Creating Vulnerability Assessment Plans

In this recipe, you’ll learn how to harness the power of ChatGPT and the OpenAI API to create comprehensive vulnerability assessment plans using network, system, and business details as input. This recipe is invaluable for both cybersecurity students and beginners looking to familiarize themselves with proper methods and tools for vulnerability assessments, as well as experienced cybersecurity professionals aiming to save time on planning and documentation.

Building upon the skills acquired in Chapter 1, you will delve deeper into establishing the system role of a cybersecurity professional specializing in vulnerability assessments. You’ll learn how to craft effective prompts that generate well-formatted output using Markdown language. This recipe will also expand on the techniques explored in the Enhancing Output with Templates (Application: Threat Report) and Formatting Output as a Table (Application: Security Controls Table) recipes in Chapter 1, enabling you to design prompts that produce the desired output format.

Finally, you’ll discover how to use the OpenAI API and Python to generate a vulnerability assessment plan, and then export it as a Microsoft Word file. This recipe will serve as a practical guide for creating detailed and efficient vulnerability assessment plans using ChatGPT and the OpenAI API.

Getting ready

Before diving into the recipe, you should already have your OpenAI account set up and obtained your API key. If not, revisit Chapter 1 for details. You will also need to be sure you have the following Python libraries installed:

1. python-docx: This library will be used to generate Microsoft Word files. You can install it using the pip install python-docx command.
2. tqdm: This library will be used to display progress bars. You can install it using the pip install tqdm command.

How to do it…

In this section, we will walk you through the process of using ChatGPT to create a comprehensive vulnerability assessment plan tailored to a specific network and organization’s needs. By providing the necessary details and using the given system role and prompt, you will be able to generate a well-structured assessment plan:

1. Begin by logging in to your ChatGPT account and navigating to the ChatGPT web UI.
2. Start a new conversation with ChatGPT by clicking the New chat button.
3. Enter the following prompt to establish a system role:

   You are a cybersecurity professional specializing in vulnerability assessment.

4. Enter the following message text, but replace the placeholders in the { } brackets with the appropriate data of your choice. You can either combine this prompt with the system role or enter it separately as follows:

   Using cybersecurity industry standards and best practices, create a complete and detailed assessment plan (not a penetration test) that includes: Introduction, outline of the process/methodology, tools needed, and a very detailed multi-layered outline of the steps. Provide a thorough and descriptive introduction and as much detail and description as possible throughout the plan. The plan should not be the only assessment of technical vulnerabilities on systems but also policies, procedures, and compliance. It should include the use of scanning tools as well as configuration review, staff interviews, and site walk-around. All recommendations should follow industry standard best practices and methods. The plan should be a minimum of 1500 words.
   Create the plan so that it is specific for the following details:
   Network Size: {Large}
   Number of Nodes: {1000}
   Type of Devices: {Desktops, Laptops, Printers, Routers}
   Specific systems or devices that need to be excluded from the assessment: {None}
   Operating Systems: {Windows 10, MacOS, Linux}
   Network Topology: {Star}
   Access Controls: {Role-based access control}
   Previous Security Incidents: {3 incidents in the last year}
   Compliance Requirements: {HIPAA}
   Business Critical Assets: {Financial data, Personal health information}
   Data Classification: {Highly confidential}
   Goals and objectives of the vulnerability assessment: {To identify and prioritize potential vulnerabilities in the network and provide recommendations for remediation and risk mitigation.}
   Timeline for the vulnerability assessment: {4 weeks{
   Team: {3 cybersecurity professionals, including a vulnerability assessment lead and two security analysts}
   Expected deliverables of the assessment: {A detailed report outlining the results of the vulnerability assessment, including identified vulnerabilities, their criticality, potential impact on the network, and recommendations for remediation and risk mitigation.}
   Audience: {The organization's IT department, senior management, and any external auditors or regulators.}
   Provide the plan using the following format and markdown language:
   #Vulnerability Assessment Plan
   ##Introduction
   Thorough Introduction to the plan including the scope, reasons for doing it, goals and objectives, and summary of the plan
   ##Process/Methodology
   Description and Outline of the process/Methodology
   ##Tools Required
   List of required tools and applications, with their descriptions and reasons needed
   ##Assessment Steps
   Detailed, multi-layered outline of the assessment steps

Hint

If you are performing this in the OpenAI Playground, it is advisable to use Chat mode and enter the role in the System window, and the prompt in the User message window.

