Attack tree

Last updated September 25, 2023

Attack trees are conceptual diagrams showing how an asset, or target, might be attacked.^[1] Attack trees have been used in a variety of applications. In the field of information technology, they have been used to describe threats on computer systems and possible attacks to realize those threats. However, their use is not restricted to the analysis of conventional information systems. They are widely used in the fields of defense and aerospace for the analysis of threats against tamper resistant electronics systems (e.g., avionics on military aircraft).^[2] Attack trees are increasingly being applied to computer control systems (especially relating to the electric power grid).^[3] Attack trees have also been used to understand threats to physical systems.

Some of the earliest descriptions of attack trees are found in papers and articles by Bruce Schneier,^[4] when he was CTO of Counterpane Internet Security. Schneier was clearly involved in the development of attack tree concepts and was instrumental in publicizing them. However, the attributions in some of the early publicly available papers on attack trees^[5] also suggest the involvement of the National Security Agency in the initial development.

Attack trees are very similar, if not identical, to threat trees. Threat trees were developed by Jonathan Weiss of Bell Laboratories to comply with guidance in MIL STD 1785^[6] for AT&T's work on Command and Control for federal applications, and were first described in his paper in 1982.^[7] This work was later discussed in 1994 by Edward Amoroso.^[8]

Basic

Attack trees are multi-leveled diagrams consisting of one root, leaves, and children. From the bottom up, child nodes are conditions which must be satisfied to make the direct parent node true; when the root is satisfied, the attack is complete. Each node may be satisfied only by its direct child nodes.

A node may be the child of another node; in such a case, it becomes logical that multiple steps must be taken to carry out an attack. For example, consider classroom computers which are secured to the desks. To steal one, the securing cable must be cut or the lock unlocked. The lock may be unlocked by picking or by obtaining the key. The key may be obtained by threatening a key holder, bribing a keyholder, or taking it from where it is stored (e.g. under a mousemat). Thus a four level attack tree can be drawn, of which one path is (Bribe Keyholder, Obtain Key, Unlock Lock, Steal Computer).

An attack described in a node may require one or more of many attacks described in child nodes to be satisfied. Our above condition shows only OR conditions; however, an AND condition can be created, for example, by assuming an electronic alarm which must be disabled if and only if the cable will be cut. Rather than making this task a child node of cutting the lock, both tasks can simply reach a summing junction. Thus the path ((Disable Alarm, Cut Cable), Steal Computer) is created.

Attack trees are related to the established fault tree formalism.^[9] Fault tree methodology employs boolean expressions to gate conditions when parent nodes are satisfied by leaf nodes. By including a priori probabilities with each node, it is possible to perform calculate probabilities with higher nodes using Bayes Rule. However, in reality accurate probability estimates are either unavailable or too expensive to gather. With respect to computer security with active participants (i.e., attackers), the probability distribution of events are probably not independent nor uniformly distributed, hence, naive Bayesian analysis is unsuitable.

Since the Bayesian analytic techniques used in fault tree analysis cannot legitimately be applied to attack trees, analysts instead use other techniques^[10]^[11] to determine which attacks will be preferred by a particular attacker. These may involve comparing the attacker's capabilities (time, money, skill, equipment) with the resource requirements of the specified attack. Attacks which are near or beyond the attacker's ability to perform are less preferred than attacks that are perceived as cheap and easy. The degree to which an attack satisfies the adversary's objectives also affects the attacker's choices. Attacks that are both within the adversary's capabilities, and which satisfy their goals, are more likely than those that do not.

Examination

Attack trees can become large and complex, especially when dealing with specific attacks. A full attack tree may contain hundreds or thousands of different paths all leading to completion of the attack. Even so, these trees are very useful for determining what threats exist and how to deal with them.

Attack trees can lend themselves to defining an information assurance strategy. It is important to consider, however, that implementing policy to execute this strategy changes the attack tree. For example, computer viruses may be protected against by refusing the system administrator access to directly modify existing programs and program folders, instead requiring a package manager be used. This adds to the attack tree the possibility of design flaws or exploits in the package manager.

