What Are Attack Trees?

Attack trees are hierarchical, graphical diagrams that show how low level hostile activities interact and combine to achieve an adversary's objectives - usually with negative consequences for the victim of the attack.

Similar to many other types of trees (e.g., decision trees), the diagrams are usually drawn inverted, with the root node at the top of the tree and branches descending from the root. The top or root node represents the attacker's overall goal. The nodes at the lowest levels of the tree (leaf nodes) represent the activities performed by the attacker. Nodes between the leaf nodes and the root node depict intermediate states or attacker sub-goals. Although the attacker may gain benefits (and the victim suffer impacts) at any level of the tree, the impacts usually increase at higher levels of the tree.

Physically damage cooling pumps tree Non-leaf nodes in an attack tree are designated as either AND or OR nodes, and usually represented by the familiar Boolean Algebra AND/OR shapes. AND nodes represent processes or procedures. All of the activities or states represented by the nodes immediately beneath an AND node must be achieved to attain the goal or state represented by the AND node. OR nodes represent alternatives. If any of the nodes directly beneath an OR are attained then the OR state is also attained.

Attack trees are most commonly used to describe attacks against cyber systems. However, they can also be used to model physical attacks. An example of a tree describing physical attacks on a hypothetical nuclear plant's cooling systems is shown.

Certain combinations of leaf level events will satisfy the tree's AND/OR logic and result in one or more paths leading to the root goal of the tree. These sets of events are known as attack scenarios.

Performing the leaf level attack operations usually requires the adversary to expend resources (time, money, skill, etc.) Different attack scenarios will have different sets of resources costs. Since adversaries differ in their characteristics, some scenarios will be better suited to one adversary and other scenarios to another. The analysis of which scenarios best fit a given adversary is known as capabilities-based analysis. Further analysis can incorporate information about an attacker's goals to assess the desirability of given attacks. The combination of capability and desirability are used to predict the likelihood of given attacks. Factoring in the impact on the victim yields a true assessment of risk. Detailed information on this analysis is provided in the Methodology document available for download here.

Fault trees contributed greatly to the development of attack trees. Fault tree models have long been used to understand random faults due to mother nature, human error and equipment failure. Amenaza has enhanced the classic definition of attack trees to handle both hostile and random threats in the same model.

Amenaza's SecurITree software is capable of performing both attack tree and fault tree analysis.

Go to Attack Tree Origins >

SecurITree - threat modeling without limits