The motivation of attackers in attack tree analysis


Abstract

The number of cyberattacks has been growing over time and is expected to keep growing. To prevent such attacks, countermeasures have to be put in place by IT security experts. These experts are, however, often tied to budgets and do not have a good overview of the threats that are present. It is thus necessary to provide them with tools that help them decide how to allocate their resources. One of these tools is the attack tree methodology, which is used to analyse complex attacks that consist of multiple steps. Properties of the overall security of the system are derived from properties of the smaller steps. These properties of the attack are represented as parameters that are allocated to the nodes in the attack tree. Some of these parameters are, however, dependent on the type of attacker. To be able to reuse the attack tree when analysing it for various types of attackers, the parameters in the attack tree have to be made independent of the attacker. To do so, attacker properties are considered separately and summarized in attacker profiles. So far, methods have been developed to include the attacker's resources and the attacker's skill in the attack tree methodology. The result of the current research is a framework that includes the motivation of the attacker in the attack tree methodology. The framework can be used by IT security experts to analyse the attack tree for variously motivated attackers, without having to update the parameter values. A design science approach is used to design the framework, starting with the identification of the knowledge gap. The knowledge gap lies in how to include the motivation of the attacker in the attack tree methodology. This motivation is assumed to influence the pay-off an attacker receives from performing an attack. The value that including the motivation in the analysis can bring can be summarized as follows:

- The gains parameter is made independent of the type of attacker.
- Various pay-offs are possible for variously motivated attackers.
- The gains parameter is made more realistic.

The framework is ensured to reach this potential added value by adhering to a list of requirements. This list is built up from constraints to which the framework must conform and dilemmas for which a design choice has to be made. The resulting framework is mainly based on the method presented by Lenin et al. (2014). Changes to the current method are mainly made to the gains parameter. Gains are no longer a global parameter that the attacker receives only on reaching the root node. Instead, it is possible to include intermediate pay-offs, which means that gains can also be allocated to intermediate nodes. In this way, different gains are possible for different attack paths in the attack tree, so gains can be represented in a more fine-grained way. An opt-out possibility is also included, allowing attackers to perform an attack that only reaches an intermediate node and not the root node of the attack tree. In the current method the pay-off for an attacker was considered to be equal to the gains, which were the same for every type of attacker and consisted of a single value. In the designed framework the gains are split into five types, corresponding to the five forms of motivation an attacker may have: financial benefits, causing damage, knowledge gaining, pleasure seeking and gaining notoriety within a community. Weight values represent the importance of each type of gain for a given attacker. By multiplying the gains by the weight values, a pay-off can be calculated for a certain type of attacker. This way, various pay-offs are possible for variously motivated attackers.

A case study has been described to show the working of the framework on a real-world case, which also served as a validation of the framework. In addition, an expert opinion was sought to validate the framework. The main improvement that future research can make to the framework concerns allocating values to the different types of gains and allocating the weight values for the different types of gains. Attention could also be paid to several dependencies between attack and attacker properties that have not yet been taken into account.
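The pay-off computation described above, as an added illustration rather than code from the thesis: each node carries gains for the five motivation types, an attacker profile supplies weight values, the pay-off is the weighted sum, and the opt-out rule lets the attacker stop at whichever intermediate node yields the most. A per-node attacker cost and the tree itself are assumptions made for the example (the abstract does not define costs), and the node names, gains and weights are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The five forms of motivation named in the abstract, in a fixed order.
MOTIVES = ("financial", "damage", "knowledge", "pleasure", "notoriety")

@dataclass
class Node:
    name: str
    gains: Dict[str, float] = field(default_factory=dict)  # gains of reaching this node, per type
    cost: float = 0.0       # assumed attacker cost of this step (not part of the abstract)
    gate: str = "OR"        # "OR": one child suffices; "AND": every child is needed
    children: List["Node"] = field(default_factory=list)

def payoff(gains, weights):
    """Pay-off for one attacker profile: each type of gain times the profile's weight."""
    return sum(gains.get(m, 0.0) * weights.get(m, 0.0) for m in MOTIVES)

def achieve(node, weights):
    """Net value (weighted gains minus cost) of fully reaching `node`, plus the nodes used."""
    own = payoff(node.gains, weights) - node.cost
    if not node.children:
        return own, [node.name]
    results = [achieve(c, weights) for c in node.children]
    if node.gate == "AND":   # all children must be achieved before this node
        return own + sum(v for v, _ in results), [n for _, p in results for n in p] + [node.name]
    value, path = max(results, key=lambda r: r[0])   # OR: the attacker picks the best child
    return own + value, path + [node.name]

def best_plan(node, weights):
    """Opt-out: the attacker may stop at any intermediate node instead of the root."""
    best = achieve(node, weights)
    for child in node.children:
        candidate = best_plan(child, weights)
        if candidate[0] > best[0]:
            best = candidate
    return best

# Constructed example tree with hypothetical gains and costs.
TREE = Node("root goal", {"financial": 100, "notoriety": 30}, 40, "AND", [
    Node("step A", {"knowledge": 20}, 10),
    Node("step B", {"damage": 50, "financial": 10}, 15, "OR", [
        Node("B1", {}, 5), Node("B2", {"pleasure": 5}, 8)]),
])
# Weight values for three differently motivated attackers (hypothetical profiles).
PROFILES = {"profit": {"financial": 1.0, "notoriety": 0.2},
            "vandal": {"damage": 1.0, "pleasure": 0.5},
            "curious": {"knowledge": 1.0, "pleasure": 0.3}}

def evaluate(tree=TREE, profiles=PROFILES):
    """Best net pay-off and stopping path per profile; the gains themselves never change."""
    return {name: best_plan(tree, w) for name, w in profiles.items()}
```

With these values the profit-driven profile proceeds to the root, the vandal opts out at step B, and the curious attacker stops after step A, so one tree yields three different pay-offs without editing any node parameter.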