Cyberspace Effects

Personnel who plan, support, and execute cyberspace capabilities where the primary purpose is to externally defend or conduct force projection in or through cyberspace.



Below are the associated Work Roles, each with its Core and Additional KSATs (Knowledge, Skills, Abilities, and Tasks). Items denoted by a * are CORE KSATs for every Work Role; the other CORE KSATs vary by Work Role.
Cyber Operations Planner Work Role ID: 332 (NIST: CO-PL-002) Workforce Element: Cyberspace Effects

Develops detailed plans for the conduct or support of the applicable range of cyber operations through collaboration with other planners, operators and/or analysts. Participates in targeting selection, validation, synchronization, and enables integration during the execution of cyber actions.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
52

Knowledge of human-computer interaction principles.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
264

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge
1056

Knowledge of operations security.

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2009

Provide input to the analysis, design, development or acquisition of capabilities used for meeting objectives.

Task
2032

Apply expertise in policy and processes to facilitate the development, negotiation, and internal staffing of plans and/or memorandums of agreement.

Task
2052

Assess target vulnerabilities and/or operational capabilities to determine course of action.

Task
2073

Provide input to the identification of cyber-related success criteria.

Task
2130

Develop, review and implement all levels of planning guidance in support of cyber operations.

Task
2159

Contribute to crisis action planning for cyber operations.

Task
2180

Coordinate with intelligence and cyber defense partners to obtain relevant essential information.

Task
2192

Use intelligence estimates to counter potential target actions.

Task
2265

Develop and maintain deliberate and/or crisis plans.

Task
2266

Develop and review specific cyber operations guidance for integration into broader planning activities.

Task
2272

Develop cyber operations plans and guidance to ensure that execution and resource allocation decisions align with organization objectives.

Task
2308

Develop or participate in the development of standards for providing, requesting, and/or obtaining support from external partners to synchronize cyber operations.

Task
2310

Develop potential courses of action.

Task
2327

Develop, implement, and recommend changes to appropriate planning procedures and policies.

Task
2331

Devise, document, and validate cyber operation strategy, and planning documents.

Task
2365

Ensure operational planning efforts are effectively transitioned to current operations.

Task
2416

Facilitate interactions between internal and external partner decision makers to synchronize and integrate courses of action in support of objectives.

Task
2422

Gather and analyze data (e.g., measures of effectiveness) to determine effectiveness, and provide reporting for follow-on activities.

Task
2424

Incorporate cyber operations and communications security support plans into organization objectives.

Task
2524

Integrate cyber planning/targeting efforts with other organizations.

Task
2528

Interpret environment preparations assessments to determine a course of action.

Task
2529

Issue requests for information.

Task
2530

Knowledge and understanding of operational design.

Knowledge
2531

Knowledge of organizational planning concepts.

Knowledge
2564

Maintain situational awareness to determine if changes to the operating environment require review of the plan.

Task
2590

Monitor and evaluate integrated cyber operations to identify opportunities to meet organization objectives.

Task
2626

Provide subject matter expertise to planning efforts with internal and external cyber operations partners.

Task
2702

Prepare for and provide subject matter expertise to exercises.

Task
2746

Provide input for the development and refinement of the cyber operations objectives, priorities, strategies, plans, and programs.

Task
2752

Provide input to the administrative and logistical elements of an operational support plan.

Task
2761

Provide planning support between internal and external partners.

Task
2778

Recommend refinement, adaption, termination, and execution of operational plans as appropriate.

Task
2816

Review, approve, prioritize, and submit operational requirements for research, development, and/or acquisition of cyber capabilities.

Task
2837

Submit or respond to requests for deconfliction of cyber operations.

Task
2888

Document lessons learned that convey the results of events and/or exercises.

Task
3001

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.

Ability
3003

Ability to adjust to and operate in a diverse, unpredictable, challenging, and fast-paced work environment.

Ability
3011

Ability to apply critical reading/thinking skills.

Ability
3015

Ability to apply approved planning development and staffing processes.

Ability
3021

Ability to collaborate effectively with others.

Ability
3022

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability
3033

Ability to coordinate cyber operations with other organization functions or support activities.

Ability
3040

Ability to develop or recommend planning solutions to problems and situations for which no precedent exists.

Ability
3041

Ability to effectively collaborate via virtual teams.

Ability
3044

Ability to exercise judgment when policies are not well-defined.

Ability
3048

Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—in order to leverage analytical and technical expertise.

Ability
3057

Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.

Ability
3060

Ability to interpret and understand complex and rapidly evolving concepts.

Ability
3066

Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.

Ability
3076

Ability to tailor technical and planning information to a customer’s level of understanding.

Ability
3095

Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

Knowledge
3098

Knowledge of virtualization products (VMware, Virtual PC).

Knowledge
3106

Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).

Knowledge
3107

Knowledge of a wide range of concepts associated with websites (e.g., website types, administration, functions, software systems, etc.).

Knowledge
3129

Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).

Knowledge
3154

Knowledge of classification and control markings standards, policies and procedures.

Knowledge
3155

Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge
3159

Knowledge of cyber operations support or enabling processes.

Knowledge
3173

Knowledge of operational effectiveness assessment.

Knowledge
3177

Knowledge of common computer/network infections (virus, Trojan, etc.) and methods of infection (ports, attachments, etc.).

Knowledge
3188

Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

Knowledge
3194

Knowledge of crisis action planning and time sensitive planning procedures.

Knowledge
3211

Knowledge of cyber laws and legal considerations and their effect on cyber planning.

Knowledge
3215

Knowledge of cyber actions (i.e. cyber defense, information gathering, environment preparation, cyber attack) principles, capabilities, limitations, and effects.

Knowledge
3225

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge
3235

Knowledge of deconfliction processes and procedures.

Knowledge
3257

Knowledge of target and threat organization structures, critical capabilities, and critical vulnerabilities.

Knowledge
3262

Knowledge of evolving/emerging communications technologies.

Knowledge
3264

Knowledge of existing, emerging, and long-range issues related to cyber operations strategy, policy, and organization.

Knowledge
3268

Knowledge of staff management, assignment, and allocation processes.

Knowledge
3274

Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber attack, cyber defense), principles, capabilities, limitations, and effects.

Knowledge
3275

Knowledge of fundamental cyber concepts, principles, limitations, and effects.

Knowledge
3291

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).

Knowledge
3292

Knowledge of how modern digital and telephony networks impact cyber operations.

Knowledge
3326

Knowledge of information security concepts, facilitating technologies and methods.

Knowledge
3358

Knowledge of organizational hierarchy and cyber decision making processes.

Knowledge
3374

Knowledge of malware.

Knowledge
3388

Knowledge of crisis action planning for cyber operations.

Knowledge
3391

Knowledge of objectives, situation, operational environment, and the status and disposition of internal and external partner collection capabilities available to support planning.

Knowledge
3441

Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.

Knowledge
3444

Knowledge of planning activity initiation.

Knowledge
3445

Knowledge of planning timelines (adaptive, crisis action, and time-sensitive planning).

Knowledge
3459

Knowledge of the functions and capabilities of internal teams that emulate threat activities to benefit the organization.

Knowledge
3539

Knowledge of telecommunications fundamentals.

Knowledge
3543

Knowledge of the basic structure, architecture, and design of modern communication networks.

Knowledge
3545

Knowledge of the basics of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge
3554

Knowledge of the critical information requirements and how they’re used in planning.

Knowledge
3561

Knowledge of the common networking and routing protocols (e.g., TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Knowledge
3570

Knowledge of the organizational structure as it pertains to full spectrum cyber operations, including the functions, responsibilities, and interrelationships among distinct internal elements.

Knowledge
3585

Knowledge of accepted organization planning systems.

Knowledge
3591

Knowledge of organization objectives, leadership priorities, and decision-making risks.

Knowledge
3601

Knowledge of the outputs of course of action and exercise analysis.

Knowledge
3605

Knowledge of the information environment.

Knowledge
3606

Knowledge of the process used to assess the performance and impact of operations.

Knowledge
3609

Knowledge of the range of cyber operations and their underlying intelligence support needs, topics, and focus areas.

Knowledge
3610

Knowledge of the relationships between end states, objectives, effects, lines of operation, etc.

Knowledge
3613

Knowledge of the role of network operations in supporting and facilitating other organization operations.

Knowledge
3616

Knowledge of the structure, architecture, and design of modern digital and telephony networks.

Knowledge
3627

Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.

Knowledge
3630

Knowledge of the ways in which targets or threats use the Internet.

Knowledge
3639

Knowledge of organization cyber operations programs, strategies, and resources.

Knowledge
3651

Knowledge of what constitutes a “threat” to a network.

Knowledge
3659

Knowledge of wireless technologies (e.g., cellular, satellite, GSM) to include the basic structure, architecture, and design of modern wireless communications systems.

Knowledge
3665

Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.

Skill
3681

Skill in applying analytical methods typically employed to support planning and to justify recommended strategies and courses of action.

Skill
3685

Skill in applying crisis planning procedures.

Skill
3747

Skill in developing and executing comprehensive cyber operations assessment programs for assessing and validating operational performance characteristics.

