cybersecurity-analyst

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Cybersecurity Analyst Skill

网络安全分析师技能

Purpose

目标

Analyze events through the disciplinary lens of cybersecurity, applying rigorous security frameworks (CIA triad, defense-in-depth, zero-trust), threat modeling methodologies (STRIDE, PASTA, VAST), attack surface analysis, and industry standards (NIST, ISO 27001, MITRE ATT&CK) to understand security risks, identify vulnerabilities, assess threat actors and attack vectors, evaluate defensive controls, and recommend risk mitigation strategies.

从网络安全专业视角分析各类事件，应用严谨的安全框架（CIA三元组、纵深防御、零信任）、威胁建模方法论（STRIDE、PASTA、VAST）、攻击面分析以及行业标准（NIST、ISO 27001、MITRE ATT&CK），以理解安全风险、识别漏洞、评估威胁主体与攻击向量、评估防御控制措施，并提出风险缓解策略建议。

When to Use This Skill

适用场景

Security Incident Analysis: Investigate breaches, data leaks, ransomware attacks, insider threats
Vulnerability Assessment: Identify weaknesses in systems, applications, networks, processes
Threat Modeling: Analyze potential attack vectors and threat actors for new systems or changes
Security Architecture Review: Evaluate design decisions for security implications and gaps
Risk Assessment: Quantify and prioritize security risks using frameworks like CVSS, FAIR
Compliance Analysis: Assess adherence to security standards (SOC 2, PCI-DSS, HIPAA, GDPR)
Incident Response Planning: Design detection, containment, eradication, and recovery strategies
Security Posture Evaluation: Assess overall defensive capabilities and maturity
Code Security Review: Identify security vulnerabilities in software implementations

安全事件分析：调查数据泄露、勒索软件攻击、内部威胁等安全事件
漏洞评估：识别系统、应用、网络、流程中的弱点
威胁建模：针对新系统或系统变更，分析潜在攻击向量与威胁主体
安全架构评审：评估设计决策的安全影响与缺口
风险评估：使用CVSS、FAIR等框架量化并优先处理安全风险
合规性分析：评估是否符合SOC 2、PCI-DSS、HIPAA、GDPR等安全标准
事件响应规划：设计检测、遏制、根除与恢复策略
安全态势评估：评估整体防御能力与成熟度
代码安全评审：识别软件实现中的安全漏洞

Core Philosophy: Security Thinking

核心理念：安全思维

Cybersecurity analysis rests on fundamental principles:

Defense in Depth: No single security control is perfect. Layer multiple independent controls so compromise of one doesn't compromise the whole system.

Assume Breach: Modern security assumes attackers will penetrate perimeter defenses. Design systems to minimize damage and enable detection when (not if) breach occurs.

Least Privilege: Grant minimum access necessary for legitimate function. Every excess permission is an opportunity for exploitation.

Zero Trust: Never trust, always verify. Verify explicitly, use least privilege access, and assume breach regardless of network location.

Security by Design: Security cannot be bolted on afterward. It must be fundamental to architecture and implementation from the beginning.

CIA Triad: Security protects three properties—Confidentiality (only authorized access), Integrity (only authorized modification), Availability (accessible when needed).

Threat-Informed Defense: Base defensive priorities on understanding of actual threat actors, their capabilities, motivations, and tactics (threat intelligence).

Risk-Based Approach: Perfect security is impossible. Prioritize security investments based on risk (likelihood × impact) to maximize security per dollar spent.

网络安全分析基于以下基本原则：

纵深防御：没有任何单一安全控制是完美的。部署多层独立控制措施，确保某一层被攻破不会导致整个系统沦陷。

假设已被攻破：现代安全理念假设攻击者会突破外围防御。设计系统时需将损害降至最低，并在（而非如果）被攻破时能够检测到。

最小权限：仅授予完成合法功能所需的最小权限。每一项额外权限都是潜在的被利用机会。

零信任：永不信任，始终验证。无论网络位置如何，都要明确验证、使用最小权限访问，并假设已被攻破。

设计时内置安全：安全不能事后附加。必须从一开始就成为架构与实现的核心部分。

CIA三元组：安全保护三大属性——保密性（仅授权主体可访问）、完整性（仅授权主体可修改）、可用性（授权主体需要时可访问）。

威胁驱动防御：基于对实际威胁主体、其能力、动机与战术（威胁情报）的理解，确定防御优先级。

基于风险的方法：完美的安全是不可能的。基于风险（可能性×影响）优先分配安全投资，以最大化每一分钱的安全回报。

Theoretical Foundations (Expandable)

理论基础（可扩展）

Foundation 1: CIA Triad (Classic Security Model)

基础1：CIA三元组（经典安全模型）

Components:

Confidentiality: Information accessible only to authorized entities

Protection mechanisms: Encryption, access controls, authentication
Threats: Eavesdropping, data theft, unauthorized disclosure
Example violations: Data breach, password theft, insider leak

Integrity: Information modifiable only by authorized entities in authorized ways

Protection mechanisms: Hashing, digital signatures, access controls, version control
Threats: Tampering, unauthorized modification, malware
Example violations: Database manipulation, man-in-the-middle attacks, ransomware encryption

Availability: Information and systems accessible when needed by authorized entities

Protection mechanisms: Redundancy, backups, DDoS mitigation, incident response
Threats: Denial of service, ransomware, system destruction
Example violations: DDoS attacks, ransomware, infrastructure failures

Extensions:

Authenticity: Verified identity of entities and origin of information
Non-repudiation: Cannot deny taking action
Accountability: Actions traceable to entities

Application: Every security analysis should identify which aspects of CIA triad are at risk and how controls protect each.

Sources:

组成部分：

保密性：信息仅对授权主体可见

保护机制：加密、访问控制、身份认证
威胁：窃听、数据盗窃、未授权披露
违规示例：数据泄露、密码被盗、内部人员泄密

完整性：信息仅能被授权主体以授权方式修改

保护机制：哈希、数字签名、访问控制、版本控制
威胁：篡改、未授权修改、恶意软件
违规示例：数据库操纵、中间人攻击、勒索软件加密

可用性：信息与系统在授权主体需要时可访问

保护机制：冗余、备份、DDoS缓解、事件响应
威胁：拒绝服务、勒索软件、系统破坏
违规示例：DDoS攻击、勒索软件、基础设施故障

扩展属性：

真实性：验证主体身份与信息来源
不可否认性：无法否认已执行的操作
可问责性：操作可追溯至具体主体

应用：每一次安全分析都应明确CIA三元组中哪些属性面临风险，以及控制措施如何保护这些属性。

参考来源：

Foundation 2: Defense in Depth (Layered Security)

基础2：纵深防御（分层安全）

Principle: Deploy multiple layers of security controls so compromise of one layer doesn't compromise entire system.

Historical Origin: Military defensive strategy—multiple concentric perimeter defenses

Security Layers:

Physical: Facility access controls, locked server rooms
Network: Firewalls, network segmentation, IDS/IPS
Host: Endpoint protection, host firewalls, patch management
Application: Input validation, secure coding, authentication
Data: Encryption at rest and in transit, DLP, tokenization
Human: Security awareness training, phishing simulation

Key Insight: Redundancy is not waste—it's resilience. Even if attacker bypasses firewall, they still face authentication, authorization, monitoring, encryption, and detection controls.

Application: Security architecture should have multiple independent defensive layers protecting critical assets.

Limitation: Can create complexity and false sense of security if layers are not maintained or are interdependent.

Sources:

原则：部署多层安全控制措施，确保某一层被攻破不会导致整个系统沦陷。

历史起源：军事防御策略——多层同心圆外围防御

安全层级：

物理层：设施访问控制、上锁的服务器机房
网络层：防火墙、网络分段、IDS/IPS
主机层：终端保护、主机防火墙、补丁管理
应用层：输入验证、安全编码、身份认证
数据层：静态与传输加密、DLP、令牌化
人员层：安全意识培训、钓鱼模拟

核心见解：冗余不是浪费——而是韧性。即使攻击者绕过防火墙，他们仍需面对身份认证、授权、监控、加密与检测控制。

应用：安全架构应为关键资产部署多层独立防御措施。

局限性：如果各层未得到维护或相互依赖，可能会增加复杂性并产生虚假的安全感。

参考来源：

Foundation 3: Zero Trust Architecture

基础3：零信任架构

Core Principle: "Never trust, always verify" regardless of network location

Contrast with Perimeter Model: Traditional security assumed internal network is trusted ("castle and moat"). Zero trust assumes no network location is trusted.

Key Tenets (NIST SP 800-207):

Verify explicitly: Always authenticate and authorize based on all available data points
Least privilege access: Limit user access with Just-In-Time and Just-Enough-Access
Assume breach: Minimize blast radius and segment access; verify end-to-end encryption

Components:

Identity-centric security: Identity becomes new perimeter
Micro-segmentation: Network divided into small zones with separate controls
Continuous verification: Authentication and authorization are continuous, not one-time
Data-centric: Protect data itself, not just perimeter around it

Drivers:

Cloud adoption (no clear perimeter)
Remote work (users outside traditional perimeter)
Sophisticated attacks (perimeter breaches common)

Application: Modern security architectures should be designed with zero trust principles, especially for cloud and hybrid environments.

Sources:

核心原则：无论网络位置如何，“永不信任，始终验证”

与传统 perimeter 模型的对比：传统安全假设内部网络是可信的（“城堡与护城河”）。零信任则假设任何网络位置都不可信。

核心原则（NIST SP 800-207）：

明确验证：始终基于所有可用数据点进行身份认证与授权
最小权限访问：使用Just-In-Time与Just-Enough-Access限制用户访问
假设已被攻破：最小化影响范围并分段访问；验证端到端加密

组成部分：

以身份为中心的安全：身份成为新的边界
微分段：网络被划分为多个小区域，各区域有独立控制措施
持续验证：身份认证与授权是持续的，而非一次性的
以数据为中心：保护数据本身，而非仅保护数据周围的边界

驱动因素：

云 adoption（无明确边界）
远程办公（用户位于传统边界之外）
复杂攻击（边界突破屡见不鲜）

应用：现代安全架构应遵循零信任原则，尤其是云与混合环境。

参考来源：

Foundation 4: Threat Modeling

基础4：威胁建模

Definition: Structured approach to identify and prioritize potential threats to a system

Purpose: Proactively identify security issues during design phase when fixes are cheapest

Benefits:

Find vulnerabilities before implementation
Prioritize security work
Communicate risks to stakeholders
Guide security testing

Common Methodologies:

STRIDE (Microsoft):

Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

PASTA (Process for Attack Simulation and Threat Analysis):

Seven-stage risk-centric methodology
Aligns business objectives with technical requirements

VAST (Visual, Agile, and Simple Threat modeling):

Scalable for agile development
Two types: application threat models and operational threat models

Application: Use threat modeling for new features, architecture changes, or security reviews.

