RE: Attack Trees

From: Yvan Boily (yboily_at_seccuris.com)
Date: 03/03/04

    To: "'Gulsher Bajwa'" <gulsher_bajwa@yahoo.com>
    Date: Wed, 3 Mar 2004 13:48:58 -0600
    
    

    I have done some work with attack trees, especially recently as I am
    attempting to integrate attack trees which map known issues into our risk
    metric system that is used to calculate the risks associated with potential
    vulnerabilities and other intangibles.

    When we are conducting a security audit we have used a risk metric system
    that has been very effective to date. We have a table of certain types of
    attacks and associated base metrics. By analyzing the technical difficulty
    and exposure of attacks, and taking into account the value of the assets we
    develop a risk metric that has enabled us to effectively prioritize issues to
    correct on a network.

    The only area we are finding difficulty is in factoring in exposure to
    attack. We currently have different exposure labels which represent the
    different portions of the network, and scale the modifiers based on the
    difficulty to transit between security points in the network.

    I am in the process of developing a better system for calculating exposure
    and complexity of attacks using threat modeling and attack trees to
    illustrate and communicate these "intangibles". I have found (repeatedly;
    seriously, imagine running into a brick wall, time after time) that
    communicating the exposure and complexity of an attack is difficult. The
    issue is not the inability to accurately represent the risk of a
    vulnerability; the issue is communicating why, using risk metrics, one can
    select an issue to be higher priority.

    In terms of validation of data, depending on the context, there may be no
    real way. If you are building an attack tree based on strictly known
    attacks, then this is fairly easy; download your updates, and fire up your
    scanners. Isolate the false positives, and then map how the vulnerabilities
    can be chained together to compromise the system. When attempting to use
    attack trees to analyze potential weaknesses that are derived from analysis
    of a system it becomes difficult to validate nodes beyond the node
    classified as a potential issue.

    The real trick in working with attack trees appears when using them with
    risk metrics; I have never been a fan of strict risk metrics to evaluate
    issues. Too frequently they are stretched to make an issue seem more severe
    than it really is. By combining the attack tree with risk metrics you
    essentially throw validation out the window because each metric is based on
    estimated data.

    Although I have not yet worked out a mechanism for properly presenting the
    risk metrics without unduly skewing the client's perception of the report, I
    have been able to use threat modeling and attack trees in conjunction with
    our risk metrics to properly illustrate and motivate people to correct
    flaws.

    Yvan Boily
    Information Security Analyst
    Seccuris

    -----Original Message-----
    From: Gulsher Bajwa [mailto:gulsher_bajwa@yahoo.com]
    Sent: Wednesday, March 03, 2004 9:41 AM
    To: security-basics@securityfocus.com
    Subject: Attack Trees

    Hi. Has anyone here used attack trees as a means to assess security? I am
    currently doing a project as part of my masters program at UB. The
    objective is to arrive at the security model that is based on sound metrics.

    Another issue is how does one validate the data that is fed into a model?

    I have looked at a tool called SecurTree that essentially constructs attack
    trees. The company that designed the tool blatantly states that the values
    they assign to the inputs are empirically established. That doesn't say too
    much in terms of validation.

    Also, is there any way to profile an attacker? The objective is to conduct
    a capability analysis of threat agents.

    I am sorry if the above sounds vague. I am fairly new to Security modeling.
    Any guidance will be much appreciated.

    Regards,

    Gulsher
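As an added illustration of the approach Yvan describes above (a base-metric table per attack type, exposure labels per network zone, and attack-tree nodes that chain scanner findings), here is a small evaluator that is not part of the original thread. The difficulty table, zone modifiers, tree and asset values are all constructed sample data, and the formula (asset value x exposure / difficulty) is an assumed stand-in for the unpublished Seccuris metric.

```python
"""Attack-tree risk evaluator: propagates technical difficulty and exposure
through AND/OR nodes, then ranks goals by a simple risk metric.
All tables and trees below are constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed base-metric table: attack type -> technical difficulty (1 easy .. 10 hard).
BASE_DIFFICULTY = {"default_credentials": 1, "unpatched_service": 3,
                   "weak_acl_pivot": 4, "custom_exploit": 8}

# Constructed exposure labels: zones behind more security boundaries get
# smaller modifiers, standing in for "difficulty to transit between points".
EXPOSURE = {"internet": 1.0, "dmz": 0.6, "internal": 0.3, "restricted": 0.1}

@dataclass
class Node:
    name: str
    op: str = "LEAF"                 # "AND" (all children), "OR" (any child), "LEAF"
    attack: Optional[str] = None     # key into BASE_DIFFICULTY for leaves
    zone: Optional[str] = None       # exposure label of the zone the step runs in
    children: List["Node"] = field(default_factory=list)

def evaluate(node: Node) -> Tuple[int, float]:
    """Return (difficulty, exposure) of the cheapest path to reach `node`."""
    if node.op == "LEAF":
        return BASE_DIFFICULTY[node.attack], EXPOSURE[node.zone]
    paths = [evaluate(c) for c in node.children]
    if node.op == "OR":                       # attacker takes the easiest branch
        return min(paths, key=lambda p: p[0])
    # AND: every step is required, so difficulties add up along the chain and
    # the chain is only as exposed as its least exposed step.
    return sum(d for d, _ in paths), min(e for _, e in paths)

def risk(root: Node, asset_value: float) -> float:
    """Assumed metric: asset value scaled by exposure, divided by difficulty."""
    diff, exp = evaluate(root)
    return round(asset_value * exp / diff, 2)

def prioritize(goals: List[Tuple[Node, float]]) -> List[str]:
    """Goal names ordered from highest to lowest risk, for the remediation list."""
    return [g.name for g, v in sorted(goals, key=lambda gv: -risk(gv[0], gv[1]))]

# Constructed tree: two scanner findings chained (AND) versus a direct weak login.
CHAIN = Node("DMZ web server -> internal pivot", "AND", children=[
    Node("exploit unpatched web service", attack="unpatched_service", zone="dmz"),
    Node("pivot via weak ACL", attack="weak_acl_pivot", zone="internal")])
DB_GOAL = Node("Read customer DB", "OR", children=[
    CHAIN, Node("default DB credentials", attack="default_credentials", zone="internal")])
WEB_GOAL = Node("Deface public web", attack="custom_exploit", zone="internet")

if __name__ == "__main__":
    print(prioritize([(DB_GOAL, 100), (WEB_GOAL, 20)]))   # ['Read customer DB', 'Deface public web']
```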
