Collect and Operate

Performs activities to gather evidence on criminal or foreign intelligence entities to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities.

Below are the roles for this Specialty Area. Click each role to see the KSAs (Knowledge, Skills, and Abilities) and Tasks.

  • A0095: Ability to interpret and translate customer requirements into operational action.
  • A0097: Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity.
  • A0099: Ability to perform network collection tactics, techniques, and procedures to include decryption capabilities/tools.
  • A0100: Ability to perform wireless collection procedures to include decryption capabilities/tools.
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0009: Knowledge of application vulnerabilities. 
  • K0021: Knowledge of data backup and recovery. 
  • K0051: Knowledge of low-level computer languages (e.g., assembly languages). 
  • K0109: Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). 
  • K0142: Knowledge of collection management processes, capabilities, and limitations.
  • K0224: Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems. 
  • K0363: Knowledge of auditing and logging procedures (including server-based logging).
  • K0372: Knowledge of programming concepts (e.g., levels, structures, compiled vs. interpreted languages). 
  • K0373: Knowledge of basic software applications (e.g., data storage and backup, database applications) and the types of vulnerabilities that have been found in those applications. 
  • K0375: Knowledge of wireless applications vulnerabilities. 
  • K0379: Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc.
  • K0403: Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.
  • K0406: Knowledge of current software and methodologies for active defense and system hardening.
  • K0420: Knowledge of database theory.
  • K0423: Knowledge of deconfliction reporting to include external organization interaction.
  • K0427: Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).
  • K0428: Knowledge of encryption algorithms and tools for wireless local area networks (WLANs). 
  • K0429: Knowledge of enterprise-wide information management.
  • K0430: Knowledge of evasion strategies and techniques.
  • K0433: Knowledge of forensic implications of operating system structure and operations.
  • K0438: Knowledge of Global Systems for Mobile Communications (GSM) architecture.
  • K0440: Knowledge of host-based security products and how those products affect exploitation and reduce vulnerability. 
  • K0452: Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.
  • K0468: Knowledge of internal and external partner reporting.
  • K0480: Knowledge of malware.
  • K0481: Knowledge of methods and techniques used to detect various exploitation activities.
  • K0485: Knowledge of network administration.
  • K0486: Knowledge of network construction and topology.
  • K0516: Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.
  • K0528: Knowledge of satellite-based communication systems.
  • K0530: Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.
  • K0531: Knowledge of security implications of software configurations.
  • K0536: Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).
  • K0560: Knowledge of the basic structure, architecture, and design of modern communication networks.
  • K0565: Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.
  • K0573: Knowledge of the fundamentals of digital forensics to extract actionable intelligence.
  • K0608: Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).
  • K0609: Knowledge of virtual machine technologies.
  • S0062: Skill in analyzing memory dumps to extract information.
  • S0182: Skill in analyzing target communications internals and externals collected from wireless LANs.
  • S0183: Skill in analyzing terminal or environment collection data.
  • S0190: Skill in assessing current tools to identify needed improvements.
  • S0192: Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.
  • S0202: Skill in data mining techniques (e.g., searching file systems) and analysis.
  • S0206: Skill in determining installed patches on various operating systems and identifying patch signatures.
  • S0221: Skill in extracting information from packet captures.
  • S0236: Skill in identifying the devices that work at each level of protocol models.
  • S0242: Skill in interpreting vulnerability scanner results to identify vulnerabilities.
  • S0243: Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).
  • S0252: Skill in processing collected data for follow-on analysis.
  • S0255: Skill in providing real-time, actionable geolocation information utilizing target infrastructures.
  • S0257: Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).
  • S0266: Skill in relevant programming languages (e.g., C++, Python, etc.).
  • S0267: Skill in remote command line and Graphic User Interface (GUI) tool usage.
  • S0270: Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools.
  • S0275: Skill in server administration.
  • S0276: Skill in survey, collection, and analysis of wireless LAN metadata.
  • S0281: Skill in technical writing.
  • S0282: Skill in testing and evaluating tools for implementation.
  • S0293: Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target.
  • S0295: Skill in using various open source data collection tools (online trade, DNS, mail, etc.).
  • S0298: Skill in verifying the integrity of all files. (e.g., checksums, Exclusive OR, secure hashes, check constraints, etc.). 
  • S0299: Skill in wireless network target analysis, templating, and geolocation.
  • S0363: Skill to analyze and assess internal and external partner reporting. 
  • T0566: Analyze internal operational architecture, tools, and procedures for ways to improve performance.
  • T0567: Analyze target operational architecture for ways to gain access.
  • T0598: Collaborate with development organizations to create and deploy the tools needed to achieve objectives.
  • T0609: Conduct access enabling of wireless computer and digital networks.
  • T0610: Conduct collection and processing of wireless computer and digital networks.
  • T0612: Conduct exploitation of wireless computer and digital networks.
  • T0616: Conduct network scouting and vulnerability analyses of systems within a network.
  • T0618: Conduct on-net activities to control and exfiltrate data from deployed technologies.
  • T0619: Conduct on-net and off-net activities to control, and exfiltrate data from deployed, automated technologies.
  • T0620: Conduct open source data collection via various online tools.
  • T0623: Conduct survey of computer and digital networks.
  • T0643: Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers).
  • T0644: Detect exploits against targeted networks and hosts and react accordingly.
  • T0664: Develop new techniques for gaining and keeping access to target systems.
  • T0677: Edit or execute simple scripts (e.g., Perl, VBScript) on Windows and UNIX systems.
  • T0696: Exploit network devices, security devices, and/or terminals or environments using various methods or tools.
  • T0697: Facilitate access enabling by physical and/or wireless means.
  • T0724: Identify potential points of strength and vulnerability within a network.
  • T0740: Maintain situational awareness and functionality of organic operational infrastructure.
  • T0756: Operate and maintain automated systems for gaining and maintaining access to target systems.
  • T0768: Conduct cyber activities to degrade/remove information resident in computers and computer networks.
  • T0774: Process exfiltrated data for analysis and/or dissemination to customers.
  • T0796: Provide real-time actionable geolocation information.
  • T0804: Record information collection and/or environment preparation activities against targets during operations designed to achieve cyber effects.
  • T0828: Test and evaluate locally developed tools for operational use.
  • T0829: Test internal developed tools and techniques against target tools.