Linux Server Security (2nd Edition( [Electronic resources] نسخه متنی

1.3. An Alternative: Attack Trees

Bruce Schneier, author of Applied
Cryptography, has proposed a different method for
analyzing information security risks: attack trees.^[4] An attack
tree, quite simply, is a visual representation of possible attacks
against a given target. The attack goal (target) is called the
root node; the various subgoals necessary to
reach the goal are called leaf nodes.

^[4] Schneier, Bruce. "Attack Trees: Modeling Security
Threats." Dr.
Dobbs' Journal: Dec
1999.

To create an attack tree, you must first define the root node. For
example, one attack objective might be "Steal ABC
Corp.'s Customers' Account
Data." Direct means of achieving this could be as
follows:

Obtain backup tapes from ABC's file server.

Intercept email between ABC Corp. and their customers.

Compromise ABC Corp.'s file server from over the
Internet.

These three subgoals are the leaf nodes immediately below our root
node (Figure 1-3).

Next, for each leaf node, you determine subgoals that achieve that
leaf node's goal. These become the next
"layer" of leaf nodes. This step is
repeated as necessary to achieve the level of detail and complexity
with which you wish to examine the attack. Figure 1-4 shows a simple but more or less complete
attack tree for ABC Corp.

No doubt, you can think of additional plausible leaf nodes at the two
layers in Figure 1-4, and additional layers as
well. Suppose for the purposes of our example, however, that this
environment is well secured against internal threats (which,
incidentally, is seldom the case) and that these are therefore the
most feasible avenues of attack for an outsider.

In this example, we see that backup media are most feasibly obtained
by breaking into the office. Compromising the internal file server
involves hacking through a firewall, but there are three different
avenues to obtain the data via intercepted email. We also see that
while compromising ABC Corp.'s SMTP server is the
best way to attack the firewall, a more direct route to the end goal
is simply to read email passing through the compromised gateway.

This is extremely useful information: if this company is considering
sinking more money into its firewall, it may decide based on this
attack tree that their money and time is better spent securing their
SMTP gateway (although we'll see in Chapter 2 that
it's possible to do both without switching
firewalls). But as useful as it is to see the relationships between
attack goals, we're not done with this tree yet.

After an attack tree has been mapped to the desired level of detail,
you can start quantifying the leaf nodes. For example, you could
attach a
"cost"
figure to each leaf node that represents your guess at what an
attacker would have to spend to achieve that leaf
node's particular goal. By adding the cost figures
in each attack path, you can estimate relative costs of different
attacks. Figure 1-5 shows our example attack tree
with costs added (dotted lines indicate attack paths).

In Figure 1-5, we've decided that
burglary, with its risk of being caught and being sent to jail, is an
expensive attack. Nobody will perform this task for you without
demanding a significant sum. The same is true of bribing a system
administrator at the ISP: even a corruptible ISP employee will be
concerned about losing her job and getting a criminal record.

Hacking is a bit different, however. Hacking through a firewall takes
more skill than the average script kiddie has, and it will take some
time and effort. Therefore, this is an expensive goal. But hacking an
SMTP gateway should be easier, and if one or more remote users can be
identified, the chances are good that the user's
home computer will be easy to compromise. These two goals are
therefore much cheaper.

Based on the cost of hiring the right kind of criminals to perform
these attacks, the most promising attacks in this example are hacking
the SMTP gateway and hacking remote users. ABC Corp., it seems, had
better take a close look at their perimeter network architecture,
their SMTP server's system security, and their
remote-access policies and practices.

Cost, by the way, is not the only type of value you can attach to
leaf nodes. Boolean values such as
"feasible" and
"not feasible" can be used: a
"not feasible" at any point on an
attack path indicates that you can dismiss the chances of an attack
on that path with some safety. Alternatively, you can assign effort
indices, measured in minutes or hours. In short, you can analyze the
same attack tree in any number of ways, creating as detailed a
picture of your vulnerabilities as you need to.

Before we leave the subject of attack-tree threat modeling, I should
mention the importance of considering different types of attackers.
The cost estimates in Figure 1-5 are all based on the assumption that
the attacker will need to hire others to carry out the various tasks.
These costs might be computed very differently if the attacker is
himself a skilled system cracker; in such a case, time estimates for
each node might be more useful.

So, which type of attacker should you model against? As many
different types as you realistically think you need to. One of the
great strengths of this method is how rapidly and easily attack trees
can be created; there's no reason to quit after
doing only one.