Exploitation Analyst
Partners with cyberspace operations customers to identify access and collection gaps that can be satisfied through cyberspace exploitation. Develops detailed plans that are executed by cyber operators. Functions as navigator in cyber operations. Uses all source data to understand cyberspace targets. Employs all available techniques against targeted networks. Identifies capability gaps and submits cyberspace capability requirements to capability development organizations.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T1032 additional Continuously validate the organization against policies/guidelines/procedures/regulations/laws to ensure compliance.
- T2029A additional Apply and utilize authorized cyber capabilities to enable access to targeted networks.
- T2033 additional Apply cyber collection, environment preparation and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements.
- T2040 additional Apply and obey applicable statutes, laws, regulations and policies.
- T2063 additional Assist in the coordination, validation, and management of all-source collection requirements, plans, and/or activities.
- T2072 additional Perform analysis for target infrastructure exploitation activities.
- T2087 additional Collaborate with intelligence analysts/targeting organizations involved in related areas.
- T2089 additional Collaborate with other customer, Intelligence and targeting organizations involved in related cyber areas.
- T2090 additional Collaborate with other internal and external partner organizations on target access and operational issues.
- T2095 additional Communicate new developments, breakthroughs, challenges and lessons learned to leadership, and internal and external customers.
- T2102 additional Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.
- T2114 additional Conduct independent in-depth target and technical analysis including target-specific information (e.g., cultural, organizational, political) that results in access.
- T2134 additional Conduct target research and analysis.
- T2194 additional Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities.
- T2400 additional Examine intercept-related metadata and content with an understanding of targeting significance.
- T2419 additional Collaborate with developers, conveying target and technical knowledge in tool requirements submissions, to enhance tool development.
- T2441 additional Identify and evaluate threat critical capabilities, requirements, and vulnerabilities.
- T2461 additional Identify gaps in our understanding of target technology and developing innovative collection approaches.
- T2490 additional Identify, locate, and track targets via geospatial analysis techniques.
- T2534 additional Lead or enable exploitation operations in support of organization objectives and target requirements.
- T2608 additional Monitor target networks to provide indications and warning of target communications changes or processing failures.
- T2714 additional Produce network reconstructions.
- T2718 additional Profile network or system administrators and their activities.
- T2905 additional Identify target communications within the global network.
- T2906 additional Maintain awareness of target communication tools, techniques, and the characteristics of target communication networks (e.g., capacity, functionality, paths, critical nodes) and their potential implications for targeting, collection, and analysis.
- T2922 additional Tip critical or time-sensitive information to appropriate customers.
- T5210 additional Determine the extent of threats and recommend courses of action and countermeasures to mitigate risks.
- T8026 additional Build and maintain operational and mission data in a target tracker.
- T8028 additional Collaborate with analysts to ensure collected data is available to customers.
- T8031 additional Conduct foreignness checks.
- T8035 additional Conduct network target development in order to execute cyberspace operations.
- T8047 additional Contribute to Joint Cyber Tactics Manual or other required TTP documentation.
- T8051 additional Create respective Tactical level plans for cyberspace attack actions.
- T8075 additional Develop target access opportunities in support of cyberspace operations.
- T8082 additional Document the execution and results of a cyberspace operation.
- T8085 additional Employ cyberspace capabilities to achieve mission objectives.
- T8093 additional Ensure collected data is properly post-processed.
- T8094 additional Ensure cyber collection and mission management data is properly post-processed.
- T8096 additional Evaluate EAs at the same skill level or below against JQR/JQS line items.
- T8103 additional Facilitate target deconfliction.
- T8109 additional Identify new exploitation, collection, or effects opportunities.
- T8141 additional Participate in Operational level planning.
- T8147 additional Perform overwatch of targets before, during, and after a cyberspace operation.
- T8148 additional Perform Project Profile and Mission Profile management.
- T8153 additional Plan network target development in order to execute cyberspace operations.
- T8162 additional Provide information to aid in determining success of cyberspace operation execution.
- T8166 additional Provide input for the development of Cyber Effects Operations plans and targeting requirements.
- T8185 additional Reference and provide input to the Non-standard procedures and databases.
- T8189 additional Review requirements to verify mission scope.
- T8190 additional Sanitize and minimize operational information/TTPs to protect sources and methods.
- T8193 additional Submit automated and interactive cyberspace operations for scheduling.
- T8194 additional Submit capabilities requirements to developers.
- T8196 additional Train and mentor EAs.
- T8209 additional Utilize multi-faceted intelligence resources to develop comprehensive operational strategies.
- T8215 additional Submit a target deconfliction request.
- T8216 additional Conduct profile/equity reviews.
- T8217 additional Perform quality control functions for EAs during and post-mission.
- T8218 additional Submit well formatted capability requirements to appropriate development teams.
- T8219 additional Provide tactical overwatch of cyber attack actions alongside operators.
- T8220 additional Author/update Joint Cyber Tactics Manual and/or other required TTP documentation in accordance with policy (e.g. the OE/OA process).
