mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
333 lines
12 KiB
Markdown
333 lines
12 KiB
Markdown
---
|
|
name: building-vulnerability-scanning-workflow
|
|
description: >
|
|
Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS
|
|
to discover, prioritize, and track remediation of security vulnerabilities across infrastructure.
|
|
Use when SOC teams need to establish recurring vulnerability assessment processes, integrate
|
|
scan results with SIEM alerting, and build remediation tracking dashboards.
|
|
domain: cybersecurity
|
|
subdomain: soc-operations
|
|
tags: [soc, vulnerability-scanning, nessus, qualys, openvas, cvss, remediation, patch-management]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: MIT
|
|
---
|
|
# Building Vulnerability Scanning Workflow
|
|
|
|
## When to Use
|
|
|
|
Use this skill when:
|
|
- SOC teams need to establish or improve recurring vulnerability scanning programs
|
|
- Scan results require prioritization beyond raw CVSS scores using asset context and threat intelligence
|
|
- Vulnerability data must be integrated into SIEM for correlation with exploitation attempts
|
|
- Remediation tracking needs formalization with SLA-based dashboards and reporting
|
|
|
|
**Do not use** for penetration testing or active exploitation — vulnerability scanning identifies weaknesses, penetration testing validates exploitability.
|
|
|
|
## Prerequisites
|
|
|
|
- Vulnerability scanner (Tenable Nessus Professional, Qualys VMDR, or OpenVAS/Greenbone)
|
|
- Asset inventory with criticality classifications (business-critical, standard, development)
|
|
- Network access from scanner to all target segments (agent-based or network scan)
|
|
- SIEM integration for scan result ingestion and correlation
|
|
- Patch management system (WSUS, SCCM, Intune) for remediation tracking
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Define Scan Scope and Scheduling
|
|
|
|
Create scan policies covering all asset types:
|
|
|
|
**Nessus Scan Configuration (API):**
|
|
```python
|
|
import requests
|
|
|
|
nessus_url = "https://nessus.company.com:8834"
|
|
headers = {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}"}
|
|
|
|
# Create scan policy
|
|
policy = {
|
|
"uuid": "advanced",
|
|
"settings": {
|
|
"name": "SOC Weekly Infrastructure Scan",
|
|
"description": "Weekly credentialed scan of all server and workstation segments",
|
|
"scanner_id": 1,
|
|
"policy_id": 0,
|
|
"text_targets": "10.0.0.0/16, 172.16.0.0/12",
|
|
"launch": "WEEKLY",
|
|
"starttime": "20240315T020000",
|
|
"rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=SA",
|
|
"enabled": True
|
|
},
|
|
"credentials": {
|
|
"add": {
|
|
"Host": {
|
|
"Windows": [{
|
|
"domain": "company.local",
|
|
"username": "nessus_svc",
|
|
"password": "SCAN_SERVICE_PASSWORD",
|
|
"auth_method": "Password"
|
|
}],
|
|
"SSH": [{
|
|
"username": "nessus_svc",
|
|
"private_key": "/path/to/nessus_key",
|
|
"auth_method": "public key"
|
|
}]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
response = requests.post(f"{nessus_url}/scans", headers=headers, json=policy, verify=False)
|
|
scan_id = response.json()["scan"]["id"]
|
|
print(f"Scan created: ID {scan_id}")
|
|
```
|
|
|
|
**Qualys VMDR Scan via API:**
|
|
```python
|
|
import qualysapi
|
|
|
|
conn = qualysapi.connect(
|
|
hostname="qualysapi.qualys.com",
|
|
username="api_user",
|
|
password="API_PASSWORD"
|
|
)
|
|
|
|
# Launch vulnerability scan
|
|
params = {
|
|
"action": "launch",
|
|
"scan_title": "Weekly_Infrastructure_Scan",
|
|
"ip": "10.0.0.0/16",
|
|
"option_id": "123456", # Scan profile ID
|
|
"iscanner_name": "Internal_Scanner_01",
|
|
"priority": "0"
|
|
}
|
|
|
|
response = conn.request("/api/2.0/fo/scan/", params)
|
|
print(f"Scan launched: {response}")
|
|
```
|
|
|
|
### Step 2: Process and Prioritize Scan Results
|
|
|
|
Download results and apply risk-based prioritization:
|
|
|
|
```python
|
|
import requests
|
|
import csv
|
|
|
|
# Export Nessus results
|
|
response = requests.get(
|
|
f"{nessus_url}/scans/{scan_id}/export",
|
|
headers=headers,
|
|
params={"format": "csv"},
|
|
verify=False
|
|
)
|
|
|
|
# Parse and prioritize
|
|
vulns = []
|
|
reader = csv.DictReader(response.text.splitlines())