Skill
3766

Skill in documenting and communicating complex technical and programmatic information.

Skill
3772

Skill in evaluating information for reliability, validity, and relevance.

Skill
3844

Skill in preparing and presenting briefings.

Skill
3845

Skill in preparing plans and related correspondence.

Skill
3879

Skill in reviewing and editing plans.

Skill
3938

Skill in utilizing feedback in order to improve processes, products, and services.

Skill
3946

Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).

Skill
3967

Skill to anticipate key target or threat activities which are likely to prompt a leadership decision.

Skill
4023

Skill to graphically depict decision support materials containing intelligence and partner capability estimates.

Skill
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
2058

Assist and advise inter-agency partners in identifying and developing best practices for facilitating operational support to achievement of organization objectives.

Task
2160

Contribute to the development of the organization’s decision support tools if necessary.

Task
2237

Determine indicators (e.g., measures of effectiveness) that are best suited to specific cyber operation objectives.

Task
2368

Ensure that intelligence planning activities are integrated and synchronized with operational planning timelines.

Task
2386

Evaluate intelligence estimates to support the planning cycle.

Task
2459A

Identify cyber intelligence gaps and shortfalls.

Task
2558

Maintain relationships with internal and external partners involved in cyber planning or related areas.

Task
2561

Maintain situational awareness of cyber-related intelligence requirements and associated tasking.

Task
2562

Maintain situational awareness of partner capabilities and activities.

Task
2624

Conduct long-range, strategic planning efforts with internal and external partners in cyber activities.

Task
3054

Ability to identify external partners with common cyber operations interests.

Ability
3114

Knowledge of all forms of intelligence support needs, topics, and focus areas.

Knowledge
3271

Knowledge of internal and external partner cyber operations capabilities and tools.

Knowledge
3293

Knowledge of how modern wireless communications systems impact cyber operations.

Knowledge
3342

Knowledge of intelligence support to planning, execution, and assessment.

Knowledge
3356

Knowledge of organization policies and planning concepts for partnering with internal and/or external organizations.

Knowledge
3419

Knowledge of organization or partner exploitation of digital networks.

Knowledge
3463

Knowledge of required intelligence planning products associated with cyber operational planning.

Knowledge
3489

Knowledge of organizational structures and associated intelligence capabilities.

Knowledge
3571

Knowledge of the organizational planning and staffing process.

Knowledge
3572

Knowledge of organization decision support tools and/or methods.

Knowledge
3607

Knowledge of the processes to synchronize operational assessment procedures with the critical information requirement process.

Knowledge
3615

Knowledge of the structure and intent of organization specific plans, guidance and authorizations.

Knowledge
3638

Knowledge of organization issues, objectives, and operations in cyber as well as regulations and policy directives governing cyber operations.

Knowledge
3976

Skill to apply the process used to assess the performance and impact of cyber operations.

Skill
3998

Skill to craft indicators of operational progress/success.

Skill
4008

Skill to distinguish between notional and actual resources and their applicability to the plan under development.

Skill
4058

Skill to synchronize operational assessment procedures with the critical information requirement process.

Skill
4451

Knowledge of full-spectrum cyberspace operational missions (e.g., DODIN Operations, DCO, OCO, cyberspace ISR, and Operational Preparation of the Environment (OPE)), principles, capabilities, limitations, and effects.

KSA
4471

Knowledge of intelligence/SIGINT reporting and dissemination procedures.

KSA
8069

Develop cyberspace operations TTPs for integration into operational and tactical levels of planning.

Task
Cyberspace Operator Work Role ID: 322 (NIST: N/A) Workforce Element: Cyberspace Effects

Cyberspace Operators use a wide range of software applications for network navigation, tactical forensic analysis, surveillance and reconnaissance, and executing on-net operations in support of offensive cyberspace operations when directed.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
4191

Ability to apply tradecraft to minimize risk of detection, mitigate risk, and minimize creation of behavioral signature.

Ability
4199

Ability to characterize a target admin/user’s technical abilities, habits, and skills.

Ability
4204

Ability to communicate operational plans and actions and provide feedback regarding OPSEC and tradecraft during mission pre-brief.

Ability
4213

Ability to conduct open source research.

Ability
4219

Ability to construct a course of action using available exploitation tools and techniques.

Ability
4222

Ability to continually research and develop new tools/techniques.

Ability
4229

Ability to create rules and filters (e.g., Berkeley Packet Filter, Regular Expression).

Ability
4243

Ability to ensure collected data is transferred to the appropriate storage locations.

Ability
4244

Ability to enumerate a network.

Ability
4248

Ability to enumerate user permissions and privileges.

Ability
4249

Ability to evade or counter security products or host based defenses.

Ability
4261

Ability to exploit vulnerabilities to gain additional access.

Ability
4263

Ability to extract credentials from hosts.

Ability
4271

Ability to identify capability gaps (e.g., insufficient tools, training, or infrastructure).

Ability
4276

Ability to identify files containing information critical to operational objectives.

Ability
4278

Ability to identify legal, policy, and technical limitations when conducting cyberspace operations.

Ability
4279

Ability to identify logging capabilities on host.

Ability
4285

Ability to identify what tools or Tactics, Techniques, and Procedures (TTPs) are applicable to a given situation.

Ability
4292

Ability to improve the performance of cyberspace operators by providing constructive (positive and negative) feedback.

Ability
4293

Ability to install/modify/uninstall tools on target systems in accordance with current policies and procedures.

Ability
4296

Ability to interpret device configurations.

Ability
4297

Ability to interpret technical materials such as RFCs and technical manuals.

Ability
4298

Ability to maintain situational awareness of target environment.

Ability
4305

Ability to model a simulated environment to conduct mission rehearsal and mitigate risk of actions taken during operations.

Ability
4308

Ability to operate automated systems to interact with target environment.

Ability
4324

Ability to perform masquerade operations.

Ability
4325

Ability to perform privilege escalation.

Ability
4327

Ability to persist access to a target.

Ability
4330

Ability to plan, brief, execute, and debrief a mission.

Ability
4334

Ability to promote and enable organizational change.

Ability
4335

Ability to provide advice and guidance to various stakeholders regarding technical issues, capabilities, and approaches.

Ability
4336

Ability to provide feedback to developers if a tool requires continued development.

Ability
4340

Ability to provide technical leadership within an organization.

Ability
4341

Ability to read, write, modify, and execute compiled languages (e.g., C).

Ability
4342

Ability to recognize and extract salient information from large data sets (e.g., critical information, anomalies).

Ability
4343

Ability to recognize and report mistakes or poor tradecraft to appropriate leadership in accordance with Standard Operating Procedures (SOPs).

Ability
4344

Ability to recognize and respond appropriately to Non-Standard Events.

Ability
4345

Ability to redirect and tunnel through target systems.

Ability
4346

Ability to remediate indicators of compromise.

Ability
4347

Ability to research non-standards within a project.

Ability
4350

Ability to retrieve historical operational and open-source data to analyze compatibility with approved capabilities.

Ability
4359

Ability to train other cyberspace operators.

Ability
4361

Ability to troubleshoot technical problems.

Ability
4367

Ability to use core toolset (e.g., implants, remote access tools).

Ability
4369

Ability to use dynamic analysis tools (e.g., process monitor, process explorer, and registry analysis).

Ability
4370

Ability to use enterprise tools to enumerate target information.

Ability
4378

Ability to verify file integrity for both uploads and downloads.

Ability
4379

Ability to weaken a target to facilitate/enable future access.

Ability
4380

Ability to write and modify markup languages (e.g., HTML, XML).

Ability
4381

Ability to write and modify source code (e.g., C).

Ability
4388

Knowledge of access control models (Role Based Access Control, Attribute Based Access Control).

Knowledge
4391

Knowledge of advanced redirection techniques.

Knowledge
4393

Knowledge of appropriate/inappropriate information to include in operational documentation (e.g., OPNOTES, technical summaries, action maps, etc.).

Knowledge
4395

Knowledge of basic client software applications and their attack surfaces.

Knowledge
4396

Knowledge of basic cloud-based technologies and concepts.

Knowledge
4399

Knowledge of basic Embedded Systems concepts.

Knowledge
4402

Knowledge of basic redirection techniques (e.g., iptables, SSH tunneling, netsh).

Knowledge
4403

Knowledge of basic server software applications and their attack surfaces.

Knowledge
4404

Knowledge of code injection and its employment in cyberspace operations.

Knowledge
4414

Knowledge of common network administration best practices and the impact to operations.

Knowledge
4419

Knowledge of credential sources and restrictions related to credential usage.

Knowledge
4437

Knowledge of device reboots, including when they occur and their impact on tool functionality.

Knowledge
4444

Knowledge of evolving technologies.

Knowledge
4447

Knowledge of factors that would suspend or abort an operation.

Knowledge
4458

Knowledge of historical data relating to particular targets and projects prior to an operation, to include reviewing TECHSUMs, previous OPNOTEs, etc.

Knowledge
4463

Knowledge of how computer programs are executed.

Knowledge
4464

Knowledge of how host-based security products, logging, and malware may affect tool functionality.

