mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
225 lines
8.4 KiB
Markdown
225 lines
8.4 KiB
Markdown
---
|
|
name: performing-endpoint-vulnerability-remediation
|
|
description: >
|
|
Performs vulnerability remediation on endpoints by prioritizing CVEs based on risk scoring,
|
|
deploying patches, applying configuration changes, and validating fixes. Use when remediating
|
|
findings from vulnerability scans, responding to critical CVE advisories, or maintaining
|
|
endpoint compliance with patch management SLAs. Activates for requests involving vulnerability
|
|
remediation, CVE patching, endpoint vulnerability management, or security fix deployment.
|
|
domain: cybersecurity
|
|
subdomain: endpoint-security
|
|
tags: [endpoint, vulnerability-management, patching, CVE, remediation, CVSS]
|
|
version: 1.0.0
|
|
author: mahipal
|
|
license: MIT
|
|
---
|
|
# Performing Endpoint Vulnerability Remediation
|
|
|
|
## When to Use
|
|
|
|
Use this skill when:
|
|
- Remediating vulnerabilities identified by scanners (Nessus, Qualys, Rapid7)
|
|
- Responding to zero-day CVE advisories requiring immediate patching
|
|
- Maintaining compliance with patch management SLAs (critical within 14 days, high within 30 days)
|
|
- Building a prioritized remediation plan from vulnerability scan results
|
|
|
|
**Do not use** this skill for vulnerability scanning itself (use scanning tools) or for application-layer vulnerability remediation (use DevSecOps processes).
|
|
|
|
## Prerequisites
|
|
|
|
- Vulnerability scan results (Nessus, Qualys, or Rapid7 export in CSV/XML format)
|
|
- Patch management platform (WSUS, SCCM, Intune, or third-party like Automox)
|
|
- Administrative access to target endpoints or deployment infrastructure
|
|
- Change management process for production endpoint patching
|
|
- Testing environment for patch validation before production rollout
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Import and Prioritize Vulnerability Findings
|
|
|
|
```
|
|
Priority scoring combines:
|
|
1. CVSS Base Score (0-10)
|
|
2. EPSS (Exploit Prediction Scoring System) - probability of exploitation
|
|
3. CISA KEV (Known Exploited Vulnerabilities) catalog membership
|
|
4. Asset criticality (business impact of affected endpoint)
|
|
5. Network exposure (internet-facing vs. internal)
|
|
|
|
Priority Matrix:
|
|
P1 (Critical - 14 days SLA):
|
|
- CVSS >= 9.0 OR
|
|
- Listed in CISA KEV OR
|
|
- Active exploitation in the wild + CVSS >= 7.0
|
|
|
|
P2 (High - 30 days SLA):
|
|
- CVSS 7.0-8.9 AND
|
|
- EPSS > 0.5 (50% probability of exploitation)
|
|
|
|
P3 (Medium - 60 days SLA):
|
|
- CVSS 4.0-6.9 OR
|
|
- CVSS 7.0-8.9 with EPSS < 0.1
|
|
|
|
P4 (Low - 90 days SLA):
|
|
- CVSS < 4.0 AND
|
|
- No known exploit
|
|
```
|
|
|
|
### Step 2: Identify Remediation Actions
|
|
|
|
For each vulnerability, determine the appropriate remediation:
|
|
|
|
```
|
|
Remediation Types:
|
|
1. Patch: Apply vendor security update (most common)
|
|
2. Configuration change: Modify settings to mitigate (registry, GPO)
|
|
3. Upgrade: Update to newer software version
|
|
4. Workaround: Apply temporary mitigation when patch unavailable
|
|
5. Compensating control: Network segmentation, WAF rule, EDR rule
|
|
6. Accept risk: Document accepted risk with CISO sign-off
|
|
```
|
|
|
|
### Step 3: Deploy Patches via WSUS/SCCM
|
|
|
|
```powershell
|
|
# WSUS: Approve patches for deployment
|
|
# 1. Open WSUS Console
|
|
# 2. Navigate to Updates → Security Updates
|
|
# 3. Approve selected KBs for target computer groups
|
|
|
|
# SCCM: Create Software Update Group
|
|
# 1. Software Library → Software Updates → All Software Updates
|
|
# 2. Select required KBs → Create Software Update Group
|
|
# 3. Deploy to target collection with maintenance window
|
|
|
|
# Intune: Create Windows Update Ring
|
|
# Devices → Windows → Update rings
|
|
# Configure: Quality updates deferral = 0 days (for critical)
|
|
# Feature updates deferral = per policy
|
|
|
|
# PowerShell: Force Windows Update check
|
|
Install-Module PSWindowsUpdate -Force
|
|
Get-WindowsUpdate -KBArticleID "KB5034441" -Install -AcceptAll -AutoReboot
|
|
|
|
# Verify patch installation
|
|
Get-HotFix -Id "KB5034441"
|
|
systeminfo | findstr "KB5034441"
|
|
```
|
|
|
|
### Step 4: Apply Configuration-Based Remediations
|
|
|
|
```powershell
|
|
# Example: Disable SMBv1 (CVE-2017-0144 - EternalBlue)
|
|
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
|
|
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
|
|
|
|
# Example: Disable Print Spooler on non-print servers (CVE-2021-34527 - PrintNightmare)
|
|
Stop-Service -Name Spooler -Force
