performing-threat-landscape-assessment-for-sector

通过分析威胁行为者定向攻击模式、常见攻击向量和行业特定漏洞,开展行业特定威胁态势评估,为组织风险管理提供决策依据

9 stars

Best use case

performing-threat-landscape-assessment-for-sector is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

通过分析威胁行为者定向攻击模式、常见攻击向量和行业特定漏洞,开展行业特定威胁态势评估,为组织风险管理提供决策依据

Teams using performing-threat-landscape-assessment-for-sector should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/performing-threat-landscape-assessment-for-sector/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/performing-threat-landscape-assessment-for-sector/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/performing-threat-landscape-assessment-for-sector/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How performing-threat-landscape-assessment-for-sector Compares

Feature / Agentperforming-threat-landscape-assessment-for-sectorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

通过分析威胁行为者定向攻击模式、常见攻击向量和行业特定漏洞,开展行业特定威胁态势评估,为组织风险管理提供决策依据

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 执行行业威胁态势评估

## 概述

行业特定威胁态势评估(Threat Landscape Assessment)通过研究哪些威胁行为者针对特定行业、其惯用攻击向量和 TTP(战术、技术和程序,Tactics, Techniques, and Procedures)、常被利用的漏洞、历史事件数据及新兴威胁,分析特定行业垂直领域(医疗、金融服务、能源、政府、制造业)所面临的网络威胁环境。该评估为风险管理、安全投入优先级排序和董事会级汇报提供可落地的情报支持。

## 前置条件

- Python 3.9+,安装 `attackcti`、`requests`、`pandas`、`matplotlib` 库
- 可访问威胁情报源(AlienVault OTX、MISP、厂商报告)
- MITRE ATT&CK 知识库用于 TTP 映射
- 行业 ISAC(信息共享与分析中心,Information Sharing and Analysis Center)会员资格(FS-ISAC、H-ISAC、E-ISAC 等)
- 了解行业特定监管要求

## 核心概念

### 行业定向攻击分析

不同行业面临不同的威胁画像。金融服务面临高级国家级威胁行为者(Lazarus Group)和专注于金融欺诈的网络犯罪组织。医疗行业面临利用紧迫性和遗留系统的勒索软件(Ransomware)组织。能源和关键基础设施面临具有破坏能力的国家级组织(TEMP.Veles、Sandworm)。政府部门面临以间谍活动为目的的 APT(高级持续性威胁,Advanced Persistent Threat)组织(APT29、APT28、Turla)。

### 威胁态势组成要素

全面评估包括:威胁行为者画像(针对该行业的组织)、攻击向量分析(观测到的初始访问方法)、TTP 映射(该行业常见技术)、漏洞态势(常被利用的 CVE)、事件趋势分析(泄露频率、影响、恢复时间)及新兴威胁(新组织、演变技术、供应链风险)。

### 情报来源

行业特定情报来源包括:ISAC、政府公告(CISA、FBI、NSA)、厂商威胁报告(CrowdStrike 年度威胁报告、Mandiant M-Trends、Verizon DBIR),以及行业特定攻击的学术研究。

