* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).

Provide input to the analysis, design, development or acquisition of capabilities used for meeting objectives.

Assess target vulnerabilities and/or operational capabilities to determine course of action.

Assist and advise inter-agency partners in identifying and developing best practices for facilitating operational support to achievement of organization objectives.

Provide input to the identification of cyber-related success criteria.

Develop, review and implement all levels of planning guidance in support of cyber operations.

Contribute to crisis action planning for cyber operations.

Contribute to the development of the organization’s decision support tools if necessary.

Coordinate, produce and track intelligence requirements.

Determine indicators (e.g., measures of effectiveness) that are best suited to specific cyber operation objectives.

Develop and maintain deliberate and/or crisis plans.

Develop and review specific cyber operations guidance for integration into broader planning activities.

Develop cyber operations plans and guidance to ensure that execution and resource allocation decisions align with organization objectives.

Develop, implement, and recommend changes to appropriate planning procedures and policies.

Ensure operational planning efforts are effectively transitioned to current operations.

Ensure that intelligence planning activities are integrated and synchronized with operational planning timelines.

Evaluate intelligence estimates to support the planning cycle.

Facilitate the sharing of “best practices” and “lessons learned” throughout the cyber operations community.

Incorporate cyber operations and communications security support plans into organization objectives.

Incorporate intelligence and counterintelligence to support plan development.

Identify and submit intelligence requirements for the purposes of designating priority information requirements.

Identify intelligence gaps and shortfalls.

Identify cyber intelligence gaps and shortfalls.

Provide input to or develop courses of action based on threat factors.

Integrate cyber planning/targeting efforts with other organizations.

Interpret environment preparations assessments to determine a course of action.

Issue requests for information.

Knowledge of organizational planning concepts.

Maintain relationships with internal and external partners involved in cyber planning or related areas.

Maintain situational awareness of cyber-related intelligence requirements and associated tasking.

Maintain situational awareness of partner capabilities and activities.

Monitor and evaluate integrated cyber operations to identify opportunities to meet organization objectives.

Provide SME and support to planning/developmental forums and working groups as appropriate.

Conduct long-range, strategic planning efforts with internal and external partners in cyber activities.

Provide subject matter expertise to planning efforts with internal and external cyber operations partners.

Participate in exercises.

Provide input to the administrative and logistical elements of an operational support plan.

Provide time sensitive targeting support.

Review and comprehend organizational leadership objectives and guidance for planning.

Submit or respond to requests for deconfliction of cyber operations.

Document lessons learned that convey the results of events and/or exercises.

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.

Ability to apply critical reading/thinking skills.

Ability to collaborate effectively with others.

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability to coordinate cyber operations with other organization functions or support activities.

Ability to exercise judgment when policies are not well-defined.

Ability to identify external partners with common cyber operations interests.

Ability to tailor technical and planning information to a customer’s level of understanding.

Knowledge of virtualization products (Vmware, Virtual PC).

Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).

Knowledge of all forms of intelligence support needs, topics, and focus areas.

Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge of classification and control markings standards, policies and procedures.

Knowledge of cyber operations support or enabling processes.

Knowledge of crisis action planning and time sensitive planning procedures.

Knowledge of cyber laws and legal considerations and their effect on cyber planning.

Knowledge of cyber operations terminology/lexicon.

Knowledge of cyber operations.

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge of deconfliction processes and procedures.

Knowledge of target and threat organization structures, critical capabilities, and critical vulnerabilities.

Knowledge of evolving/emerging communications technologies.

Knowledge of existing, emerging, and long-range issues related to cyber operations strategy, policy, and organization.

Knowledge of staff management, assignment, and allocation processes.

Knowledge of internal and external partner cyber operations capabilities and tools.

Knowledge of how collection requirements and information needs are translated, tracked, and prioritized across the extended enterprise.

Knowledge of how modern wireless communications systems impact cyber operations.

Knowledge of intelligence reporting principles, policies, procedures, and vehicles, including report formats, reportability criteria (requirements and priorities), dissemination practices, and legal authorities and restrictions.

Knowledge of intelligence support to planning, execution, and assessment.

Knowledge of organization policies and planning concepts for partnering with internal and/or external organizations.

Knowledge of organizational hierarchy and cyber decision making processes.

Knowledge of malware.

Knowledge of objectives, situation, operational environment, and the status and disposition of internal and external partner collection capabilities available to support planning.

Knowledge of organization or partner exploitation of digital networks.

Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.

Knowledge of required intelligence planning products associated with cyber operational planning.

Knowledge of organizational structures and associated intelligence capabilities.

Knowledge of the organizational planning and staffing process.

Knowledge of organization decision support tools and/or methods.

Knowledge of the intelligence frameworks, processes, and related systems.

Knowledge of accepted organization planning systems.

Knowledge of the information environment.

Knowledge of the processes to synchronize operational assessment procedures with the critical information requirement process.

Knowledge of the relationships between end states, objectives, effects, lines of operation, etc.

Knowledge of the structure and intent of organization specific plans, guidance and authorizations.

Knowledge of the structure, architecture, and design of modern digital and telephony networks.

Knowledge of organization issues, objectives, and operations in cyber as well as regulations and policy directives governing cyber operations.

Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.

Skill in documenting and communicating complex technical and programmatic information.

Skill in evaluating information for reliability, validity, and relevance.

Skill in preparing and presenting briefings.

Skill to apply the process used to assess the performance and impact of cyber operations.

Skill to craft indicators of operational progress/success.

Skill to distinguish between notional and actual resources and their applicability to the plan under development.

Skill to synchronize operational assessment procedures with the critical information requirement process.

Knowledge of analytic tools and techniques.

Knowledge of the full-spectrum of cyberspace operational missions (e.g., DODIN Operations, DCO, OCO), principles, capabilities, limitations, and effects.

Knowledge of intelligence/SIGINT reporting and dissemination procedures.

Develop cyberspace operations TTPs for integration into operational and tactical levels of planning.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of computer programming principles such as object-oriented design.

Knowledge of cryptography and cryptographic key management concepts.

Knowledge of organization’s evaluation and validation requirements.

Knowledge of cybersecurity principles and methods that apply to software development.

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge of low-level computer languages (e.g., assembly languages).

Knowledge of penetration testing principles, tools, and techniques.

Knowledge of programming language structures and logic.

Knowledge of software debugging principles.

Knowledge of software development models (e.g., Waterfall Model, Spiral Model).

Knowledge of software engineering.

Skill in conducting software debugging.

Skill in developing applications that can log and handle errors, exceptions, and application faults and logging.

Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).

Knowledge of external organizations and academic institutions with cyber focus (e.g., cyber curriculum/training and Research & Development).

Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.

Analyze user needs and software requirements to determine feasibility of design within time and cost constraints.

Apply coding and testing standards, apply security testing tools including “‘fuzzing” static-analysis code scanning tools, and conduct code reviews.

Design, develop, and modify software systems, using scientific analysis and mathematical models to predict and measure outcome and consequences of design.

Develop software system testing and validation procedures, programming, and documentation.

Develop new or identify existing awareness and training materials that are appropriate for intended audiences.

Develop secure code and error handling.

Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable).

Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.

Modify and maintain existing software to correct errors, to adapt it to new hardware, or to upgrade interfaces and improve performance.

Perform integrated quality assurance testing for security functionality and resiliency attack.

