Re: best tool to draw attack trees ??

• Previous message: Athanasios Vamvakas: "RE: SQL Injection - retrieving all rows"
• Next in thread: Dug Song: "Re: best tool to draw attack trees ??"
• Reply: Dug Song: "Re: best tool to draw attack trees ??"
• Reply: Mark Curphey: "Re: best tool to draw attack trees ??"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 22 Mar 2002 18:22:25 -0800
From: "lit sec" <security@luddites.ca>
To: "'pen-test@securityfocus.com'" <pen-test@securityfocus.com>, "Kruse, Darren (DEH)" <Kruse.Darren2@saugov.sa.gov.au>

Attack Trees, eh?

I've had a look at the Java-based solution over at http://www.amenaza.com/ . Looks like it might suit your needs. Fairly easy to use, and does a hell of a lot more than Visio. Here's a quote: "(Amenza) ...the developers of SecurITree, a risk assesment tool and methodology that can help your organization determine possible threats to your IT systems and how to best ward off these threats."

-Luddites.Canada

---------- Original Message ----------------------------------
From: "Kruse, Darren (DEH)" <Kruse.Darren2@saugov.sa.gov.au>
Date: Fri, 22 Mar 2002 13:30:18 +1030

>I'm puzzling over what is the best way to draw attack trees.
>Attack trees provide a formal, methodical way of describing the security of
>systems, based on varying attacks. Basically, you represent attacks against
>a system in a tree structure, with the goal as the root node and different
>ways of achieving that goal as leaf nodes.
>Bruce Schnier's Secrets and Lies - Digital Security in a Networked World
>http://www.amazon.com/exec/obidos/ASIN/0471253111/qid=1016671800/sr=8-1/ref=
>sr_8_67_1/002-8209990-0206427 , in particular chapter 21 covers Attack Trees
>There's also a DDJ article on attack trees
>http://www.ddj.com/documents/s=896/ddj9912a/9912a.htm (also by Bruce
>Schnier) that covers virtually the same ground as the book.
>I'm thinking that it would make a really good motivational tool for
>management to see what all the threats are against our systems.
>Having a documented attack tree would also help me in identifying what holes
>,and threats I need to worry about RIGHT NOW !
>My first thought was to wade in, and start drawing with Visio - making use
>of the layers feature to distinguish between different sets of values..
>Possible / Impossible Cost script kiddie tool released ?
>etc..
>But does anyone know of a more "closely-suited" tool than Visio ? I've done
>a google search on "attack tree" software, and come up blank.
>There are cheaper alternatives to Visio - maybe Kivio mp
>http://www.thekompany.com/products/kivio/faq.php3 ?? Unfortunately, the KDE
>version (Kivio without the mp suffix) doesn't do layers. :-(
>Would a web interface be better ? - certainly for navigating between
>threats, but how about when you want to see a larger part of the tree ? , or
>the whole attack tree ??
>Maybe MS Project ? - it's good at showing inter-related tasks , that have
>dependancies and costs, and can output to HTML as well.
>How about when I want to add , or share bits of someone else's attack tree ?
>It would be cool to be able to download discrete sub-branches, just like you
>download additional Snort IDS signatures.
>
>Darren Kruse CCNP CCDP
>WAN/LAN Networking Consultant
>Mobile : (+61) 0407 446 399
>mailto://darren_kruse@hotmail.com
>http://www.geocities.com/darren_kruse
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Previous message: Athanasios Vamvakas: "RE: SQL Injection - retrieving all rows"
• Next in thread: Dug Song: "Re: best tool to draw attack trees ??"
• Reply: Dug Song: "Re: best tool to draw attack trees ??"
• Reply: Mark Curphey: "Re: best tool to draw attack trees ??"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: best tool to draw attack trees ?? ... We looked at Attack Trees at OWASP ages ago. ... >>Bruce Schnier's Secrets and Lies - Digital Security in a Networked World ... >>This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... (Pen-Test) RE: best tool to draw attack trees ?? ... We looked at Attack Trees at OWASP ages ago. ... >>Bruce Schnier's Secrets and Lies - Digital Security in a Networked World ... For more information on SecurityFocus' SIA service which ... (Pen-Test) Re: best tool to draw attack trees ?? ... represent attack trees in XML and graph them with Graphviz. ... Bruce Schnier's Secrets and Lies - Digital Security in a Networked World ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... (Pen-Test) RE: Attack Trees ... I have done some work with attack trees, ... When we are conducting a security audit we have used a risk metric system ... attacks and associated base metrics. ... (Security-Basics) RE: SQL ... Subject: SQL ... >> This list is provided by the SecurityFocus Security ... For more information on SecurityFocus' SIA service which ... >This list is provided by the SecurityFocus Security Intelligence Alert ... (Pen-Test)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint