Red Team Specialist

Leverages tools, systems, and utilities necessary to enhance the security posture of an organization, conducts threat and risk assessments, and performs testing and evaluation in accordance with legal and organizational requirements, policies, and regulations.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

• T1104 additional Examine network topologies to understand data flows through the network.
• T1111 additional Identify applications and operating systems of a network device based on network traffic.
• T2123 additional Conduct on-net and off-net activities to control, and exfiltrate data from deployed, automated technologies.
• T448 additional Conduct and/or support authorized penetration testing on enterprise network assets.
• T767 additional Perform security reviews and identify security gaps in security architecture resulting in recommendations for the inclusion into the risk mitigation strategy.
• T801B additional Provide cybersecurity and supply chain risk management guidance.
• T806A additional Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
• T8189 additional Review requirements to verify mission scope.
• T8194 additional Submit capabilities requirements to developers.
• T8209 additional Utilize multi-faceted intelligence resources to develop comprehensive operational strategies.
• T8227 additional Conduct shaping activities in order to scope and execute red team operations.
• T8228 additional Assess access controls based on principles of least privilege and need-to-know.
• T8229 additional Maintain consistent operational logs to facilitate deconfliction and sanitization.
• T8230 additional Conduct red team operations in accordance with organizational policies and regulations.
• T8231 additional Document the execution and results of a red team operation.
• T8232 additional Employ lateral movement TTPs in red team operations
• T8233 additional Record and document activities during red team operations.
• T940B additional Perform technical (evaluation of technology) and non-technical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., local computing environment, network and infrastructure, control system and operational environments, enclave boundary, supporting infrastructure, and applications).

