Following on from his last popular post, Advent IM Consultant Del Brazil turns his attention to Attack Trees.
Recently the Security Policy Framework (SPF) mandatory requirement to use the HMG IS 1&2 Technical Risk Assessment methodology was withdrawn, leaving organisations free to identify and adopt a risk assessment method that is more appropriate and manageable for their business.
It was well known that the HMG IS 1&2 methodology was somewhat cumbersome, often producing a Risk Management and Accreditation Document Set (RMADS) over 200 pages long. The results it generated were generally very technical and jargon-filled, and neither presentable nor readily understandable to stakeholders.
Amongst the plethora of risk assessment methods is the Attack Tree concept, popularised by Bruce Schneier. An attack tree places the attacker's goal at the root and decomposes it into the conditions the attacker must satisfy to carry out the attack: child nodes are combined as AND (every condition is required) or OR (any one suffices), down to leaf steps that can be given values such as cost to the attacker or likelihood of success. It is widely used throughout the United States and is a recognised risk assessment method in the defence and aerospace industries for the analysis of threats against computer systems and tamper-resistant electronic systems.
Although it is possible to compile an Attack Tree from scratch, using a document to capture the tree and a spreadsheet for the calculations, the benefits of Attack Trees are only truly realised through bespoke software that lets the risk assessor vary the input values and model countermeasures.
The Attack Tree method allows the risk assessor to compile various reports and present them to stakeholders in a more manageable and/or graphical format. Manipulating the results enables stakeholders and risk assessors to test the potential effectiveness of any proposed countermeasure before committing funds or resources to defeating or deterring an attack.
One of the drawbacks of bespoke software is that users need a degree of training to use it fully. As with all software and training requirements there is an associated cost which the organisation has to consider. There is also the danger that the organisation becomes reliant on a limited number of trained personnel, leaving only a select few individuals able to produce Attack Trees.
A major benefit of the Attack Tree methodology is that the same risk assessment results can be presented in numerous ways to different stakeholders, easily highlighting any potential risk to the organisation, whether from the perspective of financial loss, likelihood of attack or cost to the attacker.
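The mechanics described above (a root goal decomposed through AND/OR nodes, leaf steps valued by attacker cost and likelihood, and a countermeasure re-evaluated against the same tree) can be shown with a small script. This is an added example and is not code from the original post, from Advent IM, or from any attack tree product; the tree, its cost figures and its probabilities are entirely constructed for illustration and carry no real-world weight.

```python
"""Attack tree with AND/OR nodes: enumerate attack scenarios, cost them,
estimate success likelihood, and re-evaluate after a countermeasure.
All node names, costs and probabilities below are constructed examples."""
import copy
import math
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    cost: float = 0.0           # attacker cost of a leaf step (constructed, arbitrary units)
    prob: float = 0.0           # probability a leaf step succeeds (constructed estimate)
    children: list = field(default_factory=list)
    mitigated: bool = False     # True models a countermeasure that blocks this step


def scenarios(node):
    """Return every complete attack path as a list of leaf nodes.
    OR: any one child suffices.  AND: every child is required."""
    if node.kind == "leaf":
        return [] if node.mitigated else [[node]]
    if node.kind == "or":
        return [path for child in node.children for path in scenarios(child)]
    if node.kind == "and":
        paths = [[]]
        for child in node.children:
            child_paths = scenarios(child)
            if not child_paths:
                return []       # a required step is blocked, so the whole branch is
            paths = [a + b for a, b in product(paths, child_paths)]
        return paths
    raise ValueError(f"unknown node kind {node.kind!r}")


def scenario_cost(path):
    return sum(leaf.cost for leaf in path)


def cheapest_attack(root):
    """Lowest attacker cost among remaining scenarios (inf if every path is blocked)."""
    costs = [scenario_cost(p) for p in scenarios(root)]
    return min(costs) if costs else math.inf


def attacks_within_budget(root, budget):
    """(cost, [step names]) for every scenario an attacker could afford, cheapest first."""
    return sorted((scenario_cost(p), [leaf.name for leaf in p])
                  for p in scenarios(root) if scenario_cost(p) <= budget)


def success_probability(node):
    """Likelihood the goal is reached: AND multiplies, OR takes 1 - P(all children fail)."""
    if node.kind == "leaf":
        return 0.0 if node.mitigated else node.prob
    probs = [success_probability(c) for c in node.children]
    if node.kind == "and":
        return math.prod(probs)
    return 1 - math.prod(1 - p for p in probs)


def mitigate(root, step_name):
    """Return a copy of the tree in which the named leaf step is blocked."""
    tree = copy.deepcopy(root)

    def walk(n):
        if n.kind == "leaf" and n.name == step_name:
            n.mitigated = True
        for c in n.children:
            walk(c)
    walk(tree)
    return tree


def build_tree():
    # Constructed example tree; figures are illustrative only.
    return Node("Obtain confidential report", "or", children=[
        Node("Steal printed copy", "and", children=[
            Node("Enter building", "or", children=[
                Node("Tailgate staff", cost=100, prob=0.6),
                Node("Forge access pass", cost=800, prob=0.3)]),
            Node("Open filing cabinet", cost=50, prob=0.9)]),
        Node("Access file server", "and", children=[
            Node("Get credentials", "or", children=[
                Node("Phish employee", cost=300, prob=0.5),
                Node("Bribe employee", cost=5000, prob=0.2)]),
            Node("Bypass MFA", cost=2000, prob=0.1)])])


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest attack:", cheapest_attack(tree))
    print("within budget 1000:", attacks_within_budget(tree, 1000))
    print("success likelihood: %.3f" % success_probability(tree))
    # Test a countermeasure before spending on it: lock the cabinet.
    locked = mitigate(tree, "Open filing cabinet")
    print("after locking cabinet, cheapest:", cheapest_attack(locked))
    print("after locking cabinet, likelihood: %.3f" % success_probability(locked))
```

Running the script shows the two views the text mentions side by side: the cheapest path (tailgating plus an unlocked cabinet, 150 units) and the overall likelihood of the goal being reached. Blocking the single leaf "Open filing cabinet" removes both physical scenarios, raising the cheapest remaining attack to 2300 units and cutting the likelihood to that of the file-server branch alone, which is the kind of before-and-after comparison a stakeholder can weigh against the cost of the lock.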
In the author's opinion, although the Attack Tree methodology has a great deal to offer and has the potential to be more useful to organisations, the cost of the software and the time taken for individuals to be trained and become familiar with the methodology should be considered before organisations jump into the unknown.
At present numerous organisations are continuing to use the HMG IS 1&2 methodology to carry out risk assessments. As there is no longer a mandated methodology to follow, it is the author's opinion that organisations should consider seeking a more manageable, repeatable, understandable and business-orientated methodology.
Currently there is no approved or recommended risk assessment methodology highlighted by CESG, the National Technical Authority for Information Assurance and the technical arm of GCHQ, although CESG could still recommend a specific methodology, potentially requiring organisations that have invested heavily in Attack Trees to realign themselves to the approved method. Equally, CESG could adopt the Attack Tree methodology as the recognised standard against which all HMG systems are to be risk assessed. At present CESG has made no decision on any methodology and there are no timescales for one.