Attack Tree Construction

1---2name: attack-tree-construction3description: Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders.4---5 6# Attack Tree Construction7 8Systematic attack path visualization and analysis.9 10## When to Use This Skill11 12- Visualizing complex attack scenarios13- Identifying defense gaps and priorities14- Communicating risks to stakeholders15- Planning defensive investments16- Penetration test planning17- Security architecture review18 19## Core Concepts20 21### 1. Attack Tree Structure22 23```24                    [Root Goal]25                         |26            ┌────────────┴────────────┐27            │                         │28       [Sub-goal 1]              [Sub-goal 2]29       (OR node)                 (AND node)30            │                         │31      ┌─────┴─────┐             ┌─────┴─────┐32      │           │             │           │33   [Attack]   [Attack]      [Attack]   [Attack]34    (leaf)     (leaf)        (leaf)     (leaf)35```36 37### 2. Node Types38 39| Type     | Symbol    | Description             |40| -------- | --------- | ----------------------- |41| **OR**   | Oval      | Any child achieves goal |42| **AND**  | Rectangle | All children required   |43| **Leaf** | Box       | Atomic attack step      |44 45### 3. Attack Attributes46 47| Attribute     | Description             | Values             |48| ------------- | ----------------------- | ------------------ |49| **Cost**      | Resources needed        | $, $$, $$$         |50| **Time**      | Duration to execute     | Hours, Days, Weeks |51| **Skill**     | Expertise required      | Low, Medium, High  |52| **Detection** | Likelihood of detection | Low, Medium, High  |53 54## Templates55 56### Template 1: Attack Tree Data Model57 58```python59from dataclasses import dataclass, field60from enum import Enum61from typing import List, Dict, Optional, Union62import json63 64class NodeType(Enum):65    OR = "or"66    AND = "and"67    LEAF = "leaf"68 69 70class Difficulty(Enum):71    TRIVIAL = 172    LOW = 273    MEDIUM = 374    HIGH = 475    EXPERT = 576 77 78class Cost(Enum):79    FREE = 080    LOW = 181    MEDIUM = 282    HIGH = 383    VERY_HIGH = 484 85 86class DetectionRisk(Enum):87    NONE = 088    LOW = 189    MEDIUM = 290    HIGH = 391    CERTAIN = 492 93 94@dataclass95class AttackAttributes:96    difficulty: Difficulty = Difficulty.MEDIUM97    cost: Cost = Cost.MEDIUM98    detection_risk: DetectionRisk = DetectionRisk.MEDIUM99    time_hours: float = 8.0100    requires_insider: bool = False101    requires_physical: bool = False102 103 104@dataclass105class AttackNode:106    id: str107    name: str108    description: str109    node_type: NodeType110    attributes: AttackAttributes = field(default_factory=AttackAttributes)111    children: List['AttackNode'] = field(default_factory=list)112    mitigations: List[str] = field(default_factory=list)113    cve_refs: List[str] = field(default_factory=list)114 115    def add_child(self, child: 'AttackNode') -> None:116        self.children.append(child)117 118    def calculate_path_difficulty(self) -> float:119        """Calculate aggregate difficulty for this path."""120        if self.node_type == NodeType.LEAF:121            return self.attributes.difficulty.value122 123        if not self.children:124            return 0125 126        child_difficulties = [c.calculate_path_difficulty() for c in self.children]127 128        if self.node_type == NodeType.OR:129            return min(child_difficulties)130        else:  # AND131            return max(child_difficulties)132 133    def calculate_path_cost(self) -> float:134        """Calculate aggregate cost for this path."""135        if self.node_type == NodeType.LEAF:136            return self.attributes.cost.value137 138        if not self.children:139            return 0140 141        child_costs = [c.calculate_path_cost() for c in self.children]142 143        if self.node_type == NodeType.OR:144            return min(child_costs)145        else:  # AND146            return sum(child_costs)147 148    def to_dict(self) -> Dict:149        """Convert to dictionary for serialization."""150        return {151            "id": self.id,152            "name": self.name,153            "description": self.description,154            "type": self.node_type.value,155            "attributes": {156                "difficulty": self.attributes.difficulty.name,157                "cost": self.attributes.cost.name,158                "detection_risk": self.attributes.detection_risk.name,159                "time_hours": self.attributes.time_hours,160            },161            "mitigations": self.mitigations,162            "children": [c.to_dict() for c in self.children]163        }164 165 166@dataclass167class AttackTree:168    name: str169    description: str170    root: AttackNode171    version: str = "1.0"172 173    def find_easiest_path(self) -> List[AttackNode]:174        """Find the path with lowest difficulty."""175        return self._find_path(self.root, minimize="difficulty")176 177    def find_cheapest_path(self) -> List[AttackNode]:178        """Find the path with lowest cost."""179        return self._find_path(self.root, minimize="cost")180 181    def find_stealthiest_path(self) -> List[AttackNode]:182        """Find the path with lowest detection risk."""183        return self._find_path(self.root, minimize="detection")184 185    def _find_path(186        self,187        node: AttackNode,188        minimize: str189    ) -> List[AttackNode]:190        """Recursive path finding."""191        if node.node_type == NodeType.LEAF:192            return [node]193 194        if not node.children:195            return [node]196 197        if node.node_type == NodeType.OR:198            # Pick the best child path199            best_path = None200            best_score = float('inf')201 202            for child in node.children:203                child_path = self._find_path(child, minimize)204                score = self._path_score(child_path, minimize)205                if score < best_score:206                    best_score = score207                    best_path = child_path208 209            return [node] + (best_path or [])210        else:  # AND211            # Must traverse all children212            path = [node]213            for child in node.children:214                path.extend(self._find_path(child, minimize))215            return path216 217    def _path_score(self, path: List[AttackNode], metric: str) -> float:218        """Calculate score for a path."""219        if metric == "difficulty":220            return sum(n.attributes.difficulty.value for n in path if n.node_type == NodeType.LEAF)221        elif metric == "cost":222            return sum(n.attributes.cost.value for n in path if n.node_type == NodeType.LEAF)223        elif metric == "detection":224            return sum(n.attributes.detection_risk.value for n in path if n.node_type == NodeType.LEAF)225        return 0226 227    def get_all_leaf_attacks(self) -> List[AttackNode]:228        """Get all leaf attack nodes."""229        leaves = []230        self._collect_leaves(self.root, leaves)231        return leaves232 233    def _collect_leaves(self, node: AttackNode, leaves: List[AttackNode]) -> None:234        if node.node_type == NodeType.LEAF:235            leaves.append(node)236        for child in node.children:237            self._collect_leaves(child, leaves)238 239    def get_unmitigated_attacks(self) -> List[AttackNode]:240        """Find attacks without mitigations."""241        return [n for n in self.get_all_leaf_attacks() if not n.mitigations]242 243    def export_json(self) -> str:244        """Export tree to JSON."""245        return json.dumps({246            "name": self.name,247            "description": self.description,248            "version": self.version,249            "root": self.root.to_dict()250        }, indent=2)251```252 253### Template 2: Attack Tree Builder254 255```python256class AttackTreeBuilder:257    """Fluent builder for attack trees."""258 259    def __init__(self, name: str, description: str):260        self.name = name261        self.description = description262        self._node_stack: List[AttackNode] = []263        self._root: Optional[AttackNode] = None264 265    def goal(self, id: str, name: str, description: str = "") -> 'AttackTreeBuilder':266        """Set the root goal (OR node by default)."""267        self._root = AttackNode(268            id=id,269            name=name,270            description=description,271            node_type=NodeType.OR272        )273        self._node_stack = [self._root]274        return self275 276    def or_node(self, id: str, name: str, description: str = "") -> 'AttackTreeBuilder':277        """Add an OR sub-goal."""278        node = AttackNode(279            id=id,280            name=name,281            description=description,282            node_type=NodeType.OR283        )284        self._current().add_child(node)285        self._node_stack.append(node)286        return self287 288    def and_node(self, id: str, name: str, description: str = "") -> 'AttackTreeBuilder':289        """Add an AND sub-goal (all children required)."""290        node = AttackNode(291            id=id,292            name=name,293            