Digital Network Exploitation Analyst

The DNEA analyzes intercepted intelligence information for metadata and content. They use this data to reconstruct and document target networks to judge the intelligence value and maintain target continuity. DNEAs understand and analyze target implementation of communication technologies and digital network systems. They discover methods and suggest strategies to exploit specific target networks, computer systems, or specific hardware and/or software.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

• T1107 additional Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).
• T1112 additional Reconstruct a malicious attack or activity based off network traffic.
• T2001 additional Accurately characterize targets.
• T2059 additional Provide expertise to course of action development.
• T2066 additional Provide expertise to the development of measures of effectiveness and measures of performance.
• T2072 additional Perform analysis for target infrastructure exploitation activities.
• T2081 additional Classify documents in accordance with classification guidelines.
• T2087 additional Collaborate with intelligence analysts/targeting organizations involved in related areas.
• T2099 additional Compile, integrate, and/or interpret all-source data for intelligence or vulnerability value with respect to specific targets.
• T2101 additional Identify and conduct analysis of target communications to identify information essential to support operations.
• T2102 additional Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.
• T2127 additional Conduct quality control in order to determine validity and relevance of information gathered about networks.
• T2134 additional Conduct target research and analysis.
• T2194 additional Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities.
• T2195 additional Maintain awareness of internal and external cyber organization structures, strengths, and employments of staffing and technology.
• T2235 additional Determine how identified factors affect the tasking, collection, processing, exploitation and dissemination architecture's form and function.
• T2236 additional Determine if information meets reporting requirements.
• T2243 additional Determine what technologies are used by a given target.
• T2251 additional Apply analytic techniques to gain more target information.
• T2289 additional Develop measures of effectiveness and measures of performance.
• T2356 additional Engage customers to understand customers’ intelligence needs and wants.
• T2373 additional Establish alternative processing, exploitation and dissemination pathways to address identified issues or problems.
• T2393 additional Generate and evaluate the effectiveness of network analysis strategies.
• T2400 additional Examine intercept-related metadata and content with an understanding of targeting significance.
• T2427 additional Gather information about networks through traditional and alternative techniques, (e.g., social network analysis, call-chaining, traffic analysis.)
• T2429 additional Generate requests for information.
• T2434 additional Identify threat tactics, and methodologies.
• T2441 additional Identify and evaluate threat critical capabilities, requirements, and vulnerabilities.
• T2453 additional Identify collection gaps and potential collection strategies against targets.
• T2458 additional Identify critical target elements.
• T2459 additional Identify intelligence gaps and shortfalls.
• T2469 additional Identify network components and their functionality to enable analysis and target development.
• T2515 additional Initiate requests to guide tasking and assist with collection management.
• T2542 additional Maintain awareness of advancements in hardware and software technologies (e.g., attend training or conferences, reading) and their potential implications.
• T2568 additional Make recommendations to guide collection in support of customer requirements.
• T2608 additional Monitor target networks to provide indications and warning of target communications changes or processing failures.
• T2621 additional Provide SME and support to planning/developmental forums and working groups as appropriate.
• T2628 additional Participate in exercises.
• T2628A additional Provide subject matter expertise to development of exercises.
• T2639 additional Perform content and/or metadata analysis to meet organization objectives.
• T2714 additional Produce network reconstructions.
• T2719 additional Profile targets and their activities.
• T2770 additional Provide time sensitive targeting support.
• T2779 additional Review appropriate information sources to determine validity and relevance of information gathered.
• T2781 additional Reconstruct networks in diagram or report format.
• T2798 additional Research communications trends in emerging technologies (in computer and telephony networks, satellite, cable, and wireless) in both open and classified sources.
• T2818 additional Sanitize and minimize information to protect sources and methods.
• T2840 additional Support identification and documentation of collateral effects.
• T2894 additional Collaborate across internal and/or external organizational lines to enhance collection, analysis and dissemination.
