Host Analyst

Work Role ID: 463 (NIST: N/A)
Workforce Element: Cyberspace Effects

A Host Analyst (HA) has knowledge of the various system configurations encountered, of system services and their security and configuration, and of file systems, permissions, and operating system configurations. The Host Analyst conducts analysis using built-in tools and capabilities.

Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

KSAT ID | Description | KSAT
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments, and the difference between on-premises and off-premises environments. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
15 | Knowledge of capabilities and applications of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware. | Knowledge
27A | Knowledge of cryptology. | Knowledge
34 | Knowledge of database systems. | Knowledge
43A | Knowledge of embedded systems. | Knowledge
46 | Knowledge of fault tolerance. | Knowledge
49 | Knowledge of host/network access control mechanisms (e.g., access control lists). | Knowledge
51 | Knowledge of how system components are installed, integrated, and optimized. | Knowledge
52 | Knowledge of human-computer interaction principles. | Knowledge
53 | Knowledge of the Security Assessment and Authorization process. | Knowledge
61 | Knowledge of incident response and handling methodologies. | Knowledge
62 | Knowledge of industry-standard and organizationally accepted analysis principles and methods. | Knowledge
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge
65A | Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). | Knowledge
66 | Knowledge of intrusion detection methodologies and techniques for detecting host- and network-based intrusions via intrusion detection technologies. | Knowledge
68A | Ability to build architectures and frameworks. | Ability
69 | Knowledge of Risk Management Framework (RMF) requirements. | Knowledge
70A | Knowledge of cybersecurity methods, such as firewalls, demilitarized zones, and encryption. | Knowledge
78 | Knowledge of microprocessors. | Knowledge
79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). | Knowledge
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services. | Knowledge
82A | Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs. | Knowledge
88 | Knowledge of new and emerging information technology (IT) and cybersecurity technologies. | Knowledge
90 | Knowledge of operating systems. | Knowledge
92B | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol (TCP), Internet Protocol (IP), Open Systems Interconnection (OSI) model). | Knowledge
95A | Knowledge of penetration testing principles, tools, and techniques. | Knowledge
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge
109 | Knowledge of secure configuration management techniques. | Knowledge
109A | Knowledge of configuration management techniques. | Knowledge
110 | Knowledge of key concepts in security management (e.g., Release Management, Patch Management). | Knowledge
110A | Knowledge of security management. | Knowledge
111 | Knowledge of security system design tools, methods, and techniques. | Knowledge
117 | Knowledge of software design tools, methods, and techniques. | Knowledge
124 | Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. | Knowledge
130 | Knowledge of systems testing and evaluation methods. | Knowledge
139 | Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications. | Knowledge
141A | Knowledge of enterprise information technology (IT) architectural concepts and patterns, to include baseline and target architectures. | Knowledge
143A | Knowledge of integrating the organization's goals and objectives into the architecture. | Knowledge
148 | Knowledge of Virtual Private Network (VPN) security. | Knowledge
150 | Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. | Knowledge
155 | Skill in applying and incorporating information technologies into proposed solutions. | Skill
156 | Skill in applying confidentiality, integrity, and availability principles. | Skill
183A | Knowledge in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. | Knowledge
202A | Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems. | Skill
205 | Skill in implementing, maintaining, and improving established network security practices. | Skill
233 | Skill in using protocol analyzers. | Skill
264 | Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). | Knowledge
270 | Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities). | Knowledge
350 | Skill in analyzing memory dumps to extract information. | Skill
868 | Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost). | Task
880A | Work with stakeholders to resolve computer security incidents and vulnerability compliance. | Task
892 | Skill in configuring and utilizing software-based computer protection tools (e.g., software firewalls, anti-virus software, anti-spyware). | Skill
912 | Knowledge of collection management processes, capabilities, and limitations. | Knowledge
915 | Knowledge of front-end collection systems, including traffic collection, filtering, and selection. | Knowledge
958 | Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity. | Task
959 | Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on system and information. | Task
972A | Determine and document software patches or the extent of releases that would leave software vulnerable. | Task
973A | Skill in using code analysis tools. | Skill
1033 | Knowledge of basic system administration, network, and operating system hardening techniques. | Knowledge
1037B | Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements. | Knowledge
1038 | Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability. | Knowledge
1072A | Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Ability
1073 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. | Knowledge
1110 | Isolate and remove malware. | Task
1111 | Identify applications and operating systems of a network device based on network traffic. | Task
1113 | Identify network mapping and operating system (OS) fingerprinting activities. | Task
1141A | Knowledge of an organization's information classification program and procedures for information compromise. | Knowledge
2062 | Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave. | Task
2063 | Assist in the coordination, validation, and management of all-source collection requirements, plans, and/or activities. | Task
2119 | Conduct network scouting and vulnerability analyses of systems within a network. | Task
2205 | Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers). | Task
2226 | Detect exploits against targeted networks and hosts and react accordingly. | Task
2232 | Determine course of action for addressing changes to objectives, guidance, and operational environment. | Task
2353 | Edit or execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems. | Task
2379B | Identify threats to Blue Force vulnerabilities. | Task
2429 | Generate requests for information. | Task
2603 | Monitor operational environment and report on adversarial activities which fulfill leadership's priority information requirements. | Task
2611 | Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan. | Task
3002 | Ability to focus research efforts to meet the customer's decision-making needs. | Ability
3063 | Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity. | Ability
3130 | Knowledge of auditing and logging procedures (including server-based logging). | Knowledge
3140 | Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted languages). | Knowledge
3141 | Knowledge of basic software applications (e.g., data storage and backup, database applications) and their vulnerabilities. | Knowledge
3153 | Knowledge of circuit analysis. | Knowledge
3188 | Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.). | Knowledge
3201 | Knowledge of all relevant reporting and dissemination procedures. | Knowledge
3206 | Knowledge of current software and methodologies for active defense and system hardening. | Knowledge
3222 | Knowledge of data backup and restoration concepts. | Knowledge
3253 | Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP). | Knowledge
3261 | Knowledge of evasion strategies and techniques. | Knowledge
3270 | Knowledge of forensic implications of operating system structure and operations. | Knowledge
3317 | Knowledge of implementing Unix and Windows systems that provide RADIUS authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP. | Knowledge
3348 | Knowledge of intrusion detection systems and signature development. | Knowledge
3353 | Knowledge of the Risk Management Framework Assessment Methodology. | Knowledge
3378 | Knowledge of methods and techniques used to detect various exploitation activities. | Knowledge
3431 | Knowledge of the OSI model and underlying network protocols (e.g., TCP/IP). | Knowledge
3454 | Knowledge of products and nomenclature of major vendors (e.g., security suites: Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities. | Knowledge
3459 | Knowledge of the functions and capabilities of internal teams that emulate threat activities to benefit the organization. | Knowledge
3479 | Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation. | Knowledge
3480 | Knowledge of security implications of software configurations. | Knowledge
3508 | Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network). | Knowledge
3513 | Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems. | Knowledge
3539 | Knowledge of telecommunications fundamentals. | Knowledge
3627 | Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations. | Knowledge
3637 | Knowledge of Unix/Linux and Windows operating system structures and internals (e.g., process management, directory structure, installed applications). | Knowledge
3642 | Knowledge of various types of computer architectures. | Knowledge
3740 | Skill in determining installed patches on various operating systems and identifying patch signatures. | Skill
3777 | Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools. | Skill
3801 | Skill in identifying the devices that work at each level of protocol models. | Skill
3815 | Skill in interpreting vulnerability scanner results to identify vulnerabilities. | Skill
3859 | Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data). | Skill
3859A | Ability to read, interpret, write, modify, and execute simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data). | Ability
3871 | Skill in remote command line and Graphical User Interface (GUI) tool usage. | Skill
3948 | Skill in verifying the integrity of all files. | Skill
4095 | Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML). | Knowledge
4171 | Ability to analyze a finding of a compromise and develop custom signature(s) and/or rule(s) to identify it throughout the network. | Ability
4172 | Ability to analyze adversarial avenues of approach on a mission-critical system. | Ability
4174 | Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies in support of identifying outliers to delineate possible avenues of approach. | Ability
4176 | Ability to analyze how the tools operate to enumerate the system. | Ability
4179 | Ability to analyze multiple memory captures, determine anomalous behavior, and develop a detailed report that includes a timeline of compromise. | Ability