Perform secure programming and identify potential flaws in codes to mitigate vulnerabilities.

Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.

Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language.

Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.

Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.

Knowledge of interpreted and compiled computer languages.

Knowledge of secure coding techniques.

Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities.

Design countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements.

Skill in using code analysis tools.

Knowledge of root cause analysis techniques.

Knowledge of supply chain risk management standards, processes, and practices.

Skill in performing root cause analysis.

Skill in secure test plan design (e. g. unit, integration, system, acceptance).

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge of operations security.

Knowledge of software reverse engineering techniques.

Ability to develop secure software according to secure software deployment methodologies, tools, and practices.

Collaborate with stakeholders to identify and/or develop appropriate solutions technology.

Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate.

Identify and leverage the enterprise-wide version control system while designing and developing secure applications.

Direct software programming and development of documentation.

Facilitate the sharing of “best practices” and “lessons learned” throughout the cyber operations community.

Maintain situational awareness of cyber-related intelligence requirements and associated tasking.

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted languages).

Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.

Knowledge of organizational and partner authorities, responsibilities, and contributions to achieving objectives.

Ability to program in at least one assembly languages.

Ability to use common networking protocols.

Ability to use data structures.

Ability to use reference documentation for C, Python, assembly, and other international technical standards and specifications (IEEE, ISO, IETF, etc.).

Ability to analyze, modify, develop, debug and document software and applications in C programming language.

Ability to analyze, modify, develop, debug and document software and applications in Python programming language.

Ability to analyze, modify, develop, debug and document software and applications utilizing standard, non-standard, specialized, serialization and/or unique network communication protocols.

Ability to interpret customer requirements and evaluate resource and system constraints to create solution design specifications.

Knowledge of cyber adversary threat tier taxonomy (2014 National Intelligence Estimate [NIE]), DIA/NSA Standard Cyber Threat Model, etc.).

Knowledge of cyber mission force equipment taxonomy (Platform-Access-Payloads/Toolset), capability development process and repository.

Knowledge of data serialization formats (e.g. XML, JSON, etc.).

Knowledge of embedded systems

Knowledge of modern software development methodologies (e.g. Continuous Integration (CI), Continuous Delivery (CD), Test Driven Development (TDD), etc.).

Knowledge of principles, methodologies, and tools used to improve quality of software (e.g. regression testing, test coverage, code review, pair programming, etc.).

Knowledge of relevant mission processes including version control processes, release processes, documentation requirements, and testing requirements.

Knowledge of sources and locations (public and classified) of capability development TTPs and tradecraft information/intelligence used by the US Gov and others.

Knowledge of sources and locations of cyber capability registries and repositories (e.g. Joint Cyber Tactics Manual (JCTM), Cyber Capability Registry (CCR), Agency and service repositories, etc.).

Knowledge of task and project management tools used for software development (e.g. Jira, Confluence, Trac, MediaWiki, etc.).

Knowledge of terms and concepts of operating system fundamentals (e.g. virtualization, paging, file systems, I/O, memory management, process abstraction, etc.).

Knowledge of the concepts and terminology of datastructures and associated algorithms (e.g., search, sort, traverse, insert, delete).

Knowledge of the supported organization’s approval process for operational use of a capability.

Knowledge of the use and application of static and dynamic program analysis.

Knowledge of your organizations project management, timeline estimation, and software engineering philosophy (e.g. CI/CD, TDD, etc.).

Skill in conducting “open source” research.

Knowledge of techniques to harden capabilities to prevent attacks and forensics.

Utilize different programming languages to write code, open files, read files, and write output to different files.

Analyze and document applications using assembly languages.

Analyze countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements.

Analyze, modify, develop, debug, and document software and applications using assembly languages.

Analyze, modify, develop, debug, and document software and applications utilizing standard, non-standard, specialized, and/or unique communication protocols.

Analyze, modify, develop, debug, and document software and applications which run in kernel space.

Analyze, modify, develop, debug, and document software and applications which run in user space.

Apply cryptography primitives to protect the confidentiality and integrity of sensitive data.

Apply software engineering best practices to enable sustainability and extensibility (Agile, TDD, CI/CD, etc.) to include containerization and virtualization technologies.

Architect design documents that describe input, output, and logical operation.

Conduct hardware and/or software static and dynamic analysis to reverse engineer malicious or benign systems.

Create or enhance cyberspace capabilities to compromise, deny, degrade, disrupt, destroy, or manipulate automated information systems.

Create or enhance cyberspace solutions to enable surveillance and reconnaissance of automated information systems.

Describe the most likely cause of an error and recommend a list of possible solutions given the description of error or system crash.

Design and develop data storage requirements, database structure, process flow, systematic procedures, algorithms, data analysis, and file structures.

Design and develop user interfaces (e.g. web pages, GUIs, CLIs, Console Interfaces)

Design and direct software development efforts to detect and disrupt nation-state cyber threat actors.

Develop content for cyber capabilities.

Develop, modify, and utilize automation technologies to enable employment of capabilities as efficiently as possible (e.g. TDD, CI/CD, etc.)

Document and communicate tradecraft, best practices, TTPs, training, briefings, presentations, papers, studies, lessons learned, etc. to both technical and non-technical audiences.

Enhance capability design strategies and tactics by synthesizing information, processes, and techniques in the areas of malicious software, vulnerabilities, reverse engineering, secure software engineering, and exploitation.

Enter work into Task and project management tools used for software development (e.g. Jira, Confluence, Trac, MediaWiki, etc.)

Generate proper supporting documentation of cyber capability.

Implement project management, software engineering philosophies, modern capability development methodologies (Agile, TDD, CI/CD, etc), at the team level.

Locate and utilize technical specifications and industry standards (e.g. Internet Engineering Task Force (IETF), IEEE, IEC, International Standards Organization (ISO)).

Make use of compiler attributes and platform-specific features.

Perform code review and analysis to inform OPSEC analysis and application (attribution, sanitization, etc.)

Perform requirements analysis to identify workable tasks needed to organize collaborative software and documentation development.

Perform static and dynamic analysis in order to find errors and flaws.

Produce artifacts to inform risk analysis, acceptance testing, and legal review.

Reference capability repositories and other sources to identify existing capabilities which fully/partially meet customer requirements (with or without modification).

Utilize data structures to organize, sort, and manipulate elements of information

Utilize secure coding techniques during development of software and applications

Utilize tools to decompile, disassembe, analzye, and reverse engineer compiled binaries.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).

Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).

Knowledge of virtualization technologies and virtual machine development and maintenance.

Skill in analyzing memory dumps to extract information.

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge of operating system structures and internals (e.g., process management, directory structure, installed applications).

Knowledge of Extensible Markup Language (XML) schemas.

Knowledge of debugging procedures and tools.

Knowledge of database access application programming interfaces (APIs) (e.g., Java Database Connectivity [JDBC]).

Analyze internal operational architecture, tools, and procedures for ways to improve performance.

Analyze target operational architecture for ways to gain access.

Collaborate with development organizations to create and deploy the tools needed to achieve objectives.

Conduct network scouting and vulnerability analyses of systems within a network.

Conduct on-net and off-net activities to control, and exfiltrate data from deployed, automated technologies.

Conduct open source data collection via various online tools.

Conduct survey of computer and digital networks.

Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers).

Detect exploits against targeted networks and hosts and react accordingly.

