Capabilities-based Attack Tree Threat Risk Analysis

The attack tree approach represents a major breakthrough in threat risk analysis (TRA). It is based on a very simple premise:

IF they want to AND they can THEN they will.

Every organization has enemies. They may be Internet computer hackers, competitors, dishonest employees, terrorists or even foreign governments. Whether or not your enemies will use a particular attack against you depends on whether they have what it takes to perform the attack. Amenaza calls this wherewithal "capability". An adversary's capability includes many things: financial resources, technical skill, the ability to acquire the materials needed for an attack and a willingness to accept the consequences of their actions. Different types of attackers have differing amounts of these resources, and this constrains the types of attacks they will use.

Attack tree analysis describes the possible attacks against a system in the form of a graphical, mathematical model called an attack tree. The capabilities of motivated attackers are compared with the resources required to perform specific attacks in the model. Attacks that are beyond the adversary's capabilities are low probability. Attacks that are within the adversary's capabilities and accomplish the attacker's objectives are considered highly likely.

Attack tree models can also contain information about the negative impact an attack will have on the victim. When target impact information is combined with the attack probability analysis described above, the result is an estimate of the risks associated with each potential attack. This allows intelligent risk mitigation decisions
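
The capability comparison and impact ranking described above can be sketched in a few lines of Python. This is an added example, not Amenaza's model or tooling: the tree, the resource scales, the two adversary profiles and the aggregation rules (cost adds up, skill and exposure take the most demanding step, impact adds up) are all constructed assumptions, and treating every in-capability scenario as likely is a simplification.

```python
from itertools import product

def leaf(name, cost, skill, exposure, impact):
    # cost: money needed; skill: 1-5; exposure: 1-10 consequences the attacker
    # must accept; impact: 0-10 harm to the victim. All values are constructed.
    return dict(name=name, cost=cost, skill=skill, exposure=exposure, impact=impact)

# Constructed attack tree: a node is a leaf dict or ("AND"|"OR", [children]).
TREE = ("OR", [
    leaf("guess weak admin password", 100, 2, 2, 6),
    ("AND", [leaf("obtain staff badge", 2000, 3, 5, 0),
             leaf("enter server room", 500, 4, 7, 9)]),
    leaf("bribe insider for data", 50000, 1, 6, 8),
])

# Constructed adversary profiles: the most of each resource they can bring.
OPPORTUNIST = dict(cost=500, skill=2, exposure=2)
COMPETITOR = dict(cost=100000, skill=3, exposure=6)

def scenarios(node):
    """Expand the tree into attack scenarios (lists of leaves reaching the root)."""
    if isinstance(node, dict):
        return [[node]]
    op, children = node
    parts = [scenarios(c) for c in children]
    if op == "OR":  # any one child is enough
        return [s for part in parts for s in part]
    return [sum(combo, []) for combo in product(*parts)]  # AND: one from each child

def requirements(scenario):
    # Assumed aggregation: money adds up; skill and exposure are set by the
    # most demanding step in the scenario.
    return dict(cost=sum(l["cost"] for l in scenario),
                skill=max(l["skill"] for l in scenario),
                exposure=max(l["exposure"] for l in scenario))

def assess(tree, adversary):
    """Scenarios within the adversary's capabilities, highest victim impact first."""
    found = []
    for s in scenarios(tree):
        need = requirements(s)
        if all(need[k] <= adversary[k] for k in need):
            names = tuple(l["name"] for l in s)
            found.append((names, sum(l["impact"] for l in s)))
    return sorted(found, key=lambda item: -item[1])

if __name__ == "__main__":
    for label, adv in (("opportunist", OPPORTUNIST), ("competitor", COMPETITOR)):
        print(label, assess(TREE, adv))
```

The server-room scenario carries the highest impact but drops out for both profiles because its skill and exposure requirements exceed what either adversary brings, which is the pruning step the analysis relies on.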