Attack Tree Analysis

"Defenders have always tried to anticipate the behavior of their adversaries in order to thwart attacks or reduce the damage they will cause. Historically, this process has been done primarily through intuition. Although it is difficult to identify all of the factors that lead to intuition, it would seem to be based principally on an individual’s experiences, and the ability to extrapolate how those experiences apply to new situations. Obviously the accuracy of the intuition will depend heavily on the breadth of the analyst’s experience and their powers of reasoning. Even if an individual can be found who possesses excellent intuition, it is almost impossible to transfer this knowledge to anyone else, or even to capture and explain the reasoning behind their understanding.

The field of security is not unique in its use of intuition. Most engineering disciplines began in similar fashion. People built bridges, buildings, and other structures for thousands of years without the use of sophisticated analytic techniques. However, mastery of more advanced design processes allowed some societies to build dramatically larger and more complex structures. Modern skyscrapers are certainly an example of this and some claim that ancient Egyptians also used advanced mathematics to create the pyramids. The application of comparable processes to the field of security should likewise provide more effective and elegant defense mechanisms.

Attack trees are a graphical and mathematical construct used to

  • Identify potential hostile activities that pose the greatest risk to the defender;
  • Determine effective (and cost-effective) strategies for reducing the defender’s risk to an acceptable level;
  • Describe the potential interactions between the adversary and the defender;
  • Provide a communication mechanism for security analysts;
  • Capture what is known (facts) and believed (assumptions) about the system and its adversaries, and store the information in a form that can subsequently be retrieved and understood by others.

These qualities make attack trees applicable to security problems in a wide range of fields, including information technology, telecommunications, critical infrastructure, health care, finance, aerospace, intelligence, and defense."