Attack Trees

Attack Trees are a good way to move threat scenarios from the realm of art form to science. Popularized by Bruce Schneier, Attack Trees can be used to map out the various components of a threat scenario (the Vulnerabilities and the threat sources) and organize them into a more easily understood structure. For further background you may want to review:

Attack Trees can be adapted to assist in completing the Threat Scenarios in the Simple Risk Model assessment Tool.

  1. Start with one of the Core Processes within the business identified in the Tool.
  2. Consider significant breaches or control failures that could impact the Process. Each significant breach becomes a "Goal" on the Attack Tree - an event that could lead to a loss.
  3. For each Goal, identify the various Strategies, attacks or methods that would be used to achieve the Goal.
  4. Break down the Strategies into the specific Tactics that would be used. Each Tactic should be weighted in terms of Complexity (how much expertise and training would be required to exploit the vulnerability), Cost (the resources and other expenses that would be required as part of the exploit), the Prevalence of the Threat Source (employees, hackers, criminals, etc.) and the potential losses that the Tactic could generate. Those scenarios with the lowest complexity and cost, together with the highest prevalence of Threat Sources and potential losses, should then be included in a more exhaustive Threat Scenario review.
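The four steps above can be carried out in a small model so that the weighting and the selection rule are explicit and repeatable. The following is an added example, not a form or code from the Simple Risk Model tool or from ISRMC: it builds one Goal → Strategy → Tactic tree for a constructed Core Process, scores each Tactic on the four factors named above, and returns the Tactics that should go forward to a fuller Threat Scenario review. The 1–5 scales, the additive priority score and the sample tree are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed scales (not from the page): every factor is an integer 1..5.
# complexity: 1 = trivial, 5 = expert skills needed
# cost:       1 = negligible resources, 5 = substantial investment
# prevalence: 1 = rare threat source, 5 = very common threat source
# loss:       1 = minor impact, 5 = severe impact


@dataclass
class Tactic:
    name: str
    complexity: int
    cost: int
    prevalence: int
    loss: int

    def priority(self) -> int:
        # Assumed scoring rule: low complexity/cost and high prevalence/loss
        # all push the score up, so a high score means "review this first".
        return (6 - self.complexity) + (6 - self.cost) + self.prevalence + self.loss


@dataclass
class Strategy:
    name: str
    tactics: List[Tactic] = field(default_factory=list)


@dataclass
class Goal:
    name: str
    strategies: List[Strategy] = field(default_factory=list)


def all_tactics(goal: Goal) -> List[Tuple[str, Tactic]]:
    """Flatten the tree into (strategy name, tactic) pairs."""
    return [(s.name, t) for s in goal.strategies for t in s.tactics]


def rank_tactics(goal: Goal) -> List[Tuple[str, Tactic]]:
    """Order tactics from most to least deserving of review (step 4)."""
    return sorted(all_tactics(goal), key=lambda st: st[1].priority(), reverse=True)


def easiest_path(goal: Goal) -> Tuple[str, Tactic]:
    """OR semantics: the goal is reached by any single tactic, so the
    cheapest/simplest one is the path a defender should assume first."""
    return min(all_tactics(goal), key=lambda st: st[1].complexity + st[1].cost)


def select_for_review(goal: Goal, threshold: int) -> List[Tactic]:
    """Tactics at or above the threshold go into the exhaustive review."""
    return [t for _, t in rank_tactics(goal) if t.priority() >= threshold]


def render(goal: Goal) -> str:
    """Plain-text view of the tree with each tactic's weights and score."""
    lines = [f"Goal: {goal.name}"]
    for s in goal.strategies:
        lines.append(f"  + Strategy: {s.name}")
        for t in s.tactics:
            lines.append(
                f"      - {t.name} [complexity={t.complexity} cost={t.cost} "
                f"prevalence={t.prevalence} loss={t.loss} score={t.priority()}]"
            )
    return "\n".join(lines)


def example_tree() -> Goal:
    """Constructed sample tree for a fictional 'customer payment processing'
    Core Process. Names and weights are illustrative only."""
    return Goal(
        "Unauthorized funds transfer",
        [
            Strategy("Compromise a finance user's credentials",
                     [Tactic("Phishing for login credentials", 2, 1, 5, 4)]),
            Strategy("Exploit the payment application",
                     [Tactic("Exploit an unpatched application flaw", 4, 3, 3, 5)]),
            Strategy("Abuse insider access",
                     [Tactic("Employee submits a fraudulent transfer", 1, 1, 2, 3)]),
        ],
    )


if __name__ == "__main__":
    tree = example_tree()
    print(render(tree))
    print("Easiest path:", easiest_path(tree)[1].name)
    print("For review:", [t.name for t in select_for_review(tree, 15)])
```

`rank_tactics` answers "which Tactics deserve the exhaustive review", while `easiest_path` answers the narrower attacker's-eye question of which single branch is cheapest to walk; the two can disagree, which is exactly why the page asks for all four weights rather than cost alone.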

Please refer to a mock-up of a Simple Risk Model Attack Tree form that can be used as part of Threat Scenario reviews.

Note: Attack Trees provide a systematic way to compare existing Threat Sources with Vulnerabilities and identify the exploits those Threats are most likely to use. Since Attack Trees do not include the Cost side of the risk equation, they should not be relied upon as the single source for a comprehensive risk analysis.

Once the Threat Scenarios are complete, you will have prioritized your controls (which ones are key?), determined whether the existing controls are effective and efficient, and identified what additional controls are required. The next step is to move from the Assess phase to reviewing and implementing those controls.

©2009 ISRMC, LLC