|
|
for row in reader:
|
|
cvss = float(row.get("CVSS v3.0 Base Score", 0))
|
|
asset_criticality = get_asset_criticality(row["Host"]) # From asset inventory
|
|
|
|
# Risk-based priority calculation
|
|
risk_score = cvss * asset_criticality_multiplier(asset_criticality)
|
|
|
|
# Boost score if actively exploited (check CISA KEV)
|
|
if row.get("CVE") in cisa_kev_list:
|
|
risk_score *= 1.5
|
|
|
|
vulns.append({
|
|
"host": row["Host"],
|
|
"plugin_name": row["Name"],
|
|
"severity": row["Risk"],
|
|
"cvss": cvss,
|
|
"cve": row.get("CVE", "N/A"),
|
|
"risk_score": round(risk_score, 1),
|
|
"asset_criticality": asset_criticality,
|
|
"kev": row.get("CVE") in cisa_kev_list
|
|
})
|
|
|
|
# Sort by risk score
|
|
vulns.sort(key=lambda x: x["risk_score"], reverse=True)
|
|
```
|
|
|
|
**CISA KEV (Known Exploited Vulnerabilities) Check:**
|
|
```python
|
|
import requests
|
|
|
|
kev_response = requests.get(
|
|
"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
|
|
)
|
|
kev_data = kev_response.json()
|
|
cisa_kev_list = {v["cveID"] for v in kev_data["vulnerabilities"]}
|
|
|
|
# Check if vulnerability is actively exploited
|
|
def is_actively_exploited(cve_id):
|
|
return cve_id in cisa_kev_list
|
|
```
|
|
|
|
### Step 3: Define Remediation SLAs
|
|
|
|
Apply SLA-based remediation timelines:
|
|
|
|
| Priority | CVSS Range | Asset Type | SLA | Examples |
|
|
|----------|-----------|------------|-----|---------|
|
|
| **P1 Critical** | 9.0-10.0 + KEV | All assets | 24 hours | Log4Shell, EternalBlue on prod servers |
|
|
| **P2 High** | 7.0-8.9 or 9.0+ non-KEV | Business-critical | 7 days | RCE without known exploit |
|
|
| **P3 Medium** | 4.0-6.9 | Business-critical | 30 days | Authenticated privilege escalation |
|
|
| **P4 Low** | 0.1-3.9 | Standard | 90 days | Information disclosure, low-impact DoS |
|
|
| **P5 Informational** | 0.0 | Development | Next cycle | Best practice findings, config hardening |
|
|
|
|
### Step 4: Integrate with SIEM for Exploitation Detection
|
|
|
|
Correlate vulnerability scan data with SIEM alerts to detect active exploitation:
|
|
|
|
```spl
|
|
index=vulnerability sourcetype="nessus:scan"
|
|
| eval vuln_key = Host.":".CVE
|
|
| join vuln_key type=left [
|
|
search index=ids_ips sourcetype="snort" OR sourcetype="suricata"
|
|
| eval vuln_key = dest_ip.":".cve_id
|
|
| stats count AS exploit_attempts, latest(_time) AS last_exploit_attempt by vuln_key
|
|
]
|
|
| where isnotnull(exploit_attempts)
|
|
| eval risk = "CRITICAL — Vulnerability being actively exploited"
|
|
| sort - exploit_attempts
|
|
| table Host, CVE, plugin_name, cvss_score, exploit_attempts, last_exploit_attempt, risk
|
|
```
|
|
|
|
**Alert when KEV vulnerabilities are detected on critical assets:**
|
|
```spl
|
|
index=vulnerability sourcetype="nessus:scan" severity="Critical"
|
|
| lookup cisa_kev_lookup.csv cve_id AS CVE OUTPUT kev_status, due_date
|
|
| where kev_status="active"
|
|
| lookup asset_criticality_lookup.csv ip AS Host OUTPUT criticality
|
|
| where criticality IN ("business-critical", "mission-critical")
|
|
| table Host, CVE, plugin_name, cvss_score, kev_status, due_date, criticality
|
|
```
|
|
|
|
### Step 5: Build Remediation Tracking Dashboard
|
|
|
|
**Splunk Dashboard for Vulnerability Metrics:**
|
|
```spl
|
|
-- Open vulnerabilities by severity
|
|
index=vulnerability sourcetype="nessus:scan" status="open"
|
|
| stats count by severity
|
|
| eval order = case(severity="Critical", 1, severity="High", 2, severity="Medium", 3,
|
|
severity="Low", 4, 1=1, 5)
|
|
| sort order
|
|
|
|
-- SLA compliance tracking
|
|
index=vulnerability sourcetype="nessus:scan" status="open"
|
|
| eval sla_days = case(
|
|
severity="Critical", 1,
|
|
severity="High", 7,
|
|
severity="Medium", 30,
|
|
severity="Low", 90
|
|
)
|
|
| eval days_open = round((now() - first_detected) / 86400)
|
|
| eval sla_status = if(days_open > sla_days, "OVERDUE", "Within SLA")
|
|
| stats count by severity, sla_status
|
|
|
|
-- Remediation trend over 90 days
|
|
index=vulnerability sourcetype="nessus:scan"
|
|
| eval is_open = if(status="open", 1, 0)
|
|
| eval is_closed = if(status="fixed", 1, 0)
|
|
