creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/building-patch-tuesday-response-process/SKILL.md
T

8.5 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license
name description domain subdomain tags version author license
building-patch-tuesday-response-process Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates within risk-based remediation SLAs. cybersecurity vulnerability-management
patch-management
patch-tuesday
microsoft
wsus
sccm
vulnerability-remediation
windows-update
1.0 mahipal MIT

Building Patch Tuesday Response Process

Overview

Microsoft releases security updates on the second Tuesday of each month ("Patch Tuesday"), addressing vulnerabilities across Windows, Office, Exchange, SQL Server, Azure services, and other products. In 2025, Microsoft patched over 1,129 vulnerabilities across the year -- an 11.9% increase from 2024 -- making a structured response process critical. The leading risk types include elevation of privilege (49%), remote code execution (34%), and information disclosure (7%). This skill covers building a repeatable Patch Tuesday response workflow from initial advisory review through testing, deployment, and validation.

Prerequisites

  • Access to Microsoft Security Response Center (MSRC) update guide
  • Vulnerability management platform (Qualys VMDR, Rapid7, Tenable)
  • Patch deployment infrastructure (WSUS, SCCM/MECM, Intune, or third-party)
  • Test environment mirroring production configurations
  • Change management process (ITIL-based or equivalent)
  • Communication channels for cross-team coordination

Core Concepts

Patch Tuesday Timeline

Day Activity Owner
T+0 (Tuesday 10 AM PT) Microsoft releases patches and advisories Microsoft
T+0 (Tuesday afternoon) Security team reviews advisories and triages Security Ops
T+1 (Wednesday) Qualys/vendor scan signatures updated VM Platform
T+1-T+2 Emergency patches deployed for zero-days IT Operations
T+2-T+5 Test patches in staging environment QA/IT Ops
T+5-T+7 Deploy to Pilot group (5-10% of fleet) IT Operations
T+7-T+14 Deploy to Production Ring 1 (servers) IT Operations
T+14-T+21 Deploy to Production Ring 2 (workstations) IT Operations
T+21-T+30 Validation scanning and compliance reporting Security Ops

Patch Categorization Framework

Category Criteria Response SLA
Zero-Day / Exploited Active exploitation confirmed, CISA KEV listed 24-48 hours
Critical RCE CVSS >= 9.0, remote code execution, no auth required 3-5 days
Critical with Exploit Public exploit code or EPSS > 0.7 7 days
High Severity CVSS 7.0-8.9, privilege escalation 14 days
Medium Severity CVSS 4.0-6.9 30 days
Low / Informational CVSS < 4.0, defense-in-depth Next maintenance window

Microsoft Product Categories to Monitor

Category Products Risk Level
Windows OS Windows 10, 11, Server 2016-2025 Critical
Exchange Server Exchange 2016, 2019, Online Critical
SQL Server SQL 2016-2022 High
Office Suite Microsoft 365, Office 2019-2024 High
.NET Framework .NET 4.x, .NET 6-9 Medium
Azure Services Azure AD, Entra ID, Azure Stack High
Edge/Browser Edge Chromium, IE mode Medium
Development Tools Visual Studio, VS Code Low

Implementation Steps

Step 1: Pre-Patch Tuesday Preparation (Monday before)

Preparation Checklist:
  [ ] Confirm WSUS/SCCM sync schedules are active
  [ ] Verify test environment is available and current
  [ ] Review outstanding patches from previous month
  [ ] Confirm monitoring dashboards are operational
  [ ] Pre-stage communication templates
  [ ] Ensure rollback procedures are documented
  [ ] Verify backup jobs ran successfully on critical servers

Step 2: Day-of Triage (Patch Tuesday)

Triage Process:
  1. Monitor MSRC Update Guide (https://msrc.microsoft.com/update-guide)
  2. Review Microsoft Security Blog for advisory summaries
  3. Cross-reference with CISA KEV additions (same day)
  4. Check vendor advisories (Qualys, Rapid7, CrowdStrike analysis)
  5. Identify zero-day and actively exploited vulnerabilities
  6. Classify each CVE by severity and applicability
  7. Determine deployment rings and timeline for each patch
  8. Submit emergency change request for zero-day patches
  9. Communicate triage results to IT Operations and management

