Practical Industrial Internet of Things Security

Attack trees

Attack trees provide a structured and hierarchical way to collect and document the potential attacks on a given organization, in order to perform threat analysis. Fundamentally, an attack tree allows us to derive the possible ways in which an asset or target could be attacked.

Attack trees have been used in a variety of industries, especially to analyze threats against tamper-resistant electronic systems, and in digital control systems in power grids. This concept can also be extended and utilized for connected industries.

As shown in Figure 2.2, attack trees are multi-level diagrams consisting of one root node and multiple child and leaf nodes. Read from the bottom up, child nodes are conditions that must be satisfied to make their direct parent node true. Following each path from the bottom up, the attack is complete when the root is satisfied. Each node may be satisfied only by its direct child nodes:

Figure 2.2: Illustration of an attack tree

Attack trees exploit the power of deduction to cover the entire spectrum of attacks and threats that exist in the wild. The deductions can be integrated with other threat models to create a transparent and direct mode of analysis of attacks and attackers.
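To make the bottom-up evaluation described above concrete, the following is an added example in Python; it is not code from the book or from any tool it describes. It assumes the usual attack-tree convention that an inner node is either an AND node (every child must hold) or an OR node (any child suffices), which this excerpt does not name explicitly, and it uses a constructed tree with constructed effort scores. The defender-side use is in `mitigate`: mark the leaf conditions a planned control blocks, and see whether the root remains reachable and what the cheapest remaining route costs.

```python
import copy
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Node:
    """One node of an attack tree. A node with no children is a leaf (a
    precondition); an inner node is satisfied by its direct children under
    its operator: "AND" needs every child, "OR" needs at least one."""
    name: str
    op: str = "OR"
    children: List["Node"] = field(default_factory=list)
    cost: int = 0            # constructed effort estimate for a leaf condition
    mitigated: bool = False  # leaf blocked by a control the defender deployed

    def is_leaf(self) -> bool:
        return not self.children


def satisfied(node: Node, achieved: Set[str]) -> bool:
    """Bottom-up check: does the set of achieved leaf conditions make this
    node true? The root being true means the attack goal is reachable."""
    if node.is_leaf():
        return node.name in achieved and not node.mitigated
    results = [satisfied(c, achieved) for c in node.children]
    return all(results) if node.op == "AND" else any(results)


Path = Tuple[int, List[str]]


def cheapest(node: Node) -> Optional[Path]:
    """Least-effort set of leaf conditions that satisfies this node, as
    (total_cost, leaf_names); None when every route is blocked."""
    if node.is_leaf():
        return None if node.mitigated else (node.cost, [node.name])
    sub = [cheapest(c) for c in node.children]
    if node.op == "AND":
        if any(s is None for s in sub):
            return None
        return (sum(s[0] for s in sub), [n for s in sub for n in s[1]])
    feasible = [s for s in sub if s is not None]
    return min(feasible, key=lambda s: s[0]) if feasible else None


def mitigate(node: Node, leaf_names: Set[str]) -> Node:
    """Return a copy of the tree with the named leaves marked as blocked,
    so the effect of a planned control can be compared before and after."""
    tree = copy.deepcopy(node)

    def walk(n: Node) -> None:
        if n.is_leaf() and n.name in leaf_names:
            n.mitigated = True
        for c in n.children:
            walk(c)

    walk(tree)
    return tree


# Constructed example tree (not from the book): the goal at the root, two
# alternative routes (OR), each needing all of its preconditions (AND).
TREE = Node("Unauthorized setpoint change on a controller", "OR", [
    Node("Change it from the engineering workstation", "AND", [
        Node("Obtain valid engineering credentials", cost=4),
        Node("Reach the workstation over the network", cost=2),
    ]),
    Node("Change it at the local panel", "AND", [
        Node("Physical access to the control cabinet", cost=6),
        Node("Defeat the panel's operator authentication", cost=3),
    ]),
])

if __name__ == "__main__":
    print("cheapest route now:", cheapest(TREE))
    segmented = mitigate(TREE, {"Reach the workstation over the network"})
    print("after blocking network reach:", cheapest(segmented))
```

Running it shows the cheapest route is the workstation branch at cost 6; blocking the single leaf "Reach the workstation over the network" (for example by network segmentation) makes that whole AND branch infeasible and raises the cheapest remaining route to cost 9. Blocking one leaf in each AND branch leaves `cheapest` returning `None`, which is the condition a defender wants the root to be in.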

In traditional cyber incidents, the goals could be identity theft, data exfiltration, denial of service, and so on. However, for use cases involving cyber-physical systems, the goals could involve physical catastrophe "ranging from turning off a light bulb to turning off a human heart" (IOT-SEC). Similarly, new threats and attack flavors for the root nodes also need to be accounted for, due to possible interactions with the physical world.