An attack with five or fewer steps can compromise an asset within minutes of its first action, according to the 2019 Verizon Data Breach Investigations Report (DBIR). Identifying and containing a breach, however, takes days: 279 days on average (Ponemon Institute). And the longer it takes to discover the source, the more the incident ends up costing the organization. Luckily, you can reduce your chance of falling victim to these attacks by proactively anticipating your greatest threats and taking measures to mitigate them.
This blog post breaks down two tools to help you determine just that: your most at-risk data, how this data can be accessed, and the attacker’s motives and abilities. Once you have an understanding of these, it will be much easier to implement countermeasures to protect your organization from those attacks.
I recommend first reading through the DBIR sections pertaining to your industry in order to further your understanding of the patterns seen in the principal assets being targeted and in the attackers' motives. This will help you understand how to use the two tools: Method-Opportunity-Motive, by Shari and Charles Pfleeger, and Attack Trees, as discussed by Bruce Schneier.
Methods are the skills, knowledge and tools available to the hacker, similar to the Tactics, Techniques, and Procedures (TTPs) used by the military and by MITRE. Jose Esteves et al. wrote, “Although it used to be common for hackers to work independently, few of today’s hackers operate alone. They are often part of an organized hacking group, where they are members providing specialized illegal services….” A hacker’s methods improve when they are part of a team, which has a motive and looks for opportunities to attack principal assets.
Opportunities are the amount of time and ability required for an attacker to reach their objective. The 2019 DBIR authors note, “Defenders fail to stop short paths substantially more often than long paths.” It is critical to apply the correct controls to assets and to monitor those controls in order to detect threats quickly.
The motive is the reason to attack; for instance, is the attacker trying to access financial information or intellectual property? The 2019 DBIR notes that most attacks are motivated by financial gain or by intellectual property (IP), varying by industry.
Using Attack Trees to Visually Detail Method-Opportunity-Motive:
Bruce Schneier (Schneier on Security) provides an analytical tool for systematically reviewing why and how an attack might occur. After defining which assets are most valuable to an attacker (motive), you can identify the attacker’s objective, referred to as the root node of an attack tree. From there, you can lay out all the possible actions an attacker might take to compromise the primary assets (method). The most probable and quickest method shows the most likely path (opportunity).
I like using the divergent and convergent thinking described by Chris Grivas and Gerard Puccio to discover the plausible motives, opportunities, and methods of a potential threat actor. Divergent thinking is the generation of ideas, using techniques like brainstorming. Convergent thinking is the narrowing of those ideas based on certain criteria. Using this process, you and your security team can generate objectives and then decide which objectives pose the greatest threat. You can then repeat the process to determine the possible methods, referred to as leaf nodes, that could be used to reach the objective. Finally, you can apply values, such as time, to visualize possible opportunities and attack paths.
To further your understanding of how to create an attack tree, let’s look at an example:
1. First, decide what primary assets your company has that an intruder is interested in accessing.
The 2019 DBIR provides some useful categories to determine attack patterns within specific industries. For this example, let’s look at a financial institution. One likely asset that a threat actor is attempting to access is the email server, so this is our root node, or objective. Again, using divergent and convergent thinking can help a team develop and clarify possible objectives.
2. After deciding on the objective, the second step in developing an attack tree is to define methods to access the objective.
The 2019 DBIR describes some likely methods threat actors might use, or you can use divergent and convergent thinking. In the example below, I’ve included some possible methods to access the email server.
3. As you analyze the threat, continue working through the tree and building out the methods to develop specific paths to the asset.
The diagram below shows some potential paths to access and harvest information from the email server, using OR nodes, which are alternative paths, and AND nodes, which require combined activities to achieve the objective (this is represented using ). Note that every method that isn’t an AND node is an OR node.
4. The fourth step is to apply binary values to decide which paths the attacker is most likely to follow.
For example, I’m going to use likely (l) and unlikely (u), based on the methods my research has shown are available to the attacking team. Then, use a dotted line to show all likely paths, that is, those in which every method on the path is assigned a likely value.
5. The fifth step is to apply numeric values to the sub-nodes to decide which specific path the threat actor might attempt.
I’m going to use minutes in this scenario; however, other values such as associated costs or probability of success could also be used. These are subjective values and will vary among teams. Paths backed by supporting data would give a more accurate model, but Attack Trees are still useful even without objective data.
In the above example, I have determined the path with the shortest amount of time to be phishing (credential harvesting), assuming the credentials are the same for the user accounts as they are for admin accounts. Since I have already determined that this path is likely and I now know it takes the shortest amount of time, I can determine that this is the most at-risk and likely path to accessing the email server. In this example, the least likely path is stolen credentials.
6. After examining the possible motives, opportunities, and methods, you can decide how you want to protect your assets.
For example, I determined that phishing is likely with the attack tree above, so I might decide to outsource monitoring, detection, and training to a Managed Security Service Provider (MSSP) that can provide these at a lower cost than in-house staff. I might also consider purchasing software to detect, report, and prevent phishing emails, limiting the possibility of a successful phishing attempt. If social engineering is determined to be a concern, you could conduct end-user training, look for ways to secure the physical environment (guards, better door locks), or make the work environment more desirable (cafeteria, exercise room, recreation area, etc.).
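To make steps 3 through 6 concrete, here is a small attack-tree evaluator written as an added example for this post; it is not the post's own diagram or code. The tree it builds (node names, the likely/unlikely labels from step 4, and the minute values from step 5) is constructed for illustration, with the email server as the root objective and phishing, stolen credentials, on-site social engineering and an unpatched server as the constructed branches. AND nodes add up their children's minutes and are blocked if any child is unavailable; OR nodes take their quickest child. The `likely_only` switch reproduces the dotted "all likely" paths of step 4, and `mark_unlikely` models step 6 by re-labelling the leaf a countermeasure addresses and then re-evaluating the tree.

```python
# Added example: attack-tree evaluation in the style of the walk-through above.
# Tree contents (names, likely flags, minutes) are constructed, not the post's diagram.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One node of an attack tree.

    kind    -- "OR" (any child reaches the goal), "AND" (all children are
               required) or "LEAF" (a single attacker action).
    likely  -- step 4's binary value; meaningful on leaves only.
    minutes -- step 5's numeric value; meaningful on leaves only.
    """
    name: str
    kind: str = "LEAF"
    likely: bool = True
    minutes: int = 0
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, likely: bool, minutes: int) -> Node:
    return Node(name, "LEAF", likely, minutes)


def build_tree() -> Node:
    """Constructed example tree: the email server is the root objective (step 1)."""
    return Node("Harvest data from the email server", "OR", children=[
        Node("Phishing (credential harvesting)", "AND", children=[
            leaf("Send credential-phishing email to staff", True, 30),
            leaf("User enters credentials on fake login page", True, 15),
            leaf("Reuse harvested credentials against admin account", True, 5),
        ]),
        # Quick if it works, but judged unlikely for this attacker (constructed value).
        leaf("Stolen credentials", False, 20),
        Node("On-site social engineering", "AND", children=[
            leaf("Tailgate into the office", True, 20),
            leaf("Plug into an unused network port", True, 10),
            leaf("Find credentials written down at a desk", False, 60),
        ]),
        leaf("Exploit unpatched email-server vulnerability", True, 180),
    ])


Path = Tuple[int, List[str]]  # (total minutes, leaf actions in order)


def fastest_path(node: Node, likely_only: bool = True) -> Optional[Path]:
    """Shortest-time attack through `node`, or None if no path is available.

    With likely_only=True, unlikely leaves count as unavailable, which gives
    the dotted "all likely" paths of step 4; with False, every path counts.
    """
    if node.kind == "LEAF":
        if likely_only and not node.likely:
            return None
        return node.minutes, [node.name]
    if node.kind == "AND":            # every child required: minutes add up
        total, actions = 0, []
        for child in node.children:
            sub = fastest_path(child, likely_only)
            if sub is None:           # one blocked step blocks the whole AND
                return None
            total += sub[0]
            actions += sub[1]
        return total, actions
    if node.kind == "OR":             # alternatives: take the quickest child
        best: Optional[Path] = None
        for child in node.children:
            sub = fastest_path(child, likely_only)
            if sub is not None and (best is None or sub[0] < best[0]):
                best = sub
        return best
    raise ValueError(f"unknown node kind {node.kind!r}")


def rank_branches(root: Node) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Per top-level branch: (name, minutes if all-likely else None, minutes ignoring likelihood).

    Sorted so the likely branches come first, quickest first: the at-risk paths.
    """
    rows = []
    for child in root.children:
        likely = fastest_path(child, likely_only=True)
        any_path = fastest_path(child, likely_only=False)
        rows.append((child.name, likely[0] if likely else None, any_path[0] if any_path else None))
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or 0, r[2] or 0))


def mark_unlikely(node: Node, leaf_name: str) -> int:
    """Step 6: a countermeasure re-labels the leaf it addresses. Returns leaves changed."""
    if node.kind == "LEAF":
        if node.name == leaf_name and node.likely:
            node.likely = False
            return 1
        return 0
    return sum(mark_unlikely(child, leaf_name) for child in node.children)


if __name__ == "__main__":
    tree = build_tree()
    print("Most likely, fastest path:", fastest_path(tree))
    print("Fastest path ignoring likelihood:", fastest_path(tree, likely_only=False))
    for row in rank_branches(tree):
        print(row)
    # After phishing training plus mail filtering, judge the credential-entry step unlikely.
    mark_unlikely(tree, "User enters credentials on fake login page")
    print("Next path to address:", fastest_path(tree))
```

Run as a script, it first reports phishing (50 minutes, all three steps likely) as the at-risk path, while the fastest path ignoring likelihood is the 20-minute stolen-credentials branch, which is why step 4 comes before step 5. Once the phishing branch is re-labelled after a countermeasure, the unpatched-server branch becomes the next likely path, pointing at what to mitigate next.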
The models discussed work together to provide ways to determine, analyze, and proactively protect against the greatest threats to your valuable assets. Ultimately, thinking through scenarios using these tools will provide a more thoughtful and cost-effective approach to security.