The older readers among our audience might remember them: The painfully long discussions on online forums and usenet groups regarding the definition of a hacker. The difference to the so-called cracker was just as important as the debate, if self-proclaimed hackers have forfeited the right to the label by assigning it to themselves and are to be considered lamers. Generally, there is a lot of lingo in the hacker and infosec realm that leaves room for interpretation: The terms whitehat, blackhat and greyhat were often used to identify the ethical alignment of a person. But especially with the third term, the definition was often lost in more than fifty shades of grey of moral ambiguity.

Definitions Today

Even though these discussions have become a bit less frequent these days, the bickering about words has not fully subsided: The term cyber has been thrown around in marketing pitches so relentlessly, many infosec professionals have almost developed an allergy towards it – even though the general public, including the board of directors and other high-level executives could relate way better to the term cybersecurity than to the more obscure information security or its abbreviation, infosec.

The discussion regarding standardized labels goes further than one might think: Generic job titles like Security Analyst are common, but say little about the specific abilities and skills possessed by the individual bearing the title. The field of information security is so broad, that even experienced professionals with a broad base of knowledge have specific strengths and weaknesses. Especially with regards to job postings, it is often not completely clear what is expected from an analyst. A vulnerability assessment requires a very different skill set than a forensic data examination – but both these activities are often performed by Security Analysts.

This problem has also been encountered in the less formal times of the security- and hacker community. A real solution was never to be found, even though Geek Code, for example, a code format by Robert A. Hayden published in 1993 tried to formalize the expression of ones own strengths and weaknesses in a Public Key-style code block.

-----BEGIN GEEK CODE BLOCK-----
GED/J d-- s:++>: a--
C++(++++) ULU++ P+ L++
E---- W+(-) N+++ o+ K+++ w--- O-
M+ V--
PS++>$ PE++>$
Y++ PGP++ t-
5+++ X++ R+++>$
TV+ b+ DI+++ D+++ G+++++ e++  h r--
y++**
------END GEEK CODE BLOCK------

Given those ambiguities, nobody should be surprised that the definition of job titles has become somewhat odd. One example: Thought Leader. Let’s not waste any time talking about that one in more detail.

A certain clarity in the era of cybersecurity would actually be very important. Ambiguous or lacking internal communication is one of the core reasons for bad strategic decisions regarding infosec investments within Swiss corporations. Help has, maybe, arrived with a new document authored by the National Institute of Standards and Technology (NIST), the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE).

The 135-page document makes a structured attempt, for the terminology of job titles, skills, abilities and tasks to be unified and labelled using standardized language. This standardization is important to assure that communication can be unobstructed and clear beyond company- and country borders. It could also be highly beneficial with regards to training, qualification letters and CVs. Standardization does not necessary mean a reduction of complexity though. Much more, it means the reduction of ambiguity that might lead to errors and misinterpretation.

A standardization of labels means that one might also need to re-visit some commonly used labels in the own vocabulary. Hence, the author of the article you are reading at this point was also surprised to see that performing security assessments might fit both the role of Secure Software Assessor (SP-DEV-002) as well as the Exploitation Analyst (AN-EXP-001), but that the paper was not defining a role called Penetration Tester or similar. Upon closer inspection, the specific definition of both these roles are very interesting. So, let us look at the Exploitation Analyst, a label that probably matches the classic penetration tester, the way we see it at scip AG, the best. The NIST paper does not list every role in full, but only provides lookup tables. To give a sense of understanding, we compiled a full list of the tasks, abilities, skills and knowledge items linked to the role:

Example Exploitation Analyst

Description

Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.

Tasks

• T0028: Conduct and/or support authorized penetration testing on enterprise network assets.
• T0266: Perform penetration testing as required for new or updated applications.
• T0570: Apply and utilize authorized cyber capabilities to enable access to targeted networks.
• T0572: Apply cyber collection, environment preparation and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements.
• T0574: Apply and obey applicable statutes, laws, regulations and policies
• T0591: Perform analysis for target infrastructure exploitation activities.
• T0600: Collaborate with other internal and external partner organizations on target access and operational issues.
• T0603: Communicate new developments, breakthroughs, challenges and lessons learned to leadership, and internal and external customers.
• T0608: Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.
• T0614: Conduct independent in-depth target and technical analysis including target-specific information (e.g., cultural, organizational, political) that results in access.
• T0641: Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities.
• T0695: Examine intercept-related metadata and content with an understanding of targeting significance.
• T0701: Collaborate with developers, conveying target and technical knowledge in tool requirements submissions, to enhance tool development.
• T0720: Identify gaps in our understanding of target technology and developing innovative collection approaches.
• T0727: Identify, locate, and track targets via geospatial analysis techniques.
• T0736: Lead or enable exploitation operations in support of organization objectives and target requirements.
• T0738: Maintain awareness of advancements in hardware and software technologies (e.g., attend training or conferences, reading) and their potential implications
• T0754: Monitor target networks to provide indications and warning of target communications changes or processing failures.
• T0775: Produce network reconstructions.
• T0777: Profile network or system administrators and their activities.

