Job Title: Cybersecurity Analyst Levels 1-7, Threat Hunting and MITRE

Salary Range: Level 1: $82,857 - $105,000

Level 2: $87,685 - $115,500

Level 3: $95,929 - $127,050

Level 4: $102,760 - $139,755

Level 5: $114,537 - $153,731

Level 6: $124,311 - $169,104

Level 7: $140,917 - $186,014

POINTS:

Level 1 - 282

Level 2 - 323

Level 3 - 393

Level 4 - 451

Level 5 – 551

Level 6 – 634

Level 7 – 775

DEPT/DIV: MTA Information Technology/ Office of IT Cyber Security Services

SUPERVISOR: Cybersecurity Office Manager

LOCATION: 2 Broadway, New York, NY 10004

HOURS OF WORK: 9:00am-530pm (7.5 hours/day) or as required

This position is eligible for telework. New Hires are eligible to apply 30 days after their effective date of hire.

In order to protect our employees and continue to provide safe and reliable service to our communities, as of November 14, 2021, we are requiring all new MTA hires to be fully vaccinated against COVID-19 prior to their start date. MTA will consider exceptions for religious and medical reasons, where appropriate. “Fully vaccinated” means you must have both doses of a 2-dose vaccine and two weeks have elapsed since the second dose or have received 1 dose of a 1-dose vaccine and two weeks have elapsed since the dose. Proof of your vaccination status in the form of a CDC vaccine card must be submitted prior to your start date.

The purpose of this position is to provide critical technical expertise in threat hunting and automation functions. Cybersecurity Analyst will be tasked with remaining up to date on the latest risks and threats to the MTA as the threat landscape gradually evolves. This position will work in conjunction with the MTA’s SOC, MSSP, and other cybersecurity partners to perform effective threat hunting and anticipation. Upon developing effective threat hunting enterprise searches, the analyst must also assist in creating content detection / prevention rules. The analyst is part of a Tier 3 SOC function and must be able to create searches with high fidelity and minimize/negate potential false-positives. This position will also work in conjunction with existing MITRE ATT&CK framework adherence efforts and must be capable of making recommendations for enterprise-level visibility gaps.

Responsibilities:

• Administration of Threat Intelligence Platform (TIP)
• Performs threat hunting searches across a variety of technologies that are on-prem, cloud-based, and hybrid
• Assesses existing MITRE ATT&CK detection capabilities
• Identifies the tactics, techniques, and procedures (TTPs) of potential threats through the MITRE ATT&CK or similar frameworks
• Researching emerging threats and vulnerabilities to aid in the identification of network incidents, and supports the creation of new architecture, policies, standards, and guidance to address them
• Provide incident response support, including mitigating actions to contain activity and facilitating forensics analysis when necessary
• Conducts security monitoring and intrusion detection analysis using various technology and analytic tools, such as web and next generation firewalls, machine and human behavior learning tools, host-based security system, security event and incident monitoring systems, virtual, physical, and cloud platforms, user endpoint (laptop, desktop, mobile, and internet of things/IOT) systems, etc.
• Correlates events and activities across systems to identify trends of unauthorized use
• Reviews alerts and data from sensors and documents formal, technical incident reports
• Tests new systems and manage cybersecurity risks and remediation through analysis
• Responds to computer security incidents according to the computer security incident response policy and procedures
• Provides technical guidance to first responders for handling information security incidents
• Provides timely and relevant updates to appropriate stakeholders and decision makers
• Communicates investigation findings to relevant business units to help improve the information security posture
• Validates and maintains incident response plans and processes to address potential threats
• Compiles and analyzes data for management reporting and metrics
• Monitors relevant information sources to stay up to date on current attacks and trends
• Analyzes potential impact of new threats and communicates risks back to detection engineering functions
• Performs root-cause analysis to document findings, and participate in root-cause elimination activities as required
• Works with data sets to identify patterns
• Understands data automation and analysis techniques
• Uses judgment to form conclusions that may challenge conventional wisdom
• Hypothesizes new threats and indicators of compromise
• Monitors threat intelligence feeds to identify a range of threats, including indicators of compromise and advanced persistent threats (APTs)
• Participate in the creation of enterprise security documents (policies, standards, baselines, guidelines, and procedures) under the direction of the IT Security Manager, where appropriate.
• Perform Contract management and supply management functions appropriate to reduce security risks

The role will provide a proactive approach to cybersecurity while also performing investigation of security incidents related to MTA operations related to Cyber Security.

