Abstract:
Attack trees (ATs) are a popular model-based formalism to perform a security risk assessment. The benefits of using AT are numerous: graphical top-down representation of multi-stage attack scenarios, several analysis frameworks, and many supporting tools. The current practice of constructing an attack tree for a given system is using the rules-of-thumb. Though this process is flexible, in the absence of a template, it is non-standardized. Hence it is tedious and may result in contention between the stakeholders due to individual idiosyncrasies. To address these limitations, in this paper, we develop an AT template. We meticulously design the template by performing a literature survey of the industry-size ATs and extract the meta-categories used to build them. The AT template is then structured into layers by the systematic question-answering methodology of Potts et al. Each successive layer in our template is a refinement of the previous layer, adding more details. We link the AT template to standard threat databases. Thus, our template guides the practitioner on narrowing to the appropriate attack vectors. An important question here is how to keep the AT template flexible, given the diversity of context and system variables. To address the question, we use a feature diagram to represent the AT categories. We used the AT template to gain practical experience over a hypothetical case study of smart meters (not part of the paper). Based on our experience, we suggest future research directions.