Attack Trees: Threat Modeling Diagrams Explained

Understand More with an Attack Tree and Threat Modeling Applications

How to Use Attack Trees to Better Understand Your Attack Surface

With the severity of data breaches and cybercrime escalating, it is now more important than ever to protect the confidential information your business processes. Organizations use attack tree diagrams to better understand their attack surface - the points in technical systems and applications that are vulnerable to cyberattacks. Within the realm of IT risk management, companies visualize security threats in attack tree diagrams to better understand and mitigate risk. In an attack tree, the root node is the primary target in the attack against a technical system - there can be no parent node. Leaf nodes make up the parts and passageways that can lead to a data breach. Attack trees are useful tools for IT asset risk management. They can be used to help network security professionals to gain a more comprehensive understanding of specific cyberattacks, and how cyber criminals infiltrate IT systems. Attack trees are also practical for conducting risk audit analysis, helping information security managers to get to the root cause of cyberattacks and prescribe strategies to remove threats.

ThreatModeler Attack Tree

What is an Attack Tree?

According to information security professional Bruce Schneier, "Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes." Attack trees introduced a whole new way of looking at cyber threats. Attack trees help to conceptualize attack scenarios with clear representations that describe systems plus the possible ways that they can be compromised. Each attack goal forms its own tree, but the nodes on different trees may interact with one another. Besides the obvious surface threat characteristics, infosec managers can finally delve deeper for underlying issues. For example, an IT executive might make the security assumption that managers are following procedures to keep data safe, without effectively knowing the level of knowledge they have on cybersecurity policy and procedures.

Benefits of Attack Tree Modeling

Attack tree modeling can also help to understand the different behaviors of a cyber criminal, such as their:

- Motivations
- Goals
- Capabilities
- Weaknesses

There are other benefits to using attack tree modeling. Attack trees can be reused and updated. You can combine them with other diagrams for a more holistic, enterprise-wide view of your organization's threat profile. Computer security managers can anticipate and control expenditures by playing out "what if" scenarios. The more scenarios you play out, the deeper your understanding of your organization's security. By applying the formal methodology of attack trees, you will better understand the security requirements that you will need to ensure your computer systems are defended.

About Attack Tree Nodes

As explained before, the cyberattacker's goal is considered the root node, while the different ways of achieving a data breach are known as the leaf nodes. When computer security managers conduct fault tree analysis, they apply Boolean logic to review each of the nodes in relationship with one another. Boolean operators are words that help to describe the relationship between data points, i.e. "or" (inclusive); "and" (exclusive); and "not" (one, but not the other). Attack trees are arranged in hierarchical order, with the lowest priorities at the bottom - e.g., the threat is nonintrusive, legal and has a low success rate. Based on the variables involved, infosec professionals can conduct risk analysis that views the different parts of a security threat and how they directly relate to one another. Attack tree attributes help information security managers to associate certain types of risk with different attacks. Leaf node attribute values "grow" up the tree in order of priority. Attribute values are then calculated by summing up the leaf nodes - in trees and subtrees. While there is no formal, predetermined value for the different types of attributes, with the right knowledge and expertise, IT managers can make their own security cost appraisals.
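The attribute roll-up described above, and the "what if" scenarios mentioned under the benefits, can be worked through in a few lines of Python. This is an added example, not ThreatModeler's code: it goes slightly beyond the text by using the convention from Schneier's attack tree paper (an AND node sums its children's cost, an OR node takes its cheapest child), and the node names, cost units and the `what_if` helper are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    gate: str = "LEAF"      # "LEAF", "AND" (all children needed) or "OR" (any one child)
    cost: float = 0.0       # estimated attacker cost; only meaningful on leaves
    children: list = field(default_factory=list)

def cheapest(node, overrides=None):
    """Return (cost, leaf names) for the cheapest way to reach `node`.

    `overrides` maps leaf name -> new cost, modelling a control that makes
    that step more expensive for the attacker (a "what if" scenario).
    """
    overrides = overrides or {}
    if node.gate == "LEAF":
        return overrides.get(node.name, node.cost), [node.name]
    if not node.children:
        raise ValueError(f"{node.gate} node {node.name!r} has no children")
    results = [cheapest(child, overrides) for child in node.children]
    if node.gate == "AND":   # every step is required, so costs add up
        return sum(c for c, _ in results), [n for _, path in results for n in path]
    if node.gate == "OR":    # the attacker picks the cheapest alternative
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown gate {node.gate!r} on {node.name!r}")

# Constructed sample tree; names and cost units are illustrative only.
TREE = Node("Data breach", "OR", children=[
    Node("Use a valid staff account", "AND", children=[
        Node("Obtain staff password", cost=20),
        Node("Defeat second factor", cost=60),
    ]),
    Node("Unpatched public server", cost=50),
    Node("Insider misuse", cost=100),
])

def what_if(controls):
    """Cheapest path after applying `controls` (leaf name -> raised cost)."""
    return cheapest(TREE, controls)

if __name__ == "__main__":
    print(what_if({}))
    print(what_if({"Unpatched public server": 200}))
    print(what_if({"Unpatched public server": 200, "Defeat second factor": 150}))
```

Each scenario shows where the cheapest path moves once a control is applied, which is the figure that tells a security manager whether the next unit of spend belongs on the same branch or a different one.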

Build an Attack Tree Automatically

One of the biggest challenges of information security is that the output of security exercises takes the form of wordy reports. For stakeholders, these are not very easy to read and often seem to be delivered as lists, without showing the system or application at a high level. Threat models themselves take a hybrid approach, being both system-centric and asset-centric: the visualization shows the viewer a system of interconnected components.

ThreatModeler goes a step further. Using the threat model as a source, the Intelligent Threat Engine builds a tree diagram as seen in the figure above that we define as a threat tree. Each threat tree displays a logical, hierarchical representation of a threat and the relation to the underlying attributes of the application or system. Additionally, multiple threat trees, each representing the individual components of an application merged into a single entity, provide a consolidated view of threats to the whole application. This illustrates why a threat exists in the system and the relevant security controls to mitigate those threats.


With Threat Trees, you’re able to:

Rapid Visualization

Enables the rapid visualization of individual components in conjunction with all the potential threats and their relevant security controls that should be applied to the component to prevent or mitigate the threat.

Attack Paths and Vectors

Ensures a full understanding of all the attack vectors and the attack path needed for an attacker to succeed.

Security Controls

Assists in determining the adequacy of existing security controls against threats.

Map Security Policies to Actions

Provides the ability to map security policies and actions to application components and the courses of mitigation that are available.