Figure 2.1 shows the system role and user prompt entered into the OpenAI Playground:

Figure 2.1 – OpenAI Playground method

5. Review the generated output from ChatGPT. If the output is satisfactory and meets the requirements, you can proceed to the next step. If not, you can either refine your prompt or rerun the conversation to generate a new output.
6. Once you have obtained the desired output, you can use the generated Markdown to create a well-structured vulnerability assessment plan in your preferred text editor or Markdown viewer.
7. Figure 2.2 shows an example ChatGPT generation of a vulnerability assessment plan using Markdown language formatting:

Figure 2.2 – Example ChatGPT assessment plan output

How it works…

This GPT-assisted vulnerability assessment plan recipe leverages the sophistication of natural language processing (NLP) and machine learning (ML) algorithms to generate a comprehensive and detailed vulnerability assessment plan. By adopting a specific system role and an elaborate user request as a prompt, ChatGPT is able to customize its response to meet the requirements of a seasoned cybersecurity professional who is tasked with assessing an extensive network system.

Here’s a closer look at how this process works:

• System role and detailed prompt: The system role designates ChatGPT as a seasoned cybersecurity professional specializing in vulnerability assessment. The prompt, which serves as the user request, is detailed and outlines the specifics of the assessment plan, from the size of the network and types of devices to the required compliance and the expected deliverables. These inputs provide context and guide ChatGPT’s response, ensuring it is tailored to the complexities and requirements of the vulnerability assessment task.
• NLP and ML: NLP and ML form the bedrock of ChatGPT’s capabilities. It applies these technologies to understand the intricacies of the user request, learn from the patterns, and generate a well-structured vulnerability assessment plan that is detailed, specific, and actionable.
• Knowledge and language understanding capabilities: ChatGPT uses its extensive knowledge base and language understanding capabilities to conform to industry-standard methodologies and best practices. This is particularly important in the rapidly evolving field of cybersecurity, ensuring that the resulting vulnerability assessment plan is up to date and adheres to recognized standards.
• Markdown language output: The use of Markdown language output ensures that the plan is formatted in a consistent and easy-to-read manner. This format can be easily integrated into reports, presentations, and other formal documents, which is crucial when communicating the plan to IT departments, senior management, and external auditors or regulators.
• Streamlining the assessment planning process: The overall advantage of using this GPT-assisted vulnerability assessment plan recipe is that it streamlines the process of creating a comprehensive vulnerability assessment plan. You save time on planning and documentation and can generate a professional-grade assessment plan that aligns with industry standards and is tailored to the specific needs of your organization.

By applying these detailed inputs, you transform ChatGPT into a potential tool that can assist in creating a comprehensive, tailored vulnerability assessment plan. This not only bolsters your cybersecurity efforts but also ensures your resources are utilized effectively in protecting your network systems.

There’s more…

In addition to using ChatGPT to generate a vulnerability assessment plan, you can also use the OpenAI API and Python to automate the process. This approach is particularly useful when you have a large number of network configurations to assess or when you need to generate plans on a recurring basis.

The Python script we will present here reads input data from a text file and uses it to fill in the placeholders in the prompt. The resulting Markdown output can then be used to create a well-structured vulnerability assessment plan.

While the process is similar to the ChatGPT version, the use of the OpenAI API provides additional flexibility and control over the generated content. Let’s dive into the steps involved in the OpenAI API version of the vulnerability assessment plan recipe:

1. Import the necessary libraries and set up the OpenAI API:

   import openai
   from openai import OpenAI
   import os
   from docx import Document
   from tqdm import tqdm
   import threading
   import time
   from datetime import datetime
   # Set up the OpenAI API
   openai.api_key = os.getenv("OPENAI_API_KEY")

   In this section, we import the necessary libraries, such as openai, os, docx, tqdm, threading, time, and datetime. We also set up the OpenAI API by providing the API key.

2. Read user input data from a text file:

   def read_user_input_file(file_path: str) -> dict:
       user_data = {}
       with open(file_path, 'r') as file:
           for line in file:
               key, value = line.strip().split(':')
               user_data[key.strip()] = value.strip()
       return user_data
   user_data_file = "assessment_data.txt"
   user_data = read_user_input_file(user_data_file)

   Here, we define a read_user_input_file function that reads the user input data from a text file and stores it in a dictionary. We then call this function with the assessment_data.txt file to obtain the user_data dictionary.

3. Generate a vulnerability assessment plan using the OpenAI API:

Important note

The …' notation signifies that we will fill in this section of code in a later step.

def generate_report(network_size,
                    number_of_nodes,
                    type_of_devices,
                    special_devices,
                    operating_systems,
                    network_topology,
                    access_controls,
                    previous_security_incidents,
                    compliance_requirements,
                    business_critical_assets,
                    data_classification,
                    goals,
                    timeline,
                    team,
                    deliverables,
                    audience: str) -> str:
    # Define the conversation messages
    messages = [ ... ]
    client = OpenAI()
# Call the OpenAI API
response = client.chat.completions.create( ... )
    # Return the generated text
    return response.choices[0].message.content.strip()

In this code block, we define a generate_report function, which takes the user input data and calls the OpenAI API to generate the vulnerability assessment plan. The function returns the generated text.

4. Define the API messages:

   # Define the conversation messages
   messages = [
       {"role": "system", "content": "You are a cybersecurity professional specializing in vulnerability assessment."},
       {"role": "user", "content": f'Using cybersecurity industry standards and best practices, create a complete and detailed assessment plan ... Detailed outline of the assessment steps'}
   ]
   client = OpenAI()
   # Call the OpenAI API
   response = client.chat.completions.create(
       model="gpt-3.5-turbo",
       messages=messages,
       max_tokens=2048,
       n=1,
       stop=None,
       temperature=0.7,
   )
   # Return the generated text
   return return response.choices[0].message.content.strip()

   In the conversation messages, we define two roles: system and user. The system role is used to set the context for the AI model, informing it that it’s a cybersecurity professional specializing in vulnerability assessment. The user role provides the instructions for the AI, which include generating a detailed vulnerability assessment plan based on industry standards, best practices, and user-supplied data.

   The system role helps set the stage for the AI, while the user role guides the AI in its content generation. This approach follows a similar pattern to the ChatGPT UI section we discussed earlier, where we provided an initial message to the AI to set the context.

   For more information on sending API requests and handling responses, please refer to the Sending API Requests and Handling Responses with Python recipe in Chapter 1. This recipe provides a deeper understanding of interacting with the OpenAI API, including how to structure requests and process the generated content.

5. Convert the generated Markdown text to a Word document:

   def markdown_to_docx(markdown_text: str, output_file: str):
       document = Document()
       # Iterate through the lines of the markdown text
       for line in markdown_text.split('\n'):
           # Add headings and paragraphs based on the markdown formatting
           ...
       # Save the Word document
       document.save(output_file)

   The markdown_to_docx function converts the generated Markdown text to a Word document. It iterates through the lines of the Markdown text, adding headings and paragraphs based on the Markdown formatting, and saves the resulting Word document.

6. Display the elapsed time while waiting for the API call:

   def display_elapsed_time():
       start_time = time.time()
       while not api_call_completed:
           elapsed_time = time.time() - start_time
           print(f"\rCommunicating with the API - Elapsed time: {elapsed_time:.2f} seconds", end="")
           time.sleep(1)

   The display_elapsed_time function is used to display the elapsed time while waiting for the API call to complete. It uses a loop to print the elapsed time in seconds.