| timechart span=1w sum(is_open) AS opened, sum(is_closed) AS remediated
|
|
```
|
|
|
|
### Step 6: Automate Remediation Ticketing
|
|
|
|
Create tickets automatically for high-priority findings:
|
|
|
|
```python
|
|
import requests
|
|
|
|
servicenow_url = "https://company.service-now.com/api/now/table/incident"
|
|
headers = {
|
|
"Content-Type": "application/json",
|
|
"Authorization": f"Bearer {snow_token}"
|
|
}
|
|
|
|
for vuln in vulns:
|
|
if vuln["risk_score"] >= 8.0:
|
|
ticket = {
|
|
"short_description": f"[VULN] {vuln['cve']} — {vuln['plugin_name']} on {vuln['host']}",
|
|
"description": (
|
|
f"Vulnerability: {vuln['plugin_name']}\n"
|
|
f"CVE: {vuln['cve']}\n"
|
|
f"CVSS: {vuln['cvss']}\n"
|
|
f"Host: {vuln['host']}\n"
|
|
f"Asset Criticality: {vuln['asset_criticality']}\n"
|
|
f"CISA KEV: {'YES' if vuln['kev'] else 'NO'}\n"
|
|
f"Risk Score: {vuln['risk_score']}\n"
|
|
f"Remediation SLA: {'24 hours' if vuln['kev'] else '7 days'}"
|
|
),
|
|
"urgency": "1" if vuln["kev"] else "2",
|
|
"impact": "1" if vuln["asset_criticality"] == "business-critical" else "2",
|
|
"assignment_group": "IT Infrastructure",
|
|
"category": "Vulnerability"
|
|
}
|
|
response = requests.post(servicenow_url, headers=headers, json=ticket)
|
|
print(f"Ticket created: {response.json()['result']['number']}")
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|-----------|
|
|
| **CVSS** | Common Vulnerability Scoring System — standardized severity rating (0-10) for vulnerabilities |
|
|
| **CISA KEV** | Known Exploited Vulnerabilities catalog — CISA-maintained list of vulnerabilities with confirmed active exploitation |
|
|
| **Credentialed Scan** | Vulnerability scan using authenticated access for deeper detection than network-only scanning |
|
|
| **Asset Criticality** | Business impact classification determining remediation priority (mission-critical, business-critical, standard) |
|
|
| **Remediation SLA** | Service Level Agreement defining maximum time allowed to patch vulnerabilities by severity |
|
|
| **EPSS** | Exploit Prediction Scoring System — ML-based probability score predicting likelihood of exploitation |
|
|
|
|
## Tools & Systems
|
|
|
|
- **Tenable Nessus / Tenable.io**: Enterprise vulnerability scanner with 200,000+ plugin checks and compliance auditing
|
|
- **Qualys VMDR**: Cloud-based vulnerability management with asset discovery, prioritization, and patching integration
|
|
- **OpenVAS (Greenbone)**: Open-source vulnerability scanner with community-maintained vulnerability feed
|
|
- **CISA KEV Catalog**: US government maintained list of actively exploited vulnerabilities requiring mandatory remediation
|
|
- **Rapid7 InsightVM**: Vulnerability management platform with live dashboards and remediation project tracking
|
|
|
|
## Common Scenarios
|
|
|
|
- **Zero-Day Response**: New CVE published — run targeted scan for affected software, cross-reference with KEV and exploit databases
|
|
- **Compliance Audit Prep**: Generate PCI DSS or HIPAA vulnerability report showing scan coverage and remediation status
|
|
- **Post-Patch Verification**: Rescan patched systems to confirm vulnerability closure and update tracking dashboard
|
|
- **Network Expansion**: New subnet added to infrastructure — onboard to scan scope with appropriate policy
|
|
- **Third-Party Risk**: Scan externally-facing assets to validate vendor patch compliance before integration
|
|
|
|
## Output Format
|
|
|
|
```
|
|
VULNERABILITY SCAN REPORT — Weekly Summary
|
|
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
Scan Date: 2024-03-16 02:00 UTC
|
|
Scan Scope: 10.0.0.0/16 (1,247 hosts scanned)
|
|
Duration: 4h 23m
|
|
Coverage: 98.7% (16 hosts unreachable)
|
|
|
|
Findings:
|
|
Severity Count New CISA KEV
|
|
Critical 23 5 3
|
|
High 187 34 12
|
|
Medium 892 78 0
|
|
Low 1,456 112 0
|
|
Info 3,891 201 0
|
|
|
|
Top Priority (P1 — 24hr SLA):
|
|
CVE-2024-21762 FortiOS RCE 3 hosts KEV: YES
|
|
CVE-2024-1709 ConnectWise RCE 1 host KEV: YES
|
|
CVE-2024-3400 Palo Alto PAN-OS RCE 2 hosts KEV: YES
|
|
|
|
SLA Compliance:
|
|
Critical: 82% within SLA (4 overdue)
|
|
High: 91% within SLA (17 overdue)
|
|
Medium: 88% within SLA (107 overdue)
|
|
|
|
Tickets Created: 39 (ServiceNow)
|
|
```
|