The OWASP project (http://www.owasp.org) is planning on building attack trees for web application threats in UML, I believe. XML could be an option as well. You would still need to find the best way to display it, but XML gives you a bit more flexibility IMHO.

----- Original Message -----
From: "Kruse, Darren (DEH)" <Kruse.Darren2at_private>
To: <pen-testat_private>
Sent: Thursday, March 21, 2002 7:00 PM
Subject: best tool to draw attack trees ??

> I'm puzzling over what is the best way to draw attack trees.
>
> Attack trees provide a formal, methodical way of describing the security of
> systems, based on varying attacks. Basically, you represent attacks against
> a system in a tree structure, with the goal as the root node and different
> ways of achieving that goal as leaf nodes.
>
> Bruce Schneier's Secrets and Lies - Digital Security in a Networked World
> http://www.amazon.com/exec/obidos/ASIN/0471253111/qid=1016671800/sr=8-1/ref=sr_8_67_1/002-8209990-0206427 ,
> in particular chapter 21 covers Attack Trees
>
> There's also a DDJ article on attack trees
> http://www.ddj.com/documents/s=896/ddj9912a/9912a.htm (also by Bruce
> Schneier) that covers virtually the same ground as the book.
>
> I'm thinking that it would make a really good motivational tool for
> management to see what all the threats are against our systems.
>
> Having a documented attack tree would also help me in identifying what holes,
> and threats I need to worry about RIGHT NOW!
>
> My first thought was to wade in, and start drawing with Visio - making use
> of the layers feature to distinguish between different sets of values..
>
> Possible / Impossible
> Cost
> script kiddie tool released ?
> etc..
>
> But does anyone know of a more "closely-suited" tool than Visio? I've done
> a google search on "attack tree" software, and come up blank.
>
> There are cheaper alternatives to Visio - maybe Kivio mp
> http://www.thekompany.com/products/kivio/faq.php3 ?? Unfortunately, the KDE
> version (Kivio without the mp suffix) doesn't do layers. :-(
>
> Would a web interface be better? - certainly for navigating between
> threats, but how about when you want to see a larger part of the tree, or
> the whole attack tree??
>
> Maybe MS Project? - it's good at showing inter-related tasks that have
> dependencies and costs, and can output to HTML as well.
>
> How about when I want to add, or share bits of someone else's attack tree?
> It would be cool to be able to download discrete sub-branches, just like you
> download additional Snort IDS signatures.
>
> Darren Kruse CCNP CCDP
> WAN/LAN Networking Consultant
> Mobile : (+61) 0407 446 399
> mailto://darren_kruseat_private
> http://www.geocities.com/darren_kruse
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
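An added example, not part of the original thread: one way to hold an attack tree in XML, as the reply suggests, and to roll up the Possible/Impossible and Cost values the original message mentions. The element and attribute names (`node`, `goal`, `type`, `cost`, `possible`), the sample tree and the `graft` helper for shared sub-branches are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: goals, costs and feasibility flags are illustrative only.
TREE_XML = """
<node goal="Open safe" type="OR">
  <node goal="Pick lock" cost="30000" possible="false"/>
  <node goal="Cut open safe" cost="10000" possible="true"/>
  <node goal="Learn combination" type="OR">
    <node goal="Find written combination" cost="75000" possible="false"/>
  </node>
</node>
"""

# A sub-branch maintained elsewhere and merged in later (also constructed).
# Shared branches are untrusted input: parse real ones with a hardened
# XML parser such as defusedxml rather than the stock parser used here.
BRANCH_XML = """
<node goal="Eavesdrop" type="AND">
  <node goal="Listen to conversation" cost="2000" possible="true"/>
  <node goal="Get owner to state combination" cost="4000" possible="true"/>
</node>
"""

def evaluate(node):
    """Return (possible, cheapest_cost) for the goal at this node."""
    children = list(node)
    if not children:  # leaf: values come straight from its attributes
        possible = node.get("possible", "false") == "true"
        return possible, (float(node.get("cost", "inf")) if possible else float("inf"))
    results = [evaluate(child) for child in children]
    if node.get("type", "OR") == "AND":  # every child step is required
        possible = all(p for p, _ in results)
        cost = sum(c for _, c in results)
    else:  # OR: any single child achieves the goal, so take the cheapest
        possible = any(p for p, _ in results)
        cost = min(c for _, c in results)
    return possible, (cost if possible else float("inf"))

def graft(root, parent_goal, branch):
    """Attach a shared sub-branch under the first node whose goal matches."""
    for node in root.iter("node"):
        if node.get("goal") == parent_goal:
            node.append(branch)
            return True
    return False

if __name__ == "__main__":
    root = ET.fromstring(TREE_XML)
    print(evaluate(root))
    graft(root, "Learn combination", ET.fromstring(BRANCH_XML))
    print(evaluate(root))
```

Grafting the shared branch changes the root's cheapest feasible path, which is the kind of shift a documented tree makes visible when a new sub-branch is merged.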
This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 15:52:43 PST