Network Analyst
The Network Analyst will understand network traffic signatures and discover anomalies through network traffic and packet capture (PCAP) analysis. The Network Analyst will identify, assess, and mitigate intrusions into networks that are vital to cyberspace operations security. Network Analysts also use GUI or command-line based tools and assist in developing network mapping and signatures. Network Analysts will develop advanced network detection rules and alerts, queries and dashboards to gain a holistic view of the network.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T1107 additional Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).
- T1109 additional Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
- T1111 additional Identify applications and operating systems of a network device based on network traffic.
- T1113 additional Identify network mapping and operating system (OS) fingerprinting activities.
- T2062 additional Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave.
- T2087 additional Collaborate with intelligence analysts/targeting organizations involved in related areas.
- T2102 additional Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.
- T2119 additional Conduct network scouting and vulnerability analyses of systems within a network.
- T2124 additional Conduct open source data collection via various online tools.
- T2226 additional Detect exploits against targeted networks and hosts and react accordingly.
- T2379B additional Identify threats to Blue Force vulnerabilities.
- T2429 additional Generate requests for information.
- T2477 additional Identify potential points of strength and vulnerability within a network.
- T2603 additional Monitor operational environment and report on adversarial activities which fulfill leadership’s priority information requirements.
- T2611 additional Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.
- T408 additional Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.
- T427 additional Develop content for cyber defense tools.
- T461 additional Confer with systems analysts, engineers, programmers, and others to design applications and to obtain information on project limitations and capabilities, performance requirements, and interfaces.
- T472 additional Coordinate with enterprise-wide cyber defense staff to validate network alerts.
- T718 additional Monitor network capacity and performance.
- T765 additional Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
- T782 additional Plan and recommend modifications or adjustments based on exercise results or system environment.
- T8000 additional Adhere to DCO policies and procedures reflecting applicable laws, policies, procedures, and regulations (such as United States Code Titles 10 and 50).
- T8019 additional Assess exploited systems’ potential to provide additional access, target development information, intelligence and/or covert infrastructure.
- T802 additional Provide feedback on network requirements, including network architecture and infrastructure.
- T8061 additional Determine and document software patches or the extent of releases that would harden vulnerable software.
- T8062 additional Determine location of tool(s) deployment and utilize them once deployed (e.g., monitor agent, sensor).
- T8066 additional Develop and review cyberspace operations TTPs for integration into strategic, operational and tactical levels of planning.
- T8099 additional Evaluate security architecture and its design against cyberspace threats as identified in operational and acquisition documents.
- T8136 additional Manage threat or target analysis of DCO information and production of threat information for networks and enclave environments.
- T8161 additional Provide and maintain documentation for TTPs as inputs to training programs.
- T8171 additional Provide input to the analysis, design, development or acquisition of capabilities used for meeting mission objectives.
- T8179 additional Read, write, and interpret simple scripts to collect remote data and automation tasks.
- T818 additional Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters.
- T8180 additional Read, write, and interpret simple scripts to parse large data files.
- T8182 additional Recommend patching of network vulnerabilities to ensure information is safeguarded against outside parties via Risk Mitigation Plans.
- T823 additional Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
- T850 additional Store, retrieve, and manipulate data for analysis of system capabilities and requirements.
- T880A additional Work with stakeholders to resolve computer security incidents and vulnerability compliance.
- T958 additional Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
- T959 additional Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.
- T971 additional Design countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements.
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- A244 ability additional Ability to determine the validity of technology trend data.
- A3030 ability additional Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
- A4170 ability additional Ability to accurately document results
- A4171 ability additional Ability to analyze a finding of a compromise and develop a custom signature(s) and/or rule(s) to identify it throughout the network
- A4173 ability additional Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit polices
- A4175 ability additional Ability to analyze device/protocol discovery tool output
- A4177 ability additional Ability to analyze interior and exterior routing protocols (e.g. RIP, EIGRP, OSPF, IS-IS, etc…)
- A4178 ability additional Ability to analyze mitigations to recover from a full network compromise
- A4180 ability additional Ability to analyze network infrastructure to identify and recommend key terrain or critical infrastructure.
- A4181 ability additional Ability to analyze organizational policies and documentation for appropriate use and user privileges as they apply to networking devices.
- A4183 ability additional Ability to analyze potential adversarial attack vectors on a mission-critical system.
- A4193 ability additional Ability to assess Data in Transit encryption policies.
- A4201 ability additional Ability to characterize network traffic for trends and patterns.
