Practical Threat Analysis and Risk Management

Threat analysis won't make you sleep any better at night, but it will help ensure that the right things keep you awake.
An Alternative: Schneier's Attack Tree Method

Bruce Schneier, author of Applied Cryptography, has proposed a different method for analyzing risk: attack trees. An attack tree, quite simply, is a visual representation of possible attacks against a given target. The attack goal (target) is the root node; the subgoals that contribute to reaching it hang beneath it as child nodes, and a node with no further subgoals beneath it is a leaf node. Each node is either an OR node, reached by achieving any one of its children, or an AND node, reached only by achieving all of them.

To create an attack tree, you first define the root node. For example, one attack objective might be “steal Mommenpop, Inc.'s customers' account data”. Direct means of achieving this could be 1) obtain backup tapes from Mommenpop's fileserver, 2) intercept e-mail between Mommenpop, Inc. and their customers and 3) compromise Mommenpop's fileserver over the Internet. Any one of these suffices, so the root is an OR node, and these three subgoals are the child nodes immediately below it (Figure 4).

Figure 4. Root Node with Three Leaf Nodes

Next, for each of these subgoals you determine the further subgoals that would achieve it, which become the next layer of the tree. Repeat this step as necessary until you reach the level of detail and complexity with which you wish to examine the attack; the nodes you stop at are the leaf nodes. Figure 5 shows a simple but more-or-less complete attack tree for Mommenpop, Inc.

Figure 5. More-Detailed Attack Tree

No doubt you can think of additional plausible leaf nodes at the two layers shown in Figure 5 and additional layers as well. Suppose for our example, however, that this environment is well secured against internal threats (seldom the case), and that these are the most feasible avenues of attack for an outsider.

We see in this example that backup media are most probably obtained by breaking into the office, that compromising the internal fileserver involves hacking in through a firewall, and that there are three different avenues to obtaining the data via intercepted e-mail. We also see that while compromising Mommenpop, Inc.'s SMTP server is the best way to attack the firewall, a more direct route would simply be to read the e-mail passing through the compromised gateway.

This is extremely useful information; if this company is considering sinking more money into its firewall, it may decide that their money and time are better spent securing their SMTP gateway. But as useful as it is to see the relationships between attack goals, we're not done with this tree yet.

After an attack tree has been mapped to the desired level of detail, you can start quantifying the leaf nodes. For example, you could attach a cost figure to each leaf node that represents your guess at what it would cost an attacker to achieve that leaf node's particular goal. Costs then propagate up the tree: the cost of an AND node is the sum of its children's costs, and the cost of an OR node is the cost of its cheapest child. By adding up the figures along each attack path in this way, you can estimate the relative costs of different attacks. Figure 6 shows our example attack tree with costs added (dotted lines indicate attack paths).

Figure 6. Attack Tree with Cost Estimates

In Figure 6 we've decided that burglary, with its risk of being caught and being sent to jail, is an expensive attack. Nobody will perform this task for you without demanding a significant sum. The same is true of bribing a system administrator at the ISP; even a corruptible ISP employee will be concerned about losing his or her job and getting a criminal record.

Hacking is a bit different, however. While still illegal, it's often perceived as being less risky than burglary. Furthermore, most organizations' computer defenses aren't nearly as difficult to breach as their physical defenses.

Having said that, hacking through a firewall takes more skill than the average script-kiddie possesses and will take some time and effort; therefore, this is an expensive goal. But hacking an SMTP gateway should be easier, and if one or more remote users can be identified, the chances are good that the user's home computer will be easy to compromise. Therefore, these two goals are much cheaper.

Based on the cost of hiring the right kind of criminals to perform these attacks, the most promising attacks in this example are hacking the SMTP gateway and hacking remote users. Mommenpop Inc., it seems, had better take a close look at their perimeter network architecture, SMTP server's system security and remote-access policies and practices.

Cost, by the way, is not the only type of value you can attach to leaf nodes. Boolean values such as feasible and not feasible can be used; a “not feasible” at any point on an attack path indicates that the entire path is infeasible (the goal above it remains reachable only if some other path to it is feasible). Alternatively, you can assign effort indices, measured in minutes or hours, and propagate them up the tree the same way. In short, you can analyze the same attack tree in any number of ways, creating as detailed a picture of your vulnerabilities as you need.

The cost estimates in Figure 6 are all based on the assumption that the attacker will need to hire others to carry out the various tasks. These costs might be computed very differently if the attackers themselves are skilled system crackers; in such a case time estimates for each node might be more useful than cost estimates.
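As an added illustration of the tree-building and cost-propagation steps described above (this is example code written for this page, not part of the original article or of any tool mentioned on it), the following Python script encodes the Mommenpop, Inc. tree with explicit AND/OR nodes, computes the cheapest feasible path, ranks the three top-level subgoals, and demonstrates the Boolean feasible/not-feasible analysis. The dollar figures are constructed placeholders, since Figure 6 is not reproduced here; only their relative sizes follow the text, and the second leaf under each AND node is an assumed intermediate step, not something the article states.

```python
"""Attack-tree evaluation: cheapest feasible path and ranking of alternatives.

Added example, not from the original article. The tree mirrors the
Mommenpop, Inc. example; the cost figures are constructed (Figure 6 is not
reproduced here) and only their relative sizes follow the text.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INFEASIBLE = float("inf")  # cost of a goal that cannot be reached


@dataclass
class Node:
    name: str
    kind: str = "OR"              # "OR": any child suffices; "AND": every child is required
    cost: Optional[float] = None  # leaf only: attacker's cost (money, hours, ...) to achieve it
    feasible: bool = True         # leaf only: False prunes every path through this leaf
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf goals) of the cheapest feasible way to reach `node`.

    Leaves report their own cost; an infeasible leaf reports inf.
    AND nodes sum their children (inf propagates, so one infeasible step
    kills the whole path); OR nodes take the minimum, so an infeasible
    branch is ignored unless every alternative is infeasible.
    """
    if not node.children:
        if not node.feasible or node.cost is None:
            return INFEASIBLE, []
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "AND":
        total = sum(cost for cost, _ in results)
        if total == INFEASIBLE:
            return INFEASIBLE, []
        return total, [leaf for _, leaves in results for leaf in leaves]
    if node.kind != "OR":
        raise ValueError(f"unknown node kind {node.kind!r}")
    return min(results, key=lambda r: r[0])


def rank_alternatives(root: Node) -> List[Tuple[str, float, List[str]]]:
    """Rank the root's direct subgoals by cheapest cost, most promising first."""
    ranked = [(child.name, *cheapest(child)) for child in root.children]
    return sorted(ranked, key=lambda r: r[1])


def set_feasible(node: Node, name: str, feasible: bool) -> None:
    """Flip the feasibility flag of every leaf called `name` in the tree."""
    if node.name == name:
        node.feasible = feasible
    for child in node.children:
        set_feasible(child, name, feasible)


def mommenpop_tree() -> Node:
    """The article's example tree. Costs are constructed placeholders in dollars."""
    return Node("steal Mommenpop customer account data", "OR", children=[
        Node("obtain backup tapes", "AND", children=[
            Node("break into office", cost=10_000),          # burglary: expensive
            Node("locate and remove tapes", cost=500),        # assumed intermediate step
        ]),
        Node("compromise fileserver over Internet", "AND", children=[
            Node("hack through firewall", cost=8_000),        # skilled, slow: expensive
            Node("pivot from firewall to fileserver", cost=1_000),  # assumed step
        ]),
        Node("intercept e-mail", "OR", children=[
            Node("hack SMTP gateway", cost=2_000),            # cheap
            Node("hack remote user's home PC", cost=1_500),   # cheap
            Node("bribe ISP sysadmin", cost=12_000),          # expensive
        ]),
    ])


if __name__ == "__main__":
    tree = mommenpop_tree()
    for name, cost, leaves in rank_alternatives(tree):
        print(f"{cost:>8,.0f}  {name}  via {leaves}")
    # Boolean analysis: declaring the home-PC attack infeasible changes the answer,
    # but the goal stays reachable because the OR node has other feasible children.
    set_feasible(tree, "hack remote user's home PC", False)
    print("after pruning:", cheapest(tree))
```

Swapping the dollar figures for hours turns the same script into the effort-index analysis the text mentions; the propagation rules (sum across AND, minimum across OR, inf for an infeasible leaf) do not change.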




Practical Threat Analysis Latest Version - Jan 2008


I would like to inform you that in January 2008 we released an updated version of the Practical Threat Analysis (PTA) Professional Edition tool (1.54 - build 1204). The latest version includes usability enhancements which we hope will increase productivity when building large threat models via the data entry screens. In addition, as of build 1202, PTA Professional can run on Windows Vista Ultimate 32 and 64 bit versions.

PTA Professional Edition is available for free download - I invite you to review the latest version's new features and download the updated software from the following link:

You are also invited to have a look at the updated versions of the PTA for PCI DSS and ISO 27001 freeware security libraries that can be downloaded from the following url:

This month we are celebrating the third year of the PTA Free Program initiative which enables students, academic researchers and independent security consultants to use PTA free-of-charge for their professional missions. Let me take this opportunity to wish you success in your ongoing threat analysis projects and a continuing fruitful use of PTA. We are happy that the Practical Threat Analysis methodology and tool have been found productive by many thousands of professionals world-wide and have become the de-facto standard for calculative risk assessment projects.

Feel free to introduce PTA to your professional colleagues and do not hesitate to contact us when the usage period is about to end - we will be happy to send you renewal keys!

Yours Sincerely,

Zeev Solomonik

R&D - PTA Technologies

PTA - Practical Threat Analysis quantitative method


Dear colleagues,

I would like to inform you that on November 19, 2005 we released an updated version of PTA Professional (1.51 - build 1190) with major usability improvements. The latest version supports the popular ROSI (Return On Security Investment) quantitative criterion for comparing security solutions.

You are invited to review the latest version's new features and download a free copy of the software from the following link:

PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community.

I'll be happy to have your comments and answer your questions on any issue.


Zeev Solomonik
Chief Technology Officer
PTA Technologies

Practical threat analysis tool for software systems


I ran into and downloaded a version of PTA (Practical Threat Analysis) tool that implements a calculative threat modeling methodology. They have a free program for students and independent software developers.

The tool enhances Mick Bauer’s ideas. It calculates threats and countermeasures priorities and produces the most effective risk reduction policy which reflects changes in system assets and vulnerabilities. Countermeasures’ priorities are expressed as a function of the system’s assets values, degrees of damage, threats probabilities and degrees of mitigation provided by countermeasures to the threats.

I have found it very productive to explicitly define the contribution of each countermeasure to the mitigation of a threat. They also have a very productive feature that lets me mark those countermeasures that are already implemented and see their quantitative effect on reducing the system risk.

I hope this may help someone.

Adi Amir