Attack tree

From Wikipedia, the free encyclopedia

Attack trees are conceptual diagrams of threats on systems and possible attacks to reach those threats. The concept was suggested by Bruce Schneier, CIO of Counterpane Internet Security. Attack trees are also occasionally called threat trees.

Basic

Attack tree for computer viruses. Here we assume a system such as Windows 95, where all users have full system access. All child nodes operate on OR conditions.

Attack trees are multi-leveled diagrams consisting of one root, leaves, and children. From the bottom up, child nodes are conditions which must be satisfied to make the direct parent leaf true; when the root is satisfied, the attack is complete. Each leaf may be satisfied only by its direct child nodes.

A leaf may be the child of another leaf; in such a case, multiple steps must be taken to carry out an attack. For example, consider classroom computers which are secured to the desks. To steal one, the securing cable must be cut or the lock unlocked. The lock may be unlocked by picking it or by stealing the key. The key may be stolen by threatening, bribing, or distracting a guard. Thus a four-level attack tree can be drawn, of which one path is (Bribe Guard, Steal Key, Unlock Lock, Steal Computer).

Note also that each leaf may require one or more of its child nodes to be satisfied. The example above shows only OR conditions; an AND condition can be created, however, by assuming an electronic alarm that must be disabled whenever the cable is to be cut. Rather than making this task a child node of cutting the cable, both tasks can simply feed a summing junction (an AND node). Thus the path ((Disable Alarm, Cut Cable), Steal Computer) is created.

Examination

Attack trees can become very complex, especially when modeling specific attacks in detail. A full attack tree may contain hundreds or thousands of different paths, all leading to completion of the attack. Even so, these trees are very useful for determining what threats exist and how to deal with them.

Attack trees can lend themselves to defining an information assurance strategy. It is important to consider, however, that implementing policy to execute this strategy changes the attack tree. For example, computer viruses may be protected against by refusing the system administrator access to directly modify existing programs and program folders, instead requiring a package manager be used. This adds to the attack tree the possibility of design flaws or exploits in the package manager.

One could observe that the most effective way to mitigate a threat on the attack tree is to mitigate it as close to the root as possible. Although this is theoretically sound, it is not usually possible to simply mitigate a threat without other implications to the continued operation of the system. For example, the threat of viruses infecting a Windows system may be largely reduced by using NTFS instead of FAT so that normal users are unable to modify installed programs. Implementing this negates any possible way, foreseen or unforeseen, that a normal user may come to infect the system with a virus; however, it also requires that users switch to an administrative account to carry out administrative tasks, thus creating a different set of threats on the tree and more operational overhead.
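The classroom-computer tree from the Basic section, including its AND junction, and the effect of placing a countermeasure near the root rather than at a leaf, can be worked through in code. This is an added example, not part of the original article; the node names come from the text, while the OR/AND gate representation and the `attack_paths` and `classroom_tree` functions are this example's own.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass
class Node:
    """One node of an attack tree. A node without children is a leaf action."""
    name: str
    gate: str = "OR"  # "OR": any one child suffices; "AND": every child is required
    children: List["Node"] = field(default_factory=list)


def attack_paths(node: Node, blocked: FrozenSet[str] = frozenset()) -> Set[FrozenSet[str]]:
    """Return every minimal set of leaf actions that satisfies `node`.

    `blocked` names nodes that a countermeasure has made impossible; a blocked
    node (leaf or intermediate) contributes no paths, so an AND node with a
    blocked child becomes impossible too.
    """
    if node.name in blocked:
        return set()
    if not node.children:
        return {frozenset([node.name])}
    child_paths = [attack_paths(c, blocked) for c in node.children]
    if node.gate == "OR":
        return set().union(*child_paths)
    # AND: one path from each child must be combined (cross product of the sets)
    combos: Set[FrozenSet[str]] = {frozenset()}
    for paths in child_paths:
        combos = {a | b for a in combos for b in paths}  # empties out if any child has none
    return combos


def classroom_tree() -> Node:
    """The tree described in the article: cut the (alarmed) cable or unlock the lock."""
    steal_key = Node("Steal Key", children=[
        Node("Threaten Guard"), Node("Bribe Guard"), Node("Distract Guard")])
    unlock_lock = Node("Unlock Lock", children=[Node("Pick Lock"), steal_key])
    defeat_cable = Node("Defeat Cable", "AND", [Node("Disable Alarm"), Node("Cut Cable")])
    return Node("Steal Computer", children=[defeat_cable, unlock_lock])


if __name__ == "__main__":
    tree = classroom_tree()
    for path in sorted(attack_paths(tree), key=sorted):
        print(sorted(path))
    # Mitigating one leaf removes one path; mitigating "Unlock Lock" near the root removes four.
    print(len(attack_paths(tree, frozenset({"Disable Alarm"}))))
    print(len(attack_paths(tree, frozenset({"Unlock Lock"}))))
```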