One could observe that the most effective way to mitigate a threat on the attack tree is to mitigate it as close to the root as possible. Although this is theoretically sound, it is not usually possible to simply mitigate a threat without other implications to the continued operation of the system. For example, the threat of viruses infecting a Windows system may be largely reduced by using a standard (non-administrator) account and NTFS instead of FAT file system so that normal users are unable to modify the operating system. Implementing this negates any way, foreseen or unforeseen, that a normal user may come to infect the operating system with a virus^{[ citation needed ]}; however, it also requires that users switch to an administrative account to carry out administrative tasks, thus creating a different set of threats on the tree and more operational overhead. Also, users are still able to infect files to which they have write permissions, which may include files and documents.

Systems using cooperative agents that dynamically examine and identify vulnerability chains, creating attack trees, have been built since 2000.^[12]

Attack tree modeling software

Several commercial packages and open source products are available.

Open source

ADTool from University of Luxembourg
AT-AT
Deciduous
Ent
SeaMonster

Commercial

AttackTree+ from Isograph
SecurITree from Amenaza Technologies
RiskTree from 2T Security

Related Research Articles

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cyber security, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Security engineering is the process of incorporating security controls into an information system so that the controls become an integral part of the system’s operational capabilities. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but it has the added dimension of preventing misuse and malicious behavior. Those constraints and restrictions are often asserted as a security policy.

Bruce Schneier is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman Klein Center for Internet & Society as of November, 2013. He is a board member of the Electronic Frontier Foundation, Access Now, and The Tor Project; and an advisory board member of Electronic Privacy Information Center and VerifiedVoting.org. He is the author of several books on general security topics, computer security and cryptography and is a squid enthusiast.

In computing, a trusted client is a device or program controlled by the user of a service, but with restrictions designed to prevent its use in ways not authorized by the provider of the service. That is, the client is a device that vendors trust and then sell to the consumers, whom they do not trust. Examples include video games played over a computer network or the Content Scramble System (CSS) in DVDs.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Network security</span> Computer network access control

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

Information leakage happens whenever a system that is designed to be closed to an eavesdropper reveals some information to unauthorized parties nonetheless. In other words: Information leakage occurs when secret information correlates with, or can be correlated with, observable information. For example, when designing an encrypted instant messaging network, a network engineer without the capacity to crack encryption codes could see when messages are transmitted, even if he could not read them.

<span class="mw-page-title-main">Vulnerability (computing)</span> Exploitable weakness in a computer system

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The isolation metaphor is taken from the idea of children who do not play well together, so each is given their own sandbox to play in alone. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

<span class="mw-page-title-main">Ransomware</span> Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

A remote keyless system (RKS), also known as remote keyless entry (RKE) or remote central locking, is an electronic lock that controls access to a building or vehicle by using an electronic remote control (activated by a handheld device or automatically by proximity). RKS largely and quickly superseded keyless entry, a budding technology that restrictively bound locking and locking functions to vehicle-mounted keypads.

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like "Where am I most vulnerable to attack?", "What are the most relevant threats?", and "What do I need to do to safeguard against these threats?".

A zero-day is a vulnerability in a computer system that was previously unknown to its developers or anyone capable of mitigating it. Until the vulnerability is mitigated, threat actors can exploit it. An exploit taking advantage of a zero-day is called a zero-day exploit, or zero-day attack.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Tor, short for The Onion Router, is free and open-source software for enabling anonymous communication. It directs Internet traffic via a free, worldwide, volunteer overlay network that consists of more than seven thousand relays.

<span class="mw-page-title-main">Security information and event management</span> Computer security

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.

References

↑ R. Shirey (August 2007). Internet Security Glossary, Version 2. Network Working Group. doi: 10.17487/RFC4949 . RFC 4949.Informational.
↑ U.S. Department of Defense, "Defense Acquisition Guidebook", Section 8.5.3.3
↑ Chee-Wooi Ten, Chen-Ching Liu, Manimaran Govindarasu, Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees, "Archived copy" (PDF). Archived from the original (PDF) on 2010-06-30. Retrieved 2012-04-04.{{cite web}}: CS1 maint: archived copy as title (link)
↑ Schneier, Bruce (December 1999). "Attack Trees". Dr Dobb's Journal, v.24, n.12. Archived from the original on 6 August 2007. Retrieved 2007-08-16.
↑ Chris Salter, O. Sami Saydjari, Bruce Schneier, Jim Wallner, Toward a Secure System Engineering Methodology, "Archived copy" (PDF). Archived (PDF) from the original on 2011-06-23. Retrieved 2012-04-04.{{cite web}}: CS1 maint: archived copy as title (link)
↑ "MIL-STD-1785 SYSTEM SECURITY ENGINEERING PROGRAM". everyspec.com. Retrieved 2023-09-05
↑ "A System Security Engineering Process, 14th National Computer Security Conference, Washington DC" (PDF). Retrieved 2023-03-18.
↑ Amoroso, Edward (1994). Fundamentals of Computer Security . Upper Saddle River: Prentice Hall. ISBN 0-13-108929-3.
↑ "Fault Tree Handbook with Aerospace Applications" (PDF). Archived from the original (PDF) on 2016-12-28. Retrieved 2019-02-26.
↑ Donald L Buckshaw, Gregory S Parnell, Willard L Ulkenholz, Donald L Parks, James M Wallner, O. Sami Saydjari, Mission Oriented Design Analysis of Critical Information Systems, Military Operations Research V10, N2, 2005, ^[permanent dead link ]
↑ Terrance R Ingoldsby, Amenaza Technologies Limited, Attack Tree-based Threat Risk Analysis, A vendor white paper, "Archived copy" (PDF). Archived (PDF) from the original on 2016-03-04. Retrieved 2012-04-09.{{cite web}}: CS1 maint: archived copy as title (link)
↑ "NOOSE - Networked Object-Oriented Security Examiner, 14th Systems Administration Conference (LISA 2000), New Orleans" . Retrieved 2010-04-21.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[rfc4949-1] R. Shirey (August 2007). Internet Security Glossary, Version 2. Network Working Group. doi: 10.17487/RFC4949 . RFC 4949.Informational.

[2] U.S. Department of Defense, "Defense Acquisition Guidebook", Section 8.5.3.3

[3] Chee-Wooi Ten, Chen-Ching Liu, Manimaran Govindarasu, Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees, "Archived copy" (PDF). Archived from the original (PDF) on 2010-06-30. Retrieved 2012-04-04.{{cite web}}: CS1 maint: archived copy as title (link)

[Attack_Trees-4] Schneier, Bruce (December 1999). "Attack Trees". Dr Dobb's Journal, v.24, n.12. Archived from the original on 6 August 2007. Retrieved 2007-08-16.

[5] Chris Salter, O. Sami Saydjari, Bruce Schneier, Jim Wallner, Toward a Secure System Engineering Methodology, "Archived copy" (PDF). Archived (PDF) from the original on 2011-06-23. Retrieved 2012-04-04.{{cite web}}: CS1 maint: archived copy as title (link)

[6] "MIL-STD-1785 SYSTEM SECURITY ENGINEERING PROGRAM". everyspec.com. Retrieved 2023-09-05

[7] "A System Security Engineering Process, 14th National Computer Security Conference, Washington DC" (PDF). Retrieved 2023-03-18.

[Threat_trees-8] Amoroso, Edward (1994). Fundamentals of Computer Security . Upper Saddle River: Prentice Hall. ISBN 0-13-108929-3.

[Fault_Tree_Analysis-9] "Fault Tree Handbook with Aerospace Applications" (PDF). Archived from the original (PDF) on 2016-12-28. Retrieved 2019-02-26.

[10] Donald L Buckshaw, Gregory S Parnell, Willard L Ulkenholz, Donald L Parks, James M Wallner, O. Sami Saydjari, Mission Oriented Design Analysis of Critical Information Systems, Military Operations Research V10, N2, 2005, ^[permanent dead link ]

[11] Terrance R Ingoldsby, Amenaza Technologies Limited, Attack Tree-based Threat Risk Analysis, A vendor white paper, "Archived copy" (PDF). Archived (PDF) from the original on 2016-03-04. Retrieved 2012-04-09.{{cite web}}: CS1 maint: archived copy as title (link)

[NOOSE-12] "NOOSE - Networked Object-Oriented Security Examiner, 14th Systems Administration Conference (LISA 2000), New Orleans" . Retrieved 2010-04-21.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]