Knowledge

• K0001: computer networking concepts and protocols, and network security methodologies.
• K0002: risk management processes (e.g., methods for assessing and mitigating risk).
• K0003: laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
• K0004: cybersecurity and privacy principles.
• K0005: cyber threats and vulnerabilities.
• K0006: specific operational impacts of cybersecurity lapses.
• K0108: concepts, terminology, and operations of a wide range of communications media (computer and telephone networks, satellite, fiber, wireless).
• K0109: physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
• K0131: web mail collection, searching/analyzing techniques, tools, and cookies
• K0142: collection management processes, capabilities, and limitations
• K0143: front-end collection systems, including traffic collection, filtering, and selection.
• K0177: cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
• K0224: system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.
• K0349: website types, administration, functions, and content management system (CMS).
• K0362: attack methods and techniques (DDoS, brute force, spoofing, etc.).
• K0417: data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).
• K0444: how Internet applications work (SMTP email, web-based email, chat clients, VOIP).
• K0471: Internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).
• K0560: the basic structure, architecture, and design of modern communication networks.
• K0351: applicable statutes, laws, regulations and policies governing cyber targeting and exploitation.
• K0354: relevant reporting and dissemination procedures.
• K0368: implants that enable cyber collection and/or preparation activities.
• K0371: principles of the collection development processes (e.g., Dialed Number Recognition, Social Network Analysis).
• K0376: internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc
• K0379: client organizations, including information needs, objectives, structure, capabilities, etc.
• K0388: collection searching/analyzing techniques and tools for chat/buddy list, emerging technologies, VOIP, Media Over IP, VPN, VSAT/wireless, web mail and cookies.
• K0393: common networking devices and their configurations.
• K0394: common reporting databases and tools.
• K0397: security concepts in operating systems (e.g., Linux, Unix.)
• K0418: data flow process for terminal or environment collection
• K0430: evasion strategies and techniques.
• K0443: how hubs, switches, routers work together in the design of a network.
• K0447: how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).
• K0451: identification and reporting processes
• K0470: Internet and routing protocols.
• K0473: intrusion sets
• K0484: midpoint collection (process, objectives, organization, targets, etc.).
• K0487: network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).
• K0489: network topology.
• K0509: organizational and partner authorities, responsibilities, and contributions to achieving objectives.
• K0510: organizational and partner policies, tools, capabilities, and procedures.
• K0523: products and nomenclature of major vendors (e.g., security suites – Trend Micro, Symantec, McAfee, Outpost, and Panda) and how those products affect exploitation and reduce vulnerabilities.
• K0529: scripting
• K0535: strategies and tools for target research.
• K0544: target intelligence gathering and operational preparation techniques and life cycles.
• K0557: terminal or environmental collection (process, objectives, organization, targets, etc.)
• K0559: the basic structure, architecture, and design of converged applications.
• K0608: Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

Skills

• S0066: identifying gaps in technical capabilities
• S0184: analyzing traffic to identify network devices
• S0199: creating and extracting important information from packet captures
• S0200: creating collection requirements in support of data acquisition activities
• S0201: creating plans in support of remote operations. (i.e., hot/warm/cold/alternative sites, disaster recovery).
• S0204: depicting source or collateral data on a network map.
• S0207: determining the effect of various router and firewall configurations on traffic patterns and network performance in both LAN and WAN environments.
• S0214: evaluating accesses for intelligence value.
• S0223: generating operation plans in support of mission and target requirements.
• S0236: identifying the devices that work at each level of protocol models
• S0237: identifying, locating, and tracking targets via geospatial analysis techniques
• S0239: interpreting compiled and interpretive programming languages.
• S0240: interpreting metadata and content as applied by collection systems.
• S0245: navigating network visualization software.
• S0247: performing data fusion from existing intelligence for enabling new and continued collection.
• S0258: recognizing and interpreting malicious network activity in traffic.
• S0260: recognizing midpoint opportunities and essential information
• S0264: recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information).
• S0269: researching vulnerabilities and exploits utilized in traffic.
• S0279: target development in direct support of collection operations.
• S0286: using databases to identify target-relevant information.
• S0290: using non-attributable networks.
• S0294: using trace route tools and interpreting the results as they apply to network analysis and reconstruction.
• S0300: writing (and submitting) requirements to meet gaps in technical capabilities

Abilities

• A0013: communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
• A0066: accurately and completely source all data used in intelligence, assessment and/or planning products.
• A0080: develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.
• A0084: evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.
• A0074: collaborate effectively with others.
• A0086: expand network access by conducting target analysis and collection to identify targets of interest.
• A0092: identify/describe target vulnerability.
• A0093: identify/describe techniques/methods for conducting technical exploitation of the target.
• A0104: select the appropriate implant to achieve operational goals.

Despite the list being somewhat long, it manages to describe the core abilities of a good penetration tester – or exploitation analyst, if you will – surprisingly well. One might complain about the varying levels of granularity in the single items, but generally NIST SP 800-181 provides a very useful resource to more accurately represent job functions within the field.

Conclusion

Time will tell if the NICE framework and the role descriptions in the form they currently exist will fully penetrate the field and become standard terminology. A lot of organizations still lack the maturity to be able to fully harness the granular descriptions and compartmentalizations.

Nevertheless: The paper is a step towards a better situation, even if it is just to provide a more comprehensive overview over the field of information security and the multitude of roles it contains.

About the Author

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

Links

• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf