AN-EXP-001 Exploitation Analyst

Performs highly-specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

Analyzes collected information to identify vulnerabilities and potential for exploitation.

Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.

Knowledge (48)

| Code | Description | Work Roles (count) |
|---|---|---|
| K0001 | Knowledge of computer networking concepts and protocols, and network security methodologies. | 52 |
| K0002 | Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | 52 |
| K0003 | Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. | 52 |
| K0004 | Knowledge of cybersecurity and privacy principles. | 52 |
| K0005 | Knowledge of cyber threats and vulnerabilities. | 52 |
| K0006 | Knowledge of specific operational impacts of cybersecurity lapses. | 52 |
| K0108 | Knowledge of concepts, terminology, and operations of a wide range of communications media (computer and telephone networks, satellite, fiber, wireless). | 11 |
| K0109 | Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). | 15 |
| K0131 | Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. | 3 |
| K0142 | Knowledge of collection management processes, capabilities, and limitations. | 4 |
| K0143 | Knowledge of front-end collection systems, including traffic collection, filtering, and selection. | 3 |
| K0177 | Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). | 12 |
| K0224 | Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems. | 5 |
| K0349 | Knowledge of website types, administration, functions, and content management systems (CMS). | 8 |
| K0351 | Knowledge of applicable statutes, laws, regulations and policies governing cyber targeting and exploitation. | 3 |
| K0354 | Knowledge of relevant reporting and dissemination procedures. | 1 |
| K0362 | Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.). | 9 |
| K0368 | Knowledge of implants that enable cyber collection and/or preparation activities. | 1 |
| K0371 | Knowledge of principles of the collection development processes (e.g., Dialed Number Recognition, Social Network Analysis). | 1 |
| K0376 | Knowledge of internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc. | 1 |
| K0379 | Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc. | 7 |
| K0388 | Knowledge of collection searching/analyzing techniques and tools for chat/buddy list, emerging technologies, VOIP, Media Over IP, VPN, VSAT/wireless, web mail and cookies. | 1 |
| K0393 | Knowledge of common networking devices and their configurations. | 1 |
| K0394 | Knowledge of common reporting databases and tools. | 1 |
| K0397 | Knowledge of security concepts in operating systems (e.g., Linux, Unix). | 1 |
| K0417 | Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media). | 10 |
| K0418 | Knowledge of data flow process for terminal or environment collection. | 1 |
| K0430 | Knowledge of evasion strategies and techniques. | 2 |
| K0443 | WITHDRAWN: Knowledge of how hubs, switches, routers work together in the design of a network. (See K0143) | 1 |
| K0444 | Knowledge of how Internet applications work (SMTP email, web-based email, chat clients, VOIP). | 11 |
| K0447 | Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, HTTP). | 1 |
| K0451 | Knowledge of identification and reporting processes. | 1 |
| K0470 | Knowledge of Internet and routing protocols. | 1 |
| K0471 | Knowledge of Internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering). | 9 |
| K0473 | Knowledge of intrusion sets. | 3 |
| K0484 | Knowledge of midpoint collection (process, objectives, organization, targets, etc.). | 1 |
| K0487 | Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection). | 4 |
| K0489 | Knowledge of network topology. | 1 |
| K0509 | Knowledge of organizational and partner authorities, responsibilities, and contributions to achieving objectives. | 1 |
| K0510 | Knowledge of organizational and partner policies, tools, capabilities, and procedures. | 1 |
| K0523 | Knowledge of products and nomenclature of major vendors (e.g., security suites: Trend Micro, Symantec, McAfee, Outpost, and Panda) and how those products affect exploitation and reduce vulnerabilities. | 1 |
| K0529 | Knowledge of scripting. | 1 |
| K0535 | Knowledge of strategies and tools for target research. | 1 |
| K0544 | Knowledge of target intelligence gathering and operational preparation techniques and life cycles. | 2 |
| K0557 | Knowledge of terminal or environmental collection (process, objectives, organization, targets, etc.). | 1 |
| K0559 | Knowledge of the basic structure, architecture, and design of converged applications. | 2 |
| K0560 | Knowledge of the basic structure, architecture, and design of modern communication networks. | 10 |
| K0608 | Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications). | 2 |

