
Build, analyze and render attack trees

Project description

WIP warning

This is a work in progress, a toy that I've been working on over the weekend. It's on GitHub just as a safe place to save it. It's in a public repo because it's not sensitive but I'm not encouraging anyone to use it :)

Idea

Programmatically model trees like those described by Kelly Shortridge, here

The goal is to decouple the model from the view. In reality I'm removing the need for the user to understand Graphviz and introducing a need for them to understand Python.

Models differentiate between controls that are implemented and those that are not, modelling both the current security posture and a potential (improved) posture.

The renderer.render() function can toggle whether to include unimplemented things in its graph.

PNG image showing graph created by exampleTree_simpleS3.py

Prerequisites for Installation or Development

Your system needs an installed version of graphviz for rendering to work. On MacOS this can be installed using brew install graphviz

See https://graphviz.org/download/ for other options.

Installation

attacktree is available on PyPI; we recommend installing it in a virtualenv

python3 -m venv .venv
source .venv/bin/activate
pip install attacktree

Instructions for running

S3Simple.py is a simple model, containing only a single path in some hypothetical S3 threat model. It can be run simply:

python3 examples/S3Simple.py

S3Complex.py contains some potential blocking mitigations, things the security team might be considering but hasn't implemented yet.

python3 examples/S3Complex.py

Methodology

In messing with this idea, I've found the easiest approach is to map the existing paths out first, without consideration for things you might implement. To see what that looks like, check out examples/S3Simple.py. After this one can either create a new tree with potential mitigations or add them to the existing tree; for example purposes I chose the former: examples/S3Complex.py.

See Methodology.md for more thoughts on how this might work in practice.

Node types

There are several types of node modelled; they're mostly self-documenting.

  • Action: An attacker action expected to achieve some result
  • Detect: A detection, a node that represents our (security team) ability to detect that action
  • Block: Our ability to block that action
  • Discovery: Knowledge that an attacker gains through successful completion of an action.

Line types

There are two types of line, solid and dashed (note, these can be changed in style.json).

  • Solid: This path exists today
  • Dashed: This path represents what would happen if we implemented a control that is currently not implemented.

The last line in each of those files is a call to render the tree:

    renderer.render(
        node=root,
        renderUnimplemented=True,
        style=style,
        fname="example_complexS3",
        fout="png"
    )

I imagine that in general usage, we'd just want one model for a specific attacker, not a _simple and a _complex one. However, it's very useful to be able to see what those different graphs look like, as the latter models things we could do but are currently unimplemented. For that reason the render() function has a parameter to enable or disable rendering of unimplemented paths. This way you can record everything in one tree (and maybe add that into version control, as a system of record) and render different outputs: one that shows your current reality, and one that shows your potential (hopefully improved) reality.
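As an added illustration of the node and line semantics described above (this is example code written for this page, not the attacktree package's own code; the Node, edges, to_dot and unimplemented_controls names, the node shapes and the sample S3 tree are all assumptions), here is a self-contained toy that models Action/Detect/Block/Discovery nodes, flags controls as implemented or not, and emits Graphviz DOT with dashed edges for unimplemented paths. A single toggle, like renderUnimplemented, switches between the "current reality" and "potential reality" graphs, and a small helper lists the controls that are modelled but still outstanding.

```python
# Added example (not the attacktree package's own code): a minimal attack-tree
# model with implemented/unimplemented controls, rendered to Graphviz DOT.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Node kinds from the README; the shapes are an assumed style, the kind of
# thing a style.json would hold.
STYLE: Dict[str, str] = {
    "Action": "box",
    "Detect": "ellipse",
    "Block": "octagon",
    "Discovery": "note",
}


@dataclass
class Node:
    name: str
    kind: str                  # one of STYLE's keys
    implemented: bool = True   # False = a control we could add but have not
    children: List["Node"] = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        if child.kind not in STYLE:
            raise ValueError(f"unknown node kind {child.kind!r}")
        self.children.append(child)
        return child


def edges(root: Node, render_unimplemented: bool) -> List[Tuple[str, str, bool]]:
    """Walk the tree and return (parent, child, dashed) edges.

    Dashed edges lead into unimplemented nodes. When render_unimplemented is
    False those nodes and everything beneath them are left out, so the result
    is the 'current reality' graph (solid lines only)."""
    out: List[Tuple[str, str, bool]] = []
    stack = [root]
    while stack:
        parent = stack.pop()
        for child in parent.children:
            if not child.implemented and not render_unimplemented:
                continue
            out.append((parent.name, child.name, not child.implemented))
            stack.append(child)
    return out


def unimplemented_controls(root: Node) -> List[str]:
    """List Detect/Block nodes that are modelled but not yet in place."""
    pending: List[str] = []
    stack = [root]
    while stack:
        n = stack.pop()
        if n.kind in ("Detect", "Block") and not n.implemented:
            pending.append(n.name)
        stack.extend(n.children)
    return sorted(pending)


def to_dot(root: Node, render_unimplemented: bool = True) -> str:
    """Render the tree as a DOT document (pipe it to `dot -Tpng`)."""
    es = edges(root, render_unimplemented)
    names = {root.name} | {a for a, _, _ in es} | {b for _, b, _ in es}
    kinds: Dict[str, str] = {}
    stack = [root]
    while stack:
        n = stack.pop()
        kinds[n.name] = n.kind
        stack.extend(n.children)
    lines = ["digraph attacktree {"]
    for name in sorted(names):
        lines.append(f'  "{name}" [shape={STYLE[kinds[name]]}];')
    for parent, child, dashed in es:
        attr = " [style=dashed]" if dashed else ""
        lines.append(f'  "{parent}" -> "{child}"{attr};')
    lines.append("}")
    return "\n".join(lines)


def build_example_tree() -> Node:
    """Constructed sample loosely modelled on the README's hypothetical S3 scenario."""
    root = Node("Attacker enumerates bucket names", "Action")
    found = root.add(Node("Bucket name discovered", "Discovery"))
    read = found.add(Node("Attacker reads objects via public ACL", "Action"))
    read.add(Node("Objects exfiltrated", "Discovery"))
    # Controls the team is considering but has not implemented (dashed).
    read.add(Node("Alert on S3 data-event reads", "Detect", implemented=False))
    read.add(Node("S3 Block Public Access enabled", "Block", implemented=False))
    return root


if __name__ == "__main__":
    tree = build_example_tree()
    print(to_dot(tree, render_unimplemented=True))
    print("pending controls:", unimplemented_controls(tree))
```

Running the script and piping its output through `dot -Tpng -o tree.png` gives the "potential" graph; calling `to_dot(tree, render_unimplemented=False)` drops the dashed nodes and their subtrees so the same model renders the "current" graph, which is the decoupling of model from view the README is after. Keeping one tree under version control and rendering both views from it also means `unimplemented_controls()` doubles as the backlog of detections and blocks still to be built.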

Below is the output of running the _complex example with renderUnimplemented=True. Note that if you set this to False the generated graph looks the same as the one from examples/S3Simple.py.

PNG image showing graph created by examples/S3Complex.py

Development

Instructions for setup

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
deactivate

Download files


Source Distribution

attacktree-0.0.191.tar.gz (10.9 kB)

Uploaded Source

Built Distribution

attacktree-0.0.191-py3-none-any.whl (10.8 kB)

Uploaded Python 3

File details

Details for the file attacktree-0.0.191.tar.gz.

File metadata

  • Download URL: attacktree-0.0.191.tar.gz
  • Size: 10.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4

File hashes

Hashes for attacktree-0.0.191.tar.gz

  • SHA256: 14cb8a67d531e3d78b30973356817a9533fad466c8ceb7ea5d243afd1e1a7004
  • MD5: b413953a96e14ecf34429586f1c7cf70
  • BLAKE2b-256: b6396b48fb6cad3fef8b9e55acfe34075831ee64f60b54a31613f1b64bc12351


File details

Details for the file attacktree-0.0.191-py3-none-any.whl.

File metadata

  • Download URL: attacktree-0.0.191-py3-none-any.whl
  • Size: 10.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4

File hashes

Hashes for attacktree-0.0.191-py3-none-any.whl

  • SHA256: 820a774d1069a8802ee8c5f53e5c44ed6124bb3c0970d9c3d6f2083d76e60d76
  • MD5: 8006d5374bda57138d0beb76a45dc414
  • BLAKE2b-256: 2e9d8955d055e8387595bb1384b0adfcbf85c0b9ae14bda90d968521e79dacbf