Step 3: Scan and Gap Analysis

# Post-Patch-Tuesday scan workflow
def run_patch_tuesday_scan(scanner_api, target_groups):
    """Trigger vulnerability scans after Patch Tuesday updates."""
    for group in target_groups:
        print(f"[*] Scanning {group['name']}...")
        scan_id = scanner_api.launch_scan(
            target=group["targets"],
            template="patch-tuesday-focused",
            credentials=group["creds"]
        )
        print(f"    Scan launched: {scan_id}")

    # Wait for scan completion, then generate report
    results = scanner_api.get_scan_results(scan_id)
    missing_patches = [r for r in results if r["status"] == "missing"]

    # Categorize by Patch Tuesday release
    current_month = [p for p in missing_patches
                     if p["vendor_advisory_date"] >= patch_tuesday_date]

    return {
        "total_missing": len(missing_patches),
        "current_month": len(current_month),
        "zero_day": [p for p in current_month if p.get("actively_exploited")],
        "critical": [p for p in current_month if p["cvss"] >= 9.0],
    }

Step 4: Ring-Based Deployment Strategy

Ring 0 - Emergency (0-48 hours):
    Scope:     Zero-day and actively exploited CVEs only
    Method:    Manual or targeted push (SCCM expedite)
    Targets:   Internet-facing servers, critical infrastructure
    Approval:  Emergency change, verbal CISO approval
    Rollback:  Immediate rollback if service degradation

Ring 1 - Pilot (Day 2-7):
    Scope:     All critical and high patches
    Method:    WSUS/SCCM automatic deployment
    Targets:   IT department machines, test group (5-10%)
    Approval:  Standard change with CAB notification
    Monitoring: 48-hour soak period, check for BSOD, app crashes

Ring 2 - Production Servers (Day 7-14):
    Scope:     All security patches
    Method:    SCCM maintenance windows (off-hours)
    Targets:   Production servers by tier
    Approval:  Standard change with CAB approval
    Monitoring: Application health checks, performance baseline

Ring 3 - Workstations (Day 14-21):
    Scope:     All security patches + quality updates
    Method:    Windows Update for Business / Intune
    Targets:   All managed workstations
    Approval:  Pre-approved standard change
    Monitoring: Help desk ticket monitoring for issues

Ring 4 - Stragglers (Day 21-30):
    Scope:     Catch remaining unpatched systems
    Method:    Forced deployment with restart
    Targets:   Systems that missed prior rings
    Approval:  Compliance-driven enforcement

Step 5: Validation and Reporting

Post-Deployment Validation:
  1. Re-scan environment with updated vulnerability signatures
  2. Compare pre-patch and post-patch scan results
  3. Calculate patch compliance rate per ring and department
  4. Identify failed patches and investigate root causes
  5. Generate compliance report for management review
  6. Update risk register with residual unpatched vulnerabilities
  7. Document exceptions and compensating controls

Best Practices

  1. Subscribe to MSRC notifications and vendor analysis blogs for early intelligence
  2. Maintain a dedicated Patch Tuesday war room or Slack/Teams channel
  3. Always patch zero-day vulnerabilities outside the normal ring schedule
  4. Test patches against critical business applications before broad deployment
  5. Track patch compliance metrics month-over-month for trend analysis
  6. Maintain rollback procedures for every deployment ring
  7. Coordinate with application owners for compatibility testing
  8. Document all exceptions with compensating controls and review dates

Common Pitfalls

  • Deploying all patches simultaneously without ring-based testing
  • Not scanning after patching to validate remediation
  • Treating all patches equally without risk-based prioritization
  • Ignoring cumulative update dependencies causing patch failures
  • Not accounting for server reboot requirements in maintenance windows
  • Failing to communicate patch status to business stakeholders

Related Skills

  • implementing-rapid7-insightvm-for-scanning
  • performing-cve-prioritization-with-kev-catalog
  • implementing-vulnerability-remediation-sla
  • implementing-patch-management-workflow
Reference in New Issue View Git Blame Copy Permalink