Analysis of Attack Tree Process

When analyzing the security threats to a system the system analyst is forced to rely on an “Ad hoc brainstorming process” (Schneier, 2004, p. 318) to try and conceptualize what purposes an attacker could have in targeting a system and the methods they could use to carry out their attack. The limitation to the ad hoc approach is that the analyst could miss an area of potential vulnerability or even focus available resources on an attack that is extremely unlikely leaving the door wide open for more likely attacks to occur.

The Attack Tree process developed by Bruce Schneier seeks to replace existing ad hoc processes with one that provides a process for evaluating the threats of an attack against a system and what procedures can be put in place to prevent them (p. 318). The process seeks to first identify an attacker’s goal and then analyzes the methods they could use to accomplish their goal so resources are assigned appropriately. In an Attack Trees, attacks against a system are represented by a tree structure with “the goal as the root node and different ways of achieving that goal as leaf nodes” (p. 318).

The Importance of Using an Attack Tree Process

An Attack Tree process is a useful tool to try and analyze the different ways an attacker could achieve their goal. There are several benefits / advantages that can be attributed to a well developed process in the case of Attack Trees you could:

• Create an multi input iterative process: An Attack Tree enables a system analyst to implement a process where people with different backgrounds / skill sets can add their input to help analyze possible threats and what can be done to negate these threats. Since the process is also iterative you can ensure that it is continually improved upon, this is important because it is unlikely that the attackers are not continually improving their methods.
• Capture and reuse the process for future projects: In capturing the information created from a process you could ensure that the next time a system is being developed you will have a repository to look to for reference on potential security threats and methods of dealing with them. Since the system analyst is not working from scratch there is a saving of time and money. In creating and reusing a process you also help ensure consistency and reliability.
• Compute the risk of a type of attack: Different attacks have different probabilities of occurring as well as have different costs associated with them. If an attack is low gain but has a high cost of prevention it won’t be worth it to prevent against it (Buldas, Laud, Priisalu, Saarepera and Willemson, 2006)
• Can be broken down in to multiple pieces: By creating a scalable process you don’t have to have someone who is an expert in every single area instead you could have subject matter experts look at the system and offer their input.

The Latest Developments in Attack Tree Processes

Since Schneier introduced the concept of Attack Trees (1999) several other researchers have worked to fine tune the process. Buldas et al. have offered a more accurate estimate of the probability of an attack and how it in turn influences the cost of preventing against such an attack (2006).

By exploring what sort of profit an attacker could gain from conducting the attack (e.g. stealing a competitors designs) and weighing the profit against the cost of the attack (e.g. going to jail) the system analyst will be able to see if reward is proportional to the risk the attacker takes. If an attacker feels that the reward is not proportional to the risk involved, then the probability of an attack occurring is reduced and in turn the resources required to protect the system from such an attack could be reduced as well.

Practical examples of industries that could benefit from using an Attack Tree methodology have also been outlined. Sommestad, Ekstedt and Nordström (2009) have written a framework for the practical application of using Attack Trees along with other processes to manage the security of power communication systems.

Since power generation is a “cornerstone of society’s critical infrastructure” (Sommestad et al., 2009, p. 1) the protection of the Wide Area Networks that support them is a top priority. However security for such a system is complicated by factors such as; systems of varying age, different levels of criticality and geographical positioning of such systems.

Attack Trees in Relation to My Personally Experience

When I took a course in “Project Management” I read an article “Secrets to Creating the Exclusive Accurate Estimate.” The author mentioned that a project manager should know that a project without risk analysis is useless (Gray, 2001). Before we set up countermeasures to mitigate the risks, we need to know what the threats are. The fundamental concept of an Attack Tree process is to analyze the relation between cause and consequence of malicious attraction. Analyzing the cause and effect of an action is a skill I frequently use to make effective decisions. I list all possible options, analyze the outcome of each option, and estimate the cost I will pay for choosing a particular option. For instance, I would like to eliminate the mice in my apartment. I can use mouse poison, a glue trap, or hire a professional. There are various brands of mouse poisons and glue traps available on the shelves. I might need do some research to analyze their effectiveness and the environmental impact once I used them. Also, if I don’t want to see or dispose of the body of the mouse, the glue trap might not be a good choice. Hiring a professional could be an efficient option, but it might cost me a lot. Based on my budget and other relative factors, I can build up an Attack Tree for my Mouse War and use it to assist me to make the best decision.

