
Attack Tree


Page 1: Attack Tree

Attack Tree

Goal – The subject of the Threat Scenario, an event that will cause a loss or the overall goal of a criminal.

Strategy – Method used to achieve the Goal or exploit the Vulnerability

Tactic – How will the Vulnerability be exploited?

Attack Trees can be used to structure a Threat Scenario review. Start with one of the core processes within the business. Then consider significant breaches or control failures that could impact the process. Each significant breach becomes a “Goal” on the Attack Tree – the high-level description of an event that could lead to a loss. For each Goal, identify the various Strategies or high-level methods that would be used to achieve the Goal. Then break down the Strategies by the specific Tactics that would be utilized. Each Tactic should be weighted in terms of Complexity (how much expertise and training would be required to exploit the vulnerability), Cost (the amount of resources and other expenses that would be required as part of the exploit) and the Prevalence of the Threat Source (employees, hackers, criminals, etc.). Those scenarios with the lowest level of complexity and cost along with the highest prevalence of Threat Sources and potential losses should then be included in a more exhaustive Threat Scenario Review.

For a more thorough discussion of Attack Trees, see Bruce Schneier. The next page provides an example Attack Tree. The last page is a blank that can be used to generate Attack Trees.

[Rating box, repeated ten times on this page: Complex 1 2 3 | Cost 1 2 3 | Threat: Employee, Hacker, Criminal, Vendor]

Page 2: Attack Tree

Attack Tree

Goal: Steal 1,000+ credit card records (holder name, address, card number, expiration date, security code) from the Bank “X” credit card database

Strategy: Distribute Bank “X” phishing email on the Internet
    Tactic: Send out phishing email as spam
    And – Set up server to mimic Bank “X” site

Strategy: Intercept card data on merchant’s system when customer uses credit card
    Tactic: Broadcast email to merchants with Trojan
    And – Infect merchant server and intercept data

Strategy: Break into the Bank “X” credit card database
    Tactic: Identify likely vulnerabilities in network and database
    And – Deploy tactics to penetrate network
    And – Deploy tactics to penetrate database
    Or – Steal back-up tape

Strategy: Use Bank “X” employee(s) to obtain the data
    Tactic: Bribe employee(s)
    Or – Deceive employees into disclosing data

[Rating box, one for each of the ten Tactics above: Complex 1 2 3 | Cost 1 2 3 | Threat: Employee, Hacker, Criminal, Vendor]

Note – Tactics should be identified as “and” or “or” to designate whether all the Tactics must be satisfied to be successful or if the Tactic can stand on its own.

The Goal of this example Attack Tree is to steal more than 1,000 credit card records from Bank “X”. The Strategies involve phishing, intercepting credit card data from a merchant, breaking into the Bank “X” database and finding Bank “X” employees who will divulge the information. The cheapest and easiest Tactic to deploy is based on social engineering: deceive the Bank “X” employees into handing over the data. However, it will be difficult to use this Tactic to obtain large amounts of data as opposed to individual customer records. The most complex and costly attack would be to break into the Bank “X” database. An easier alternative would be to intercept credit card records as they are sent by or stored on vulnerable vendor systems. Another factor that should be considered is the volume of records that could be obtained in a successful attack (the amount of potential losses). The results from social engineering an employee or sending out a phishing email would be limited. Intercepting vendor transmissions would likely generate a higher number. The greatest number would likely come from breaking into the Bank “X” database or stealing a backup tape.
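As an added example (not part of the original worksheet), the Python sketch below encodes the Bank “X” tree with its “and”/“or” Tactics and ranks each scenario for the more exhaustive review. Every rating is constructed for illustration, and the combining rule is an assumption: within an “and” chain the hardest Tactic sets Complexity, Costs add up, and only Threat Sources able to perform every step count toward prevalence. Potential losses are not scored here and still have to be weighed separately.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tactic:
    name: str
    complexity: int       # worksheet scale: 1 = low .. 3 = high
    cost: int             # worksheet scale: 1 = low .. 3 = high
    sources: frozenset    # Threat Sources circled on the worksheet

def T(name, complexity, cost, sources):
    return Tactic(name, complexity, cost, frozenset(sources.split(",")))

# Strategy -> list of "or" alternatives; each alternative is a list of "and" Tactics.
# All ratings are constructed sample values, not taken from the worksheet.
TREE = {
    "Distribute phishing email": [
        [T("Send out phishing email as spam", 1, 1, "Hacker,Criminal"),
         T("Set up server to mimic site", 2, 2, "Hacker,Criminal")]],
    "Intercept card data at merchant": [
        [T("Broadcast email to merchants with Trojan", 2, 2, "Hacker,Criminal"),
         T("Infect merchant server and intercept data", 2, 2, "Hacker,Criminal")]],
    "Break into credit card database": [
        [T("Identify likely vulnerabilities", 2, 1, "Employee,Hacker,Criminal"),
         T("Penetrate network", 3, 3, "Hacker,Criminal"),
         T("Penetrate database", 3, 3, "Hacker,Criminal")],
        [T("Steal back-up tape", 2, 2, "Employee,Vendor,Criminal")]],
    "Use employee(s)": [
        [T("Bribe employee(s)", 1, 3, "Criminal")],
        [T("Deceive employees into disclosing data", 1, 1, "Hacker,Criminal")]],
}

def rate(alternative):
    """Combine the Tactics of one 'and' chain into (complexity, cost, sources)."""
    complexity = max(t.complexity for t in alternative)
    cost = sum(t.cost for t in alternative)
    sources = frozenset.intersection(*(t.sources for t in alternative))
    return complexity, cost, sources

def shortlist(tree):
    """Rank scenarios: lowest complexity + cost first, ties broken by more sources."""
    rows = []
    for strategy, alternatives in tree.items():
        for alt in alternatives:
            complexity, cost, sources = rate(alt)
            rows.append((complexity + cost, -len(sources), strategy,
                         " + ".join(t.name for t in alt)))
    return sorted(rows)

if __name__ == "__main__":
    for effort, neg_prevalence, strategy, path in shortlist(TREE):
        print(f"effort={effort:2d} sources={-neg_prevalence} {strategy}: {path}")
```

With these sample ratings the back-up tape ranks second, well ahead of the full network and database break-in it is an “or” alternative to, which is the kind of result the and/or labelling is meant to surface.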

Page 3: Attack Tree

Attack Tree

[Blank worksheet. Rating box, repeated ten times: Complex 1 2 3 | Cost 1 2 3 | Threat: Employee, Hacker, Criminal, Vendor]