Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.

Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.

Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge of network traffic analysis methods.

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.

Skill in performing packet-level analysis.

Skill in collecting data from a variety of cyber defense resources.

Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.

Coordinate with enterprise-wide cyber defense staff to validate network alerts.

Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.

Perform cyber defense trend analysis and reporting.

Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.

Perform security reviews and identify security gaps in security architecture resulting in recommendations for the inclusion into the risk mitigation strategy.

Provide daily summary reports of network events and activity relevant to cyber defense practices.

Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.

Skill in recognizing and categorizing types of vulnerabilities and associated attacks.

Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities.​

Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities.

Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.

Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.

Knowledge of cyber defense policies, procedures, and regulations.

Knowledge of the common attack vectors on the network layer.

Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).

Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).

Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings).

Identify applications and operating systems of a network device based on network traffic.

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Skill in recognizing vulnerabilities in information and/or data systems.

Knowledge of authentication, authorization, and access control methods.

Knowledge of computer algorithms.

Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).

Knowledge of cryptography and cryptographic key management concepts.

Knowledge of database systems.

Knowledge of embedded systems.

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.

Knowledge of incident response and handling methodologies.

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Skill in conducting trend analysis.

Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).

Knowledge of new and emerging control systems technologies.

Knowledge of operating systems.

Knowledge of penetration testing principles, tools, and techniques.

Knowledge of policy-based and risk adaptive access controls.

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge of key concepts in security management (e.g., Release Management, Patch Management).

Knowledge of security system design tools, methods, and techniques.

Knowledge of systems security testing and evaluation methods.

Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).

Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.

Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.

Knowledge of Virtual Private Network (VPN) security.

Skill in developing and deploying signatures.

Knowledge of countermeasures for identified security risks.

Skill in assessing security controls based on cybersecurity principles and tenets.

Skill in detecting host and network based intrusions via intrusion detection technologies.

Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.

Skill in evaluating the adequacy of security designs.

Knowledge of network mapping and recreating network topologies.

Skill in using incident handling methodologies.

Skill in using protocol analyzers.

Knowledge of the use of sub-netting tools.

Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).

Knowledge of common network tools (e.g., ping, traceroute, nslookup).

Knowledge of defense-in-depth principles and network security architecture.

Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).

Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).

Knowledge of operating system command line/prompt.

Develop content for cyber defense tools.

Analyze and report system security posture trends.

Analyze and report organizational security posture trends.

Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.

Assess adequate access controls based on principles of least privilege and need-to-know.

Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.

Assess and monitor cybersecurity related to system implementation and testing practices.

Plan and recommend modifications or adjustments based on exercise results or system environment.

Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities.

Work with stakeholders to resolve computer security incidents and vulnerability compliance.

Knowledge of interpreted and compiled computer languages.

Knowledge of collection management processes, capabilities, and limitations.

Knowledge of front-end collection systems, including traffic collection, filtering, and selection.

Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.

Knowledge of threat environments (e.g., first generation threat actors, threat activities).

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge of Personal Health Information (PHI) data security standards.

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.

Determine tactics, techniques, and procedures (TTPs) for intrusion sets.

Examine network topologies to understand data flows through the network.

Recommend computing environment vulnerability corrections.

Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.

Isolate and remove malware.

Identify applications and operating systems of a network device based on network traffic.

Reconstruct a malicious attack or activity based off network traffic.

Identify network mapping and operating system (OS) fingerprinting activities.

Knowledge of encryption methodologies.

Skill in reading and interpreting signatures (e.g., snort).

Knowledge of signature implementation impact.

Ability to interpret and incorporate data from multiple tool sources.

Knowledge of Windows/Unix ports and services.

Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).

Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave.

Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan.

Ability to analyze malware.

Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.

Knowledge of cloud service models and possible limitations for an incident response.