Knowledge
4465

Knowledge of how other actors may affect operations.

Knowledge
4466

Knowledge of how race conditions occur and can be employed to compromise shared resources.

Knowledge
4482

Knowledge of malware triage.

Knowledge
4485

Knowledge of methods and procedures for sending a payload via an existing implant.

Knowledge
4486

Knowledge of methods, strategies, and techniques of evading detection while conducting operations, such as noise, stealth, situational awareness, etc.

Knowledge
4487

Knowledge of methods, tools, and procedures for collecting information, including accessing databases and file systems.

Knowledge
4488

Knowledge of methods, tools, and procedures for exploiting target systems.

Knowledge
4489

Knowledge of methods, tools, and techniques used to determine the path to a target host/network (e.g., identify satellite hops).

Knowledge
4496

Knowledge of models for examining cyber threats (e.g., cyber kill chain, MITRE ATT&CK).

Knowledge
4498

Knowledge of modes of communication used by a target, such as cable, fiber optic, satellite, microwave, VSAT, or combinations of these.

Knowledge
4502

Knowledge of open source tactics that enable initial access (e.g., social engineering, phishing).

Knowledge
4503

Knowledge of operating system command shells and configuration data.

Knowledge
4505

Knowledge of operational infrastructure.

Knowledge
4508

Knowledge of operational security, logging, admin concepts, and troubleshooting.

Knowledge
4510

Knowledge of password cracking techniques.

Knowledge
4519

Knowledge of process migration.

Knowledge
4540

Knowledge of system administration concepts for distributed or managed operating environments.

Knowledge
4541

Knowledge of system administration concepts for stand-alone operating systems.

Knowledge
4542

Knowledge of system calls.

Knowledge
4552

Knowledge of the components of an authentication system.

Knowledge
4553

Knowledge of the concept of an advanced persistent threat (APT).

Knowledge
4563

Knowledge of the location and use of tool documentation.

Knowledge
4564

Knowledge of the methods and procedures for communicating with tools/modules, including the use of listening posts.

Knowledge
4565

Knowledge of the methods of persistence.

Knowledge
4567

Knowledge of the Mission Improvement Process.

Knowledge
4571

Knowledge of the Plan, Brief, Execute, and Debrief process.

Knowledge
4581

Knowledge of the tactics development process.

Knowledge
4586

Knowledge of threats to OPSEC when installing, using, modifying, and uninstalling tools.

Knowledge
4587

Knowledge of the tool release/testing process.

Knowledge
4593

Knowledge of VPNs, their purpose, and how they can be leveraged.

Knowledge
4628

Skill in enumerating a host (e.g., file systems, host metadata, host characteristics).

Skill
4641

Skill in manipulating firewall/host based security configuration and rulesets.

Skill
4663

Skill in retrieving memory resident data.

Skill
4670

Skill in transferring files to target devices (e.g., scp, tftp, http, ftp).

Skill
4674

Skill in using network enumeration and analysis tools, both active and passive.

Skill
8001

Advise leadership on operational tradecraft, emerging technology, and technical health of the force.

Task
8015

Approve remediation actions.

Task
8017

As authorized, train cyberspace operators at one’s certification level or below.

Task
8020

Assess the technical health of the cyberspace operator work role.

Task
8021

Assess, recommend, and evaluate remediation actions.

Task
8030

Conduct cyber activities to deny, degrade, disrupt, destroy, and manipulate (D4M).

Task
8037

Conduct post-mission actions.

Task
8039

Conduct pre-mission actions.

Task
8040

Conduct pre-operation research and prep.

Task
8052

Create/normalize/document/evaluate TTPs in cyberspace operations.

Task
8067

Develop and/or inform risk assessments.

Task
8071

Develop Operational Training Solutions.

Task
8073

Develop remediation actions.

Task
8074

Develop risk assessments for non-standard events and ad hoc tradecraft.

Task
8083

Employ collection TTPs in cyberspace operations.

Task
8084

Employ credential access TTPs in cyberspace operations.

Task
8086

Employ discovery TTPs in cyberspace operations.

Task
8087

Employ exfiltration TTPs in cyberspace operations.

Task
8088

Employ lateral movement TTPs in cyberspace operations.

Task
8089

Employ TTPs in categories at one’s certification level or below.

Task
8097

Evaluate cyberspace operator performance at one’s certification level or below.

Task
8112

Identify targets of opportunity in order to influence operational planning.

Task
8113

Identify the appropriate operating authorities and guidance.

Task
8130

Maintain operational and technical situational awareness during operations.

Task
8158

Produce strategy to inform commander’s decision making process.

Task
8167

Provide input to mission debrief.

Task
8168

Provide input to operational policy.

Task
8169

Provide input to post mission planning.

Task
8170

Provide input to pre-mission planning.

Task
8174

Provide oversight of operations.

Task
8175

Provide quality control of operations and cyberspace operator products at one’s certification level or below.

Task
8181

Recognize and respond to indicators of compromise (IOC).

Task
8183

Recognize and respond to events that change risk.

Task
8184

Record and document activities during cyberspace operations.

Task
8192

Steward the cyberspace operator work role.

Task
8197

Train cyberspace operators at their certified level or below.

Task
Digital Network Exploitation Analyst Work Role ID: 122 (NIST: N/A) Workforce Element: Cyberspace Effects

The DNEA analyzes intercepted intelligence information for metadata and content. They use this data to reconstruct and document target networks to judge the intelligence value and maintain target continuity. DNEAs understand and analyze target implementation of communication technologies and digital network systems. They discover methods and suggest strategies to exploit specific target networks, computer systems, or specific hardware and/or software.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
4396

Knowledge of basic cloud-based technologies and concepts.

Knowledge
4399

Knowledge of basic Embedded Systems concepts.

Knowledge
4401

Knowledge of basic reconnaissance activity concepts and techniques (footprinting, scanning, and enumeration).

Knowledge
4420

Knowledge of Critical Intelligence Communication (CRITIC) identification and reporting process.

Knowledge
4423

Knowledge of cryptologic and SIGINT reporting and dissemination procedures.

Knowledge
4428

Knowledge of cybersecurity concepts and principles.

Knowledge
4431

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge
4460

Knowledge of how and when to request assistance from the Cryptanalysis and Signals Analysis and/or CNO.

Knowledge
4470

Knowledge of intelligence sources and their characteristics.

Knowledge
4490

Knowledge of methods, tools, sources, and techniques used to research, integrate and summarize all-source information pertaining to target.

Knowledge
4523

Knowledge of quality review process and procedures.

Knowledge
4533

Knowledge of SIGINT laws and directives.

Knowledge
4539

Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model).

Knowledge
4570

Knowledge of the overall mission of the Cyber Mission Forces (CMF).

Knowledge
4578

Knowledge of the specific missions for CMF (i.e., Cyber Mission Teams (CMT), National Mission Teams (NMT), Combat Support Team (CST), National Support Team (NST), Cyber Protection Team (CPT)).

Knowledge
4582

Knowledge of the U.S. Cryptologic Systems authorities, responsibilities, and contributions to the cyberspace operations mission.

Knowledge
4601

Skill in analyzing endpoint collection data.

Skill
4620

Skill in developing and maintaining target profiles.

Skill
4631

Skill in geolocating targets.

Skill
4643

Skill in operational use of raw collection databases.

Skill
4645

Skill in performing data fusion from all-source intelligence for geospatial analysis.

Skill
4646

Skill in performing data fusion from all-source intelligence for network analysis and reconstruction (e.g., Single Table Inheritance (STIs), network maps).

Skill
4647

Skill in performing data fusion from all-source intelligence.

Skill
4651

Skill in providing feedback to enhance future collection and analysis.

Skill
4656

Skill in recognizing exploitation opportunities.

Skill
4659

Skill in recognizing the value of survey data.

Skill
4667

Skill in selector normalization.

Skill
4669

Skill in targeting (e.g., selectors).

Skill
8011

Apply and/or develop analytic techniques to provide better intelligence.

Task
8013

Apply customer requirements to the analysis process.

Task
8023

Assist planners in the development of courses of action.

Task
8063

Develop analytical techniques to gain more target information.

Task
8064

Develop and lead exercises.

Task
8065

Develop and maintain target profiles using appropriate corporate tools and databases (e.g., target associations, activities, communication infrastructures, etc.).

Task
8081

Document and disseminate analytic findings.

Task
8090

Enable targeting offices to find new sources of collection.

Task
8100

Evaluate the strengths and weaknesses of the intelligence source.

Task
8101

Evaluate threat critical capabilities, requirements, and vulnerabilities.

Task
8102

Facilitate collaboration with customers, Intelligence and targeting organizations involved in related cyber areas.

Task
8108

Identify and facilitate partner relationships to enhance mission capabilities.

Task
8128

Lead work role working groups/planning and development forums.

Task
8137

Manipulate information in mission relevant databases (e.g., converting data, generating reports).

Task
8138

Mitigate collection gaps.

Task
8145

Perform network analysis to support new or continued collection.

Task
8157

Produce digital network intelligence against specific named target sets.

Task
8164

Provide expertise in support of operational effects generated through cyber activities.

