Cyberspace Operator

Work Role ID: 322 (NIST: N/A)
Workforce Element: Cyberspace Effects

Cyberspace Operators use a wide range of software applications for network navigation, tactical forensic analysis, surveillance and reconnaissance, and executing on-net operations in support of offensive cyberspace operations when directed.


Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

KSAT ID | Description | KSAT
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | * Knowledge of cloud computing deployment models (private, public, and hybrid environments) and the difference between on-premises and off-premises environments. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
4191 | Ability to apply tradecraft to minimize risk of detection, mitigate risk, and minimize creation of behavioral signatures. | Ability
4199 | Ability to characterize a target admin/user’s technical abilities, habits, and skills. | Ability
4204 | Ability to communicate operational plans and actions and provide feedback regarding OPSEC and tradecraft during mission pre-brief. | Ability
4213 | Ability to conduct open source research. | Ability
4219 | Ability to construct a course of action using available exploitation tools and techniques. | Ability
4222 | Ability to continually research and develop new tools/techniques. | Ability
4229 | Ability to create rules and filters (e.g., Berkeley Packet Filter, regular expressions). | Ability
4243 | Ability to ensure collected data is transferred to the appropriate storage locations. | Ability
4244 | Ability to enumerate a network. | Ability
4248 | Ability to enumerate user permissions and privileges. | Ability
4249 | Ability to evade or counter security products or host-based defenses. | Ability
4261 | Ability to exploit vulnerabilities to gain additional access. | Ability
4263 | Ability to extract credentials from hosts. | Ability
4271 | Ability to identify capability gaps (e.g., insufficient tools, training, or infrastructure). | Ability
4276 | Ability to identify files containing information critical to operational objectives. | Ability
4278 | Ability to identify legal, policy, and technical limitations when conducting cyberspace operations. | Ability
4279 | Ability to identify logging capabilities on a host. | Ability
4285 | Ability to identify what tools or Tactics, Techniques, and Procedures (TTPs) are applicable to a given situation. | Ability
4292 | Ability to improve the performance of cyberspace operators by providing constructive (positive and negative) feedback. | Ability
4293 | Ability to install/modify/uninstall tools on target systems in accordance with current policies and procedures. | Ability
4296 | Ability to interpret device configurations. | Ability
4297 | Ability to interpret technical materials such as RFCs and technical manuals. | Ability
4298 | Ability to maintain situational awareness of the target environment. | Ability
4305 | Ability to model a simulated environment to conduct mission rehearsal and mitigate risk of actions taken during operations. | Ability
4308 | Ability to operate automated systems to interact with the target environment. | Ability
4324 | Ability to perform masquerade operations. | Ability
4325 | Ability to perform privilege escalation. | Ability
4327 | Ability to persist access to a target. | Ability
4330 | Ability to plan, brief, execute, and debrief a mission. | Ability
4334 | Ability to promote and enable organizational change. | Ability
4335 | Ability to provide advice and guidance to various stakeholders regarding technical issues, capabilities, and approaches. | Ability
4336 | Ability to provide feedback to developers if a tool requires continued development. | Ability
4340 | Ability to provide technical leadership within an organization. | Ability
4341 | Ability to read, write, modify, and execute compiled languages (e.g., C). | Ability
4342 | Ability to recognize and extract salient information from large data sets (e.g., critical information, anomalies). | Ability
4343 | Ability to recognize and report mistakes or poor tradecraft to appropriate leadership in accordance with Standard Operating Procedures (SOPs). | Ability
4344 | Ability to recognize and respond appropriately to Non-Standard Events. | Ability
4345 | Ability to redirect and tunnel through target systems. | Ability
4346 | Ability to remediate indicators of compromise. | Ability
4347 | Ability to research non-standards within a project. | Ability
4350 | Ability to retrieve historical operational and open-source data to analyze compatibility with approved capabilities. | Ability
4359 | Ability to train other cyberspace operators. | Ability
4361 | Ability to troubleshoot technical problems. | Ability
4367 | Ability to use the core toolset (e.g., implants, remote access tools). | Ability
4369 | Ability to use dynamic analysis tools (e.g., Process Monitor, Process Explorer, and registry analysis). | Ability
4370 | Ability to use enterprise tools to enumerate target information. | Ability
4378 | Ability to verify file integrity for both uploads and downloads. | Ability
4379 | Ability to weaken a target to facilitate/enable future access. | Ability
4380 | Ability to write and modify markup languages (e.g., HTML, XML). | Ability
4381 | Ability to write and modify source code (e.g., C). | Ability
4388 | Knowledge of access control models (Role-Based Access Control, Attribute-Based Access Control). | Knowledge
4391 | Knowledge of advanced redirection techniques. | Knowledge
4393 | Knowledge of appropriate/inappropriate information to include in operational documentation (e.g., OPNOTES, technical summaries, action maps). | Knowledge
4395 | Knowledge of basic client software applications and their attack surfaces. | Knowledge
4396 | Knowledge of basic cloud-based technologies and concepts. | Knowledge
4399 | Knowledge of basic embedded systems concepts. | Knowledge
4402 | Knowledge of basic redirection techniques (e.g., iptables, SSH tunneling, netsh). | Knowledge
4403 | Knowledge of basic server software applications and their attack surfaces. | Knowledge
4404 | Knowledge of code injection and its employment in cyberspace operations. | Knowledge
4414 | Knowledge of common network administration best practices and their impact on operations. | Knowledge
4419 | Knowledge of credential sources and restrictions related to credential usage. | Knowledge