Level 1

• Perform threat hunting exercises against a variety of systems through MD5s, SHA256s, IPs, Domains, URLs, and Emails.
• High-level TIP intelligence ingestion and intelligence classification in accordance with TLP protocol
• Assesses existing MITRE ATT&CK detection capabilities
• Tracking of advanced threats, actors, and groups
• Ability to verify intelligence for accuracy
• Drafts intelligence Report for dissemination
• Assists with automation of intelligence efforts
• Participates in MSSP calls for threat hunting exercises
• Works closely with senior threat hunters on incident triaging
• Serves as part of a Tier 3 24/7 SOC
• Performs basic analysis while following established procedures to ensure security of systems, contractor, and/or process.
• Assists in executing tests and reporting on system security parameters to support security of system, contractor, and/or vendor.
• Performs basic troubleshooting and escalates issues as appropriate to ensure effective resolution of security baseline deviations and risks.
• Reviews and correlates system logs and provides support
• Participates on project teams, providing information and documentation and executing well defined changes under guidance to ensure the infrastructure meets organization needs

Level 2

Same as Level 1 with the following additional responsibilities:

• Provide guidance to MSSP partners for threat hunting direction
• Threat hunting that aligns with MITRE ATT&CK framework
• Escalates threat hunting true-positive incidents to Incident Response / Forensics teams, as appropriate
• Maps existing MITRE ATT&CK capabilities in alignment with best practices for existing and future technology stack
• Provides containment recommendations when Incidents have been validated
• Collaborates with MTA purple team to determine effectiveness of existing countermeasures
• Threat hunting triaging of findings
• Documents threat hunting findings and provides reports / recommendations
• Provides routine analysis on assigned technologies, following established procedures to ensure safety and security of systems, vendor performance, or processes.
• Reviews and correlates system logs to identify potential cybersecurity and technical issues.

Level 3

Same as Level 2 with the following additional responsibilities:

• Collaboration with threat intelligence partners & community
• Participate in Transit consortium calls
• Creates threat-actor and threat specific portfolios; maintains these reports for accuracy
• Design reports on trending threat landscape activities including trends over time and industry comparisons
• Provides recommendations for alignment with MITRE ATT&CK framework
• Determine root cause issues from threat hunting findings
• Defines dark web searching requirements for personal/sensitive information
• Provides proactive monitoring and analysis for a domain of the cybersecurity to ensure systems security baseline targets are met.
• Implements changes to one or more cybersecurity related domain technologies, executing tests and reporting on security baselines, violations/anomalies, to meet requested needs.
• Troubleshoot and investigate cybersecurity incidents and issues by analyzing a chain of events and applying technical knowledge following established procedures and standards to resolve immediate customer needs.
• Maintains and updates existing documentation and standard operating procedures to ensure accurate and timely information is available for assigned systems.
• Works with more experienced colleagues and other IT technical resources to improve coordination of cybersecurity requirements and analyze issues as they arise
• Participate in the evaluation of new products and technologies, under the direction and guidance of senior colleagues, relevant to assigned cybersecurity area to enhance cybersecurity posture and reduce risk to the MTA while achieving objectives.

Level 4

Same as Level 3 with the following additional responsibilities:

• Disseminate threat hunting findings to senior IT-Security leadership
• Steers direction of threat hunting exercises based on existing detection gaps
• Collaborate with vendors to develop MITRE capabilities (where not available)
• Write SIEM content detection dashboards and correlation searches
• Performs threat hunting searches based on TTPs
• Augment Incident Response efforts as needed
• Develop policies & procedures for Threat Hunting and MITRE ATT&CK
• Executes to the defined product lifecycle, manages the product lifecycle for a component of the infrastructure, proposes changes for implementation, gathers data and analyzes capacity and performance to assure operational availability.
• Analyzes the current state of the infrastructure and identifies opportunities for improvement to ensure systems meet business needs. Contributes to changes to established roadmaps, documents them effectively and executes the implementation of changes in their area(s) of responsibility.
• Provides ongoing support and troubleshooting for installed technical solutions by analyzing a chain of events and applying technical knowledge, following established procedures and standards to resolve immediate customer needs.
• Investigates, evaluates, and tests new products and technologies relevant to assigned infrastructure subsets to enhance cybersecurity analytics and overall security posture. Implements and/or supports the implementation of new technologies for their area of the cybersecurity that affects infrastructure, applications and/or processes.
• Promotes security standards and supports efforts to expand and migrate to future security architecture to improve security and share learning.