However, the true value of an Attack Tree lies in its ability to assist people in analyzing factors of vulnerability and estimating the feasibility of practices with more complex circumstances such as the incorporation of a networking system. Moreover since Attack Trees provide a systematic methodology which is traceable and reusable it means that not only will the analyst who developed the Attack Tree process be able to utilize it, but they could also hand down the process to others (Network & Security Technologies, I., 2005). Once a basic template has been completed such as an Attack Tree for a virus attack, this Attack Tree could be reused as a branch in a more complex model. The analyst doesn’t have to rebuild it iteratively.

The Potential of Attack Trees to Impact Business

The IT industry, today, is expanding at an immense rate. Meanwhile, the tricks used by attackers improve at a pace beyond which we can imagine. Not only do businesses that are heavily invested in IT have to evolve to fight these malicious threats, but also all business are supposed to equip themselves with the ability to deal with emerging threats.

Intuition and experience can help a security analyst anticipate a vicious attack and reduce the damage from it (Ingoldsby, T. R., 2009). However, the modes of attack are innovating quickly and both intuition and experience are hard to pass to others. So, business needs a process-based tool such as an Attack Tree to analyze threats. Moreover, Attack Trees could be a bridge to connect an experienced analyst with others (Ingoldsby, T. R., 2009). An analyst created Attack Tree could explain the rationale behind their process and people could learn and extract intelligence from the Attack Trees. As a result of adopting an Attack Tree process, security analysts could build a more efficient communication mechanism.

In addition, one of the features of Attack Trees is reusability, while performing risk-analysis, it is not necessary to re-build a new Attack Tree process. A security analyst just needs to retrieve a comparative already designed Attack Trees process and trim it to fit the new mission. For a business this procedure not only saves time and money, but also helps improves the process. Since we are creating an Attack Tree based on old one, it is a way to accumulate experience to make the new Attack Tree more comprehensive.

Companies no matter if they are IT related or not, are concerned about internet security issues. Some of them will look to an IT consulting firm for advice. Therefore, some IT consulting firms introduce Attack Tree to their clients. You can easily surf their website and acquire the explicit knowledge of Attack Tree, for instance, the website of Amenaza (http://www.amenaza.com/methodology_2.php). Moreover, some companies have developed a unique Threat Risk Analysis (TRA) methodology based on the Attack Tree process (Amenaza Technologies Limited, 2009). Although this could be perceived as an extension of Attack Trees, these consulting firms possess exclusive knowledge of Attack Tree processes which will help them build up their reputation.

Conclusion

Malicious internet attacks happen every day. The best approach to protect yourself is to forecast an attacker’s behavior before the disaster happens. There could be thousands of types of feasibility threats, such as; virus infections, a hacking attack, an internal attack, etc… so we need a methodology to manage the TRA. An Attack Tree could be a powerful tool if it is properly implemented.

References

• Schneier, B. (2004). Secrets and lies: digital security in a networked world. Wiley.
• Buldas, A, Laud, P, Priisalu, J, Saarepera , M, & Willemson, J. (2006). Rational Choice of Security Measures via Multi-Parameter Attack Trees. Critical Information Infrastructures Security, 4347.
• Sommestad, T, Ekstedt, M, & Nordström, L. (2009). modeling security of power communication systems using defense graphs and influence diagrams. IEEE Transactions on Power Delivery, 24(4),
• Schneier, B. (1999). Attack trees. Dr. Dobb’s journal , 24(12),
• Gray, N. S. (2001, August). Secrets to Creating the Exclusive ‘Accurate Estimate’. PM Network, 4.
• Network & Security Technologies, I. (2005). Attack Tree/Threat Modeling Methodology. from http://www.netsectech.com/services/attack_tree_methodology.pdf
• Ingoldsby, T. R. (2009, Jan., 16). Attack Tree Analysis. Red Team, from http://redteamjournal.com/2009/01/attack-tree-analysis/
• Amenaza Technologies Limited. (2009). Amenaza SecurlTree. from http://www.amenaza.com/downloads/docs/SCMagazine20-Nov2009-Amenaza.pdf