Threat Modeling: Attack Tree Example

 

Using attack trees as part of a threat model - Image created with help from ChatGPT

 

Root Goal:

  • Gain Unauthorized Access to User Bank Accounts

Level 1 (Branch Nodes): High-Level Methods

  1. Exploit Application Vulnerabilities

  2. Social Engineering

  3. Compromise User Devices

Level 2 (Sub-Branch Nodes): Specific Strategies or Vulnerabilities

  1. Exploit Application Vulnerabilities

    • SQL Injection to access the database

    • Cross-Site Scripting (XSS) to steal session cookies

    • Cross-Site Request Forgery (CSRF) to perform unauthorized transactions

  2. Social Engineering

    • Phishing emails to steal login credentials

    • Impersonation calls to customer support to reset user passwords

    • Fake banking websites to capture user login information

  3. Compromise User Devices

    • Malware to log keystrokes (keyloggers)

    • Man-in-the-Middle (MitM) attacks on insecure networks

    • Exploiting vulnerabilities in the user's device operating system

Level 3 (Leaf Nodes): Specific Actions or Conditions

  1. SQL Injection

    • Identify input fields that are not sanitized

    • Craft SQL queries to inject via user input fields

  2. Phishing Emails

    • Design convincing emails mimicking bank communication

    • Include links to fake banking login pages

  3. Malware (Keyloggers)

    • Develop or acquire a keylogging tool

    • Distribute the malware via email attachments or malicious websites

Using the Attack Tree in Threat Modeling

  • Identify Vulnerabilities: The attack tree helps pinpoint specific vulnerabilities, such as unsanitized input fields (for SQL Injection) or the lack of email filtering and awareness (for Phishing).

  • Assess Risks: Each branch and leaf node can be assessed for likelihood and impact, allowing the team to prioritize risks. For example, SQL Injection might be deemed high risk if the application relies heavily on dynamic SQL queries without proper input validation.

  • Develop Mitigation Strategies: Based on the identified risks, the team can propose countermeasures. For SQL Injection, this might include implementing prepared statements and input validation. For Phishing, measures could include employee awareness training and improved email filtering.

  • Review and Update Security Measures: The attack tree also highlights areas for potential security improvements, such as implementing multi-factor authentication (MFA) to mitigate the risk of unauthorized access even if login credentials are compromised.

Conclusion

In this threat modeling session, the attack tree provided a structured way to explore and document potential threats to the online banking application. It facilitated a comprehensive analysis of how an attacker could gain unauthorized access to user accounts, guiding the team in prioritizing and addressing vulnerabilities effectively.