Cyberspace Operator

Work Role ID: 322 (NIST: N/A)
Workforce Element: Cyberspace Effects

Cyberspace Operators use a wide range of software applications for network navigation, tactical forensic analysis, surveillance and reconnaissance, and executing on-net operations in support of offensive cyberspace operations when directed.


Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

KSAT ID | Description | KSAT
--- | --- | ---
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
--- | --- | ---
49 | Knowledge of host/network access control mechanisms (e.g., access control list). | Knowledge
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services. | Knowledge
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge
264 | Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). | Knowledge
286 | Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip). | Knowledge
287 | Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]). | Knowledge
344 | Knowledge of virtualization technologies and virtual machine development and maintenance. | Knowledge
350 | Skill in analyzing memory dumps to extract information. | Skill
1033 | Knowledge of basic system administration, network, and operating system hardening techniques. | Knowledge
1063A | Knowledge of operating system structures and internals (e.g., process management, directory structure, installed applications). | Knowledge
1064 | Knowledge of Extensible Markup Language (XML) schemas. | Knowledge
1094 | Knowledge of debugging procedures and tools. | Knowledge
1128A | Knowledge of database access application programming interfaces (APIs) (e.g., Java Database Connectivity [JDBC]). | Knowledge
2020 | Analyze internal operational architecture, tools, and procedures for ways to improve performance. | Task
2020A | Analyze target operational architecture for ways to gain access. | Task
2088 | Collaborate with development organizations to create and deploy the tools needed to achieve objectives. | Task
2119 | Conduct network scouting and vulnerability analyses of systems within a network. | Task
2123 | Conduct on-net and off-net activities to control and exfiltrate data from deployed, automated technologies. | Task
2124 | Conduct open source data collection via various online tools. | Task
2133 | Conduct survey of computer and digital networks. | Task
2205 | Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers). | Task
2226 | Detect exploits against targeted networks and hosts and react accordingly. | Task
2353 | Edit or execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems. | Task
2477 | Identify potential points of strength and vulnerability within a network. | Task
2559 | Maintain situational awareness and functionality of organic operational infrastructure. | Task
2660 | Conduct cyber activities to degrade/remove information resident in computers and computer networks. | Task
2708 | Process exfiltrated data for analysis and/or dissemination to customers. | Task
3003 | Ability to adjust to and operate in a diverse, unpredictable, challenging, and fast-paced work environment. | Ability
3007 | Ability to analyze malware. | Ability
3022 | Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means. | Ability
3059 | Ability to interpret and translate customer requirements into operational action. | Ability
3063 | Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity. | Ability
3069 | Ability to produce technical documentation. | Ability
3103A | Ability to identify/describe target vulnerability. | Ability
3125 | Knowledge of assembly code. | Knowledge
3130 | Knowledge of auditing and logging procedures (including server-based logging). | Knowledge
3133 | Knowledge of basic back-up and recovery procedures including different types of backups (e.g., full, incremental). | Knowledge
3140 | Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted languages). | Knowledge
3141 | Knowledge of basic software applications (e.g., data storage and backup, database applications) and their vulnerabilities. | Knowledge
3144 | Knowledge of basic wireless applications, including vulnerabilities in various types of wireless applications. | Knowledge
3206 | Knowledge of current software and methodologies for active defense and system hardening. | Knowledge
3235 | Knowledge of deconfliction processes and procedures. | Knowledge
3253 | Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP). | Knowledge
3259 | Knowledge of enterprise-wide information management. | Knowledge
3261 | Knowledge of evasion strategies and techniques. | Knowledge
3267 | Knowledge of deconfliction reporting to include external organization interaction. | Knowledge
3267A | Knowledge of internal and external partner reporting. | Knowledge
3270 | Knowledge of forensic implications of operating system structure and operations. | Knowledge
3286 | Knowledge of host-based security products and how they affect exploitation and vulnerability. | Knowledge
3317 | Knowledge of implementing Unix and Windows systems that provide RADIUS authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP. | Knowledge
3346 | Knowledge of Internet and routing protocols. | Knowledge
3374 | Knowledge of malware. | Knowledge