## 实操步骤

### 步骤 1:识别针对该行业的威胁行为者

```python
from attackcti import attack_client
import json

class SectorThreatAssessment:
    SECTOR_GROUPS = {
        "financial": ["FIN7", "FIN8", "FIN11", "Carbanak", "Lazarus Group",
                       "Cobalt Group", "TA505", "GOLD SOUTHFIELD"],
        "healthcare": ["FIN12", "Ryuk", "Conti", "Wizard Spider",
                        "GOLD ULRICK", "Vice Society"],
        "energy": ["TEMP.Veles", "Sandworm Team", "Dragonfly",
                    "XENOTIME", "ERYTHRITE", "Berserk Bear"],
        "government": ["APT29", "APT28", "Turla", "Gamaredon Group",
                        "Mustang Panda", "APT41", "Lazarus Group"],
        "manufacturing": ["APT41", "TEMP.Veles", "Dragonfly",
                           "HEXANE", "MAGNALLIUM"],
        "technology": ["APT41", "Lazarus Group", "APT10",
                        "HAFNIUM", "Winnti Group"],
    }

    def __init__(self, sector):
        self.sector = sector.lower()
        self.lift = attack_client()
        self.groups = self.lift.get_groups()
        self.assessment = {
            "sector": sector,
            "threat_actors": [],
            "common_techniques": {},
            "attack_vectors": {},
            "risk_summary": {},
        }

    def analyze_sector_actors(self):
        """分析已知针对该行业的威胁行为者。"""
        target_groups = self.SECTOR_GROUPS.get(self.sector, [])
        actor_profiles = []

        for group_name in target_groups:
            group = next(
                (g for g in self.groups
                 if g.get("name", "").lower() == group_name.lower()
                 or group_name.lower() in [a.lower() for a in g.get("aliases", [])]),
                None
            )
            if group:
                group_id = ""
                for ref in group.get("external_references", []):
                    if ref.get("source_name") == "mitre-attack":
                        group_id = ref.get("external_id", "")
                        break

                techniques = []
                if group_id:
                    techs = self.lift.get_techniques_used_by_group(group_id)
                    for t in techs:
                        for ref in t.get("external_references", []):
                            if ref.get("source_name") == "mitre-attack":
                                techniques.append({
                                    "id": ref.get("external_id", ""),
                                    "name": t.get("name", ""),
                                })
                                break

                profile = {
                    "name": group.get("name", ""),
                    "aliases": group.get("aliases", []),
                    "description": group.get("description", "")[:300],
                    "attack_id": group_id,
                    "technique_count": len(techniques),
                    "techniques": techniques[:20],
                }
                actor_profiles.append(profile)
                print(f"  [+] {group.get('name')}: {len(techniques)} 个技术")

        self.assessment["threat_actors"] = actor_profiles
        print(f"[+] 已画像 {len(actor_profiles)} 个 {self.sector} 行业威胁行为者")
        return actor_profiles

    def identify_common_techniques(self):
        """找出行业内各威胁行为者最常用的技术。"""
        from collections import Counter
        technique_counter = Counter()

        for actor in self.assessment["threat_actors"]:
            for tech in actor.get("techniques", []):
                technique_counter[f"{tech['id']}:{tech['name']}"] += 1

        common = technique_counter.most_common(20)
        self.assessment["common_techniques"] = [
            {
                "technique": tech.split(":")[0],
                "name": tech.split(":")[1] if ":" in tech else "",
                "actor_count": count,
                "actors_using": [
                    a["name"] for a in self.assessment["threat_actors"]
                    if any(t["id"] == tech.split(":")[0] for t in a.get("techniques", []))
                ],
            }
            for tech, count in common
        ]

        print(f"\n=== {self.sector.upper()} 行业高频技术 ===")
        for entry in self.assessment["common_techniques"][:10]:
            print(f"  {entry['technique']} {entry['name']}: "
                  f"{entry['actor_count']} 个组织使用")

        return self.assessment["common_techniques"]

assessment = SectorThreatAssessment("financial")
assessment.analyze_sector_actors()
assessment.identify_common_techniques()
```

