What Are Cyber Attack Trees?

Recently I wrote about Defense in Depth and the importance of layering multiple security controls to reduce the risk of any one control failing.

A related idea is to look at a system from the perspective of an attacker trying to get in, and to map the possible (and easiest) ways in as sequences of steps.

This idea is variously called “attack trees”, “attack paths”, or “thinking in graphs”. For context – “trees” and “graphs” are essentially “if this, then that” flow charts. Attack trees provide a map for getting from where the attacker is to where they want to be.

The graph below provides an example of an attack tree, with the goal at the top and possible starting points below.

[Image: cyber attack tree]

(Original by Michael Henriksen, published under MIT license.)


The Defensive Difference

In contrast, the typical defensive process is list-based –

In other words, to defend against cyber attacks, the defender normally has to protect everything and cannot cut any corners, while the attacker only has to find the lowest-hanging fruit.

This leads to outcomes such as “you have to be successful all the time, attackers only have to be successful once.”

This is not a very positive scenario – can we do something about that?


Changing the Approach

If the attacker’s optimal process is to find the easiest way in, the defensive response should be to remove the easy paths where possible, and make the remaining paths more difficult.

Some of the possible strategies include:

  • Divide systems to prevent “island hopping” between unrelated systems
  • Reduce the number of administrative accounts and use multi-factor authentication for all such users
  • Reconsider “flat network” designs

Doing this requires an in-depth understanding of what your high-value technology assets are and how they can be accessed, which in turn requires collaboration between business and technology units.
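To make the "remove the easy paths, harden the rest" idea concrete, here is an added example (not part of the original post) that models a small environment as a weighted graph, finds the attacker's easiest path to a high-value asset, and recomputes it after applying two of the strategies listed above. The node names and effort scores are constructed for illustration; lower effort is assumed to mean easier for the attacker.

```python
import heapq

# Constructed sample graph: nodes are attacker positions, edge weights are a
# relative "effort" score (assumption: lower = easier for the attacker).
GRAPH = {
    "internet":      {"phishing_user": 2, "vpn_gateway": 8},
    "phishing_user": {"workstation": 1},
    "vpn_gateway":   {"workstation": 2},
    "workstation":   {"admin_account": 2, "file_server": 3},
    "file_server":   {"admin_account": 4},
    "admin_account": {"customer_db": 1},
}

def easiest_path(graph, start, goal):
    """Dijkstra: return (total_effort, path) of the cheapest route, or (None, [])."""
    queue = [(0, start, [start])]
    seen = set()
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == goal:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, effort in graph.get(node, {}).items():
            if nxt not in seen:
                heapq.heappush(queue, (cost + effort, nxt, path + [nxt]))
    return None, []  # goal is unreachable: every path has been removed

def harden(graph, changes):
    """Return a copy of graph with edges re-weighted, or removed when effort is None."""
    new = {node: dict(edges) for node, edges in graph.items()}
    for (src, dst), effort in changes.items():
        if effort is None:
            new.get(src, {}).pop(dst, None)
        else:
            new.setdefault(src, {})[dst] = effort
    return new

# Strategies from the list above, expressed as edge changes (constructed values):
HARDENED = harden(GRAPH, {
    ("workstation", "admin_account"): 9,   # MFA on administrative accounts
    ("file_server", "admin_account"): 9,
    ("workstation", "file_server"): None,  # segmentation: no hop to an unrelated system
})

if __name__ == "__main__":
    print("before:", easiest_path(GRAPH, "internet", "customer_db"))
    print("after: ", easiest_path(HARDENED, "internet", "customer_db"))
```

In this model the cheapest route still runs through the same nodes after hardening, but its total effort rises from 6 to 13. Removing the last edge into the asset leaves no path at all.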

Interested in seeing your low hanging fruit from an attacker’s point of view? Learn more about Penetration Testing.