3378 | Knowledge of methods and techniques used to detect various exploitation activities. | Knowledge
3399 | Knowledge of network administration. | Knowledge
3402 | Knowledge of network construction and topology. | Knowledge
3441 | Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc. | Knowledge
3454 | Knowledge of products and nomenclature of major vendors (e.g., security suites: Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities. | Knowledge
3473 | Knowledge of satellite-based communication systems. | Knowledge
3479 | Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation. | Knowledge
3480 | Knowledge of security implications of software configurations. | Knowledge
3508 | Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network). | Knowledge
3513 | Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems. | Knowledge
3525 | Knowledge of organizational and partner policies, tools, capabilities, and procedures. | Knowledge
3534 | Knowledge of target, including related current events, communication profile, actors, and history (language, culture) and/or frame of reference. | Knowledge
3543 | Knowledge of the basic structure, architecture, and design of modern communication networks. | Knowledge
3561 | Knowledge of the common networking and routing protocols (e.g., TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications. | Knowledge
3579 | Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence. | Knowledge
3587 | Knowledge of targeting cycles. | Knowledge
3631 | Knowledge of internal and external partner organization capabilities and limitations (those with tasking, collection, processing, exploitation and dissemination responsibilities). | Knowledge
3637 | Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications). | Knowledge
3642 | Knowledge of various types of computer architectures. | Knowledge
3644 | Knowledge of virtual machine technologies. | Knowledge
3658B | Ability to perform network collection tactics, techniques, and procedures to include decryption capabilities/tools. | Ability
3658 | Knowledge of network collection procedures to include decryption capabilities/tools, techniques, and procedures. | Knowledge
3670 | Skill in analyzing terminal or environment collection data. | Skill
3690 | Skill in assessing current tools to identify needed improvements. | Skill
3695 | Skill in auditing firewalls, perimeters, routers, and intrusion detection systems. | Skill
3722 | Skill in data mining techniques (e.g., searching file systems) and analysis. | Skill
3740 | Skill in determining installed patches on various operating systems and identifying patch signatures. | Skill
3777 | Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools. | Skill
3779 | Skill in extracting information from packet captures. | Skill
3801 | Skill in identifying the devices that work at each level of protocol models. | Skill
3815 | Skill in interpreting vulnerability scanner results to identify vulnerabilities. | Skill
3817 | Skill in knowledge management, including technical documentation techniques (e.g., Wiki page). | Skill
3859 | Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data). | Skill
3859A | Ability to read, interpret, write, modify, and execute simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data). | Ability
3871 | Skill in remote command line and Graphic User Interface (GUI) tool usage. | Skill
3883 | Skill in server administration. | Skill
3897 | Skill in technical writing. | Skill
3899 | Skill in testing and evaluating tools for implementation. | Skill
3929 | Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target. | Skill
3929A | Skill in using tools, techniques, and procedures to exploit a target. | Skill
3948 | Skill in verifying the integrity of all files. | Skill
4086 | Knowledge of relevant laws, regulations, and policies. | Knowledge
4191 | Ability to apply tradecraft to minimize risk of detection, mitigate risk, and minimize creation of behavioral signature. | Ability
4199 | Ability to characterize a target admin/user's technical abilities, habits, and skills. | Ability
4204 | Ability to communicate operational plans and actions and provide feedback regarding OPSEC and tradecraft during mission pre-brief. | Ability
4213 | Ability to conduct open source research. | Ability
4219 | Ability to construct a COA using available tools and techniques. | Ability
4222 | Ability to continually research and develop new tools/techniques. | Ability
4229 | Ability to create rules and filters (e.g., Berkeley Packet Filter, Regular Expression). | Ability
4243 | Ability to ensure collected data is transferred to the appropriate storage locations. | Ability
4244 | Ability to enumerate a network. | Ability
4248 | Ability to enumerate user permissions and privileges. | Ability
4249 | Ability to evade or counter security products or host-based defenses. | Ability
4261 | Ability to exploit vulnerabilities to gain additional access. | Ability
4263 | Ability to extract credentials from hosts. | Ability
4271 | Ability to identify capability gaps (e.g., insufficient tools, training, or infrastructure). | Ability
4276 | Ability to identify files containing information critical to operational objectives. | Ability
