How mapping the Ocean’s Eleven heist can make you better at application security testing

Picture a group of thieves planning a major heist at a Las Vegas casino, à la Ocean’s Eleven. To minimize the chances of getting caught red-handed and to maximize the haul, they need to outline each step of their plan.

This is an example of an attack tree diagram—a methodological, graphical representation of an attack from the perspective of the attacker.

Attack trees like this one have been used to identify security vulnerabilities in all types of complex systems, such as supervisory controls and data acquisition (SCADA) networks, biometric systems, and GSM radio access networks.

In your application testing strategy, using attack trees can help you simulate various attack scenarios and make decisions on how best to protect your applications. You’ll be able to pinpoint systems and controls that are most at risk for an attack and construct specific countermeasures more effectively.

How to create an attack tree diagram

When creating an attack tree diagram, first place yourself in the position of a potential hacker. What is your overarching goal? Are you trying to access customer data? Disrupt the flow of business? Place that goal at the top of the tree. This is the “root node.”

Beneath it, break the highest-level goal into a series of forks, or “leaf nodes,” denoting incremental, more manageable objectives and the steps necessary to reach them. Brainstorm the ways you could attain your goal, and add them your tree.

Use “or” nodes to represent the different ways to reach a goal. In the casino heist example, you could rob the casino by raiding the registers at gunpoint or using an insider to steal cash and chips.

“And” nodes are the steps required to achieve each subgoal. In our Ocean’s Eleven scenario, the burglars’ elaborate scheme included a series of steps, all of which were essential to achieving their overall goal: breaching the vault with explosives, disrupting the power to conceal the vault breach, and accessing the vault security codes.

After plotting each avenue of attack, determine the likelihood that these attacks will occur. Each line of attack will require a certain set of resources, such as money, time, or skill. To assess the requirements, assign values to each node, such as whether it is possible, how costly it is, and whether it requires special skills or equipment.

What can you learn from attack trees?

After you create your trees and assign values to each node, you are better prepared to make proactive security decisions. Here are four ways you can use attack trees as part of application security testing to identify, remediate, and prevent security flaws.

1. Discover vulnerabilities to multistep attacks in computer networks and application design. Most organizations use multilayer security to protect their computer networks, which requires attackers to complete a series of steps to reach their goal. Attack trees are invaluable in plotting each step individually. They can help you identify attack paths and thereby consider what security controls are needed.
2. Represent costs for each path along the tree. Attack tree diagrams can help you compute quantitative and qualitative metrics that help you prioritize your defensive measures. For example:
   • Adversary’s viewpoint
     • What is the cost of launching an attack?
     • How long would it take to set up and complete an attack?
     • Which attacks do not require special skills and tools and therefore could be more likely to occur?
     • What is the return on attack? What does the adversary gain from an attack? Are they looking for revenge? Would they be able to access and reuse your valuable IP or sensitive customer data? Could they make purchases by disrupting your e-commerce business logic?
        
   • Defender’s viewpoint
     • Attack impact: Would an attack affect your business continuity or your relationship with customers?
     • Security cost: If systems were breached, would you fail an external security audit or need to pay penalties?
     • Detection: What is the probability of detecting an attack?
     • Mincut: What are the lowest-cost countermeasures to protect a set of critical assets?
        
3. Improve the effectiveness of your testing strategy. Penetration tests collect and synthesize information from various sources to search for gaps in security. However, they are not comprehensive, particularly when automated. They can fail to detect emerging threats and can identify normal or expected behaviors as anomalous or malicious, leaving you with a long list of false positives. Synopsys’ application testing services include a manual approach that incorporates strategic use of attack trees to improve accuracy and save you time and energy.
4. Evaluate the cost and effectiveness of potential defenses. You can turn around the perspective of attack trees by creating defense trees, also called attack countermeasure trees. These include nodes representing countermeasures designed to eliminate or reduce the possibility of attacks. You can use these trees to choose among options for optimized, low-cost defensive measures.