Level 5

Same as Level 4 with the following additional responsibilities:

• Designs new MITRE ATT&CK based detection rules based on trending Incident escalations & threat hunting findings
• Attends and hosts regular intelligence briefings to a variety of internal and external stakeholders
• Provides security content engineering recommendations
• Defines dark web searching requirements for organizational proprietary/confidential information
• Serves as a threat hunting subject matter expert
• Adds new components to a roadmap, documents them effectively, and directs the testing and implementation of changes.
• When provided with an objective to improve security in their security domain(s) and related technology, develops and implements action plans needed to effect the change.
• Research new technologies/products and their impact on the infrastructure, prepares a preliminary evaluation of technologies/products and associated costs, and develops and presents recommendations to support anticipated future business needs.
• Receives security and performance data and analyzes the baselines and efficacy of installed technologies. Proposes and implements any required changes, including identifying and planning for any resulting impacts on other technologies to optimize system availability and continuity.
• Provides ongoing support and troubleshooting for incidents, correlations and reporting to more junior analysts to resolve immediate security threats and/or customer needs.
• Provides technical leadership to project teams in their area of expertise and/or leads teams to complete projects specific to their area(s) of expertise to maximize and share learning.
• Provides guidance and technical coaching to less experienced staff to support effective workflow and develop technical talent.

Level 6

Same as Level 5 with the following additional responsibilities:

• Aide partner organizations with MITRE ATT&CK framework
• Designs advanced threat hunting searches that require the correlation of several data sources
• Develops automation and integrations for custom business technologies
• Leads projects for enhancement of existing hunting and MITRE ATT&CK capabilities
• Lead custom intelligence briefing reports
• Interface with C-level IT leadership
• Serves as a technical resource for multiple components of the security architecture, risk analysis, and analytics to help define the problems and identify remediation strategies for them.
• Troubleshoots and analyzes most problems within assigned area(s), providing cybersecurity correlation, expertise, and resolution that may be complicated by technology interdependency and challenging security issues
• Participates in planning for the future technical architecture, providing insight into the future of their area of technology in order to continually improve effectiveness and efficiency.
• Participates in or leads the development of roadmaps related to their area(s) of expertise to manage and meet identified technology needs.
• Participates in the evaluation of new technologies relative to their domain(s) to determine applicability to and best meet the needs of MTA and constituent agencies.
• Specifies the monitoring points to assess performance of technologies in their domain(s). Recommends the necessary actions to ensure optimal performance and reliability.
• Develops disaster recovery and contingency plans for their domain(s) to provide users with minimal interruptions in service.
• Provides technical leadership to project teams in their area of expertise to promote technical understanding and talent development and/or leads teams to complete projects when a project manager has not been assigned.
• Contributes to the technical elements of RFPs and RFIs and negotiates with vendors on technical issues to ensure results are delivered in line with user and organization requirements.
• Interacts with major providers at the technical expert level to address mission critical issues, evaluates ongoing vendor service level and enforces SLAs and penalties.

Level 7

Same as Level 6 with the following additional responsibilities:

• Design custom engineering efforts to make standard technology-stack compliant with MITRE ATT&CK.
• Interface with all levels of stakeholders up to and including senior leadership
• Provides guidance and direction for hunting and MITRE ATT&CK framework adherence
• Mentors all junior team members and provides oversight on policy & process design
• Provides subject matter expertise in scripting
• Acts as a technical resource for multiple technologies, with vast knowledge of the capabilities and constraints of technologies supported to continually improve system effectiveness and efficiency.
• Demonstrates a strong understanding of the current and future technology architecture, including the inter-operability of technologies to effectively integrate MTA systems and support the long-term strategies of the business.
• Provides expert level guidance and training to the IT community to maximize and share learning.
• Analyzes cross-technology/platform issues and addresses problems factoring in an understanding of the current and future architectures to ensure optimal performance and reliability across systems.
• Leads the evaluation of new technologies relative to their domain(s) to determine applicability to and best meet the needs of MTA and constituent agencies. Proposes technology investments supported by a thorough technical analysis and business case.
• Develops disaster recovery and contingency plans for their domain(s) to provide users with minimal interruptions in service.
• Creates complete RFPs and RFIs and negotiates contract terms and conditions with vendors and procurement in consideration of the needs of the business.
• Interacts with major providers at the technical expert level to address mission critical issues, evaluates ongoing vendor service level and enforces SLAs and penalties.
• Establishes systems to monitor compliance with architectural standards and to ensure technical integrity.