- T8221 additional Provide quality control of operational submissions (e.g. CTO, OPID).
- T8222 additional Verify health and status of mission infrastructure at frequency (IAW SOP).
- T8223 additional Write/Draft transition plans/CONOPS to move access from different cover infrastructures.
- T8224 additional Provide tactical overwatch alongside an operator during execution on infrastructure handoffs/transitions.
- T8225 additional Provide operational oversight for all efforts and assigned tactical elements.
- T8226 additional Shape, mold, and improve the EA work role.
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- A3021 ability additional Ability to collaborate effectively with others.
- A3022 ability additional Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
- A3024 ability additional Ability to communicate effectively when writing.
- A3047 ability additional Ability to function effectively in a dynamic, fast-paced environment.
- A3059 ability additional Ability to interpret and translate customer requirements into operational action.
- A3101 ability additional Ability to expand network access by conducting target analysis and collection in order to identify targets of interest.
- A4192 ability additional Ability to articulate and recommend changes to policies, processes, and procedures.
- A4240 ability additional Ability to develop, validate, and steward the EA work role.
- A4280 ability additional Ability to identify new and emerging vulnerabilities.
- A4282 ability additional Ability to identify opportunities for conducting server side and client side exploits.
- A4299 ability additional Ability to manage implants and deployment strategies.
- A4300 ability additional Ability to manage mission profiles at the tactical and operational level.
- A4328 ability additional Ability to plan and lead interactive operations.
- A4329 ability additional Ability to plan and manage automated operations.
- A4338 ability additional Ability to provide instruction on technical cyber capabilities, tools, and methods.
- A4691 ability additional Ability to utilize LoTL TTP (i.e., pivoting post initial access) in an operational setting.
- A4692 ability additional Ability to develop and recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.
- A4693 ability additional Ability to conduct tool/capability pairing.
- A4694 ability additional Ability to provide effective project management.
- A4695 ability additional Ability to effectively manage personnel supporting a project or operation.
- A4696 ability additional Ability to identify and/or request a need for cyberspace capabilities, tools, or techniques.
- A4697 ability additional Ability to apply the Hacker Methodology.
- A4698 ability additional Ability to conduct project and admin oversight.
- A4699 ability additional Ability to employ access assurance principles.
- A4700 ability additional Ability to effectively collaborate and communicate the target environment.
- A4701 ability additional Ability to integrate effective OPSEC measures into operational planning.
- A4702 ability additional Ability to submit requests for additional capabilities for current operational mission.
- A4703 ability additional Ability to impart knowledge and advance the mission across the CMF.
- K0102 knowledge additional Knowledge of programming language structures and logic.
- K024A knowledge additional Knowledge of basic concepts and practices of processing digital forensic data.
- K0912 knowledge additional Knowledge of collection management processes, capabilities, and limitations.
- K3095 knowledge additional Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).
- K3106 knowledge additional Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).
- K3107 knowledge additional Knowledge of a wide range of concepts associated with websites (e.g., website types, administration, functions, software systems, etc.).
- K3129 knowledge additional Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).
- K3137 knowledge additional Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).
- K3146 knowledge additional Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.
- K3179 knowledge additional Knowledge of common networking devices and their configurations.
- K3191 knowledge additional Knowledge of concepts for operating systems (e.g., Linux, Unix).
- K3206 knowledge additional Knowledge of current software and methodologies for active defense and system hardening.
- K3225 knowledge additional Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).
- K3235 knowledge additional Knowledge of deconfliction processes and procedures.
- K3253 knowledge additional Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).
- K3289 knowledge additional Knowledge of how hubs, switches, routers work together in the design of a network.
- K3291 knowledge additional Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).
- K3296 knowledge additional Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).
- K3297 knowledge additional Knowledge of how to establish priorities for resources.
- K3317 knowledge additional Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.
- K3346 knowledge additional Knowledge of Internet and routing protocols.
- K3378 knowledge additional Knowledge of methods and techniques used to detect various exploitation activities.
- K3407 knowledge additional Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).
- K3410 knowledge additional Knowledge of network topology.
- K3454 knowledge additional Knowledge of products and nomenclature of major vendors (e.g., security suites - Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.
- K3479 knowledge additional Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.
- K3480 knowledge additional Knowledge of security implications of software configurations.
- K3513 knowledge additional Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
- K3564 knowledge additional Knowledge of the data flow from collection origin to repositories and tools.
- K3587 knowledge additional Knowledge of targeting cycles.
- K3658 knowledge additional Knowledge of network collection procedures to include decryption capabilities/tools, techniques, and procedures.
- K4387 knowledge additional Knowledge of a Cyber Tasking Order (CTO).
- K4400 knowledge additional Knowledge of basic operational infrastructure.
- K4407 knowledge additional Knowledge of collection searching/analyzing techniques and tools.
- K4411 knowledge additional Knowledge of command line and GUI interfaces.
- K4417 knowledge additional Knowledge of concealing network presence on adversary networks.