- A4205 ability additional Ability to communicate with Sr Leaders of an Org. to ensure shared responsibility for supporting Org. mission/business functions using external providers of systems, services and apps receives visibility and is elevated to the appropriate decision-making authorities.
- A4208 ability additional Ability to compile access control lists and firewall configurations.
- A4212 ability additional Ability to Conduct flow data analysis
- A4214 ability additional Ability to conduct research on vulnerabilities found and correlate current versions to known vulnerable releases
- A4217 ability additional Ability to configure, forward and statistically analyze logs
- A4218 ability additional Ability to configure, place, and maintain a distributed sensor grid.
- A4220 ability additional Ability to construct accurate maps of the network devices
- A4221 ability additional Ability to construct log aggregation solutions and analysis platforms
- A4225 ability additional Ability to correlate indicators of compromise
- A4226 ability additional Ability to create baselines/PPS documents and to compare current state against documentation.
- A4230 ability additional Ability to create rules/alerts for traffic validation.
- A4231 ability additional Ability to define caching and analyze the information contained within
- A4233 ability additional Ability to detect mismatched port-application traffic
- A4235 ability additional Ability to develop a risk defense plan to put active measures in place in defense of a network
- A4237 ability additional Ability to develop dashboards to better visualize data
- A4241 ability additional Ability to dissect and analyze a packet header
- A4242 ability additional Ability to document findings of any anomalous connections
- A4250 ability additional Ability to evaluate common Tactics, Techniques and Procedures (TTP) used in malware and open-source and Intelligence Community (IC) resources available to identify emerging TTPs
- A4253 ability additional Ability to evaluate information (e.g. trust relationships and security policies) from a domain to identify vulnerabilities/misconfiguration
- A4254 ability additional Ability to evaluate mitigations to recover from a full-network compromise.
- A4255 ability additional Ability to evaluate network diagram
- A4256 ability additional Ability to evaluate rogue/unauthorized systems on a network
- A4259 ability additional Ability to evaluate systems resiliency in adverse conditions
- A4267 ability additional Ability to identify activity in log entries to correlate indicators of compromise.
- A4268 ability additional Ability to identify anomalous activity based off of known trends and patterns.
- A4270 ability additional Ability to identify C2 Beaconing in normal network traffic.
- A4272 ability additional Ability to identify complex root-cause analysis and recommend mitigations
- A4274 ability additional Ability to identify Data in Transit encryption methodologies.
- A4275 ability additional Ability to identify exfiltration of data in normal network traffic
- A4277 ability additional Ability to identify IPv6 and differentiate between Link Local, Multicast, Unicast, and Anycast.
- A4286 ability additional Ability to identify wireless encryption and differentiate between WEP, WPA (all versions) and WAPI
- A4290 ability additional Ability to implement network TAP configuration
- A4295 ability additional Ability to integrate information security requirements into the acquisition process, using applicable baseline security controls as one of the sources for security requirements, and ensuring a robust software quality control process.
- A4301 ability additional Ability to measure application whitelisting/blacklisting solutions
- A4303 ability additional Ability to measure principle of vulnerability exploitation
- A4304 ability additional Ability to measure the effectiveness of white/blacklisting solutions on network devices.
- A4307 ability additional Ability to monitor network data and perform triage on triggered events.
- A4310 ability additional Ability to operate the tools to enumerate a system
- A4311 ability additional Ability to organize a list of mission infrastructure to identify which dependent systems are key terrain
- A4314 ability additional Ability to organize Network System Architecture and the dependencies formed from relationships between systems
- A4321 ability additional Ability to perform conversion calculations across Hexadecimal, Octal, Decimal, and binary.
- A4322 ability additional Ability to perform device discovery
- A4348 ability additional Ability to research protocol utilization and determine anomalous use
- A4357 ability additional Ability to test tools within sensor grid
- A4364 ability additional Ability to use and integrate Security Information and Event Management (SIEM) capabilities in the analysis process.
- A4375 ability additional Ability to utilize Defense Information Systems Agency (DISA)/ Department of Defense (DoD) system configuration guidelines
- A6030 ability additional Ability to apply an organization's goals and objectives to develop and maintain architecture.
- A6150 ability additional Ability to optimize systems to meet enterprise performance requirements.
- A993A ability additional Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization's enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]).
- K0012 knowledge additional Knowledge of communication methods, principles, and concepts (e.g., crypto, dual hubs, time multiplexers) that support the network infrastructure.