7. Write the main function:

   current_datetime = datetime.now().strftime('%Y-%m-%d_%H-%M-%S')
   assessment_name = f"Vuln_ Assessment_Plan_{current_datetime}"
   api_call_completed = False
   elapsed_time_thread = threading.Thread(target=display_elapsed_time)
   elapsed_time_thread.start()
   try:
       # Generate the report using the OpenAI API
       report = generate_report(
       user_data["Network Size"],
       user_data["Number of Nodes"],
       user_data["Type of Devices"],
       user_data["Specific systems or devices that need to be excluded from the assessment"],
       user_data["Operating Systems"],
       user_data["Network Topology"],
       user_data["Access Controls"],
       user_data["Previous Security Incidents"],
       user_data["Compliance Requirements"],
       user_data["Business Critical Assets"],
       user_data["Data Classification"],
       user_data["Goals and objectives of the vulnerability assessment"],
       user_data["Timeline for the vulnerability assessment"],
       user_data["Team"],
       user_data["Expected deliverables of the assessment"],
       user_data["Audience"]
       )
       api_call_completed = True
       elapsed_time_thread.join()
   except Exception as e:
       api_call_completed = True
       elapsed_time_thread.join()
       print(f"\nAn error occurred during the API call: {e}")
       exit()
   # Save the report as a Word document
   docx_output_file = f"{assessment_name}_report.docx"
   # Handle exceptions during the report generation
   try:
       with tqdm(total=1, desc="Generating plan") as pbar:
           markdown_to_docx(report, docx_output_file)
           pbar.update(1)
       print("\nPlan generated successfully!")
   except Exception as e:
       print(f"\nAn error occurred during the plan generation: {e}")

   In the main part of the script, we start by defining an assessment_name function based on the current date and time. We then use threading to display the elapsed time while making the API call. The script calls the generate_report function with the user data as arguments, and upon successful completion, it saves the generated report as a Word document using the markdown_to_docx function. The progress is displayed using the tqdm library. If any errors occur during the API call or report generation, they are displayed to the user.

Hint

You can swap out the chat-3.5-turbo model with the GPT-4 model, if you are a ChatGPT Plus subscriber, for often improved results. In fact, GPT-4 is capable of generating a much longer and more detailed generation and/or document. Just keep in mind that the GPT-4 model is a bit more expensive than the chat-3.5-turbo model.

Here is how the completed script should look:

import openai
from openai import OpenAI
import os
from docx import Document
from tqdm import tqdm
import threading
import time
from datetime import datetime
# Set up the OpenAI API
openai.api_key = os.getenv("OPENAI_API_KEY")
current_datetime = datetime.now().strftime('%Y-%m-%d_%H-%M-%S')
assessment_name = f"Vuln_Assessment_Plan_{current_datetime}"
def read_user_input_file(file_path: str) -> dict:
    user_data = {}
    with open(file_path, 'r') as file:
        for line in file:
            key, value = line.strip().split(':')
            user_data[key.strip()] = value.strip()
    return user_data
user_data_file = "assessment_data.txt"
user_data = read_user_input_file(user_data_file)
# Function to generate a report using the OpenAI API
def generate_report(network_size,
                    number_of_nodes,
                    type_of_devices,
                    special_devices,
                    operating_systems,
                    network_topology,
                    access_controls,
                    previous_security_incidents,
                    compliance_requirements,
                    business_critical_assets,
                    data_classification,
                    goals,
                    timeline,
                    team,
                    deliverables,
                    audience: str) -> str:
    # Define the conversation messages
    messages = [
        {"role": "system", "content": "You are a cybersecurity professional specializing in vulnerability assessment."},
        {"role": "user", "content": f'Using cybersecurity industry standards and best practices, create a complete and detailed assessment plan (not a penetration test) that includes: Introduction, outline of the process/methodology, tools needed, and a very detailed multi-layered outline of the steps. Provide a thorough and descriptive introduction and as much detail and description as possible throughout the plan. The plan should not only assessment of technical vulnerabilities on systems but also policies, procedures, and compliance. It should include the use of scanning tools as well as configuration review, staff interviews, and site walk-around. All recommendations should follow industry standard best practices and methods. The plan should be a minimum of 1500 words.\n\
        Create the plan so that it is specific for the following details:\n\
        Network Size: {network_size}\n\
        Number of Nodes: {number_of_nodes}\n\
        Type of Devices: {type_of_devices}\n\
        Specific systems or devices that need to be excluded from the assessment: {special_devices}\n\
        Operating Systems: {operating_systems}\n\
        Network Topology: {network_topology}\n\
        Access Controls: {access_controls}\n\
        Previous Security Incidents: {previous_security_incidents}\n\
        Compliance Requirements: {compliance_requirements}\n\
        Business Critical Assets: {business_critical_assets}\n\
        Data Classification: {data_classification}\n\
        Goals and objectives of the vulnerability assessment: {goals}\n\
        Timeline for the vulnerability assessment: {timeline}\n\
        Team: {team}\n\
        Expected deliverables of the assessment: {deliverables}\n\
        Audience: {audience}\n\
        Provide the plan using the following format and observe the markdown language:\n\
        #Vulnerability Assessment Plan\n\
        ##Introduction\n\
        Introduction\n\
        ##Process/Methodology\n\
        Outline of the process/Methodology\n\
        ##Tools Required\n\
        List of required tools and applications\n\
        ##Assessment Steps\n\
        Detailed outline of the assessment steps'}
    ]
    client = OpenAI()
    # Call the OpenAI API
    response = client.chat.completions.create(
        model="gpt-3.5-turbo",
        messages=messages,
        max_tokens=2048,
        n=1,
        stop=None,
        temperature=0.7,
    )
    # Return the generated text
    return response.choices[0].message.content.strip()
# Function to convert markdown text to a Word document
def markdown_to_docx(markdown_text: str, output_file: str):
    document = Document()
    # Iterate through the lines of the markdown text
    for line in markdown_text.split('\n'):
        # Add headings based on the markdown heading levels
        if line.startswith('# '):
            document.add_heading(line[2:], level=1)
        elif line.startswith('## '):
            document.add_heading(line[3:], level=2)
        elif line.startswith('### '):
            document.add_heading(line[4:], level=3)
        elif line.startswith('#### '):
            document.add_heading(line[5:], level=4)
        # Add paragraphs for other text
        else:
            document.add_paragraph(line)
    # Save the Word document
    document.save(output_file)
# Function to display elapsed time while waiting for the API call
def display_elapsed_time():
    start_time = time.time()
    while not api_call_completed:
        elapsed_time = time.time() - start_time
        print(f"\rCommunicating with the API - Elapsed time: {elapsed_time:.2f} seconds", end="")
        time.sleep(1)
api_call_completed = False
elapsed_time_thread = threading.Thread(target=display_elapsed_time)
elapsed_time_thread.start()
# Handle exceptions during the API call
try:
    # Generate the report using the OpenAI API
    report = generate_report(
    user_data["Network Size"],
    user_data["Number of Nodes"],
    user_data["Type of Devices"],
    user_data["Specific systems or devices that need to be excluded from the assessment"],
    user_data["Operating Systems"],
    user_data["Network Topology"],
    user_data["Access Controls"],
    user_data["Previous Security Incidents"],
    user_data["Compliance Requirements"],
    user_data["Business Critical Assets"],
    user_data["Data Classification"],
    user_data["Goals and objectives of the vulnerability assessment"],
    user_data["Timeline for the vulnerability assessment"],
    user_data["Team"],
    user_data["Expected deliverables of the assessment"],
    user_data["Audience"]
    )
    api_call_completed = True
    elapsed_time_thread.join()
except Exception as e:
    api_call_completed = True
    elapsed_time_thread.join()
    print(f"\nAn error occurred during the API call: {e}")
    exit()
# Save the report as a Word document
docx_output_file = f"{assessment_name}_report.docx"
# Handle exceptions during the report generation
try:
    with tqdm(total=1, desc="Generating plan") as pbar:
        markdown_to_docx(report, docx_output_file)
        pbar.update(1)
    print("\nPlan generated successfully!")
except Exception as e:
    print(f"\nAn error occurred during the plan generation: {e}")

This script automates the process of generating a vulnerability assessment plan by using the OpenAI API in conjunction with Python. It starts by importing the necessary libraries and setting up the OpenAI API. It then reads user input data from a text file (the file path is stored as a user_data_file string) and then stores this data in a dictionary for easy access.

The core of the script is the function that generates the vulnerability assessment plan. It leverages the OpenAI API to create a detailed report based on the user input data. The conversation with the API is formatted with both system and user roles to guide the generation process effectively.

Once the report is generated, it is converted from Markdown text to a Word document, providing a well-structured, readable output. To provide user feedback during the process, the script includes a function that displays the elapsed time while the API call is being made.

Finally, the script’s main function ties everything together. It initiates the process of generating the report using the OpenAI API, shows the elapsed time during the API call, and finally, converts the generated report to a Word document. If any errors occur during the API call or the document generation, they are handled and displayed to the user.