• T2897 additional Conduct analysis of target communications to identify essential information in support of organization objectives.
• T2902 additional Evaluate and interpret metadata to look for patterns, anomalies, or events, thereby optimizing targeting, analysis and processing.
• T2905 additional Identify target communications within the global network.
• T2906 additional Maintain awareness of target communication tools, techniques, and the characteristics of target communication networks (e.g., capacity, functionality, paths, critical nodes) and their potential implications for targeting, collection, and analysis.
• T2909 additional Provide feedback to collection managers to enhance future collection and analysis.
• T2912 additional Perform or support technical network analysis and mapping.
• T2919 additional Perform social network analysis and document as appropriate.
• T2922 additional Tip critical or time-sensitive information to appropriate customers.
• T8011 additional Apply and/or develop analytic techniques to provide better intelligence.
• T8013 additional Apply customer requirements to the analysis process.
• T8023 additional Assist planners in the development of courses of action
• T8063 additional Develop analytical techniques to gain more target information.
• T8064 additional Develop and lead exercises
• T8065 additional Develop and maintain target profiles using appropriate corporate tools and databases (e.g. Target associations, activities, communication infrastructures, etc.).
• T8081 additional Document and disseminate analytic findings.
• T8090 additional Enable targeting offices to find new sources of collection.
• T8100 additional Evaluate the strengths and weaknesses of the intelligence source.
• T8101 additional Evaluate threat critical capabilities, requirements, and vulnerabilities.
• T8102 additional Facilitate collaboration with customers, Intelligence and targeting organizations involved in related cyber areas.
• T8108 additional Identify and facilitate partner relationships to enhance mission capabilities
• T8128 additional Lead work role working groups/planning and development forums
• T8137 additional Manipulate information in mission relevant databases (e.g., converting data, generating reports).
• T8138 additional Mitigate collection gaps
• T8145 additional Perform network analysis to support new or continued collection.
• T8157 additional Produce digital network intelligence against specific named target sets.
• T8164 additional Provide expertise in support of operational effects generated through cyber activities.
• T8173 additional Provide intel target recommendations which meet leadership objectives.
• T8191 additional Select, build, and develop query strategies against appropriate collection databases.
• T8205 additional Understand technologies used by a given target
• T8206 additional Understand TTPs and methodologies to enable access ops or access vector opportunities.
• T959 additional Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

• A244 ability additional Ability to determine the validity of technology trend data.
• A3001 ability additional Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.
• A3002 ability additional Ability to focus research efforts to meet the customer’s decision-making needs.
• A3020 ability additional Ability to clearly articulate intelligence requirements into well-formulated research questions and requests for information.
• A3021 ability additional Ability to collaborate effectively with others.
• A3022 ability additional Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
• A3039 ability additional Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.
• A3043 ability additional Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.
• A3044 ability additional Ability to exercise judgment when policies are not well-defined.
• A3047 ability additional Ability to function effectively in a dynamic, fast-paced environment.
• A3048 ability additional Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—in order to leverage analytical and technical expertise.
• A3052 ability additional Ability to identify intelligence gaps.
• A3073 ability additional Ability to recognize and mitigate cognitive biases which may affect analysis.
• A3074 ability additional Ability to recognize and mitigate deception in reporting and analysis.
• A3077 ability additional Ability to think critically.
• A3081 ability additional Ability to utilize multiple intelligence sources across all intelligence disciplines.
• K0282 knowledge additional Knowledge of emerging computer-based technology that has potential for exploitation by adversaries.
• K0912 knowledge additional Knowledge of collection management processes, capabilities, and limitations.
• K0915 knowledge additional Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
• K1056 knowledge additional Knowledge of operations security.
• K3078 knowledge additional Knowledge of target methods and procedures.
• K3095 knowledge additional Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).
• K3106 knowledge additional Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).
• K3113 knowledge additional Knowledge of target intelligence gathering and operational preparation techniques and life cycles.
• K3129 knowledge additional Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).
