Attack Trees

Following on from his last popular post, Advent IM

Consultant, Del Brazil turns his attention to Attack Trees.
Recently the SPF Mandatory Requirement to use the HMG IS 1&2 Technical Risk
Assessment methodology was withdrawn and has resulted in organisations being
afforded the luxury of identifying and using a more appropriate and manageable risk
assessment applicable to their business.
It was well known that the HMG IS 1&2 methodology was somewhat cumbersome
resulting in Risk Management Document Set (RMADS) being over 200 pages
long. The HMG IS 1 & 2 risk assessment generally produced very technical and jargon
filled results which were not very presentable or understandable to stakeholders.
Amongst the plethora of risk assessment methods is the Attack Tree concept which
was first developed by Bruce Schneier. This method seeks to highlight any attack by
focusing specifically on the root of any attack and what the potential conditions the
attacker requires to meet to commission the attack. It is widely used throughout the
United States and is a recognised risk assessment method used in defence and
aerospace industries for the analysis of threats against computer systems and tamper
resistant electronics systems.
Although it is possible to compile/generate an Attack Tree from scratch using some
form of document to capture the tree accompanied by a spread sheet to formulate
any calculation. The benefits of Attack Trees can only be truly realised through the
use of bespoke software which enables the risk assessor to input a number of
variables and/or countermeasures.

The Attack Tree method allows the risk assessor to compile various reports and
presenting them to stakeholders in a more manageable and/or graphical format. The
manipulation of the results/data enables stakeholders and risk assessors to test the
potential effectiveness of any proposed countermeasure prior to outlaying any funds
or resources in order to defeat or deter any potential attack.

Copyright Advent IM 2015

One of the drawbacks to using bespoke software is that the user needs to receive a
degree of training to ensure that they have the ability to fully utilise the software. As
with all software and training requirements there is an associated cost which has to
be considered by the organisation. There is also the danger that the organisation
becomes reliant upon a limited number of personnel being trained/familiar in the use
of the software resulting in the possibility of a select few individuals within the
organisation being able to produce Attack Trees.
A major benefit to using the Attack Tree methodology is that the same risk
assessment results can be presented numerous ways to different stakeholders easily
highlighting any potential risk to the organisation. This can be either from a
perspective of financial loss, likelihood of attack or cost to the attacker etc.
It is the opinion of the author that although the Attack Tree methodology has a great
deal to offer and has the potential to be more useful to organisations; however the
cost of the software and time taken for individuals to be trained and become familiar
with the methodology should be considered before organisations jump into the
unknown.
At present there are numerous organisations who are continuing to use the HMG IS
1& 2 methodology to carryout risk assessments. As there is no longer a mandated
methodology to be followed it is of the opinion of the author that organisations
should consider seeking a more manageable, repeatable, understandable and
business orientated methodology.
Currently there is no approved or recommended risk assessment methodology being
highlighted by CESG National Technical Authority for Information Assurance, which
is the technical arm of GCHQ; although there is still the potential for CESG to
recommend a specific methodology potentially resulting in organisations having to
realign themselves to this approved method after investing heavily in Attack
Trees. Obviously there is the possibility that the Attack Tree methodology is adopted
by CESG and being recognised as the standard for which all HMG systems are to be
risk assessed against. At present no decision has been made by CESG on any
methodology and there are no timescales for any decision to be made.

Copyright Advent IM 2015