Level 1

• Associate degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
• Basic knowledge and familiarity with monitoring, installing, maintaining and/or troubleshooting cybersecurity related issues associated with applications and/or infrastructure systems
• Understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
• Understanding of Operating Systems
• Scripting or programming skills (PERL, Python, PowerShell, etc.) preferred as needed

Level 2

• Associate degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree and 2+ years of relevant experience, or a bachelor’s degree in Computer Science or related fields.
• Basic knowledge and familiarity with installing, maintaining and troubleshooting technology systems.
• Proven ability to troubleshoot and support technical issues.
• Proven ability to analyze a security risk assessment
• Understanding of Operating Systems
• Understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
• Scripting or programming skills (PERL, Python, PowerShell, etc.) preferred as needed.
• 6 months of experience in a specific (Cloud, Applications, Infrastructure, Security Technology, etc.) cybersecurity domain is preferred

Level 3

• Bachelor’s Degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
• CISSP or other advanced security-related certification preferred but not required.
• Certifications in technology subdomains preferred but not required (ie. Cloud, Applications, Infrastructure, Security Technology, etc.)
• 2+ years of relevant experience.
• Requires prior experience with installing, maintaining and troubleshooting technology systems.
• Proven ability to troubleshoot and support technical issues using standardized procedures.
• Proven ability to analyze a security risk assessment or conduct one with guidance
• Understanding of Operating Systems and Hardware
• Understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
• Scripting or programming skills (PERL, Python, PowerShell, etc.) preferred as needed.
• 1 year of experience in a specific (Cloud, Applications, Infrastructure, Security Technology, etc.) cybersecurity subdomain is preferred

Level 4

• Bachelor’s Degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
• 3+ years of relevant experience or 18 months of experience in a specific cybersecurity subdomain (Cloud, Applications, Infrastructure, Security Technology, etc.).
• Current CISSP or other advanced security-related certification preferred but not required.
• Certifications in technology subdomains preferred but not required (ie. Cloud, Applications, Infrastructure, Security Technology, etc.)
• Proven ability to independently evaluate and resolve most problems within an area of infrastructure, applications within a security domain context.
• Proven ability to analyze and/or conduct a security risk assessment
• Understanding of Operating Systems and Hardware
• Advanced understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
• Scripting or programming skills (PERL, Python, PowerShell, etc.).

Level 5

• Bachelor’s Degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.

• Progressive cybersecurity related accomplishments
• Requires broad technical knowledge of multiple technologies, or an in-depth knowledge of one technology including its impact on other technologies.
• Proven ability to analyze and/or conduct a security risk assessment
• Understanding of Operating Systems and Hardware
• Advanced understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
• Scripting or programming skills (PERL, Python, PowerShell, etc.) as needed.

Level 6

• Bachelor’s Degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
• 8+ years of relevant experience or 4 years of experience in a specific cybersecurity subdomain (Cloud, Applications, Infrastructure, Security Technology, etc.).
• CISSP or other advanced security-related certification preferred
• Certifications in technology subdomains preferred (ie. Cloud, Applications, Infrastructure, Security Technology, etc.).
• Verifiable implementation of security domain controls for enterprise technologies
• Requires seasoned expertise in multiple technologies and strong understanding of the current and future technology architecture, including the inter-operability of technologies.
• Advanced ability to conduct and analyze a security risk assessment
• Understanding of Operating Systems and Hardware
• Expert understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
• Some scripting or programming skills (PERL, Python, PowerShell, etc.) as needed.

Level 7

• Bachelor’s Degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
• 10+ years of relevant technology based or cybersecurity experience or 5 years of experience in a specific cybersecurity subdomain (Cloud, Applications, Infrastructure, Security Technology, etc.).
• CISSP and other advanced security-related certification preferred.
• Certifications in technology subdomains preferred (ie. Cloud, Applications, Infrastructure, Security Technology, etc.).
• Significant practical expertise in cybersecurity related disciplines.
• Requires seasoned expertise in multiple security domains, technologies and strong understanding of the current and future technology and security architecture, including the inter-operability of security solutions and technologies.
• Requires proven track record of successful implementation of architectural designs.
• Expert ability to conduct and analyze a security risk assessment
• Advanced understanding of Operating Systems and Hardware
• Expert understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
• Some scripting or programming skills (PERL, Python, PowerShell, etc.) as needed

As an employee of MTA Headquarters, you may be required to complete an annual financial disclosure statement with the State of New York, if your position earns more than $105,472 (this figure is subject to change) per year or if the position is designated as a policy maker.

Qualified applicants can submit an online application