Task
8173

Provide intel target recommendations which meet leadership objectives.

Task
8191

Select, build, and develop query strategies against appropriate collection databases.

Task
8205

Understand technologies used by a given target.

Task
8206

Understand TTPs and methodologies to enable access ops or access vector opportunities.

Task
Exploitation Analyst Work Role ID: 121 (NIST: AN-XA-001) Workforce Element: Cyberspace Effects

Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
264

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2194

Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities.

Task
2400

Examine intercept-related metadata and content with an understanding of targeting significance.

Task
2718

Profile network or system administrators and their activities.

Task
3021

Ability to collaborate effectively with others.

Ability
3022

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability
3095

Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

Knowledge
3103A

Ability to identify/describe target vulnerability.

Ability
3103

Ability to identify/describe techniques/methods for conducting technical exploitation of the target.

Ability
3106

Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).

Knowledge
3107

Knowledge of a wide range of concepts associated with websites (e.g., website types, administration, functions, software systems, etc.).

Knowledge
3129

Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).

Knowledge
3137

Knowledge of basic malicious activity concepts (e.g., footprinting, scanning, and enumeration).

Knowledge
3179

Knowledge of common networking devices and their configurations.

Knowledge
3191

Knowledge of concepts for operating systems (e.g., Linux, Unix).

Knowledge
3225

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge
3289

Knowledge of how hubs, switches, routers work together in the design of a network.

Knowledge
3291

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).

Knowledge
3346

Knowledge of Internet and routing protocols.

Knowledge
3407

Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge
3410

Knowledge of network topology.

Knowledge
3513

Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.

Knowledge
3543

Knowledge of the basic structure, architecture, and design of modern communication networks.

Knowledge
3801

Skill in identifying the devices that work at each level of protocol models.

Skill
3867

Skill in recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information).

Skill
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
345

Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.

Knowledge
363

Skill in identifying gaps in technical capabilities.

Skill
912

Knowledge of collection management processes, capabilities, and limitations.

Knowledge
915

Knowledge of front-end collection systems, including traffic collection, filtering, and selection.

Knowledge
2029A

Apply and utilize authorized cyber capabilities to enable access to targeted networks.

Task
2033

Apply cyber collection, environment preparation and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements.

Task
2040

Apply and obey applicable statutes, laws, regulations and policies.

Task
2072

Perform analysis for target infrastructure exploitation activities.

Task
2090

Collaborate with other internal and external partner organizations on target access and operational issues.

Task
2095

Communicate new developments, breakthroughs, challenges and lessons learned to leadership, and internal and external customers.

Task
2102

Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.

Task
2114

Conduct independent in-depth target and technical analysis including target-specific information (e.g., cultural, organizational, political) that results in access.

Task
2419

Collaborate with developers, conveying target and technical knowledge in tool requirements submissions, to enhance tool development.

Task
2461

Identify gaps in our understanding of target technology and develop innovative collection approaches.

Task
2490

Identify, locate, and track targets via geospatial analysis techniques.

Task
2534

Lead or enable exploitation operations in support of organization objectives and target requirements.

Task
2542

Maintain awareness of advancements in hardware and software technologies (e.g., attend training or conferences, reading) and their potential implications.

Task
2608

Monitor target networks to provide indications and warning of target communications changes or processing failures.

Task
2714

Produce network reconstructions.

Task
3001

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.

Ability
3039

Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.

Ability
3043

Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.

Ability
3055B

Knowledge of basic implants.

Knowledge
3055A

Ability to select the appropriate implant to achieve operational goals.

Ability
3101

Ability to expand network access by conducting target analysis and collection in order to identify targets of interest.

Ability
3113

Knowledge of target intelligence gathering and operational preparation techniques and life cycles.

Knowledge
3139

Knowledge of basic principles of the collection development processes (e.g., Dialed Number Recognition, Social Network Analysis).

Knowledge
3146

Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge
3155

Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge
3166

Knowledge of collection searching/analyzing techniques and tools for chat/buddy list, emerging technologies, VOIP, Media Over IP, VPN, VSAT/wireless, web mail and cookies.

Knowledge
3181

Knowledge of common reporting databases and tools.

Knowledge
3201

Knowledge of all relevant reporting and dissemination procedures.

Knowledge
3226

Knowledge of data flow process for terminal or environment collection.

Knowledge
3256

Knowledge of terminal or environmental collection (process, objectives, organization, targets, etc.).

Knowledge
3261

Knowledge of evasion strategies and techniques.

Knowledge
3296

Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).

Knowledge
3349

Knowledge of intrusion sets.

Knowledge
3367

Knowledge of all applicable statutes, laws, regulations and policies governing cyber targeting and exploitation.

Knowledge
3386

Knowledge of midpoint collection (process, objectives, organization, targets, etc.).

Knowledge
3432

Knowledge of identification and reporting processes.

Knowledge
3454

Knowledge of products and nomenclature of major vendors (e.g., security suites – Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.

Knowledge
3474

Knowledge of scripting.

Knowledge
3505

Knowledge of strategies and tools for target research.

Knowledge
3525

Knowledge of organizational and partner policies, tools, capabilities, and procedures.

Knowledge
3542

Knowledge of the basic structure, architecture, and design of converged applications.

Knowledge
3622

Knowledge of organizational and partner authorities, responsibilities, and contributions to achieving objectives.

Knowledge
3637

Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

Knowledge
3678

Skill in analyzing traffic to identify network devices.

Skill
3715

Skill in creating and extracting important information from packet captures.

Skill
3718A

Skill in creating collection requirements in support of data acquisition activities.

Skill
3718

Skill in creating plans in support of remote operations.

Skill
3726

Skill in depicting source or collateral data on a network map.

Skill
3741

Skill in determining the effect of various router and firewall configurations on traffic patterns and network performance in both LAN and WAN environments.

Skill
3774

Skill in evaluating accesses for intelligence value.

Skill
3803

Skill in identifying, locating, and tracking targets via geospatial analysis techniques.

Skill
3810

Skill in interpreting compiled and interpretive programming languages.

Skill
3812

Skill in interpreting metadata and content as applied by collection systems.

Skill
3814

Skill in using trace route tools and interpreting the results as they apply to network analysis and reconstruction.

Skill
3818

Skill in generating operation plans in support of mission and target requirements.

Skill
3828

Skill in navigating network visualization software.

Skill
3837

Skill in performing data fusion from existing intelligence for enabling new and continued collection.

Skill
3860

Skill in recognizing and interpreting malicious network activity in traffic.

Skill
3863

Skill in recognizing midpoint opportunities and essential information.

Skill
3874

Skill in researching vulnerabilities and exploits utilized in traffic.

Skill
3894

Skill in target development in direct support of collection operations.

Skill
3913

Skill in using databases to identify target-relevant information.

Skill
3923

Skill in using non-attributable networks.

Skill
3950

Skill in writing (and submitting) requirements to meet gaps in technical capabilities.

Skill
Host Analyst Work Role ID: 463 (NIST: N/A) Workforce Element: Cyberspace Effects

A Host Analyst (HA) has knowledge of the various system configurations encountered, of system services and their security and configuration, and of file systems, permissions, and operating system configurations. The Host Analyst conducts analysis using built-in tools and capabilities.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
4171

Ability to analyze a finding of a compromise and develop a custom signature(s) and/or rule(s) to identify it throughout the network.

Ability
4172

Ability to analyze adversarial avenues of approach on a mission-critical system.

Ability
4174

Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies in support of identifying outliers to delineate possible avenues of approach.

Ability
4176

Ability to analyze how the tools operate to enumerate the system.

Ability
4179

Ability to analyze multiple memory captures, determine anomalous behavior, and develop a detailed report that includes a timeline of compromise.

Ability
4182

Ability to analyze organizational policies and documentation for appropriate use and user privileges to determine current user access rights policies.

Ability
4184

Ability to analyze potentially malicious processes, libraries, and modules on a system.

Ability
4185

Ability to analyze process lists within Windows, Unix, or Linux operating systems.

Ability
4186

Ability to analyze software installed and in use on a system or host machine and compare it to the authorized software list provided by the network owner.

Ability
4187

Ability to analyze tools/hardware used to extract/analyze/capture memory and disk images.

Ability
4188

Ability to analyze user-mode/kernel-mode rootkits and how they function and differ.

Ability
4189

Ability to analyze vulnerabilities and misconfiguration without Information Assurance artifacts.

Ability
4195

Ability to build a baseline of configuration/state for host machines.

Ability
4197

Ability to capture a memory image from a host workstation.

Ability
4198

Ability to capture forensically sound memory and disk images with regard to timeline analysis.

Ability
4206

Ability to gather active user accounts on a network and compare them to the authorized user list and the appropriate Standard Operating Procedure (SOP).

Ability
4207

Ability to compare current state against baselines.

Ability
4209

Ability to compile group policies and access control lists from mission partner networks.

Ability
4210

Ability to compile host-based firewall and host intrusion prevention system configurations through group policy modifications.

Ability
4211

Ability to conduct disk forensics on multiple images.

Ability
4216

Ability to configure log aggregation.

