Mapping a Curriculum to the NICE Cybersecurity Workforce Framework

Here’s a scenario: a cybersecurity analyst might have to respond to a network that has been compromised by sophisticated malware evading traditional security measures. The analyst would need to quickly detect and analyze the attack, identify the type of malware, and develop and implement a response plan to contain and mitigate the damage.

That’s a lot to unravel to ensure someone is competently trained to handle the challenge above.

Enter the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, which provides a comprehensive and detailed description of expected cybersecurity workforce roles, including the cyber defense analyst role (in other words, a cybersecurity analyst). The framework describes the skills, knowledge, and abilities required for individuals in a given role to detect, analyze, and respond to cyber threats and attacks on computer networks and systems. 

Ultimately, it helps to establish a common understanding of what a role entails, which can facilitate workforce development, training, and recruitment efforts in the field of cybersecurity. More specifically, the KSAs (Knowledge Skills, Abilities) can be found here. 

So why did we choose it over the CompTIA Security+ objectives? Here’s our take on why:

1. Comprehensive: The NICE framework provides a comprehensive and structured approach to cybersecurity workforce development. It covers a wide range of KSAs that are required for various cybersecurity roles, including cyber defense analysts.
2. Role-Based: The NICE framework is role-based, meaning it defines the KSAs required for specific cybersecurity roles. This approach helps individuals and organizations understand the specific skills and competencies required for different cybersecurity roles and helps ensure that the right people are in the right jobs.
3. Standardized: The NICE framework is a standardized way of describing cybersecurity roles and the associated KSAs. This helps ensure that individuals and organizations have a common understanding of what is required for different cybersecurity roles.

The competencies within the KSAs can be summarized below:

1. Threat Analysis: The ability to identify and analyze potential threats to an organization's information systems and networks.
2. Incident Response: The ability to respond to cybersecurity incidents, including detecting, investigating, and mitigating security breaches.
3. Vulnerability Assessment and Management: The ability to assess and manage vulnerabilities in an organization's information systems and networks.
4. Cyber Defense: The ability to develop and implement security measures to defend an organization's information systems and networks against cyber attacks.
5. Information Assurance: The ability to ensure the confidentiality, integrity, and availability of an organization's information systems and networks.
6. Risk Management: The ability to identify and assess risks to an organization's information systems and networks, and develop strategies to mitigate those risks.
7. Communication: The ability to communicate effectively with technical and non-technical stakeholders regarding cybersecurity issues and solutions.

Let’s go back to that scenario now.

In the opening scenario, the NICE Cybersecurity Workforce Framework can help ensure that an analyst trained using this framework has the necessary skills and knowledge to effectively respond to the attack. The framework outlines several key competencies we can expand upon further that are required for the cyber defense analyst role in this scenario, including:

1. Threat Analysis and Intelligence: The analyst should be able to identify and analyze threats to the company's network and systems, and develop strategies to mitigate those threats.
2. Incident Response: The analyst should be able to quickly respond to security incidents, contain the damage, and develop and implement a response plan.
3. Network Defense: The analyst should have a deep understanding of network architecture and protocols, and be able to implement effective security measures to protect the company's network.
4. Cybersecurity Tools: The analyst should be proficient in using cybersecurity tools, such as intrusion detection systems and firewalls, to monitor and protect the company's network.

Using this framework, a cyber defense analyst would be trained to approach the malware attack in a systematic and effective way. They would use their skills and knowledge to detect and analyze the attack, identify the type of malware, and develop a response plan that includes containing the attack and mitigating the damage. They would also use their knowledge of network defense and cybersecurity tools to implement effective security measures to prevent future attacks.

So what does this look like in the course? 

Well here’s a breakdown of two of our labs as a result of our mapping content to the framework using our experience in the field to ensure relativity:

Lab 1 - Introduction to the Elastic Stack (ELK)

Description:

It helps learners to get familiar with the three components of ELK, namely Elastic, Logstash, and Kibana. The lab content focuses on using Kibana to query the Elastic database and output data in a usable format. 

Learning Objectives:

The learning objectives are to understand the layout of ELK, generate basic queries, and visualizations. By the end of the lab, learners should be able to interact with Kibana to query the Elastic database, filter results using key-value pairs, and specify a time range. 

Competencies:

The competencies developed include data querying, filtering, and visualization. It helps learners develop competencies in analyzing logs and detecting threats to protect and defend systems.

NICE Mapping:

The lab is relevant to the NICE framework page provided earlier as it falls under the "Protect and Defend" category, particularly in the Cyber Defense Analysis (CDA) specialty area.

Lab 2 - Windows Security

Description:

Understand how to use the Sysinternals suite to detect potentially malicious applications running on a Windows system using tools such as Autoruns, Sigcheck, and TCPView. 

Learning Objectives:

The learning objectives of the lab are to teach users how to identify potentially malicious applications running on a Windows system by: Using Autoruns to identify services and scheduled tasks that start up when the computer boots, filter out Windows-related entries, and identify suspicious entries, using Sigcheck to verify the signature of a binary and determine its validity, and using TCPView to show which network sockets are open on the computer including listening ports and established connections.

Competencies:

This lab helps develop the technical skills and knowledge needed for cybersecurity professionals, particularly in the areas of malware detection and analysis, system monitoring and analysis, and network security. It also emphasizes the importance of understanding and using security tools to secure Windows systems.

NICE Mapping:

The lab is relevant to the NICE Framework particularly in the Protect and Defend category, which includes the skills needed to identify cybersecurity threats and vulnerabilities, develop and implement safeguards, and identify suspicious network activities. 

Want to learn more? Check out our free 12 hour Cybersecurity Foundations course that comes with five challenging assessments and a digital badge to earn upon passing them!