- K4461 knowledge additional Knowledge of how and where to effectively deploy capabilities into target space.
- K4462 knowledge additional Knowledge of how authentication and logging systems are implemented within a target network.
- K4483 knowledge additional Knowledge of malware TTPs.
- K4494 knowledge additional Knowledge of mission required capabilities.
- K4509 knowledge additional Knowledge of OPSEC posture in a target environment (e.g., noise, stealth, situational awareness, bandwidth throttling).
- K4549 knowledge additional Knowledge of the appropriate authorities, responsibilities, and approval processes that enable cyberspace operations.
- K4550 knowledge additional Knowledge of the structure, architecture, design, and vulnerabilities of digital communications networks.
- K4561 knowledge additional Knowledge of the JCTM and capability Operational Acceptance (OA) approval process.
- K4575 knowledge additional Knowledge of the risks associated with maneuver, capabilities, and TTPs against target systems.
- K4577 knowledge additional Knowledge of the SIGINT enterprise and its capabilities, limitations, and contributions to cyberspace operations missions.
- K4592 knowledge additional Knowledge of virtualized and cloud based systems.
- K4597 knowledge additional Knowledge of wireless network collection TTPs.
- K4685 knowledge additional Knowledge of a broad range of malicious activity concepts.
- K4686 knowledge additional Knowledge of the capabilities and requirements development lifecycle.
- K4687 knowledge additional Knowledge of industry/commercial LoTL TTPs.
- K4688 knowledge additional Knowledge of holistic TTP, employment of innovative approaches, and transcending challenges that face the operational mission.
- K4689 knowledge additional Knowledge of operational mission capabilities requirements, development, and pipelines.
- S230 skill additional Skill in using knowledge management technologies.
- S363 skill additional Skill in identifying gaps in technical capabilities.
- S3715 skill additional Skill in creating and extracting important information from packet captures.
- S3718 skill additional Skill in creating plans in support of remote operations.
- S3722 skill additional Skill in data mining techniques (e.g., searching file systems) and analysis.
- S3740 skill additional Skill in determining installed patches on various operating systems and identifying patch signatures.
- S3778 skill additional Skill in exploiting/querying organizational and/or partner collection databases.
- S3801 skill additional Skill in identifying the devices that work at each level of protocol models.
- S3815 skill additional Skill in interpreting vulnerability scanner results to identify vulnerabilities.
- S3859 skill additional Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).
- S3867 skill additional Skill in recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information).
- S3948 skill additional Skill in verifying the integrity of all files.
- S4602 skill additional Skill in analyzing network device configurations.
- S4604 skill additional Skill in analyzing target communications.
- S4608 skill additional Skill in assessing target security posture.
- S4621 skill additional Skill in developing packet capture filters.
- S4624 skill additional Skill in documenting the execution and results in conducting a cyber operation.
- S4638 skill additional Skill in leading cyberspace operations in support of mission and target requirements.
- S4644 skill additional Skill in performing research through open source tools.
- S4652 skill additional Skill in providing geolocation information utilizing target infrastructures.
- S4658 skill additional Skill in recognizing Technical Targeting Data to enable operations under C-S&R authority.
- S4673 skill additional Skill in using multiple information sources to document and enrich target knowledge.
- S4677 skill additional Skill in using non-attribution networks to obtain open source data.
- S4682 skill additional Skill in utilizing network mapping.
- S4690 skill additional Skill in identifying operational mission gaps within current capabilities.
Skill drills that practice this role
Exam questions from CSCD 240.
- CSCD240-E1-B-Q04 primary recon Print the groups your user belongs to.
- CSCD240-E1-B-Q06 primary permissions-special Owner triad shows rws instead of rwx. Name the bit.
- CSCD240-E1-B-Q07 primary setuid-effect What does the setuid bit cause when the file is executed? Use "effective user ID".
- CSCD240-E1-B-Q08 primary setuid-chain Who owns /usr/bin/passwd in the ls -l line? Why does that matter for setuid?
- CSCD240-E1-B-Q09 primary octal-special Convert rwsr-xr-x to 4-digit octal including special bits.
- CSCD240-E1-B-Q10 primary enum-setuid Locate every setuid-root file on the filesystem; suppress permission-denied noise.
- CSCD240-E1-B-Q14 primary enum-misconfig Find every world-writable regular file under /var (common misconfig indicator).
- CSCD240-E1-C-Q04 primary setuid A -rwsr-xr-x file owned by root. Execution causes what?
- CSCD240-E1-C-Q13 primary enum-misconfig Find every regular file under /var that is world-writable?
- CSCD240-E1-C-Q18 primary octal-special chmod 4755 /opt/app/runner — which bit was set?
- CSCD240-E1-C-Q41 primary threat-reasoning -rwsrwxrwx root root .xhelper in /tmp. Why alarming?
- CSCD240-E1-C-Q46 secondary malicious-alias .bashrc contains alias ls='rm -rf'. Consequence if planted and user opens a new shell?