* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of communication methods, principles, and concepts (e.g., crypto, dual hubs, time multiplexers) that support the network infrastructure.

Knowledge of capabilities and applications of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.

Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.

Knowledge of cryptology.

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge of organization’s enterprise information security architecture system.

Knowledge of organization’s evaluation and validation requirements.

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge of the Security Assessment and Authorization process.

Knowledge of incident response and handling methodologies.

Knowledge of industry-standard and organizationally accepted analysis principles and methods.

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge of cybersecurity methods, such as firewalls, demilitarized zones, and encryption.

Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and encryption.

Knowledge of local area and wide area networking principles and concepts including bandwidth management.

Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).

Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs.

Knowledge of network traffic analysis methods.

Knowledge of new and emerging information technology (IT) and cybersecurity technologies.

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).

Knowledge of performance tuning tools and techniques.

Knowledge of principles and methods for integrating system components.

Knowledge of secure configuration management techniques.

Knowledge of key concepts in security management (e.g., Release Management, Patch Management).

Knowledge of security management.

Knowledge of technology integration processes.

Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).

Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.

Knowledge of integrating the organization’s goals and objectives into the architecture.

Knowledge of the type and frequency of routine maintenance needed to keep equipment functioning properly.

Knowledge of Virtual Private Network (VPN) security.

Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.

Skill in analyzing network traffic capacity and performance characteristics.

Skill in applying and incorporating information technologies into proposed solutions.

Skill in conducting system/server planning, management, and maintenance.

Skill in correcting physical and technical problems that impact system/server performance.

Knowledge of countermeasure design for identified security risks.

Skill in designing countermeasures to identified security risks.

Knowledge in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.

Skill in developing and applying security system access controls.

Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.

Skill in diagnosing connectivity problems.

Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

Skill in establishing a routing schema.

Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.

Skill in installing system and component upgrades.

Skill in installing, configuring, and troubleshooting LAN and WAN components such as routers, hubs, and switches.

Skill in monitoring and optimizing system/server performance.

Skill in using network management tools to analyze network traffic patterns (e.g., simple network management protocol).

Ability to determine the validity of technology trend data.

Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).

Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.

Develop content for cyber defense tools.

Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces.

Coordinate with enterprise-wide cyber defense staff to validate network alerts.

Monitor network capacity and performance.

Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.

Plan and recommend modifications or adjustments based on exercise results or system environment.

Provide feedback on network requirements, including network architecture and infrastructure.

Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters.

Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.

Store, retrieve, and manipulate data for analysis of system capabilities and requirements.

Work with stakeholders to resolve computer security incidents and vulnerability compliance.

Knowledge of collection management processes, capabilities, and limitations.

Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.

Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.

Design countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements.

Knowledge of root cause analysis techniques.

Knowledge of organizational information technology (IT) user security policies (e.g., account creation, password rules, access control).

Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]).

Skill in secure test plan design (e. g. unit, integration, system, acceptance).

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge of information technology (IT) risk management policies, requirements, and procedures.

Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements.

Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.

Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.

Knowledge of transmission records (e.g., Bluetooth, Radio Frequency Identification (RFID), Infrared Networking (IR), Wireless Fidelity (Wi-Fi). paging, cellular, satellite dishes, Voice over Internet Protocol (VoIP)), and jamming techniques that enable transmission of undesirable information, or prevent installed systems from operating correctly.

Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).

Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).

Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.

Identify applications and operating systems of a network device based on network traffic.

Identify network mapping and operating system (OS) fingerprinting activities.

Knowledge of an organization’s information classification program and procedures for information compromise.

Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave.

Collaborate with intelligence analysts/targeting organizations involved in related areas.

Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.

Conduct network scouting and vulnerability analyses of systems within a network.

Conduct open source data collection via various online tools.

Detect exploits against targeted networks and hosts and react accordingly.

Identify threats to Blue Force vulnerabilities.

Generate requests for information.

Identify potential points of strength and vulnerability within a network.

Monitor operational environment and report on adversarial activities which fulfill leadership’s priority information requirements.

Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan.

Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.

Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).

Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

Knowledge of all relevant reporting and dissemination procedures.

Knowledge of current software and methodologies for active defense and system hardening.

Knowledge of evasion strategies and techniques.

Knowledge of general SCADA system components.

Knowledge of Internet and routing protocols.

Knowledge of intrusion sets.

Knowledge of the Risk Management Framework Assessment Methodology.

Knowledge of methods and techniques used to detect various exploitation activities.

Knowledge of network administration.

Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

Knowledge of products and nomenclature of major vendors (e.g., security suites – Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.

Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.

Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).

Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.

Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.

Skill in determining installed patches on various operating systems and identifying patch signatures.

Skill in extracting information from packet captures.

Skill in identifying the devices that work at each level of protocol models.

Skill in interpreting vulnerability scanner results to identify vulnerabilities.

Skill in remote command line and Graphic User Interface (GUI) tool usage.

Skill in using Boolean operators to construct simple and complex queries.

Skill in using various open source data collection tools (online trade, DNS, mail, etc.).

Skill in verifying the integrity of all files.

Ability to accurately document results

Ability to analyze a finding of a compromise and develop a custom signature(s) and/or rule(s) to identify it throughout the network

Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit polices

Ability to analyze device/protocol discovery tool output

Ability to analyze interior and exterior routing protocols (e.g. RIP, EIGRP, OSPF, IS-IS, etc…)

Ability to analyze mitigations to recover from a full network compromise

Ability to analyze network infrastructure to identify and recommend key terrain or critical infrastructure.

Ability to analyze organizational policies and documentation for appropriate use and user privileges as they apply to networking devices.

Ability to analyze potential adversarial attack vectors on a mission-critical system.

Ability to assess Data in Transit encryption policies.

Ability to characterize network traffic for trends and patterns.

Ability to communicate with Sr Leaders of an Org. to ensure shared responsibility for supporting Org. mission/business functions using external providers of systems, services and apps receives visibility and is elevated to the appropriate decisionmaking authorities.

Ability to compile access control lists and firewall configurations.

Ability to Conduct flow data analysis

Ability to conduct research on vulnerabilites found and correlate current versions to known vulnerable releases

Ability to configure, forward and statistically analyze logs

Ability to configure, place, and maintain a distributed sensor grid.

Ability to construct accurate maps of the network devices

Ability to construct log aggregation solutions and analysis platforms

Ability to correlate indicators of compromise

Ability to create baselines/PPS documents and to compare current state against documentation.

Ability to create rules/alerts for traffic validation.

Ability to define caching and analyze the information contained within

Ability to detect mismatched port-application traffic

Ability to develop a risk defense plan to put active measure in place in defense of a network

Ability to develop dashboards to better visualize data

Ability to dissect and analyze a packet header

Ability to document findings of any anomalous connections

Ability to evaluate common Tactics, Techniques and Procedures (TTP) used in malware and open-source and Intelligence Community (IC) resources available to identify emerging TTPs

Ability to evaluate information (e.g. trust relationships and security policies) from a domain to identify vulnerabilities/misconfiguration

Ability to evaluate mitigations to recover from a full-network compromise.

Ability to evaluate network diagram

Ability to evaluate rogue/unauthorized systems on a network

Ability to evaluate systems resiliency in adverse conditions

Ability to identify activity in log entries to correlate indicators of compromise.

Ability to identify anomalous activity based off of known trends and patterns.

Ability to identify C2 Beaconing in normal network traffic.

Ability to identify complex root-cause analysis and recommend mitigations

Ability to identify Data in Transit encryption methodologies.

Ability to identify exfiltration of data in normal network traffic

Ability to identify IPv6 and differentiate between Link Local, Multicast, Unicast, and Anycast.

Ability to identify wireless encryption and differentiate between WEP, WPA (all versions) and WAPI

Ability to implement network TAP configuration

Ability to integrate information security requirements into the acquisition process, using applicable baseline security controls as one of the sources for security requirements, and ensuring a robust software quality control process.

Ability to measure application whitelisting/blacklisting solutions.