description=description,294            node_type=NodeType.AND295        )296        self._current().add_child(node)297        self._node_stack.append(node)298        return self299 300    def attack(301        self,302        id: str,303        name: str,304        description: str = "",305        difficulty: Difficulty = Difficulty.MEDIUM,306        cost: Cost = Cost.MEDIUM,307        detection: DetectionRisk = DetectionRisk.MEDIUM,308        time_hours: float = 8.0,309        mitigations: List[str] = None310    ) -> 'AttackTreeBuilder':311        """Add a leaf attack node."""312        node = AttackNode(313            id=id,314            name=name,315            description=description,316            node_type=NodeType.LEAF,317            attributes=AttackAttributes(318                difficulty=difficulty,319                cost=cost,320                detection_risk=detection,321                time_hours=time_hours322            ),323            mitigations=mitigations or []324        )325        self._current().add_child(node)326        return self327 328    def end(self) -> 'AttackTreeBuilder':329        """Close current node, return to parent."""330        if len(self._node_stack) > 1:331            self._node_stack.pop()332        return self333 334    def build(self) -> AttackTree:335        """Build the attack tree."""336        if not self._root:337            raise ValueError("No root goal defined")338        return AttackTree(339            name=self.name,340            description=self.description,341            root=self._root342        )343 344    def _current(self) -> AttackNode:345        if not self._node_stack:346            raise ValueError("No current node")347        return self._node_stack[-1]348 349 350# Example usage351def build_account_takeover_tree() -> AttackTree:352    """Build attack tree for account takeover scenario."""353    return (354        AttackTreeBuilder("Account Takeover", "Gain unauthorized access to user account")355        .goal("G1", "Take Over User Account")356 357        .or_node("S1", "Steal Credentials")358            .attack(359                "A1", "Phishing Attack",360                difficulty=Difficulty.LOW,361                cost=Cost.LOW,362                detection=DetectionRisk.MEDIUM,363                mitigations=["Security awareness training", "Email filtering"]364            )365            .attack(366                "A2", "Credential Stuffing",367                difficulty=Difficulty.TRIVIAL,368                cost=Cost.LOW,369                detection=DetectionRisk.HIGH,370                mitigations=["Rate limiting", "MFA", "Password breach monitoring"]371            )372            .attack(373                "A3", "Keylogger Malware",374                difficulty=Difficulty.MEDIUM,375                cost=Cost.MEDIUM,376                detection=DetectionRisk.MEDIUM,377                mitigations=["Endpoint protection", "MFA"]378            )379        .end()380 381        .or_node("S2", "Bypass Authentication")382            .attack(383                "A4", "Session Hijacking",384                difficulty=Difficulty.MEDIUM,385                cost=Cost.LOW,386                detection=DetectionRisk.LOW,387                mitigations=["Secure session management", "HTTPS only"]388            )389            .attack(390                "A5", "Authentication Bypass Vulnerability",391                difficulty=Difficulty.HIGH,392                cost=Cost.LOW,393                detection=DetectionRisk.LOW,394                mitigations=["Security testing", "Code review", "WAF"]395            )396        .end()397 398        .or_node("S3", "Social Engineering")399            .and_node("S3.1", "Account Recovery Attack")400                .attack(401                    "A6", "Gather Personal Information",402                    difficulty=Difficulty.LOW,403                    cost=Cost.FREE,404                    detection=DetectionRisk.NONE405                )406                .attack(407                    "A7", "Call Support Desk",408                    difficulty=Difficulty.MEDIUM,409                    cost=Cost.FREE,410                    detection=DetectionRisk.MEDIUM,411                    mitigations=["Support verification procedures", "Security questions"]412                )413            .end()414        .end()415 416        .build()417    )418```419 420### Template 3: Mermaid Diagram Generator421 422```python423class MermaidExporter:424    """Export attack trees to Mermaid diagram format."""425 426    def __init__(self, tree: AttackTree):427        self.tree = tree428        self._lines: List[str] = []429        self._node_count = 0430 431    def export(self) -> str:432        """Export tree to Mermaid flowchart."""433        self._lines = ["flowchart TD"]434        self._export_node(self.tree.root, None)435        return "\n".join(self._lines)436 437    def _export_node(self, node: AttackNode, parent_id: Optional[str]) -> str:438        """Recursively export nodes."""439        node_id = f"N{self._node_count}"440        self._node_count += 1441 442        # Node shape based on type443        if node.node_type == NodeType.OR:444            shape = f"{node_id}(({node.name}))"445        elif node.node_type == NodeType.AND:446            shape = f"{node_id}[{node.name}]"447        else:  # LEAF448            # Color based on difficulty449            style = self._get_leaf_style(node)450            shape = f"{node_id}[/{node.name}/]"451            self._lines.append(f"    style {node_id} {style}")452 453        self._lines.append(f"    {shape}")454 455        if parent_id:456            connector = "-->" if node.node_type != NodeType.AND else "==>"457            self._lines.append(f"    {parent_id} {connector} {node_id}")458 459        for child in node.children:460            self._export_node(child, node_id)461 462        return node_id463 464    def _get_leaf_style(self, node: AttackNode) -> str:465        """Get style based on attack attributes."""466        colors = {467            Difficulty.TRIVIAL: "fill:#ff6b6b",  # Red - easy attack468            Difficulty.LOW: "fill:#ffa06b",469            Difficulty.MEDIUM: "fill:#ffd93d",470            Difficulty.HIGH: "fill:#6bcb77",471            Difficulty.EXPERT: "fill:#4d96ff",  # Blue - hard attack472        }473        color = colors.get(node.attributes.difficulty, "fill:#gray")474        return color475 476 477class PlantUMLExporter:478    """Export attack trees to PlantUML format."""479 480    def __init__(self, tree: AttackTree):481        self.tree = tree482 483    def export(self) -> str:484        """Export tree to PlantUML."""485        lines = [486            "@startmindmap",487            f"* {self.tree.name}",488        ]489        self._export_node(self.tree.root, lines, 1)490        lines.append("@endmindmap")491        return "\n".join(lines)492 493    def _export_node(self, node: AttackNode, lines: List[str], depth: int) -> None:494        """Recursively export nodes."""495        prefix = "*" * (depth + 1)496 497        if node.node_type == NodeType.OR:498            marker = "[OR]"499        elif node.node_type == NodeType.AND:500            marker = "[AND]"501        else:502            diff = node.attributes.difficulty.name503            marker = f"<<{diff}>>"504 505        lines.append(f"{prefix} {marker} {node.name}")506 507        for child in node.children:508            self._export_node(child, lines, depth + 1)509```510 511### Template 4: Attack Path Analysis512 513```python514from typing import Set, Tuple515 516class AttackPathAnalyzer:517    """Analyze attack paths and coverage."""518 519    def __init__(self, tree: AttackTree):520        self.tree = tree521 522    def get_all_paths(self) -> List[List[AttackNode]]:523        """Get all possible attack paths."""524        paths = []525        self._collect_paths(self.tree.root, [], paths)526        return paths527 528    def _collect_paths(529        self,530        node: AttackNode,531        current_path: List[AttackNode],532        all_paths: List[List[AttackNode]]533    ) -> None:534        """Recursively collect all paths."""535        current_path = current_path + [node]536 537        if node.node_type == NodeType.LEAF:538            all_paths.append(current_path)539            return540 541        if not node.children:542            all_paths.append(current_path)543            return544 545        if node.node_type == NodeType.OR:546            # Each child is a separate path547            for child in node.children:548                self._collect_paths(child, current_path, all_paths)549        else:  # AND550            # Must combine all children551            child_paths = []552            for child in node.children:553                child_sub_paths = []554                self._collect_paths(child, [], child_sub_paths)555                child_paths.append(child_sub_paths)556 557            # Combine paths from all AND children558            combined = self._combine_and_paths(child_paths)559            for combo in combined:560                all_paths.append(current_path + combo)561 562    def _combine_and_paths(563        self,564        child_paths: List[List[List[AttackNode]]]565    ) -> List[List[AttackNode]]:566        """Combine paths from AND node