Skills (24)

| Code | Description | Work Roles (count) |
|---|---|---|
| S0066 | Skill in identifying gaps in technical capabilities. | 2 |
| S0184 | Skill in analyzing traffic to identify network devices. | 4 |
| S0199 | Skill in creating and extracting important information from packet captures. | 1 |
| S0200 | Skill in creating collection requirements in support of data acquisition activities. | 1 |
| S0201 | Skill in creating plans in support of remote operations (i.e., hot/warm/cold/alternative sites, disaster recovery). | 1 |
| S0204 | Skill in depicting source or collateral data on a network map. | 1 |
| S0207 | Skill in determining the effect of various router and firewall configurations on traffic patterns and network performance in both LAN and WAN environments. | 1 |
| S0214 | Skill in evaluating accesses for intelligence value. | 1 |
| S0223 | Skill in generating operation plans in support of mission and target requirements. | 1 |
| S0236 | Skill in identifying the devices that work at each level of protocol models. | 3 |
| S0237 | Skill in identifying, locating, and tracking targets via geospatial analysis techniques. | 2 |
| S0239 | Skill in interpreting compiled and interpretive programming languages. | 2 |
| S0240 | Skill in interpreting metadata and content as applied by collection systems. | 2 |
| S0245 | Skill in navigating network visualization software. | 1 |
| S0247 | Skill in performing data fusion from existing intelligence for enabling new and continued collection. | 1 |
| S0258 | Skill in recognizing and interpreting malicious network activity in traffic. | 1 |
| S0260 | Skill in recognizing midpoint opportunities and essential information. | 1 |
| S0264 | Skill in recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information). | 1 |
| S0269 | Skill in researching vulnerabilities and exploits utilized in traffic. | 1 |
| S0279 | Skill in target development in direct support of collection operations. | 2 |
| S0286 | Skill in using databases to identify target-relevant information. | 1 |
| S0290 | Skill in using non-attributable networks. | 2 |
| S0294 | Skill in using trace route tools and interpreting the results as they apply to network analysis and reconstruction. | 1 |
| S0300 | Skill in writing (and submitting) requirements to meet gaps in technical capabilities. | 1 |

Abilities (9)

| Code | Description | Work Roles (count) |
|---|---|---|
| A0013 | Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means. | 14 |
| A0066 | Ability to accurately and completely source all data used in intelligence, assessment and/or planning products. | 12 |
| A0074 | Ability to collaborate effectively with others. | 6 |
| A0080 | Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists. | 6 |
| A0084 | Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products. | 7 |
| A0086 | Ability to expand network access by conducting target analysis and collection to identify targets of interest. | 2 |
| A0092 | Ability to identify/describe target vulnerability. | 2 |
| A0093 | Ability to identify/describe techniques/methods for conducting technical exploitation of the target. | 2 |
| A0104 | Ability to select the appropriate implant to achieve operational goals. | 2 |

Tasks (20)

| Code | Description | Work Roles (count) |
|---|---|---|
| T0570 | Apply and utilize authorized cyber capabilities to enable access to targeted networks. | 1 |
| T0572 | Apply cyber collection, environment preparation and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements. | 1 |
| T0574 | Apply and obey applicable statutes, laws, regulations and policies. | 1 |
| T0591 | Perform analysis for target infrastructure exploitation activities. | 1 |
| T0600 | Collaborate with other internal and external partner organizations on target access and operational issues. | 1 |
| T0603 | Communicate new developments, breakthroughs, challenges and lessons learned to leadership, and internal and external customers. | 1 |
| T0266 | Perform penetration testing as required for new or updated applications. | 2 |
| T0028 | Conduct and/or support authorized penetration testing on enterprise network assets. | 2 |
| T0608 | Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access. | 1 |
| T0614 | Conduct independent in-depth target and technical analysis including target-specific information (e.g., cultural, organizational, political) that results in access. | 1 |
| T0641 | Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities. | 1 |
| T0695 | Examine intercept-related metadata and content with an understanding of targeting significance. | 1 |
| T0701 | Collaborate with developers, conveying target and technical knowledge in tool requirements submissions, to enhance tool development. | 1 |
| T0720 | Identify gaps in our understanding of target technology and develop innovative collection approaches. | 1 |
| T0727 | Identify, locate, and track targets via geospatial analysis techniques. | 1 |
| T0736 | Lead or enable exploitation operations in support of organization objectives and target requirements. | 1 |
| T0738 | Maintain awareness of advancements in hardware and software technologies (e.g., attend training or conferences, reading) and their potential implications. | 1 |
| T0754 | Monitor target networks to provide indications and warning of target communications changes or processing failures. | 1 |
| T0775 | Produce network reconstructions. | 1 |
| T0777 | Profile network or system administrators and their activities. | 1 |