Defenders have always tried to anticipate the behavior of their adversaries in order to thwart attacks or reduce the damage they will cause. Historically, this process has been done primarily through intuition. Although it is difficult to identify all of the factors that lead to intuition, it would seem to be based principally on an individual’s experiences, and the ability to extrapolate how those experiences apply to new situations. Obviously the accuracy of the intuition will depend heavily on the breadth of the analyst’s experience and their powers of reasoning. Even if an individual can be found who possesses excellent intuition, it is almost impossible to transfer this knowledge to anyone else, or even to capture and explain the reasoning behind their understanding.
The field of security is not unique in its use of intuition. Most engineering disciplines began in similar fashion. People built bridges, buildings, and other structures for thousands of years without the use of sophisticated analytic techniques. However, mastery of more advanced design processes allowed some societies to build dramatically larger and more complex structures. Modern skyscrapers are certainly an example of this and some claim that ancient Egyptians also used advanced mathematics to create the pyramids. The application of comparable processes to the field of security should likewise provide more effective and elegant defense mechanisms.
Attack trees are a graphical and mathematical construct used to
- Identify potential hostile activities that pose the greatest risk to the defender;
- Determine effective (and cost effective) strategies for reducing the defender’s risk to an acceptable level;
- Describe the potential interactions between the adversary and the defender;
- Provide a communication mechanism for security analysts;
- Capture what is known (facts) and believed (assumptions) about the system and its adversaries, and store the information in a form that can subsequently be retrieved and understood by others.
These qualities make attack trees applicable to security problems in a wide range of fields including: information technology, telecommunications, critical infrastructure, health care, finance, aerospace, intelligence, and defense.
It is desirable to understand whether a potential attack is a valid concern to the defender. One method of making this assessment is to consider each approach for attacking the system with respect to the perpetrator’s capabilities and motivations. Each attack can be analyzed separately with the premise that
IF they want to AND they can THEN they will.
The attacker must have both the capability (the “can”) and the motivation (the “want to”) to carry out a particular attack in order for it to occur.
Capability refers to the adversary possessing sufficient resources to exploit the defender’s vulnerabilities and to overcome the target’s defenses. The amount and type of resources required often differ depending on the particular attack employed by the attacker. Motivation stems from the benefits that the attacker hopes to accomplish by carrying out an attack. That is, the motivation of the adversary is related to their belief that they will gain more value than the resources they will spend to obtain it. Capability and motivation work together to determine the probability of each type of attack.
A notation is needed to succinctly describe the attacks under consideration. One mechanism is the attack tree model.
Attack tree models
Attack tree models are graphical diagrams representing the choices and goals available to an attacker. Attack tree models are a type of mathematical tree and are similar to other decision tree diagrams. They use Boolean AND/OR logic to describe the relationships between possible steps in an attack.
To create an attack tree, an analyst first defines a top level, graphical node that represents the overall objective of the adversary (and what the defender wishes to prevent). There are usually several different approaches the attacker might use to achieve their high-level goal. The distinct approaches are represented in an attack tree by denoting the high-level goal to be a Boolean OR node and placing sub-nodes (children) and/or sub-trees beneath the parent OR.
The diagram below shows alternatives A, B, and C–any of which could be used to achieve the Attacker’s High-Level Goal. That is, the high-level goal can be achieved by performing the activity represented by child A, OR by the activity of child B, OR by activity C (and so forth).
In other cases attaining a goal requires that a sequence of steps (E, F, G, …) all be carried out. This is represented by designating the high-level goal to be an AND node. Achieving the high-level goal requires that the activities represented by child E, child F, child G and so forth all be carried out (as shown below).
Decomposition continues until the model is sufficiently detailed to describe the exact operations that the adversary will need to perform (represented in the diagrams by the gray rectangles known as leaf nodes). Subject matter experts then provide estimates of the resources (money, time, technical ability, etc.) that will be needed to perform the low level operations. Each minimal set of attacker leaf node activities that result in the top level goal being realized represents a particular attack or attack scenario. Associated with each attack scenario is a set of attacker resource requirements, attacker benefits, and the potential damage to the defender. Loosely speaking, this describes how hard the attack will be to perform and how worthwhile it will be for the adversary.
Strictly speaking, an attack tree only describes ways of exploiting vulnerabilities in a defender’s system. While this is interesting, it does not establish which of the vulnerabilities are likely to be exploited. By itself, the attack tree provides little information as to the probability of any given attack. Understanding whether an attack will occur requires that we understand the adversary and their interaction with the system.
Different attacks may be more or less suited to different adversaries. Are they rich or poor, smart or untrained, daring or timid? What types of benefits attract them? Attacks that are beyond the capability of the adversary or that bring few rewards are unlikely to occur. Conversely, attacks with favorable cost-benefit ratios are appealing and more likely to occur. Comparing the attacker’s characteristics with the attack tree model is essential to understanding attack probability.
Analysis would also be incomplete if it did not also take into account the attack’s effect on the defender. Risk is a combination of the probability that an event will occur and the damage that it will cause. Therefore, an estimate of the victim impact is an essential part of understanding risk. The attack tree model can be enhanced to show the impact incurred as the adversary attains each goal in the attack tree model. This allows the analyst to determine the overall impact for each of the attack scenarios identified during the comparison of adversary and system vulnerabilities.
Calculating the probability and victim impact corresponding to each attack scenario allows the defender to identify the attacks that exceed their risk tolerance. Countermeasures can be incorporated into the models and their effect on the adversary’s behavior studied. This makes it possible to know whether a countermeasure will be effective before spending (and possibly wasting) resources to try it out in the real world.
Since attack trees capture and document the factors that were considered by the risk analysts, the trees are effective communication tools and can be used to demonstrate “due diligence.” Their holistic, top-down representation of the security problem lends itself to understanding potential security weaknesses in both physical and electronic systems.
Terrance R. Ingoldsby is a guest to Red Team Journal. He is President of Amenaza Technologies Limited, makers of the SecurITree attack tree modeling software package. Terrance can be reached at 1-888-949-9797 toll free, 1-403-263-7737, or at Terry.Ingoldsby at amenaza dot com. Further information on attack trees is available from the Amenaza Technologies website.