- K0015 knowledge additional Knowledge of capabilities and applications of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
- K0019 knowledge additional Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
- K0029 knowledge additional Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
- K0038 knowledge additional Knowledge of organization's enterprise information security architecture system.
- K0040 knowledge additional Knowledge of organization's evaluation and validation requirements.
- K0049 knowledge additional Knowledge of host/network access control mechanisms (e.g., access control list).
- K0053 knowledge additional Knowledge of measures or indicators of system performance and availability.
- K0061 knowledge additional Knowledge of incident response and handling methodologies.
- K0062 knowledge additional Knowledge of industry-standard and organizationally accepted analysis principles and methods.
- K0063 knowledge additional Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- K0072 knowledge additional Knowledge of local area and wide area networking principles and concepts including bandwidth management.
- K0079 knowledge additional Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
- K0087 knowledge additional Knowledge of network traffic analysis methods.
- K0088 knowledge additional Knowledge of systems administration concepts.
- K0092 knowledge additional Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
- K0096 knowledge additional Knowledge of performance tuning tools and techniques.
- K0109 knowledge additional Knowledge of secure configuration management techniques.
- K0110 knowledge additional Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
- K0132 knowledge additional Knowledge of technology integration processes.
- K0133 knowledge additional Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).
- K0139 knowledge additional Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
- K0145 knowledge additional Knowledge of the type and frequency of routine maintenance needed to keep equipment functioning properly.
- K0148 knowledge additional Knowledge of Virtual Private Network (VPN) security.
- K0150 knowledge additional Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
- K0270 knowledge additional Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).
- K027A knowledge additional Knowledge of cryptology.
- K070A knowledge additional Knowledge of cybersecurity methods, such as firewalls, demilitarized zones, and encryption.
- K082A knowledge additional Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs.
- K0912 knowledge additional Knowledge of collection management processes, capabilities, and limitations.
- K0986 knowledge additional Knowledge of organizational information technology (IT) user security policies (e.g., account creation, password rules, access control).
- K099A knowledge additional Knowledge of principles and methods for integrating system components.
- K1033 knowledge additional Knowledge of basic system administration, network, and operating system hardening techniques.
- K1037A knowledge additional Knowledge of information technology (IT) risk management policies, requirements, and procedures.
- K1037B knowledge additional Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements.
- K1038 knowledge additional Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability.
- K1072 knowledge additional Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
- K1073 knowledge additional Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
- K1074A knowledge additional Knowledge of transmission records (e.g., Bluetooth, Radio Frequency Identification (RFID), Infrared Networking (IR), Wireless Fidelity (Wi-Fi), paging, cellular, satellite dishes, Voice over Internet Protocol (VoIP)), and jamming techniques that enable transmission of undesirable information, or prevent installed systems from operating correctly.
- K110A knowledge additional Knowledge of security management.
- K1141A knowledge additional Knowledge of an organization's information classification program and procedures for information compromise.
- K143A knowledge additional Knowledge of integrating the organization’s goals and objectives into the architecture.
- K177A knowledge additional Knowledge of countermeasure design for identified security risks.
- K183A knowledge additional Knowledge in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
- K3137 knowledge additional Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).
- K3146 knowledge additional Knowledge of both internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.
- K3188 knowledge additional Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).
- K3201 knowledge additional Knowledge of all relevant reporting and dissemination procedures.
- K3206 knowledge additional Knowledge of current software and methodologies for active defense and system hardening.
- K3261 knowledge additional Knowledge of evasion strategies and techniques.
- K3277 knowledge additional Knowledge of general SCADA system components.
- K3346 knowledge additional Knowledge of Internet and routing protocols.
- K3349 knowledge additional Knowledge of intrusion sets.
- K3353 knowledge additional Knowledge of the Risk Management Framework Assessment Methodology.
- K3378 knowledge additional Knowledge of methods and techniques used to detect various exploitation activities.
- K3399 knowledge additional Knowledge of network administration.
- K3431 knowledge additional Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
- K3454 knowledge additional Knowledge of products and nomenclature of major vendors (e.g., security suites - Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.
- K3479 knowledge additional Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.
- K3508 knowledge additional Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).
- K3627 knowledge additional Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.
- K4392 knowledge additional Knowledge of anomaly based detection and threat hunting
- K4394 knowledge additional Knowledge of attack principles, tools, and techniques.
- K4396 knowledge additional Knowledge of basic cloud based technologies and concepts.
- K4398 knowledge additional Knowledge of basic Cyber Threat Emulation concepts.
- K4399 knowledge additional Knowledge of basic Embedded Systems concepts.