children."""567        if not child_paths:568            return [[]]569 570        if len(child_paths) == 1:571            return [path for paths in child_paths for path in paths]572 573        # Cartesian product of all child path combinations574        result = [[]]575        for paths in child_paths:576            new_result = []577            for existing in result:578                for path in paths:579                    new_result.append(existing + path)580            result = new_result581        return result582 583    def calculate_path_metrics(self, path: List[AttackNode]) -> Dict:584        """Calculate metrics for a specific path."""585        leaves = [n for n in path if n.node_type == NodeType.LEAF]586 587        total_difficulty = sum(n.attributes.difficulty.value for n in leaves)588        total_cost = sum(n.attributes.cost.value for n in leaves)589        total_time = sum(n.attributes.time_hours for n in leaves)590        max_detection = max((n.attributes.detection_risk.value for n in leaves), default=0)591 592        return {593            "steps": len(leaves),594            "total_difficulty": total_difficulty,595            "avg_difficulty": total_difficulty / len(leaves) if leaves else 0,596            "total_cost": total_cost,597            "total_time_hours": total_time,598            "max_detection_risk": max_detection,599            "requires_insider": any(n.attributes.requires_insider for n in leaves),600            "requires_physical": any(n.attributes.requires_physical for n in leaves),601        }602 603    def identify_critical_nodes(self) -> List[Tuple[AttackNode, int]]:604        """Find nodes that appear in the most paths."""605        paths = self.get_all_paths()606        node_counts: Dict[str, Tuple[AttackNode, int]] = {}607 608        for path in paths:609            for node in path:610                if node.id not in node_counts:611                    node_counts[node.id] = (node, 0)612                node_counts[node.id] = (node, node_counts[node.id][1] + 1)613 614        return sorted(615            node_counts.values(),616            key=lambda x: x[1],617            reverse=True618        )619 620    def coverage_analysis(self, mitigated_attacks: Set[str]) -> Dict:621        """Analyze how mitigations affect attack coverage."""622        all_paths = self.get_all_paths()623        blocked_paths = []624        open_paths = []625 626        for path in all_paths:627            path_attacks = {n.id for n in path if n.node_type == NodeType.LEAF}628            if path_attacks & mitigated_attacks:629                blocked_paths.append(path)630            else:631                open_paths.append(path)632 633        return {634            "total_paths": len(all_paths),635            "blocked_paths": len(blocked_paths),636            "open_paths": len(open_paths),637            "coverage_percentage": len(blocked_paths) / len(all_paths) * 100 if all_paths else 0,638            "open_path_details": [639                {"path": [n.name for n in p], "metrics": self.calculate_path_metrics(p)}640                for p in open_paths[:5]  # Top 5 open paths641            ]642        }643 644    def prioritize_mitigations(self) -> List[Dict]:645        """Prioritize mitigations by impact."""646        critical_nodes = self.identify_critical_nodes()647        paths = self.get_all_paths()648        total_paths = len(paths)649 650        recommendations = []651        for node, count in critical_nodes:652            if node.node_type == NodeType.LEAF and node.mitigations:653                recommendations.append({654                    "attack": node.name,655                    "attack_id": node.id,656                    "paths_blocked": count,657                    "coverage_impact": count / total_paths * 100,658                    "difficulty": node.attributes.difficulty.name,659                    "mitigations": node.mitigations,660                })661 662        return sorted(recommendations, key=lambda x: x["coverage_impact"], reverse=True)663```664 665## Best Practices666 667### Do's668 669- **Start with clear goals** - Define what attacker wants670- **Be exhaustive** - Consider all attack vectors671- **Attribute attacks** - Cost, skill, and detection672- **Update regularly** - New threats emerge673- **Validate with experts** - Red team review674 675### Don'ts676 677- **Don't oversimplify** - Real attacks are complex678- **Don't ignore dependencies** - AND nodes matter679- **Don't forget insider threats** - Not all attackers are external680- **Don't skip mitigations** - Trees are for defense planning681- **Don't make it static** - Threat landscape evolves