Initial commit - 611 cybersecurity skills across all subdomains

mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,256 @@
---
name: implementing-mitre-attack-coverage-mapping
description: Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize rule development, and measure SOC detection maturity against adversary techniques.
domain: cybersecurity
subdomain: soc-operations
tags: [mitre-attack, detection-coverage, gap-analysis, attack-navigator, soc, detection-engineering]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing MITRE ATT&CK Coverage Mapping
## Overview
MITRE ATT&CK coverage mapping gives SOC teams a structured, adversary-centric lens to evaluate detection capabilities. Enterprise SIEMs on average have detection coverage for only 21% of ATT&CK techniques (2025 CardinalOps report), with 13% of existing rules being non-functional due to misconfigured data sources. Systematic coverage mapping identifies gaps, prioritizes rule development, and tracks detection maturity over time. ATT&CK v18.1 (December 2025) is the latest version.
## Prerequisites
- Access to MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/)
- Inventory of all active SIEM detection rules
- MITRE ATT&CK technique mapping for each detection rule
- Data source inventory (which log sources are ingested)
- Understanding of adversary threat profiles relevant to your industry
## Coverage Mapping Process
### Step 1: Export Current Detection Rules
```spl
# Splunk ES - Export all active correlation searches with MITRE mappings
| rest /services/saved/searches
| search disabled=0 action.correlationsearch.enabled=1
| table title, search, action.notable.param.security_domain,
action.notable.param.severity, action.correlationsearch.annotations
| eval mitre_techniques=mvfilter(match('action.correlationsearch.annotations', "mitre_attack"))
```
```kql
// Microsoft Sentinel - Export analytics rules with MITRE mapping
SecurityAlert
| summarize count() by AlertName, ProductName
| join kind=inner (
resources
| where type == "microsoft.securityinsights/alertrules"
| extend tactics = properties.tactics
) on $left.AlertName == $right.name
```
### Step 2: Build the Coverage Matrix
#### ATT&CK Navigator Layer Format
```json
{
"name": "SOC Detection Coverage - 2025",
"versions": {
"attack": "16",
"navigator": "5.1",
"layer": "4.5"
},
"domain": "enterprise-attack",
"description": "Current detection coverage mapping",
"techniques": [
{
"techniqueID": "T1110",
"tactic": "credential-access",
"color": "#00ff00",
"comment": "2 active rules - Brute Force detection via EventCode 4625",
"score": 75,
"metadata": [
{"name": "rule_count", "value": "2"},
{"name": "data_sources", "value": "Windows Security Log, Linux Auth"},
{"name": "last_validated", "value": "2025-01-15"}
]
},
{
"techniqueID": "T1059.001",
"tactic": "execution",
"color": "#00ff00",
"comment": "3 rules - PowerShell Script Block Logging",
"score": 85
},
{
"techniqueID": "T1055",
"tactic": "defense-evasion",
"color": "#ff0000",
"comment": "NO DETECTION - Requires Sysmon EventCode 8/10",
"score": 0
}
],
"gradient": {
"colors": ["#ff0000", "#ffff00", "#00ff00"],
"minValue": 0,
"maxValue": 100
}
}
```
### Step 3: Score Each Technique
| Score | Color | Meaning | Criteria |
|---|---|---|---|
| 0 | Red | No Detection | No rules, missing data sources |
| 25 | Orange | Minimal | Rule exists but not validated/tested |
| 50 | Yellow | Partial | Rule works but limited coverage |
| 75 | Light Green | Good | Validated rule with good data sources |
| 100 | Green | Excellent | Multiple validated rules, tested with emulation |
### Scoring Criteria Detail
```
Score = Data_Source_Score (0-25) + Rule_Quality_Score (0-25) +
Validation_Score (0-25) + Enrichment_Score (0-25)
Data_Source_Score:
25: All required data sources ingested and parsed
15: Primary data source available
5: Partial data source coverage
0: Required data sources not available
Rule_Quality_Score:
25: Rule uses CIM-compliant queries with proper thresholds
15: Rule works but may generate false positives
5: Basic rule with no tuning
0: No detection rule
Validation_Score:
25: Validated with adversary emulation (Atomic Red Team)
15: Tested with synthetic data
5: Logic reviewed but not tested
0: Not validated
Enrichment_Score:
25: Context-rich with asset, identity, and TI enrichment
15: Basic enrichment (asset lookup)
5: No enrichment
0: N/A (no rule)
```
### Step 4: Identify Priority Gaps
#### Gap Prioritization Framework
```
Priority = Technique_Prevalence x Impact x Feasibility
Technique_Prevalence (0-10):
- Based on MITRE Top Techniques report
- Frequency in your industry's threat landscape
- Observed in recent incidents/breaches
Impact (0-10):
- Damage potential if technique succeeds
- Difficulty of recovery
- Data sensitivity at risk
Feasibility (0-10):
- Data source availability
- Rule complexity
- Engineering effort required
```
#### Top Priority Techniques to Cover (2025)
| Technique | ID | Prevalence | Typical Gap Reason |
|---|---|---|---|
| Command and Scripting Interpreter | T1059 | Very High | Requires script block logging |
| Phishing | T1566 | Very High | Email gateway integration |
| Valid Accounts | T1078 | High | Baseline behavior needed |
| Process Injection | T1055 | High | Requires Sysmon or EDR |
| Lateral Movement (RDP/SMB) | T1021 | High | Network segmentation visibility |
| Scheduled Task/Job | T1053 | High | Event log collection |
| Data Encrypted for Impact | T1486 | High | File system monitoring |
| Ingress Tool Transfer | T1105 | Medium | Network traffic analysis |
### Step 5: Build Detection Roadmap
```
Quarter 1: Close Critical Gaps (Score 0, High Prevalence)
Week 1-2: Enable missing data sources
Week 3-4: Build and test rules for top 5 gap techniques
Week 5-8: Validate with adversary emulation
Week 9-12: Tune and operationalize
Quarter 2: Improve Partial Coverage (Score 25-50)
- Upgrade existing rules with enrichment
- Add secondary detection methods
- Validate with purple team exercises
Quarter 3: Mature Good Coverage (Score 50-75)
- Add behavioral analytics
- Implement detection-as-code pipeline
- Cross-technique correlation rules
Quarter 4: Excellence (Score 75-100)
- Continuous testing with BAS tools
- Automated coverage regression testing
- Red team validation
```
## Automated Coverage Assessment
### Data Source to Technique Mapping
```python
# Map available data sources to detectable techniques
DATA_SOURCE_TECHNIQUE_MAP = {
"Windows Security Event Log": [
"T1110", "T1078", "T1053.005", "T1098", "T1136",
"T1070.001", "T1021.001", "T1543.003"
],
"Sysmon": [
"T1055", "T1059", "T1003", "T1547.001", "T1036",
"T1218", "T1105", "T1071"
],
"Network Traffic (Firewall/IDS)": [
"T1071", "T1048", "T1105", "T1572", "T1090",
"T1571", "T1573"
],
"DNS Logs": [
"T1071.004", "T1568", "T1583.001", "T1048.003"
],
"Email Gateway": [
"T1566.001", "T1566.002", "T1534"
],
"Cloud Audit Logs": [
"T1078.004", "T1537", "T1530", "T1580",
"T1087.004", "T1098.001"
],
}
```
## Reporting Dashboard Queries
### Coverage Summary by Tactic
```spl
| inputlookup mitre_coverage_lookup
| stats avg(score) as avg_score count(eval(score=0)) as no_coverage
count(eval(score>0 AND score<50)) as partial
count(eval(score>=50 AND score<75)) as good
count(eval(score>=75)) as excellent
count as total
by tactic
| eval coverage_pct=round((total - no_coverage) / total * 100, 1)
| sort -coverage_pct
```
## References
- [CyberDefenders - MITRE ATT&CK for SOC & DFIR Analysts](https://cyberdefenders.org/blog/mitre-attack-framework/)
- [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
- [CardinalOps - SIEM Detection Coverage Report 2025](https://www.helpnetsecurity.com/2025/06/09/siem-detection-coverage/)
- [Datadog - Cloud SIEM MITRE ATT&CK Map](https://www.datadoghq.com/blog/cloud-siem-mitre-attack-map/)
- [Picus Security - MITRE ATT&CK Framework Guide](https://www.picussecurity.com/mitre-attack-framework)
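Review bot: The Navigator layer in Step 2 pins `"attack": "16"` while the Overview names ATT&CK v18.1 as current; technique IDs, tactic assignments and sub-technique counts shift between versions, so the layer should declare the version the rule inventory was actually mapped against. Two further points in this file: the Sentinel query joins `on $left.AlertName == $right.name`, but the `name` of a `microsoft.securityinsights/alertrules` resource is the rule GUID, not its display name, so the join matches nothing; join on `properties.displayName` instead. And the score bands are labelled inconsistently: the Step 3 table calls 75 "Good" and 100 "Excellent", whereas the Coverage Summary query labels `score>=50 AND score<75` as `good` and `score>=75` as `excellent`; settle on one set of bands and reuse it in both places so the dashboard agrees with the scoring table.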
@@ -0,0 +1,44 @@
# MITRE ATT&CK Coverage Assessment Template
## Assessment Metadata
| Field | Value |
|---|---|
| Organization | |
| Assessment Date | |
| Assessor | |
| ATT&CK Version | v18.1 |
| SIEM Platform | |
| Total Active Rules | |
## Coverage Summary
| Metric | Value |
|---|---|
| Total Techniques Evaluated | |
| Techniques with Detection | |
| Coverage Percentage | |
| Average Detection Score | |
| Critical Gaps (Score 0) | |
## Top 10 Gap Techniques
| Priority | Technique ID | Name | Tactic | Current Score | Remediation Plan |
|---|---|---|---|---|---|
| 1 | | | | | |
| 2 | | | | | |
| 3 | | | | | |
| 4 | | | | | |
| 5 | | | | | |
## Detection Roadmap
### Q1 Goals
- [ ] Close top 5 critical gaps
- [ ] Enable missing data sources for priority techniques
- [ ] Validate top 10 existing rules with adversary emulation
### Q2 Goals
- [ ] Improve partial coverage techniques to score > 75
- [ ] Add enrichment to existing detection rules
- [ ] Implement detection-as-code pipeline
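Review bot: The "Top 10 Gap Techniques" table has only rows 1 to 5; either add rows 6 to 10 or retitle the section, since the quarterly workflow in this same commit asks for the top 10 gap techniques. Also, the Q2 goal "Improve partial coverage techniques to score > 75" targets the Good/Excellent band, while the roadmap's Q2 is about lifting partial (25-50) rules; state the intended target band so the template and the roadmap agree.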
@@ -0,0 +1,40 @@
# Standards - MITRE ATT&CK Coverage Mapping
## MITRE ATT&CK Framework
- Current version: v18.1 (December 2025)
- 14 Tactics, 200+ Techniques, 400+ Sub-Techniques
- Domains: Enterprise, Mobile, ICS
### Tactics (Kill Chain Order)
1. Reconnaissance (TA0043)
2. Resource Development (TA0042)
3. Initial Access (TA0001)
4. Execution (TA0002)
5. Persistence (TA0003)
6. Privilege Escalation (TA0004)
7. Defense Evasion (TA0005)
8. Credential Access (TA0006)
9. Discovery (TA0007)
10. Lateral Movement (TA0008)
11. Collection (TA0009)
12. Command and Control (TA0011)
13. Exfiltration (TA0010)
14. Impact (TA0040)
## Detection Maturity Model
| Level | Description |
|---|---|
| L0 | No detection capability for the technique |
| L1 | Basic log collection for relevant data sources |
| L2 | Detection rule deployed but not validated |
| L3 | Validated detection with known false positive rate |
| L4 | Automated testing and continuous validation |
| L5 | Behavioral detection with ML-based anomaly detection |
## Related Frameworks
- MITRE D3FEND (Defensive techniques)
- MITRE ATT&CK Data Sources
- NIST CSF Detection function
- SANS Detection Maturity Level model
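Review bot: The Detection Maturity Model (L0 to L5) is never tied to the 0/25/50/75/100 technique scores used throughout this commit, so a reader cannot tell whether a score of 50 corresponds to L2 or L3; add a column mapping each level to a score band (for example L0 = 0, L2 = 25, L3 = 50 or 75, L4 = 100) or derive one from the other. It would also help to state that a technique can belong to several tactics (Valid Accounts sits in Initial Access, Persistence, Privilege Escalation and Defense Evasion), because the per-tactic counts in the accompanying tool assume exactly one tactic per technique.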
@@ -0,0 +1,51 @@
# Workflows - MITRE ATT&CK Coverage Mapping
## Quarterly Coverage Assessment Workflow
```
1. Export all active SIEM detection rules
|
v
2. Map each rule to MITRE ATT&CK technique(s)
|
v
3. Score each technique (0-100)
|
v
4. Generate ATT&CK Navigator heatmap
|
v
5. Identify top 10 gap techniques
|
v
6. Prioritize based on threat landscape
|
v
7. Create detection engineering backlog
|
v
8. Build and deploy new rules
|
v
9. Validate with adversary emulation
|
v
10. Update coverage map
```
## Continuous Improvement Cycle
```
Assess Coverage --> Identify Gaps --> Prioritize -->
Build Rules --> Test Rules --> Deploy --> Validate -->
Measure --> Report --> Repeat
```
## Gap Closure Tracking
| Week | New Rules | Techniques Covered | Coverage Delta |
|---|---|---|---|
| 1 | 3 | T1059, T1055, T1003 | +1.5% |
| 2 | 2 | T1053, T1547 | +1.0% |
| 3 | 3 | T1071, T1105, T1048 | +1.5% |
| 4 | 2 | T1218, T1036 | +1.0% |
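Review bot: The Gap Closure Tracking table is pre-filled with figures (3 rules, T1059/T1055/T1003, +1.5%) that read like measured results rather than placeholders; blank the rows or label them as sample data so the workflow is not copied with fabricated progress. Separately, the ten-step workflow deploys rules (step 8) before validating with adversary emulation (step 9), whereas the roadmap in the skill file validates in weeks 5 to 8 and operationalizes in weeks 9 to 12; swap steps 8 and 9, or state that step 8 is a staging deployment, so both documents prescribe the same order.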
@@ -0,0 +1,198 @@
#!/usr/bin/env python3
"""
MITRE ATT&CK Coverage Mapping Tool
Builds and analyzes detection coverage maps against the
MITRE ATT&CK framework for SOC detection gap analysis.
"""
import json
from datetime import datetime
ATTACK_TACTICS = {
"TA0043": "Reconnaissance",
"TA0042": "Resource Development",
"TA0001": "Initial Access",
"TA0002": "Execution",
"TA0003": "Persistence",
"TA0004": "Privilege Escalation",
"TA0005": "Defense Evasion",
"TA0006": "Credential Access",
"TA0007": "Discovery",
"TA0008": "Lateral Movement",
"TA0009": "Collection",
"TA0011": "Command and Control",
"TA0010": "Exfiltration",
"TA0040": "Impact",
}
ENTERPRISE_TECHNIQUES = {
"T1110": {"name": "Brute Force", "tactic": "TA0006", "subtechniques": 4},
"T1059": {"name": "Command and Scripting Interpreter", "tactic": "TA0002", "subtechniques": 9},
"T1078": {"name": "Valid Accounts", "tactic": "TA0005", "subtechniques": 4},
"T1055": {"name": "Process Injection", "tactic": "TA0005", "subtechniques": 15},
"T1021": {"name": "Remote Services", "tactic": "TA0008", "subtechniques": 7},
"T1053": {"name": "Scheduled Task/Job", "tactic": "TA0003", "subtechniques": 6},
"T1566": {"name": "Phishing", "tactic": "TA0001", "subtechniques": 4},
"T1003": {"name": "OS Credential Dumping", "tactic": "TA0006", "subtechniques": 8},
"T1071": {"name": "Application Layer Protocol", "tactic": "TA0011", "subtechniques": 4},
"T1048": {"name": "Exfiltration Over Alternative Protocol", "tactic": "TA0010", "subtechniques": 3},
"T1105": {"name": "Ingress Tool Transfer", "tactic": "TA0011", "subtechniques": 0},
"T1547": {"name": "Boot or Logon Autostart Execution", "tactic": "TA0003", "subtechniques": 15},
"T1036": {"name": "Masquerading", "tactic": "TA0005", "subtechniques": 9},
"T1218": {"name": "System Binary Proxy Execution", "tactic": "TA0005", "subtechniques": 14},
"T1027": {"name": "Obfuscated Files or Information", "tactic": "TA0005", "subtechniques": 12},
"T1486": {"name": "Data Encrypted for Impact", "tactic": "TA0040", "subtechniques": 0},
"T1098": {"name": "Account Manipulation", "tactic": "TA0003", "subtechniques": 6},
"T1070": {"name": "Indicator Removal", "tactic": "TA0005", "subtechniques": 9},
"T1543": {"name": "Create or Modify System Process", "tactic": "TA0003", "subtechniques": 4},
"T1136": {"name": "Create Account", "tactic": "TA0003", "subtechniques": 3},
}
class DetectionRule:
"""Represents a SIEM detection rule with MITRE mapping."""
def __init__(self, name: str, techniques: list, score: int,
data_sources: list, validated: bool = False):
self.name = name
self.techniques = techniques
self.score = score
self.data_sources = data_sources
self.validated = validated
class CoverageMap:
"""MITRE ATT&CK coverage map for detection gap analysis."""
def __init__(self, organization: str):
self.organization = organization
self.rules = []
self.technique_scores = {}
self.generated = datetime.utcnow().isoformat()
def add_rule(self, rule: DetectionRule):
self.rules.append(rule)
for tech_id in rule.techniques:
if tech_id not in self.technique_scores:
self.technique_scores[tech_id] = {"rules": [], "max_score": 0}
self.technique_scores[tech_id]["rules"].append(rule.name)
self.technique_scores[tech_id]["max_score"] = max(
self.technique_scores[tech_id]["max_score"], rule.score
)
def get_coverage_summary(self) -> dict:
total_techniques = len(ENTERPRISE_TECHNIQUES)
covered = sum(1 for t in ENTERPRISE_TECHNIQUES if t in self.technique_scores and self.technique_scores[t]["max_score"] > 0)
no_coverage = total_techniques - covered
scores = [self.technique_scores.get(t, {}).get("max_score", 0) for t in ENTERPRISE_TECHNIQUES]
avg_score = round(sum(scores) / max(1, len(scores)), 1)
return {
"organization": self.organization,
"total_techniques": total_techniques,
"covered": covered,
"no_coverage": no_coverage,
"coverage_pct": round(covered / total_techniques * 100, 1),
"avg_score": avg_score,
"total_rules": len(self.rules),
"generated": self.generated,
}
def get_tactic_coverage(self) -> dict:
tactic_data = {}
for tactic_id, tactic_name in ATTACK_TACTICS.items():
techniques_in_tactic = [
t for t, info in ENTERPRISE_TECHNIQUES.items()
if info["tactic"] == tactic_id
]
covered = sum(1 for t in techniques_in_tactic if t in self.technique_scores and self.technique_scores[t]["max_score"] > 0)
total = len(techniques_in_tactic)
tactic_data[tactic_name] = {
"total": total,
"covered": covered,
"pct": round(covered / max(1, total) * 100, 1),
}
return tactic_data
def get_gaps(self, min_priority: int = 0) -> list:
gaps = []
for tech_id, info in ENTERPRISE_TECHNIQUES.items():
score = self.technique_scores.get(tech_id, {}).get("max_score", 0)
if score < 50:
gaps.append({
"technique_id": tech_id,
"technique_name": info["name"],
"tactic": ATTACK_TACTICS.get(info["tactic"], "Unknown"),
"current_score": score,
"subtechniques": info["subtechniques"],
"rules_count": len(self.technique_scores.get(tech_id, {}).get("rules", [])),
})
return sorted(gaps, key=lambda x: x["current_score"])
def generate_navigator_layer(self) -> dict:
techniques = []
for tech_id, info in ENTERPRISE_TECHNIQUES.items():
score = self.technique_scores.get(tech_id, {}).get("max_score", 0)
rules = self.technique_scores.get(tech_id, {}).get("rules", [])
color = "#ff0000" if score == 0 else "#ffff00" if score < 50 else "#90ee90" if score < 75 else "#00ff00"
techniques.append({
"techniqueID": tech_id,
"color": color,
"score": score,
"comment": f"{len(rules)} rules: {', '.join(rules[:3])}" if rules else "NO DETECTION",
})
return {
"name": f"{self.organization} - Detection Coverage",
"versions": {"attack": "16", "navigator": "5.1", "layer": "4.5"},
"domain": "enterprise-attack",
"techniques": techniques,
"gradient": {"colors": ["#ff0000", "#ffff00", "#00ff00"], "minValue": 0, "maxValue": 100},
}
if __name__ == "__main__":
cmap = CoverageMap("Example Corp SOC")
rules = [
DetectionRule("Brute Force Detection", ["T1110"], 85, ["Windows Security Log"], True),
DetectionRule("Suspicious PowerShell", ["T1059"], 75, ["PowerShell Script Block"], True),
DetectionRule("New Account Created", ["T1136"], 60, ["Windows Security Log"], False),
DetectionRule("Lateral Movement RDP", ["T1021"], 70, ["Windows Security Log", "Firewall"], True),
DetectionRule("Phishing Email Detected", ["T1566"], 80, ["Email Gateway"], True),
DetectionRule("Credential Dumping", ["T1003"], 50, ["Sysmon"], False),
DetectionRule("Scheduled Task Created", ["T1053"], 65, ["Windows Security Log"], True),
DetectionRule("C2 Beaconing", ["T1071"], 45, ["Firewall", "DNS"], False),
DetectionRule("Data Exfiltration", ["T1048"], 30, ["Firewall"], False),
DetectionRule("Ransomware Encryption", ["T1486"], 40, ["EDR"], False),
]
for rule in rules:
cmap.add_rule(rule)
print("=" * 70)
print("MITRE ATT&CK COVERAGE MAP")
print("=" * 70)
summary = cmap.get_coverage_summary()
print(f"\nOrganization: {summary['organization']}")
print(f"Coverage: {summary['covered']}/{summary['total_techniques']} techniques ({summary['coverage_pct']}%)")
print(f"Average Score: {summary['avg_score']}/100")
print(f"Total Rules: {summary['total_rules']}")
print(f"\n{'Tactic':<30} {'Covered':<10} {'Total':<8} {'Coverage'}")
print("-" * 60)
for tactic, data in cmap.get_tactic_coverage().items():
if data["total"] > 0:
bar = "#" * int(data["pct"] / 5) + "." * (20 - int(data["pct"] / 5))
print(f"{tactic:<30} {data['covered']:<10} {data['total']:<8} [{bar}] {data['pct']}%")
print(f"\nDetection Gaps (Score < 50):")
for gap in cmap.get_gaps():
print(f" [{gap['current_score']:>3}] {gap['technique_id']} - {gap['technique_name']} ({gap['tactic']})")
# Export Navigator layer
layer = cmap.generate_navigator_layer()
print(f"\nATT&CK Navigator Layer exported ({len(layer['techniques'])} techniques)")
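Review bot: `get_coverage_summary`, `get_tactic_coverage` and `get_gaps` iterate only over the 20 hand-maintained entries in `ENTERPRISE_TECHNIQUES`, so a rule mapped to any other ID, including every sub-technique such as the `T1059.001` that the skill file's own layer uses, is stored by `add_rule` but contributes nothing to the summary, tactic coverage or gap list, and `coverage_pct` is computed against 20 techniques rather than the 200+ the standards file cites, which overstates coverage. Normalize IDs to the parent technique (`tech_id.split(".")[0]`) in `add_rule` and load the technique list from the ATT&CK STIX data or a Navigator layer instead of a sample dict. Smaller points: `min_priority` in `get_gaps` is never used; `DetectionRule.validated` is stored but never affects the score, although the skill file's formula assigns validation 25 of the 100 points; `json` is imported yet the layer is only announced as "exported" and never written with `json.dump`; `"attack": "16"` in `generate_navigator_layer` should match the v18.1 named elsewhere in the commit; and `datetime.utcnow()` is deprecated since Python 3.12, so use `datetime.now(timezone.utc)`.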