mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 14:09:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,64 @@
|
||||
# Standards and References - SSVC Vulnerability Triage
|
||||
|
||||
## Primary Standards
|
||||
|
||||
### CISA SSVC Framework
|
||||
- **Source**: Cybersecurity and Infrastructure Security Agency (CISA)
|
||||
- **URL**: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
|
||||
- **Version**: SSVC v2.0 (2022 revision by CISA with SEI)
|
||||
- **Purpose**: Provides a decision-tree methodology for vulnerability prioritization based on five decision points specific to the stakeholder's context
|
||||
|
||||
### CERT/CC SSVC Original Research
|
||||
- **Source**: Carnegie Mellon University Software Engineering Institute
|
||||
- **URL**: https://certcc.github.io/SSVC/
|
||||
- **Publication**: "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization" (2019)
|
||||
- **Authors**: Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, Deana Shick
|
||||
- **DOI**: https://doi.org/10.1184/R1/12124386
|
||||
|
||||
### CVSS v3.1 and v4.0
|
||||
- **Source**: Forum of Incident Response and Security Teams (FIRST)
|
||||
- **URL**: https://www.first.org/cvss/
|
||||
- **CVSS v3.1 Specification**: https://www.first.org/cvss/v3.1/specification-document
|
||||
- **CVSS v4.0 Specification**: https://www.first.org/cvss/v4.0/specification-document
|
||||
- **Relevance**: SSVC complements CVSS by adding contextual decision points beyond base score severity
|
||||
|
||||
### EPSS - Exploit Prediction Scoring System
|
||||
- **Source**: FIRST EPSS Special Interest Group
|
||||
- **URL**: https://www.first.org/epss/
|
||||
- **API Endpoint**: https://api.first.org/data/v1/epss
|
||||
- **Model Documentation**: https://www.first.org/epss/model
|
||||
- **Relevance**: EPSS probability scores inform the exploitation status decision point in SSVC
|
||||
|
||||
## Regulatory and Compliance Context
|
||||
|
||||
### CISA Binding Operational Directive 22-01
|
||||
- **Title**: Reducing the Significant Risk of Known Exploited Vulnerabilities
|
||||
- **URL**: https://www.cisa.gov/binding-operational-directive-22-01
|
||||
- **Relevance**: Mandates federal agencies to remediate KEV-listed vulnerabilities within specified timeframes; SSVC aligns remediation priorities with BOD 22-01 requirements
|
||||
|
||||
### NIST SP 800-40 Rev 4
|
||||
- **Title**: Guide to Enterprise Patch Management Planning
|
||||
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
|
||||
- **Relevance**: Provides organizational context for patch management decisions that SSVC informs
|
||||
|
||||
### NIST Cybersecurity Framework (CSF) 2.0
|
||||
- **Function**: IDENTIFY (ID.RA - Risk Assessment)
|
||||
- **URL**: https://www.nist.gov/cyberframework
|
||||
- **Relevance**: SSVC directly supports the risk assessment category for vulnerability prioritization
|
||||
|
||||
## Data Sources
|
||||
|
||||
### CISA Known Exploited Vulnerabilities (KEV) Catalog
|
||||
- **URL**: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
|
||||
- **JSON Feed**: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
|
||||
- **Update Frequency**: Updated as new exploited vulnerabilities are confirmed
|
||||
|
||||
### National Vulnerability Database (NVD)
|
||||
- **URL**: https://nvd.nist.gov/
|
||||
- **API v2**: https://services.nvd.nist.gov/rest/json/cves/2.0
|
||||
- **Relevance**: Provides CVSS scores and vulnerability details used in SSVC decision points
|
||||
|
||||
### MITRE CVE Program
|
||||
- **URL**: https://cve.mitre.org/
|
||||
- **CVE List**: https://www.cve.org/
|
||||
- **Relevance**: CVE identifiers are the primary key for linking vulnerability data across SSVC decision points
|
||||
@@ -0,0 +1,115 @@
|
||||
# Workflows - SSVC Vulnerability Triage
|
||||
|
||||
## Workflow 1: Initial SSVC Triage Pipeline
|
||||
|
||||
### Trigger
|
||||
New vulnerability scan results imported from Nessus, Qualys, OpenVAS, or other scanner.
|
||||
|
||||
### Steps
|
||||
|
||||
1. **Ingest Scan Results**
|
||||
- Parse scanner output (CSV, XML, or JSON format)
|
||||
- Extract CVE identifiers, affected hosts, CVSS vectors, and descriptions
|
||||
- Deduplicate findings by CVE + host combination
|
||||
|
||||
2. **Enrich with External Intelligence**
|
||||
- Query CISA KEV catalog JSON feed for exploitation status
|
||||
- Query FIRST EPSS API for exploitation probability scores
|
||||
- Query NVD API v2 for CVSS v3.1/v4.0 vectors and CWE mappings
|
||||
- Cache API responses to avoid rate limiting (NVD: 5 requests/30s without key, 50/30s with key)
|
||||
|
||||
3. **Evaluate SSVC Decision Points**
|
||||
- **Exploitation**: Map KEV membership to "Active", EPSS > 0.5 to "PoC", otherwise "None"
|
||||
- **Technical Impact**: Parse CVSS vector; if Scope:Changed or CIA all High, mark "Total"
|
||||
- **Automatability**: Network vector + Low complexity + No user interaction = "Yes"
|
||||
- **Mission Prevalence**: Cross-reference affected assets with CMDB criticality tags
|
||||
- **Public Well-Being**: Map asset function to safety impact categories
|
||||
|
||||
4. **Apply Decision Tree**
|
||||
- Walk the CISA SSVC decision tree with evaluated decision points
|
||||
- Assign outcome: Track, Track*, Attend, or Act
|
||||
|
||||
5. **Generate Prioritized Report**
|
||||
- Sort vulnerabilities by SSVC outcome (Act > Attend > Track* > Track)
|
||||
- Within each category, secondary sort by EPSS score descending
|
||||
- Output JSON report and CSV summary for ticketing integration
|
||||
|
||||
## Workflow 2: Continuous SSVC Monitoring
|
||||
|
||||
### Trigger
|
||||
Daily scheduled job (cron or CI/CD pipeline).
|
||||
|
||||
### Steps
|
||||
|
||||
1. **Refresh CISA KEV Catalog**
|
||||
```bash
|
||||
curl -s -o /tmp/kev_catalog.json \
|
||||
"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
|
||||
```
|
||||
|
||||
2. **Check Previously Tracked CVEs Against Updated KEV**
|
||||
- Compare current open vulnerabilities against latest KEV additions
|
||||
- If a previously "Track" or "Track*" CVE appears in KEV, re-evaluate to "Attend" or "Act"
|
||||
|
||||
3. **Refresh EPSS Scores**
|
||||
```bash
|
||||
curl -s "https://api.first.org/data/v1/epss?cve=CVE-2024-3400,CVE-2024-21887" | \
|
||||
python3 -c "import sys,json; print(json.dumps(json.load(sys.stdin)['data'], indent=2))"
|
||||
```
|
||||
|
||||
4. **Update SSVC Outcomes**
|
||||
- Re-run decision tree for all open vulnerabilities with refreshed data
|
||||
- Flag any outcome changes (e.g., Track -> Attend)
|
||||
|
||||
5. **Send Notifications**
|
||||
- Slack/Teams webhook for any new "Act" or "Attend" outcomes
|
||||
- Email digest for "Track*" changes
|
||||
- Update Jira/ServiceNow tickets with new SSVC classification
|
||||
|
||||
## Workflow 3: Asset-Context SSVC Enrichment
|
||||
|
||||
### Trigger
|
||||
New asset onboarded or asset criticality classification updated.
|
||||
|
||||
### Steps
|
||||
|
||||
1. **Import Asset Inventory**
|
||||
- Pull from CMDB (ServiceNow, Snipe-IT, or similar)
|
||||
- Map each asset to mission prevalence category:
|
||||
- Minimal: development, test environments
|
||||
- Support: backup systems, monitoring infrastructure
|
||||
- Essential: production databases, authentication servers, customer-facing apps
|
||||
|
||||
2. **Map Public Well-Being Impact**
|
||||
- Healthcare systems, SCADA/ICS, transportation: Irreversible
|
||||
- Public web services, financial processing: Material
|
||||
- Internal tools, development systems: Minimal
|
||||
|
||||
3. **Re-Evaluate Open Vulnerabilities**
|
||||
- Apply updated asset context to all open vulnerability SSVC evaluations
|
||||
- Generate delta report showing outcome changes
|
||||
|
||||
## Workflow 4: SSVC Metrics and Reporting
|
||||
|
||||
### Trigger
|
||||
Weekly/monthly reporting cycle.
|
||||
|
||||
### Metrics to Track
|
||||
|
||||
| Metric | Calculation | Target |
|
||||
|--------|------------|--------|
|
||||
| Mean Time to Remediate (Act) | Avg days from Act classification to closure | < 2 days |
|
||||
| Mean Time to Remediate (Attend) | Avg days from Attend classification to closure | < 14 days |
|
||||
| SLA Breach Rate | % of vulns not remediated within SLA | < 5% |
|
||||
| Act Backlog | Count of open Act-classified vulnerabilities | 0 |
|
||||
| Attend Backlog | Count of open Attend-classified vulnerabilities | < 10 |
|
||||
| Coverage Rate | % of vulnerabilities processed through SSVC | > 95% |
|
||||
|
||||
### Report Generation
|
||||
```bash
|
||||
python3 scripts/process.py \
|
||||
--mode report \
|
||||
--input ssvc_results.json \
|
||||
--period weekly \
|
||||
--output ssvc_metrics_report.html
|
||||
```
|
||||
Reference in New Issue
Block a user