Sponsor Hampton 4 Workshop CE Credit : 0.30
07-31-2019 08:00 AM - 12:00 Noon(America/New_York)
Attack of the Trees! A Modified Fault Tree Approach to System Security - Day 2


Hampton 4 37th International System Safety Conference isssconferences@system-safety.org

In system security, it is important to be able to analytically investigate a system in a provable, quantitative way. Finding system vulnerabilities should not be left up to guesswork. Without a verifiable method of demonstrating weak points, efforts to improve security may simply be wasted.

Fault trees are a trusted and well-established method of investigating system reliability. This methodology graphically represents component failure events and how they logically interact to produce a system failure mode. Fault trees can help us understand the likelihood of a system failure and the component failure events most likely to contribute to system failure.

While fault trees usually consider random component failures as the inputs to the system, the methodology is flexible enough to consider any failure mode as an input. Likewise, the functional failure of a system is usually considered as the output of the model, but any system failure mode, or adverse occurrence, can be modeled. With a few tweaks, we could consider the inputs to the model as targeted attacks made by a malicious attacker, and the output system failure mode as a breach or compromise of system security. We can thus find the various paths an attacker might use to compromise a system, and which attacks are most likely to succeed.

"Indicators" are an additional concept often found in attack trees. These values indicate how difficult an attack would be to perform by the attacker. Common indicators include the cost of the attack, if any special or hard-to-obtain equipment is required, and a ranking of the skill required to perform the attack. For any given path to compromise the system, we can calculate how much it will cost the attacker, how difficult it is to perform, if any special equipment is required, etc., and thus determine the simplest attack path to compromise the system.

This can help us discover counter-intuitive features of a system. What we see as the most vulnerable access point to a system, and where we focus most of our security efforts, may not in fact be the simplest attack vector. By modeling a system with an attack tree, we can quantify the difficulty and probability of success for each attack, determine our system's most vulnerable weaknesses, and plan our future system security improvements accordingly.

This tutorial will use Isograph's Attack Tree software to introduce the concept of attack trees as a modification of fault trees. We will review basic methodologies common to both fault and attack trees, including the top-down approach to creating a tree and the Boolean algebra used to produce cut sets (failure paths). We will learn how to input quantitative data, such as indicator values and success probability, into our attack tree models. Lastly, we will look at example attack trees, and see where the attack tree analysis tells us an attacker is most likely to succeed, and how difficult this will be. We will also consider how these successful attacks can be mitigated by improved system security.
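The cut-set and indicator calculation described above can be sketched in a few lines. This is an added example, not code from the tutorial or from Isograph's software; the tree, leaf names, costs and probabilities are constructed, and the steps of a path are assumed to succeed independently.

```python
from itertools import product
from math import prod

# Constructed leaf attacks: name -> (attacker cost, success probability, special equipment?)
LEAVES = {
    "phish_admin":    (500,  0.30, False),
    "guess_password": (100,  0.05, False),
    "steal_badge":    (2000, 0.20, False),
    "clone_badge":    (1500, 0.40, True),
    "bypass_alarm":   (3000, 0.50, True),
}

# Constructed tree: a tuple is (gate, children...), a string is a leaf attack.
TREE = ("OR",
        ("OR", "phish_admin", "guess_password"),              # remote access
        ("AND", ("OR", "steal_badge", "clone_badge"), "bypass_alarm"))  # physical access

def cut_sets(node):
    """Top-down Boolean expansion: every minimal set of leaves that triggers the node."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":   # any child's cut set is enough
        sets = [s for cs in child_sets for s in cs]
    else:              # AND: one cut set from every child, merged
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    uniq = set(sets)
    # Absorption law: a set that strictly contains another cut set is not minimal.
    return [s for s in uniq if not any(o < s for o in uniq)]

def score(cs):
    """Roll leaf indicators up to one attack path (cut set)."""
    return {
        "path": sorted(cs),
        "cost": sum(LEAVES[l][0] for l in cs),            # costs add along a path
        "p_success": prod(LEAVES[l][1] for l in cs),      # independence assumed
        "special_equipment": any(LEAVES[l][2] for l in cs),
    }

def rank_paths(tree=TREE):
    """All attack paths, cheapest for the attacker first."""
    return sorted((score(cs) for cs in cut_sets(tree)), key=lambda r: r["cost"])

if __name__ == "__main__":
    for row in rank_paths():
        print(row)
```

In this constructed tree the cheapest path and the most likely path differ, which is the kind of result that decides where a mitigation budget goes first.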


Isograph, Inc.
Submitted by Joe Belland