Cyberspace Operator

Cyberspace Operators use a wide range of software applications for network navigation, tactical forensic analysis, surveillance and reconnaissance, and executing on-net operations in support of offensive cyberspace operations when directed.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

• T2020 additional Analyze internal operational architecture, tools, and procedures for ways to improve performance.
• T2020A additional Analyze target operational architecture for ways to gain access.
• T2088 additional Collaborate with development organizations to create and deploy the tools needed to achieve objectives.
• T2119 additional Conduct network scouting and vulnerability analyses of systems within a network.
• T2122 additional Conduct on-net activities to control and exfiltrate data from deployed technologies.
• T2123 additional Conduct on-net and off-net activities to control, and exfiltrate data from deployed, automated technologies.
• T2124 additional Conduct open source data collection via various online tools.
• T2133 additional Conduct survey of computer and digital networks.
• T2205 additional Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers).
• T2226 additional Detect exploits against targeted networks and hosts and react accordingly.
• T2353 additional Edit or execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems.
• T2477 additional Identify potential points of strength and vulnerability within a network.
• T2559 additional Maintain situational awareness and functionality of organic operational infrastructure.
• T2660 additional Conduct cyber activities to degrade/remove information resident in computers and computer networks.
• T2708 additional Process exfiltrated data for analysis and/or dissemination to customers.
• T8001 additional Advise leadership on operational tradecraft, emerging technology, and technical health of the force.
• T8015 additional Approve remediation actions.
• T8017 additional As authorized, train cyberspace operators at one’s certification level or below.
• T8020 additional Assess the technical health of the cyberspace operator work role.
• T8021 additional Assess, recommend, and evaluate remediation actions.
• T8030 additional Conduct cyber activities to deny, degrade, disrupt, destroy, manipulate, (D4M).
• T8037 additional Conduct post-mission actions.
• T8039 additional Conduct pre-mission actions
• T8040 additional Conduct pre-operation research and prep.
• T8052 additional Create/normalize/document/evaluate TTPs in cyberspace operations.
• T8067 additional Develop and/or inform risk assessments.
• T8071 additional Develop Operational Training Solultions.
• T8073 additional Develop remediation actions.
• T8074 additional Develop risk assessments for non-standard events and ad hoc tradecraft.
• T8083 additional Employ collection TTPs in cyberspace operations.
• T8084 additional Employ credential access TTPs in cyberspace operations.
• T8086 additional Employ discovery TTPs in cyberspace operations.
• T8087 additional Employ exfiltration TTPs in cyberspace operations.
• T8088 additional Employ lateral movement TTPs in cyberspace operations.
• T8089 additional Employ TTPs in categories at one’s certification level or below.
• T8097 additional Evaluate cyberspace operator performance at one’s certification level or below.
• T8112 additional Identify targets of opportunity in order to influence operational planning.
• T8113 additional Identify the appropriate operating authorities and guidance
• T8130 additional Maintain operational and technical situational awareness during operations
• T8158 additional Produce strategy to inform commander's decision making process.
• T8167 additional Provide input to mission debrief.
• T8168 additional Provide input to operational policy.
• T8169 additional Provide input to post mission planning.
• T8170 additional Provide input to pre-mission planning.
• T8175 additional Provide quality control of operations and cyberspace operator products at one’s certification level or below.
• T8181 additional Recognize and respond to indicators of compromise (IOC).
• T8183 additional Recongnize and respond to events that change risk.
• T8184 additional Record and document activities during cyberspace operations.
• T8192 additional Steward the cyberspace operator work role.
• T8197 additional Train cyberspace operators at their certified level or below.

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

• A3003 ability additional Ability to adjust to and operate in a diverse, unpredictable, challenging, and fast-paced work environment.
• A3007 ability additional Ability to analyze malware.
• A3022 ability additional Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
• A3059 ability additional Ability to interpret and translate customer requirements into operational action.
• A3063 ability additional Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity.
• A3069 ability additional Ability to produce technical documentation.
• A3103A ability additional Ability to identify/describe target vulnerability.
• A3658B ability additional Ability to perform network collection tactics, techniques, and procedures to include decryption capabilities/tools.
• A3859A ability additional Ability to read, interpret, write, modify, and execute simple scripts (e.g. PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).
• A4191 ability additional Ability to apply tradecraft to minimize risk of detection, mitigate risk, and minimize creation of behavioral signature
• A4199 ability additional Ability to characterize a target admin/user's technical abilities, habits, and skills.
• A4204 ability additional Ability to communicate operational plans and actions and provide feedback regarding OPSEC and tradecraft during mission pre-brief
• A4213 ability additional Ability to conduct open source research.
• A4219 ability additional Ability to construct a COA using available tools and techniques.
• A4222 ability additional Ability to continually research and develop new tools/techniques
• A4229 ability additional Ability to create rules and filters (e.g., Berkeley Packet Filter, Regular Expression).
• A4243 ability additional Ability to ensure collected data is transferred to the appropriate storage locations.
• A4244 ability additional Ability to enumerate a network.
• A4248 ability additional Ability to enumerate user permissions and privileges.
• A4249 ability additional Ability to evade or counter security products or host based defenses.
• A4261 ability additional Ability to exploit vulnerabilities to gain additional access.
• A4263 ability additional Ability to extract credentials from hosts
• A4271 ability additional Ability to identify capability gaps (e.g., insufficient tools, training, or infrastructure)
• A4276 ability additional Ability to identify files containing information critical to operational objectives.
• A4278 ability additional Ability to identify legal, policy, and technical limitations when conducting cyberspace operations.
• A4279 ability additional Ability to identify logging capabilities on host
• A4285 ability additional Ability to identify what tools or Tactics, Techniques, and Procedures (TTPs) are applicable to a given situation
• A4292 ability additional Ability to improve the performance of cyberspace operators by providing constructive (positive and negative) feedback.
• A4293 ability additional Ability to install/modify/uninstall tools on target systems in accordance with current policies and procedures.
• A4296 ability additional Ability to interpret device configurations.
• A4297 ability additional Ability to interpret cyberspace technical materials and documentation (e.g. CVEs, API).
• A4298 ability additional Ability to maintain situational awareness of target environment
• A4305 ability additional Ability to model a simulated environment to conduct mission rehearsal and mitigate risk of actions taken during operations
• A4308 ability additional Ability to operate automated systems to interact with target environment
• A4324 ability additional Ability to perform masquerade operations.
• A4325 ability additional Ability to perform privilege escalation
• A4327 ability additional Ability to persist access to a target.
• A4330 ability additional Ability to plan, brief, execute, and debrief a mission
• A4334 ability additional Ability to promote and enable organizational change
• A4335 ability additional Ability to provide advice and guidance to various stakeholders regarding technical issues, capabilities, and approaches
• A4336 ability additional Ability to provide feedback to developers if a tool requires continued development
• A4340 ability additional Ability to provide technical leadership within an organization.
• A4341 ability additional Ability to read, write, modify, and execute compiled languages (e.g., C).
• A4342 ability additional Ability to extract specific information from large data set (e.g., grep, regex).
• A4343 ability additional Ability to recognize and report mistakes or poor tradecraft to appropriate leadership in accordance with Standard Operating Procedures (SOPs)
• A4344 ability additional Ability to recognize and respond appropriately to Non-Standard Events.
• A4345 ability additional Ability to redirect and tunnel through target systems
• A4346 ability additional Ability to remediate indicators of compromise.
• A4347 ability additional Ability to research non-standards within a project.
• A4350 ability additional Ability to retrieve historical operational data.
• A4359 ability additional Ability to train other cyberspace operators.
• A4361 ability additional Ability to troubleshoot technical problems
• A4367 ability additional Ability to use core toolset (e.g., implants, remote access tools).
• A4369 ability additional Ability to use dynamic analysis tools (e.g. process monitor, process explorer, and registry analysis)
• A4370 ability additional Ability to use enterprise tools to enumerate target information
• A4378 ability additional Ability to verify file integrity for both uploads and downloads
• A4379 ability additional Ability to weaken a target to facilitate/enable future access
• A4380 ability additional Ability to write and modify markup languages (e.g., HTML, XML).
• A4381 ability additional Ability to write and modify source code (e.g., C).
• A6100 ability additional Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
• K0049 knowledge additional Knowledge of host/network access control mechanisms (e.g., access control list).
• K0105 knowledge additional Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
• K0264 knowledge additional Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
• K0286 knowledge additional Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).
• K0287 knowledge additional Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).
• K0344 knowledge additional Knowledge of virtualization technologies and virtual machine development and maintenance.
• K081A knowledge additional Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
• K1033 knowledge additional Knowledge of basic system administration, network, and operating system hardening techniques.
• K1063A knowledge additional Knowledge of operating system structures and internals (e.g., process management, directory structure, installed applications).
• K1064 knowledge additional Knowledge of Extensible Markup Language (XML) schemas.
• K1094 knowledge additional Knowledge of debugging procedures and tools.
• K1128A knowledge additional Knowledge of database access application programming interfaces (APIs) (e.g., Java Database Connectivity [JDBC]).
• K3125 knowledge additional Knowledge of assembly code.
• K3130 knowledge additional Knowledge of auditing and logging procedures (including server-based logging).
• K3133 knowledge additional Knowledge of basic back-up and recovery procedures including different types of backups (e.g., full, incremental).
• K3140 knowledge additional Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted languages).
• K3141 knowledge additional Knowledge of basic software applications (e.g., data storage and backup, database applications) and their vulnerabilities.
• K3144 knowledge additional Knowledge of basic wireless applications, including vulnerabilities in various types of wireless applications.
• K3206 knowledge additional Knowledge of current software and methodologies for active defense and system hardening.
• K3235 knowledge additional Knowledge of deconfliction processes and procedures.
• K3253 knowledge additional Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).
• K3259 knowledge additional Knowledge of enterprise-wide information management.
• K3261 knowledge additional Knowledge of evasion strategies and techniques.
• K3267 knowledge additional Knowledge of deconfliction reporting to include external organization interaction.
• K3267A knowledge additional Knowledge of internal and external partner reporting.
• K3270 knowledge additional Knowledge of forensic implications of operating system structure and operations.
• K3286 knowledge additional Knowledge of host-based security products and how they affect exploitation and vulnerability.
• K3317 knowledge additional Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.
• K3346 knowledge additional Knowledge of Internet and routing protocols.
• K3374 knowledge additional Knowledge of malware.
• K3378 knowledge additional Knowledge of methods and techniques used to detect various exploitation activities.
• K3399 knowledge additional Knowledge of network administration.
• K3402 knowledge additional Knowledge of network construction and topology.
• K3441 knowledge additional Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.
• K3454 knowledge additional Knowledge of products and nomenclature of major vendors (e.g., security suites - Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.
• K3473 knowledge additional Knowledge of satellite-based communication systems.
• K3479 knowledge additional Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.
• K3480 knowledge additional Knowledge of security implications of software configurations.
• K3508 knowledge additional Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).
• K3513 knowledge additional Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
• K3525 knowledge additional Knowledge of organizational and partner policies, tools, capabilities, and procedures.
• K3534 knowledge additional Knowledge of target, including related current events, communication profile, actors, and history (language, culture) and/or frame of reference.
• K3543 knowledge additional Knowledge of the basic structure, architecture, and design of modern communication networks.
• K3561 knowledge additional Knowledge of the common networking and routing protocols(e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.
• K3579 knowledge additional Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence.
• K3587 knowledge additional Knowledge of targeting cycles.
• K3631 knowledge additional Knowledge of internal and external partner organization capabilities and limitations (those with tasking, collection, processing, exploitation and dissemination responsibilities).
• K3637 knowledge additional Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).
• K3642 knowledge additional Knowledge of various types of computer architectures.
• K3644 knowledge additional Knowledge of virtual machine technologies.
• K3658 knowledge additional Knowledge of network collection procedures to include decryption capabilities/tools, techniques, and procedures.
• K4086 knowledge additional Knowledge of relevant laws, regulations, and policies.
• K4388 knowledge additional Knowledge of access control models (Role Based Access Control, Attribute Based Access Control).
• K4391 knowledge additional Knowledge of advanced redirection techniques.
• K4393 knowledge additional Knowledge of appropriate/inappropriate information to include in operational documentation (e.g., OPNOTES, technical summaries, action maps, etc.)
• K4395 knowledge additional Knowledge of basic client software applications and their attack surfaces.
• K4396 knowledge additional Knowledge of basic cloud based technologies and concepts.
• K4399 knowledge additional Knowledge of basic Embedded Systems concepts.
• K4402 knowledge additional Knowledge of basic redirection techniques (e.g. IP Tables, SSH Tunneling, netsh)
• K4403 knowledge additional Knowledge of basic server software applications and their attack surfaces.
• K4404 knowledge additional Knowledge of code injection and its employment in cyberspace operations.
• K4414 knowledge additional Knowledge of common network administration best practices and the impact to operations.
• K4419 knowledge additional Knowledge of credential sources and restrictions related to credential usage
• K4437 knowledge additional Knowledge of device reboots, including when they occur and their impact on tool functionality
• K4444 knowledge additional Knowledge of evolving technologies.
• K4447 knowledge additional Knowledge of factors that would suspend or abort an operation.
• K4458 knowledge additional Knowledge of historical data relating to particular targets and projects, prior to an operation to include reviewing TECHSUMs, previous OPNOTEs, etc.