Edit or execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems.

Identify potential points of strength and vulnerability within a network.

Maintain situational awareness and functionality of organic operational infrastructure.

Conduct cyber activities to degrade/remove information resident in computers and computer networks.

Process exfiltrated data for analysis and/or dissemination to customers.

Ability to adjust to and operate in a diverse, unpredictable, challenging, and fast-paced work environment.

Ability to analyze malware.

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability to interpret and translate customer requirements into operational action.

Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity.

Ability to produce technical documentation.

Ability to identify/describe target vulnerability.

Knowledge of assembly code.

Knowledge of auditing and logging procedures (including server-based logging).

Knowledge of basic back-up and recovery procedures including different types of backups (e.g., full, incremental).

Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted languages).

Knowledge of basic software applications (e.g., data storage and backup, database applications) and their vulnerabilities.

Knowledge of basic wireless applications, including vulnerabilities in various types of wireless applications.

Knowledge of current software and methodologies for active defense and system hardening.

Knowledge of deconfliction processes and procedures.

Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).

Knowledge of enterprise-wide information management.

Knowledge of evasion strategies and techniques.

Knowledge of deconfliction reporting to include external organization interaction.

Knowledge of internal and external partner reporting.

Knowledge of forensic implications of operating system structure and operations.

Knowledge of host-based security products and how they affect exploitation and vulnerability.

Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.

Knowledge of Internet and routing protocols.

Knowledge of malware.

Knowledge of methods and techniques used to detect various exploitation activities.

Knowledge of network administration.

Knowledge of network construction and topology.

Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.

Knowledge of products and nomenclature of major vendors (e.g., security suites – Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.

Knowledge of satellite-based communication systems.

Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.

Knowledge of security implications of software configurations.

Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).

Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.

Knowledge of organizational and partner policies, tools, capabilities, and procedures.

Knowledge of target, including related current events, communication profile, actors, and history (language, culture) and/or frame of reference.

Knowledge of the basic structure, architecture, and design of modern communication networks.

Knowledge of the common networking and routing protocols(e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence.

Knowledge of targeting cycles.

Knowledge of internal and external partner organization capabilities and limitations (those with tasking, collection, processing, exploitation and dissemination responsibilities).

Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

Knowledge of various types of computer architectures.

Knowledge of virtual machine technologies.

Ability to perform network collection tactics, techniques, and procedures to include decryption capabilities/tools.

Knowledge of network collection procedures to include decryption capabilities/tools, techniques, and procedures.

Skill in analyzing terminal or environment collection data.

Skill in assessing current tools to identify needed improvements.

Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.

Skill in data mining techniques (e.g., searching file systems) and analysis.

Skill in determining installed patches on various operating systems and identifying patch signatures.

Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools.

Skill in extracting information from packet captures.

Skill in identifying the devices that work at each level of protocol models.

Skill in interpreting vulnerability scanner results to identify vulnerabilities.

Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).

Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).

Ability to read, interpret, write, modify, and execute simple scripts (e.g. PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).

Skill in remote command line and Graphic User Interface (GUI) tool usage.

Skill in server administration.

Skill in technical writing.

Skill in testing and evaluating tools for implementation.

Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target.

Skill in using tools, techniques, and procedures to exploit a target.

Skill in verifying the integrity of all files.

Knowledge of relevant laws, regulations, and policies.

Ability to apply tradecraft to minimize risk of detection, mitigate risk, and minimize creation of behavioral signature

Ability to characterize a target admin/user’s technical abilities, habits, and skills.

Ability to communicate operational plans and actions and provide feedback regarding OPSEC and tradecraft during mission pre-brief

Ability to conduct open source research.

Ability to construct a COA using available tools and techniques.

Ability to continually research and develop new tools/techniques

Ability to create rules and filters (e.g., Berkeley Packet Filter, Regular Expression).

Ability to ensure collected data is transferred to the appropriate storage locations.

Ability to enumerate a network.

Ability to enumerate user permissions and privileges.

Ability to evade or counter security products or host based defenses.

Ability to exploit vulnerabilities to gain additional access.

Ability to extract credentials from hosts

Ability to identify capability gaps (e.g., insufficient tools, training, or infrastructure)

Ability to identify files containing information critical to operational objectives.

Ability to identify legal, policy, and technical limitations when conducting cyberspace operations.

Ability to identify logging capabilities on host

Ability to identify what tools or Tactics, Techniques, and Procedures (TTPs) are applicable to a given situation

Ability to improve the performance of cyberspace operators by providing constructive (positive and negative) feedback.

Ability to install/modify/uninstall tools on target systems in accordance with current policies and procedures.

Ability to interpret device configurations.

Ability to interpret cyberspace technical materials and documentation (e.g. CVEs, API).

Ability to maintain situational awareness of target environment.

Ability to model a simulated environment to conduct mission rehearsal and mitigate risk of actions taken during operations.

Ability to operate automated systems to interact with target environment.

Ability to perform masquerade operations.

Ability to perform privilege escalation.

Ability to persist access to a target.

Ability to plan, brief, execute, and debrief a mission.

Ability to promote and enable organizational change.

Ability to provide advice and guidance to various stakeholders regarding technical issues, capabilities, and approaches.

Ability to provide feedback to developers if a tool requires continued development.

Ability to provide technical leadership within an organization.

Ability to read, write, modify, and execute compiled languages (e.g., C).

Ability to extract specific information from large data set (e.g., grep, regex critical).

Ability to recognize and report mistakes or poor tradecraft to appropriate leadership in accordance with Standard Operating Procedures (SOPs).

Ability to recognize and respond appropriately to Non-Standard Events.

Ability to redirect and tunnel through target systems.

Ability to remediate indicators of compromise.

Ability to research non-standards within a project.

Ability to retrieve historical operational data.

Ability to train other cyberspace operators.

Ability to troubleshoot technical problems.

Ability to use core toolset (e.g., implants, remote access tools).

Ability to use dynamic analysis tools (e.g. process monitor, process explorer, and registry analysis)

Ability to use enterprise tools to enumerate target information.

Ability to verify file integrity for both uploads and downloads.

Ability to weaken a target to facilitate/enable future access.

Ability to write and modify markup languages (e.g., HTML, XML).

Ability to write and modify source code (e.g., C).

Knowledge of access control models (Role Based Access Control, Attribute Based Access Control).

Knowledge of advanced redirection techniques.

Knowledge of appropriate/inappropriate information to include in operational documentation (e.g., OPNOTES, technical summaries, action maps, etc.).

Knowledge of basic client software applications and their attack surfaces.

Knowledge of basic cloud-based technologies and concepts.

Knowledge of basic Embedded Systems concepts.

Knowledge of basic redirection techniques (e.g. IP Tables, SSH Tunneling, netsh)

Knowledge of basic server software applications and their attack surfaces.

Knowledge of code injection and its employment in cyberspace operations.

Knowledge of common network administration best practices and the impact to operations.

Knowledge of credential sources and restrictions related to credential usage.

Knowledge of device reboots, including when they occur and their impact on tool functionality.

Knowledge of evolving technologies.

Knowledge of factors that would suspend or abort an operation.

Knowledge of historical data relating to particular targets and projects, prior to an operation to include reviewing TECHSUMs, previous OPNOTEs, etc.

Knowledge of how computer programs are executed

Knowledge of how host-based security products, logging, and malware may affect tool functionality

Knowledge of how other actors may affect operations

Knowledge of how race conditions occur and can be employed to compromise shared resources

Knowledge of malware triage.

Knowledge of methods and procedures for sending a payload via an existing implant

Knowledge of methods, strategies, and techniques of evading detection while conducting operations, such as noise, stealth, situational awareness, etc.

Knowledge of methods, tools, and procedures for collecting information, including accessing databases and file systems

Knowledge of methods, tools, and procedures for exploiting target systems

Knowledge of methods, tools, and techniques used to determine the path to a target host/network (e.g., identify satellite hops).

Knowledge of models for examining cyber threats (e.g. cyber kill chain, MITRE ATT&CK).

Knowledge of modes of communication used by a target, such as cable, fiber optic, satellite, microwave, VSAT, or combinations of these.

Knowledge of open source tactics that enable initial access (e.g. social engineering, phishing)

Knowledge of operating system command shells, configuration data.

Knowledge of operational infrastructure

Knowledge of operational security, logging, admin concepts, and troubleshooting.

Knowledge of password cracking techniques.

Knowledge of process migration

Knowledge of system administration concepts for distributed or managed operating environments.

Knowledge of system administration concepts for stand alone operating systems.

Knowledge of system calls

Knowledge of the components of an authentication system.

Knowledge of the concept of an advanced persistent threat (APT)

Knowledge of the location and use of tool documentation.

Knowledge of the methods and procedures for communicating with tools/modules, including the use of listening posts.

Knowledge of the methods of persistence.

Knowledge of the Mission Improvement Process

Knowledge of the Plan, Brief, Execute, and Debrief process

Knowledge of the tactics development process

Knowledge of threats to OPSEC when installing, using, modifying, and uninstalling tools.

Knowledge of tool release/testing process

Knowledge of VPNs, their purpose, and how they can be leveraged.

Skill in enumerating a host (e.g. file systems, host meta data host characteristics).

Skill in manipulating firewall/host based security configuration and rulesets.

Skill in retrieving memory resident data.

Skill in transferring files to target devices (e.g., scp, tftp, http, ftp).

Skill in using network enumeration and analysis tools, both active and passive.

Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.

Advise leadership on operational tradecraft, emerging technology, and technical health of the force.

Approve remediation actions.

As authorized, train cyberspace operators at one’s certification level or below.

Assess the technical health of the cyberspace operator work role.

Assess, recommend, and evaluate remediation actions.

Conduct cyber activities to deny, degrade, disrupt, destroy, manipulate, (D4M).

Conduct post-mission actions.

Conduct pre-mission actions

Conduct pre-operation research and prep.

Create/normalize/document/evaluate TTPs in cyberspace operations.

Develop and/or inform risk assessments.

Develop Operational Training Solultions.

Develop remediation actions.

Develop risk assessments for non-standard events and ad hoc tradecraft.

Employ collection TTPs in cyberspace operations.

Employ credential access TTPs in cyberspace operations.

Employ discovery TTPs in cyberspace operations.

Employ exfiltration TTPs in cyberspace operations.

Employ lateral movement TTPs in cyberspace operations.

Employ TTPs in categories at one’s certification level or below.

Evaluate cyberspace operator performance at one’s certification level or below.

Identify targets of opportunity in order to influence operational planning.

Identify the appropriate operating authorities and guidance

Maintain operational and technical situational awareness during operations

Produce strategy to inform commander’s decision making process.

Provide input to mission debrief.

Provide input to operational policy.

Provide input to post mission planning.

Provide input to pre-mission planning.

Recognize and respond to indicators of compromise (IOC).

Recognize and respond to events that change risk.

Record and document activities during cyberspace operations.

Steward the cyberspace operator work role.

Train cyberspace operators at their certified level or below.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Ability to determine the validity of technology trend data.

Knowledge of emerging computer-based technology that has potential for exploitation by adversaries.

Knowledge of industry technologies and how differences affect exploitation/vulnerabilities.

Knowledge of collection management processes, capabilities, and limitations.

Knowledge of front-end collection systems, including traffic collection, filtering, and selection.

Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.

Knowledge of operations security.

Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).

Reconstruct a malicious attack or activity based off network traffic.

Accurately characterize targets.

Provide expertise to course of action development.

Provide expertise to the development of measures of effectiveness and measures of performance.

Perform analysis for target infrastructure exploitation activities.

Classify documents in accordance with classification guidelines.

Collaborate with intelligence analysts/targeting organizations involved in related areas.

Compile, integrate, and/or interpret all-source data for intelligence or vulnerability value with respect to specific targets.

Identify and conduct analysis of target communications to identify information essential to support operations.

Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.

Conduct quality control in order to determine validity and relevance of information gathered about networks.

Conduct target research and analysis.

Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities.

Maintain awareness of internal and external cyber organization structures, strengths, and employments of staffing and technology.

Determine how identified factors affect the tasking, collection, processing, exploitation and dissemination architecture’s form and function.

Determine if information meets reporting requirements.

Determine what technologies are used by a given target.

Apply analytic techniques to gain more target information.

Develop measures of effectiveness and measures of performance.

Engage customers to understand customers’ intelligence needs and wants.

Establish alternative processing, exploitation and dissemination pathways to address identified issues or problems.

Generate and evaluate the effectiveness of network analysis strategies.

Examine intercept-related metadata and content with an understanding of targeting significance.

Gather information about networks through traditional and alternative techniques, (e.g., social network analysis, call-chaining, traffic analysis.)

Generate requests for information.

Identify threat tactics, and methodologies.

Identify and evaluate threat critical capabilities, requirements, and vulnerabilities.

Identify collection gaps and potential collection strategies against targets.

Identify critical target elements.

Identify intelligence gaps and shortfalls.

Identify network components and their functionality to enable analysis and target development.

Initiate requests to guide tasking and assist with collection management.

Maintain awareness of advancements in hardware and software technologies (e.g., attend training or conferences, reading) and their potential implications.

Make recommendations to guide collection in support of customer requirements.

Monitor target networks to provide indications and warning of target communications changes or processing failures.

Provide SME and support to planning/developmental forums and working groups as appropriate.

Provide subject matter expertise to development of exercises.

Participate in exercises.

Perform content and/or metadata analysis to meet organization objectives.

Produce network reconstructions.

Profile targets and their activities.

Provide time sensitive targeting support.

Review appropriate information sources to determine validity and relevance of information gathered.

Reconstruct networks in diagram or report format.

Research communications trends in emerging technologies (in computer and telephony networks, satellite, cable, and wireless) in both open and classified sources.

Sanitize and minimize information to protect sources and methods.

Support identification and documentation of collateral effects.

Collaborate across internal and/or external organizational lines to enhance collection, analysis and dissemination.

Conduct analysis of target communications to identify essential information in support of organization objectives.

Evaluate and interpret metadata to look for patterns, anomalies, or events, thereby optimizing targeting, analysis and processing.

Identify target communications within the global network.

Maintain awareness of target communication tools, techniques, and the characteristics of target communication networks (e.g., capacity, functionality, paths, critical nodes) and their potential implications for targeting, collection, and analysis.

Provide feedback to collection managers to enhance future collection and analysis.

Perform or support technical network analysis and mapping.

Perform social network analysis and document as appropriate.

Tip critical or time-sensitive information to appropriate customers.