Ability
4217

Ability to configure, forward, and statistically analyze logs.

Ability
4225

Ability to correlate indicators of compromise.

Ability
4232

Ability to de-obfuscate (e.g. command line execution, string substitution, clandestine side channel, Base64).

Ability
4234

Ability to develop a risk defense plan (e.g. behavioral development, etc.) and put active measures in place in defense of a network, endpoint, and/or host.

Ability
4237

Ability to develop dashboards to better visualize data.

Ability
4238

Ability to develop host-based IDS/IPS signatures and settings.

Ability
4239

Ability to develop the reporting and recording of discovered potentially malicious processes, libraries, and modules on a compromised system.

Ability
4245

Ability to enumerate domain security groups.

Ability
4246

Ability to enumerate knowledge management applications (e.g. SharePoint) and their service accounts/security groups.

Ability
4247

Ability to enumerate network shares and identify ACLs/security permissions and analyze for vulnerabilities/misconfigurations (e.g. SMB, NFS, ISCSI).

Ability
4250

Ability to evaluate common Tactics, Techniques, and Procedures (TTP) used in malware, and open-source and Intelligence Community (IC) resources available to identify emerging TTPs.

Ability
4251

Ability to evaluate compliance with Security Technical Implementation Guides (STIGs) on host machines by utilizing a compliance scanner in support of identifying outliers in order to delineate possible avenues of approach.

Ability
4252

Ability to evaluate if patches are up to date for all hosts, determine the current process for updating patches, and determine the current patch level for all hosts on a network according to NIST Special Publication 800-40, in support of identifying outliers in order to delineate possible avenues of approach.

Ability
4256

Ability to evaluate rogue/unauthorized systems on a network.

Ability
4257

Ability to evaluate security posture shortcomings in group policy.

Ability
4258

Ability to evaluate steps taken after host-based IDS/IPS alerts, verify the finding, and ensure its volatility.

Ability
4259

Ability to evaluate systems resiliency in adverse conditions.

Ability
4262

Ability to export/enumerate information (e.g., users, groups) from a Domain Controller.

Ability
4266

Ability to identify activity context in log entries to correlate indicators of compromise.

Ability
4269

Ability to identify anomalous network traffic on a host machine.

Ability
4273

Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.

Ability
4281

Ability to identify new indicators of compromise through anomalous behavior in log entries.

Ability
4283

Ability to identify security posture shortcomings.

Ability
4284

Ability to identify tools and techniques available for analyzing binary applications and interpreted scripts.

Ability
4287

Ability to identify/select the most appropriate tools and solutions for the specific environment (e.g. disk/memory forensics/capture, host enumeration, application whitelisting, log aggregation and analysis, HIPS/HIDS solutions, etc.).

Ability
4288

Ability to implement and configure host-based firewalls and host intrusion prevention systems.

Ability
4289

Ability to implement Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies.

Ability
4302

Ability to measure known vulnerabilities against known vectors of approach.

Ability
4306

Ability to monitor Active Directory (AD) for creation of unauthorized/potentially malicious accounts.

Ability
4309

Ability to operate specified tools to enumerate a system.

Ability
4312

Ability to organize the Active Directory (AD) hierarchy structure.

Ability
4313

Ability to organize logging and auditing procedures including server-based logging.

Ability
4315

Ability to organize order of the volatility when capturing artifacts.

Ability
4318

Ability to perform and analyze situational awareness commands within Windows, Unix, and Linux operating systems (e.g., systeminfo, netstat, ipconfig, tasklist, ls, ifconfig, etc.).

Ability
4319

Ability to perform and analyze vulnerability scans on host machines in support of identifying outliers in order to delineate possible avenues of approach.

Ability
4320

Ability to perform complex root-cause analysis to determine the root cause of an intrusion and recommend mitigations.

Ability
4323

Ability to perform dynamic analysis.

Ability
4326

Ability to perform static analysis.

Ability
4331

Ability to prioritize how Operating System (OS) and application patches are distributed in different systems.

Ability
4332

Ability to prioritize Operating Systems (OS) default processes, library, and modules based on boot order, dependencies, or key operations.

Ability
4337

Ability to provide host analysis for a Risk Mitigation Plan (RMP) to improve the customer's overall security posture.

Ability
4339

Ability to provide mitigations to recover from a full network compromise.

Ability
4351

Ability to select the best tools to enumerate a given set of host machines in order to validate whether they match known baselines.

Ability
4363

Ability to use and integrate a Security Information and Event Management (SIEM) platform.

Ability
4371

Ability to use host volatile data to compare active processes, libraries and modules against databases of known good/bad.

Ability
4375

Ability to utilize Defense Information Systems Agency (DISA)/ Department of Defense (DoD) system configuration guidelines.

Ability
4390

Knowledge of Active Directory Federation Services.

Knowledge
4413

Knowledge of common information network malware (e.g., viruses, trojans, etc.) and vectors of attack (e.g., ports, attachments, etc.).

Knowledge
4415

Knowledge of common obfuscation techniques (e.g. command line execution, string substitution, clandestine side channel, Base64).

Knowledge
4416

Knowledge of common persistence locations within Windows, Unix, or Linux operating systems.

Knowledge
4427

Knowledge of cybersecurity and cybersecurity-enabled software products.

Knowledge
4429

Knowledge of cybersecurity controls and design principles and methods (e.g., firewalls, DMZ, and encryption).

Knowledge
4430

Knowledge of cybersecurity Risk Management Framework (RMF) process.

Knowledge
4434

Knowledge of DCO capabilities, including open-source tools, and their capabilities.

Knowledge
4435

Knowledge of Defense-In-Depth principles.

Knowledge
4438

Knowledge of different types of log subscriptions (e.g., push vs. pull, MS Windows event forwarding, Winlogbeat, syslog).

Knowledge
4443

Knowledge of evasion strategies and TTPs (e.g., noise, stealth, situational awareness, bandwidth throttling).

Knowledge
4445

Knowledge of existing cybersecurity principles, policies, and procedures.

Knowledge
4452

Knowledge of full-spectrum of cyberspace operations in an intelligence-driven DCO environment.

Knowledge
4501

Knowledge of non-Active Directory domains (e.g. IDM, LDAP).

Knowledge
4522

Knowledge of public key infrastructure (PKI) libraries, certificate authorities, certificate management, and encryption functionalities.

Knowledge
4537

Knowledge of stream providers (e.g., Kafka).

Knowledge
4539

Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model).

Knowledge
4583

Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission.

Knowledge
4585

Knowledge of the Windows registry hive keys and the information contained within each one.

Knowledge
4589

Knowledge of typical system processes within Windows, Unix, or Linux operating systems.

Knowledge
4595

Knowledge of web applications and their common attack vectors.

Knowledge
4599

Skill in analyzing endpoint collection data.

Skill
4655

Skill in providing support to intelligence analysts to understand the operational environment and how it ties to intelligence reporting.

Skill
4660

Skill in refining research (e.g., vulnerabilities, TTPs) to assist intelligence analysts’ preparation of products.

Skill
4665

Skill in run-level configurations in a Linux or UNIX environment.

Skill
4679

Skill in using various online tools for open-source research (e.g., online trade, DNS, mail, etc.).

Skill
8036

Conduct open source research via various online tools.

Task
8041

Confer with systems analysts, engineers, programmers, and others to design applications and to obtain information on project limitations and capabilities, performance requirements, and interfaces.

Task
8111

Identify potential points of strength and vulnerability among segments of a network map.

Task
8115

Identify tools/hardware used to extract/analyze/capture memory and disk images.

Task
8151

Perform security reviews and identify gaps in security architecture that can be used in the development of a security risk management plan.

Task
8161

Provide and maintain documentation for TTPs as inputs to training programs.

Task
8212

Validate intrusion detection system (IDS) alerts.

Task
Joint Targeting Analyst Work Role ID: 131 (NIST: N/A) Workforce Element: Cyberspace Effects

Conducts target development at the system, component, and entity levels. Builds and maintains Electronic Target Folders (ETFs), to include input from JIPOE, Target Systems Analysis, GMI, and other IC sources. Senior analysts run collaborative target working groups across Geographic Combatant Commands (GCCs) and IC members, presenting candidate targets for IC vetting and commander's approval for inclusion on the target list. Assesses damage resulting from the application of lethal and non-lethal military force, writes Battle Damage Assessment reports, and coordinates federated support as required.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
4202

Ability to collaborate with the IC to leverage analytical and technical expertise.

Ability
4203

Ability to communicate effectively when writing and speaking.

Ability
4227

Ability to create products to meet decision making needs.

Ability
4356

Ability to support the joint targeting cycle in a dynamic environment.

Ability
4362

Ability to understand US Code Titles as they apply to targeting in support of operations in cyberspace.

Ability
4373

Ability to utilize analytical constructs.

Ability
4374

Ability to utilize and synthesize multiple intelligence sources to create products.

Ability
4405

Knowledge of Collateral Damage Estimate (CDE) methodology.

Knowledge
4409

Knowledge of combat assessment.

Knowledge
4412

Knowledge of Command Structure (mission, C2).