• K4463 knowledge additional Knowledge of how computer programs are executed
• K4464 knowledge additional Knowledge of how host-based security products, logging, and malware may affect tool functionality
• K4465 knowledge additional Knowledge of how other actors may affect operations
• K4466 knowledge additional Knowledge of how race conditions occur and can be employed to compromise shared resources
• K4482 knowledge additional Knowledge of malware triage.
• K4485 knowledge additional Knowledge of methods and procedures for sending a payload via an existing implant
• K4486 knowledge additional Knowledge of methods, strategies, and techniques of evading detection while conducting operations, such as noise, stealth, situational awareness, etc.
• K4487 knowledge additional Knowledge of methods, tools, and procedures for collecting information, including accessing databases and file systems
• K4488 knowledge additional Knowledge of methods, tools, and procedures for exploiting target systems
• K4489 knowledge additional Knowledge of methods, tools, and techniques used to determine the path to a target host/network (e.g., identify satellite hops).
• K4496 knowledge additional Knowledge of models for examining cyber threats (e.g. cyber kill chain, MITRE ATT&CK).
• K4498 knowledge additional Knowledge of modes of communication used by a target, such as cable, fiber optic, satellite, microwave, VSAT, or combinations of these.
• K4502 knowledge additional Knowledge of open source tactics that enable initial access (e.g. social engineering, phishing)
• K4503 knowledge additional Knowledge of operating system command shells, configuration data.
• K4505 knowledge additional Knowledge of operational infrastructure
• K4508 knowledge additional Knowledge of operational security, logging, admin concepts, and troubleshooting.
• K4510 knowledge additional Knowledge of password cracking techniques.
• K4519 knowledge additional Knowledge of process migration
• K4540 knowledge additional Knowledge of system administration concepts for distributed or managed operating environments.
• K4541 knowledge additional Knowledge of system administration concepts for stand alone operating systems.
• K4542 knowledge additional Knowledge of system calls
• K4552 knowledge additional Knowledge of the components of an authentication system.
• K4553 knowledge additional Knowledge of the concept of an advanced persistent threat (APT)
• K4563 knowledge additional Knowledge of the location and use of tool documentation.
• K4564 knowledge additional Knowledge of the methods and procedures for communicating with tools/modules, including the use of listening posts.
• K4565 knowledge additional Knowledge of the methods of persistence.
• K4567 knowledge additional Knowledge of the Mission Improvement Process
• K4571 knowledge additional Knowledge of the Plan, Brief, Execute, and Debrief process
• K4581 knowledge additional Knowledge of the tactics development process
• K4586 knowledge additional Knowledge of threats to OPSEC when installing, using, modifying, and uninstalling tools.
• K4587 knowledge additional Knowledge of tool release/testing process
• K4593 knowledge additional Knowledge of VPNs, their purpose, and how they can be leveraged.
• S350 skill additional Skill in analyzing memory dumps to extract information.
• S3670 skill additional Skill in analyzing terminal or environment collection data.
• S3690 skill additional Skill in assessing current tools to identify needed improvements.
• S3695 skill additional Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.
• S3722 skill additional Skill in data mining techniques (e.g., searching file systems) and analysis.
• S3740 skill additional Skill in determining installed patches on various operating systems and identifying patch signatures.
• S3777 skill additional Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools.
• S3779 skill additional Skill in extracting information from packet captures.
• S3801 skill additional Skill in identifying the devices that work at each level of protocol models.
• S3815 skill additional Skill in interpreting vulnerability scanner results to identify vulnerabilities.
• S3817 skill additional Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).
• S3859 skill additional Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).
• S3871 skill additional Skill in remote command line and Graphic User Interface (GUI) tool usage.
• S3883 skill additional Skill in server administration.
• S3897 skill additional Skill in technical writing.
• S3899 skill additional Skill in testing and evaluating tools for implementation.
• S3929 skill additional Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target.
• S3929A skill additional Skill in using tools, techniques, and procedures to exploit a target.
• S3948 skill additional Skill in verifying the integrity of all files.
• S4628 skill additional Skill in enumerating a host (e.g. file systems, host meta data host characteristics).
• S4641 skill additional Skill in manipulating firewall/host based security configuration and rulesets.
• S4663 skill additional Skill in retrieving memory resident data.
• S4670 skill additional Skill in transfering files to target devices (e.g., scp, tftp, http, ftp).
• S4674 skill additional Skill in using network enumeration and analysis tools, both active and passive.

EWU courses that develop this role

Other roles in this element