Sources:

定义：识别并优先处理系统潜在威胁的结构化方法

目标：在设计阶段主动识别安全问题，此时修复成本最低

优势：

在实现前发现漏洞
优先处理安全工作
向利益相关者传达风险
指导安全测试

常见方法论：

STRIDE（微软）：

Spoofing（身份伪造）
Tampering（数据篡改）
Repudiation（不可否认性缺失）
Information disclosure（信息泄露）
Denial of service（拒绝服务）
Elevation of privilege（权限提升）

PASTA（攻击模拟与威胁分析流程）：

七阶段风险中心方法论
使业务目标与技术要求保持一致

VAST（可视化、敏捷、简单威胁建模）：

适用于敏捷开发的可扩展方法
两种类型：应用威胁模型与运营威胁模型

应用：针对新功能、架构变更或安全评审使用威胁建模。

参考来源：

Foundation 5: MITRE ATT&CK Framework

基础5：MITRE ATT&CK框架

Description: Knowledge base of adversary tactics and techniques based on real-world observations

Purpose: Understand how attackers operate to inform defense, detection, and threat hunting

Structure:

Tactics: High-level goals (e.g., Initial Access, Execution, Persistence, Privilege Escalation)
Techniques: Ways to achieve tactics (e.g., Phishing, Exploiting Public Applications)
Sub-techniques: Specific implementations
Procedures: Specific attacker behaviors

14 Tactics (Enterprise Matrix):

Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact

Application:

Map defensive controls to ATT&CK techniques
Identify detection gaps
Threat intelligence sharing
Red team/purple team exercises

Value: Common language for describing attacker behavior; basis for threat-informed defense

Sources:

描述：基于真实世界观察的对手战术与技术知识库

目标：理解攻击者的运作方式，为防御、检测与威胁狩猎提供信息

结构：

战术：高层目标（如初始访问、执行、持久化、权限提升）
技术：实现战术的方式（如钓鱼、利用公开应用）
子技术：具体实现
流程：具体攻击者行为

14种战术（企业矩阵）：

侦察
资源开发
初始访问
执行
持久化
权限提升
防御规避
凭证获取
发现
横向移动
收集
命令与控制
数据渗出
影响

应用：

将防御控制措施映射到ATT&CK技术
识别检测缺口
威胁情报共享
红队/紫队演练

价值：描述攻击者行为的通用语言；威胁驱动防御的基础

参考来源：

Core Analytical Frameworks (Expandable)

核心分析框架（可扩展）

Framework 1: Attack Surface Analysis

框架1：攻击面分析

Definition: Identification and assessment of all points where unauthorized user could enter or extract data from system

Components:

Attack Surface Elements:

Network attack surface: Exposed ports, services, protocols
Software attack surface: Applications, APIs, web interfaces
Human attack surface: Users, administrators, social engineering targets
Physical attack surface: Facility access, hardware access

Attack Vectors: Methods attackers use to exploit attack surface

Network-based: Port scanning, protocol exploits, man-in-the-middle
Web-based: SQL injection, XSS, CSRF, authentication bypass
Email-based: Phishing, malicious attachments, credential harvesting
Physical: Theft, unauthorized access, evil maid attacks
Social engineering: Pretexting, baiting, tailgating

Analysis Process:

Enumerate: List all entry points and assets
Classify: Categorize by type and criticality
Assess: Evaluate exploitability and impact
Prioritize: Rank by risk
Reduce: Minimize unnecessary exposure

Metrics:

Number of exposed services
Number of internet-facing applications
Number of privileged accounts
Lines of code exposed to untrusted input

Application: Reducing attack surface is fundamental defensive strategy. Eliminate unnecessary exposure.

Sources:

定义：识别并评估未授权用户可进入系统或提取数据的所有点

组成部分：

攻击面元素：

网络攻击面：暴露的端口、服务、协议
软件攻击面：应用、API、Web界面
人员攻击面：用户、管理员、社会工程目标
物理攻击面：设施访问、硬件访问

攻击向量：攻击者利用攻击面的方法

基于网络：端口扫描、协议利用、中间人攻击
基于Web：SQL注入、XSS、CSRF、身份认证绕过
基于邮件：钓鱼、恶意附件、凭证窃取
物理：盗窃、未授权访问、邪恶女仆攻击
社会工程： pretexting、 baiting、 tailgating

分析流程：

枚举：列出所有入口点与资产
分类：按类型与重要性分类
评估：评估可利用性与影响
优先排序：按风险排序
减少：最小化不必要的暴露

指标：

暴露服务数量
面向互联网的应用数量
特权账户数量
暴露给不可信输入的代码行数

应用：减少攻击面是基础防御策略。消除不必要的暴露。

参考来源：

Framework 2: Risk Assessment Frameworks

框架2：风险评估框架

Purpose: Quantify and prioritize security risks to guide resource allocation

Common Frameworks:

CVSS (Common Vulnerability Scoring System):

Standard for assessing vulnerability severity
Score 0-10 based on exploitability, impact, scope
Base score (intrinsic characteristics) + temporal + environmental scores
Widely used but criticized for not capturing actual risk in specific contexts

FAIR (Factor Analysis of Information Risk):

Quantitative risk framework
Risk = Loss Event Frequency × Loss Magnitude
Enables cost-benefit analysis of security investments
More complex but provides dollar-denominated risk figures

NIST Risk Management Framework (RMF):

Seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
Links security controls to risk management
Used by U.S. federal agencies

Qualitative vs. Quantitative:

Qualitative: High/Medium/Low risk ratings (simpler, faster, subjective)
Quantitative: Numerical risk values (complex, objective, requires data)

Application: Risk assessment informs prioritization. Not all vulnerabilities are equally important—focus on highest risks.

Sources:

目标：量化并优先处理安全风险，以指导资源分配

常见框架：

CVSS（通用漏洞评分系统）：

评估漏洞严重性的标准
基于可利用性、影响、范围给出0-10分
基础分（固有特征）+ 时间分 + 环境分
广泛使用但因未考虑特定环境下的实际风险而受批评

FAIR（信息风险因素分析）：

定量风险框架
风险 = 损失事件频率 × 损失幅度
支持安全投资的成本效益分析
更复杂但可提供以美元计价的风险数值

NIST风险管理框架（RMF）：

七个步骤：准备、分类、选择、实施、评估、授权、监控
将安全控制措施与风险管理关联
被美国联邦机构使用

定性 vs 定量：

定性：高/中/低风险评级（简单、快速、主观）
定量：数值化风险值（复杂、客观、需要数据）

应用：风险评估指导优先级排序。并非所有漏洞都同等重要——聚焦最高风险。

参考来源：

Framework 3: Security Control Frameworks

框架3：安全控制框架

Purpose: Structured set of security controls to achieve security objectives

Major Frameworks:

NIST Cybersecurity Framework:

Five core functions: Identify, Protect, Detect, Respond, Recover
Not prescriptive—flexible for different organizations
Widely adopted across industries and internationally

NIST SP 800-53 (Security and Privacy Controls):

Comprehensive catalog of security controls for federal systems
20 control families (Access Control, Incident Response, etc.)
Detailed implementation guidance

CIS Controls (Center for Internet Security):

18 prioritized security controls
Implementation groups (IG1, IG2, IG3) based on organizational maturity
Actionable and measurable

ISO/IEC 27001:

International standard for information security management systems
14 control domains, 114 controls
Certification available

Application: Use frameworks to:

Ensure comprehensive coverage
Benchmark security posture
Communicate with stakeholders
Meet compliance requirements

Sources:

目标：结构化的安全控制措施集合，以实现安全目标

主要框架：

NIST网络安全框架：

五大核心功能：识别、保护、检测、响应、恢复
非强制性——针对不同组织灵活调整
被各行业与国际广泛采用

NIST SP 800-53（安全与隐私控制措施）：

联邦系统的全面安全控制措施目录
20个控制族（访问控制、事件响应等）
详细实施指南

CIS控制措施（互联网安全中心）：

18项优先安全控制措施
基于组织成熟度的实施组（IG1、IG2、IG3）
可操作、可衡量

ISO/IEC 27001：

信息安全管理系统的国际标准
14个控制域，114项控制措施
可认证

应用：使用框架以：

确保全面覆盖
基准安全态势
与利益相关者沟通
满足合规要求

参考来源：

Framework 4: Incident Response Lifecycle

框架4：事件响应生命周期

Definition: Structured approach to handling security incidents

Standard Model (NIST SP 800-61):

Phase 1: Preparation

Establish IR capability, tools, playbooks
Training and exercises
Communication plans

Phase 2: Detection and Analysis

Monitoring and alerting
Incident classification and prioritization
Initial investigation
Scope determination

Phase 3: Containment, Eradication, and Recovery

Containment: Stop spread (short-term and long-term)
Eradication: Remove threat from environment
Recovery: Restore systems to normal operation

Phase 4: Post-Incident Activity

Lessons learned
Evidence preservation
Incident report
Process improvement

Key Concepts:

Playbooks: Predefined procedures for common incident types
Indicators of Compromise (IoCs): Artifacts indicating malicious activity
Chain of custody: Evidence handling procedures
Communication: Internal and external stakeholders, legal, PR

Metrics:

Mean Time to Detect (MTTD)
Mean Time to Respond (MTTR)
Mean Time to Contain (MTTC)

Application: Effective incident response minimizes damage, reduces recovery time, and captures learning.

