Attack trees are conceptual diagrams showing how an asset, or target, might be attacked. Attack trees have been used in a variety of applications. In the field of information technology, they have been used to describe threats on computer systems and possible attacks to realize those threats. However, their use is not restricted to the analysis of conventional information systems. They are widely used in the fields of defense and aerospace for the analysis of threats against tamper resistant electronics systems (e.g., avionics on military aircraft). Attack trees are increasingly being applied to computer control systems (especially relating to the electric power grid). Attack trees have also been used to understand threats to physical systems. Some of the earliest descriptions of attack trees are found in papers and articles by Bruce Schneier, when he was CTO of Counterpane Internet Security. Schneier was clearly involved in the development of attack tree concepts and was instrumental in publicizing them. However, the attributions in some of the early publicly available papers on attack trees also suggest the involvement of the National Security Agency in the initial development. Attack trees are very similar, if not identical, to ''threat trees''. Threat trees were discussed in 1994 by Edward Amoroso.


Basic

Attack trees are multi-leveled diagrams consisting of one root, leaves, and children. From the bottom up, ''child nodes'' are conditions which must be satisfied to make the direct parent ''node'' true; when the ''root'' is satisfied, the attack is complete. Each ''node'' may be satisfied only by its direct ''child nodes''. A ''node'' may be the ''child'' of another node; in such a case, it becomes logical that multiple steps must be taken to carry out an attack. For example, consider classroom computers which are secured to the desks. To steal one, the securing cable must be cut or the lock unlocked. The lock may be unlocked by picking or by obtaining the key. The key may be obtained by threatening a keyholder, bribing a keyholder, or taking it from where it is stored (e.g. under a mousemat). Thus a four level attack tree can be drawn, of which one path is (''Bribe Keyholder'', ''Obtain Key'', ''Unlock Lock'', ''Steal Computer''). An attack described in a ''node'' may require one or more of many attacks described in ''child nodes'' to be satisfied. The example above shows only ''OR conditions''; however, an ''AND condition'' can be created, for example, by assuming an electronic alarm which must be disabled if and only if the cable will be cut. Rather than making this task a ''child node'' of cutting the lock, both tasks can simply reach a summing junction. Thus the path ((''Disable Alarm'', ''Cut Cable''), ''Steal Computer'') is created.

Attack trees are related to the established fault tree formalism. Fault tree methodology employs boolean expressions to gate conditions when parent nodes are satisfied by leaf nodes. By including a priori probabilities with each node, it is possible to calculate probabilities for higher nodes using Bayes' rule. However, in reality accurate probability estimates are either unavailable or too expensive to gather. With respect to computer security with active participants (i.e., attackers), the probability distribution of events is probably neither independent nor uniformly distributed; hence, naive Bayesian analysis is unsuitable.

Since the Bayesian analytic techniques used in fault tree analysis cannot legitimately be applied to attack trees, analysts instead use other techniques (Terrance R. Ingoldsby, Amenaza Technologies Limited, ''Attack Tree-based Threat Risk Analysis'', a vendor white paper) to determine which attacks will be preferred by a particular attacker. These may involve comparing the attacker's capabilities (time, money, skill, equipment) with the resource requirements of the specified attack. Attacks which are near or beyond the attacker's ability to perform are less preferred than attacks that are perceived as cheap and easy. The degree to which an attack satisfies the adversary's objectives also affects the attacker's choices. Attacks that are both within the adversary's capabilities, and which satisfy their goals, are more likely than those that do not.


Examination

Attack trees can become large and complex, especially when dealing with specific attacks. A full attack tree may contain hundreds or thousands of different paths all leading to completion of the attack. Even so, these trees are very useful for determining what threats exist and how to deal with them. Attack trees can lend themselves to defining an information assurance strategy. It is important to consider, however, that implementing policy to execute this strategy changes the attack tree. For example, computer viruses may be protected against by refusing the system administrator access to directly modify existing programs and program folders, instead requiring a package manager be used. This adds to the attack tree the possibility of design flaws or exploits in the package manager.

One could observe that the most effective way to mitigate a threat on the attack tree is to mitigate it as close to the ''root'' as possible. Although this is theoretically sound, it is not usually possible to simply mitigate a threat without other implications to the continued operation of the system. For example, the threat of viruses infecting a Windows system may be largely reduced by using a standard (non-administrator) account and NTFS instead of the FAT file system so that normal users are unable to modify the operating system. Implementing this negates any way, foreseen or unforeseen, that a normal user may come to infect the operating system with a virus; however, it also requires that users switch to an administrative account to carry out administrative tasks, thus creating a different set of threats on the tree and more operational overhead. Also, users are still able to infect files to which they have write permissions, which may include files and documents.

Systems using cooperative agents that dynamically examine and identify vulnerability chains, creating attack trees, have been built since 2000.
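The classroom-computer tree from the Basic section and the point made in the Examination section (a countermeasure both removes paths and adds new nodes of its own) can be worked through in code. The following is an added Python example, not part of the article and not any of the listed tools; the named AND node ''Defeat Cable'', the per-leaf costs, the attacker budget and the ''Crack Key Safe'' node are constructed for illustration.

```python
# Added illustration (not from the article): a small AND/OR attack-tree model.
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple

Path = Tuple[str, ...]          # one attack path = the leaf attacks it needs


@dataclass
class Node:
    name: str
    gate: str = "OR"            # "OR": any child satisfies the node; "AND": every child must
    children: List["Node"] = field(default_factory=list)
    cost: int = 0               # leaves only: resource requirement, constructed arbitrary units
    mitigated: bool = False     # a countermeasure makes this node (and all beneath it) unusable


def find(node: Node, name: str) -> Optional[Node]:
    """Depth-first lookup of a node by name."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def attack_paths(node: Node) -> List[Path]:
    """Every combination of leaf attacks that satisfies `node` (the tree's cut sets)."""
    if node.mitigated:
        return []
    if not node.children:
        return [(node.name,)]
    per_child = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in per_child for p in paths]
    if any(not paths for paths in per_child):   # an AND fails if any branch is blocked
        return []
    return [tuple(leaf for part in combo for leaf in part) for combo in product(*per_child)]


def leaf_costs(node: Node) -> Dict[str, int]:
    """Collect the cost of every leaf under `node`."""
    if not node.children:
        return {node.name: node.cost}
    costs: Dict[str, int] = {}
    for child in node.children:
        costs.update(leaf_costs(child))
    return costs


def feasible_paths(root: Node, budget: int) -> List[Tuple[Path, int]]:
    """Paths within the attacker's capability (total cost <= budget), cheapest first.
    This is the capability-versus-requirement comparison the article describes."""
    costs = leaf_costs(root)
    priced = [(p, sum(costs[leaf] for leaf in p)) for p in attack_paths(root)]
    return sorted((pc for pc in priced if pc[1] <= budget), key=lambda pc: pc[1])


def mitigate(root: Node, name: str) -> None:
    """Record a countermeasure: the named node can no longer be satisfied."""
    node = find(root, name)
    if node is None:
        raise KeyError(name)
    node.mitigated = True


def add_attack(root: Node, parent_name: str, new: Node) -> None:
    """Countermeasures usually bring new nodes of their own; attach one under `parent_name`."""
    parent = find(root, parent_name)
    if parent is None:
        raise KeyError(parent_name)
    parent.children.append(new)


def classroom_tree() -> Node:
    """The article's classroom-computer example; costs are constructed for illustration."""
    return Node("Steal Computer", "OR", [
        Node("Defeat Cable", "AND", [       # the summing junction: alarm AND cable
            Node("Disable Alarm", cost=40),
            Node("Cut Cable", cost=10),
        ]),
        Node("Unlock Lock", "OR", [
            Node("Pick Lock", cost=30),
            Node("Obtain Key", "OR", [
                Node("Threaten Keyholder", cost=50),
                Node("Bribe Keyholder", cost=25),
                Node("Take Key From Under Mousemat", cost=5),
            ]),
        ]),
    ])


def demo(budget: int = 30):
    """Feasible attacks before and after one countermeasure (key moved into a safe)."""
    tree = classroom_tree()
    before = feasible_paths(tree, budget)
    mitigate(tree, "Take Key From Under Mousemat")
    add_attack(tree, "Obtain Key", Node("Crack Key Safe", cost=60))  # new branch the control adds
    after = feasible_paths(tree, budget)
    return before, after


if __name__ == "__main__":
    for label, paths in zip(("before", "after"), demo()):
        print(label, paths)
```

Running `demo()` shows the cheapest path (the key under the mousemat) disappearing once the key is locked away, while the safe becomes a new, more expensive node under ''Obtain Key''. Calling `mitigate` on an interior node such as ''Unlock Lock'' removes every path beneath it at once, which is the "close to the root" effect the article mentions; blocking a single leg of an AND junction (''Disable Alarm'') is enough to remove the whole junction's path.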


Attack tree modeling software

Several commercial packages and open source products are available.


Open source

* ADTool from University of Luxembourg
* AT-AT
* Deciduous
* Ent
* SeaMonster


Commercial

* AttackTree+ from Isograph
* Secur''IT''ree from Amenaza Technologies
* RiskTree from 2T Security


See also

* Computer insecurity
* Computer security
* Computer virus
* Fault tree analysis
* IT risk
* Threat (computer)
* Vulnerability (computing)