4182 | Ability to analyze organizational policies and documentation for appropriate use and user privileges to determine current user access rights policies. | Ability
4184 | Ability to analyze potentially malicious processes, libraries, and modules on a system. | Ability
4185 | Ability to analyze process lists within Windows, Unix, or Linux operating systems. | Ability
4186 | Ability to analyze software installed and in use on a system or host machine and compare it to the authorized software list provided by the network owner. | Ability
4187 | Ability to analyze tools/hardware used to extract/analyze/capture memory and disk images. | Ability
4188 | Ability to analyze user-mode/kernel-mode rootkits and how they function and differ. | Ability
4189 | Ability to analyze vulnerabilities and misconfigurations without Information Assurance artifacts. | Ability
4195 | Ability to build a baseline of configuration/state for host machines. | Ability
4197 | Ability to capture a memory image from a host workstation. | Ability
4198 | Ability to capture forensically sound memory and disk images with regard to timeline analysis. | Ability
4206 | Ability to gather active user accounts on a network and compare them to the authorized user list and to the appropriate Standard Operating Procedure (SOP). | Ability
4207 | Ability to compare current state against baselines. | Ability
4209 | Ability to compile group policies and access control lists from mission partner networks. | Ability
4210 | Ability to compile host-based firewall and host intrusion prevention system configurations through group policy modifications from mission partner networks. | Ability
4211 | Ability to conduct disk forensics on multiple images. | Ability
4216 | Ability to configure log aggregation. | Ability
4217 | Ability to configure, forward, and statistically analyze logs. | Ability
4225 | Ability to correlate indicators of compromise. | Ability
4232 | Ability to de-obfuscate (e.g., command line execution, string substitution, clandestine side channel, Base64). | Ability
4234 | Ability to develop a risk defense plan (e.g., behavioral development, etc.) and put active measures in place in defense of a network, endpoint, and/or host. | Ability
4237 | Ability to develop dashboards to better visualize data. | Ability
4238 | Ability to develop host-based IDS/IPS signatures and settings. | Ability
4239 | Ability to develop the reporting and recording of discovered potentially malicious processes, libraries, and modules on a compromised system. | Ability
4245 | Ability to enumerate domain security groups. | Ability
4246 | Ability to enumerate knowledge management applications (e.g., SharePoint) and their service accounts/security groups. | Ability
4247 | Ability to enumerate network shares, identify ACLs/security permissions, and analyze them for vulnerabilities/misconfigurations (e.g., SMB, NFS, iSCSI). | Ability
4250 | Ability to evaluate common Tactics, Techniques, and Procedures (TTPs) used in malware, and the open-source and Intelligence Community (IC) resources available to identify emerging TTPs. | Ability
4251 | Ability to evaluate compliance with Security Technical Implementation Guides (STIGs) on host machines by utilizing a compliance scanner in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4252 | Ability to evaluate whether patches are up to date for all hosts, determine the current process for updating patches, and determine the current patch level for all hosts on a network according to NIST Special Publication 800-40, in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4256 | Ability to evaluate rogue/unauthorized systems on a network. | Ability
4257 | Ability to evaluate security posture shortcomings in group policy. | Ability
4258 | Ability to evaluate steps taken after host-based IDS/IPS alerts, verify the finding, and ensure its volatility. | Ability
4259 | Ability to evaluate system resiliency in adverse conditions. | Ability
4262 | Ability to export/enumerate information (e.g., users, groups) from a Domain Controller. | Ability
4266 | Ability to identify activity context in log entries to correlate indicators of compromise. | Ability
4269 | Ability to identify anomalous network traffic on a host machine. | Ability
4273 | Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. | Ability
4281 | Ability to identify new indicators of compromise through anomalous behavior in log entries. | Ability
4283 | Ability to identify security posture shortcomings. | Ability
4284 | Ability to identify tools and techniques available for analyzing binary applications and interpreted scripts. | Ability
4287 | Ability to identify/select the most appropriate tools and solutions for the specific environment (e.g., disk/memory forensics/capture, host enumeration, application whitelisting, log aggregation and analysis, HIPS/HIDS solutions, etc.). | Ability
4288 | Ability to implement and configure host-based firewalls and host intrusion prevention systems. | Ability
4289 | Ability to implement Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies. | Ability
4302 | Ability to measure known vulnerabilities against known vectors of approach. | Ability
4306 | Ability to monitor Active Directory (AD) for creation of unauthorized/potentially malicious accounts. | Ability
4309 | Ability to operate specified tools to enumerate a system. | Ability
4312 | Ability to organize Active Directory (AD) hierarchy structure. | Ability
4313 | Ability to organize logging and auditing procedures, including server-based logging. | Ability
