When creating an attack tree diagram, first place yourself in the position of a potential hacker. What is your overarching goal? Are you trying to access customer data? Disrupt the flow of business? Place that goal at the top of the tree. This is the “root node.”
Beneath it, break the highest-level goal into a series of forks, or “leaf nodes,” denoting incremental, more manageable objectives and the steps necessary to reach them. Brainstorm the ways you could attain your goal, and add them your tree.
Use “or” nodes to represent the different ways to reach a goal. In the casino heist example, you could rob the casino by raiding the registers at gunpoint or using an insider to steal cash and chips.
“And” nodes are the steps required to achieve each subgoal. In our Ocean’s Eleven scenario, the burglars’ elaborate scheme included a series of steps, all of which were essential to achieving their overall goal: breaching the vault with explosives, disrupting the power to conceal the vault breach, and accessing the vault security codes.
After plotting each avenue of attack, determine the likelihood that these attacks will occur. Each line of attack will require a certain set of resources, such as money, time, or skill. To assess the requirements, assign values to each node, such as whether it is possible, how costly it is, and whether it requires special skills or equipment.