How do you start modelling risks using attack trees? This short guide will explain the basic features and how to build your first RiskTree.

Think like an attacker

The first thing to do is determine your attacker goals (also known as bad outcomes). These are the things that an attacker might want to achieve against the asset that you are assessing. Perhaps they will want to steal data or cause financial loss. Maybe they will be seeking to tamper with your data, or damage your reputation. RiskTree is a framework that lets you choose any attacker goals that you choose to model.

RiskTree® Designer

Log in to RiskTree and select New RiskTree, either by clicking the green button or from the Identify and Assess menu. You will see the start page for RiskTree Designer.

Settings

The first thing to do is enter a name for your project. This might be the name of the asset that you are assessing. For now, leave all of the other settings at they are (although you might want to tick the first box to enable the context-sensitive help). You now have a screen with a single node, called Bad outcome 1. There are a few other items on the screen that need explaining before we start to build a tree.

Build your first tree

It’s now time to start building your tree. Decide which bad outcome you are modelling first, and make it the name of the root node. This is done via the node menu, which is accessed by moving the mouse cursor over the name of the node.

Node Menu

Click on Edit node. This opens the node editor box, where you will enter the node name in the first field:

Node Editor

For the root node, you can ignore the remainder of the fields on the form, which we will use later. For now, just click on the Update button.

The next part of the tree needs to be built. There are different approaches that can be taken, but one that works well is to first consider the types of attacker. This will probably depend on the type of asset being assessed. If it’s an IT system that is hosted in the cloud then the attackers could conceivably be:

We can create these as nodes in the tree. Open the node menu on the root node again, and select Add child node. The node editor opens again, and we can enter the name of our first child node: in this case, Hosting company. Again, leave the remainder of the form and click Update. Repeat this for the other four potential attackers. Your tree should now look like this:

First tree

The different staff roles can be added as children from the Staff node. If there are multiple suppliers, these can also be added. Your tree might now look like this:

Tree with Three Levels

The end nodes have orange borders because they are incomplete. In RiskTree, the end nodes represent the risks that we are assessing, and they need to have assessment values applied. These values are set to - by default, hence the six - symbols (separated by slashes) beneath each node name. Of course, the end nodes on the current tree are not actual risks: we need to build the representation of the risks beneath.

Putting on the risks

Let’s consider the risks from the hosting company staff. At this stage try not to think about the controls that will be in place to protect your data – just focus on possible attacks. There might be several that you can think of, for example:

We can then build a structure to represent this under the Hosting company node. This part of the tree could now look like this:

Partial Tree

You can now repeat this process to build up risk structures for every other branch of the tree following the process just described. This can be done as a solo process, if you have enough knowledge of the asset, or it can be developed through running a Risk Discovery Workshop in which a small number of experts contribute their knowledge.

The process tends to work best by considering each branch in turn, rather than jumping back and forth. However, it’s fine to revisit a previous branch if you realize that there is another attack that didn’t come to mind the first time around.

You can move the tree around on the screen by clicking and dragging; the mouse cursor will turn into a four-pointed arrow when the tree can be dragged.

Assessment values

Whilst the completed RiskTree structure has some use – in presenting the risks to the asset in a structure manner – in order to perform a risk assessment, we need to add more data. This is in the form of assessment values. For standard nodes, there are six of these:

Name Range Description
Cost 1-6 The cost to the attacker of carrying out the attack. For example, do they need to purchase equipment or cloud compute capability, or bribe staff?
Complexity 1-6 The complexity of the attack, in terms of knowledge required by the attacker. This could be technical capability, knowledge of the organization or system being attacked, or just the number of steps required to achieve the attack.
Consequences 1-6 How likely is the attacker to be caught, and how severely will they be punished if they are? Will they lose their job (if they are an insider); will they be fined or imprisoned?
Reward 1-6 What reward is there for the attacker? Is there a financial gain, or are they doing it for fun?
Damage 1-9 What is the loss caused to the organization being attacked?
Replay 0-6 How often could the attack be carried out (not necessarily by the same attacker)?

For the values assessed financially, typically Cost, Reward, and Damage, using an order of magnitude scale works best. In other words £1,000 would score a 3, £100,000 is a 5, and £1 billion (for damage) is a 9. Replay should also be order of magnitude, which is why it can be scored as a 0 – this value means that it is a one-off attack. A 6 (millions) would most likely be a phishing campaign or similar.

The key thing to remember when assigning values though, is to keep them relative. Ensure that an attack that is more expensive than another, has a higher cost score, and so on. If you are running a workshop to build the trees, get consensus from workshop attendees and always ensure consistency in scoring. The scores might be subjective, but this matters less when the output is to be a relative ordering of the risks. Also, remember to exclude the effects of any controls that you might have implemented – these will be added in a later step.

As you are adding values, there is likely to be discussion about why a particular score has been chosen. It is important to capture this information so that someone reviewing the assessment can understand the reasoning behind the choice of values. This evidence is stored by clicking on the speech bubble icon to the right of the drop-down for each score. This opens the evidence box:

Add Evidence Meny

You can format the evidence notes using the buttons above the text entry field. Formatting is cleared by clicking on the T× button. When complete, click on the Save evidence button to close the editor. The speech bubble in the button next to the assessment value will become solid to indicate that evidence is held.

Evidence

An intrinsic assessment

Once you start to apply assessment values, a pie chart will appear near to the menu bar showing the completion status of the nodes. This starts off mostly red, but the green increases until all of your end nodes have values (and none have orange borders).

Completion status of the nodes

At this point you can perform the intrinsic risk assessment. Click on the calculator icon in the sidebar and select the level of calculation.

Performing the intrinsic risk assessment Performing the intrinsic risk assessment2

RiskTree will now start the risk calculation process. A progress bar shows how far the calculation has gone. This will disappear once the calculation is complete.

Calculation progress

Information about your risks will now appear in the Risks tab below the RiskTree diagram. The first tab to be shown will be the Risk summary, which provides a concise view of your risks in both a table and a bar chart.

Risk Summary

A more detailed view of each risk is on the Risk table tab. This will list each of the risks, from highest to lowest:

Risk Table Tab

The best way of getting a good overview of the risks levels is to colour the RiskTree by risk level. To do this, you need to change the drop-down above the bar chart to state that the risk colours are required on the end nodes.

Tree coloured depending on risk level

You have now created an intrinsic risk assessment. Most of these risks look scary, but don’t worry: this is because we haven’t looked at the countermeasures yet. The next instalment of this series will cover this topic.