Creating an Attack Tree

Building an Attack Tree Diagram

The process involved in constructing the attack tree for your target system begins with the identification of the goals of possible attacks. Due to the fact that different attacks may contain similar methods, this may result in inter-linked attack trees. The next stage is to identify all possible attack methods that may result in the goals being achieved. These first two stages will produce the top level of the system model.

Each attack may consist of a large number of conditions that need to be met to allow the attack to be successful, or it may simply consist of a single quantifiable event. Therefore, the next step in the construction of the attack tree is to break down each attack into the basic conditions. This will result in a full attack tree structure with every ‘branch’ ending in a single quantifiable event.

Specifying the Frequency of an Attack

Once the structure is complete, it is necessary to specify the likely frequency for each attack. Next, each event probability must be specified. That is to say, how probable each aspect of the attack is to succeed.

In addition to analyzing how likely an attack is to succeed, attack trees can also employ indicators to describe the cost to the attacker, whether any special equipment is needed, etc. A value for each indicator type is assigned to each event.

Modeling the Consequences of an Attack

Finally, AttackTree allows users to define consequences and attach them to any gate within the attack tree. In this way, it is possible to model the consequences of successful attacks on the target system. This is a particularly useful feature when there are many Top Events representing different types of attack, or there are gates in the attack tree representing partial success of an attack.

Screen Shots