Knowledge
4451

Knowledge of full-spectrum cyberspace operational missions (e.g., DODIN Operations, DCO, OCO, cyberspace ISR, and Operational Preparation of the Environment (OPE)), principles, capabilities, limitations, and effects.

KSA
4468

Knowledge of IC, to include members, structure, and associated missions.

Knowledge
4473

Knowledge of ISR capabilities and repositories (e.g., Geospatial Intelligence Information Management Services (GIMS), National SIGINT Requirements Process (NSRP), etc.).

Knowledge
4484

Knowledge of metadata.

Knowledge
4492

Knowledge of Mission Packages.

Knowledge
4514

Knowledge of Political, Military, Economic, Social, PMESII and Counter-Terrorism Analytical Framework analytical constructs and their use in assessing the operational environment.

Knowledge
4536

Knowledge of state and non-state target systems.

KSA
4556

Knowledge of the development of Intelligence Needs (INs), Intelligence Requirements (IRs), and Essential Elements of Information (EEI).

Knowledge
4559

Knowledge of the five target entity types.

Knowledge
4562

Knowledge of the Joint Tactical Cyber Request (JTCR).

Knowledge
4569

Knowledge of the National SIGINT system.

Knowledge
4572

Knowledge of the Request for Support (RFS) process.

Knowledge
4574

Knowledge of the review and approval process for cyberspace operations Review and Approval Process of Cyber Operations (RAP-CO) process.

Knowledge
4576

Knowledge of the sensitive target and review (STAR) process.

Knowledge
4596

Knowledge of what a Tasking Order is and the information contained in it (e.g., ATO, CTO, and MTO).

Knowledge
4617

Skill in creating and maintaining target materials.

Skill
4622

Skill in developing TSA products.

Skill
4634

Skill in identifying intelligence gaps to generate RFIs.

Skill
4654

Skill in providing input into Mission Packages.

Skill
4681

Skill in utilizing Microsoft Office applications (e.g., Word, PowerPoint, Excel, etc.).

Skill
4683

Skill in writing phased BDA reports.

Skill
8024

Attend or provide input for targeting community meetings (e.g., Targeting Issues Working Group (TIWG), Military Targeting Committee (MTC), etc.).

Task
8027

Build and maintain target materials.

Task
8077

Develop, or assist in the development, of a Collateral Effects Estimation (CEE) methodology for cyberspace.

Task
8133

Maintain situational awareness of the common intelligence picture and/or common operational picture as applicable

Task
8140

Participate in Boards, Bureaus, Cells, Centers, and Working Groups (B2C2WGs).

Task
8143

Participate in the Joint Planning Process and other commander and staff planning processes.

Task
8160

Provide analysis and support for combat assessments.

Task
8177

Provide targeting support to TST planning and operations.

Task
8195

Support target list management (i.e. Restricted Target List (RTL), Joint Target List (JTL), Candidate Target List (CTL), etc.).

Task
Network Analyst Work Role ID: 443 (NIST: N/A) Workforce Element: Cyberspace Effects

The Network Analyst will understand network traffic signatures and discover anomalies through network traffic and packet capture (PCAP) analysis. The Network Analyst will identify, assess, and mitigate intrusions into networks that are vital to cyberspace operations security. Network Analysts also use GUI or command-line based tools and assist in developing network mapping and signatures. Network Analysts will develop advanced network detection rules and alerts, queries and dashboards to gain a holistic view of the network.

Core KSATs

KSAT ID | Description | KSAT
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments, and the difference between on-premises and off-premises environments. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
4170 | Ability to accurately document results. | Ability
4171 | Ability to analyze a finding of a compromise and develop custom signature(s) and/or rule(s) to identify it throughout the network. | Ability
4173 | Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies. | Ability
4175 | Ability to analyze device/protocol discovery tool output. | Ability
4177 | Ability to analyze interior and exterior routing protocols (e.g., RIP, EIGRP, OSPF, IS-IS, etc.). | Ability
4178 | Ability to analyze mitigations to recover from a full network compromise. | Ability
4180 | Ability to analyze network infrastructure to identify and recommend key terrain or critical infrastructure. | Ability
4181 | Ability to analyze organizational policies and documentation for appropriate use and user privileges as they apply to networking devices. | Ability
4183 | Ability to analyze potential adversarial attack vectors on a mission-critical system. | Ability
4193 | Ability to assess Data in Transit encryption policies. | Ability
4201 | Ability to characterize network traffic for trends and patterns. | Ability
4205 | Ability to communicate with senior leaders of an organization to ensure that shared responsibility for supporting organizational mission/business functions using external providers of systems, services, and applications receives visibility and is elevated to the appropriate decision-making authorities. | Ability
4208 | Ability to compile access control lists and firewall configurations. | Ability
4212 | Ability to conduct flow data analysis. | Ability
4214 | Ability to conduct research on vulnerabilities found and correlate current versions to known vulnerable releases. | Ability
4217 | Ability to configure, forward, and statistically analyze logs. | Ability
4218 | Ability to configure, place, and maintain a distributed sensor grid. | Ability
4220 | Ability to construct accurate maps of the network devices. | Ability
4221 | Ability to construct log aggregation solutions and analysis platforms. | Ability
4225 | Ability to correlate indicators of compromise. | Ability
4226 | Ability to create baselines/PPS documents and to compare current state against documentation. | Ability
4230 | Ability to create rules/alerts for traffic validation. | Ability
4231 | Ability to define caching and analyze the information contained within. | Ability
4233 | Ability to detect mismatched port-application traffic. | Ability
4235 | Ability to develop a risk defense plan to put active measures in place in defense of a network. | Ability
4237 | Ability to develop dashboards to better visualize data. | Ability
4241 | Ability to dissect and analyze a packet header. | Ability
4242 | Ability to document findings of any anomalous connections. | Ability
4250 | Ability to evaluate common Tactics, Techniques, and Procedures (TTPs) used in malware, and the open-source and Intelligence Community (IC) resources available to identify emerging TTPs. | Ability
4253 | Ability to evaluate information (e.g., trust relationships and security policies) from a domain to identify vulnerabilities/misconfigurations. | Ability
4254 | Ability to evaluate mitigations to recover from a full-network compromise. | Ability
4255 | Ability to evaluate network diagrams. | Ability
4256 | Ability to evaluate rogue/unauthorized systems on a network. | Ability
4259 | Ability to evaluate systems resiliency in adverse conditions. | Ability
4267 | Ability to identify activity in log entries to correlate indicators of compromise. | Ability
4268 | Ability to identify anomalous activity based on known trends and patterns. | Ability
4270 | Ability to identify C2 beaconing in normal network traffic. | Ability
4272 | Ability to perform complex root-cause analysis and recommend mitigations. | Ability
4274 | Ability to identify Data in Transit encryption methodologies. | Ability
4275 | Ability to identify exfiltration of data in normal network traffic. | Ability
4277 | Ability to identify IPv6 and differentiate between Link Local, Multicast, Unicast, and Anycast. | Ability
4286 | Ability to identify wireless encryption and differentiate between WEP, WPA (all versions), and WAPI. | Ability
4290 | Ability to implement network TAP configuration. | Ability
4295 | Ability to integrate information security requirements into the acquisition process, using applicable baseline security controls as one of the sources for security requirements, and ensuring a robust software quality control process. | Ability
4301 | Ability to measure application whitelisting/blacklisting solutions. | Ability
4303 | Ability to measure principle of vulnerability exploitation. | Ability
4304 | Ability to measure the effectiveness of white/blacklisting solutions on network devices. | Ability
4307 | Ability to monitor network data and perform triage on triggered events. | Ability
4310 | Ability to operate the tools to enumerate a system. | Ability
4311 | Ability to organize a list of mission infrastructure to identify which dependent systems are key terrain. | Ability
4314 | Ability to organize Network System Architecture and the dependencies formed from relationships between systems. | Ability
4321 | Ability to perform conversion calculations across hexadecimal, octal, decimal, and binary. | Ability
4322 | Ability to perform device discovery. | Ability
4348 | Ability to research protocol utilization and determine anomalous use. | Ability
4357 | Ability to test tools within the sensor grid. | Ability
4364 | Ability to use and integrate Security Information and Event Management (SIEM) capabilities in the analysis process. | Ability
4375 | Ability to utilize Defense Information Systems Agency (DISA)/Department of Defense (DoD) system configuration guidelines. | Ability
4392 | Knowledge of anomaly-based detection and threat hunting. | Knowledge
4394 | Knowledge of attack principles, tools, and techniques. | Knowledge
4396 | Knowledge of basic cloud-based technologies and concepts. | Knowledge
4398 | Knowledge of basic Cyber Threat Emulation concepts. | Knowledge
4399 | Knowledge of basic Embedded Systems concepts. | Knowledge
4427 | Knowledge of cybersecurity and cybersecurity-enabled software products. | Knowledge
4440 | Knowledge of DOD Component-level cybersecurity architecture. | Knowledge
4442 | Knowledge of encryption algorithms and their implementation. | Knowledge
4450 | Knowledge of Friendly Network Forces (FNF) reporting procedures (i.e., deconfliction), to include external organization interaction. | Knowledge
4455 | Knowledge of hardware components and architecture, including functions and limitations. | Knowledge
4456 | Knowledge of hashing algorithms. | Knowledge
4457 | Knowledge of hexadecimal, octal, decimal, and binary. | Knowledge
4467 | Knowledge of HTML source code and the intelligence that can be derived from it. | Knowledge
4472 | Knowledge of IPv6. | Knowledge
4499 | Knowledge of Network OSs. | Knowledge
4531 | Knowledge of security implications of device and software configurations. | Knowledge
4539 | Knowledge of structured response frameworks (e.g., MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model). | Knowledge
4547 | Knowledge of TCP flags. | Knowledge
4557 | Knowledge of the differences between distance vector and link-state routing protocols. | Knowledge
4558 | Knowledge of the different DNS resource records. | Knowledge
4583 | Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission. | Knowledge
4591 | Knowledge of User Agent Strings and the intelligence that can be derived from them. | Knowledge
4603 | Skill in analyzing PCAP data. | Skill
4614 | Skill in conducting system planning, management, and maintenance. | Skill
4623 | Skill in discerning the protection requirements (i.e., security controls) of information systems and networks. | Skill
4636 | Skill in implementing encryption algorithms. | Skill
4637 | Skill in intrusion detection methodologies and techniques for detecting host- and network-based intrusions, including the use of intrusion detection systems and signature development. | Skill
4642 | Skill in network operating system administration. | Skill
4650 | Skill in providing an understanding of the adversary through the identification and link analysis of physical, functional, or behavioral relationships within an operational environment. | Skill
4661 | Skill in regular expressions. | Skill
4671 | Skill in understanding cybersecurity architecture, its implementation, and its expected behaviors, and how changes in conditions affect outcomes. | Skill
4672 | Skill in using Berkeley Packet Filters. | Skill
4675 | Skill in using network mapping tools to analyze, identify, and enumerate a network. | Skill
4680 | Skill in utilizing a network traffic packet analyzer in order to detect anomalies in protocol utilization. | Skill
8000 | Adhere to DCO policies and procedures reflecting applicable laws, policies, procedures, and regulations (such as United States Code Titles 10 and 50). | Task
8019 | Assess exploited systems' potential to provide additional access, target development information, intelligence, and/or covert infrastructure. | Task
8061 | Determine and document software patches or the extent of releases that would harden vulnerable software. | Task
8062 | Determine location of tool(s) deployment and utilize them once deployed (e.g., monitor agent, sensor). | Task
8066 | Develop and review cyberspace operations TTPs for integration into strategic, operational, and tactical levels of planning. | Task
8099 | Evaluate security architecture and its design against cyberspace threats as identified in operational and acquisition documents. | Task
8136 | Manage threat or target analysis of DCO information and production of threat information for networks and enclave environments. | Task
8161 | Provide and maintain documentation for TTPs as inputs to training programs. | Task
8171 | Provide input to the analysis, design, development, or acquisition of capabilities used for meeting mission objectives. | Task
8179 | Read, write, and interpret simple scripts to collect remote data and automate tasks. | Task
8180 | Read, write, and interpret simple scripts to parse large data files. | Task
8182 | Recommend patches for network vulnerabilities to ensure information is safeguarded against outside parties via Risk Mitigation Plans. | Task

