News About John X. Wang

Threat Modeling using Attack Trees

    Nov 28, 2019

    What Are Attack Trees?

    A common practice for studying the risk to a business is based on risk engineering and management principles: security resources are applied to the vulnerabilities that pose the greatest risk to the business. Several processes for identifying and prioritizing risk have been proposed in the literature; one of the most effective is threat modeling. Traditional threat-modeling thinking in academia involved mostly mathematical and theoretical concepts, and the marketing literature and jargon of computer-security companies made it very hard to understand or analyze. This CRC Press News presents a practical, high-level guide to the concepts of threat modeling for engineers. Attack trees are conceptual diagrams of threats on systems and the possible attacks that realize those threats.

    Few people truly understand computer security, as illustrated by computer-security company marketing literature that touts "hacker proof software," "triple-DES security," and the like. In truth, "unbreakable" security is broken all the time, often in ways its designers never imagined. Seemingly strong cryptography gets broken, too. Attacks thought to be beyond the ability of mortal men become commonplace. And as newspapers report security bug after security bug, it becomes increasingly clear that the term "security" doesn't have meaning unless you also know things like

    • "Secure from whom?" or

    • "Secure for how long?"

    Clearly, what we need is a way to model threats against computer systems. If we can understand all the different ways in which a system can be attacked, we can likely design countermeasures to thwart those attacks. And if we can understand who the attackers are -- not to mention their abilities, motivations, and goals -- maybe we can install the proper countermeasures to deal with the real threats.

    Attack trees are conceptual diagrams showing how an asset, or target, might be attacked. Attack trees have been used in a variety of applications. In the field of information technology, they have been used to describe threats on computer systems and possible attacks to realize those threats. However, their use is not restricted to the analysis of conventional information systems.

    • They are widely used in the fields of defense and aerospace for the analysis of threats against tamper resistant electronics systems (e.g., avionics on military aircraft).

    • Attack trees are increasingly being applied to computer control systems (especially those relating to the electric power grid). Attack trees have also been used to understand threats to physical systems.

    Attack Trees: Threat Modeling Diagrams Explained

    With the severity of data breaches and cybercrime escalating, it is now more important than ever to protect the confidential information your business processes. Organizations use attack tree diagrams to better understand their attack surface - the points in technical systems and applications that are vulnerable to cyberattacks. Within the realm of IT risk management, companies visualize security threats in attack tree diagrams to better understand and mitigate risk.

    In an attack tree, the root node is the primary target of the attack against a technical system; it has no parent node. Leaf nodes make up the parts and passageways that can lead to a data breach.

    • Attack trees are useful tools for IT asset risk management.

    • They can be used to help network security professionals to gain a more comprehensive understanding of specific cyberattacks, and how cyber criminals infiltrate IT systems.

    • Attack trees are also practical for conducting risk audit analysis, helping information security managers to get to the root cause of cyberattacks and prescribe strategies to remove threats.

    Attack trees are hierarchical, graphical diagrams that show how low level hostile activities interact and combine to achieve an adversary's objectives - usually with negative consequences for the victim of the attack.

    Similar to many other types of trees (e.g., decision trees), the diagrams are usually drawn inverted, with the root node at the top of the tree and branches descending from the root.

    • The top or root node represents the attacker's overall goal.

    • The nodes at the lowest levels of the tree (leaf nodes) represent the activities performed by the attacker.

    • Nodes between the leaf nodes and the root node depict intermediate states or attacker sub-goals.

    • Although the attacker may cause harm or damage (and the victim suffer impacts) at any level of the tree, the impacts usually increase at higher levels of the tree.

    Attack Tree Example

    Goal: Gain unauthorized physical access to building
      OR 1. Unlock door with key
           OR 1. Steal key
              2. Social engineering
                 OR 1. Borrow key
                    2. Convince locksmith to unlock door
         2. Pick lock
         3. Break window
         4. Follow authorized individual into building
           OR 1. Act like you belong and follow someone else
              2. Befriend someone authorized outside a building
              3. Appear in need of assistance (such as carrying a large box)
           AND 4. Wear appropriate clothing for the location

    Attack Trees could be used to analyze problems in many different domains including but not limited to

    • Oil/gas pipelines,

    • Chemical Plants,

    • Information Technology,

    • Infrastructure, and

    • Facilities.

    However, applying Attack Trees to analyze problems we are familiar with may be overkill. For instance, attacks which happen frequently (such as house break-ins) are well understood and intuitive.

    • Attack Trees are typically applied for architecture risk analysis and hence may describe attacks for specific protocols that appear in the architecture.

    • An Attack Tree for requirements engineering might start with the risks identified during a preliminary risk analysis and be refined by the analysis of the concept of operations.

    While the generation of an Attack Tree can be done incrementally and be refined by multiple contributors, there is no guarantee of completeness. Often attacker-specific information is a best guess. An Attack Tree can be quite detailed, and that detail increases the cost of both creation and maintenance, particularly for a large system. On the other hand, widely applicable attack trees could be shared and hence refined by a relatively large collection of experts. However, it should be noted that Attack Trees do not necessarily represent all possible attacks. The unrepresented attacks may be more prevalent as engineers deploy larger and more complex systems.