- K4427 knowledge additional Knowledge of cybersecurity and cybersecurity-enabled software products.
- K4440 knowledge additional Knowledge of DOD Component-level cybersecurity architecture.
- K4442 knowledge additional Knowledge of encryption algorithms and their implementation.
- K4450 knowledge additional Knowledge of Friendly Network Forces (FNF) reporting procedures (i.e. deconfliction) to include external organization interaction.
- K4455 knowledge additional Knowledge of hardware components and architecture including functions and limitations.
- K4456 knowledge additional Knowledge of hashing algorithms.
- K4457 knowledge additional Knowledge of Hexadecimal, Octal, Decimal, and binary
- K4467 knowledge additional Knowledge of HTML source code and the intelligence that can be derived from it.
- K4472 knowledge additional Knowledge of IPv6
- K4499 knowledge additional Knowledge of Network OSs.
- K4531 knowledge additional Knowledge of security implications of device and software configurations.
- K4539 knowledge additional Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model).
- K4547 knowledge additional Knowledge of TCP flags
- K4557 knowledge additional Knowledge of the differences between distance vector and link-state routing protocols
- K4558 knowledge additional Knowledge of the different DNS resource records
- K4583 knowledge additional Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission.
- K4591 knowledge additional Knowledge of User Agent Strings and the intelligence that can be derived from them
- K6330 knowledge additional Knowledge of multi-level/security cross domain solutions.
- K978A knowledge additional Knowledge of root cause analysis techniques.
- S0155 skill additional Skill in monitoring and optimizing system/server performance.
- S1020A skill additional Skill in secure test plan design (e.g., unit, integration, system, acceptance).
- S1073A skill additional Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
- S1091 skill additional Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).
- S154 skill additional Skill in analyzing network traffic capacity and performance characteristics.
- S167A skill additional Skill in conducting system/server planning, management, and maintenance.
- S171A skill additional Skill in correcting physical and technical problems that impact system/server performance.
- S177 skill additional Skill in designing countermeasures to identified security risks.
- S191 skill additional Skill in developing and applying security system access controls.
- S193 skill additional Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
- S194 skill additional Skill in diagnosing connectivity problems.
- S197 skill additional Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
- S198 skill additional Skill in establishing a routing schema.
- S202A skill additional Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.
- S206A skill additional Skill in installing system and component upgrades.
- S207 skill additional Skill in installing, configuring, and troubleshooting LAN and WAN components such as routers, hubs, and switches.
- S211A skill additional Skill in monitoring and optimizing system/server performance.
- S231 skill additional Skill in using network management tools to analyze network traffic patterns (e.g., simple network management protocol).
- S3695 skill additional Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.
- S3740 skill additional Skill in determining installed patches on various operating systems and identifying patch signatures.
- S3779 skill additional Skill in extracting information from packet captures.
- S3801 skill additional Skill in identifying the devices that work at each level of protocol models.
- S3815 skill additional Skill in interpreting vulnerability scanner results to identify vulnerabilities.
- S3871 skill additional Skill in remote command line and Graphic User Interface (GUI) tool usage.
- S3910 skill additional Skill in using Boolean operators to construct simple and complex queries.
- S3931 skill additional Skill in using various open source data collection tools (online trade, DNS, mail, etc.).
- S3948 skill additional Skill in verifying the integrity of all files.
- S4603 skill additional Skill in analyzing PCAP data
- S4614 skill additional Skill in conducting system planning, management, and maintenance.
- S4623 skill additional Skill in discerning the protection requirements (i.e. security controls) of IS and networks.
- S4636 skill additional Skill in implementing encryption algorithms.
- S4637 skill additional Skill in intrusion detection methodologies and techniques for detecting host and network-based intrusions for utilizing intrusion detection systems and signature development.
- S4642 skill additional Skill in network operating system administration.
- S4650 skill additional Skill in providing an understanding of the adversary through the identification and link analysis of physical, functional, or behavioral relationships within an operational environment.
- S4661 skill additional Skill in regular expressions
- S4671 skill additional Skill in understanding cybersecurity architecture, its implementation, and its expected behaviors and how changes in conditions affect outcomes.
- S4672 skill additional Skill in using Berkeley Packet filters
- S4675 skill additional Skill in using network mapping tools to analyze, identify and enumerate a network
- S4680 skill additional Skill in utilizing a network traffic packet analyzer in order to detect anomalies in protocol utilization
- S6590 skill additional Skill in interfacing with customers.
- S70B skill additional Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and encryption.