
I'm new to security and I'm trying to create an attack tree based on MITRE ATT&CK techniques. What is unclear is how I can incorporate some steps that are optional.

For instance, if the attacker's goal is to exfiltrate data, they may or may not need to escalate their privileges (depending on what data they want to exfiltrate, on what account they have access to) before collecting the data and exfiltrating them. Similarly, they may or may not need to connect to a C2 server.

How can an attack tree represent such cases?

schroeder
Stergios

0 Answers