Network Technician Work Role ID: 442 (NIST: N/A) Workforce Element: Cyberspace Effects

The Network Technician provides enterprise and tactical infrastructure knowledge, experience, and integration to the Cyber Protection Team (CPT). The Network Technician supports CPT elements through an understanding of network technologies, defining mission scope, and identifying terrain.

Core KSATs

KSAT ID | Description | KSAT
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments, and the difference between on-premises and off-premises environments. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
4196 | Ability to build, implement, and maintain a distributed sensor grid. | Ability
4201 | Ability to characterize network traffic for trends and patterns. | Ability
4215 | Ability to configure and place a distributed sensor grid. | Ability
4224 | Ability to coordinate with senior leaders of an organization to ensure that shared responsibility for supporting organizational mission/business functions using external providers of systems, services, and applications receives visibility and is elevated to the appropriate decision-making authorities. | Ability
4228 | Ability to create rule sets within an Intrusion Detection System (IDS). | Ability
4230 | Ability to create rules/alerts for traffic validation. | Ability
4273 | Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. | Ability
4290 | Ability to implement network TAP configuration. | Ability
4291 | Ability to implement sensors according to the sensor plan. | Ability
4294 | Ability to integrate information security requirements into the acquisition process, using applicable baseline security controls as one of the sources for security requirements, ensuring a robust software quality control process and establishing multiple source | Ability
4316 | Ability to organize policy standards to ensure procedures and guidelines comply with cybersecurity policies. | Ability
4352 | Ability to set up Serial and Ethernet interfaces. | Ability
4354 | Ability to share meaningful insights about the context of an organization's threat environment that improve its risk management posture. | Ability
4357 | Ability to test tools within the sensor grid. | Ability
4358 | Ability to track the location and configuration of networked devices and software across departments, locations, facilities, and potentially supporting business functions. | Ability
4360 | Ability to troubleshoot computer software and hardware issues, make repairs, and schedule updates. | Ability
4365 | Ability to use and/or integrate a Security Information and Event Management (SIEM) platform. | Ability
4390 | Knowledge of Active Directory Federation Services. | Knowledge
4396 | Knowledge of basic cloud-based technologies and concepts. | Knowledge
4398 | Knowledge of basic Cyber Threat Emulation concepts. | Knowledge
4399 | Knowledge of basic Embedded Systems concepts. | Knowledge
4415 | Knowledge of common obfuscation techniques (e.g., command line execution, string substitution, clandestine side channel, Base64). | Knowledge
4429 | Knowledge of cybersecurity controls and design principles and methods (e.g., firewalls, DMZ, and encryption). | Knowledge
4438 | Knowledge of different types of log subscriptions (e.g., push vs. pull, MS Windows event forwarding, winlogbeat, syslog). | Knowledge
4451 | Knowledge of full-spectrum cyberspace operational missions (e.g., DODIN Operations, DCO, OCO, cyberspace ISR, and Operational Preparation of the Environment (OPE)), principles, capabilities, limitations, and effects. | KSA
4481 | Knowledge of long-haul circuits. | Knowledge
4499 | Knowledge of Network OSs. | Knowledge
4500 | Knowledge of network systems management methods, including end-to-end systems performance monitoring. | Knowledge
4501 | Knowledge of non-Active Directory domains (e.g., IDM, LDAP). | Knowledge
4516 | Knowledge of principles and methods for integrating system and network components. | Knowledge
4522 | Knowledge of public key infrastructure (PKI) libraries, certificate authorities, certificate management, and encryption functionalities. | Knowledge
4529 | Knowledge of routing protocols such as RIPv1/v2, OSPF, IGRP, and EIGRP. | Knowledge
4532 | Knowledge of the Security Technical Implementation Guide (STIG). | Knowledge
4537 | Knowledge of stream providers (e.g., Kafka). | Knowledge
4539 | Knowledge of structured response frameworks (e.g., MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model). | Knowledge
4588 | Knowledge of transmission capabilities (e.g., Bluetooth, Radio Frequency Identification (RFID), Infrared Networking (IR), Wireless Fidelity (Wi-Fi), paging, cellular, satellite dishes, Voice over Internet Protocol (VoIP)). | Knowledge
4594 | Knowledge of WAN technologies such as PPP, Frame Relay, dedicated T1s, ISDN, and routing protocols. | Knowledge
4595 | Knowledge of web applications and their common attack vectors. | Knowledge
4606 | Skill in applying STIG upgrades. | Skill
4609 | Skill in cable management and organization. | Skill
4615 | Skill in configuring and utilizing software-based computer protection tools (e.g., software firewalls, anti-virus software, anti-spyware). | Skill
4635 | Skill in implementing DHCP and DNS. | Skill
4664 | Skill in router IOS backup, recovery, and upgrade. | Skill
4671 | Skill in understanding cybersecurity architecture, its implementation, and its expected behaviors, and how changes in conditions affect outcomes. | Skill
8019 | Assess exploited systems' potential to provide additional access, target development information, intelligence, and/or covert infrastructure. | Task
8042 | Consult with customers about network system design and maintenance. | Task
8058 | Design countermeasures and mitigations against potential weaknesses and vulnerabilities in systems and elements. | Task
8059 | Design, develop, and modify network systems, using scientific analysis and mathematical models to predict and measure outcomes and consequences of design. | Task
8060 | Detect exploits against networks and hosts and react accordingly (does not apply to Red Team Interactive Operators). | Task
8078 | Diagnose network connectivity problems. | Task
8091 | Engage customers to understand their expectations and wants. | Task
8099 | Evaluate security architecture and its design against cyberspace threats as identified in operational and acquisition documents. | Task
8110 | Identify optimal locations for network sensor placement to collect on targeted devices. | Task
8117 | Implement and enforce DCO policies and procedures reflecting applicable laws, policies, procedures, and regulations (such as United States Code Titles 10 and 50). | Task
8131 | Maintain operational, technical, and authoritative situational awareness during effects-based operations. | Task
8139 | Notify designated mission leadership or applicable team members of any suspected cyber incident. | Task
8161 | Provide and maintain documentation for TTPs as inputs to training programs. | Task
8165 | Provide feedback for RFI generation. | Task
8187 | Repair network connectivity problems. | Task

Target Analyst Reporter Work Role ID: 133 (NIST: N/A) Workforce Element: Cyberspace Effects

The Target Analyst Reporter (TAR) provides synthesized products to customers by researching, analyzing, and reporting intelligence via appropriate reporting vehicles in response to customer requirements and IAW missions of SIGINT, cybersecurity, and cyberspace operations. They prioritize, assess, evaluate, and report information obtained from SIGINT collection, cyber surveillance, and reconnaissance operations sources. The TAR enhances reporting with collateral information as required, maintains awareness of internal and external customer requirements, and collaborates with other collectors and analysts to refine collection and reporting requirements. The TAR shares target-related information and provides feedback to customers as appropriate. The TAR develops working aids and provides database updates on target activity to enhance and build target knowledge and improve collection. The TAR performs quality control and product-release functions.