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

• A3003 ability additional Ability to adjust to and operate in a diverse, unpredictable, challenging, and fast-paced work environment.
• A4 ability additional Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
• A4192 ability additional Ability to articulate and recommend changes to policies, processes, and procedures.
• A4262 ability additional Ability to export/enumerate information (e.g., users, groups) from a Domain Controller.
• A4280 ability additional Ability to identify new and emerging vulnerabilities.
• A4282 ability additional Ability to identify opportunities for conducting server side and client side exploits.
• A4299 ability additional Ability to manage implants and deployment strategies.
• A4718 ability additional Ability to properly identify, coordinate, and remediate a halting condition.
• A4719 ability additional Ability to conduct technical exchanges and hot washes of assessment findings with non-technical audiences.
• A4720 ability additional Ability to operate covertly within a target network.
• A4721 ability additional Ability to leverage implants and/or exploit vulnerabilities on a target system to facilitate intial access.
• A4722 ability additional Ability to leverage tools for passive and active reconnaissance of target networks and/or systems.
• A4723 ability additional Ability to recognize and respond to unanticipated events (e.g., identification of information spillage, misuse of government information systems) during Red Team operations, in accordance with organizational policies.
• K0010 knowledge additional Knowledge of application vulnerabilities.
• K0019 knowledge additional Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
• K0025 knowledge additional Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
• K0027 knowledge additional Knowledge of cryptography and cryptographic key management concepts.
• K0034 knowledge additional Knowledge of database systems.
• K0049 knowledge additional Knowledge of host/network access control mechanisms (e.g., access control list).
• K0058 knowledge additional Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
• K0063 knowledge additional Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• K0070 knowledge additional Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
• K0079 knowledge additional Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
• K0087 knowledge additional Knowledge of network traffic analysis methods.
• K0092 knowledge additional Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
• K0102 knowledge additional Knowledge of programming language structures and logic.
• K0105 knowledge additional Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
• K0111 knowledge additional Knowledge of security system design tools, methods, and techniques.
• K0138 knowledge additional Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.
• K0148 knowledge additional Knowledge of Virtual Private Network (VPN) security.
• K0270 knowledge additional Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).
• K081A knowledge additional Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
• K088A knowledge additional Knowledge of current and emerging cyber technologies.
• K0904 knowledge additional Knowledge of interpreted and compiled computer languages.
• K0991 knowledge additional Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).
• K1033 knowledge additional Knowledge of basic system administration, network, and operating system hardening techniques.
• K1034A knowledge additional Knowledge of Personally Identifiable Information (PII) data security standards.
• K1036 knowledge additional Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
• K1069 knowledge additional Knowledge of general attack stages (e.g., foot printing and scanning, enumeration, gaining access, escalation or privileges, maintaining access, network exploitation, covering tracks).
• K1069A knowledge additional Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
• K1072 knowledge additional Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
• K1114 knowledge additional Knowledge of encryption methodologies.
• K1121 knowledge additional Knowledge of Windows/Unix ports and services.
• K1141A knowledge additional Knowledge of an organization's information classification program and procedures for information compromise.
• K130A knowledge additional Knowledge of systems security testing and evaluation methods.
• K177B knowledge additional Knowledge of countermeasures for identified security risks.
• K212A knowledge additional Knowledge of network mapping and recreating network topologies.
• K214B knowledge additional Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
• K3150 knowledge additional Knowledge of ethical hacking principles and techniques.
• K3154 knowledge additional Knowledge of classification and control markings standards, policies and procedures.
• K3274 knowledge additional Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber attack, cyber defense), principles, capabilities, limitations, and effects.
• K3513 knowledge additional Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
• K4097 knowledge additional Knowledge of network security implementations (e.g., host-based IDS, IPS, access control lists), including their function and placement in a network.
• K4400 knowledge additional Knowledge of basic operational infrastructure.
• K4411 knowledge additional Knowledge of command line and GUI interfaces.
• K4450 knowledge additional Knowledge of Friendly Network Forces (FNF) reporting procedures (i.e. deconfliction) to include external organization interaction.
• K4462 knowledge additional Knowledge of how authentication and logging systems are implemented within a target network.
• K4483 knowledge additional Knowledge of Malware TTPs
• K4512 knowledge additional Knowledge of persistence tools and methods (e.g. Implants/Rootkits, Tunneling, Native Actions).
• K4515 knowledge additional Knowledge of Post-Exploitation TTPs (e.g. data exfiltration, privilege escalation, operational prep of the environment).
• K4550 knowledge additional Knowledge of the structure, architecture, design, and vulnerabilities of digital communications networks.
• K4553 knowledge additional Knowledge of the concept of an advanced persistent threat (APT)
• K4575 knowledge additional Knowledge of the risks associated with manuever, capabilities, and TTPs against target systems.
• K4592 knowledge additional Knowledge of virtualized and cloud based systems.
• K4709 knowledge additional Knowledge of process manipulation (e.g. hollowing, injection, etc.).
• K4710 knowledge additional Knowledge of the Trusted Agent Program.
• K4711 knowledge additional Knowledge of web application vulnerabilities.
• K4712 knowledge additional Knowledge of Active Directory.
• K4713 knowledge additional Knowledge of credential cracking techniques.
• K4714 knowledge additional Knowledge of Command and Control (C2) frameworks.
• K4715 knowledge additional Knowledge of the appropriate authorities, responsibilities, and approval processes that enable red team operations.
• K4716 knowledge additional Knowledge of factors that would suspend or abort an operation.
• K4717 knowledge additional Knowledge of individual training and certification requirements for the individual members of the mission team.
• K922A knowledge additional Knowledge of how to use network analysis tools to identify vulnerabilities.
• K992C knowledge additional Knowledge of threat environments (e.g., threat actors, threat activities).
• S10A skill additional Skill in conducting application vulnerability assessments.
• S162 skill additional Skill in conducting capabilities and requirements analysis.
• S179A skill additional Skill in assessing security controls based on cybersecurity principles and tenets.
• S210 skill additional Skill in mimicking threat behaviors.
• S3929 skill additional Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target.
• S3B skill additional Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.
• S4602 skill additional Skill in analyzing network device configurations.
• S4608 skill additional Skill in assessing target security posture.
• S4644 skill additional Skill in peforming research through open source tools.
• S4682 skill additional Skill in utilizing network mapping.
• S4704 skill additional Skill in leading red team operations in support of mission and target requirements.
• S4705 skill additional Skill in using network analysis tools.
• S4706 skill additional Skill in leveraging tools, system services, or utilities to laterally move to target systems.
• S4707 skill additional Skill in exploiting system vulnerabilities to escalate privileges.
• S4708 skill additional Skill in enumerating a system or network for situational awareness of the target environment and current level of access.
• S6660 skill additional Skill in reviewing logs to identify evidence of past intrusions.
• S75C skill additional Skill in conducting trend analysis.
• S897A skill additional Skill in performing impact/risk assessments.

EWU courses that develop this role

Skill drills that practice this role

Exam questions from CSCD 240. Click any to work it.

• CSCD240-E1-B-Q01 primary navigation pwd=/home/operator/target/foothold, home=/home/operator. For each cd: cd, cd ../pivot, cd ~/intel, cd ../../.., cd /tmp
• CSCD240-E1-B-Q02 primary recon Landing on a target; identify host kernel + architecture in one command.
• CSCD240-E1-B-Q03 primary recon Print your current username.
• CSCD240-E1-B-Q49 primary history-hygiene Delete the in-memory command history for the current shell.

Other roles in this element