Host Analyst

Host Analyst Work Role ID: 463 (NIST: N/A) Workforce Element: Cyberspace Effects

A Host Analyst (HA) will have knowledge of the various system configurations encountered and performs analysis using built-in tools and capabilities. A Host Analyst will have knowledge of system services and their security and configuration, as well as knowledge of file systems, permissions, and operating system configurations.

Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

KSAT ID | Description | KSAT
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | * Knowledge of cybersecurity principles. | Knowledge
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments, and the difference between on-premises and off-premises environments. | Knowledge

Additional KSATs

KSAT ID | Description | KSAT
4171 | Ability to analyze a finding of a compromise and develop custom signature(s) and/or rule(s) to identify it throughout the network. | Ability
4172 | Ability to analyze adversarial avenues of approach on a mission-critical system. | Ability
4174 | Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies in support of identifying outliers to delineate possible avenues of approach. | Ability
4176 | Ability to analyze how the tools operate to enumerate the system. | Ability
4179 | Ability to analyze multiple memory captures, determine anomalous behavior, and develop a detailed report that includes a timeline of compromise. | Ability
4182 | Ability to analyze organizational policies and documentation for appropriate use and user privileges to determine current user access rights policies. | Ability
4184 | Ability to analyze potentially malicious processes, libraries, and modules on a system. | Ability
4185 | Ability to analyze process lists within Windows, Unix, or Linux operating systems. | Ability
4186 | Ability to analyze software installed and in use on a system or host machine and compare it to the authorized software list provided by the network owner. | Ability
4187 | Ability to analyze tools/hardware used to extract/analyze/capture memory and disk images. | Ability
4188 | Ability to analyze user-mode/kernel-mode rootkits and how they function and differ. | Ability
4189 | Ability to analyze vulnerabilities and misconfigurations without Information Assurance artifacts. | Ability
4195 | Ability to build a baseline of configuration/state for host machines. | Ability
4197 | Ability to capture a memory image from a host workstation. | Ability
4198 | Ability to capture forensically sound memory and disk images with regard to timeline analysis. | Ability
4206 | Ability to compare active user accounts on a network to the appropriate Standard Operating Procedure (SOP); gather active user accounts on a network and compare them to the authorized user list. | Ability
4207 | Ability to compare current state against baselines. | Ability
4209 | Ability to compile group policies and access control lists from mission partner networks. | Ability
4210 | Ability to compile host-based firewall and host intrusion prevention system configurations through group policy modifications. | Ability
4211 | Ability to conduct disk forensics on multiple images. | Ability
4216 | Ability to configure log aggregation. | Ability
4217 | Ability to configure, forward, and statistically analyze logs. | Ability
4225 | Ability to correlate indicators of compromise. | Ability
4232 | Ability to de-obfuscate (e.g., command line execution, string substitution, clandestine side channel, Base64). | Ability
4234 | Ability to develop a risk defense plan (e.g., behavioral development) and put active measures in place in defense of a network, endpoint, and/or host. | Ability
4237 | Ability to develop dashboards to better visualize data. | Ability
4238 | Ability to develop host-based IDS/IPS signatures and settings. | Ability
4239 | Ability to develop the reporting and recording of discovered potentially malicious processes, libraries, and modules on a compromised system. | Ability
4245 | Ability to enumerate domain security groups. | Ability
4246 | Ability to enumerate knowledge management applications (e.g., SharePoint) and their service accounts/security groups. | Ability
4247 | Ability to enumerate network shares, identify ACLs/security permissions, and analyze them for vulnerabilities/misconfigurations (e.g., SMB, NFS, iSCSI). | Ability
4250 | Ability to evaluate common Tactics, Techniques, and Procedures (TTPs) used in malware, and the open-source and Intelligence Community (IC) resources available to identify emerging TTPs. | Ability
4251 | Ability to evaluate compliance with Security Technical Implementation Guides (STIGs) on host machines by utilizing a compliance scanner, in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4252 | Ability to evaluate whether patches are up to date for all hosts, determine the current process for updating patches, and determine the current patch level for all hosts on a network according to NIST Special Publication 800-40, in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4256 | Ability to evaluate rogue/unauthorized systems on a network. | Ability
4257 | Ability to evaluate security posture shortcomings in group policy. | Ability
4258 | Ability to evaluate steps taken after host-based IDS/IPS alerts, verify the finding, and ensure its volatility. | Ability
4259 | Ability to evaluate system resiliency in adverse conditions. | Ability
4262 | Ability to export/enumerate information (e.g., users, groups) from a Domain Controller. | Ability
4266 | Ability to identify activity context in log entries to correlate indicators of compromise. | Ability
4269 | Ability to identify anomalous network traffic on a host machine. | Ability
4273 | Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. | Ability
4281 | Ability to identify new indicators of compromise through anomalous behavior in log entries. | Ability
4283 | Ability to identify security posture shortcomings. | Ability
4284 | Ability to identify tools and techniques available for analyzing binary applications and interpreted scripts. | Ability
