creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 07:53:18 +03:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit - 611 cybersecurity skills across all subdomains

Browse Source
This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/implementing-continuous-security-validation-with-bas/SKILL.md
+233
View File
@@ -0,0 +1,233 @@
---
name: implementing-continuous-security-validation-with-bas
description: Deploy Breach and Attack Simulation tools to continuously validate security control effectiveness by safely emulating real-world attack techniques across the kill chain.
domain: cybersecurity
subdomain: vulnerability-management
tags: [breach-attack-simulation, bas, security-validation, safebreach, attackiq, picus, cymulate, mitre-attack]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing Continuous Security Validation with BAS
## Overview
Breach and Attack Simulation (BAS) is an automated, continuous approach to validating security control effectiveness by safely executing real-world attack techniques against production security infrastructure. Unlike traditional penetration testing (point-in-time), BAS platforms continuously simulate threats mapped to MITRE ATT&CK, testing endpoint protection, network security, email gateways, SIEM detection, and incident response capabilities. Leading platforms include SafeBreach, AttackIQ, Picus Security (2024 Gartner Customers' Choice), Cymulate, Pentera, and SCYTHE. BAS 2.0 solutions safely emulate real attacker behavior across the entire IT environment without requiring pre-deployed agents on every endpoint.
## Prerequisites
- BAS platform license (SafeBreach, AttackIQ, Picus, Cymulate, or Pentera)
- Deployed security controls to validate (EDR, NGFW, email gateway, SIEM, WAF)
- MITRE ATT&CK framework familiarity
- Network segments accessible by BAS agents/simulators
- Security operations team to act on validation results
- Change management approval for running simulations in production
## Core Concepts
### BAS vs Traditional Security Testing
| Aspect | BAS | Penetration Testing | Red Team |
|--------|-----|-------------------|----------|
| Frequency | Continuous/scheduled | Annual/quarterly | Annual |
| Automation | Fully automated | Manual with tools | Manual |
| Scope | Full kill chain | Specific targets | Goal-oriented |
| Safety | Safe simulation, no exploitation | Controlled exploitation | Real exploitation |
| Coverage | Thousands of techniques | Hundreds of tests | Focused scenarios |
| Output | Control gap analysis | Vulnerability report | Narrative report |
| Cost model | Subscription | Per engagement | Per engagement |
### MITRE ATT&CK Coverage Mapping
| Tactic | Example BAS Simulations | Controls Tested |
|--------|------------------------|-----------------|
| Initial Access | Phishing payload delivery, exploit public apps | Email gateway, WAF, IPS |
| Execution | PowerShell, WMI, malicious macros | EDR, application control |
| Persistence | Registry run keys, scheduled tasks, services | EDR, SIEM detection rules |
| Privilege Escalation | Token manipulation, UAC bypass | EDR, PAM, SIEM |
| Defense Evasion | Process injection, obfuscation, timestomping | EDR, behavioral analytics |
| Credential Access | Mimikatz, Kerberoasting, LSASS dump | EDR, credential guard |
| Discovery | AD enumeration, network scanning | SIEM, NDR |
| Lateral Movement | PsExec, WMI, RDP, SMB | NDR, microsegmentation |
| Collection | Screen capture, keylogging, email collection | DLP, UEBA |
| Exfiltration | HTTP/DNS exfil, cloud storage upload | DLP, CASB, proxy |
| Command & Control | C2 beaconing, DNS tunneling, encrypted channels | NGFW, proxy, NDR |
### Security Control Validation Score
```
Control Effectiveness = (Attacks Prevented + Attacks Detected) / Total Attacks Simulated * 100
Example:
Total simulations: 500
Prevented (blocked): 350
Detected (alerted): 100
Missed (no action): 50
Prevention Rate: 350/500 = 70%
Detection Rate: 100/500 = 20%
Overall Score: 450/500 = 90%
Gap Rate: 50/500 = 10%
```
## Implementation Steps
### Step 1: Deploy BAS Platform Components
```
Architecture:
Management Console (Cloud SaaS):
- Central orchestration and reporting
- Attack scenario library management
- MITRE ATT&CK mapping dashboard
Simulation Agents:
- Attacker Agent: Simulates threat actor behavior
- Target Agent: Receives simulated attacks
- Network Agent: Tests network-level controls
Deploy agents across zones:
- Corporate network (workstations)
- DMZ (web servers)
- Data center (critical servers)
- Cloud environments (AWS/Azure/GCP)
- Remote/VPN segment
```
### Step 2: Configure Attack Scenarios
```yaml
# Example BAS scenario configuration
scenario:
name: "APT29 (Cozy Bear) Full Kill Chain"
threat_group: APT29
mitre_attack_techniques:
- T1566.001 # Spearphishing Attachment
- T1059.001 # PowerShell Execution
- T1547.001 # Registry Run Key Persistence
- T1003.001 # LSASS Memory Credential Dump
- T1021.002 # SMB/Windows Admin Shares
- T1071.001 # Web Protocol C2
- T1048.003 # DNS Exfiltration
phases:
- name: "Initial Access"
actions:
- deliver_phishing_payload:
type: office_macro
target: email_gateway
variants: [docm, xlsm, ppam]
- name: "Execution & Persistence"
actions:
- execute_powershell:
encoded: true
amsi_bypass: true
- create_scheduled_task:
technique: T1053.005
- name: "Credential Access"
actions:
- dump_lsass:
method: [procdump, comsvcs, nanodump]
- name: "Lateral Movement"
actions:
- psexec_lateral:
target: internal_server
- wmi_lateral:
target: file_server
- name: "Exfiltration"
actions:
- dns_exfiltration:
data_size: 10MB
encoding: base64
```
### Step 3: Map Results to Security Controls
```python
def map_bas_results_to_controls(simulation_results):
"""Map BAS results to security control effectiveness."""
control_scores = {}
control_mapping = {
"email_gateway": ["T1566.001", "T1566.002", "T1566.003"],
"edr": ["T1059.001", "T1003.001", "T1055", "T1547.001"],
"ngfw": ["T1071.001", "T1071.004", "T1048"],
"siem": ["T1053.005", "T1021.002", "T1087"],
"dlp": ["T1048.003", "T1567", "T1041"],
"ndr": ["T1071", "T1021", "T1040"],
}
for control, techniques in control_mapping.items():
relevant = [r for r in simulation_results
if r["technique_id"] in techniques]
if not relevant:
continue
prevented = sum(1 for r in relevant if r["result"] == "prevented")
detected = sum(1 for r in relevant if r["result"] == "detected")
missed = sum(1 for r in relevant if r["result"] == "missed")
total = len(relevant)
control_scores[control] = {
"total_tests": total,
"prevented": prevented,
"detected": detected,
"missed": missed,
"prevention_rate": round(prevented / total * 100, 1),
"detection_rate": round(detected / total * 100, 1),
"effectiveness": round((prevented + detected) / total * 100, 1),
}
return control_scores
```
### Step 4: Schedule Continuous Validation
```
Validation Schedule:
Daily:
- Malware delivery simulation (email gateway test)
- C2 communication simulation (firewall/proxy test)
- Known ransomware behavior simulation (EDR test)
Weekly:
- Full kill chain simulation (APT scenario)
- Lateral movement simulation (network segmentation test)
- Data exfiltration simulation (DLP test)
Monthly:
- Full MITRE ATT&CK coverage assessment
- New threat group TTP simulation
- Regression testing after security control changes
On-Demand:
- After firewall rule changes
- After EDR policy updates
- After new threat intelligence (zero-day response)
```
## Best Practices
1. Start with known threat group simulations relevant to your industry
2. Always run simulations in safe mode first before enabling full emulation
3. Coordinate with SOC team so they can distinguish BAS traffic from real attacks
4. Use BAS results to prioritize SIEM detection rule development
5. Track control effectiveness scores over time to demonstrate security posture improvement
6. Integrate BAS with ticketing systems to auto-generate remediation tickets for gaps
7. Run validation after every security control change to catch regressions
8. Map all simulations to MITRE ATT&CK for standardized reporting