• K3137 knowledge additional Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).
• K3146 knowledge additional Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.
• K3154 knowledge additional Knowledge of classification and control markings standards, policies and procedures.
• K3158 knowledge additional Knowledge of cyber operation objectives, policies, and legalities.
• K3166 knowledge additional Knowledge of collection searching/analyzing techniques and tools for chat/buddy list, emerging technologies, VOIP, Media Over IP, VPN, VSAT/wireless, web mail and cookies.
• K3172 knowledge additional Knowledge of collection sources including conventional and non-conventional sources.
• K3174 knowledge additional Knowledge of the intelligence requirements development and request for information processes.
• K3179 knowledge additional Knowledge of common networking devices and their configurations.
• K3181 knowledge additional Knowledge of common reporting databases and tools.
• K3219 knowledge additional Knowledge of cyber operations.
• K321A knowledge additional Knowledge of industry technologies and how differences affect exploitation/vulnerabilities.
• K3237 knowledge additional Knowledge of denial and deception techniques.
• K3242 knowledge additional Knowledge of document classification procedures, policy, resources, and personnel.
• K3262 knowledge additional Knowledge of evolving/emerging communications technologies.
• K3277 knowledge additional Knowledge of general SCADA system components.
• K3288 knowledge additional Knowledge of how converged technologies impact cyber operations (e.g., digital, telephony, wireless).
• K3291 knowledge additional Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).
• K3292 knowledge additional Knowledge of how modern digital and telephony networks impact cyber operations.
• K3293 knowledge additional Knowledge of how modern wireless communications systems impact cyber operations.
• K3296 knowledge additional Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).
• K3298 knowledge additional Knowledge of how to extract, analyze, and use metadata.
• K3324 knowledge additional Knowledge of information and collateral intelligence sources.
• K3338 knowledge additional Knowledge of intelligence reporting principles, policies, procedures, and vehicles, including report formats, reportability criteria (requirements and priorities), dissemination practices, and legal authorities and restrictions.
• K3346 knowledge additional Knowledge of Internet and routing protocols.
• K3348 knowledge additional Knowledge of intrusion detection systems and signature development.
• K3372 knowledge additional Knowledge of malware analysis and characteristics.
• K3382 knowledge additional Knowledge of methods to integrate and summarize information from any potential sources.
• K3386 knowledge additional Knowledge of midpoint collection (process, objectives, organization, targets, etc.).
• K3407 knowledge additional Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).
• K3418 knowledge additional Knowledge of organization and/or partner collection systems, capabilities, and processes (e.g., collection and protocol processors).
• K3441 knowledge additional Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.
• K3450 knowledge additional Knowledge of principles and practices related to target development such as target knowledge, associations, communication systems, and infrastructure.
• K3505 knowledge additional Knowledge of strategies and tools for target research.
• K3534 knowledge additional Knowledge of target, including related current events, communication profile, actors, and history (language, culture) and/or frame of reference.
• K3542 knowledge additional Knowledge of the basic structure, architecture, and design of converged applications.
• K3564 knowledge additional Knowledge of the data flow from collection origin to repositories and tools.
• K3582 knowledge additional Knowledge of the intelligence frameworks, processes, and related systems.
• K3595 knowledge additional Knowledge of the organization, roles and responsibilities of higher, lower and adjacent sub-elements.
• K3603 knowledge additional Knowledge of the principal methods, procedures, and techniques of gathering information and producing intelligence.
• K3608 knowledge additional Knowledge of the purpose and contribution of target templates.
• K3616 knowledge additional Knowledge of the structure, architecture, and design of modern digital and telephony networks.
• K3617 knowledge additional Knowledge of the structure, architecture, and design of modern wireless communications systems.
• K3627 knowledge additional Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.
• K3637 knowledge additional Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).
• K4072 knowledge additional Knowledge of collection systems, capabilities, and processes.
• K4073 knowledge additional Knowledge of the feedback cycle in collection processes.