|
|
Set-Service -Name Spooler -StartupType Disabled
|
|
|
|
# Example: Disable LLMNR (credential theft mitigation)
|
|
# Via GPO: Computer Configuration → Admin Templates → Network → DNS Client
|
|
# Turn off multicast name resolution: Enabled
|
|
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
|
|
-Name EnableMulticast -Value 0 -PropertyType DWORD -Force
|
|
|
|
# Example: Restrict NTLM authentication
|
|
# Via GPO: Security Settings → Local Policies → Security Options
|
|
# Network security: Restrict NTLM: Audit/Deny
|
|
```
|
|
|
|
### Step 5: Handle Zero-Day Vulnerabilities (No Patch Available)
|
|
|
|
```
|
|
When vendor patch is not yet available:
|
|
|
|
1. Check vendor advisory for workarounds
|
|
- Microsoft: https://msrc.microsoft.com/update-guide
|
|
- Adobe: https://helpx.adobe.com/security.html
|
|
- Linux: Distribution security trackers
|
|
|
|
2. Apply temporary mitigations:
|
|
- Disable vulnerable feature/service
|
|
- Deploy EDR detection rule for exploitation attempt
|
|
- Apply network-level blocking (WAF/firewall rules)
|
|
- Restrict access to vulnerable application
|
|
|
|
3. Monitor for patch release:
|
|
- Subscribe to vendor security mailing list
|
|
- Monitor CISA KEV additions
|
|
- Set calendar reminder for next Patch Tuesday
|
|
|
|
4. Document workaround with expiration date
|
|
```
|
|
|
|
### Step 6: Validate Remediation
|
|
|
|
```powershell
|
|
# Re-scan remediated endpoints to confirm vulnerability closure
|
|
# Option 1: Targeted vulnerability scan
|
|
nessuscli scan --target 192.168.1.0/24 --plugin-id 12345
|
|
|
|
# Option 2: PowerShell verification
|
|
# Check specific KB is installed
|
|
$kb = Get-HotFix -Id "KB5034441" -ErrorAction SilentlyContinue
|
|
if ($kb) {
|
|
Write-Host "PASS: KB5034441 installed on $(hostname)" -ForegroundColor Green
|
|
} else {
|
|
Write-Host "FAIL: KB5034441 missing on $(hostname)" -ForegroundColor Red
|
|
}
|
|
|
|
# Check service is disabled
|
|
$svc = Get-Service -Name Spooler
|
|
if ($svc.StartType -eq 'Disabled') {
|
|
Write-Host "PASS: Print Spooler disabled" -ForegroundColor Green
|
|
}
|
|
|
|
# Check registry configuration
|
|
$val = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
|
|
-Name SMB1 -ErrorAction SilentlyContinue
|
|
if ($val.SMB1 -eq 0) {
|
|
Write-Host "PASS: SMBv1 disabled" -ForegroundColor Green
|
|
}
|
|
```
|
|
|
|
### Step 7: Report and Track
|
|
|
|
Generate remediation status report:
|
|
```
|
|
Remediation Metrics:
|
|
- Total vulnerabilities: X
|
|
- Remediated: Y (Z%)
|
|
- Pending (within SLA): A
|
|
- Overdue (past SLA): B
|
|
- Accepted risk: C
|
|
- Mean time to remediate (MTTR): D days
|
|
- SLA compliance rate: E%
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|-----------|
|
|
| **CVSS** | Common Vulnerability Scoring System; 0-10 severity scale for vulnerabilities |
|
|
| **EPSS** | Exploit Prediction Scoring System; probability (0-1) that a CVE will be exploited in the wild within 30 days |
|
|
| **CISA KEV** | CISA Known Exploited Vulnerabilities catalog; federal mandate to patch these CVEs within specified timeframes |
|
|
| **SLA** | Service Level Agreement for remediation timelines based on vulnerability severity |
|
|
| **MTTR** | Mean Time To Remediate; average days from vulnerability discovery to confirmed fix |
|
|
| **Compensating Control** | Alternative security measure when direct remediation is not feasible |
|
|
|
|
## Tools & Systems
|
|
|
|
- **Nessus/Tenable.io**: Vulnerability scanning and remediation tracking
|
|
- **Qualys VMDR**: Vulnerability management, detection, and response platform
|
|
- **Rapid7 InsightVM**: Vulnerability assessment with live dashboards
|
|
- **WSUS/SCCM/Intune**: Microsoft patch deployment infrastructure
|
|
- **Automox**: Cloud-native patch management for Windows, macOS, Linux
|
|
- **CISA KEV Catalog**: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
|
|
|
|
## Common Pitfalls
|
|
|
|
- **Patching without testing**: Apply patches to a test group first. Some patches cause application compatibility issues or BSOD.
|
|
- **Ignoring EPSS scores**: A CVSS 9.8 vulnerability with EPSS 0.01 may be less urgent than a CVSS 7.5 with EPSS 0.95 (actively exploited).
|
|
- **Not validating remediation**: Deploying a patch does not guarantee installation. Always re-scan to confirm closure.
|
|
- **Excluding critical servers from patching**: Servers that "cannot be rebooted" accumulate critical vulnerabilities. Schedule maintenance windows.
|
|
- **Treating all CVEs equally**: Risk-based prioritization (CVSS + EPSS + asset criticality + exposure) is more effective than patching all criticals first.
|