophisticated attacks (perimeter breaches common)

Application: Modern security architectures should be designed with zero trust principles, especially for cloud and hybrid environments.

Sources:

• NIST SP 800-207: Zero Trust Architecture
• Zero Trust - Microsoft Security

Foundation 4: Threat Modeling

Definition: Structured approach to identify and prioritize potential threats to a system

Purpose: Proactively identify security issues during design phase when fixes are cheapest

Benefits:

• Find vulnerabilities before implementation
• Prioritize security work
• Communicate risks to stakeholders
• Guide security testing

Common Methodologies:

STRIDE (Microsoft):

• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

PASTA (Process for Attack Simulation and Threat Analysis):

• Seven-stage risk-centric methodology
• Aligns business objectives with technical requirements

VAST (Visual, Agile, and Simple Threat modeling):

• Scalable for agile development
• Two types: application threat models and operational threat models

Application: Use threat modeling for new features, architecture changes, or security reviews.

Sources:

• Threat Modeling - OWASP
• STRIDE Threat Model - Microsoft

Foundation 5: MITRE ATT&CK Framework

Description: Knowledge base of adversary tactics and techniques based on real-world observations

Purpose: Understand how attackers operate to inform defense, detection, and threat hunting

Structure:

• Tactics: High-level goals (e.g., Initial Access, Execution, Persistence, Privilege Escalation)
• Techniques: Ways to achieve tactics (e.g., Phishing, Exploiting Public Applications)
• Sub-techniques: Specific implementations
• Procedures: Specific attacker behaviors

14 Tactics (Enterprise Matrix):

1. Reconnaissance
2. Resource Development
3. Initial Access
4. Execution
5. Persistence
6. Privilege Escalation
7. Defense Evasion
8. Credential Access
9. Discovery
10. Lateral Movement
11. Collection
12. Command and Control
13. Exfiltration
14. Impact

Application:

• Map defensive controls to ATT&CK techniques
• Identify detection gaps
• Threat intelligence sharing
• Red team/purple team exercises

Value: Common language for describing attacker behavior; basis for threat-informed defense

Sources:

• MITRE ATT&CK
• ATT&CK Navigator

---

Core Analytical Frameworks (Expandable)

Framework 1: Attack Surface Analysis

Definition: Identification and assessment of all points where unauthorized user could enter or extract data from system

Components:

Attack Surface Elements:

• Network attack surface: Exposed ports, services, protocols
• Software attack surface: Applications, APIs, web interfaces
• Human attack surface: Users, administrators, social engineering targets
• Physical attack surface: Facility access, hardware access

Attack Vectors: Methods attackers use to exploit attack surface

• Network-based: Port scanning, protocol exploits, man-in-the-middle
• Web-based: SQL injection, XSS, CSRF, authentication bypass
• Email-based: Phishing, malicious attachments, credential harvesting
• Physical: Theft, unauthorized access, evil maid attacks
• Social engineering: Pretexting, baiting, tailgating

Analysis Process:

1. Enumerate: List all entry points and assets
2. Classify: Categorize by type and criticality
3. Assess: Evaluate exploitability and impact
4. Prioritize: Rank by risk
5. Reduce: Minimize unnecessary exposure

Metrics:

• Number of exposed services
• Number of internet-facing applications
• Number of privileged accounts
• Lines of code exposed to untrusted input

Application: Reducing attack surface is fundamental defensive strategy. Eliminate unnecessary exposure.

Sources:

• Attack Surface Analysis - OWASP
• Reducing Attack Surface - Microsoft

Framework 2: Risk Assessment Frameworks

Purpose: Quantify and prioritize security risks to guide resource allocation

Common Frameworks:

CVSS (Common Vulnerability Scoring System):

• Standard for assessing vulnerability severity
• Score 0-10 based on exploitability, impact, scope
• Base score (intrinsic characteristics) + temporal + environmental scores
• Widely used but criticized for not capturing actual risk in specific contexts

FAIR (Factor Analysis of Information Risk):

• Quantitative risk framework
• Risk = Loss Event Frequency × Loss Magnitude
• Enables cost-benefit analysis of security investments
• More complex but provides dollar-denominated risk figures

NIST Risk Management Framework (RMF):

• Seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
• Links security controls to risk management
• Used by U.S. federal agencies

Qualitative vs. Quantitative:

• Qualitative: High/Medium/Low risk ratings (simpler, faster, subjective)
• Quantitative: Numerical risk values (complex, objective, requires data)

Application: Risk assessment informs prioritization. Not all vulnerabilities are equally important—focus on highest risks.

Sources:

• CVSS
• FAIR Institute
• NIST RMF

Framework 3: Security Control Frameworks

Purpose: Structured set of security controls to achieve security objectives

Major Frameworks:

NIST Cybersecurity Framework:

• Five core functions: Identify, Protect, Detect, Respond, Recover
• Not prescriptive—flexible for different organizations
• Widely adopted across industries and internationally

NIST SP 800-53 (Security and Privacy Controls):

• Comprehensive catalog of security controls for federal systems
• 20 control families (Access Control, Incident Response, etc.)
• Detailed implementation guidance

CIS Controls (Center for Internet Security):

• 18 prioritized security controls
• Implementation groups (IG1, IG2, IG3) based on organizational maturity
• Actionable and measurable

ISO/IEC 27001:

• International standard for information security management systems
• 14 control domains, 114 controls
• Certification available

Application: Use frameworks to:

• Ensure comprehensive coverage
• Benchmark security posture
• Communicate with stakeholders
• Meet compliance requirements

Sources:

• NIST Cybersecurity Framework
• CIS Controls
• ISO 27001

Framework 4: Incident Response Lifecycle

Definition: Structured approach to handling security incidents

Standard Model (NIST SP 800-61):

Phase 1: Preparation

• Establish IR capability, tools, playbooks
• Training and exercises
• Communication plans

Phase 2: Detection and Analysis

• Monitoring and alerting
• Incident classification and prioritization
• Initial investigation
• Scope determination

Phase 3: Containment, Eradication, and Recovery

• Containment: Stop spread (short-term and long-term)
• Eradication: Remove threat from environment
• Recovery: Restore systems to normal operation

Phase 4: Post-Incident Activity

• Lessons learned
• Evidence preservation
• Incident report
• Process improvement

Key Concepts:

• Playbooks: Predefined procedures for common incident types
• Indicators of Compromise (IoCs): Artifacts indicating malicious activity
• Chain of custody: Evidence handling procedures
• Communication: Internal and external stakeholders, legal, PR

Metrics:

• Mean Time to Detect (MTTD)
• Mean Time to Respond (MTTR)
• Mean Time to Contain (MTTC)

Application: Effective incident response minimizes damage, reduces recovery time, and captures learning.

Sources:

• NIST SP 800-61: Computer Security Incident Handling Guide
• SANS Incident Response

Framework 5: Secure Development Lifecycle (SDL)

Purpose: Integrate security into software development process

Microsoft SDL Phases:

1. Training: Security training for developers
2. Requirements: Define security requirements and privacy requirements
3. Design: Threat modeling, attack surface reduction, defense in depth
4. Implementation: Secure coding standards, code analysis tools
5. Verification: Security testing (SAST, DAST, penetration testing)
6. Release: Final security review, incident response plan
7. Response: Execute incident response plan if vulnerability discovered

Key Practices:

• Static Analysis (SAST): Analyze source code for vulnerabilities
• Dynamic Analysis (DAST): Test running application
• Dependency Scanning: Check third-party libraries for known vulnerabilities
• Penetration Testing: Simulate real attacks
• Security Champions: Embed security expertise in development teams

OWASP SAMM (Software Assurance Maturity Model):

• Maturity model for secure software development
• Five business functions: Governance, Design, Implementation, Verification, Operations
• Three maturity levels for each function

Application: Security must be integrated throughout development lifecycle, not just at the end.

Sources:

• Microsoft SDL
• OWASP SAMM

---

Methodological Approaches (Expandable)

Method 1: Threat Intelligence Analysis

Purpose: Understand adversaries, their capabilities, tactics, and targets to inform defense

Types of Threat Intelligence:

Strategic: High-level trends for executives

• APT group activity and motivations
• Geopolitical cyber threats
• Industry-specific threat landscape

Operational: Campaign-level information for security operations

• Current attack campaigns
• Threat actor TTPs
• Malware families

Tactical: Technical indicators for immediate defense

• IP addresses, domains, file hashes
• YARA rules, Snort signatures
• CVEs being exploited

Analytical Process:

1. Collection: Gather data from internal sources, threat feeds, OSINT, dark web
2. Processing: Normalize, correlate, deduplicate
3. Analysis: Contextualize, attribute, assess intent and capability
4. Dissemination: Share with relevant teams in actionable format
5. Feedback: Assess effectiveness and refine

Frameworks:

• Diamond Model: Adversary, Capability, Infrastructure, Victim
• Kill Chain: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives
• MITRE ATT&CK: Map observed techniques to ATT&CK matrix

Application: Threat intelligence enables proactive, threat-informed