4287 | Ability to identify/select the most appropriate tools and solutions for the specific environment (e.g., disk/memory forensics/capture, host enumeration, application whitelisting, log aggregation and analysis, HIPS/HIDS solutions). | Ability
4288 | Ability to implement and configure host-based firewalls and host intrusion prevention systems. | Ability
4289 | Ability to implement Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies. | Ability
4302 | Ability to measure known vulnerabilities against known vectors of approach. | Ability
4306 | Ability to monitor Active Directory (AD) for creation of unauthorized/potentially malicious accounts. | Ability
4309 | Ability to operate specified tools to enumerate a system. | Ability
4312 | Ability to organize Active Directory (AD) hierarchy structure. | Ability
4313 | Ability to organize logging and auditing procedures, including server-based logging. | Ability
4315 | Ability to organize the order of volatility when capturing artifacts. | Ability
4318 | Ability to perform and analyze situational awareness commands within Windows, Unix, and Linux operating systems (e.g., systeminfo, netstat, ipconfig, tasklist, ls, ifconfig). | Ability
4319 | Ability to perform and analyze vulnerability scans on host machines in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4320 | Ability to perform complex root-cause analysis to determine the root cause of an intrusion and recommend mitigations. | Ability
4323 | Ability to perform dynamic analysis. | Ability
4326 | Ability to perform static analysis. | Ability
4331 | Ability to prioritize how Operating System (OS) and application patches are distributed across different systems. | Ability
4332 | Ability to prioritize Operating System (OS) default processes, libraries, and modules based on boot order, dependencies, or key operations. | Ability
4337 | Ability to provide host analysis for a Risk Mitigation Plan (RMP) to improve the customer's overall security posture. | Ability
4339 | Ability to provide mitigations to recover from a full network compromise. | Ability
4351 | Ability to select the best tools to enumerate a given set of host machines in order to validate whether they match known baselines. | Ability
4363 | Ability to use and integrate a Security Information and Event Management (SIEM) platform. | Ability
4371 | Ability to use host volatile data to compare active processes, libraries, and modules against databases of known good/bad. | Ability
4375 | Ability to utilize Defense Information Systems Agency (DISA)/Department of Defense (DoD) system configuration guidelines. | Ability
4390 | Knowledge of Active Directory Federation Services. | Knowledge
4413 | Knowledge of common information network malware (e.g., viruses, trojans) and vectors of attack (e.g., ports, attachments). | Knowledge
4415 | Knowledge of common obfuscation techniques (e.g., command line execution, string substitution, clandestine side channel, Base64). | Knowledge
4416 | Knowledge of common persistence locations within Windows, Unix, or Linux operating systems. | Knowledge
4427 | Knowledge of cybersecurity and cybersecurity-enabled software products. | Knowledge
4429 | Knowledge of cybersecurity controls and design principles and methods (e.g., firewalls, DMZ, and encryption). | Knowledge
4430 | Knowledge of the cybersecurity Risk Management Framework (RMF) process. | Knowledge
4434 | Knowledge of Defensive Cyberspace Operations (DCO) capabilities, including open-source tools. | Knowledge
4435 | Knowledge of Defense-in-Depth principles. | Knowledge
4438 | Knowledge of different types of log subscriptions (e.g., push vs. pull, Microsoft Windows Event Forwarding, Winlogbeat, syslog). | Knowledge
4443 | Knowledge of evasion strategies and TTPs (e.g., noise, stealth, situational awareness, bandwidth throttling). | Knowledge
4445 | Knowledge of existing cybersecurity principles, policies, and procedures. | Knowledge
4452 | Knowledge of the full spectrum of cyberspace operations in an intelligence-driven DCO environment. | Knowledge
4501 | Knowledge of non-Active Directory domains (e.g., IDM, LDAP). | Knowledge
4522 | Knowledge of public key infrastructure (PKI) libraries, certificate authorities, certificate management, and encryption functionalities. | Knowledge
4537 | Knowledge of stream providers (e.g., Kafka). | Knowledge
4539 | Knowledge of structured response frameworks (e.g., MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model). | Knowledge
4583 | Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission. | Knowledge
4585 | Knowledge of the Windows registry hive keys and the information contained within each one. | Knowledge
4589 | Knowledge of typical system processes within Windows, Unix, or Linux operating systems. | Knowledge
4595 | Knowledge of web applications and their common attack vectors. | Knowledge
4599 | Skill in analyzing endpoint collection data. | Skill
4655 | Skill in providing support to intelligence analysts to understand the operational environment and how it ties to intelligence reporting. | Skill
4660 | Skill in refining research (e.g., vulnerabilities, TTPs) to assist intelligence analysts' preparation of products. | Skill
4665 | Skill in run-level configuration in a Linux or UNIX environment. | Skill
4679 | Skill in using various online tools for open-source research (e.g., online trade, DNS, mail). | Skill
8036 | Conduct open-source research via various online tools. | Task
8041 | Confer with systems analysts, engineers, programmers, and others to design applications and to obtain information on project limitations and capabilities, performance requirements, and interfaces. | Task
8111 | Identify potential points of strength and vulnerability among segments of a network map. | Task
8115 | Identify tools/hardware used to extract/analyze/capture memory and disk images. | Task
8151 | Perform security reviews and identify gaps in security architecture that can be used in the development of a security risk management plan. | Task
8161 | Provide and maintain documentation for TTPs as inputs to training programs. | Task
8212 | Validate intrusion detection system (IDS) alerts. | Task