## Common Pitfalls
- Running BAS without informing the SOC, causing unnecessary incident response
- Testing only prevention and ignoring detection/response validation
- Not acting on BAS findings, leading to persistent security gaps
- Deploying BAS agents only in one network zone, missing cross-zone gaps
- Focusing only on commodity threats instead of APT-relevant scenarios
- Treating BAS as a replacement for penetration testing rather than a complement
## Related Skills
- implementing-attack-path-analysis-with-xm-cyber
- performing-purple-team-exercise
- implementing-siem-use-cases-for-detection
- implementing-threat-modeling-with-mitre-attack
skills/implementing-continuous-security-validation-with-bas/assets/template.md
+24
View File
@@ -0,0 +1,24 @@
# BAS Security Validation Report Template
## Validation Summary
| Field | Value |
|-------|-------|
| Report Date | [YYYY-MM-DD] |
| BAS Platform | [SafeBreach/AttackIQ/Picus/Cymulate] |
| Total Simulations | [N] |
| Overall Effectiveness | [N]% |
| MITRE ATT&CK Coverage | [N]% |
## Control Effectiveness Scores
| Control | Tests | Prevented | Detected | Missed | Effectiveness |
|---------|-------|-----------|----------|--------|---------------|
| EDR | [N] | [N] | [N] | [N] | [N]% |
| Email Gateway | [N] | [N] | [N] | [N] | [N]% |
| NGFW/Proxy | [N] | [N] | [N] | [N] | [N]% |
| SIEM | [N] | [N] | [N] | [N] | [N]% |
| DLP | [N] | [N] | [N] | [N] | [N]% |
## Top Security Gaps
| Technique | Name | Misses | Affected Controls | Remediation |
|-----------|------|--------|-------------------|-------------|
| [T-ID] | [Name] | [N] | [Controls] | [Action] |
skills/implementing-continuous-security-validation-with-bas/references/standards.md
+27
View File
@@ -0,0 +1,27 @@
# Standards and References - Continuous Security Validation with BAS
## BAS Platforms
- SafeBreach: https://www.safebreach.com/
- AttackIQ: https://www.attackiq.com/
- Picus Security: https://www.picussecurity.com/
- Cymulate: https://cymulate.com/
- Pentera: https://pentera.io/
- SCYTHE: https://scythe.io/
## Industry Standards
- **MITRE ATT&CK Framework**: https://attack.mitre.org/
- **Gartner BAS Market Guide**: Breach and Attack Simulation Tools
- **NIST CSF 2.0 DE.CM**: Security Continuous Monitoring
- **CIS Controls v8.1 Control 18**: Penetration Testing
## Gartner Recognition (2024)
- Picus Security: 2024 Customers' Choice for BAS Tools
- Category evolution: BAS -> Adversarial Exposure Validation (2025)
## Key Metrics
| Metric | Description | Target |
|--------|-------------|--------|
| Prevention Rate | % of attacks blocked | > 80% |
| Detection Rate | % of attacks alerted | > 90% (combined) |
| MITRE Coverage | % of techniques tested | > 60% |
| Validation Frequency | How often tests run | Daily/Weekly |
skills/implementing-continuous-security-validation-with-bas/references/workflows.md
+30
View File
@@ -0,0 +1,30 @@
# Workflows - BAS Continuous Security Validation
## Workflow 1: BAS Validation Cycle
```
┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Select Attack│──>│ Execute Safe │──>│ Collect │──>│ Map to │
│ Scenarios │ │ Simulation │ │ Results │ │ Controls │
└──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘
┌─────────────────────────────────────────────────────────┘
v
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Identify │──>│ Create │──>│ Re-Validate │
│ Control Gaps │ │ Remediation │ │ After Fix │
└──────────────┘ └──────────────┘ └──────────────┘
```
## Workflow 2: Post-Change Regression Test
```
Security Control Change (firewall rule, EDR policy, SIEM rule)
v
Trigger BAS regression test for affected technique categories
v
Compare results: before vs after change
├── Improvement: Document and close
└── Regression: Alert security team, rollback if needed
```
skills/implementing-continuous-security-validation-with-bas/scripts/process.py
+140
View File
@@ -0,0 +1,140 @@
#!/usr/bin/env python3
"""
BAS Results Analyzer and Control Effectiveness Calculator
Processes Breach and Attack Simulation results to calculate
security control effectiveness scores and identify gaps.
