Exploitation Analyst

Work Role ID: 121 (NIST: AN-EXP-001)
Category/Specialty Area: Analyze / Exploitation Analysis
Workforce Element: Cyberspace Effects

Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.


Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

KSAT ID | Description | KSAT Type
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
264 | Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
2194 | Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities. | Task
2400 | Examine intercept-related metadata and content with an understanding of targeting significance. | Task
2718 | Profile network or system administrators and their activities. | Task
3021 | Ability to collaborate effectively with others. | Ability
3022 | Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means. | Ability
3095 | Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering). | Knowledge
3103A | Ability to identify/describe target vulnerability. | Ability
3103 | Ability to identify/describe techniques/methods for conducting technical exploitation of the target. | Ability
3106 | Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless). | Knowledge
3107 | Knowledge of a wide range of concepts associated with websites (e.g., website types, administration, functions, software systems, etc.). | Knowledge
3129 | Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.). | Knowledge
3137 | Knowledge of basic malicious activity concepts (e.g., footprinting, scanning and enumeration). | Knowledge
3179 | Knowledge of common networking devices and their configurations. | Knowledge
3191 | Knowledge of concepts for operating systems (e.g., Linux, Unix). | Knowledge
3225 | Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media). | Knowledge
3289 | Knowledge of how hubs, switches, routers work together in the design of a network. | Knowledge
3291 | Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP). | Knowledge
3346 | Knowledge of Internet and routing protocols. | Knowledge
3407 | Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection). | Knowledge
3410 | Knowledge of network topology. | Knowledge
3513 | Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems. | Knowledge
3543 | Knowledge of the basic structure, architecture, and design of modern communication networks. | Knowledge
3801 | Skill in identifying the devices that work at each level of protocol models. | Skill
3867 | Skill in recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information). | Skill
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT Type
345 | Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. | Knowledge
363 | Skill in identifying gaps in technical capabilities. | Skill
912 | Knowledge of collection management processes, capabilities, and limitations. | Knowledge
915 | Knowledge of front-end collection systems, including traffic collection, filtering, and selection. | Knowledge
2029A | Apply and utilize authorized cyber capabilities to enable access to targeted networks. | Task
2033 | Apply cyber collection, environment preparation and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements. | Task
2040 | Apply and obey applicable statutes, laws, regulations and policies. | Task
2072 | Perform analysis for target infrastructure exploitation activities. | Task
2090 | Collaborate with other internal and external partner organizations on target access and operational issues. | Task
2095 | Communicate new developments, breakthroughs, challenges and lessons learned to leadership, and internal and external customers. | Task
2102 | Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access. | Task
2114 | Conduct independent in-depth target and technical analysis including target-specific information (e.g., cultural, organizational, political) that results in access. | Task
2419 | Collaborate with developers, conveying target and technical knowledge in tool requirements submissions, to enhance tool development. | Task
2461 | Identify gaps in our understanding of target technology and develop innovative collection approaches. | Task
2490 | Identify, locate, and track targets via geospatial analysis techniques. | Task
2534 | Lead or enable exploitation operations in support of organization objectives and target requirements. | Task
2542 | Maintain awareness of advancements in hardware and software technologies (e.g., attend training or conferences, reading) and their potential implications. | Task
2608 | Monitor target networks to provide indications and warning of target communications changes or processing failures. | Task
2714 | Produce network reconstructions. | Task
3001 | Ability to accurately and completely source all data used in intelligence, assessment and/or planning products. | Ability
3039 | Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists. | Ability
3043 | Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products. | Ability
3055A | Ability to select the appropriate implant to achieve operational goals. | Ability
3055B | Knowledge of basic implants. | Knowledge
3101 | Ability to expand network access by conducting target analysis and collection in order to identify targets of interest. | Ability
3113 | Knowledge of target intelligence gathering and operational preparation techniques and life cycles. | Knowledge
3139 | Knowledge of basic principles of the collection development processes (e.g., Dialed Number Recognition, Social Network Analysis). | Knowledge
3146 | Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc. | Knowledge
3155 | Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc. | Knowledge
3166 | Knowledge of collection searching/analyzing techniques and tools for chat/buddy list, emerging technologies, VOIP, Media Over IP, VPN, VSAT/wireless, web mail and cookies. | Knowledge
3181 | Knowledge of common reporting databases and tools. | Knowledge
3201 | Knowledge of all relevant reporting and dissemination procedures. | Knowledge
3226 | Knowledge of data flow process for terminal or environment collection. | Knowledge
3256 | Knowledge of terminal or environmental collection (process, objectives, organization, targets, etc.). | Knowledge
3261 | Knowledge of evasion strategies and techniques. | Knowledge
3296 | Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http). | Knowledge
3349 | Knowledge of intrusion sets. | Knowledge
3367 | Knowledge of all applicable statutes, laws, regulations and policies governing cyber targeting and exploitation. | Knowledge
3386 | Knowledge of midpoint collection (process, objectives, organization, targets, etc.). | Knowledge
3432 | Knowledge of identification and reporting processes. | Knowledge
3454 | Knowledge of products and nomenclature of major vendors (e.g., security suites: Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities. | Knowledge
3474 | Knowledge of scripting. | Knowledge
3505 | Knowledge of strategies and tools for target research. | Knowledge
3525 | Knowledge of organizational and partner policies, tools, capabilities, and procedures. | Knowledge
3542 | Knowledge of the basic structure, architecture, and design of converged applications. | Knowledge
3622 | Knowledge of organizational and partner authorities, responsibilities, and contributions to achieving objectives. | Knowledge
3637 | Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications). | Knowledge
3678 | Skill in analyzing traffic to identify network devices. | Skill
3715 | Skill in creating and extracting important information from packet captures. | Skill
3718A | Skill in creating collection requirements in support of data acquisition activities. | Skill
3718 | Skill in creating plans in support of remote operations. | Skill
3726 | Skill in depicting source or collateral data on a network map. | Skill
3741 | Skill in determining the effect of various router and firewall configurations on traffic patterns and network performance in both LAN and WAN environments. | Skill
3774 | Skill in evaluating accesses for intelligence value. | Skill
3803 | Skill in identifying, locating, and tracking targets via geospatial analysis techniques. | Skill
3810 | Skill in interpreting compiled and interpretive programming languages. | Skill
3812 | Skill in interpreting metadata and content as applied by collection systems. | Skill
3814 | Skill in using trace route tools and interpreting the results as they apply to network analysis and reconstruction. | Skill
3818 | Skill in generating operation plans in support of mission and target requirements. | Skill
3828 | Skill in navigating network visualization software. | Skill
3837 | Skill in performing data fusion from existing intelligence for enabling new and continued collection. | Skill
3860 | Skill in recognizing and interpreting malicious network activity in traffic. | Skill
3863 | Skill in recognizing midpoint opportunities and essential information. | Skill
3874 | Skill in researching vulnerabilities and exploits utilized in traffic. | Skill
3894 | Skill in target development in direct support of collection operations. | Skill
3913 | Skill in using databases to identify target-relevant information. | Skill
3923 | Skill in using non-attributable networks. | Skill
3950 | Skill in writing (and submitting) requirements to meet gaps in technical capabilities. | Skill