author: | Tim Sonderen |
title: | A Manual for Attack Trees |
company: | Nedap |
keywords: | Security, Attack Trees, Modeling |
topics: | Dependability, security and performance |
committee: |
Ir. P Van Dijk
, Ir. A Dercksen , Andreas Peter , Mariëlle Stoelinga |
end: | July 2019 |
Description
Nowadays attack trees are often used by large organisations to analyse security threats against their systems. Designing such an attack tree requires detailed knowledge regarding attack trees and the systems to be analysed. In many cases this process relies heavily on personal experience and principles. This causes signicant variance between attack trees. In this thesis, guiding principles and building blocks that are used by experts in the eldof attack trees have been analysed in an attempt to further standardise attack trees. This was done by analysing attack trees that have been created in the most prominent papers that regard attack trees. These principles and building blocks were then used to design a model for attack trees that species the structure of an attack tree in more detail, as well as an accompanying manual.
To evaluate it, system experts have been asked to create an attack tree for a semi-realistic case; First with only basic knowledge of attack trees, and thereafter with the help of the manual. The model has proven to improve attack discovery and understandability of the resulting attack trees. Additionally, the results were used to iteratively improve the manual. After this test, the model and manual were used in a real case study for Nedap N.V. and evaluated in a more qualitative manner. Overall, the manual improved the experience of the user. However, the most signicant improvements were made in attack discovery, improved detailing and in the understandability when evaluated by others. The model and manual stimulate attack discovery while simultaneously guiding the user towards creating a well structured attack tree. Besides improvements for the manual creation of attack trees, the model provides opportunities for further automating the creation of attack trees.