To be clear, I don’t want you to raze the Amazon Rainforest here. What I am referring to for this blog post is another visualization technique. Whereas DFDs focused on understanding the flow of information through your systems, Attack Trees are another graphical representation, one used to uncover how an attacker might exploit weaknesses in a system to achieve specific malicious objectives.

Weird tree-borne monster getting ready to attack something.
Larry in accounting is tired of being scapegoated as the #1 most common threat vector

The benefit of this approach is that attack trees are organized hierarchically, with the root node representing the overall malicious objective or goal of an attacker. This topic will start coming up a lot 😉 Subsequent nodes in the tree represent different steps or tactics the attacker can take to achieve that objective. The leaf nodes of the tree represent the specific attacks or actions an attacker can take to compromise the system or asset. These are the lowest-level nodes in the hierarchy. If the overall goal is to “gain unauthorized access to a server,” the attack tree might have nodes like “exploit a known software vulnerability,” “guess a weak password,” “brute force the password,” and so on.

Each of these nodes could have further sub-nodes, creating a detailed roadmap of potential attack paths. Nodes in an attack tree can be of two logical types:

  • AND Nodes: These represent a condition where multiple sub-tactics must be successful for the attack to progress. They are usually depicted as logical AND gates.
  • OR Nodes: These represent a condition where at least one of the sub-tactics must succeed for the attack to progress. They are typically depicted as logical OR gates.

We can see the general layout in this template here, borrowed from these fine folks. Notice they chose to go left-to-right – again, you choose!

Left-to-right simple attack tree from the fine folks at https://www.hindawi.com/journals/scn/2020/7169720/
If you’re wondering whether knowing all of this might make threat modeling a non-event, you are not wrong!

So what can we do with these trees? By assigning probabilities and impact values to each node, you can estimate the likelihood and potential consequences of different attack scenarios. This helps you prioritize security measures and resources. You can also use attack trees to identify and plan countermeasures to mitigate or prevent potential attacks. By understanding the attack paths, you and your organization can implement security controls appropriate to your threat picture and operate those controls and safeguards effectively. As we see in the figure below, these folks have actually begun to assign costs! That ought to get your C-suite a little more engaged!
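To make the AND/OR node semantics and the cost and probability roll-ups concrete, here is a small attack-tree model as an added example. It is not code from the original post or from the papers linked above. It uses the “gain unauthorized access to a server” goal and the leaf names from earlier in the post, plus one extra constructed leaf (“Enumerate a valid username”) so that an AND node has something to combine; every cost and probability value is a made-up placeholder, and the `apply_mitigation` helper is a hypothetical name for “re-score a leaf after a control is added.” OR nodes take the cheapest child and succeed if any child succeeds; AND nodes pay for every child and succeed only if all do (children are assumed independent).

```python
import copy
from dataclasses import dataclass, field
from typing import List

# Added example (not from the original post): a minimal attack-tree model with
# AND/OR nodes, scored with constructed cost and probability values, so a
# defender can see which path is cheapest/likeliest and re-score after a control.


@dataclass
class Node:
    name: str
    kind: str = "LEAF"             # "LEAF", "AND" or "OR"
    cost: float = 0.0              # attacker effort for a leaf (constructed units)
    probability: float = 0.0       # chance a leaf succeeds (constructed value)
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node) -> float:
    """Cheapest way to satisfy a node: OR picks the cheapest child, AND pays for all."""
    if node.kind == "LEAF":
        return node.cost
    costs = [min_cost(c) for c in node.children]
    return min(costs) if node.kind == "OR" else sum(costs)


def success_probability(node: Node) -> float:
    """AND: every child succeeds; OR: at least one child succeeds (independence assumed)."""
    if node.kind == "LEAF":
        return node.probability
    probs = [success_probability(c) for c in node.children]
    if node.kind == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    all_fail = 1.0
    for p in probs:
        all_fail *= (1.0 - p)
    return 1.0 - all_fail


def cheapest_path(node: Node) -> List[str]:
    """Leaf names on the cheapest path; mirrors the choices made by min_cost."""
    if node.kind == "LEAF":
        return [node.name]
    if node.kind == "OR":
        return cheapest_path(min(node.children, key=min_cost))
    path: List[str] = []
    for c in node.children:
        path.extend(cheapest_path(c))
    return path


def apply_mitigation(root: Node, leaf_name: str, cost: float, probability: float) -> Node:
    """Hypothetical helper: return a copy of the tree with one leaf re-scored after a control."""
    new_root = copy.deepcopy(root)

    def walk(n: Node) -> None:
        if n.kind == "LEAF" and n.name == leaf_name:
            n.cost, n.probability = cost, probability
        for c in n.children:
            walk(c)

    walk(new_root)
    return new_root


def build_tree() -> Node:
    """The post's server-access example with constructed scores on each leaf."""
    return Node("Gain unauthorized access to a server", "OR", children=[
        Node("Exploit a known software vulnerability", cost=50, probability=0.4),
        Node("Log in with guessed credentials", "AND", children=[
            Node("Enumerate a valid username", cost=5, probability=0.9),   # constructed leaf
            Node("Guess a weak password", cost=10, probability=0.5),
        ]),
        Node("Brute force the password", cost=30, probability=0.2),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest path:", cheapest_path(tree), "cost:", min_cost(tree))
    print("P(goal):", round(success_probability(tree), 3))
    # Re-score the password leaves as if a password policy plus lockout were deployed.
    hardened = apply_mitigation(tree, "Guess a weak password", cost=60, probability=0.05)
    hardened = apply_mitigation(hardened, "Brute force the password", cost=200, probability=0.01)
    print("after controls:", cheapest_path(hardened), "cost:", min_cost(hardened))
    print("P(goal):", round(success_probability(hardened), 3))
```

Running it shows the prioritization story the post describes: with the constructed scores the credential-guessing branch is the cheapest path to the root, so a password policy and lockout are the controls that move the needle, and after re-scoring those two leaves the cheapest remaining path shifts to the software vulnerability, which tells you where patch management sits in the queue. The same walk gives the C-suite number the post mentions, a rough cost and likelihood per goal rather than a list of scary boxes.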

A fine picture showing a notional "Steal customer Data" attack tree by the folks at https://www.linuxjournal.com/article/5567
So much for Johnny’s college fund…

Attack trees also serve as valuable documentation tools for security teams and stakeholders. They help you communicate complex threat scenarios in a structured and easy-to-understand manner, which makes them handy when presenting to non-technical leadership or non-security stakeholders. As with the other approaches covered here, threat modeling with attack trees is best treated as a continual and iterative process. As new vulnerabilities are discovered or the system changes, you can update the attack tree to reflect the evolving threat landscape.