• K4078 knowledge additional Knowledge of target or threat cyber actors and procedures.
• K4079 knowledge additional Knowledge of basic cyber operations activity concepts (e.g., foot printing, scanning and enumeration, penetration testing, white/black listing).
• K4085 knowledge additional Knowledge of approved intelligence dissemination processes.
• K4086 knowledge additional Knowledge of relevant laws, regulations, and policies.
• K4088 knowledge additional Knowledge of target communication profiles and their key elements (e.g., target associations, activities, communication infrastructure).
• K4089 knowledge additional Knowledge of target communication tools and techniques.
• K4090 knowledge additional Knowledge of the characteristics of targeted communication networks (e.g., capacity, functionality, paths, critical nodes).
• K4094 knowledge additional Knowledge of networking and internet communications fundamentals (i.e. devices, device configuration, hardware, software, applications, ports/protocols, addressing, network architecture and infrastructure, routing, operating systems, etc.).
• K4095 knowledge additional Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).
• K4097 knowledge additional Knowledge of network security implementations (e.g., host-based IDS, IPS, access control lists), including their function and placement in a network.
• K4099 knowledge additional Knowledge of customer information needs.
• K4106 knowledge additional Knowledge of analytic tools and techniques.
• K4165 knowledge additional Knowledge of obfuscation techniques (e.g., TOR/Onion/anonymizers, VPN/VPS, encryption).
• K4166 knowledge additional Knowledge of computer programming concepts, including computer languages, programming, testing, debugging, and file types.
• K4396 knowledge additional Knowledge of basic cloud based technologies and concepts.
• K4399 knowledge additional Knowledge of basic Embedded Systems concepts.
• K4401 knowledge additional Knowledge of basic reconnaissance activity concepts and techniques (foot printing, scanning and enumeration).
• K4420 knowledge additional Knowledge of Critical Intelligence Communication (CRITIC) identification and reporting process.
• K4423 knowledge additional Knowledge of cryptologic and SIGINT reporting and dissemination procedures.
• K4428 knowledge additional Knowledge of cybersecurity concepts and principles.
• K4431 knowledge additional Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).
• K4460 knowledge additional Knowledge of how and when to request assistance from the Cryptanalysis and Signals Analysis and/or CNO.
• K4470 knowledge additional Knowledge of intelligence sources and their characteristics.
• K4490 knowledge additional Knowledge of methods, tools, sources, and techniques used to research, integrate and summarize all-source information pertaining to target.
• K4523 knowledge additional Knowledge of quality review process and procedures.
• K4533 knowledge additional Knowledge of SIGINT laws and directives.
• K4539 knowledge additional Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model).
• K4570 knowledge additional Knowledge of the overall mission of the Cyber Mission Forces (CMF).
• K4578 knowledge additional Knowledge of the specific missions for CMF (i.e., Cyber Mission Teams (CMT), National Mission Teams (NMT), Combat Support Team (CST), National Support Team (NST), Cyber Protection Team (CPT).
• K4582 knowledge additional Knowledge of the U.S. SIGINT System (USSS) authorities, responsibilities, and contributions to the cyberspace operations mission.
• S3664 skill additional Skill in identifying how a target communicates.
• S3667 skill additional Skill in analyzing a target's communication networks.
• S3671 skill additional Skill in analyzing essential network data (e.g., router configuration files, routing protocols).
• S3678 skill additional Skill in analyzing traffic to identify network devices.
• S3689 skill additional Skill in applying various analytical methods, tools, and techniques (e.g., competing hypotheses; chain of reasoning; scenario methods; denial and deception detection; high impact-low probability; network/association or link analysis; Bayesian, Delphi, and Pattern analyses).
• S3692 skill additional Skill in assessing the applicability of available analytical tools to various situations.
• S3708 skill additional Skill in conducting social network analysis, buddy list analysis, and/or cookie analysis.
• S3726 skill additional Skill in depicting source or collateral data on a network map.
