Attack Trees

Attack trees were introduced by Schneier [36] as a way of formally analyzing the security of systems and subsystems based on varying attacks. This is basically FTA with the attack goal in place of a fault and basic event probabilities are not failure rates. Schneier’s work is notable because it was the first to apply this approach to the area of information security. The attack goal is the root of the tree and the different ways of accomplishing the attack are the leaves, with connections via AND and OR nodes.

Moore et al, [37] describe and illustrate an approach for documenting attacks on software systems using attack tree information in a structured and reusable form. Analysts can then use the approach to document and identify commonly occurring attack patterns and then modify attack trees to enhance security development.

Most recently, attack trees have been applied to a SCADA communication system [38]. The authors identified eleven attacker goals and associated security vulnerabilities in the specifications and development of typical SCADA systems. The team defined eleven such goals:

1. Gain SCADA System Access 2. Identify MODBUS Device

3. Disrupt Master-Slave Communications 4. Disable Slave

Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx

Final version Page 85 on 153

6. Write Data to Slave 7. Program Slave 8. Compromise Slave 9. Disable Master 10. Write Data to Master 11. Compromise Master

Each goal was ranked roughly in terms of the potential severity of impact (e.g. reading data from a slave device is likely less serious as compared to writing data to the slave). Figure 7.3 shows these basic relationships and ranking. In addition, the study team defined four Supporting Goals that would likely not be an end goal on their own, but would be often required by an attacker to achieve his or her objectives. Each is used in more than one attacker goal. These include:

− _{Denial of Service Against Networked Device}

− _{Intercept or Modify Data Through Man-in-the-Middle (MITM) Attack}

− _{TCP Sequence Number Attack}

− _{Sniff Traffic}

Figure 7-3 Interrelations and approximate severity of attacker goals [37]

On such basis they suggested best practices for SCADA operators and improvements to the MODBUS standard. Their application was qualitative in that attack tree analysis was

Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx

Final version Page 86 on 153

used only to identify paths and qualify the severity of impact, probability of detection, and level of difficulty. They did not calculate the probability of an actual attack being successful. A related approach that arose in the computer and information security literature is vulnerability tree analysis. Vulnerability trees are hierarchy trees constructed as a result of the relationship between one vulnerability and another vulnerability and or steps that a threat agent has to carry out to reach the top of the tree [39]. Vulnerability trees help security analysts understand and analyze different attack scenarios that a threat agent might follow to exploit a vulnerability. With this understanding, countermeasures can be taken. The top of the tree is known as the top vulnerability or the parent vulnerability. There are a large number of ways that such a top vulnerability can be exploited. Each of these ways will constitute a branch of the tree. The branches will be constructed by child vulnerabilities. Consequently the child vulnerabilities can be exploited by steps that the threat agent will have to perform in order to get to the parent. Each vulnerability will have to be broken down in a similar way. Normally this will end up in more than one levels of decomposition. When the point is reached where the branches contain only steps, and no child vulnerabilities, then we know that we have reach the lowest level of decomposition (the “step-only” level).

7.3.1 Gain SCADA access attack tree

Attack tree can be seen as a multi-level hierarchical structure based on logical AND and OR operators.

The top node is the ultimate goal with the grouping of different sub goals. The grouping can be composed with a number of attack leaves that are attributed with logic operators “AND” or “OR”. To build an attack tree also vulnerabilities of the system under attack have to be exploited. In [1], three vulnerability indices are introduced: system, scenario, and leaf vulnerabilities, accounting the power system control framework based on existing cyber security conditions.

To evaluate the vulnerability indices in a systematic manner, the following steps are followed:

1. Identify adversary attack objectives.

2. Identify possible security vulnerability and construct the attack tree.

3. Determine the combination of intrusion scenarios with each cyber security condition on each attack leaf.

4. Compute leaf vulnerability with respect to the password enforcement and existing technological implementations, given that the cyber security conditions are determined.

5. Scenario vulnerability can be computed according to the combination of corresponding leaf vulnerability indices.

6. Finally, determine the pivotal attack, i.e., system vulnerability based on scenarios’ vulnerabilities, and improve system security.

Figure: 7.4 illustrates a possible attack tree for a SCADA system [13], where the difficulty to reach each point can be estimated. To reach the main goal (the one in bold) is needed just

Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx

Final version Page 87 on 153

to reach one of the sub goals (one of the possible choices from 1 to 6). Such sub-goals have different ways to be reached, and all work in recursive way. For each leaf , a label can be set to indicate the difficulty of reaching the related sub goal. For setting the difficulty grade of their father, if the sons are in AND, the difficulty grade of the father is chosen as the max of the difficulty grade of his sons, while in case the sons are in OR , the difficulty grade of the father is chosen as the minimum of the difficulty grade of his sons.

The attack trees are very scalable because different trees can be easily joined to make a bigger tree. The limit of the attack tree approach is twofold , one is that enough knowledge is needed to go in deep details as possible, second one is that the attack tree remains on the paper, but can be supported by automatic tools. The natural evolution is towards the use of Petri nets attack models. Petri nets introduce the concept of attack restoration but reduce the scalability of the related models.

Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx

Final version Page 88 on 153

Figure 7-4 Attack goal: gain SCADA access

7.3.2 Attack tree tools

Several tools are available even on the commercial site to implement attack trees. A short description of the attack tree provided by Isograph, named AttackTree+, follows.

AttackTree+, through the use of attack tree models, allows the user to model the probability that different attacks will succeed. AttackTree+ also allows users to define indicators that quantify the cost of an attack, the operational difficulty in mounting the attack and any other relevant quantifiable measure that may be of interest.

Questions such as ‘which attacks have the highest probability of success at a low cost to the attacker?’ or ‘which attacks have the highest probability of success with no special equipment required?’ can be answered using AttackTree+.

In AttackTree+, different categories and levels of consequence may also be assigned to nodes in the attack tree. A successful attack may have financial, political, operational and safety consequences. A partially successful attack may have a different level of consequence to a totally successful attack. All these types of consequence measure may be modeled in AttackTree+.