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.

Ability to focus research efforts to meet the customer’s decision-making needs.

Ability to clearly articulate intelligence requirements into well-formulated research questions and requests for information.

Ability to collaborate effectively with others.

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.

Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.

Ability to exercise judgment when policies are not well-defined.

Ability to function effectively in a dynamic, fast-paced environment.

Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—in order to leverage analytical and technical expertise.

Ability to identify intelligence gaps.

Ability to recognize and mitigate cognitive biases which may affect analysis.

Ability to recognize and mitigate deception in reporting and analysis.

Ability to think critically.

Knowledge of target methods and procedures.

Ability to utilize multiple intelligence sources across all intelligence disciplines.

Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).

Knowledge of target intelligence gathering and operational preparation techniques and life cycles.

Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).

Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).

Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge of classification and control markings standards, policies and procedures.

Knowledge of cyber operation objectives, policies, and legalities.

Knowledge of collection searching/analyzing techniques and tools for chat/buddy list, emerging technologies, VOIP, Media Over IP, VPN, VSAT/wireless, web mail and cookies.

Knowledge of collection sources including conventional and non-conventional sources.

Knowledge of the intelligence requirements development and request for information processes.

Knowledge of common networking devices and their configurations.

Knowledge of common reporting databases and tools.

Knowledge of cyber operations.

Knowledge of denial and deception techniques.

Knowledge of document classification procedures, policy, resources, and personnel.

Knowledge of evolving/emerging communications technologies.

Knowledge of general SCADA system components.

Knowledge of how converged technologies impact cyber operations (e.g., digital, telephony, wireless).

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).

Knowledge of how modern digital and telephony networks impact cyber operations.

Knowledge of how modern wireless communications systems impact cyber operations.

Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).

Knowledge of how to extract, analyze, and use metadata.

Knowledge of information and collateral intelligence sources.

Knowledge of intelligence reporting principles, policies, procedures, and vehicles, including report formats, reportability criteria (requirements and priorities), dissemination practices, and legal authorities and restrictions.

Knowledge of Internet and routing protocols.

Knowledge of intrusion detection systems and signature development.

Knowledge of malware analysis and characteristics.

Knowledge of methods to integrate and summarize information from any potential sources.

Knowledge of midpoint collection (process, objectives, organization, targets, etc.).

Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge of organization and/or partner collection systems, capabilities, and processes (e.g., collection and protocol processors).

Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.

Knowledge of principles and practices related to target development such as target knowledge, associations, communication systems, and infrastructure.

Knowledge of strategies and tools for target research.

Knowledge of target, including related current events, communication profile, actors, and history (language, culture) and/or frame of reference.

Knowledge of the basic structure, architecture, and design of converged applications.

Knowledge of the data flow from collection origin to repositories and tools.

Knowledge of the intelligence frameworks, processes, and related systems.

Knowledge of the organization, roles and responsibilities of higher, lower and adjacent sub-elements.

Knowledge of the principal methods, procedures, and techniques of gathering information and producing intelligence.

Knowledge of the purpose and contribution of target templates.

Knowledge of the structure, architecture, and design of modern digital and telephony networks.

Knowledge of the structure, architecture, and design of modern wireless communications systems.

Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.

Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

Skill in identifying how a target communicates.

Skill in analyzing a target’s communication networks.

Skill in analyzing essential network data (e.g., router configuration files, routing protocols).

Skill in analyzing traffic to identify network devices.

Skill in applying various analytical methods, tools, and techniques (e.g., competing hypotheses; chain of reasoning; scenario methods; denial and deception detection; high impact-low probability; network/association or link analysis; Bayesian, Delphi, and Pattern analyses).

Skill in assessing the applicability of available analytical tools to various situations.

Skill in conducting social network analysis, buddy list analysis, and/or cookie analysis.

Skill in depicting source or collateral data on a network map.

Skill in determining the physical location of network devices.

Skill in disseminating items of highest intelligence value in a timely manner.

Skill in evaluating data sources for relevance, reliability, and objectivity.

Skill in evaluating information for reliability, validity, and relevance.

Skill in evaluating information to recognize relevance, priority, etc.

Skill in evaluating accesses for intelligence value.

Skill in exploiting/querying organizational and/or partner collection databases.

Skill in identifying a target’s communications networks.

Skill in identifying leads for target development.

Skill in identifying, locating, and tracking targets via geospatial analysis techniques

Skill in interpreting compiled and interpretive programming languages.

Skill in interpreting metadata and content as applied by collection systems.

Skill in using trace route tools and interpreting the results as they apply to network analysis and reconstruction.

Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.

Skill in navigating network visualization software.

Skill in recognizing and interpreting malicious network activity in traffic.

Skill in recognizing relevance of information.

Skill in recognizing significant changes in a target’s communication patterns.

Skill in recognizing technical information that may be used for leads for metadata analysis.

Skill in recognizing technical information that may be used for target development including intelligence development.

Skill in researching essential information.

Skill in researching vulnerabilities and exploits utilized in traffic.

Skill in fusion analysis

Skill in survey, collection, and analysis of wireless LAN metadata.

Skill in synthesizing, analyzing, and prioritizing meaning across data sets.

Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies).

Skill in using research methods including multiple, different sources to reconstruct a target network.

Skill in using geospatial data and applying geospatial resources.

Skill in using non-attributable networks.

Skill in writing about facts and ideas in a clear, convincing, and organized manner.

Knowledge of collection systems, capabilities, and processes.

Knowledge of the feedback cycle in collection processes.

Knowledge of target or threat cyber actors and procedures.

Knowledge of basic cyber operations activity concepts (e.g., foot printing, scanning and enumeration, penetration testing, white/black listing).

Knowledge of approved intelligence dissemination processes.

Knowledge of relevant laws, regulations, and policies.

Knowledge of target communication profiles and their key elements (e.g., target associations, activities, communication infrastructure).

Knowledge of target communication tools and techniques.

Knowledge of the characteristics of targeted communication networks (e.g., capacity, functionality, paths, critical nodes).

Knowledge of networking and internet communications fundamentals (i.e. devices, device configuration, hardware, software, applications, ports/protocols, addressing, network architecture and infrastructure, routing, operating systems, etc.).

Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).

Knowledge of network security implementations (e.g., host-based IDS, IPS, access control lists), including their function and placement in a network.

Knowledge of customer information needs.

Knowledge of analytic tools and techniques.

Skill in identifying a target’s network characteristics.

Skill in assessing a target’s frame of reference (e.g., motivation, technical capability, organizational structure, sensitivities).

Skill in conducting research using all available sources.

Skill in complying with the legal restrictions for targeted information.

Skill in developing intelligence reports.

Skill in evaluating and interpreting metadata.

Skill in identifying intelligence gaps and limitations.

Skill in providing analysis on target-related matters (e.g., language, cultural, communications).

Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.

Knowledge of obfuscation techniques (e.g., TOR/Onion/anonymizers, VPN/VPS, encryption).

Knowledge of computer programming concepts, including computer languages, programming, testing, debugging, and file types.

Knowledge of basic cloud-based technologies and concepts.

Knowledge of basic Embedded Systems concepts.

Knowledge of basic reconnaissance activity concepts and techniques (foot printing, scanning and enumeration).

Knowledge of Critical Intelligence Communication (CRITIC) identification and reporting process.

Knowledge of cryptologic and SIGINT reporting and dissemination procedures.

Knowledge of cybersecurity concepts and principles.

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge of how and when to request assistance from the Cryptanalysis and Signals Analysis and/or CNO.

Knowledge of intelligence sources and their characteristics.

Knowledge of methods, tools, sources, and techniques used to research, integrate and summarize all-source information pertaining to target.

Knowledge of quality review process and procedures.

Knowledge of SIGINT laws and directives.

Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model).

Knowledge of the overall mission of the Cyber Mission Forces (CMF).

Knowledge of the specific missions for CMF (i.e., Cyber Mission Teams (CMT), National Mission Teams (NMT), Combat Support Team (CST), National Support Team (NST), Cyber Protection Team (CPT).

Knowledge of the U.S. SIGNIT System (USSS) authorities, responsibilities, and contributions to the cyberspace operations mission.

Skill in analyzing endpoint collection data.

Skill in developing and maintaining target profiles.

Skill in geolocating targets.

Skill in operational use of raw collection databases.

Skill in performing data fusion from all-source intelligence for geospatial analysis.

Skill in performing data fusion from all-source intelligence for network analysis and reconstruction (e.g., Single Table Inheritance (STIs), network maps).

Skill in performing data fusion from all-source intelligence.

Skill in providing feedback to enhance future collection and analysis.

Skill in recognizing exploitation opportunities.

Skill in recognizing the value of survey data.

Skill in selector normalization.

Skill in targeting (e.g., selectors).

Apply and/or develop analytic techniques to provide better intelligence.

Apply customer requirements to the analysis process.

Assist planners in the development of courses of action

Develop analytical techniques to gain more target information.

Develop and lead exercises

Develop and maintain target profiles using appropriate corporate tools and databases (e.g. Target associations, activities, communication infrastructures, etc.).

Document and disseminate analytic findings.

Enable targeting offices to find new sources of collection.

Evaluate the strengths and weaknesses of the intelligence source.

Evaluate threat critical capabilities, requirements, and vulnerabilities.

Facilitate collaboration with customers, Intelligence and targeting organizations involved in related cyber areas.

Identify and facilitate partner relationships to enhance mission capabilities

Lead work role working groups/planning and development forums

Manipulate information in mission relevant databases (e.g., converting data, generating reports).

Mitigate collection gaps

Perform network analysis to support new or continued collection.

Produce digital network intelligence against specific named target sets.

Provide expertise in support of operational effects generated through cyber activities.

Provide intel target recommendations which meet leadership objectives.

Select, build, and develop query strategies against appropriate collection databases.

Understand technologies used by a given target

Understand TTPs and methodologies to enable access ops or access vector opportunities.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of programming language structures and logic.

Skill in using knowledge management technologies.

Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.

Skill in identifying gaps in technical capabilities.

Knowledge of collection management processes, capabilities, and limitations.

Knowledge of front-end collection systems, including traffic collection, filtering, and selection.

Continuously validate the organization against policies/guidelines/procedures/regulations/laws to ensure compliance.

Apply and utilize authorized cyber capabilities to enable access to targeted networks.

Apply cyber collection, environment preparation and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements.

Apply and obey applicable statutes, laws, regulations and policies.

Assist in the coordination, validation, and management of all-source collection requirements, plans, and/or activities.

Perform analysis for target infrastructure exploitation activities.

Collaborate with intelligence analysts/targeting organizations involved in related areas.

Collaborate with other internal and external partner organizations on target access and operational issues.

Communicate new developments, breakthroughs, challenges and lessons learned to leadership, and internal and external customers.

Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.

Conduct independent in-depth target and technical analysis including target-specific information (e.g., cultural, organizational, political) that results in access.

Conduct target research and analysis.

Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities.

Examine intercept-related metadata and content with an understanding of targeting significance.

Collaborate with developers, conveying target and technical knowledge in tool requirements submissions, to enhance tool development.

Identify and evaluate threat critical capabilities, requirements, and vulnerabilities.

Identify gaps in our understanding of target technology and developing innovative collection approaches.

Identify, locate, and track targets via geospatial analysis techniques.

Lead or enable exploitation operations in support of organization objectives and target requirements.

Maintain awareness of advancements in hardware and software technologies (e.g., attend training or conferences, reading) and their potential implications.

Monitor target networks to provide indications and warning of target communications changes or processing failures.

Produce network reconstructions.

Profile network or system administrators and their activities.

Tip critical or time-sensitive information to appropriate customers.

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.

Ability to collaborate effectively with others.

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability to communicate effectively when writing.

Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.

Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.

Ability to function effectively in a dynamic, fast-paced environment.

Ability to select the appropriate implant to achieve operational goals.

Knowledge of basic implants.

Ability to interpret and translate customer requirements into operational action.

Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

Ability to expand network access by conducting target analysis and collection in order to identify targets of interest.

Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).

Knowledge of a wide range of concepts associated with websites (e.g., website types, administration, functions, software systems, etc.).

Knowledge of target intelligence gathering and operational preparation techniques and life cycles.

Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).

Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).

Knowledge of basic principles of the collection development processes (e.g., Dialed Number Recognition, Social Network Analysis).

Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge of collection searching/analyzing techniques and tools for chat/buddy list, emerging technologies, VOIP, Media Over IP, VPN, VSAT/wireless, web mail and cookies.

Knowledge of common networking devices and their configurations.

Knowledge of common reporting databases and tools.

Knowledge of concepts for operating systems (e.g., Linux, Unix).

Knowledge of all relevant reporting and dissemination procedures.

Knowledge of current software and methodologies for active defense and system hardening.

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge of data flow process for terminal or environment collection.

Knowledge of deconfliction processes and procedures.

Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).

Knowledge of terminal or environmental collection (process, objectives, organization, targets, etc.).

Knowledge of evasion strategies and techniques.

Knowledge of how hubs, switches, routers work together in the design of a network.

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).

Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).

Knowledge of how to establish priorities for resources.

Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.

Knowledge of Internet and routing protocols.

Knowledge of intrusion sets.

Knowledge of all applicable statutes, laws, regulations and policies governing cyber targeting and exploitation.

Knowledge of methods and techniques used to detect various exploitation activities.

Knowledge of midpoint collection (process, objectives, organization, targets, etc.).

Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge of network topology.

Knowledge of identification and reporting processes.

Knowledge of products and nomenclature of major vendors (e.g., security suites – Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.

Knowledge of scripting

Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.

Knowledge of security implications of software configurations.

Knowledge of strategies and tools for target research.

Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.

Knowledge of organizational and partner policies, tools, capabilities, and procedures.

Knowledge of the basic structure, architecture, and design of converged applications.

Knowledge of the data flow from collection origin to repositories and tools.

Knowledge of targeting cycles.

Knowledge of organizational and partner authorities, responsibilities, and contributions to achieving objectives.

Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

Knowledge of network collection procedures to include decryption capabilities/tools, techniques, and procedures.

Skill in analyzing traffic to identify network devices.

Skill in creating and extracting important information from packet captures.

Skill in creating collection requirements in support of data acquisition activities.

Skill in creating plans in support of remote operations.

Skill in data mining techniques (e.g., searching file systems) and analysis.

Skill in depicting source or collateral data on a network map.

Skill in determining installed patches on various operating systems and identifying patch signatures.

Skill in determining the effect of various router and firewall configurations on traffic patterns and network performance in both LAN and WAN environments.

Skill in evaluating accesses for intelligence value.

Skill in exploiting/querying organizational and/or partner collection databases.

Skill in identifying the devices that work at each level of protocol models.

Skill in identifying, locating, and tracking targets via geospatial analysis techniques

Skill in interpreting compiled and interpretive programming languages.

Skill in interpreting metadata and content as applied by collection systems.

Skill in using trace route tools and interpreting the results as they apply to network analysis and reconstruction.

Skill in interpreting vulnerability scanner results to identify vulnerabilities.

Skill in generating operation plans in support of mission and target requirements.

Skill in navigating network visualization software.

Skill in performing data fusion from existing intelligence for enabling new and continued collection.

Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).

Skill in recognizing and interpreting malicious network activity in traffic.

Skill in recognizing midpoint opportunities and essential information.

Skill in recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information).

Skill in researching vulnerabilities and exploits utilized in traffic.

Skill in target development in direct support of collection operations.

Skill in using databases to identify target-relevant information.

Skill in using non-attributable networks.

Skill in verifying the integrity of all files.

Skill in writing (and submitting) requirements to meet gaps in technical capabilities.

Determine the extent of threats and recommend courses of action and countermeasures to mitigate risks.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of capabilities and applications of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.

Knowledge of cryptology.

Knowledge of database systems.

Knowledge of embedded systems.

Knowledge of fault tolerance.

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge of how system components are installed, integrated, and optimized.

Knowledge of human-computer interaction principles.

Knowledge of the Security Assessment and Authorization process.

Knowledge of incident response and handling methodologies.

Knowledge of industry-standard and organizationally accepted analysis principles and methods.

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).

Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.

Ability to build architectures and frameworks.

Knowledge of Risk Management Framework (RMF) requirements.

Knowledge of cybersecurity methods, such as firewalls, demilitarized zones, and encryption.

Knowledge of microprocessors.

Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs.

Knowledge of new and emerging information technology (IT) and cybersecurity technologies.

Knowledge of operating systems.

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol (TCP), Internet Protocol (IP), Open System Interconnection Model (OSI)).

Knowledge of penetration testing principles, tools, and techniques.

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge of secure configuration management techniques.

Knowledge of configuration management techniques.

Knowledge of key concepts in security management (e.g., Release Management, Patch Management).

Knowledge of security management.

Knowledge of security system design tools, methods, and techniques.

Knowledge of software design tools, methods, and techniques.

Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.

Knowledge of systems testing and evaluation methods.

Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.

Knowledge of the enterprise information technology (IT) architectural concepts and patterns to include baseline and target architectures.

Knowledge of integrating the organization’s goals and objectives into the architecture.

Knowledge of Virtual Private Network (VPN) security.

Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.

Skill in applying and incorporating information technologies into proposed solutions.

Skill in applying confidentiality, integrity, and availability principles.

Knowledge in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.

Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.

Skill in implementing, maintaining, and improving established network security practices.

Skill in using protocol analyzers.

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).

Skill in analyzing memory dumps to extract information.

Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost).

Work with stakeholders to resolve computer security incidents and vulnerability compliance.

Skill in configuring and utilizing software-based computer protection tools (e.g., software firewalls, anti-virus software, anti-spyware).

Knowledge of collection management processes, capabilities, and limitations.

Knowledge of front-end collection systems, including traffic collection, filtering, and selection.

Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.

Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.

Determine and document software patches or the extent of releases that would leave software vulnerable.

Skill in using code analysis tools.

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements.

Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.

Isolate and remove malware.

Identify applications and operating systems of a network device based on network traffic.

Identify network mapping and operating system (OS) fingerprinting activities.

Knowledge of an organization’s information classification program and procedures for information compromise.

Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave.

Assist in the coordination, validation, and management of all-source collection requirements, plans, and/or activities.

Conduct network scouting and vulnerability analyses of systems within a network.

Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers).

Detect exploits against targeted networks and hosts and react accordingly.

Determine course of action for addressing changes to objectives, guidance, and operational environment.

Edit or execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems.

Identify threats to Blue Force vulnerabilities.

Generate requests for information.

Monitor operational environment and report on adversarial activities which fulfill leadership’s priority information requirements.

Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan.

Ability to focus research efforts to meet the customer’s decision-making needs.

Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity.

Knowledge of auditing and logging procedures (including server-based logging).

Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted languages).

Knowledge of basic software applications (e.g., data storage and backup, database applications) and their vulnerabilities.

Knowledge of circuit analysis.

Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

Knowledge of all relevant reporting and dissemination procedures.

Knowledge of current software and methodologies for active defense and system hardening.

Knowledge of data backup and restoration concepts.

Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).

Knowledge of evasion strategies and techniques.

Knowledge of forensic implications of operating system structure and operations.

Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.

Knowledge of intrusion detection systems and signature development.

Knowledge of the Risk Management Framework Assessment Methodology.

Knowledge of methods and techniques used to detect various exploitation activities.

Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

Knowledge of products and nomenclature of major vendors (e.g., security suites – Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.

Knowledge of the functions and capabilities of internal teams that emulate threat activities to benefit the organization.

Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.

Knowledge of security implications of software configurations.

Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).

Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.

Knowledge of telecommunications fundamentals.

Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.

Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

Knowledge of various types of computer architectures.

Skill in determining installed patches on various operating systems and identifying patch signatures.

Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools.

Skill in identifying the devices that work at each level of protocol models.

Skill in interpreting vulnerability scanner results to identify vulnerabilities.

Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).

Ability to read, interpret, write, modify, and execute simple scripts (e.g. PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).

Skill in remote command line and Graphic User Interface (GUI) tool usage.

Skill in verifying the integrity of all files.

Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).

Ability to analyze a finding of a compromise and develop a custom signature(s) and/or rule(s) to identify it throughout the network

Ability to analyze adversarial avenues of approach on a mission-critical system

Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies in support of identifying outliers to delineate possible avenues of approach.

Ability to analyze how the tools operate to enumerate the system

Ability to analyze multiple memory captures, determine anomalous behavior and developed a detailed report that includes timeline of compromise

Ability to analyze organizational policies and documentation for appropriate use and user privileges to determine current user access rights policies

Ability to analyze potentially malicious processes, libraries and modules on a system

Ability to analyze process lists within Windows, Unix, or Linux operating systems

Ability to analyze software installed and in use on a system, and on a host machine and compare it to the authorized software list provided by the network owner

Ability to analyze tools/hardware used to extract/analyze/capture memory and disk images

Ability to analyze user-mode/kernel mode rootkits and how they function and differ

Ability to analyze vulnerabilities and misconfiguration without Information Assurance artifacts.

Ability to build a baseline of configuration/state for host machines

Ability to capture a memory image from a host workstation

Ability to capture forensically sound memory and disk images with regard to timeline analysis

Ability to compare active user accounts on a network to appropriate Standard Operating Procedure (SOP), gather active user accounts on a network and compare to authorized user list

Ability to compare current state against baselines

Ability to compile group policies and access control lists from mission partner networks.

Ability to compile host-based firewall configurations and host intrusion prevention system through group policy modifications from mission partner networks.

Ability to conduct disk forensics on multiple images

Ability to configure log aggregation

Ability to configure, forward and statistically analyze logs

Ability to correlate indicators of compromise

Ability to de-obfuscate (e.g. command line execution, string substitution, clandestine side channel, Base64).