• S3742 skill additional Skill in determining the physical location of network devices.
• S3765 skill additional Skill in disseminating items of highest intelligence value in a timely manner.
• S3771 skill additional Skill in evaluating data sources for relevance, reliability, and objectivity.
• S3772 skill additional Skill in evaluating information for reliability, validity, and relevance.
• S3773 skill additional Skill in evaluating information to recognize relevance, priority, etc.
• S3774 skill additional Skill in evaluating accesses for intelligence value.
• S3778 skill additional Skill in exploiting/querying organizational and/or partner collection databases.
• S3787 skill additional Skill in identifying a target’s communications networks.
• S3797 skill additional Skill in identifying leads for target development.
• S3803 skill additional Skill in identifying, locating, and tracking targets via geospatial analysis techniques
• S3810 skill additional Skill in interpreting compiled and interpretive programming languages.
• S3812 skill additional Skill in interpreting metadata and content as applied by collection systems.
• S3814 skill additional Skill in using trace route tools and interpreting the results as they apply to network analysis and reconstruction.
• S3822 skill additional Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
• S3828 skill additional Skill in navigating network visualization software.
• S3860 skill additional Skill in recognizing and interpreting malicious network activity in traffic.
• S3863 skill additional Skill in recognizing midpoint opportunities and essential information.
• S3864 skill additional Skill in recognizing relevance of information.
• S3865 skill additional Skill in recognizing significant changes in a target’s communication patterns.
• S3866 skill additional Skill in recognizing technical information that may be used for leads for metadata analysis.
• S3867A skill additional Skill in recognizing technical information that may be used for target development including intelligence development.
• S3873 skill additional Skill in researching essential information.
• S3874 skill additional Skill in researching vulnerabilities and exploits utilized in traffic.
• S3885 skill additional Skill in fusion analysis
• S3889 skill additional Skill in survey, collection, and analysis of wireless LAN metadata.
• S3890 skill additional Skill in synthesizing, analyzing, and prioritizing meaning across data sets.
• S3895 skill additional Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies).
• S3908 skill additional Skill in using research methods including multiple, different sources to reconstruct a target network.
• S3915 skill additional Skill in using geospatial data and applying geospatial resources.
• S3923 skill additional Skill in using non-attributable networks.
• S3951 skill additional Skill in writing about facts and ideas in a clear, convincing, and organized manner.
• S4118 skill additional Skill in identifying a target's network characteristics.
• S4121 skill additional Skill in assessing a target's frame of reference (e.g., motivation, technical capability, organizational structure, sensitivities).
• S4123 skill additional Skill in conducting research using all available sources.
• S4125 skill additional Skill in complying with the legal restrictions for targeted information.
• S4128 skill additional Skill in developing intelligence reports.
• S4129 skill additional Skill in evaluating and interpreting metadata.
• S4134 skill additional Skill in identifying intelligence gaps and limitations.
• S4141 skill additional Skill in providing analysis on target-related matters (e.g., language, cultural, communications).
• S4160 skill additional Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.
• S4601 skill additional Skill in analyzing endpoint collection data.
• S4620 skill additional Skill in developing and maintaining target profiles.
• S4631 skill additional Skill in geolocating targets.
• S4643 skill additional Skill in operational use of raw collection databases.
• S4645 skill additional Skill in performing data fusion from all-source intelligence for geospatial analysis.
• S4646 skill additional Skill in performing data fusion from all-source intelligence for network analysis and reconstruction (e.g., Single Table Inheritance (STIs), network maps).
• S4647 skill additional Skill in performing data fusion from all-source intelligence.
• S4651 skill additional Skill in providing feedback to enhance future collection and analysis.
• S4656 skill additional Skill in recognizing exploitation opportunities.
• S4659 skill additional Skill in recognizing the value of survey data.
• S4667 skill additional Skill in selector normalization.
• S4669 skill additional Skill in targeting (e.g., selectors).

Other roles in this element