As was shown earlier, pruning can give you a pretty good idea of the attacks an adversary can perform against you. However, there are limitations.
One limitation of simple attack tree pruning is that the outcome of an attacker's attempt to exploit a leaf node vulnerability is boolean; the attacker is either completely able and willing to perform the exploit or they are not. Small errors in exploit costs or resource constraints can yield completely different results. For example, if an attacker is believed to have $1,000 at their disposal and an attack costs $1,001, then it will be ruled out. It is unlikely that an attacker with $1,000 would not be able to find an additional $1, particularly if the attack would bring a substantial reward.
The simple pruning method examines each resource in isolation. It fails to recognize that an attacker perceives the cost of the attack as the combination of the resources they have to deploy. A more sophisticated approach is required.
The advanced analysis functions now available in SecurITree overcome the limitations of the boolean pruning analysis. First, the analyst defines graphical affinity functions that show the value that each type of threat agent places on a resource and their willingness to part with it. For any given resource requirement the corresponding threat agent function yields a value between 0 and 1, indicating the affinity that threat agent has for the resource. An overall cost for any set of resource requirements is easily calculated by taking the product of the perceived, individual resource costs. Similarly, curves are defined that show how much the attacker values the rewards obtained through the attack. Attacks with superior cost-benefit ratios are more likely to occur. Thus, the likelihood (or propensity) of each attack is easily determined.
Risk also involves the impact on the victim (something that was almost completely ignored in the simple pruning shown earlier). Different victims have different pain tolerances to the losses of resources. An ordinary homeowner would suffer greatly from a $5,000 loss whereas a Fortune 1000 company might hardly notice the impact. SecurITree's advanced analysis defines victim impact curves that provide an estimation of an attack's impact as seen through the victim's eyes. When combined with the probability determined earlier, the risk of each attack is known.
To model the fact that different people do not hold resources at the same value, SecurITree's advanced analysis allows analysts to define 'resource affinity curves' - a curve which defines how willing an attacker is to part with a particular resource.
This particular curve indicates that the attacker is very willing to part with small values of the resource (starting from the left), which quickly drops off, and then levels out. You can compare this to the conventional pruning curve, indicated by a dotted line.
For more information on the theory behind advanced analysis resource affinity curves, please contact Amenaza Technologies to request the "Advanced Analysis" whitepaper.
Before performing advanced analysis, you need to set indicator functions and assign values to all leaf nodes as described in the first demonstration.
Once that is completed, you can begin. Start by clicking Analyze -> Advanced Analysis. The dialog prompting for a name appears. Since Advanced Analysis is used to model both attackers and victims, the name should reflect this by including both. For our Burgle House example, we will use the name "Homeowner vs. Juvenile Delinquent".
After you enter the analysis name, a large window titled Define Indicator Utility Functions will appear. This is where you define the curves, as described earlier. We will take a look at each section of the window in turn.
The first section of the window is used to define Agent Profile values. It is split into two sections: Attacker Resource Constraints (which are behavioral indicators) and Attacker Benefits (impact indicators).
The next section defines the Victim Profile values. This section only contains Victim Impacts (which are impact indicators).
The indicators that have been defined for the tree are grouped this way in order to show how analysis is performed. As will be shown in more detail later:
To define curves for each indicator, click on the Define Curve button. If a curve has already been defined for an indicator the button will read Edit Curve. This will bring up a window like this. To set the curve, simply drag the blue and green squares and the curve on-screen will follow suit.
The Min X and Max X values are automatically set to the minimum and maximum values found on the tree or are based on the range defined for the indicator. These values can be changed. For instance, if you feel that the attacker cannot possibly perform an attack over a value of, say, 1000, enter 1000 as Max X. If you feel that an attacker has absolutely no problems using up to 50 resource points, then you can set Min X to 50. Note that this is generally discouraged - for most situations, the default values give the correct scale.
Once you are finished, hit OK to return to the previous screen.
Back on the Define Indicator Utility Functions window, continue down the window defining each utility function in turn as described above.
If you have any boolean indicators defined, you will be presented with a Define Mapping button instead of the Define Curve button.
Boolean mappings can best be thought of by asking yourself two questions: If a leaf's boolean value is set to True, can the attacker which I am modeling perform the attack? If a leaf's boolean value is set to False, can the attacker which I am modeling perform the attack?
The screenshot here shows an attacker with no special privileges. When confronted with an attack which requires a breach of trust, he is unable to perform the attack. He can, however, perform attacks which do not need special privileges.
Once you have defined all curves and mappings, hit OK to proceed to the analysis screen.
The main Advanced Analysis screen looks much like the Attack Scenarios screen with some additional columns. In the top portion the scenarios are listed. Clicking on each will show the leaf node attacks in that scenario and the nodes along the path to the root node in the bottom portion of the window.
The top panel shows several columns. First, there is a column for the raw value of each behavioral indicator, along with an F(indicator) column which shows the value after having been run through the utility functions.
After all the behavioral indicator columns, the column Ease of Attack gives the product of the utility function values of all behavioral indicators in one value.
Next are all the Attacker Benefit impact indicator functions, along with their utility values, in the same manner as the behavioral indicators. The weighted sum of these values is shown in the Desirability column.
The next column, Propensity, combines Ease of Attack and Desirability. This column is essentially a summary of all factors of the adversary - how easy it is to perform the attack, combined with how beneficial it would be.
The Pain Factor column takes into account all of the Victim Impact indicators, such as Damage Cost, to provide a single value for how much an attack will hurt.
Finally, the last column, Risk Metric, combines Pain Factor and Propensity to give a single value of the combined risk for each attack. By sorting on this column, you can find, in ascending order of importance, the list of attacks which could be performed against you.
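The column calculations described above can be followed by hand with a short script. This is an added example, not SecurITree code: the curve shapes, weights, scenario values, the weighted-sum Pain Factor, and the use of a product wherever the text says two columns are "combined" are all assumptions made for illustration. It also reproduces the $1,000 budget versus $1,001 attack case to contrast boolean pruning with an affinity curve.

```python
# Added illustration: curve shapes, weights, scenario values and the use of a
# product to "combine" columns are assumptions, not SecurITree's own formulas.

def curve(points):
    """Piecewise-linear utility function through (x, y) points, flat outside them."""
    pts = sorted(points)
    def f(x):
        if x <= pts[0][0]:
            return pts[0][1]
        for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
            if x <= x1:
                return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
        return pts[-1][1]
    return f

def boolean_prune(cost, budget):
    """Simple pruning: the attack is either fully possible (1.0) or ruled out (0.0)."""
    return 1.0 if cost <= budget else 0.0

# Constructed "Homeowner vs. Juvenile Delinquent" profile.
RESOURCES = {"cost": curve([(0, 1.0), (1000, 0.3), (2000, 0.0)]),  # attacker resource constraints
             "skill": curve([(0, 1.0), (100, 0.0)])}
BENEFITS = {"gain": (1.0, curve([(0, 0.0), (5000, 1.0)]))}         # attacker benefits: (weight, curve)
IMPACTS = {"damage": (1.0, curve([(0, 0.0), (5000, 1.0)]))}        # victim impacts: (weight, curve)

SCENARIOS = {  # constructed indicator totals for two attack scenarios
    "A": {"cost": 1001, "skill": 10, "gain": 2500, "damage": 5000},
    "B": {"cost": 100, "skill": 50, "gain": 500, "damage": 1000},
}

def analyze(s):
    ease = 1.0
    for name, f in RESOURCES.items():
        ease *= f(s[name])                        # Ease of Attack: product of F(indicator)
    desirability = sum(w * f(s[n]) for n, (w, f) in BENEFITS.items())  # weighted sum
    pain = sum(w * f(s[n]) for n, (w, f) in IMPACTS.items())           # assumed weighted sum
    propensity = ease * desirability              # assumed combination rule
    return {"ease": ease, "desirability": desirability, "propensity": propensity,
            "pain": pain, "risk": propensity * pain}  # Risk Metric: assumed product

def rank(scenarios):
    """Scenario names, highest Risk Metric first."""
    return sorted(scenarios, key=lambda k: analyze(scenarios[k])["risk"], reverse=True)

if __name__ == "__main__":
    print("boolean:", boolean_prune(1001, 1000), "curve:", RESOURCES["cost"](1001))
    for name in rank(SCENARIOS):
        print(name, {k: round(v, 4) for k, v in analyze(SCENARIOS[name]).items()})
```

Scenario A would be discarded outright by boolean pruning because its cost is $1 over budget, yet with the curve it ranks as the higher-risk scenario of the two.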
At this point, you should understand the basic features of advanced analysis and how to perform it. If you want to review the information again, you can hit the Refresh button; if you want to print this demonstration, you can do so using your browser's Print button. Otherwise, please continue on to the next slideshow: Case Study: Burgle House, or return to the main demo page.