Ability to develop a risk defense plan (e.g. behavioral development, etc.) and put active measures in place in defense of a network, endpoint, and/or host.

Ability to develop dashboards to better visualize data

Ability to develop host-based IDS/IPS signatures and settings

Ability to develop the reporting and recording of discovered potentially malicious processes, libraries, and modules on a compromised system

Ability to enumerate domain security groups.

Ability to enumerate knowledge management applications (e.g. SharePoint) and their service accounts/security groups.

Ability to enumerate network shares and identify ACLs/security permissions and analyze for vulnerabilities/misconfigurations (e.g. SMB, NFS, ISCSI).

Ability to evaluate common Tactics, Techniques and Procedures (TTP) used in malware and open-source and Intelligence Community (IC) resources available to identify emerging TTPs

Ability to evaluate compliance with Security Technical Implementation Guides (STIGs) on host machines by utilizing a compliance scanner in support of identifying outliers in order to delineate possible avenues of approach

Ability to evaluate if patches are up to date for all hosts, determine current process for updating patches and determine current patch level for all hosts on a network according to NIST Special Publications 800-40 in support of identifying outliers in order to delineate possible avenues of approach.

Ability to evaluate rogue/unauthorized systems on a network

Ability to evaluate security posture shortcomings in group policy

Ability to evaluate steps taken after host-based IDS/IPS alerts, verify the finding and ensure its volatility

Ability to evaluate systems resiliency in adverse conditions

Ability to export/enumerate information (e.g., users, groups) from a Domain Controller.

Ability to identify activity context in log entries to correlate indicators of compromise.

Ability to identify anomalous network traffic on a host machine.

Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.

Ability to identify new indicators of compromise through anomalous behavior in log entries.

Ability to identify security posture shortcomings

Ability to identify tools and techniques available for analyzing binary applications and interpreted scripts.

Ability to identify/select the most appropriate tools and solutions for the specific environment (e.g. disk/memory forensics/capture, host enumeration, application whitelisting, log aggregation and analysis, HIPS/HIDS solutions, etc.).

Ability to implement and configure host-based firewalls and host intrusion prevention systems

Ability to implement Data at Rest and Data in Transit encryption methodologies, Assess Data at Rest and Data in Transit polices.

Ability to measure known vulnerabilities against known vectors of approach.

Ability to monitor Active Directory (AD) for creation of unauthorized/potentially malicious accounts.

Ability to operate specified tools to enumerate a system.

Ability to organize Active Directories (AD) hierarchy structure.

Ability to organize logging and auditing procedures including server-based logging.

Ability to organize order of the volatility when capturing artifacts.

Ability to perform and analyze situational awareness commands within Windows, Unix, and Linux operating systems (e.g. system info, net stat, ipconfig, task list, ls, ifconfig, etc…)

Ability to perform and analyze vulnerability scans on host machines in support of identifying outliers in order to delineate possible avenues of approach.

Ability to perform complex root-cause analysis and recommend mitigations to determine root cause of an intrusion.

Ability to perform dynamic analysis.

Ability to perform static analysis.

Ability to prioritize how Operating System (OS) and application patches are distributed in different systems.

Ability to prioritize Operating Systems (OS) default processes, library, and modules based on boot order, dependencies, or key operations.

Ability to provide host analysis for Risk Mitigation Plan (RMP) to improve customer security overall posture.

Ability to provide mitigations to recover from a full network compromise.

Ability to select the best tools to enumerate a given set of host machines in order to validate whether they match known baselines.

Ability to use and integrate a Security Information and Event Management (SIEM) platform.

Ability to use host volatile data to compare active processes, libraries and modules against databases of known good/bad.

Ability to utilize Defense Information Systems Agency (DISA)/ Department of Defense (DoD) system configuration guidelines.

Knowledge of active directory federated services.

Knowledge of common information network malware (e.g., viruses, trojans, etc.) and vectors of attack (e.g., ports, attachments, etc.).

Knowledge of common obfuscation techniques (e.g. command line execution, string substitution, clandestine side channel, Base64).

Knowledge of common persistence locations within Windows, Unix, or Linux operating systems.

Knowledge of cybersecurity and cybersecurity-enabled software products.

Knowledge of cybersecurity controls and design principles and methods (e.g., firewalls, DMZ, and encryption).

Knowledge of cybersecurity Risk Management Framework (RMF) process.

Knowledge of DCO capabilities, including open-source tools, and their capabilities.

Knowledge of Defense-In-Depth principles.

Knowledge of different types of log subscriptions (e.g. push vs pull, MS Windows event forwarding, winlogbeat, syslog).

Knowledge of evasion strategies and TTPs (e.g., noise, stealth, situational awareness, bandwidth throttling).

Knowledge of existing cybersecurity principles, policies, and procedures

Knowledge of full-spectrum of cyberspace operations in an intelligence-driven DCO environment.

Knowledge of non-Active Directory domains (e.g. IDM, LDAP).

Knowledge of public key infrastructure (PKI) libraries, certificate authorities, certificate management, and encryption functionalities.

Knowledge of stream providers (e.g. KAFKA).

Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model).

Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission.

Knowledge of the Windows registry hive keys and the information contained within each one.

Knowledge of typical system processes within Windows, Unix, or Linux operating systems

Knowledge of web applications and their common attack vectors.

Skill in analyzing endpoint collection data.

Skill in providing support to intelligence analysts to understand the operational environment and how it ties to intelligence reporting.

Skill in refining research (e.g., vulnerabilities, TTPs) to assist intelligence analysts’ preparation of products.

Skill in run level configurations in a Linux or UNIX environment

Skill in using various online tools for open-source research (e.g., online trade, DNS, mail, etc.).

Knowledge of critical protocols (e.g., IPSEC, AES, GRE, IKE).

Knowledge of multi-level/security cross domain solutions.

Knowledge of network architecture concepts including topology, protocols, and components.

Conduct open source research via various online tools.

Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces.

Identify potential points of strength and vulnerability among segments of a network map.

Identify tools/hardware used to extract/analyze/capture memory and disk images.

Perform security reviews and identify gaps in security architecture that can be used in the development of a security risk management plan.

Provide and maintain documentation for TTPs as inputs to training programs.

Validate intrusion detection system (IDS) alerts.

* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge of operations security.

Accurately characterize targets.

Assist in the identification of intelligence collection shortfalls.

Collaborate with other customer, Intelligence and targeting organizations involved in related cyber areas.

Conduct target research and analysis.

Coordinate target vetting with appropriate partners.

Develop measures of effectiveness and measures of performance.

Identify intelligence gaps and shortfalls.

Integrate cyber planning/targeting efforts with other organizations.

Participate in exercises.

Produce target system analysis products.

Work closely with planners, analysts, and collection managers to identify intelligence gaps and ensure intelligence requirements are accurate and up-to-date.

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.

Ability to develop or recommend planning solutions to problems and situations for which no precedent exists.

Ability to exercise judgment when policies are not well-defined.

Ability to recognize and mitigate cognitive biases which may affect analysis.

Knowledge of classification and control markings standards, policies and procedures.

Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

Knowledge of criticality and vulnerability factors (e.g., value, recuperation, cushion, countermeasures) for target selection and applicability to the cyber domain.

Knowledge of cyber operations terminology/lexicon.