Sources:

定义：处理安全事件的结构化方法

标准模型（NIST SP 800-61）：

阶段1：准备

建立IR能力、工具、剧本
培训与演练
沟通计划

阶段2：检测与分析

监控与告警
事件分类与优先级排序
初步调查
范围确定

阶段3：遏制、根除与恢复

遏制：阻止扩散（短期与长期）
根除：从环境中移除威胁
恢复：将系统恢复至正常运行状态

阶段4：事件后活动

经验总结
证据保存
事件报告
流程改进

核心概念：

剧本：针对常见事件类型的预定义流程
妥协指标（IoCs）：表明恶意活动的人工制品
监管链：证据处理流程
沟通：内部与外部利益相关者、法律、公关

指标：

平均检测时间（MTTD）
平均响应时间（MTTR）
平均遏制时间（MTTC）

应用：有效的事件响应可将损害降至最低、减少恢复时间并获取经验。

参考来源：

Framework 5: Secure Development Lifecycle (SDL)

框架5：安全开发生命周期（SDL）

Purpose: Integrate security into software development process

Microsoft SDL Phases:

Training: Security training for developers
Requirements: Define security requirements and privacy requirements
Design: Threat modeling, attack surface reduction, defense in depth
Implementation: Secure coding standards, code analysis tools
Verification: Security testing (SAST, DAST, penetration testing)
Release: Final security review, incident response plan
Response: Execute incident response plan if vulnerability discovered

Key Practices:

Static Analysis (SAST): Analyze source code for vulnerabilities
Dynamic Analysis (DAST): Test running application
Dependency Scanning: Check third-party libraries for known vulnerabilities
Penetration Testing: Simulate real attacks
Security Champions: Embed security expertise in development teams

OWASP SAMM (Software Assurance Maturity Model):

Maturity model for secure software development
Five business functions: Governance, Design, Implementation, Verification, Operations
Three maturity levels for each function

Application: Security must be integrated throughout development lifecycle, not just at the end.

Sources:

目标：将安全集成到软件开发流程中

微软SDL阶段：

培训：为开发者提供安全培训
需求：定义安全需求与隐私需求
设计：威胁建模、攻击面减少、纵深防御
实现：安全编码标准、代码分析工具
验证：安全测试（SAST、DAST、渗透测试）
发布：最终安全评审、事件响应计划
响应：若发现漏洞则执行事件响应计划

核心实践：

静态分析（SAST）：分析源代码以识别漏洞
动态分析（DAST）：测试运行中的应用
依赖扫描：检查第三方库的已知漏洞
渗透测试：模拟真实攻击
安全冠军：在开发团队中嵌入安全专家

OWASP SAMM（软件保障成熟度模型）：

安全软件开发的成熟度模型
五大业务功能：治理、设计、实现、验证、运营
每个功能有三个成熟度级别

应用：安全必须贯穿整个开发生命周期，而非仅在最后阶段。

参考来源：

Methodological Approaches (Expandable)

方法论（可扩展）

Method 1: Threat Intelligence Analysis

方法1：威胁情报分析

Purpose: Understand adversaries, their capabilities, tactics, and targets to inform defense

Types of Threat Intelligence:

Strategic: High-level trends for executives

APT group activity and motivations
Geopolitical cyber threats
Industry-specific threat landscape

Operational: Campaign-level information for security operations

Current attack campaigns
Threat actor TTPs
Malware families

Tactical: Technical indicators for immediate defense

IP addresses, domains, file hashes
YARA rules, Snort signatures
CVEs being exploited

Analytical Process:

Collection: Gather data from internal sources, threat feeds, OSINT, dark web
Processing: Normalize, correlate, deduplicate
Analysis: Contextualize, attribute, assess intent and capability
Dissemination: Share with relevant teams in actionable format
Feedback: Assess effectiveness and refine

Frameworks:

Diamond Model: Adversary, Capability, Infrastructure, Victim
Kill Chain: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives
MITRE ATT&CK: Map observed techniques to ATT&CK matrix

Application: Threat intelligence enables proactive, threat-informed defense rather than generic security measures.

Sources:

目标：理解对手、其能力、战术与目标，为防御提供信息

威胁情报类型：

战略级：面向高管的高层趋势

APT组织活动与动机
地缘政治网络威胁
行业特定威胁态势

运营级：面向安全运营的战役级信息

当前攻击战役
威胁主体TTPs
恶意软件家族

战术级：面向即时防御的技术指标

IP地址、域名、文件哈希
YARA规则、Snort签名
被利用的CVEs

分析流程：

收集：从内部来源、威胁 feed、OSINT、暗网收集数据
处理：归一化、关联、去重
分析：上下文关联、归因、评估意图与能力
传播：以可操作格式与相关团队共享
反馈：评估有效性并优化

框架：

钻石模型：对手、能力、基础设施、受害者
杀伤链：侦察 → 武器化 → 投递 → 利用 → 安装 → C2 → 目标行动
MITRE ATT&CK：将观察到的技术映射到ATT&CK矩阵

应用：威胁情报实现主动的、威胁驱动的防御，而非通用安全措施。

参考来源：

Method 2: Penetration Testing

方法2：渗透测试

Definition: Authorized simulated attack to evaluate security of systems

Types:

Black Box: No prior knowledge (simulates external attacker)

Gray Box: Partial knowledge (simulates insider or compromised user)

White Box: Full knowledge (comprehensive security assessment)

Phases (Penetration Testing Execution Standard):

Pre-engagement: Scope, rules of engagement, legal agreements
Intelligence gathering: OSINT, network scanning, service enumeration
Threat modeling: Identify potential attack vectors
Vulnerability analysis: Identify exploitable weaknesses
Exploitation: Attempt to exploit vulnerabilities
Post-exploitation: Assess impact, lateral movement, privilege escalation
Reporting: Document findings, demonstrate impact, provide remediation guidance

Specialized Types:

Web application penetration testing: Focus on OWASP Top 10
Network penetration testing: Internal and external network
Social engineering: Phishing, vishing, physical intrusion
Wireless penetration testing: WiFi security assessment

Red Team vs. Penetration Testing:

Penetration testing: Find as many vulnerabilities as possible
Red teaming: Goal-oriented (e.g., access specific data), simulates APT, tests detection and response

Application: Regular penetration testing validates effectiveness of controls and identifies gaps before attackers do.

Sources:

定义：授权的模拟攻击，以评估系统安全性

类型：

黑盒：无先验知识（模拟外部攻击者）

灰盒：部分知识（模拟内部人员或已被攻陷的用户）

白盒：完全知识（全面安全评估）

阶段（渗透测试执行标准）：

预参与：范围、参与规则、法律协议
情报收集：OSINT、网络扫描、服务枚举
威胁建模：识别潜在攻击向量
漏洞分析：识别可利用的弱点
利用：尝试利用漏洞
后利用：评估影响、横向移动、权限提升
报告：记录发现、展示影响、提供修复指导

专业类型：

Web应用渗透测试：聚焦OWASP Top 10
网络渗透测试：内部与外部网络
社会工程：钓鱼、vishing、物理入侵
无线渗透测试：WiFi安全评估

红队 vs 渗透测试：

渗透测试：尽可能多发现漏洞
红队：目标导向（如访问特定数据）、模拟APT、测试检测与响应能力

应用：定期渗透测试验证控制措施的有效性，并在攻击者发现前识别缺口。

参考来源：

Method 3: Security Architecture Review

方法3：安全架构评审

Purpose: Evaluate system design for security properties and identify architectural vulnerabilities

Review Dimensions:

Structural Analysis:

Trust boundaries and data flows
Authentication and authorization architecture
Network segmentation and isolation
Data classification and protection

Threat Modeling:

Apply STRIDE or other methodology
Identify attack trees
Assess mitigations for identified threats

Control Assessment:

Map controls to CIA triad
Evaluate defense-in-depth layers
Identify single points of failure

Compliance Review:

Check against security frameworks (NIST, CIS, ISO)
Regulatory requirements (PCI-DSS, HIPAA, SOC 2)

Technology Assessment:

Cryptographic implementation
Secure protocols
Patch management approach
Secret management

Analysis Questions:

What are trust boundaries?
Where does sensitive data flow?
How is authentication/authorization enforced?
What happens if component X is compromised?
Are security assumptions documented and validated?

Outputs:

Architecture diagrams with security annotations
Threat model
Risk assessment
Remediation recommendations

Application: Architecture review during design phase prevents expensive security issues in production.

目标：评估系统设计的安全属性，识别架构漏洞

评审维度：

结构分析：

信任边界与数据流
身份认证与授权架构
网络分段与隔离
数据分类与保护

威胁建模：

应用STRIDE或其他方法论
识别攻击树
评估已识别威胁的缓解措施

控制措施评估：

将控制措施映射到CIA三元组
评估纵深防御层级
识别单点故障

合规性评审：

对照安全框架（NIST、CIS、ISO）检查
监管要求（PCI-DSS、HIPAA、SOC 2）

技术评估：

加密实现
安全协议
补丁管理方法
密钥管理

分析问题：

信任边界在哪里？
敏感数据流向何处？
身份认证/授权如何实施？
若组件X被攻破会发生什么？
安全假设是否已记录并验证？

输出：

带有安全注释的架构图
威胁模型
风险评估
修复建议

应用：设计阶段的架构评审可防止生产环境中出现昂贵的安全问题。

Method 4: Vulnerability Assessment and Management

方法4：漏洞评估与管理

Purpose: Systematically identify, classify, prioritize, and remediate security weaknesses

Process:

Phase 1: Discovery

Asset inventory (what do we have?)
Vulnerability scanning (automated tools)
Manual security testing
Code review (static analysis)

Phase 2: Assessment

Classify vulnerabilities by type and severity
Assess exploitability (is there exploit code? Is it being exploited?)
Determine impact (what data/systems at risk?)
Calculate risk score (CVSS, contextual factors)

Phase 3: Prioritization

Rank by risk (likelihood × impact)
Consider threat intelligence (is it being exploited in wild?)
Business criticality of affected assets
Remediation complexity

Phase 4: Remediation

Patching (ideal)
Configuration changes
Compensating controls (if patching impossible)
Accept risk (document and approve)

Phase 5: Verification

Rescan to confirm remediation
Update vulnerability database
Track metrics (time to remediate, vulnerability density)

Challenges:

Alert fatigue (too many findings)
False positives
Patching disruption
Legacy systems

Best Practices:

Risk-based prioritization (not just CVSS)
SLA-based remediation (Critical: 7 days, High: 30 days, etc.)
Automate where possible
Track trends and metrics

Application: Continuous vulnerability management is essential hygiene. Can't fix what you don't know about.