Ability to measure principle of vulnerability exploitation.

Ability to measure the effectiveness of white/blacklisting solutions on network devices.

Ability to monitor network data and perform triage on triggered events.

Ability to operate the tools to enumerate a system.

Ability to organize a list of mission infrastructure to identify which dependent systems are key terrain.

Ability to organize Network System Architecture and the dependencies formed from relationships between systems.

Ability to perform conversation calculations across Hexadecimal, Octal, Decimal, and binary.

Ability to perform device discovery.

Ability to research protocol utilization and determine anomalous use.

Ability to test tools within sensor grid.

Ability to use and integrate Security Information and Event Management (SIEM) capabilities in the analysis process.

Ability to utilize Defense Information Systems Agency (DISA)/ Department of Defense (DoD) system configuration guidelines.

Knowledge of anomaly-based detection and threat hunting.

Knowledge of attack principles, tools, and techniques.

Knowledge of basic cloud-based technologies and concepts.

Knowledge of basic Cyber Threat Emulation concepts.

Knowledge of basic Embedded Systems concepts.

Knowledge of cybersecurity and cybersecurity-enabled software products.

Knowledge of DOD Component-level cybersecurity architecture.

Knowledge of encryption algorithms and their implementation.

Knowledge of Friendly Network Forces (FNF) reporting procedures (i.e. deconfliction) to include external organization interaction.

Knowledge of hardware components and architecture including functions and limitations.

Knowledge of hashing algorithms.

Knowledge of Hexadecimal, Octal, Decimal, and binary

Knowledge of HTML source code and the intelligence that can be derived from it.

Knowledge of IPv6

Knowledge of Network OSs.

Knowledge of security implications of device and software configurations.

Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model).

Knowledge of TCP flags

Knowledge of the differences between distance vector and link-state routing protocols

Knowledge of the different DNS resource records

Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission.

Knowledge of User Agent Strings and the intelligence that can be derived from them

Skill in analyzing PCAP data

Skill in conducting system planning, management, and maintenance.

Skill in discerning the protection requirements (i.e. security controls) of IS and networks.

Skill in implementing encryption algorithms.

Skill in intrusion detection methodologies and techniques for detecting host and network-based intrusions for utilizing intrusion detection systems and signature development.

Skill in network operating system administration.

Skill in providing an understanding of the adversary through the identification and link analysis of physical, functional, or behavioral relationships within an operational environment.

Skill in regular expressions

Skill in understanding cybersecurity architecture, its implementation, and its expected behaviors and how changes in conditions affect outcomes.

Skill in using Berkeley Packet filters.

Skill in using network mapping tools to analyze identify and enumerate a network.

Skill in utilizing a network traffic packet analyzer in order to detect anomalies in protocol utilization.

Ability to apply an organization’s goals and objectives to develop and maintain architecture.

Ability to optimize systems to meet enterprise performance requirements.

Knowledge of multi-level/security cross domain solutions.

Skill in interfacing with customers.

Adhere to DCO policies and procedures reflecting applicable laws, policies, procedures, and regulations (such as United States Code Titles 10 and 50).

Assess exploited systems’ potential to provide additional access, target development information, intelligence and/or covert infrastructure.

Determine and document software patches or the extent of releases that would harden vulnerable software.

Determine location of tool(s) deployment and utilize them once deployed (e.g., monitor agent, sensor).

Develop and review cyberspace operations TTPs for integration into strategic, operational and tactical levels of planning.

Evaluate security architecture and its design against cyberspace threats as identified in operational and acquisition documents.

Manage threat or target analysis of DCO information and production of threat information for networks and enclave environments.

Provide and maintain documentation for TTPs as inputs to training programs.

Provide input to the analysis, design, development or acquisition of capabilities used for meeting mission objectives.

Read, write, and interpret simple scripts to collect remote data and automation tasks.

Read, write, and interpret simple scripts to parse large data files.

Recommend Patch network vulnerabilities to ensure information is safeguarded against outside parties via Risk Mitigation Plans.