Core KSATs

KSAT ID | Description | KSAT
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments, and the difference between on-premises and off-premises environments. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
4396 | Knowledge of basic cloud-based technologies and concepts. | Knowledge
4421 | Knowledge of Critical Intelligence Communication (CRITIC) identification and reporting process. | Knowledge
4423 | Knowledge of cryptologic and SIGINT reporting and dissemination procedures. | Knowledge
4460 | Knowledge of how and when to request assistance from the Cryptanalysis and Signals Analysis and/or CNO. | Knowledge
4470 | Knowledge of intelligence sources and their characteristics. | Knowledge
4491 | Knowledge of methods, tools, sources, and techniques used to research, integrate, and summarize information pertaining to the target. | Knowledge
4523 | Knowledge of quality review process and procedures. | Knowledge
4570 | Knowledge of the overall mission of the Cyber Mission Forces (CMF). | Knowledge
4578 | Knowledge of the specific missions for CMF (i.e., Cyber Mission Teams (CMT), National Mission Teams (NMT), Combat Support Team (CST), National Support Team (NST), Cyber Protection Team (CPT)). | Knowledge
4582 | Knowledge of the U.S. Cryptologic Systems authorities, responsibilities, and contributions to the cyberspace operations mission. | Knowledge
4612 | Skill in conducting derivative classification IAW organization standards/policy. | Skill
4613 | Skill in conducting quality review of serialized reports and reporting for time-sensitive USCYBERCOM operations. | Skill
4619 | Skill in developing and maintaining target profiles. | Skill
4625 | Skill in drafting serialized reports to support time-sensitive USCYBERCOM operations. | Skill
4626 | Skill in drafting serialized reports to the quality level meeting release standards. | Skill
4629 | Skill in executing post-publication processes IAW organization standards/policy. | Skill
4651 | Skill in providing feedback to enhance future collection and analysis. | Skill
4656 | Skill in recognizing exploitation opportunities. | Skill
4657 | Skill in recognizing targeting opportunities and essential information. | Skill
4662 | Skill in releasing serialized and time-sensitive reports. | Skill
8010 | Apply analytic techniques to validate information or data in reporting. | Task
8011 | Apply and/or develop analytic techniques to provide better intelligence. | Task
8013 | Apply customer requirements to the analysis process. | Task
8022 | Assist in the mitigation of collection gaps. | Task
8023 | Assist planners in the development of courses of action. | Task
8038 | Conduct pre- and post-publication actions. | Task
8063 | Develop analytical techniques to gain more target information. | Task
8065 | Develop and maintain target profiles using appropriate corporate tools and databases (e.g., target associations, activities, communication infrastructures, etc.). | Task
8081 | Document and disseminate analytic findings. | Task
8090 | Enable targeting offices to find new sources of collection. | Task
8100 | Evaluate the strengths and weaknesses of the intelligence source. | Task
8101 | Evaluate threat critical capabilities, requirements, and vulnerabilities. | Task
8108 | Identify and facilitate partner relationships to enhance mission capabilities. | Task
8128 | Lead work role working groups and planning and development forums. | Task
8137 | Manipulate information in mission-relevant databases (e.g., converting data, generating reports). | Task
8138 | Mitigate collection gaps. | Task
8145 | Perform network analysis to support new or continued collection. | Task
8149 | Perform quality review and provide feedback on the materials delivered on which analysis and reporting is conducted. | Task
8155 | Prioritize reporting based on SIGINT reporting instructions or other mission reporting priorities. | Task
8157 | Produce digital network intelligence against specific named target sets. | Task
8173 | Provide intel target recommendations that meet leadership objectives. | Task
8176 | Provide SME support for the development and implementation of exercises. | Task
8191 | Select, build, and develop query strategies against appropriate collection databases. | Task
8203 | Understand hacker TTPs and methodologies. | Task
8204 | Understand network components and their functionality to enable analysis and target development. | Task
8205 | Understand technologies used by a given target. | Task
8213 | Verify and validate that network graphics are accurate and comply with reporting policy. | Task

Target Digital Network Analyst Work Role ID: 132 (NIST: N/A) Workforce Element: Cyberspace Effects

The TDNA conducts advanced analysis of collection and open-source data to ensure target continuity, profile targets and their activities, and develop techniques to gain more target cyberspace operations related information. They possess knowledge of target cyberspace technologies and apply skills and knowledge of cyberspace networks and the applications on them to determine how targets communicate, move, operate, and live within the cyberspace domain. TDNAs apply analytical techniques to review relevant content carried in target cyberspace communications. The TDNA uses data from networks of all forms for target development. TDNAs are technology savvy and can be flexible enough to rapidly shift from one target to another.

Core KSATs

KSAT ID | Description | KSAT
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments, and the difference between on-premises and off-premises environments. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
4223 | Ability to contribute to the collection management process. | Ability
4421 | Knowledge of Critical Intelligence Communication (CRITIC) identification and reporting process. | Knowledge
4423 | Knowledge of cryptologic and SIGINT reporting and dissemination procedures. | Knowledge
4428 | Knowledge of cybersecurity concepts and principles. | Knowledge
4431 | Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media). | Knowledge
4460 | Knowledge of how and when to request assistance from the Cryptanalysis and Signals Analysis and/or CNO. | Knowledge
4470 | Knowledge of intelligence sources and their characteristics. | Knowledge
4490 | Knowledge of methods, tools, sources, and techniques used to research, integrate, and summarize all-source information pertaining to the target. | Knowledge
4523 | Knowledge of quality review process and procedures. | Knowledge
4533 | Knowledge of SIGINT laws and directives. | Knowledge
4570 | Knowledge of the overall mission of the Cyber Mission Forces (CMF). | Knowledge
4578 | Knowledge of the specific missions for CMF (i.e., Cyber Mission Teams (CMT), National Mission Teams (NMT), Combat Support Team (CST), National Support Team (NST), Cyber Protection Team (CPT)). | Knowledge
4582 | Knowledge of the U.S. Cryptologic Systems authorities, responsibilities, and contributions to the cyberspace operations mission. | Knowledge
4631 | Skill in geolocating targets. | Skill
4643 | Skill in operational use of raw collection databases. | Skill
4645 | Skill in performing data fusion from all-source intelligence for geospatial analysis. | Skill
4651 | Skill in providing feedback to enhance future collection and analysis. | Skill
4656 | Skill in recognizing exploitation opportunities. | Skill
4659 | Skill in recognizing the value of survey data. | Skill
4667 | Skill in selector normalization. | Skill
4669 | Skill in targeting (e.g., selectors). | Skill
8011 | Apply and/or develop analytic techniques to provide better intelligence. | Task
8013 | Apply customer requirements to the analysis process. | Task
8023 | Assist planners in the development of courses of action. | Task
8025 | Be aware of hacker TTPs and methodologies. | Task
8063 | Develop analytical techniques to gain more target information. | Task
8064 | Develop and lead exercises. | Task
8065 | Develop and maintain target profiles using appropriate corporate tools and databases (e.g., target associations, activities, communication infrastructures, etc.). | Task
8081 | Document and disseminate analytic findings. | Task
8090 | Enable targeting offices to find new sources of collection. | Task
8100 | Evaluate the strengths and weaknesses of the intelligence source. | Task
8108 | Identify and facilitate partner relationships to enhance mission capabilities. | Task
8128 | Lead work role working groups and planning and development forums. | Task
8137 | Manipulate information in mission-relevant databases (e.g., converting data, generating reports). | Task
8138 | Mitigate collection gaps. | Task
8145 | Perform network analysis to support new or continued collection. | Task
8157 | Produce digital network intelligence against specific named target sets. | Task
8172 | Provide input to training and mitigation plans based on advancements in hardware and software technologies (e.g., attending training or conferences, reading) and their potential implications. | Task
8173 | Provide intel target recommendations that meet leadership objectives. | Task
8178 | Provide time-sensitive support to operations. | Task
8191 | Select, build, and develop query strategies against appropriate collection databases. | Task
8205 | Understand technologies used by a given target. | Task