Sources:

NIST SP 800-40: Patch and Vulnerability Management

目标：系统地识别、分类、优先处理并修复安全弱点

流程：

阶段1：发现

资产清单（我们拥有什么？）
漏洞扫描（自动化工具）
手动安全测试
代码评审（静态分析）

阶段2：评估

按类型与严重性分类漏洞
评估可利用性（是否有利用代码？是否正在被利用？）
确定影响（哪些数据/系统面临风险？）
计算风险评分（CVSS、上下文因素）

阶段3：优先排序

按风险排序（可能性×影响）
考虑威胁情报（是否在野外被利用？）
受影响资产的业务重要性
修复复杂度

阶段4：修复

补丁（理想方式）
配置变更
补偿控制措施（若无法打补丁）
接受风险（记录并批准）

阶段5：验证

重新扫描以确认修复
更新漏洞数据库
跟踪指标（修复时间、漏洞密度）

挑战：

告警疲劳（发现过多）
误报
打补丁造成的中断
遗留系统

最佳实践：

基于风险的优先排序（而非仅CVSS）
基于SLA的修复（关键：7天，高：30天等）
尽可能自动化
跟踪趋势与指标

应用：持续的漏洞管理是基本安全 hygiene。不知道的漏洞无法修复。

参考来源：

NIST SP 800-40: 补丁与漏洞管理

Method 5: Security Monitoring and Detection Engineering

方法5：安全监控与检测工程

Purpose: Design and operate capabilities to detect malicious activity

Components:

Data Sources:

Network traffic (NetFlow, full packet capture)
Endpoint logs (process creation, file access, registry changes)
Authentication logs (logins, privilege escalation)
Application logs (errors, transactions)
Cloud APIs and audit logs

Detection Mechanisms:

Signature-based: Known malicious patterns (antivirus, IDS signatures)

Pros: Low false positives, fast
Cons: Only detects known threats

Anomaly-based: Deviations from baseline behavior

Pros: Can detect novel attacks
Cons: High false positives, requires tuning

Heuristic-based: Rules based on attacker behavior patterns

Pros: Detects variations of known attacks
Cons: Requires security expertise to create rules

Threat intelligence-based: Match against known IoCs

Pros: Leverages collective knowledge
Cons: Reactive (indicators discovered post-compromise)

Detection Development:

Understand attacker technique (MITRE ATT&CK)
Identify data sources that capture technique
Develop detection logic
Test against true positives and false positives
Tune threshold and logic
Document detection and response procedures
Monitor effectiveness and iterate

SIEM and SOC:

SIEM: Aggregate, correlate, and analyze security logs
SOC: Security Operations Center—team that monitors alerts and responds to incidents

Metrics:

Detection coverage (% of ATT&CK techniques covered)
Alert volume and quality
False positive rate
Mean Time to Detect (MTTD)

Application: You can't respond to what you don't detect. Invest in detection capabilities aligned to threats you face.

Sources:

目标：设计并运营检测恶意活动的能力

组成部分：

数据源：

网络流量（NetFlow、全数据包捕获）
终端日志（进程创建、文件访问、注册表变更）
身份认证日志（登录、权限提升）
应用日志（错误、交易）
云API与审计日志

检测机制：

基于签名：已知恶意模式（杀毒软件、IDS签名）

优点：误报率低、速度快
缺点：仅能检测已知威胁

基于异常：偏离基线行为

优点：可检测新型攻击
缺点：误报率高、需要调优

基于启发式：基于攻击者行为模式的规则

优点：可检测已知攻击的变体
缺点：需要安全专家创建规则

基于威胁情报：匹配已知IoCs

优点：利用集体知识
缺点：被动（指标在被攻陷后才被发现）

检测开发：

理解攻击者技术（MITRE ATT&CK）
识别捕获该技术的数据源
开发检测逻辑
针对真实阳性与误报进行测试
调优阈值与逻辑
记录检测与响应流程
监控有效性并迭代

SIEM与SOC：

SIEM：聚合、关联并分析安全日志
SOC：安全运营中心——监控告警并响应事件的团队

指标：

检测覆盖率（覆盖的ATT&CK技术百分比）
告警数量与质量
误报率
平均检测时间（MTTD）

应用：无法检测到的威胁无法响应。投资与面临的威胁相匹配的检测能力。

参考来源：

Analysis Rubric

分析评估标准

What to Examine

检查内容

Assets and Data:

What sensitive data exists? (PII, credentials, trade secrets, financial data)
Where is it stored, processed, transmitted?
Who has access?
What is business impact if compromised? (confidentiality, integrity, availability)

Attack Surface:

What systems are exposed to internet?
What are entry points for attackers?
What authentication is required?
What third-party dependencies exist?

Threat Actors:

Who might target this? (Nation-states, cybercriminals, hacktivists, insiders)
What are their capabilities and motivations?
What TTPs do they typically use?
What threat intelligence exists?

Vulnerabilities:

Known software vulnerabilities (CVEs)?
Configuration weaknesses?
Architectural security flaws?
Code-level vulnerabilities?
Human vulnerabilities (phishing susceptibility)?

Existing Controls:

What security controls are in place?
Do they follow defense-in-depth principles?
Are they properly configured and maintained?
What detection and response capabilities exist?

资产与数据：

存在哪些敏感数据？（PII、凭证、商业秘密、财务数据）
存储、处理、传输位置在哪里？
谁有权访问？
被攻陷后的业务影响是什么？（保密性、完整性、可用性）

攻击面：

哪些系统暴露在互联网上？
攻击者的入口点是什么？
需要什么身份认证？
存在哪些第三方依赖？

威胁主体：

谁可能针对此目标？（国家、网络罪犯、黑客活动家、内部人员）
他们的能力与动机是什么？
他们通常使用哪些TTPs？
存在哪些威胁情报？

漏洞：

已知软件漏洞（CVEs）？
配置弱点？
架构安全缺陷？
代码级漏洞？
人员漏洞（钓鱼易感性）？

现有控制措施：

已部署哪些安全控制措施？
是否遵循纵深防御原则？
配置与维护是否正确？
存在哪些检测与响应能力？

Questions to Ask

需提出的问题

Threat Questions:

What could go wrong?
What are most likely attack vectors?
What threat actors might target this?
What are their goals and capabilities?
What historical incidents are relevant?

Vulnerability Questions:

What weaknesses exist?
How exploitable are they?
What is impact if exploited?
Are there known exploits or active exploitation?
How quickly can vulnerabilities be remediated?

Control Questions:

What protections are in place?
How effective are they?
What gaps exist in defensive coverage?
Can controls be bypassed?
How will malicious activity be detected?

Risk Questions:

What is likelihood of compromise?
What is potential impact?
What is overall risk level?
How does risk compare to organization's risk appetite?
What risk treatment options exist? (mitigate, accept, transfer, avoid)

Compliance Questions:

What regulations or standards apply?
Are security requirements met?
What evidence demonstrates compliance?
What gaps exist?

威胁相关问题：

可能出现什么问题？
最可能的攻击向量是什么？
哪些威胁主体可能针对此目标？
他们的目标与能力是什么？
哪些历史事件相关？

漏洞相关问题：

存在哪些弱点？
可利用性如何？
被利用后的影响是什么？
是否有已知利用代码或正在被利用？
漏洞修复速度有多快？

控制措施相关问题：

已部署哪些保护措施？
有效性如何？
防御覆盖存在哪些缺口？
控制措施是否可被绕过？
恶意活动将如何被检测到？

风险相关问题：

被攻陷的可能性有多大？
潜在影响是什么？
整体风险级别是什么？
风险与组织的风险承受能力相比如何？
存在哪些风险处理选项？（缓解、接受、转移、避免）

合规相关问题：

适用哪些法规或标准？
是否满足安全要求？
有哪些证据证明合规？
存在哪些缺口？

Factors to Consider

需考虑的因素

Technical Factors:

System architecture and design
Technology stack and versions
Configuration and hardening
Cryptographic implementation
Network topology and segmentation

Organizational Factors:

Security maturity and culture
Available resources and budget
Risk tolerance
Regulatory environment
Business criticality

Threat Landscape:

Current threat actor activity
Emerging attack techniques
Industry-specific threats
Geopolitical factors

Operational Factors:

Patch management processes
Incident response capabilities
Security monitoring and detection
Security awareness and training
Third-party risk management

技术因素：

系统架构与设计
技术栈与版本
配置与加固
加密实现
网络拓扑与分段

组织因素：

安全成熟度与文化
可用资源与预算
风险容忍度
监管环境
业务重要性

威胁态势：

当前威胁主体活动
新兴攻击技术
行业特定威胁
地缘政治因素

运营因素：

补丁管理流程
事件响应能力
安全监控与检测
安全意识与培训
第三方风险管理

Historical Parallels to Consider

需考虑的历史案例

Similar security incidents
Comparable vulnerability exploits
Industry-specific attack patterns
Lessons from major breaches
Evolution of threat actor TTPs

类似安全事件
可比较的漏洞利用
行业特定攻击模式
重大数据泄露的经验教训
威胁主体TTPs的演变

Implications to Explore

需探索的影响

Immediate Security Implications:

Confidentiality: Data breach risk
Integrity: Data tampering or corruption risk
Availability: Service disruption risk
Financial: Ransom, recovery costs, fines

Broader Implications:

Reputation damage
Legal and regulatory consequences
Customer trust erosion
Competitive disadvantage
Systemic risk (if in critical infrastructure)

Strategic Implications:

Security architecture changes needed
Security program maturity gaps
Resource allocation and prioritization
Risk management approach

即时安全影响：

保密性：数据泄露风险
完整性：数据篡改或损坏风险
可用性：服务中断风险
财务：赎金、恢复成本、罚款

更广泛影响：

声誉损害
法律与监管后果
客户信任流失
竞争劣势
系统性风险（若涉及关键基础设施）

战略影响：

需要变更安全架构
安全计划成熟度缺口
资源分配与优先级排序
风险管理方法

Step-by-Step Analysis Process

分步分析流程

Step 1: Define Scope and Context

步骤1：定义范围与上下文

Actions:

Clearly identify system, application, or event being analyzed
Determine boundaries and interfaces
Identify stakeholders and their security requirements
Understand business context and criticality
Gather relevant documentation (architecture diagrams, data flows, policies)

Outputs:

Scope statement
Asset inventory
Stakeholder list
Business context understanding

行动：

明确识别正在分析的系统、应用或事件
确定边界与接口
识别利益相关者及其安全需求
理解业务上下文与重要性
收集相关文档（架构图、数据流、政策）

输出：

范围声明
资产清单
利益相关者列表
业务上下文理解

Step 2: Identify Assets and Data

步骤2：识别资产与数据

Actions:

List critical assets (systems, data, services)
Classify data by sensitivity (public, internal, confidential, restricted)
Map data flows (where data is created, stored, processed, transmitted, destroyed)
Identify crown jewels (most valuable assets)

Outputs:

Asset inventory with criticality ratings
Data classification matrix
Data flow diagrams
Crown jewels list

行动：

列出关键资产（系统、数据、服务）
按敏感度分类数据（公开、内部、机密、受限）
映射数据流（数据创建、存储、处理、传输、销毁的位置）
识别核心资产（最有价值的资产）

输出：

带有重要性评级的资产清单
数据分类矩阵
数据流图
核心资产列表

Step 3: Analyze Attack Surface

步骤3：分析攻击面

Actions:

Enumerate all entry points (APIs, web interfaces, network services, physical access)
Identify trust boundaries (where untrusted input crosses into trusted zones)
Map authentication and authorization points
Identify dependencies (third-party services, libraries, suppliers)

Outputs:

Attack surface map
Trust boundary diagram
Entry point inventory
Dependency list

行动：

枚举所有入口点（API、Web界面、网络服务、物理访问）
识别信任边界（不可信输入进入可信区域的位置）
映射身份认证与授权点
识别依赖项（第三方服务、库、供应商）

输出：

攻击面映射图
信任边界图
入口点清单
依赖项列表

Step 4: Conduct Threat Modeling

步骤4：执行威胁建模

Actions:

Select threat modeling methodology (STRIDE, PASTA, etc.)
Identify potential threat actors and their goals
Enumerate potential attack vectors for each asset
Create attack trees showing attack paths
Map to MITRE ATT&CK techniques

Outputs:

Threat model document
Threat actor profiles
Attack tree diagrams
ATT&CK technique mapping

行动：

选择威胁建模方法论（STRIDE、PASTA等）
识别潜在威胁主体及其目标
枚举每个资产的潜在攻击向量
创建展示攻击路径的攻击树
映射到MITRE ATT&CK技术

输出：

威胁模型文档
威胁主体档案
攻击树图
ATT&CK技术映射

Step 5: Identify Vulnerabilities

步骤5：识别漏洞

Actions:

Review known CVEs for technologies in use
Analyze configuration against security benchmarks (CIS, STIGs)
Review architecture for security design flaws
Consider code-level vulnerabilities (if applicable)
Assess human vulnerabilities (phishing susceptibility, privilege misuse)

Outputs:

Vulnerability inventory
CVSS scores or risk ratings
Configuration gap analysis
Architectural security issues

行动：

审查所用技术的已知CVEs
对照安全基准（CIS、STIGs）分析配置
审查架构中的安全设计缺陷
考虑代码级漏洞（若适用）
评估人员漏洞（钓鱼易感性、权限滥用）

输出：

漏洞清单
CVSS评分或风险评级
配置缺口分析
架构安全问题

Step 6: Assess Existing Controls

步骤6：评估现有控制措施

Actions:

Inventory security controls across all layers (network, host, application, data)
Map controls to threats (which threats do controls mitigate?)
Evaluate control effectiveness (properly configured? maintained? monitored?)
Identify control gaps (threats without adequate mitigation)
Assess detection and response capabilities

Outputs:

Control inventory
Threat-control mapping matrix
Control effectiveness assessment
Detection coverage gaps

行动：

盘点所有层级的安全控制措施（网络、主机、应用、数据）
将控制措施映射到威胁（控制措施缓解哪些威胁？）
评估控制措施有效性（配置正确？维护良好？监控到位？）
识别控制措施缺口（无充分缓解措施的威胁）
评估检测与响应能力

输出：

控制措施清单
威胁-控制措施映射矩阵
控制措施有效性评估
检测覆盖缺口

Step 7: Analyze Risk

步骤7：分析风险

Actions:

For each threat-vulnerability pair, estimate likelihood and impact
Calculate risk scores (qualitative or quantitative)
Prioritize risks
Compare to organizational risk tolerance
Consider risk interdependencies and cascading effects

Outputs:

Risk register
Risk heat map
Prioritized risk list
Risk acceptance recommendations

行动：

针对每个威胁-漏洞对，估计可能性与影响
计算风险评分（定性或定量）
优先处理风险
与组织风险容忍度对比
考虑风险相互依赖与连锁反应

输出：

风险登记册
风险热图
优先处理的风险列表
风险接受建议

Step 8: Evaluate Detection and Response

步骤8：评估检测与响应能力

Actions:

Assess what malicious activities would be detected
Evaluate MTTD (Mean Time to Detect) for various attack scenarios
Review incident response plans and playbooks
Assess incident response team capabilities
Identify gaps in detection or response

Outputs:

Detection coverage assessment
MTTD estimates
IR capability assessment
Detection and response gaps

行动：

评估哪些恶意活动会被检测到
评估不同攻击场景的MTTD（平均检测时间）
审查事件响应计划与剧本
评估事件响应团队能力
识别检测或响应缺口

输出：

检测覆盖评估
MTTD估计
IR能力评估
检测与响应缺口

Step 9: Develop Remediation Recommendations

步骤9：制定修复建议

Actions:

Propose mitigations for identified risks (preventive, detective, corrective)
Prioritize by risk reduction and implementation effort
Consider compensating controls where direct mitigation is impractical
Estimate costs and implementation timelines
Document risk acceptance for risks not mitigated

Outputs:

Remediation roadmap
Prioritized recommendation list
Cost-benefit analysis
Risk acceptance documentation

行动：

针对已识别风险提出缓解措施（预防性、检测性、纠正性）
按风险降低幅度与实施难度优先排序
考虑直接缓解不可行时的补偿控制措施
估计成本与实施时间线
记录未缓解风险的接受情况

输出：

修复路线图
优先处理的建议列表
成本效益分析
风险接受文档

Step 10: Consider Compliance Requirements

步骤10：考虑合规要求

Actions:

Identify applicable regulations and standards
Map controls to compliance requirements
Document evidence of compliance
Identify compliance gaps
Recommend actions to achieve or maintain compliance

Outputs:

Compliance matrix
Gap analysis
Evidence documentation
Compliance remediation plan

行动：

识别适用法规与标准
将控制措施映射到合规要求
记录合规证据
识别合规缺口
提出实现或维持合规的行动建议

输出：

合规矩阵
缺口分析
证据文档
合规修复计划

Step 11: Synthesize and Report

步骤11：综合与报告

Actions:

Summarize key findings for different audiences (executives, technical teams, compliance)
Provide clear risk assessment and recommendations
Include metrics and KPIs
Document assumptions and limitations
Create action plan with owners and timelines

Outputs:

Executive summary
Technical findings report
Remediation roadmap
Compliance summary

行动：

为不同受众（高管、技术团队、合规人员）总结关键发现
提供清晰的风险评估与建议
包含指标与KPI
记录假设与局限性
创建带有负责人与时间线的行动计划

输出：

执行摘要
技术发现报告
修复路线图
合规摘要

Usage Examples

应用示例

Example 1: Security Incident - Ransomware Attack

示例1：安全事件 - 勒索软件攻击

Event: Organization experiences ransomware attack; files encrypted, ransom note demands payment

Analysis:

Step 1 - Scope and Context:

Affected systems: File servers, workstations, backups
Business impact: Operations halted, data unavailable
Critical: Understand ransomware variant, encryption scope, attacker access

Step 2 - Assets:

Crown jewels: Customer database, financial records, intellectual property
Status: Files encrypted, availability compromised

Step 3 - Attack Surface Analysis:

Initial access vector: Likely phishing email or vulnerable RDP endpoint
Lateral movement: SMB, credential theft

Step 4 - Threat Modeling (Post-Incident):

Threat actor: Likely cybercriminal group (financial motivation)
ATT&CK mapping:
- Initial Access: Phishing or Exploit Public-Facing Application
- Execution: User Execution or Exploitation for Client Execution
- Persistence: Registry Run Keys, Scheduled Tasks
- Privilege Escalation: Exploitation for Privilege Escalation
- Credential Access: Credential Dumping
- Lateral Movement: SMB/Windows Admin Shares
- Impact: Data Encrypted for Impact

Step 5 - Vulnerabilities:

Phishing susceptibility (no email filtering, insufficient user training)
Unpatched RDP vulnerabilities
Weak passwords or credential reuse
Inadequate network segmentation (ransomware spread easily)
Backup vulnerabilities (backups also encrypted)

Step 6 - Control Assessment:

Missing: Email security gateway, EDR, MFA
Inadequate: Network segmentation, backup isolation, patch management
Failed: Antivirus didn't detect ransomware

Step 7 - Risk Analysis:

Impact: HIGH (business disruption, data loss, ransom demand, reputation damage)
Likelihood: HIGH (demonstrated—incident occurred)
Residual risk: CRITICAL (without improvements, repeat likely)

Step 8 - Detection and Response:

Detection: Failed until encryption began (no EDR, limited logging)
MTTD: Hours to days (too slow)
Response: No playbook, uncoordinated response
Gaps: No IR team, no communication plan, no legal/PR coordination

Step 9 - Recommendations (Prioritized):

Immediate (Hours to Days):

Isolate affected systems (contain spread)
Identify ransomware variant and check for decryption tools
Engage incident response firm if no internal capability
Do NOT pay ransom immediately (assess alternatives first)
Notify legal, insurance, possibly law enforcement

Short-term (Days to Weeks):

Restore from backups if available and uncompromised
Deploy EDR on all endpoints
Implement MFA for all remote access
Conduct forensic investigation to determine root cause and scope
Develop and test IR playbook

Medium-term (Weeks to Months):

Network segmentation (prevent lateral movement)
Email security gateway (block phishing)
Privileged access management (limit credential theft)
Security awareness training (reduce phishing success)
Backup hardening (air-gapped or immutable backups)

Long-term (Months to Year):

Security maturity assessment and roadmap
24/7 SOC or MDR service
Penetration testing and red team exercises
Comprehensive vulnerability management program

Step 10 - Compliance:

Regulatory notification requirements (GDPR, state breach laws, etc.)
Cyber insurance claim
Document incident for auditors

Step 11 - Synthesis:

Root cause: Combination of phishing/RDP exploit + inadequate detection + weak segmentation + backup vulnerabilities
Key lesson: Defense-in-depth failures—multiple control failures allowed attack to succeed
Priority: Immediate containment and recovery, then build detective and preventive controls
Cost: Ransom demand + downtime + recovery + remediation + reputation damage (potentially millions)

事件：组织遭遇勒索软件攻击；文件被加密，勒索信要求付款

分析：

步骤1 - 范围与上下文：

受影响系统：文件服务器、工作站、备份
业务影响：运营停滞、数据不可用
关键：理解勒索软件变体、加密范围、攻击者访问权限

步骤2 - 资产：

核心资产：客户数据库、财务记录、知识产权
状态：文件被加密、可用性受损

步骤3 - 攻击面分析：

初始访问向量：可能是钓鱼邮件或易受攻击的RDP端点
横向移动：SMB、凭证窃取

步骤4 - 威胁建模（事件后）：

威胁主体：可能是网络犯罪组织（财务动机）
ATT&CK映射：
- 初始访问：钓鱼或利用公开应用
- 执行：用户执行或利用客户端执行
- 持久化：注册表运行项、计划任务
- 权限提升：利用漏洞提升权限
- 凭证获取：凭证转储
- 横向移动：SMB/Windows管理共享
- 影响：数据加密以造成影响