4278 | Ability to identify legal, policy, and technical limitations when conducting cyberspace operations. | Ability
4279 | Ability to identify logging capabilities on host. | Ability
4285 | Ability to identify what tools or Tactics, Techniques, and Procedures (TTPs) are applicable to a given situation. | Ability
4292 | Ability to improve the performance of cyberspace operators by providing constructive (positive and negative) feedback. | Ability
4293 | Ability to install/modify/uninstall tools on target systems in accordance with current policies and procedures. | Ability
4296 | Ability to interpret device configurations. | Ability
4297 | Ability to interpret cyberspace technical materials and documentation (e.g., CVEs, API). | Ability
4298 | Ability to maintain situational awareness of target environment. | Ability
4305 | Ability to model a simulated environment to conduct mission rehearsal and mitigate risk of actions taken during operations. | Ability
4308 | Ability to operate automated systems to interact with target environment. | Ability
4324 | Ability to perform masquerade operations. | Ability
4325 | Ability to perform privilege escalation. | Ability
4327 | Ability to persist access to a target. | Ability
4330 | Ability to plan, brief, execute, and debrief a mission. | Ability
4334 | Ability to promote and enable organizational change. | Ability
4335 | Ability to provide advice and guidance to various stakeholders regarding technical issues, capabilities, and approaches. | Ability
4336 | Ability to provide feedback to developers if a tool requires continued development. | Ability
4340 | Ability to provide technical leadership within an organization. | Ability
4341 | Ability to read, write, modify, and execute compiled languages (e.g., C). | Ability
4342 | Ability to extract specific information from large data set (e.g., grep, regex critical). | Ability
4343 | Ability to recognize and report mistakes or poor tradecraft to appropriate leadership in accordance with Standard Operating Procedures (SOPs). | Ability
4344 | Ability to recognize and respond appropriately to Non-Standard Events. | Ability
4345 | Ability to redirect and tunnel through target systems. | Ability
4346 | Ability to remediate indicators of compromise. | Ability
4347 | Ability to research non-standards within a project. | Ability
4350 | Ability to retrieve historical operational data. | Ability
4359 | Ability to train other cyberspace operators. | Ability
4361 | Ability to troubleshoot technical problems. | Ability
4367 | Ability to use core toolset (e.g., implants, remote access tools). | Ability
4369 | Ability to use dynamic analysis tools (e.g., process monitor, process explorer, and registry analysis). | Ability
4370 | Ability to use enterprise tools to enumerate target information. | Ability
4378 | Ability to verify file integrity for both uploads and downloads. | Ability
4379 | Ability to weaken a target to facilitate/enable future access. | Ability
4380 | Ability to write and modify markup languages (e.g., HTML, XML). | Ability
4381 | Ability to write and modify source code (e.g., C). | Ability
4388 | Knowledge of access control models (Role Based Access Control, Attribute Based Access Control). | Knowledge
4391 | Knowledge of advanced redirection techniques. | Knowledge
4393 | Knowledge of appropriate/inappropriate information to include in operational documentation (e.g., OPNOTES, technical summaries, action maps, etc.). | Knowledge
4395 | Knowledge of basic client software applications and their attack surfaces. | Knowledge
4396 | Knowledge of basic cloud-based technologies and concepts. | Knowledge
4399 | Knowledge of basic Embedded Systems concepts. | Knowledge
4402 | Knowledge of basic redirection techniques (e.g., IP Tables, SSH Tunneling, netsh). | Knowledge
4403 | Knowledge of basic server software applications and their attack surfaces. | Knowledge
4404 | Knowledge of code injection and its employment in cyberspace operations. | Knowledge
4414 | Knowledge of common network administration best practices and the impact to operations. | Knowledge
4419 | Knowledge of credential sources and restrictions related to credential usage. | Knowledge
4437 | Knowledge of device reboots, including when they occur and their impact on tool functionality. | Knowledge
4444 | Knowledge of evolving technologies. | Knowledge
4447 | Knowledge of factors that would suspend or abort an operation. | Knowledge
4458 | Knowledge of historical data relating to particular targets and projects, prior to an operation to include reviewing TECHSUMs, previous OPNOTEs, etc. | Knowledge
4463 | Knowledge of how computer programs are executed. | Knowledge
4464 | Knowledge of how host-based security products, logging, and malware may affect tool functionality. | Knowledge
4465 | Knowledge of how other actors may affect operations. | Knowledge
4466 | Knowledge of how race conditions occur and can be employed to compromise shared resources. | Knowledge
4482 | Knowledge of malware triage. | Knowledge
4485 | Knowledge of methods and procedures for sending a payload via an existing implant. | Knowledge
