Security Basics mailing list archives

RE: Attack Trees


From: "Yvan Boily" <yboily () seccuris com>
Date: Wed, 3 Mar 2004 13:48:58 -0600

I have done some work with attack trees, especially recently as I am
attempting to integrate attack trees which map known issues into our risk
metric system that is used to calculate the risks associated with potential
vulnerabilities and other intangibles.  

When we are conducting a security audit we have used a risk metric system
that has been very effective to date.  We have a table of certain types of
attacks and associated base metrics.  By analyzing the technical difficulty
and exposure of attacks, and taking into account the value of the assets we
develop a risk metric that has enabled us to effectively prioritize issues to
correct on a network.

The only area we are finding difficulty is in factoring in exposure to
attack.  We currently have different exposure labels which represent the
different portions of the network, and scale the modifiers based on the
difficulty to transit between security points in the network.

I am in the process of developing a better system for calculating exposure
and complexity of attacks using threat modeling and attack trees to
illustrate and communicate these "intangibles".  I have found (repeatedly;
seriously, imagine running into a brick wall, time after time) that
communicating the exposure and complexity of an attack is difficult.  The
issue is not the inability to accurately represent the risk of a
vulnerability; the issue is communicating why, using risk metrics, one can
select an issue to be higher priority.

In terms of validation of data, depending on the context, there may be no
real way.  If you are building an attack tree based on strictly known
attacks, then this is fairly easy; download your updates, and fire up your
scanners.  Isolate the false positives, and then map how the vulnerabilities
can be chained together to compromise the system.  When attempting to use
attack trees to analyze potential weaknesses that are derived from analysis
of a system it becomes difficult to validate nodes beyond the node
classified as a potential issue.

The real trick in working with attack trees appears when using them with
risk metrics; I have never been a fan of strict risk metrics to evaluate
issues.  Too frequently they are stretched to make an issue seem more severe
than it really is.  By combining the attack tree with risk metrics you
essentially throw validation out the window because each metric is based on
estimated data.  

Although I have not yet worked out a mechanism for properly presenting the
risk metrics without unduly skewing the client's perception of the report, I
have been able to use threat modeling and attack trees in conjunction with
our risk metrics to properly illustrate and motivate people to correct
flaws.

Yvan Boily
Information Security Analyst
Seccuris 

-----Original Message-----
From: Gulsher Bajwa [mailto:gulsher_bajwa () yahoo com] 
Sent: Wednesday, March 03, 2004 9:41 AM
To: security-basics () securityfocus com
Subject: Attack Trees

Hi.  Has anyone here used attack trees as a means to assess security?  I am
currently doing a project as part of my masters program at UB.  The
objective is to arrive at the security model that is based on sound metrics.


Another issue is how does one validate the data that is fed into a model?

I have looked at a tool called SecurTree that essentially constructs attack
trees.  The company that designed the tool blatantly states that the values
they assign to the inputs are empirically established.
That doesn't say too much in terms of validation.

Also, is there any way to profile an attacker?  The objective is to conduct
a capability analysis of threat agents.

I am sorry if the above sounds vague.  I am fairly new to Security modeling.
Any guidance will be much appreciated.

Regards,

Gulsher
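
Added example, not part of either message and not the method of Seccuris or SecurTree: a small attack-tree evaluator that carries each leaf estimate as a (low, high) range, so it shows when a priority order survives the uncertainty in estimated inputs that the reply describes. The AND/OR propagation rule, the metric (asset value x exposure / difficulty), the exposure modifiers and the sample trees are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed exposure modifiers (percent) per network zone; not values from the post.
EXPOSURE = {"internet": 100, "dmz": 60, "internal": 30}

@dataclass
class Node:
    name: str
    kind: str = "leaf"              # "leaf", "and" or "or"
    difficulty: tuple = (1, 1)      # leaf only: (low, high) estimate, 1 = trivial
    children: list = field(default_factory=list)

def difficulty_range(node):
    """Propagate (low, high) difficulty estimates from the leaves to the root."""
    if node.kind == "leaf":
        return node.difficulty
    lows, highs = zip(*(difficulty_range(c) for c in node.children))
    if node.kind == "and":          # every step is required: difficulties add up
        return (sum(lows), sum(highs))
    if node.kind == "or":           # the easiest branch decides
        return (min(lows), min(highs))
    raise ValueError(f"unknown node kind: {node.kind}")

def risk_range(tree, asset_value, zone):
    """Assumed metric: asset value x exposure / difficulty, as a (low, high) range."""
    low, high = difficulty_range(tree)
    weight = asset_value * EXPOSURE[zone]
    return (weight / (100 * high), weight / (100 * low))

def ranking_is_stable(a, b):
    """True when the two risk ranges do not overlap, so the priority order
    holds for any estimates inside the stated bounds."""
    return a[0] > b[1] or b[0] > a[1]

# Constructed sample trees.
web = Node("compromise DMZ web server", "or", children=[
    Node("exploit known scanner finding", difficulty=(2, 4)),
    Node("take over admin interface", "and", children=[
        Node("reach admin interface", difficulty=(1, 2)),
        Node("guess admin password", difficulty=(3, 6))])])
db = Node("read internal database", "and", children=[
    Node("transit firewall from DMZ", difficulty=(4, 8)),
    Node("log in with default account", difficulty=(1, 2))])
files = Node("read internal file share", difficulty=(3, 9))

WEB_RISK = risk_range(web, 50, "dmz")
DB_RISK = risk_range(db, 100, "internal")
FILE_RISK = risk_range(files, 60, "internal")

if __name__ == "__main__":
    print("web vs db stable:", ranking_is_stable(WEB_RISK, DB_RISK))
    print("db vs files stable:", ranking_is_stable(DB_RISK, FILE_RISK))
```

When two ranges overlap, the report can say that the ordering depends on the estimates rather than presenting a single score as settled.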