步骤5 - 漏洞：

钓鱼易感性（无邮件过滤、用户培训不足）
未打补丁的RDP漏洞
弱密码或凭证复用
网络分段不足（勒索软件易传播）
备份漏洞（备份也被加密）

步骤6 - 控制措施评估：

缺失：邮件安全网关、EDR、MFA
不足：网络分段、备份隔离、补丁管理
失效：杀毒软件未检测到勒索软件

步骤7 - 风险分析：

影响：高（业务中断、数据丢失、勒索要求、声誉损害）
可能性：高（已发生事件）
残余风险：关键（若不改进，可能重复发生）

步骤8 - 检测与响应：

检测：直到加密开始才发现（无EDR、日志有限）
MTTD：数小时至数天（太慢）
响应：无剧本、响应不协调
缺口：无IR团队、无沟通计划、无法律/公关协调

步骤9 - 建议（优先排序）：

即时（数小时至数天）：

隔离受影响系统（遏制传播）
识别勒索软件变体并查找解密工具
若无内部能力，聘请事件响应公司
不要立即支付赎金（先评估替代方案）
通知法律、保险、可能的执法机构

短期（数天至数周）：

若备份可用且未被攻陷，从备份恢复
在所有端点部署EDR
为所有远程访问实现MFA
进行法医调查以确定根本原因与范围
开发并测试IR剧本

中期（数周至数月）：

网络分段（防止横向移动）
部署邮件安全网关（阻止钓鱼）
特权访问管理（限制凭证窃取）
安全意识培训（降低钓鱼成功率）
备份加固（离线或不可变备份）

长期（数月至一年）：

安全成熟度评估与路线图
24/7 SOC或MDR服务
渗透测试与红队演练
全面漏洞管理计划

步骤10 - 合规：

监管通知要求（GDPR、州数据泄露法等）
网络保险索赔
为审计师记录事件

步骤11 - 综合：

根本原因：钓鱼/RDP利用 + 检测不足 + 分段薄弱 + 备份漏洞的组合
关键教训：纵深防御失效——多个控制措施失效导致攻击成功
优先级：即时遏制与恢复，然后构建检测与预防控制措施
成本：勒索要求 + 停机时间 + 恢复 + 修复 + 声誉损害（可能数百万）

Example 2: Vulnerability Assessment - New Web Application Launch

示例2：漏洞评估 - 新Web应用发布

Event: Organization planning to launch customer-facing web application; pre-launch security review requested

Analysis:

Step 1 - Scope:

Application: E-commerce web application
Users: External customers
Data: PII, payment information, order history
Criticality: HIGH (revenue-generating, customer trust)

Step 2 - Assets:

Customer PII and payment data (confidentiality, integrity critical)
Inventory and pricing data (integrity, availability critical)
Application availability (revenue impact)

Step 3 - Attack Surface:

Web interface (public-facing)
APIs (mobile app, third-party integrations)
Admin portal (internal users)
Payment processor integration
Third-party libraries and dependencies

Step 4 - Threat Modeling (STRIDE):

Spoofing:

Threat: Attacker impersonates user or admin
Mitigations: Strong authentication, MFA, session management

Tampering:

Threat: Attacker modifies prices, orders, or user data
Mitigations: Input validation, authorization checks, integrity controls

Repudiation:

Threat: User denies placing order
Mitigations: Audit logging, transaction signing

Information Disclosure:

Threat: Attacker accesses other users' PII or payment info
Mitigations: Authorization checks, encryption, secure session management

Denial of Service:

Threat: Attacker overwhelms application
Mitigations: Rate limiting, DDoS protection, scalable infrastructure

Elevation of Privilege:

Threat: User gains admin access
Mitigations: Least privilege, secure authorization, privilege separation

Step 5 - Vulnerabilities (OWASP Top 10 Analysis):

Broken Access Control: Check for IDOR vulnerabilities, horizontal/vertical privilege escalation
Cryptographic Failures: Verify encryption at rest and in transit, key management
Injection: Test for SQL injection, XSS, command injection
Insecure Design: Review for security design flaws, threat model gaps
Security Misconfiguration: Check for default credentials, unnecessary features, verbose errors
Vulnerable Components: Scan dependencies for known CVEs
Authentication Failures: Test password policy, session management, MFA
Software/Data Integrity: Verify supply chain security, unsigned updates
Logging Failures: Ensure security events logged, log tampering prevention
SSRF: Test for server-side request forgery vulnerabilities

Step 6 - Control Assessment:

Positive Findings:

TLS 1.3 for all connections
Passwords hashed with bcrypt
Input validation framework in use
Dependency scanning in CI/CD

Gaps Identified:

No MFA for customer accounts
Admin portal not on separate domain/network
Verbose error messages expose stack traces
No rate limiting on API endpoints
Some third-party dependencies have known CVEs
Insufficient authorization checks (IDOR vulnerabilities)
No Web Application Firewall (WAF)

Step 7 - Risk Analysis:

Critical Risks:

IDOR vulnerabilities: HIGH likelihood, HIGH impact (data breach)
Vulnerable dependencies: MEDIUM likelihood, HIGH impact (RCE potential)

High Risks:

No rate limiting: HIGH likelihood, MEDIUM impact (scraping, brute force)
Admin portal on same domain: LOW likelihood, HIGH impact (credential theft)

Medium Risks:

Verbose errors: MEDIUM likelihood, MEDIUM impact (information disclosure)
No MFA: LOW likelihood (for now), HIGH impact (account takeover)

Step 8 - Detection and Response:

Logging: Adequate for authentication and transactions
SIEM integration: Not yet configured
IR playbook: Generic, needs application-specific scenarios
Recommendation: Configure SIEM, create app-specific IR playbook, implement alerting for suspicious patterns

Step 9 - Recommendations (Prioritized by Risk):

Must-Fix Before Launch (Critical):

Fix IDOR vulnerabilities (implement authorization checks)
Update vulnerable dependencies
Remove verbose error messages in production
Implement rate limiting on all endpoints

Should-Fix Before Launch (High):

Deploy WAF with OWASP Core Rule Set
Separate admin portal (different domain, VPN/IP restriction)
Configure SIEM integration and alerting

Post-Launch (Medium):

Implement MFA for customer accounts
Enhance logging (capture more security events)
Conduct penetration testing
Establish bug bounty program

Step 10 - Compliance:

PCI-DSS: Required for payment card data (use tokenization, minimize cardholder data environment)
GDPR/CCPA: Customer data privacy requirements (consent, data minimization, breach notification)
SOC 2: If B2B customers require assurance

Step 11 - Synthesis:

Application has solid foundation (modern crypto, input validation, dependency scanning)
Critical issues must be fixed before launch (IDOR, vulnerable dependencies)
WAF provides defense-in-depth for web threats
Post-launch: Continue testing, bug bounty, security monitoring
Go/No-Go: NO GO until critical issues resolved

事件：组织计划发布面向客户的Web应用；请求发布前安全评审

分析：

步骤1 - 范围：

应用：电商Web应用
用户：外部客户
数据：PII、支付信息、订单历史
重要性：高（产生收入、客户信任）

步骤2 - 资产：

客户PII与支付数据（保密性、完整性至关重要）
库存与定价数据（完整性、可用性至关重要）
应用可用性（影响收入）

步骤3 - 攻击面：

Web界面（面向互联网）
APIs（移动应用、第三方集成）
管理门户（内部用户）
支付处理器集成
第三方库与依赖项

步骤4 - 威胁建模（STRIDE）：

身份伪造：

威胁：攻击者冒充用户或管理员
缓解措施：强身份认证、MFA、会话管理

数据篡改：

威胁：攻击者修改价格、订单或用户数据
缓解措施：输入验证、授权检查、完整性控制

不可否认性缺失：

威胁：用户否认下过订单
缓解措施：审计日志、交易签名

信息泄露：

威胁：攻击者访问其他用户的PII或支付信息
缓解措施：授权检查、加密、安全会话管理

拒绝服务：

威胁：攻击者 overwhelm 应用
缓解措施：速率限制、DDoS保护、可扩展基础设施

权限提升：

威胁：用户获得管理员权限
缓解措施：最小权限、安全授权、权限分离

步骤5 - 漏洞（OWASP Top 10分析）：

访问控制失效：检查IDOR漏洞、水平/垂直权限提升
加密失败：验证静态与传输加密、密钥管理
注入：测试SQL注入、XSS、命令注入
不安全设计：审查安全设计缺陷、威胁模型缺口
安全配置错误：检查默认凭证、不必要功能、详细错误信息
易受攻击的组件：扫描依赖项的已知CVEs
身份认证失败：测试密码策略、会话管理、MFA
软件/数据完整性：验证供应链安全、未签名更新
日志记录失败：确保安全事件被记录、防止日志篡改
SSRF：测试服务器端请求伪造漏洞

步骤6 - 控制措施评估：

正面发现：

所有连接使用TLS 1.3
密码使用bcrypt哈希
使用输入验证框架
CI/CD中进行依赖扫描

识别的缺口：

客户账户无MFA
管理门户未在单独域名/网络
详细错误信息暴露堆栈跟踪
API端点无速率限制
部分第三方依赖项存在已知CVEs
授权检查不足（IDOR漏洞）
无Web应用防火墙（WAF）

步骤7 - 风险分析：

关键风险：

IDOR漏洞：可能性高、影响高（数据泄露）
易受攻击的依赖项：可能性中、影响高（远程代码执行潜力）

高风险：

无速率限制：可能性高、影响中（数据爬取、暴力破解）
管理门户在同一域名：可能性低、影响高（凭证窃取）

中风险：

详细错误信息：可能性中、影响中（信息泄露）
无MFA：可能性低（目前）、影响高（账户接管）

步骤8 - 检测与响应：

日志记录：身份认证与交易日志充足
SIEM集成：尚未配置
IR剧本：通用剧本，需要应用特定场景
建议：配置SIEM、创建应用特定IR剧本、为可疑模式实现告警

步骤9 - 建议（按风险优先排序）：

发布前必须修复（关键）：

修复IDOR漏洞（实现授权检查）
更新易受攻击的依赖项
生产环境移除详细错误信息
所有端点实现速率限制

发布前应修复（高）：

部署带有OWASP核心规则集的WAF
分离管理门户（不同域名、VPN/IP限制）
配置SIEM集成与告警

发布后（中）：

为客户账户实现MFA
增强日志记录（捕获更多安全事件）
进行渗透测试
建立漏洞赏金计划

步骤10 - 合规：

PCI-DSS：支付卡数据必需（使用令牌化、最小化持卡人数据环境）
GDPR/CCPA：客户数据隐私要求（同意、数据最小化、数据泄露通知）
SOC 2：若B2B客户要求保证