### 步骤 2:分析攻击向量和初始访问

```python
def analyze_attack_vectors(assessment):
    """分析该行业常见的初始访问向量。"""
    initial_access_techniques = [
        t for t in assessment.assessment["common_techniques"]
        if t["technique"].startswith("T1566") or t["technique"].startswith("T1190")
        or t["technique"].startswith("T1133") or t["technique"].startswith("T1078")
        or t["technique"].startswith("T1195")
    ]

    # 补充已知的行业特定向量
    sector_vectors = {
        "financial": {
            "primary": ["鱼叉式钓鱼 Spearphishing (T1566)", "利用公网应用 Exploit Public-Facing App (T1190)",
                        "有效账户 Valid Accounts (T1078)", "供应链攻击 Supply Chain Compromise (T1195)"],
            "emerging": ["MFA 疲劳/推送轰炸", "二维码钓鱼(Quishing)",
                         "商业邮件攻击 BEC", "API 密钥窃取"],
        },
        "healthcare": {
            "primary": ["鱼叉式钓鱼 Spearphishing (T1566)", "利用公网应用 Exploit Public-Facing App (T1190)",
                        "外部远程服务 External Remote Services (T1133)", "有效账户 Valid Accounts (T1078)"],
            "emerging": ["IoMT 设备利用", "远程医疗平台攻击",
                         "医疗设备固件攻击", "通过 EHR 供应商的供应链攻击"],
        },
        "energy": {
            "primary": ["鱼叉式钓鱼 Spearphishing (T1566)", "利用公网应用 Exploit Public-Facing App (T1190)",
                        "外部远程服务 External Remote Services (T1133)", "供应链攻击 Supply Chain Compromise (T1195)"],
            "emerging": ["OT/ICS 协议利用", "远程访问 SCADA",
                         "工程师工作站入侵", "供应商 VPN 利用"],
        },
    }

    vectors = sector_vectors.get(assessment.sector, {})
    assessment.assessment["attack_vectors"] = vectors
    return vectors
```

### 步骤 3:生成行业威胁报告

```python
def generate_sector_report(assessment):
    data = assessment.assessment
    report = f"""# {data['sector'].title()} 行业威胁态势评估
生成时间: {__import__('datetime').datetime.now().isoformat()}

## 执行摘要
本评估分析了 {data['sector']} 行业的网络威胁态势,
识别出 {len(data['threat_actors'])} 个活跃威胁组织、其惯用技术
及推荐的防御优先级。

## 威胁行为者摘要
| 行为者 | ATT&CK ID | 技术数量 | 主要关注点 |
|-------|-----------|------------|-----------|
"""
    for actor in data["threat_actors"]:
        report += (f"| {actor['name']} | {actor['attack_id']} "
                   f"| {actor['technique_count']} | {actor['description'][:60]}... |\n")

    report += f"""
## 最常用技术
| 排名 | 技术 | 名称 | 使用的组织 |
|------|-----------|------|-------------|
"""
    for i, tech in enumerate(data.get("common_techniques", [])[:15], 1):
        actors = ", ".join(tech["actors_using"][:3])
        report += f"| {i} | {tech['technique']} | {tech['name']} | {actors} |\n"

    vectors = data.get("attack_vectors", {})
    report += f"""
## 攻击向量
### 主要向量
"""
    for v in vectors.get("primary", []):
        report += f"- {v}\n"
    report += "\n### 新兴向量\n"
    for v in vectors.get("emerging", []):
        report += f"- {v}\n"

    report += """
## 建议
1. 优先为行业定向组织使用的前 10 个技术构建检测能力
2. 以已识别的威胁行为者为蓝本开展威胁驱动型红队演练
3. 加入行业 ISAC 以实现实时威胁共享
4. 针对已识别的初始访问向量实施安全控制
5. 针对行业特定风险审查供应链安全态势
"""
    with open(f"threat_landscape_{data['sector']}.md", "w") as f:
        f.write(report)
    print(f"[+] 行业报告已保存: threat_landscape_{data['sector']}.md")

generate_sector_report(assessment)
```

## 验证标准

- 行业特定威胁行为者已识别并完成画像
- 跨行为者的共同技术已分析排序
- 目标行业的攻击向量已完成映射
- 基于近期情报识别出新兴威胁
- 已生成全面的行业威胁报告
- 建议对安全投入决策具有可操作性

## 参考资料

- [MITRE ATT&CK Groups](https://attack.mitre.org/groups/)
- [Verizon DBIR](https://www.verizon.com/business/resources/reports/dbir/)
- [CrowdStrike Global Threat Report](https://www.crowdstrike.com/global-threat-report/)
- [FS-ISAC Financial Sector](https://www.fsisac.com/)
- [H-ISAC Healthcare Sector](https://h-isac.org/)
- [CyCognito: Threat Intelligence Lifecycle](https://www.cycognito.com/learn/threat-intelligence/)