4315 | Ability to organize order of volatility when capturing artifacts. | Ability
4318 | Ability to perform and analyze situational awareness commands within Windows, Unix, and Linux operating systems (e.g., systeminfo, netstat, ipconfig, tasklist, ls, ifconfig, etc.). | Ability
4319 | Ability to perform and analyze vulnerability scans on host machines in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4320 | Ability to perform complex root-cause analysis to determine the root cause of an intrusion and recommend mitigations. | Ability
4323 | Ability to perform dynamic analysis. | Ability
4326 | Ability to perform static analysis. | Ability
4331 | Ability to prioritize how Operating System (OS) and application patches are distributed in different systems. | Ability
4332 | Ability to prioritize Operating System (OS) default processes, libraries, and modules based on boot order, dependencies, or key operations. | Ability
4337 | Ability to provide host analysis for a Risk Mitigation Plan (RMP) to improve the customer's overall security posture. | Ability
4339 | Ability to provide mitigations to recover from a full network compromise. | Ability
4351 | Ability to select the best tools to enumerate a given set of host machines in order to validate whether they match known baselines. | Ability
4363 | Ability to use and integrate a Security Information and Event Management (SIEM) platform. | Ability
4371 | Ability to use host volatile data to compare active processes, libraries, and modules against databases of known good/bad. | Ability
4375 | Ability to utilize Defense Information Systems Agency (DISA)/Department of Defense (DoD) system configuration guidelines. | Ability
4390 | Knowledge of Active Directory Federation Services. | Knowledge
4413 | Knowledge of common information network malware (e.g., viruses, trojans, etc.) and vectors of attack (e.g., ports, attachments, etc.). | Knowledge
4415 | Knowledge of common obfuscation techniques (e.g., command line execution, string substitution, clandestine side channel, Base64). | Knowledge
4416 | Knowledge of common persistence locations within Windows, Unix, or Linux operating systems. | Knowledge
4427 | Knowledge of cybersecurity and cybersecurity-enabled software products. | Knowledge
4429 | Knowledge of cybersecurity controls and design principles and methods (e.g., firewalls, DMZ, and encryption). | Knowledge
4430 | Knowledge of the cybersecurity Risk Management Framework (RMF) process. | Knowledge
4434 | Knowledge of Defensive Cyberspace Operations (DCO) capabilities, including open-source tools, and their capabilities. | Knowledge
4435 | Knowledge of Defense-in-Depth principles. | Knowledge
4438 | Knowledge of different types of log subscriptions (e.g., push vs. pull, MS Windows event forwarding, winlogbeat, syslog). | Knowledge
4443 | Knowledge of evasion strategies and TTPs (e.g., noise, stealth, situational awareness, bandwidth throttling). | Knowledge
4445 | Knowledge of existing cybersecurity principles, policies, and procedures. | Knowledge
4452 | Knowledge of the full spectrum of cyberspace operations in an intelligence-driven DCO environment. | Knowledge
4501 | Knowledge of non-Active Directory domains (e.g., IDM, LDAP). | Knowledge
4522 | Knowledge of public key infrastructure (PKI) libraries, certificate authorities, certificate management, and encryption functionalities. | Knowledge
4537 | Knowledge of stream providers (e.g., Kafka). | Knowledge
4539 | Knowledge of structured response frameworks (e.g., MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model). | Knowledge
4583 | Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission. | Knowledge
4585 | Knowledge of the Windows registry hive keys and the information contained within each one. | Knowledge
4589 | Knowledge of typical system processes within Windows, Unix, or Linux operating systems. | Knowledge
4595 | Knowledge of web applications and their common attack vectors. | Knowledge
4599 | Skill in analyzing endpoint collection data. | Skill
4655 | Skill in providing support to intelligence analysts to understand the operational environment and how it ties to intelligence reporting. | Skill
4660 | Skill in refining research (e.g., vulnerabilities, TTPs) to assist intelligence analysts' preparation of products. | Skill
4665 | Skill in run level configurations in a Linux or UNIX environment. | Skill
4679 | Skill in using various online tools for open-source research (e.g., online trade, DNS, mail, etc.). | Skill
6240 | Knowledge of critical protocols (e.g., IPsec, AES, GRE, IKE). | Knowledge
6330 | Knowledge of multi-level security/cross domain solutions. | Knowledge
6820 | Knowledge of network architecture concepts including topology, protocols, and components. | Knowledge
8036 | Conduct open source research via various online tools. | Task
8041 | Confer with systems analysts, engineers, programmers, and others to design applications and to obtain information on project limitations and capabilities, performance requirements, and interfaces. | Task
8111 | Identify potential points of strength and vulnerability among segments of a network map. | Task
8115 | Identify tools/hardware used to extract/analyze/capture memory and disk images. | Task
8151 | Perform security reviews and identify gaps in security architecture that can be used in the development of a security risk management plan. | Task
8161 | Provide and maintain documentation for TTPs as inputs to training programs. | Task
8212 | Validate intrusion detection system (IDS) alerts. | Task