步骤11 - 综合：

应用有坚实基础（现代加密、输入验证、依赖扫描）
关键问题必须在发布前修复（IDOR、易受攻击的依赖项）
WAF为Web威胁提供纵深防御
发布后：持续测试、漏洞赏金、安全监控
发布/不发布：不发布，直到关键问题解决

Example 3: Security Architecture Review - Cloud Migration

示例3：安全架构评审 - 云迁移

Event: Organization planning to migrate on-premises applications to AWS; security architecture review requested

Analysis:

Step 1 - Scope:

Migration: 50+ applications, mix of web apps, APIs, databases
Target: AWS (IaaS and PaaS services)
Timeline: 12-month migration
Criticality: Mixed (some business-critical applications)

Step 2 - Assets:

Applications and data currently in controlled on-premises environment
Concerns: Data sovereignty, compliance, shared responsibility model

Step 3 - Attack Surface Changes:

Increases: Internet-facing cloud services, cloud management interfaces, broader attack surface
Decreases: Physical access threats
New: Cloud misconfigurations, IAM vulnerabilities, API security

Step 4 - Threat Modeling (Cloud-Specific):

Cloud-Specific Threats:

Account compromise (stolen credentials, phishing)
Misconfigured storage buckets (public S3 buckets)
Overly permissive IAM policies
Insufficient network segmentation (VPC design)
Data exfiltration via cloud APIs
Insider threats (cloud admin abuse)
Supply chain (compromised cloud services or dependencies)

MITRE ATT&CK for Cloud:

Initial Access: Valid accounts, exploit public-facing application
Persistence: Account manipulation, create IAM user
Privilege Escalation: IAM policy manipulation
Defense Evasion: Disable cloud logs
Credential Access: Unsecured credentials in code/config
Discovery: Cloud service discovery
Lateral Movement: Use alternate authentication material
Exfiltration: Transfer data to cloud account

Step 5 - Vulnerabilities (Cloud Context):

Lack of cloud security expertise
On-premises mindset (perimeter-focused, not zero-trust)
Unclear cloud IAM strategy
No cloud configuration management (IaC not used)
No cloud security posture management (CSPM)

Step 6 - Control Assessment (Shared Responsibility Model):

AWS Responsibilities (Security OF the Cloud):

Physical security
Hypervisor security
Network infrastructure

Customer Responsibilities (Security IN the Cloud):

IAM and access control
Data encryption
Network configuration (VPCs, security groups)
Application security
Compliance

Proposed Controls:

Identity and Access Management:

Implement AWS Organizations with SCPs (Service Control Policies)
Enforce MFA for all users
Use IAM roles, not long-term credentials
Principle of least privilege
Regular access reviews

Network Security:

VPC design with public/private subnets
Security groups (stateful firewalls)
NACLs (stateless firewalls)
AWS WAF for web applications
VPC Flow Logs for monitoring

Data Protection:

Encryption at rest (S3, EBS, RDS with KMS)
Encryption in transit (TLS)
S3 bucket policies (block public access)
Data classification and handling

Monitoring and Detection:

AWS CloudTrail (API logging)
AWS GuardDuty (threat detection)
AWS Security Hub (aggregate findings)
AWS Config (configuration compliance)
SIEM integration

Incident Response:

Cloud-specific IR playbooks
Automate response with Lambda
Snapshot and forensics procedures
AWS support engagement plan

Compliance:

AWS Artifact (compliance reports)
AWS Config rules (continuous compliance)
Encryption for HIPAA/PCI-DSS
Data residency (region selection)

Step 7 - Risk Analysis:

High Risks:

Misconfigured S3 buckets (likelihood: high, impact: high - data breach)
Compromised IAM credentials (likelihood: medium, impact: high)
Insufficient monitoring (likelihood: high, impact: medium - delayed detection)

Medium Risks:

Inadequate network segmentation (likelihood: medium, impact: medium)
Lack of cloud expertise (likelihood: high, impact: medium - misconfigurations)

Step 8 - Detection and Response:

Deploy GuardDuty in all regions and accounts
Centralize CloudTrail logs
Configure Security Hub and Config
Create cloud-specific alerts (unusual API calls, IAM changes, public S3 buckets)
Develop cloud incident response playbooks

Step 9 - Recommendations (Cloud Migration Security Roadmap):

Pre-Migration (Month 1-2):

Cloud security training for teams
Design AWS Organizations structure and account strategy
Define IAM strategy and policies
Design VPC architecture and network segmentation
Select and implement CSPM tool
Establish cloud security baseline (CIS AWS Foundations Benchmark)

During Migration (Month 3-12):

Use Infrastructure as Code (Terraform/CloudFormation) for all resources
Automate security checks in CI/CD (SAST, DAST, IaC scanning)
Enforce encryption at rest and in transit
Implement least privilege IAM
Enable all cloud-native security services (GuardDuty, Security Hub, Config, CloudTrail)
Security testing before production deployment

Post-Migration (Ongoing):

Continuous compliance monitoring
Regular IAM access reviews
Cloud security posture assessments
Penetration testing in cloud environment
Tabletop exercises for cloud IR scenarios

Step 10 - Compliance:

Leverage AWS compliance certifications (SOC 2, ISO 27001, PCI-DSS)
Use AWS Artifact for audit evidence
Implement AWS Config rules for continuous compliance
Document shared responsibility matrix

Step 11 - Synthesis:

Cloud security requires different mindset (zero-trust, identity-centric, API-driven)
Shared responsibility model is critical—must secure what AWS doesn't
Major risks: Misconfigurations, IAM vulnerabilities, insufficient monitoring
Opportunities: Cloud-native security services, automation, scalability
Success factors: Training, least privilege, defense-in-depth, monitoring, IaC
Recommendation: Proceed with migration, but implement security roadmap in parallel

事件：组织计划将本地应用迁移到AWS；请求安全架构评审

分析：

步骤1 - 范围：

迁移：50+应用，混合Web应用、API、数据库
目标：AWS（IaaS与PaaS服务）
时间线：12个月迁移
重要性：混合（部分业务关键应用）

步骤2 - 资产：

应用与数据目前在受控本地环境
关注点：数据主权、合规、共享责任模型

步骤3 - 攻击面变化：

增加：面向互联网的云服务、云管理界面、更广泛的攻击面
减少：物理访问威胁
新：云配置错误、IAM漏洞、API安全

步骤4 - 威胁建模（云特定）：

云特定威胁：

账户攻陷（凭证被盗、钓鱼）
配置错误的存储桶（公开S3桶）
过度宽松的IAM策略
网络分段不足（VPC设计）
通过云API的数据渗出
内部威胁（云管理员滥用）
供应链（被攻陷的云服务或依赖项）

MITRE ATT&CK for Cloud：

初始访问：有效账户、利用公开应用
持久化：账户操纵、创建IAM用户
权限提升：IAM策略操纵
防御规避：禁用云日志
凭证获取：代码/配置中的未受保护凭证
发现：云服务发现
横向移动：使用替代身份认证材料
渗出：将数据转移到云账户

步骤5 - 漏洞（云上下文）：

缺乏云安全专业知识
本地思维（聚焦边界，而非零信任）
不清晰的云IAM策略
无云配置管理（未使用IaC）
无云安全态势管理（CSPM）

步骤6 - 控制措施评估（共享责任模型）：

AWS责任（云的安全）：

物理安全
虚拟机监控程序安全
网络基础设施

客户责任（云中的安全）：

IAM与访问控制
数据加密
网络配置（VPC、安全组）
应用安全
合规

提议的控制措施：

身份与访问管理：

实现带有SCPs（服务控制策略）的AWS Organizations
为所有用户强制MFA
使用IAM角色，而非长期凭证
最小权限原则
定期访问评审

网络安全：

带有公有/私有子网的VPC设计
安全组（有状态防火墙）
NACLs（无状态防火墙）
Web应用使用AWS WAF
VPC Flow Logs用于监控

数据保护：

静态加密（S3、EBS、RDS使用KMS）
传输加密（TLS）
S3桶策略（阻止公共访问）
数据分类与处理

监控与检测：

AWS CloudTrail（API日志）
AWS GuardDuty（威胁检测）
AWS Security Hub（聚合发现）
AWS Config（配置合规）
SIEM集成

事件响应：

云特定IR剧本
使用Lambda自动化响应
快照与法医流程
AWS支持参与计划

合规：

AWS Artifact（合规报告）
AWS Config规则（持续合规）
HIPAA/PCI-DSS要求的加密
数据驻留（区域选择）

步骤7 - 风险分析：

高风险：

配置错误的S3桶（可能性：高，影响：高 - 数据泄露）
被攻陷的IAM凭证（可能性：中，影响：高）
监控不足（可能性：高，影响：中 - 检测延迟）

中风险：

网络分段不足（可能性：中，影响：中）
缺乏云专业知识（可能性：高，影响：中 - 配置错误）

步骤8 - 检测与响应：

在所有区域与账户部署GuardDuty
集中化CloudTrail日志
配置Security Hub与Config
创建云特定告警（异常API调用、IAM变更、公开S3桶）
开发云事件响应剧本

步骤9 - 建议（云迁移安全路线图）：

迁移前（第1-2个月）：

为团队提供云安全培训
设计AWS Organizations结构与账户策略
定义IAM策略与政策
设计VPC架构与网络分段
选择并实施CSPM工具
建立云安全基线（CIS AWS基础基准）

迁移期间（第3-12个月）：

对所有资源使用基础设施即代码（Terraform/CloudFormation）
在CI/CD中自动化安全检查（SAST、DAST、IaC扫描）
强制静态与传输加密
实现最小权限IAM
启用所有云原生安全服务（GuardDuty、Security Hub、Config、CloudTrail）
生产部署前进行安全测试

迁移后（持续）：

持续合规监控
定期IAM访问评审
云安全态势评估
云环境渗透测试
云IR场景桌面演练

步骤10 - 合规：

利用AWS合规认证（SOC 2、ISO 27001、PCI-DSS）
使用AWS Artifact获取审计证据
实施AWS Config规则以持续合规
记录共享责任矩阵

步骤11 - 综合：

云安全需要不同思维（零信任、身份中心、API驱动）
共享责任模型至关重要——必须保护AWS未覆盖的部分
主要风险：配置错误、IAM漏洞、监控不足
机遇：云原生安全服务、自动化、可扩展性
成功因素：培训、最小权限、纵深防御、监控、IaC
建议：继续迁移，但并行实施安全路线图

Reference Materials (Expandable)