4437 | Knowledge of device reboots, including when they occur and their impact on tool functionality. | Knowledge
4444 | Knowledge of evolving technologies. | Knowledge
4447 | Knowledge of factors that would suspend or abort an operation. | Knowledge
4458 | Knowledge of historical data relating to particular targets and projects, reviewed prior to an operation (e.g., TECHSUMs, previous OPNOTEs). | Knowledge
4463 | Knowledge of how computer programs are executed. | Knowledge
4464 | Knowledge of how host-based security products, logging, and malware may affect tool functionality. | Knowledge
4465 | Knowledge of how other actors may affect operations. | Knowledge
4466 | Knowledge of how race conditions occur and can be employed to compromise shared resources. | Knowledge
4482 | Knowledge of malware triage. | Knowledge
4485 | Knowledge of methods and procedures for sending a payload via an existing implant. | Knowledge
4486 | Knowledge of methods, strategies, and techniques of evading detection while conducting operations (e.g., noise, stealth, situational awareness). | Knowledge
4487 | Knowledge of methods, tools, and procedures for collecting information, including accessing databases and file systems. | Knowledge
4488 | Knowledge of methods, tools, and procedures for exploiting target systems. | Knowledge
4489 | Knowledge of methods, tools, and techniques used to determine the path to a target host/network (e.g., identify satellite hops). | Knowledge
4496 | Knowledge of models for examining cyber threats (e.g., cyber kill chain, MITRE ATT&CK). | Knowledge
4498 | Knowledge of modes of communication used by a target, such as cable, fiber optic, satellite, microwave, VSAT, or combinations of these. | Knowledge
4502 | Knowledge of open source tactics that enable initial access (e.g., social engineering, phishing). | Knowledge
4503 | Knowledge of operating system command shells and configuration data. | Knowledge
4505 | Knowledge of operational infrastructure. | Knowledge
4508 | Knowledge of operational security, logging, admin concepts, and troubleshooting. | Knowledge
4510 | Knowledge of password cracking techniques. | Knowledge
4519 | Knowledge of process migration. | Knowledge
4540 | Knowledge of system administration concepts for distributed or managed operating environments. | Knowledge
4541 | Knowledge of system administration concepts for stand-alone operating systems. | Knowledge
4542 | Knowledge of system calls. | Knowledge
4552 | Knowledge of the components of an authentication system. | Knowledge
4553 | Knowledge of the concept of an advanced persistent threat (APT). | Knowledge
4563 | Knowledge of the location and use of tool documentation. | Knowledge
4564 | Knowledge of the methods and procedures for communicating with tools/modules, including the use of listening posts. | Knowledge
4565 | Knowledge of the methods of persistence. | Knowledge
4567 | Knowledge of the Mission Improvement Process. | Knowledge
4571 | Knowledge of the Plan, Brief, Execute, and Debrief process. | Knowledge
4581 | Knowledge of the tactics development process. | Knowledge
4586 | Knowledge of threats to OPSEC when installing, using, modifying, and uninstalling tools. | Knowledge
4587 | Knowledge of the tool release/testing process. | Knowledge
4593 | Knowledge of VPNs, their purpose, and how they can be leveraged. | Knowledge
4628 | Skill in enumerating a host (e.g., file systems, host metadata, host characteristics). | Skill
4641 | Skill in manipulating firewall/host-based security configurations and rulesets. | Skill
4663 | Skill in retrieving memory-resident data. | Skill
4670 | Skill in transferring files to target devices (e.g., scp, tftp, http, ftp). | Skill
4674 | Skill in using network enumeration and analysis tools, both active and passive. | Skill
8001 | Advise leadership on operational tradecraft, emerging technology, and technical health of the force. | Task
8015 | Approve remediation actions. | Task
8017 | As authorized, train cyberspace operators at one’s certification level or below. | Task
8020 | Assess the technical health of the cyberspace operator work role. | Task
8021 | Assess, recommend, and evaluate remediation actions. | Task
8030 | Conduct cyber activities to deny, degrade, disrupt, destroy, or manipulate (D4M). | Task
8037 | Conduct post-mission actions. | Task
8039 | Conduct pre-mission actions. | Task
8040 | Conduct pre-operation research and preparation. | Task
8052 | Create/normalize/document/evaluate TTPs in cyberspace operations. | Task
8067 | Develop and/or inform risk assessments. | Task
8071 | Develop operational training solutions. | Task
8073 | Develop remediation actions. | Task
8074 | Develop risk assessments for non-standard events and ad hoc tradecraft. | Task
8083 | Employ collection TTPs in cyberspace operations. | Task
8084 | Employ credential access TTPs in cyberspace operations. | Task
8086 | Employ discovery TTPs in cyberspace operations. | Task
8087 | Employ exfiltration TTPs in cyberspace operations. | Task
8088 | Employ lateral movement TTPs in cyberspace operations. | Task
8089 | Employ TTPs in categories at one’s certification level or below. | Task
8097 | Evaluate cyberspace operator performance at one’s certification level or below. | Task
8112 | Identify targets of opportunity in order to influence operational planning. | Task
8113 | Identify the appropriate operating authorities and guidance. | Task
8130 | Maintain operational and technical situational awareness during operations. | Task
8158 | Produce strategy to inform the commander’s decision-making process. | Task
8167 | Provide input to mission debrief. | Task
8168 | Provide input to operational policy. | Task
8169 | Provide input to post-mission planning. | Task
8170 | Provide input to pre-mission planning. | Task
8174 | Provide oversight of operations. | Task
8175 | Provide quality control of operations and cyberspace operator products at one’s certification level or below. | Task
8181 | Recognize and respond to indicators of compromise (IOCs). | Task
8183 | Recognize and respond to events that change risk. | Task
8184 | Record and document activities during cyberspace operations. | Task
8192 | Steward the cyberspace operator work role. | Task
8197 | Train cyberspace operators at their certified level or below. | Task