Requirements:
pip install pandas
Usage:
python process.py analyze --csv bas_results.csv --output control_scores.csv
python process.py gaps --csv bas_results.csv --output gaps.csv
python process.py trend --dir results/ --output trend.csv
"""
import argparse
import sys
from collections import defaultdict
from datetime import datetime
from pathlib import Path
import pandas as pd
CONTROL_TECHNIQUE_MAP = {
"email_gateway": ["T1566.001", "T1566.002", "T1566.003"],
"edr": ["T1059.001", "T1059.003", "T1003.001", "T1055", "T1547.001",
"T1053.005", "T1027", "T1140"],
"ngfw_proxy": ["T1071.001", "T1071.004", "T1048.001", "T1048.003",
"T1572", "T1090"],
"siem": ["T1087", "T1018", "T1069", "T1021.002", "T1021.001"],
"dlp": ["T1048", "T1567", "T1041", "T1560"],
"ndr": ["T1071", "T1021", "T1040", "T1046"],
"waf": ["T1190", "T1210"],
"pam": ["T1078", "T1134", "T1098"],
}
def analyze_control_effectiveness(df):
"""Calculate control effectiveness from BAS results."""
scores = []
for control, techniques in CONTROL_TECHNIQUE_MAP.items():
relevant = df[df["technique_id"].isin(techniques)]
if len(relevant) == 0:
continue
total = len(relevant)
prevented = len(relevant[relevant["result"] == "prevented"])
detected = len(relevant[relevant["result"] == "detected"])
missed = len(relevant[relevant["result"] == "missed"])
scores.append({
"control": control,
"total_tests": total,
"prevented": prevented,
"detected": detected,
"missed": missed,
"prevention_rate": round(prevented / total * 100, 1),
"detection_rate": round(detected / total * 100, 1),
"effectiveness": round((prevented + detected) / total * 100, 1),
"gap_rate": round(missed / total * 100, 1),
})
return pd.DataFrame(scores).sort_values("effectiveness", ascending=True)
def identify_gaps(df):
"""Identify attack techniques that bypass all controls."""
missed = df[df["result"] == "missed"].copy()
if len(missed) == 0:
print("[+] No gaps found - all attacks were prevented or detected!")
return pd.DataFrame()
gaps = missed.groupby(["technique_id", "technique_name"]).agg(
miss_count=("result", "count"),
targets=("target", lambda x: ", ".join(x.unique())),
).reset_index().sort_values("miss_count", ascending=False)
return gaps
def print_summary(scores_df, gaps_df):
"""Print analysis summary."""
print(f"\n{'=' * 70}")
print("BAS CONTROL EFFECTIVENESS REPORT")
print(f"{'=' * 70}")
print(f"\nControl Scores:")
for _, row in scores_df.iterrows():
status = "PASS" if row["effectiveness"] >= 80 else "WARN" if row["effectiveness"] >= 60 else "FAIL"
print(f" [{status}] {row['control']:<15} "
f"Effectiveness: {row['effectiveness']}% "
f"(Prevent: {row['prevention_rate']}% | "
f"Detect: {row['detection_rate']}% | "
f"Miss: {row['gap_rate']}%)")
if len(gaps_df) > 0:
print(f"\nTop Security Gaps (attacks that bypass controls):")
for _, row in gaps_df.head(10).iterrows():
print(f" {row['technique_id']}: {row['technique_name']} "
f"({row['miss_count']} misses)")
def main():
parser = argparse.ArgumentParser(description="BAS Results Analyzer")
subparsers = parser.add_subparsers(dest="command")
a_p = subparsers.add_parser("analyze", help="Analyze control effectiveness")
a_p.add_argument("--csv", required=True)
a_p.add_argument("--output", default="control_scores.csv")
g_p = subparsers.add_parser("gaps", help="Identify security gaps")
g_p.add_argument("--csv", required=True)
g_p.add_argument("--output", default="gaps.csv")
args = parser.parse_args()
if not args.command:
parser.print_help()
sys.exit(1)
df = pd.read_csv(args.csv)
if args.command == "analyze":
scores = analyze_control_effectiveness(df)
gaps = identify_gaps(df)
print_summary(scores, gaps)
scores.to_csv(args.output, index=False)
print(f"\n[+] Control scores saved to {args.output}")
elif args.command == "gaps":
gaps = identify_gaps(df)
gaps.to_csv(args.output, index=False)
print(f"[+] {len(gaps)} gaps saved to {args.output}")
if __name__ == "__main__":
main()