Lessons in threat modeling: How attack trees can deliver AppSec by design

As important as threat modeling is to securing applications by design, it is a process that can be time-consuming and arduous for an organization. It’s a grand exercise that requires a thorough examination of the components of a system. That means a threat modeler needs to analyze data flow, system architecture, business processes, and potential entry points susceptible to malicious exploitation.

Derek Fisher, executive director of product security at JPMorgan Chase, wrote in his Security Built blog that threat modeling is a powerful tool that adopts a holistic perspective to address security from a system-wide viewpoint. But he added that it can also be "expansive and laborious."

While threat modeling can be a powerful tool in the organization’s tool chest, it can be time-consuming and difficult to perform rapidly. Another option in the tool chest is creating attack trees.

Derek Fisher

Attack trees focus on hierarchically illustrating potential threat scenarios. They break down a primary malicious activity into sub-goals and strategies employed by adversaries. Attack trees function as a graphical interpretation, providing an early view of attack paths and identifying threats early in the software development lifecycle (SDLC).

The graphical tack taken by attack trees in threat modeling provides a more approachable and easily understood method of understanding how threat actors can breach and exploit a system, noted John Gallagher, vice president of Viakoo Labs.

That is critically important because of the complexity of threat modeling. Think of it as an abstraction layer. Abstraction layers are widely used in computer science to hide intricate details while exposing critical functionality.

John Gallagher

Here's what you need to know about how to use attack trees in threat modeling to develop robust software by design.

Learn more: 10 tips for building an enterprise threat modeling program Why threat modeling is essential for managing SDLC riskSee related Webinar with Matt Rose and Chris Romeo

Make threat modeling more manageable — and effective

The strength of attack trees is that they go beyond graphical representation. They also provide key tactical insights, Fisher said. By breaking down the attack scenarios into hierarchical components, threat modelers gain a nuanced understanding of potential weak points and critical junctures within a workflow. This insight allows for the formulation of targeted and tactical defenses, ensuring that security measures are tailored to address specific elements of the attack tree.

In simpler terms, Fisher explained, threat modeling provides a panoramic view of security while attack trees specialize in visualizing the intricacies of targeted attack paths. The narrower focus enables a more detailed representation of specific threats and gives the modeler the ability to illustrate the sequential steps an adversary might take to achieve their desired outcome, he added.

Chris Romeo, CEO of the threat modeling company Devici, said attack trees provide another vehicle for understanding and visualizing threats.

Attack trees are complementary to threat modeling but differ from the data-flow diagram-led approach. Attack trees themselves will not implement Secure by Design, but they provide a visualization of the challenges to implementation.

Chris Romeo

With attack trees, threat modelers focus on what can go wrong by breaking it down at various levels of abstraction and documenting the contingencies for the threat to become a reality, Romeo said. The piece that practitioners must add is the application of mitigations to the various attacks, he stressed.

Gallagher said three elements provided by attack trees can contribute to making software secure by design: context, priority, and visualization.

Without those elements — especially context — cyber-defenses will take longer to develop and likely will be less effective.

John Gallagher

By assessing the probability of the actions a threat actor might take, developers can prioritize their security efforts and make the most efficient use of their time, Gallagher said.

Attack trees and threat modeling: Better together

Fisher noted that one area that attack trees differ from threat modeling is in how they handle threats. Threat modeling often employs work sessions or meetings that bring together various stakeholders, while attack trees can function as a specific tool within an overall process. Though purpose-built tools can be used to create attack trees, they aren’t essential. A simple diagramming tool such as Deciduous can work, he said.

Although attack trees and threat modeling can be used separately, Fisher recommends using them in tandem. The hierarchical representation of attack trees aids in understanding the sequential progression of an attack in the broader context of threat modeling.

Gallagher said using attack trees and threat modeling in tandem contributes valuable insights into specific vulnerabilities and potential exploits.

The role of an attack tree is to identify the goals of a threat actor and their possible routes to achieving those goals. This allows modeling based on the context of the overall system. For IoT threats, which are from a tightly coupled system of applications and devices, an attack-tree approach is an essential part of threat modeling.

John Gallagher

Attack trees can also add detail to critical workflows in a threat model, Fisher said. You may want to dive deeper into the specific attack paths for that critical workflow to either identify the appropriate mitigations or ensure that all of the possible and known attack paths have been captured.

No matter the tools, it's follow-through that matters

Most attacks are not simplistic. They are often a series of failed or missing controls, a bit of luck, and some ingenuity. This is hard to capture in a broad threat model, but it’s where attack trees can shine, Fisher said.

As powerful as threat modeling and attack trees can be for organizations, however, Fisher said application security (AppSec) practitioners and developers need to recognize that the methods are powerful only if properly maintained. As a system evolves or new information becomes available, threat models need to be revised, which means attack trees need to be updated as well. This can occur not just when new attacks and techniques are identified, but also when the architecture changes.