Triages vulnerabilities using CISA SSVC decision tree framework to prioritize remediation as Track, Track*, Attend, or Act based on exploitation, impact, automatability, prevalence, and public well-being.
Slash command: `/cybersecurity-skills-zh:triaging-vulnerabilities-with-ssvc-framework`
The Stakeholder-Specific Vulnerability Categorization (SSVC) framework, developed by the Carnegie Mellon University Software Engineering Institute (SEI) together with CISA, provides a structured decision-tree method for vulnerability prioritization. Unlike CVSS on its own, SSVC weighs exploitation status, technical impact, automatability, mission prevalence, and public well-being impact together, and produces one of four actionable outcomes: **Track**, **Track\***, **Attend**, or **Act**.
The requests, pandas, and jinja2 libraries.

Assess current exploitation activity:

```bash
# Check whether the CVE is listed in the CISA Known Exploited Vulnerabilities catalog
curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | \
python3 -c "import sys,json; data=json.load(sys.stdin); cves=[v['cveID'] for v in data['vulnerabilities']]; print('Active' if 'CVE-2024-3400' in cves else 'Check PoC/None')"
```
Determine the extent of compromise once the vulnerability is exploited:

Assess whether exploitation can be automated at scale:

Deployment footprint of the affected product in your environment:

Potential consequences for physical safety and public welfare:
| Outcome | Required action | SLA |
|---|---|---|
| Track | Monitor; remediate within the normal patch cycle | 90 days |
| Track* | Monitor closely; prioritize in the next patch window | 60 days |
| Attend | Escalate to senior management; accelerate remediation | 14 days |
| Act | Apply mitigations immediately; executive awareness | 48 hours |
```python
import requests

# Fetch the CISA KEV catalog
kev_url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
kev_data = requests.get(kev_url, timeout=30).json()
kev_cves = {v["cveID"] for v in kev_data["vulnerabilities"]}

# EPSS API, queried per CVE to add probability-of-exploitation context
epss_url = "https://api.first.org/data/v1/epss"


def evaluate_exploitation(cve_id, kev_set):
    """Determine exploitation status from CISA KEV membership and the EPSS score."""
    if cve_id in kev_set:
        return "active"
    epss = requests.get(epss_url, params={"cve": cve_id}, timeout=30).json()
    if epss.get("data"):
        score = float(epss["data"][0].get("epss", 0))
        if score > 0.5:
            return "poc"
    return "none"


def evaluate_technical_impact(cvss_vector):
    """Read the scope and impact metrics out of the CVSS vector string."""
    if "S:C" in cvss_vector or "C:H/I:H/A:H" in cvss_vector:
        return "total"
    return "partial"


def evaluate_automatability(cvss_vector, cve_description):
    """Check whether the attack vector is network-reachable, low complexity, and needs no user interaction."""
    if "AV:N" in cvss_vector and "AC:L" in cvss_vector and "UI:N" in cvss_vector:
        return "yes"
    return "no"


def ssvc_decision(exploitation, tech_impact, automatability, mission_prevalence, public_wellbeing):
    """CISA SSVC decision tree implementation."""
    if exploitation == "active":
        if tech_impact == "total" or automatability == "yes":
            return "Act"
        if mission_prevalence in ("essential", "support"):
            return "Act"
        return "Attend"
    if exploitation == "poc":
        if automatability == "yes" and tech_impact == "total":
            return "Attend"
        if mission_prevalence == "essential":
            return "Attend"
        return "Track*"
    # exploitation == "none"
    if tech_impact == "total" and mission_prevalence == "essential":
        return "Track*"
    return "Track"
```
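The skill runs `scripts/process.py` over scan exports without showing that script. As an added example (not the project's own code), the block below ties the decision tree above to the SLA table: it triages a constructed CSV of findings fully offline, picks the exploitation state from a stand-in KEV set and EPSS value, and attaches a due date per outcome. The CSV column names, CVE ids, CVSS vectors, EPSS values and KEV membership are all made up for the demonstration.

```python
"""Batch SSVC triage of constructed scan findings (added example; not the skill's scripts/process.py)."""
import csv
import io
from datetime import date, timedelta

# Remediation SLAs from the outcome table (48 hours rounded to 2 days).
SLA_DAYS = {"Act": 2, "Attend": 14, "Track*": 60, "Track": 90}

# Constructed sample input: CVE ids, vectors and EPSS values are made up for the demo.
SAMPLE_CSV = """cve,cvss_vector,epss,prevalence
CVE-0000-0001,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,0.90,essential
CVE-0000-0002,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,0.70,support
CVE-0000-0003,CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N,0.01,minimal
CVE-0000-0004,CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L,0.30,essential
"""
SAMPLE_KEV = {"CVE-0000-0001"}  # constructed stand-in for the CISA KEV catalog

def cvss_metrics(vector):
    """Parse 'CVSS:3.1/AV:N/AC:L/...' into a {metric: value} dict."""
    parts = (p.split(":", 1) for p in vector.split("/") if ":" in p)
    return {k: v for k, v in parts if k != "CVSS"}

def technical_impact(m):
    """Total when scope changes or all three CIA impacts are High (same rule as the skill's code)."""
    return "total" if m.get("S") == "C" or (m.get("C"), m.get("I"), m.get("A")) == ("H", "H", "H") else "partial"

def automatable(m):
    """Network-reachable, low complexity, no user interaction."""
    return "yes" if (m.get("AV"), m.get("AC"), m.get("UI")) == ("N", "L", "N") else "no"

def ssvc_decision(exploitation, impact, auto, prevalence):
    """The skill's decision tree: exploitation first, then impact, automatability and prevalence."""
    if exploitation == "active":
        return "Act" if impact == "total" or auto == "yes" or prevalence in ("essential", "support") else "Attend"
    if exploitation == "poc":
        return "Attend" if (auto == "yes" and impact == "total") or prevalence == "essential" else "Track*"
    return "Track*" if impact == "total" and prevalence == "essential" else "Track"

def triage(csv_text, kev, today):
    """Return findings ordered by urgency, each with its SSVC outcome and SLA due date."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = cvss_metrics(row["cvss_vector"])
        # KEV membership means active exploitation; EPSS above 0.5 is treated as PoC-level, as the skill does
        exploitation = "active" if row["cve"] in kev else "poc" if float(row["epss"]) > 0.5 else "none"
        decision = ssvc_decision(exploitation, technical_impact(m), automatable(m), row["prevalence"])
        report.append({"cve": row["cve"], "exploitation": exploitation, "decision": decision,
                       "due": (today + timedelta(days=SLA_DAYS[decision])).isoformat()})
    return sorted(report, key=lambda r: SLA_DAYS[r["decision"]])

if __name__ == "__main__":
    for r in triage(SAMPLE_CSV, SAMPLE_KEV, date.today()):
        print(f"{r['decision']:7} {r['cve']}  due {r['due']}  ({r['exploitation']})")
```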
```bash
# Run the SSVC triage script over scan results
python3 scripts/process.py --input scan_results.csv --output ssvc_triage_report.json
# View the summary
python3 -m json.tool ssvc_triage_report.json | head -50
```

```bash
# Export the Nessus scan as CSV, then process it
python3 scripts/process.py \
  --input nessus_export.csv \
  --format nessus \
  --output ssvc_results.json
# Export OpenVAS results as XML
python3 scripts/process.py \
  --input openvas_report.xml \
  --format openvas \
  --output ssvc_results.json
```

```bash
# Test the SSVC decision logic with known CVEs
python3 -c "
from scripts.process import ssvc_decision
# CVE-2024-3400 - Palo Alto PAN-OS command injection (listed in KEV)
assert ssvc_decision('active', 'total', 'yes', 'essential', 'material') == 'Act'
# CVE-2024-21887 - Ivanti Connect Secure (PoC available)
assert ssvc_decision('poc', 'total', 'yes', 'support', 'minimal') == 'Attend'
print('所有 SSVC 决策测试通过')
"
```
Install:

```bash
npx claudepluginhub killvxk/cybersecurity-skills-zh
```