Related Skills

tracking-threat-actor-infrastructure

9
from killvxk/cybersecurity-skills-zh

威胁行为者基础设施追踪涉及使用被动 DNS、证书透明度日志、Shodan/Censys 扫描、WHOIS 分析和网络指纹技术,对对手控制的 C2 服务器、钓鱼域名和暂存服务器等资产进行监控、映射和持续追踪

profiling-threat-actor-groups

9
from killvxk/cybersecurity-skills-zh

通过聚合 TTP 文档、历史活动数据、工具指纹和来自多个情报源的归因指标,为 APT 组织、犯罪组织和黑客活动组织开发全面的威胁行为者画像。适用于就行业特定威胁向管理层汇报、更新威胁模型假设,或针对特定对手优先部署防御控制措施。当涉及 MITRE ATT&CK 组织、Mandiant APT 画像、CrowdStrike 对手命名或行业特定威胁简报时激活。

performing-yara-rule-development-for-detection

9
from killvxk/cybersecurity-skills-zh

通过识别可执行文件中的唯一字节模式、字符串和行为指标,开发精准的 YARA 恶意软件检测规则,同时将误报率降至最低。

performing-wireless-security-assessment-with-kismet

9
from killvxk/cybersecurity-skills-zh

使用 Kismet 通过被动射频监控进行无线网络安全评估,检测流氓接入点(Rogue AP)、隐藏 SSID、弱加密和未授权客户端。

performing-wireless-network-penetration-test

9
from killvxk/cybersecurity-skills-zh

执行无线网络渗透测试,通过捕获握手包、破解 WPA2/WPA3 密钥、检测流氓接入点以及使用 Aircrack-ng 和相关工具测试无线网络分段,评估 WiFi 安全性。

performing-windows-artifact-analysis-with-eric-zimmerman-tools

9
from killvxk/cybersecurity-skills-zh

使用 Eric Zimmerman 的开源 EZ Tools 套件(包括 KAPE、MFTECmd、PECmd、LECmd、JLECmd 和 Timeline Explorer)执行全面的 Windows 取证制品分析,解析注册表 hive、预取文件、事件日志和文件系统元数据。

performing-wifi-password-cracking-with-aircrack

9
from killvxk/cybersecurity-skills-zh

在授权无线安全评估中捕获 WPA/WPA2 握手包,并使用 aircrack-ng、hashcat 和字典攻击进行离线密码破解, 以评估密码短语强度和无线网络安全状况。

performing-web-cache-poisoning-attack

9
from killvxk/cybersecurity-skills-zh

在授权安全测试期间,通过未纳入缓存键的头部和参数毒化缓存响应,利用 Web 缓存机制向其他用户投递恶意内容。

performing-web-cache-deception-attack

9
from killvxk/cybersecurity-skills-zh

通过利用 CDN 缓存层与源服务器之间的路径规范化差异,执行 Web 缓存欺骗攻击,从而缓存并获取敏感的已认证内容。

performing-web-application-vulnerability-triage

9
from killvxk/cybersecurity-skills-zh

使用 OWASP 风险评级方法论对 DAST/SAST 扫描器的 Web 应用程序漏洞发现进行分类,区分真阳性和假阳性,并确定修复优先级。

performing-web-application-scanning-with-nikto

9
from killvxk/cybersecurity-skills-zh

Nikto 是一款开源 Web 服务器和 Web 应用程序扫描器,可针对超过 7,000 个潜在危险文件/程序进行测试,检查超过 1,250 个服务器的过期版本,并识别超过 270 个服务器的版本特定问题。

performing-web-application-penetration-test

9
from killvxk/cybersecurity-skills-zh

遵循 OWASP Web 安全测试指南(WSTG)方法论,对 Web 应用程序执行系统化安全测试,识别认证、授权、 输入验证、会话管理和业务逻辑中的漏洞。测试人员以 Burp Suite 作为主要拦截代理,结合手动测试技术 发现自动化扫描器遗漏的缺陷。适用于 Web 应用渗透测试、OWASP 测试、应用安全评估或 Web 漏洞测试等请求场景。