Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,64 @@
# Standards and References - SSVC Vulnerability Triage
## Primary Standards
### CISA SSVC Framework
- **Source**: Cybersecurity and Infrastructure Security Agency (CISA)
- **URL**: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
- **Version**: SSVC v2.0 (2022 revision by CISA with SEI)
- **Purpose**: Provides a decision-tree methodology for vulnerability prioritization based on five decision points specific to the stakeholder's context
### CERT/CC SSVC Original Research
- **Source**: Carnegie Mellon University Software Engineering Institute
- **URL**: https://certcc.github.io/SSVC/
- **Publication**: "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization" (2019)
- **Authors**: Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, Deana Shick
- **DOI**: https://doi.org/10.1184/R1/12124386
### CVSS v3.1 and v4.0
- **Source**: Forum of Incident Response and Security Teams (FIRST)
- **URL**: https://www.first.org/cvss/
- **CVSS v3.1 Specification**: https://www.first.org/cvss/v3.1/specification-document
- **CVSS v4.0 Specification**: https://www.first.org/cvss/v4.0/specification-document
- **Relevance**: SSVC complements CVSS by adding contextual decision points beyond base score severity
### EPSS - Exploit Prediction Scoring System
- **Source**: FIRST EPSS Special Interest Group
- **URL**: https://www.first.org/epss/
- **API Endpoint**: https://api.first.org/data/v1/epss
- **Model Documentation**: https://www.first.org/epss/model
- **Relevance**: EPSS probability scores inform the exploitation status decision point in SSVC
## Regulatory and Compliance Context
### CISA Binding Operational Directive 22-01
- **Title**: Reducing the Significant Risk of Known Exploited Vulnerabilities
- **URL**: https://www.cisa.gov/binding-operational-directive-22-01
- **Relevance**: Mandates federal agencies to remediate KEV-listed vulnerabilities within specified timeframes; SSVC aligns remediation priorities with BOD 22-01 requirements
### NIST SP 800-40 Rev 4
- **Title**: Guide to Enterprise Patch Management Planning
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
- **Relevance**: Provides organizational context for patch management decisions that SSVC informs
### NIST Cybersecurity Framework (CSF) 2.0
- **Function**: IDENTIFY (ID.RA - Risk Assessment)
- **URL**: https://www.nist.gov/cyberframework
- **Relevance**: SSVC directly supports the risk assessment category for vulnerability prioritization
## Data Sources
### CISA Known Exploited Vulnerabilities (KEV) Catalog
- **URL**: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- **JSON Feed**: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- **Update Frequency**: Updated as new exploited vulnerabilities are confirmed
### National Vulnerability Database (NVD)
- **URL**: https://nvd.nist.gov/
- **API v2**: https://services.nvd.nist.gov/rest/json/cves/2.0
- **Relevance**: Provides CVSS scores and vulnerability details used in SSVC decision points
### MITRE CVE Program
- **URL**: https://cve.mitre.org/
- **CVE List**: https://www.cve.org/
- **Relevance**: CVE identifiers are the primary key for linking vulnerability data across SSVC decision points
@@ -0,0 +1,115 @@
# Workflows - SSVC Vulnerability Triage
## Workflow 1: Initial SSVC Triage Pipeline
### Trigger
New vulnerability scan results imported from Nessus, Qualys, OpenVAS, or other scanner.
### Steps
1. **Ingest Scan Results**
- Parse scanner output (CSV, XML, or JSON format)
- Extract CVE identifiers, affected hosts, CVSS vectors, and descriptions
- Deduplicate findings by CVE + host combination
2. **Enrich with External Intelligence**
- Query CISA KEV catalog JSON feed for exploitation status
- Query FIRST EPSS API for exploitation probability scores
- Query NVD API v2 for CVSS v3.1/v4.0 vectors and CWE mappings
- Cache API responses to avoid rate limiting (NVD: 5 requests/30s without key, 50/30s with key)
3. **Evaluate SSVC Decision Points**
- **Exploitation**: Map KEV membership to "Active", EPSS > 0.5 to "PoC", otherwise "None"
- **Technical Impact**: Parse CVSS vector; if Scope:Changed or CIA all High, mark "Total"
- **Automatability**: Network vector + Low complexity + No user interaction = "Yes"
- **Mission Prevalence**: Cross-reference affected assets with CMDB criticality tags
- **Public Well-Being**: Map asset function to safety impact categories
4. **Apply Decision Tree**
- Walk the CISA SSVC decision tree with evaluated decision points
- Assign outcome: Track, Track*, Attend, or Act
5. **Generate Prioritized Report**
- Sort vulnerabilities by SSVC outcome (Act > Attend > Track* > Track)
- Within each category, secondary sort by EPSS score descending
- Output JSON report and CSV summary for ticketing integration
## Workflow 2: Continuous SSVC Monitoring
### Trigger
Daily scheduled job (cron or CI/CD pipeline).
### Steps
1. **Refresh CISA KEV Catalog**
```bash
curl -s -o /tmp/kev_catalog.json \
"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
```
2. **Check Previously Tracked CVEs Against Updated KEV**
- Compare current open vulnerabilities against latest KEV additions
- If a previously "Track" or "Track*" CVE appears in KEV, re-evaluate to "Attend" or "Act"
3. **Refresh EPSS Scores**
```bash
curl -s "https://api.first.org/data/v1/epss?cve=CVE-2024-3400,CVE-2024-21887" | \
python3 -c "import sys,json; print(json.dumps(json.load(sys.stdin)['data'], indent=2))"
```
4. **Update SSVC Outcomes**
- Re-run decision tree for all open vulnerabilities with refreshed data
- Flag any outcome changes (e.g., Track -> Attend)
5. **Send Notifications**
- Slack/Teams webhook for any new "Act" or "Attend" outcomes
- Email digest for "Track*" changes
- Update Jira/ServiceNow tickets with new SSVC classification
## Workflow 3: Asset-Context SSVC Enrichment
### Trigger
New asset onboarded or asset criticality classification updated.
### Steps
1. **Import Asset Inventory**
- Pull from CMDB (ServiceNow, Snipe-IT, or similar)
- Map each asset to mission prevalence category:
- Minimal: development, test environments
- Support: backup systems, monitoring infrastructure
- Essential: production databases, authentication servers, customer-facing apps
2. **Map Public Well-Being Impact**
- Healthcare systems, SCADA/ICS, transportation: Irreversible
- Public web services, financial processing: Material
- Internal tools, development systems: Minimal
3. **Re-Evaluate Open Vulnerabilities**
- Apply updated asset context to all open vulnerability SSVC evaluations
- Generate delta report showing outcome changes
## Workflow 4: SSVC Metrics and Reporting
### Trigger
Weekly/monthly reporting cycle.
### Metrics to Track
| Metric | Calculation | Target |
|--------|------------|--------|
| Mean Time to Remediate (Act) | Avg days from Act classification to closure | < 2 days |
| Mean Time to Remediate (Attend) | Avg days from Attend classification to closure | < 14 days |
| SLA Breach Rate | % of vulns not remediated within SLA | < 5% |
| Act Backlog | Count of open Act-classified vulnerabilities | 0 |
| Attend Backlog | Count of open Attend-classified vulnerabilities | < 10 |
| Coverage Rate | % of vulnerabilities processed through SSVC | > 95% |
### Report Generation
```bash
python3 scripts/process.py \
--mode report \
--input ssvc_results.json \
--period weekly \
--output ssvc_metrics_report.html
```