What is the Attack Trees Threat modeling method
Attack tree (threat tree) is a graphical formalism used to structure, model and analyze potential attacks. It starts with a security threat, modeled as its root, representing the attacker's top level goal. It divides into subgoals through logical gates, modeling how successful the attack steps may be. Basic attack steps are presented as leaves on the tree. It includes so-called ‘and-gates’ (when the attacker has to deliver successful attacks in all child nodes) and ‘or-gates’ (when the attacker must succeed in at least one child node) and usually starts with the attacker’s goal, after that helping to enumerate all possible ways to achieve it. If there are a number of trees for various attacks, they can interconnect, sharing the same ‘subtree’.
The Attack-defense tree is an example of an attack tree or may become its extension with defensive measures (or countermeasures) included, which shows a model of multistage attacks along with safeguards. Countermeasures prevent a possible attacker from reaching the goal, and the tree represents the interaction between an attacker and a defender.
How is an Attack Tree built?
A project-specific Attack tree (or several trees) is built in several steps, the same regardless of whether the tree is intended for one or multiple projects. These are:
- Deciding on a representation. At this stage the specialist chooses the type of a tree (AND or OR) and its presentation.
- Root node creation. This phase is the real start of creating an AT. The root node can be a goal or a component to prompt the analysis. The former variant helps to consider the ways an attacker is taking to achieve their goal. As for the graphical realization, it is advised to draw them within the grid, which an eye can track linearly.
- Subnodes creation. The next step in the creation of the tree. The subnodes can relate to each other also in AND or OR way. They help to iterate on the trees to make each tree fit a particular situation. Common structures for the first-level subnodes include ‘attacking a system’ (by physical access or subverting either a person or software), ‘the way of attacking a system’ (using people, process or technology) and ‘attacking a project’ during design, production, distribution or usage.
- Considering completeness. At this stage completeness of attack trees is checked, to see if any additional components or even additional trees are needed. They can be also checked for quality by iterating over the nodes and looking for any other possible ways to reach the goal. The main question is, if there is any other way that the attack can succeed?’
- Tree pruning. At this stage every node of the tree is checked to consider if the action in each of them is prevented or duplicative. If the attack is prevented, the nodes are indicated as requiring no further analysis. Nodes are better marked to make it clear that the attacks were considered.
- Presentation check. The final stage of AT creation is presentation. Keeping in mind that a tree may be ‘branchy’ it may be broken into a number of small ones with a top level subnote as a root node of a ‘subtree’ and adding a ‘context tree’ to show overall relations. The tree should be easy to track and equivalent level subnodes should show on a single line, because the deeper the tree is read, the more challenging the process becomes. There are two ways of representing an AT:
- A free-form (human-viewable form) without any specific technical structure.
- A structured representation (includes various types or metadata to facilitate program analysis)
How are ‘attack trees’ used?
The attack elicitation task is to iterate over each node in the tree and consider if that issue or its variant impacts your system. There are three purposes to use attack trees:
- for the developer’s own project (to detect possible threats to the project they are working on)
- for someone else’s project
- combined variant (when a developer creates trees to test their own project, which other developers can use later, too)
It’s always useful if there is a tree, relevant to the system/project in question and can be used right away. If there is none, a new tree must be created for the particular situation.