Cyberspace Operator
Cyberspace Operators use a wide range of software applications for network navigation, tactical forensic analysis, surveillance and reconnaissance, and executing on-net operations in support of offensive cyberspace operations when directed.
Core KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 22 | Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
| 108 | Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
| 1157 | Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
| 1158 | Knowledge of cybersecurity principles. | Knowledge |
| 1159 | Knowledge of cyber threats and vulnerabilities. | Knowledge |
| 6900 | Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
| 6935 | Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
| 6938 | Knowledge of cloud computing deployment models (private, public, and hybrid environments) and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 49 | Knowledge of host/network access control mechanisms (e.g., access control lists). | Knowledge |
| 81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services. | Knowledge |
| 105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] injection, race conditions, covert channels, replay, return-oriented attacks, malicious code). | Knowledge |
| 264 | Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, network interface cards, data storage). | Knowledge |
| 286 | Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gz). | Knowledge |
| 287 | Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], Extended File System [ext]). | Knowledge |
| 344 | Knowledge of virtualization technologies and virtual machine development and maintenance. | Knowledge |
| 350 | Skill in analyzing memory dumps to extract information. | Skill |
| 1033 | Knowledge of basic system administration, network, and operating system hardening techniques. | Knowledge |
| 1063A | Knowledge of operating system structures and internals (e.g., process management, directory structure, installed applications). | Knowledge |
| 1064 | Knowledge of Extensible Markup Language (XML) schemas. | Knowledge |
| 1094 | Knowledge of debugging procedures and tools. | Knowledge |
| 1128A | Knowledge of database access application programming interfaces (APIs) (e.g., Java Database Connectivity [JDBC]). | Knowledge |
| 2020 | Analyze internal operational architecture, tools, and procedures for ways to improve performance. | Task |
| 2020A | Analyze target operational architecture for ways to gain access. | Task |
| 2088 | Collaborate with development organizations to create and deploy the tools needed to achieve objectives. | Task |
| 2119 | Conduct network scouting and vulnerability analyses of systems within a network. | Task |
| 2123 | Conduct on-net and off-net activities to control, and exfiltrate data from, deployed automated technologies. | Task |
| 2124 | Conduct open source data collection via various online tools. | Task |
| 2133 | Conduct surveys of computer and digital networks. | Task |
| 2205 | Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers). | Task |
| 2226 | Detect exploits against targeted networks and hosts and react accordingly. | Task |
| 2353 | Edit or execute simple scripts (e.g., Perl, VBS) on Windows and UNIX systems. | Task |
| 2477 | Identify potential points of strength and vulnerability within a network. | Task |
| 2559 | Maintain situational awareness and functionality of organic operational infrastructure. | Task |
| 2660 | Conduct cyber activities to degrade/remove information resident in computers and computer networks. | Task |
| 2708 | Process exfiltrated data for analysis and/or dissemination to customers. | Task |
| 3003 | Ability to adjust to and operate in a diverse, unpredictable, challenging, and fast-paced work environment. | Ability |
| 3007 | Ability to analyze malware. | Ability |
| 3022 | Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means. | Ability |
| 3059 | Ability to interpret and translate customer requirements into operational action. | Ability |
| 3063 | Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity. | Ability |
| 3069 | Ability to produce technical documentation. | Ability |
| 3103A | Ability to identify/describe target vulnerability. | Ability |
| 3125 | Knowledge of assembly code. | Knowledge |
| 3130 | Knowledge of auditing and logging procedures (including server-based logging). | Knowledge |
| 3133 | Knowledge of basic backup and recovery procedures, including different types of backups (e.g., full, incremental). | Knowledge |
| 3140 | Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted languages). | Knowledge |
| 3141 | Knowledge of basic software applications (e.g., data storage and backup, database applications) and their vulnerabilities. | Knowledge |
| 3144 | Knowledge of basic wireless applications, including vulnerabilities in various types of wireless applications. | Knowledge |
| 3206 | Knowledge of current software and methodologies for active defense and system hardening. | Knowledge |
| 3235 | Knowledge of deconfliction processes and procedures. | Knowledge |
| 3253 | Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP). | Knowledge |
| 3259 | Knowledge of enterprise-wide information management. | Knowledge |
| 3261 | Knowledge of evasion strategies and techniques. | Knowledge |
| 3267 | Knowledge of deconfliction reporting, to include external organization interaction. | Knowledge |
| 3267A | Knowledge of internal and external partner reporting. | Knowledge |
| 3270 | Knowledge of forensic implications of operating system structure and operations. | Knowledge |
| 3286 | Knowledge of host-based security products and how they affect exploitation and vulnerability. | Knowledge |
| 3317 | Knowledge of implementing Unix and Windows systems that provide RADIUS authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP. | Knowledge |
| 3346 | Knowledge of Internet and routing protocols. | Knowledge |
| 3374 | Knowledge of malware. | Knowledge |
| 3378 | Knowledge of methods and techniques used to detect various exploitation activities. | Knowledge |
| 3399 | Knowledge of network administration. | Knowledge |
| 3402 | Knowledge of network construction and topology. | Knowledge |
| 3441 | Knowledge of physical and logical network devices and infrastructure, to include hubs, switches, routers, firewalls, etc. | Knowledge |
| 3454 | Knowledge of products and nomenclature of major vendors (e.g., security suites: Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities. | Knowledge |
| 3473 | Knowledge of satellite-based communication systems. | Knowledge |
| 3479 | Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation. | Knowledge |
| 3480 | Knowledge of security implications of software configurations. | Knowledge |
| 3508 | Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network). | Knowledge |
| 3513 | Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems. | Knowledge |
| 3525 | Knowledge of organizational and partner policies, tools, capabilities, and procedures. | Knowledge |
| 3534 | Knowledge of target, including related current events, communication profile, actors, and history (language, culture) and/or frame of reference. | Knowledge |
| 3543 | Knowledge of the basic structure, architecture, and design of modern communication networks. | Knowledge |
| 3561 | Knowledge of the common networking and routing protocols (e.g., TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications. | Knowledge |
| 3579 | Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence. | Knowledge |
| 3587 | Knowledge of targeting cycles. | Knowledge |
| 3631 | Knowledge of internal and external partner organization capabilities and limitations (those with tasking, collection, processing, exploitation, and dissemination responsibilities). | Knowledge |
| 3637 | Knowledge of Unix/Linux and Windows operating system structures and internals (e.g., process management, directory structure, installed applications). | Knowledge |
| 3642 | Knowledge of various types of computer architectures. | Knowledge |
| 3644 | Knowledge of virtual machine technologies. | Knowledge |
| 3658B | Ability to perform network collection tactics, techniques, and procedures, to include decryption capabilities/tools. | Ability |
| 3658 | Knowledge of network collection procedures, to include decryption capabilities/tools, techniques, and procedures. | Knowledge |
| 3670 | Skill in analyzing terminal or environment collection data. | Skill |
| 3690 | Skill in assessing current tools to identify needed improvements. | Skill |
| 3695 | Skill in auditing firewalls, perimeters, routers, and intrusion detection systems. | Skill |
| 3722 | Skill in data mining techniques (e.g., searching file systems) and analysis. | Skill |
| 3740 | Skill in determining installed patches on various operating systems and identifying patch signatures. | Skill |
| 3777 | Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools. | Skill |
| 3779 | Skill in extracting information from packet captures. | Skill |
| 3801 | Skill in identifying the devices that work at each level of protocol models. | Skill |
| 3815 | Skill in interpreting vulnerability scanner results to identify vulnerabilities. | Skill |
| 3817 | Skill in knowledge management, including technical documentation techniques (e.g., wiki pages). | Skill |
| 3859 | Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., Perl, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data). | Skill |
| 3859A | Ability to read, interpret, write, modify, and execute simple scripts (e.g., Perl, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data). | Ability |
| 3871 | Skill in remote command line and graphical user interface (GUI) tool usage. | Skill |
| 3883 | Skill in server administration. | Skill |
| 3897 | Skill in technical writing. | Skill |
| 3899 | Skill in testing and evaluating tools for implementation. | Skill |
| 3929 | Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target. | Skill |
| 3929A | Skill in using tools, techniques, and procedures to exploit a target. | Skill |
| 3948 | Skill in verifying the integrity of all files. | Skill |
| 4086 | Knowledge of relevant laws, regulations, and policies. | Knowledge |
| 4191 | Ability to apply tradecraft to minimize risk of detection, mitigate risk, and minimize creation of a behavioral signature. | Ability |
| 4199 | Ability to characterize a target admin/user’s technical abilities, habits, and skills. | Ability |
| 4204 | Ability to communicate operational plans and actions and provide feedback regarding OPSEC and tradecraft during mission pre-brief. | Ability |
| 4213 | Ability to conduct open source research. | Ability |
| 4219 | Ability to construct a course of action (COA) using available tools and techniques. | Ability |
| 4222 | Ability to continually research and develop new tools/techniques. | Ability |
| 4229 | Ability to create rules and filters (e.g., Berkeley Packet Filter, regular expressions). | Ability |
| 4243 | Ability to ensure collected data is transferred to the appropriate storage locations. | Ability |
| 4244 | Ability to enumerate a network. | Ability |
| 4248 | Ability to enumerate user permissions and privileges. | Ability |
| 4249 | Ability to evade or counter security products or host-based defenses. | Ability |
| 4261 | Ability to exploit vulnerabilities to gain additional access. | Ability |
| 4263 | Ability to extract credentials from hosts. | Ability |
| 4271 | Ability to identify capability gaps (e.g., insufficient tools, training, or infrastructure). | Ability |
| 4276 | Ability to identify files containing information critical to operational objectives. | Ability |
| 4278 | Ability to identify legal, policy, and technical limitations when conducting cyberspace operations. | Ability |
| 4279 | Ability to identify logging capabilities on a host. | Ability |
| 4285 | Ability to identify what tools or tactics, techniques, and procedures (TTPs) are applicable to a given situation. | Ability |
| 4292 | Ability to improve the performance of cyberspace operators by providing constructive (positive and negative) feedback. | Ability |
| 4293 | Ability to install/modify/uninstall tools on target systems in accordance with current policies and procedures. | Ability |
| 4296 | Ability to interpret device configurations. | Ability |
| 4297 | Ability to interpret cyberspace technical materials and documentation (e.g., CVEs, API documentation). | Ability |
| 4298 | Ability to maintain situational awareness of the target environment. | Ability |
| 4305 | Ability to model a simulated environment to conduct mission rehearsal and mitigate risk of actions taken during operations. | Ability |
| 4308 | Ability to operate automated systems to interact with the target environment. | Ability |
| 4324 | Ability to perform masquerade operations. | Ability |
| 4325 | Ability to perform privilege escalation. | Ability |
| 4327 | Ability to persist access to a target. | Ability |
| 4330 | Ability to plan, brief, execute, and debrief a mission. | Ability |
| 4334 | Ability to promote and enable organizational change. | Ability |
| 4335 | Ability to provide advice and guidance to various stakeholders regarding technical issues, capabilities, and approaches. | Ability |
| 4336 | Ability to provide feedback to developers if a tool requires continued development. | Ability |
| 4340 | Ability to provide technical leadership within an organization. | Ability |
| 4341 | Ability to read, write, modify, and execute compiled languages (e.g., C). | Ability |
| 4342 | Ability to extract specific information from large data sets (e.g., grep, regular expressions). | Ability |
| 4343 | Ability to recognize and report mistakes or poor tradecraft to appropriate leadership in accordance with Standard Operating Procedures (SOPs). | Ability |
| 4344 | Ability to recognize and respond appropriately to non-standard events. | Ability |
| 4345 | Ability to redirect and tunnel through target systems. | Ability |
| 4346 | Ability to remediate indicators of compromise. | Ability |
| 4347 | Ability to research non-standards within a project. | Ability |
| 4350 | Ability to retrieve historical operational data. | Ability |
| 4359 | Ability to train other cyberspace operators. | Ability |
| 4361 | Ability to troubleshoot technical problems. | Ability |
| 4367 | Ability to use core toolset (e.g., implants, remote access tools). | Ability |
| 4369 | Ability to use dynamic analysis tools (e.g., Process Monitor, Process Explorer, registry analysis). | Ability |
| 4370 | Ability to use enterprise tools to enumerate target information. | Ability |
| 4378 | Ability to verify file integrity for both uploads and downloads. | Ability |
| 4379 | Ability to weaken a target to facilitate/enable future access. | Ability |
| 4380 | Ability to write and modify markup languages (e.g., HTML, XML). | Ability |
| 4381 | Ability to write and modify source code (e.g., C). | Ability |
| 4388 | Knowledge of access control models (e.g., Role-Based Access Control, Attribute-Based Access Control). | Knowledge |
| 4391 | Knowledge of advanced redirection techniques. | Knowledge |
| 4393 | Knowledge of appropriate/inappropriate information to include in operational documentation (e.g., OPNOTES, technical summaries, action maps, etc.). | Knowledge |
| 4395 | Knowledge of basic client software applications and their attack surfaces. | Knowledge |
| 4396 | Knowledge of basic cloud-based technologies and concepts. | Knowledge |
| 4399 | Knowledge of basic embedded systems concepts. | Knowledge |
| 4402 | Knowledge of basic redirection techniques (e.g., iptables, SSH tunneling, netsh). | Knowledge |
| 4403 | Knowledge of basic server software applications and their attack surfaces. | Knowledge |
| 4404 | Knowledge of code injection and its employment in cyberspace operations. | Knowledge |
| 4414 | Knowledge of common network administration best practices and their impact on operations. | Knowledge |
| 4419 | Knowledge of credential sources and restrictions related to credential usage. | Knowledge |
| 4437 | Knowledge of device reboots, including when they occur and their impact on tool functionality. | Knowledge |
| 4444 | Knowledge of evolving technologies. | Knowledge |
| 4447 | Knowledge of factors that would suspend or abort an operation. | Knowledge |
| 4458 | Knowledge of historical data relating to particular targets and projects prior to an operation, including reviewing TECHSUMs, previous OPNOTEs, etc. | Knowledge |
| 4463 | Knowledge of how computer programs are executed. | Knowledge |
| 4464 | Knowledge of how host-based security products, logging, and malware may affect tool functionality. | Knowledge |
| 4465 | Knowledge of how other actors may affect operations. | Knowledge |
| 4466 | Knowledge of how race conditions occur and can be employed to compromise shared resources. | Knowledge |
| 4482 | Knowledge of malware triage. | Knowledge |
| 4485 | Knowledge of methods and procedures for sending a payload via an existing implant. | Knowledge |
| 4486 | Knowledge of methods, strategies, and techniques of evading detection while conducting operations, such as noise, stealth, situational awareness, etc. | Knowledge |
| 4487 | Knowledge of methods, tools, and procedures for collecting information, including accessing databases and file systems. | Knowledge |
| 4488 | Knowledge of methods, tools, and procedures for exploiting target systems. | Knowledge |
| 4489 | Knowledge of methods, tools, and techniques used to determine the path to a target host/network (e.g., identify satellite hops). | Knowledge |
| 4496 | Knowledge of models for examining cyber threats (e.g., cyber kill chain, MITRE ATT&CK). | Knowledge |
| 4498 | Knowledge of modes of communication used by a target, such as cable, fiber optic, satellite, microwave, VSAT, or combinations of these. | Knowledge |
| 4502 | Knowledge of open source tactics that enable initial access (e.g., social engineering, phishing). | Knowledge |
| 4503 | Knowledge of operating system command shells and configuration data. | Knowledge |
| 4505 | Knowledge of operational infrastructure. | Knowledge |
| 4508 | Knowledge of operational security, logging, admin concepts, and troubleshooting. | Knowledge |
| 4510 | Knowledge of password cracking techniques. | Knowledge |
| 4519 | Knowledge of process migration. | Knowledge |
| 4540 | Knowledge of system administration concepts for distributed or managed operating environments. | Knowledge |
| 4541 | Knowledge of system administration concepts for stand-alone operating systems. | Knowledge |
| 4542 | Knowledge of system calls. | Knowledge |
| 4552 | Knowledge of the components of an authentication system. | Knowledge |
| 4553 | Knowledge of the concept of an advanced persistent threat (APT). | Knowledge |
| 4563 | Knowledge of the location and use of tool documentation. | Knowledge |
| 4564 | Knowledge of the methods and procedures for communicating with tools/modules, including the use of listening posts. | Knowledge |
| 4565 | Knowledge of the methods of persistence. | Knowledge |
| 4567 | Knowledge of the Mission Improvement Process. | Knowledge |
| 4571 | Knowledge of the Plan, Brief, Execute, and Debrief process. | Knowledge |
| 4581 | Knowledge of the tactics development process. | Knowledge |
| 4586 | Knowledge of threats to OPSEC when installing, using, modifying, and uninstalling tools. | Knowledge |
| 4587 | Knowledge of the tool release/testing process. | Knowledge |
| 4593 | Knowledge of VPNs, their purpose, and how they can be leveraged. | Knowledge |
| 4628 | Skill in enumerating a host (e.g., file systems, host metadata, host characteristics). | Skill |
| 4641 | Skill in manipulating firewall/host-based security configuration and rulesets. | Skill |
| 4663 | Skill in retrieving memory-resident data. | Skill |
| 4670 | Skill in transferring files to target devices (e.g., SCP, TFTP, HTTP, FTP). | Skill |
| 4674 | Skill in using network enumeration and analysis tools, both active and passive. | Skill |
| 6100 | Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities. | Ability |
| 8001 | Advise leadership on operational tradecraft, emerging technology, and technical health of the force. | Task |
| 8015 | Approve remediation actions. | Task |
| 8017 | As authorized, train cyberspace operators at one’s certification level or below. | Task |
| 8020 | Assess the technical health of the cyberspace operator work role. | Task |
| 8021 | Assess, recommend, and evaluate remediation actions. | Task |
| 8030 | Conduct cyber activities to deny, degrade, disrupt, destroy, and manipulate (D4M). | Task |
| 8037 | Conduct post-mission actions. | Task |
| 8039 | Conduct pre-mission actions. | Task |
| 8040 | Conduct pre-operation research and preparation. | Task |
| 8052 | Create/normalize/document/evaluate TTPs in cyberspace operations. | Task |
| 8067 | Develop and/or inform risk assessments. | Task |
| 8071 | Develop operational training solutions. | Task |
| 8073 | Develop remediation actions. | Task |
| 8074 | Develop risk assessments for non-standard events and ad hoc tradecraft. | Task |
| 8083 | Employ collection TTPs in cyberspace operations. | Task |
| 8084 | Employ credential access TTPs in cyberspace operations. | Task |
| 8086 | Employ discovery TTPs in cyberspace operations. | Task |
| 8087 | Employ exfiltration TTPs in cyberspace operations. | Task |
| 8088 | Employ lateral movement TTPs in cyberspace operations. | Task |
| 8089 | Employ TTPs in categories at one’s certification level or below. | Task |
| 8097 | Evaluate cyberspace operator performance at one’s certification level or below. | Task |
| 8112 | Identify targets of opportunity in order to influence operational planning. | Task |
| 8113 | Identify the appropriate operating authorities and guidance. | Task |
| 8130 | Maintain operational and technical situational awareness during operations. | Task |
| 8158 | Produce strategy to inform the commander’s decision-making process. | Task |
| 8167 | Provide input to mission debrief. | Task |
| 8168 | Provide input to operational policy. | Task |
| 8169 | Provide input to post-mission planning. | Task |
| 8170 | Provide input to pre-mission planning. | Task |
| 8181 | Recognize and respond to indicators of compromise (IOC). | Task |
| 8183 | Recognize and respond to events that change risk. | Task |
| 8184 | Record and document activities during cyberspace operations. | Task |
| 8192 | Steward the cyberspace operator work role. | Task |
| 8197 | Train cyberspace operators at their certified level or below. | Task |
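KSATs 3948 and 4378 (verifying file integrity for uploads and downloads) are the one item above that reduces to a concrete, checkable routine, so an added example follows. It is illustrative code written for this page, not part of the DCWF or any operational toolset. It verifies a staged directory against a sha256sum-style manifest and reports intact, modified, missing, and unexpected files; the directory layout, file contents, and manifest are constructed inside the script so it runs offline, and the file names (tool.bin, config.ini, lib/helper.so, notes.txt) are hypothetical.

```python
"""Verify files against a SHA-256 manifest before trusting an upload or download.

Added example for this page (not DCWF or project code). Every path, file body and
manifest line below is constructed in demo() so the script runs stand-alone.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large transfers never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <relative path>' (a leading '*'
    on the path, sha256sum's binary-mode marker, is accepted). Comments and blank
    lines are skipped; anything else is rejected rather than silently ignored."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_tree(root, manifest_text):
    """Compare every file under root with the manifest.

    Returns {"ok", "modified", "missing", "unexpected"} -> sorted lists of relative
    paths. Unexpected files are reported deliberately: a file that is present but
    not in the manifest is as much a finding as a digest mismatch.
    """
    root = Path(root)
    expected = parse_manifest(manifest_text)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(expected.items()):
        if rel not in present:
            result["missing"].append(rel)
            continue
        actual = sha256_file(root / rel)
        # compare_digest rather than == so the comparison is constant-time
        if hmac.compare_digest(actual, digest):
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["unexpected"] = sorted(present - expected.keys())
    return result


def demo():
    """Constructed scenario: one intact file, one tampered file, one missing file,
    and one file that was never in the manifest. Returns the verify_tree() result."""
    tool_body = b"\x7fELF" + b"A" * 100          # constructed, not a real binary
    config_shipped = b"[c2]\nhost=original.invalid\n"
    config_on_disk = b"[c2]\nhost=example.invalid\n"  # modified after staging
    helper_body = b"never arrived"
    manifest = "\n".join([
        "# constructed manifest for the demo",
        hashlib.sha256(tool_body).hexdigest() + "  tool.bin",
        hashlib.sha256(config_shipped).hexdigest() + "  config.ini",
        hashlib.sha256(helper_body).hexdigest() + "  lib/helper.so",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tool.bin").write_bytes(tool_body)
        (root / "config.ini").write_bytes(config_on_disk)
        (root / "notes.txt").write_bytes(b"left behind")   # not in manifest
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Run it as a script to see the four buckets; in practice the manifest is obtained over a channel separate from the files themselves, and a non-empty `modified`, `missing`, or `unexpected` list should stop the transfer from being used.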