Attack Trees for Robust and Secure Design

Attack Trees as Allies in Threat Mitigation

The ability to anticipate and proactively mitigate potential threats has become the holy grail for many organizations. In that pursuit many organizations turn to practices such as threat modeling, which I’ve written about before. While threat modeling can be a powerful tool in the organization’s toolchest, it can be time consuming and difficult to perform rapidly. Another option in the toolchest is creating attack trees.

Attack trees are a specific graphical representation within the broader context of threat modeling. They focus on illustrating potential threat scenarios in a hierarchical manner, breaking down from a primary malicious activity into sub-goals and strategies employed by adversaries. These attack trees function as a graphical interpretation providing an early view of attack paths and establishing themselves as a critical part of identifying threats early in the development life cycle.

Distinguishing factors between threat modeling and attack trees

Scope and methodology are a big factor in differentiating between threat modeling and attack trees. The scope of threat modeling is expansive, as it engages in a thorough examination of not just the components in a system, but also those that send or receive data to the system. This means that that threat modeler must analyze data flow, system architecture, business processes, and potential entry points susceptible to malicious exploitation. Threat modeling, therefore, adopts a holistic perspective, addressing security from a system-wide viewpoint. As you can tell, this can be an expansive and laborious task.

On the other hand, attack trees assume a more focused role by directing attention to specific attack scenarios and their hierarchical components. While threat modeling provides a panoramic view of security, attack trees specialize in visualizing the intricacies of targeted attack paths. This narrower focus enables a more detailed representation of specific threats and gives the modeler the ability to illustrate the sequential steps an adversary might take to achieve their desired outcome.

In terms of methodology, threat modeling and attack trees diverge in their approaches. Threat modeling often employs work sessions or meetings that bring together various stakeholders, while attack trees can function as a specific tool within an overall process. Though purpose-built tools can be used to create attack trees, they don’t have to be. A simple diagramming tool can work. And though attack trees and threat modeling can be separate, they are (and should be) used in tandem to assist one another (more on this later). The hierarchical representation of attack trees aids in understanding the sequential progression of an attack in the broader context of threat modeling. This contributes valuable insights into specific vulnerabilities and potential exploits.

Insight and Adaptive Defense

Most attacks by adversaries are not simplistic. They are often a series of failed or missing controls, a bit of luck, and some ingenuity. This is hard to capture in a broad threat model, but where attack trees can shine. At the apex of the attack tree lies the primary malicious activity or goal that an attacker seeks to achieve (ie access sensitive data on a cloud endpoint). This top-level goal then branches into various sub-goals, representing the sequential steps an adversary might take to accomplish the overarching objective. Each sub-goal further unfolds into specific strategies, tactics, or vulnerabilities that could be exploited. The hierarchical anatomy offers a comprehensive and granular understanding of the potential attack vectors, enabling cybersecurity professionals to address vulnerabilities at multiple levels. During the creation of the hierarchy, the modeler can add mitigations along the way, which they themselves might be open to attack.  The process continues.

The strength of attack trees lies not only in their visual representation but also in the tactical insights they provide. By breaking down the attack scenarios into hierarchical components, the modelers gain a nuanced understanding of potential weak points and critical junctures within a workflow. This insight allows for the formulation of targeted and tactical defenses, ensuring that security measures are tailored to address specific elements of the attack tree.

Additionally attack trees are adaptable to evolving threats. As the cybersecurity landscape shifts and new vulnerabilities emerge, attack trees can be updated and refined to incorporate the latest insights. This dynamic nature aligns seamlessly with the changing tactics employed by adversaries, providing cybersecurity professionals with a framework for continuous improvement.

Example attack tree

You can create an attack tree quite simply with a very basic scenario where an attacker attempts unauthorized access to a user’s online banking account. In this scenario, I’m using Deciduous to create the attack tree, but as I stated, you can use a simple diagraming tool as well. However, Deciduous does a fabulous job of simplifying the drawing of a diagram.

The basic scenario is:

Primary Malicious Goal: Access a user’s bank account

  • Goal 1: Obtain User Credentials
    • Strategy 1.1: Phishing Attack
    • Strategy 1.2: Brute Force Attack

In this case we can show that and attackers end game is to gain access to the users bank account. The organization would implement the mitigations of two-factor authentication and account lockout after 3 failed attempts. Pretty simple, right? Well as you can probably start to see, this can become much more expansive covering multiple attacks and mitigations. It’s the cat-and-mouse game that we play in cybersecurity.

Using attack trees in threat modeling

One benefit of threat modeling and attack trees is that they can go together like peanut butter and jelly (or peanut butter and chocolate, whichever you prefer). Imagine a scenario where you have threat modeled your system and architecture, and your team identifies a particular workflow that is critical to the organization. You may want to dive deeper into the specific attack paths for that critical workflow to either identify the appropriate mitigations or ensure that all of the possible and known attack paths have been captured.

Adventurous organizations may even want to create an attack tree for each of the attack paths in a given threat model.

However, it is important to recognize that both threat modeling and attack trees are iterative processes. As the system evolves or new information becomes available the threat model would need to be revised, which should require the attack tree to be updated as well. This can occur not just when new attacks and techniques are identified, but also when the architecture or design of the system changes.

Learning more

There is plenty more to learn about attack tress, specifically how they can leverage frameworks like MITRE ATT&CK to help identify tactics, techniques, and procedures (TTP) to inform your threat model and attack tress.

If you want to learn more, please check out this course on Udemy taught by Derek Fisher: