News About John X. Wang

Attack Tree and Attack Net for Penetration Testing

Dec 04, 2019

    Penetration testing involves teams who conduct technical and process hacks. Web application penetration testing, for example, enlists hackers to find out how and where they can achieve an infiltration. Within the Software Development Life Cycle (SDLC), penetration testing is vital for discovering vulnerabilities, and it gives teams across an organization an accurate measurement of the organization’s security posture. The cybersecurity posture of an organization refers to its overall strength in protecting the vulnerabilities of its attack surface against outside threats.

    Penetration testers will try to break into an application, whether in testing or in production. Once completed, penetration testing provides the information and documentation needed to prove to regulatory bodies that an enterprise is taking steps to achieve a secure environment. Every pen test is different, depending on the individuals performing it, their approaches, mindsets and capabilities, and the tools involved.

    Why Are Penetration Tests Important?

    Penetration tests not only send a message that an organization is doing what it can to ensure the security of its private and confidential data; they also help DevSecOps teams to better understand the dynamics of hacks, including how bad actors can compromise an IT ecosystem’s attack surface.

    Pen testing services help security teams to identify areas for improvement and to prioritize threat mitigation strategies. Penetration testing can yield surprising results and can help organizations to better understand the different attack vectors that can compromise data. For example, within a web application security testing exercise, pen testers will find as many ways as possible to attack the various parts of the application. This gives SDLC teams a vulnerability perspective that is closer to the attacker’s point of view – think like a hacker, if you will.

    Penetration Attack Tree Model Oriented to Attack Resistance Test

    Security testing and penetration testing are guided by the threat model. A good threat model is a blueprint for a penetration test. Additionally, relevant Tactics, Techniques and Procedures (TTPs) and/or targeting data available from threat intelligence must be included in testing activities.

    • The attack model is the foundation for organizing and implementing attacks against the target system in an Attack Resistance Test.

    • By redefining the nodes of the attack tree model and describing the relations between attack tree nodes, we build a penetration attack tree model which can describe, organize, classify, manage and schedule the attacks for an Attack Resistance Test.

    • We can then design a penetration attack system whose attack scheme is an instance of applying the model.

    Alternative to Attack Tree: Attack Net Penetration Testing

    The modeling of penetration testing as a Petri net is surprisingly useful. It retains key advantages of the flaw hypothesis and attack tree approaches while providing some new benefits. Penetration testing is a critical step in the development of any secure product or system. While many current businesses define penetration testing as the application of automated network vulnerability scanners to an operational site, true penetration testing is much more than that. Penetration testing stresses not only the operation, but also the implementation and design of a product or system.

    The development of penetration testing is a combination of art and science. The effectiveness of penetration testing depends on the skill and experience of the testers. Penetration testers need a firm grounding in the first principles of information security, but they also need an almost encyclopedic knowledge of product or system trivia that have little apparent relationship to those principles. Penetration testing also requires a special kind of insight that cannot be systematized.

    In spite of this, there are widely used process models for penetration testing. Penetration testers who follow these models make more effective use of their resources. Penetration testing process models are structured around some paradigm that organizes the discovery of potential attacks on the live system. Here we describe a process model for penetration testing that uses the Petri net as its paradigm. Surprisingly, this approach adds structure to flaw generation activities without restricting the free range of inquiry. The technique is particularly useful for organizing penetration testing by means of distributed or cooperative attacks. It also has the nice property of easily depicting both the refinement of specific attacks and attack alternatives, in a manner similar to attack trees.

    The attack net approach to penetration testing is a departure from both the flaw hypothesis model and the attack tree model; however, it retains the essential benefits of both. Any penetration testing process is unavoidably dependent upon the flaw hypothesis process model. Any valid penetration testing process model will retain many of its features and so does the attack net model.

    Nevertheless, the attack net penetration testing process brings more discipline to the brainstorming activity without restricting the free range of ideas in any way. Attack nets also provide the alternatives and refinement of the attack tree approach.

    Attack nets provide a graphical means of showing how a collection of flaws may be combined to achieve a significant system penetration. This is important because an attack net can make full use of hypothetical flaws. Attack nets can model more sophisticated attacks that combine several flaws, none of which is a threat by itself. The ability to use discovered transitions (i.e. security-relevant commands) to connect subnets allows penetration teams to communicate easily about the cumulative effects of several minor flaws.

    The separation of penetration test commands or events from the attack states or objectives also increases the descriptive power of this approach. The basic notion of an initial security relevant state, the hostile test input, and the resulting security state is captured by the minimal Petri net representation.

    In addition to specifying composition or refinement, attack nets can also model choices. The use of disjunctive transitions allows the movement of some tokens while other places are empty, thus modeling vulnerabilities that could be exploited in several ways or alternative attacks on a single goal.
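    The following is an added illustration, not code from this post or from any paper it draws on: a minimal attack net with places as security states and transitions as test events, where a conjunctive transition needs every input place marked (several minor flaws combined) and a disjunctive transition fires on any one marked input (alternative attacks on a single goal, the attack tree OR-node). A breadth-first reachability search over markings returns the shortest firing sequence that reaches a goal state, or reports that the goal is unreachable. All place and transition names are constructed for the example.

```python
from collections import deque

# Attack-net (Petri net) model constructed for this example; not the page's
# or any paper's code. Places are security-relevant states, transitions are
# test commands/events. Markings are 1-safe: a frozenset of marked places.

class Transition:
    def __init__(self, name, inputs, outputs, disjunctive=False):
        self.name = name
        self.inputs = frozenset(inputs)      # preconditions (places)
        self.outputs = frozenset(outputs)    # resulting security states
        self.disjunctive = disjunctive       # OR: one marked input suffices

    def enabled(self, marking):
        marked = self.inputs & marking
        return bool(marked) if self.disjunctive else marked == self.inputs

    def fire(self, marking):
        # Consume whichever input tokens are present, produce all outputs.
        return (marking - self.inputs) | self.outputs


def find_attack_path(transitions, initial, goal):
    """Breadth-first reachability: shortest firing sequence that marks `goal`,
    or None when the goal place cannot be reached from `initial`."""
    start = frozenset(initial)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        marking, path = queue.popleft()
        if goal in marking:
            return path
        for t in transitions:
            if t.enabled(marking):
                nxt = t.fire(marking)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [t.name]))
    return None


# Constructed sample net: two alternative footholds (disjunctive transition),
# then two minor flaws that only matter together (conjunctive transition).
ATTACK_NET = [
    Transition("obtain_web_foothold",
               ["weak_default_password", "anonymous_upload_allowed"],
               ["web_foothold"], disjunctive=True),
    Transition("escalate_to_user_shell", ["web_foothold"], ["user_shell"]),
    Transition("abuse_writable_scheduled_task",
               ["user_shell", "writable_scheduled_task"], ["admin_access"]),
]
```

    Starting from either foothold flaw plus the writable scheduled task, the search returns the three-step path to `admin_access`; starting from any one of those flaws alone it returns `None`, which is the "none of which is a threat by itself" property made checkable.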


    This threat assessment’s results led to significant enhancements to the environment’s infrastructure security controls, modified key operational processes, and triggered penetration testing activities to determine the presence and magnitude of potential flaws in specific components. Beyond this, it enabled an informed risk management decision at the executive level regarding the threat and attack vector.