4486 | Knowledge of methods, strategies, and techniques of evading detection while conducting operations, such as noise, stealth, situational awareness, etc. | Knowledge
4487 | Knowledge of methods, tools, and procedures for collecting information, including accessing databases and file systems. | Knowledge
4488 | Knowledge of methods, tools, and procedures for exploiting target systems. | Knowledge
4489 | Knowledge of methods, tools, and techniques used to determine the path to a target host/network (e.g., identify satellite hops). | Knowledge
4496 | Knowledge of models for examining cyber threats (e.g., cyber kill chain, MITRE ATT&CK). | Knowledge
4498 | Knowledge of modes of communication used by a target, such as cable, fiber optic, satellite, microwave, VSAT, or combinations of these. | Knowledge
4502 | Knowledge of open source tactics that enable initial access (e.g., social engineering, phishing). | Knowledge
4503 | Knowledge of operating system command shells, configuration data. | Knowledge
4505 | Knowledge of operational infrastructure. | Knowledge
4508 | Knowledge of operational security, logging, admin concepts, and troubleshooting. | Knowledge
4510 | Knowledge of password cracking techniques. | Knowledge
4519 | Knowledge of process migration. | Knowledge
4540 | Knowledge of system administration concepts for distributed or managed operating environments. | Knowledge
4541 | Knowledge of system administration concepts for stand-alone operating systems. | Knowledge
4542 | Knowledge of system calls. | Knowledge
4552 | Knowledge of the components of an authentication system. | Knowledge
4553 | Knowledge of the concept of an advanced persistent threat (APT). | Knowledge
4563 | Knowledge of the location and use of tool documentation. | Knowledge
4564 | Knowledge of the methods and procedures for communicating with tools/modules, including the use of listening posts. | Knowledge
4565 | Knowledge of the methods of persistence. | Knowledge
4567 | Knowledge of the Mission Improvement Process. | Knowledge
4571 | Knowledge of the Plan, Brief, Execute, and Debrief process. | Knowledge
4581 | Knowledge of the tactics development process. | Knowledge
4586 | Knowledge of threats to OPSEC when installing, using, modifying, and uninstalling tools. | Knowledge
4587 | Knowledge of tool release/testing process. | Knowledge
4593 | Knowledge of VPNs, their purpose, and how they can be leveraged. | Knowledge
4628 | Skill in enumerating a host (e.g., file systems, host metadata, host characteristics). | Skill
4641 | Skill in manipulating firewall/host-based security configuration and rulesets. | Skill
4663 | Skill in retrieving memory resident data. | Skill
4670 | Skill in transferring files to target devices (e.g., scp, tftp, http, ftp). | Skill
4674 | Skill in using network enumeration and analysis tools, both active and passive. | Skill
6100 | Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities. | Ability
8001 | Advise leadership on operational tradecraft, emerging technology, and technical health of the force. | Task
8015 | Approve remediation actions. | Task
8017 | As authorized, train cyberspace operators at one's certification level or below. | Task
8020 | Assess the technical health of the cyberspace operator work role. | Task
8021 | Assess, recommend, and evaluate remediation actions. | Task
8030 | Conduct cyber activities to deny, degrade, disrupt, destroy, manipulate (D4M). | Task
8037 | Conduct post-mission actions. | Task
8039 | Conduct pre-mission actions. | Task
8040 | Conduct pre-operation research and prep. | Task
8052 | Create/normalize/document/evaluate TTPs in cyberspace operations. | Task
8067 | Develop and/or inform risk assessments. | Task
8071 | Develop Operational Training Solutions. | Task
8073 | Develop remediation actions. | Task
8074 | Develop risk assessments for non-standard events and ad hoc tradecraft. | Task
8083 | Employ collection TTPs in cyberspace operations. | Task
8084 | Employ credential access TTPs in cyberspace operations. | Task
8086 | Employ discovery TTPs in cyberspace operations. | Task
8087 | Employ exfiltration TTPs in cyberspace operations. | Task
8088 | Employ lateral movement TTPs in cyberspace operations. | Task
8089 | Employ TTPs in categories at one's certification level or below. | Task
8097 | Evaluate cyberspace operator performance at one's certification level or below. | Task
8112 | Identify targets of opportunity in order to influence operational planning. | Task
8113 | Identify the appropriate operating authorities and guidance. | Task
8130 | Maintain operational and technical situational awareness during operations. | Task
8158 | Produce strategy to inform commander's decision making process. | Task
8167 | Provide input to mission debrief. | Task
8168 | Provide input to operational policy. | Task
8169 | Provide input to post mission planning. | Task
8170 | Provide input to pre-mission planning. | Task
8181 | Recognize and respond to indicators of compromise (IOC). | Task
8183 | Recognize and respond to events that change risk. | Task
8184 | Record and document activities during cyberspace operations. | Task
8192 | Steward the cyberspace operator work role. | Task
8197 | Train cyberspace operators at their certified level or below. | Task