参考资料（可扩展）

Essential Organizations and Resources

重要组织与资源

NIST (National Institute of Standards and Technology)

NIST（美国国家标准与技术研究院）

Cybersecurity Framework: https://www.nist.gov/cyberframework
SP 800 Series: Security and privacy controls, risk management
National Vulnerability Database (NVD): https://nvd.nist.gov/

网络安全框架：https://www.nist.gov/cyberframework
SP 800系列：安全与隐私控制措施、风险管理
国家漏洞数据库（NVD）：https://nvd.nist.gov/

CISA (Cybersecurity and Infrastructure Security Agency)

CISA（网络安全与基础设施安全局）

Alerts and Advisories: https://www.cisa.gov/topics/cyber-threats-and-advisories
Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Resources: Free tools, training, best practices

告警与建议：https://www.cisa.gov/topics/cyber-threats-and-advisories
已知被利用漏洞目录：https://www.cisa.gov/known-exploited-vulnerabilities-catalog
资源：免费工具、培训、最佳实践

MITRE

ATT&CK Framework: https://attack.mitre.org/
CVE Program: https://www.cve.org/
CAPEC: Common Attack Pattern Enumeration and Classification

ATT&CK框架：https://attack.mitre.org/
CVE计划：https://www.cve.org/
CAPEC：常见攻击模式枚举与分类

OWASP (Open Web Application Security Project)

OWASP（开放Web应用安全项目）

Top 10: https://owasp.org/www-project-top-ten/
Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
Cheat Sheets: https://cheatsheetseries.owasp.org/

Top 10：https://owasp.org/www-project-top-ten/
测试指南：https://owasp.org/www-project-web-security-testing-guide/
** cheat sheets**：https://cheatsheetseries.owasp.org/

SANS Institute

Internet Storm Center: https://isc.sans.edu/
Reading Room: Thousands of security papers
Critical Security Controls: https://www.cisecurity.org/controls

互联网风暴中心：https://isc.sans.edu/
阅览室：数千份安全论文
关键安全控制措施：https://www.cisecurity.org/controls

Key Standards and Frameworks

关键标准与框架

ISO/IEC 27001: Information Security Management System ISO/IEC 27002: Information Security Controls PCI-DSS: Payment Card Industry Data Security Standard HIPAA: Health Insurance Portability and Accountability Act (Security Rule) SOC 2: Service Organization Control 2 (Trust Services Criteria) GDPR: General Data Protection Regulation NIST SP 800-53: Security and Privacy Controls CIS Controls: Center for Internet Security Critical Security Controls FedRAMP: Federal Risk and Authorization Management Program

ISO/IEC 27001：信息安全管理系统 ISO/IEC 27002：信息安全控制措施 PCI-DSS：支付卡行业数据安全标准 HIPAA：健康保险流通与责任法案（安全规则） SOC 2：服务组织控制2（信任服务准则） GDPR：通用数据保护条例 NIST SP 800-53：安全与隐私控制措施 CIS控制措施：互联网安全中心关键安全控制措施 FedRAMP：联邦风险与授权管理计划

Vulnerability Databases

漏洞数据库

National Vulnerability Database (NVD): https://nvd.nist.gov/
CVE: https://www.cve.org/
Exploit-DB: https://www.exploit-db.com/
VulnDB: https://vulndb.cyberriskanalytics.com/

国家漏洞数据库（NVD）：https://nvd.nist.gov/
CVE：https://www.cve.org/
Exploit-DB：https://www.exploit-db.com/
VulnDB：https://vulndb.cyberriskanalytics.com/

Threat Intelligence Sources

威胁情报来源

CISA Alerts: https://www.cisa.gov/news-events/cybersecurity-advisories
US-CERT: https://www.cisa.gov/uscert
Threat Intelligence Platforms: Recorded Future, Mandiant, CrowdStrike
Open Source: AlienVault OTX, MISP, threat feeds

CISA告警：https://www.cisa.gov/news-events/cybersecurity-advisories
US-CERT：https://www.cisa.gov/uscert
威胁情报平台：Recorded Future、Mandiant、CrowdStrike
开源：AlienVault OTX、MISP、威胁feed

Security Tools and Platforms

安全工具与平台

Vulnerability Scanning: Nessus, Qualys, Rapid7 InsightVM SAST: SonarQube, Checkmarx, Veracode DAST: Burp Suite, OWASP ZAP, Acunetix SIEM: Splunk, Elastic, Sentinel, Chronicle EDR: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint CSPM: Prisma Cloud, Wiz, Orca Security

漏洞扫描：Nessus、Qualys、Rapid7 InsightVM SAST：SonarQube、Checkmarx、Veracode DAST：Burp Suite、OWASP ZAP、Acunetix SIEM：Splunk、Elastic、Sentinel、Chronicle EDR：CrowdStrike、SentinelOne、Microsoft Defender for Endpoint CSPM：Prisma Cloud、Wiz、Orca Security

Certifications

认证

CISSP: Certified Information Systems Security Professional
CISM: Certified Information Security Manager
CEH: Certified Ethical Hacker
OSCP: Offensive Security Certified Professional
GCIH: GIAC Certified Incident Handler
Security+: CompTIA Security+

CISSP：注册信息系统安全专家
CISM：注册信息安全经理
CEH：注册道德黑客
OSCP：Offensive Security Certified Professional
GCIH：GIAC注册事件处理师
Security+：CompTIA Security+

Communities and Resources

社区与资源

r/netsec: https://www.reddit.com/r/netsec/
Krebs on Security: https://krebsonsecurity.com/
Schneier on Security: https://www.schneier.com/
Dark Reading: https://www.darkreading.com/
The Hacker News: https://thehackernews.com/

r/netsec：https://www.reddit.com/r/netsec/
Krebs on Security：https://krebsonsecurity.com/
Schneier on Security：https://www.schneier.com/
Dark Reading：https://www.darkreading.com/
The Hacker News：https://thehackernews.com/

Verification Checklist

验证清单

Common Pitfalls to Avoid

需避免的常见陷阱

Pitfall 1: Checklist Compliance Without Risk Context

Problem: Following compliance requirements without understanding actual risks
Solution: Risk-based approach—understand threats and business context, not just checkboxes

Pitfall 2: Perimeter-Only Security

Problem: Assuming network perimeter protects everything inside
Solution: Defense-in-depth and zero-trust—assume breach, protect assets themselves

Pitfall 3: Alert Fatigue and False Positives

Problem: Too many low-quality alerts overwhelm responders
Solution: Tune detections, prioritize high-fidelity alerts, automate response where possible

Pitfall 4: Ignoring Human Element

Problem: Focus only on technical controls, ignore social engineering and insider threats
Solution: Include security awareness, privileged user monitoring, insider threat programs

Pitfall 5: Point-in-Time Assessment

Problem: One-time security review without continuous monitoring
Solution: Continuous security—ongoing monitoring, vulnerability management, threat intelligence

Pitfall 6: Vulnerability Scoring Without Context

Problem: Prioritizing by CVSS alone without considering exploitability or business context
Solution: Risk-based prioritization—consider threat intelligence, exploitability, asset criticality

Pitfall 7: Security as Blocker

Problem: Security seen as obstacle to business objectives
Solution: Enable business securely—balance risk and business value, provide secure alternatives

Pitfall 8: Ignoring Supply Chain and Third Parties

Problem: Focus only on first-party systems, ignore dependencies
Solution: Supply chain risk management—assess third-party security, dependency vulnerabilities

陷阱1：无风险上下文的清单合规

问题：仅遵循合规要求，不理解实际风险
解决方案：基于风险的方法——理解威胁与业务上下文，而非仅勾选框

陷阱2：仅依赖边界安全

问题：假设网络边界可保护内部所有内容
解决方案：纵深防御与零信任——假设已被攻破，保护资产本身

陷阱3：告警疲劳与误报

问题：过多低质量告警淹没响应者
解决方案：调优检测、优先处理高保真告警、尽可能自动化响应

陷阱4：忽视人员因素

问题：仅关注技术控制措施，忽视社会工程与内部威胁
解决方案：包含安全意识培训、特权用户监控、内部威胁计划

陷阱5：一次性评估

问题：仅进行一次安全评审，无持续监控
解决方案：持续安全——持续监控、漏洞管理、威胁情报

陷阱6：无上下文的漏洞评分

问题：仅按CVSS优先排序，不考虑可利用性或业务上下文
解决方案：基于风险的优先排序——考虑威胁情报、可利用性、资产重要性

陷阱7：安全作为障碍

问题：安全被视为业务目标的障碍
解决方案：安全赋能业务——平衡风险与业务价值，提供安全替代方案

陷阱8：忽视供应链与第三方

问题：仅关注自有系统，忽视依赖项
解决方案：供应链风险管理——评估第三方安全、依赖项漏洞

Success Criteria

成功标准

Integration with Other Analysts

与其他分析师的集成

Cybersecurity analysis complements other perspectives:

Computer Scientist: Deep technical understanding of systems and code
Lawyer: Legal implications of breaches, regulatory compliance requirements
Economist: Cost-benefit analysis of security investments, cyber insurance
Psychologist: Human behavior, social engineering, security culture
Political Scientist: Nation-state threats, geopolitical cyber conflict, policy

Cybersecurity is particularly strong on:

Threat modeling and risk assessment
Vulnerability analysis
Defense-in-depth design
Incident detection and response
Compliance and standards

网络安全分析补充其他视角：

计算机科学家：系统与代码的深度技术理解
律师：数据泄露的法律影响、监管合规要求
经济学家：安全投资的成本效益分析、网络保险
心理学家：人类行为、社会工程、安全文化
政治科学家：国家威胁、地缘政治网络冲突、政策

网络安全尤其擅长：

威胁建模与风险评估
漏洞分析
纵深防御设计
事件检测与响应
合规与标准

Continuous Improvement

持续改进

This skill evolves through:

New threat actor TTPs and attack techniques
Emerging vulnerabilities and exploits
Evolution of security technologies and practices
Lessons learned from security incidents
Updates to frameworks and standards
Cross-disciplinary security research

Skill Status: Complete - Comprehensive Cybersecurity Analysis Capability Quality Level: High - Enterprise-grade security analysis with modern frameworks Token Count: ~8,500 words (target 6-10K tokens)

此技能通过以下方式演进：

新威胁主体TTPs与攻击技术
新兴漏洞与利用
安全技术与实践的演变
安全事件的经验教训
框架与标准的更新
跨学科安全研究

技能状态：完成 - 全面网络安全分析能力 质量级别：高 - 企业级安全分析，使用现代框架 令牌计数：约8,500字（目标6-10K令牌）