6

I am trying to learn more about attack graphs and how they can be used. I have read a little bit about them from some simple Google searches and believe that they could be a useful tool for work. I would like to know how one could go about creating an attach graph, what use cases they are best suited for, and how to prepare a deliverable with the attach graph with recommendations that I can turn into my boss for further review and analysis.

Any help that you could provide would be greatly appreciated.

AviD
  • 72,138
  • 22
  • 136
  • 218
John
  • 1,009
  • 3
  • 11
  • 16
  • 1
    are you referring to [Attack Trees](http://en.wikipedia.org/wiki/Attack_tree)? (I guess strictly speaking a tree is a subset of a graph, but semantically they just *feel* different...) – AviD Apr 04 '11 at 05:59
  • Besides the wikipedia entry and Bruce Schneier's article, googling also brings a lot of interesting work on the subject. – adamo Apr 04 '11 at 07:05
  • @AviD - I am not sure what the differences are between an attack graph and an attack tree. Any help or understanding of the differences would be appreciated. – John Apr 13 '11 at 14:39
  • Well I've never heard it called an attack graph, only an attack tree. And, judging from the answers, I'm guessing that's what you meant. As far as data structure go, a tree is a kind of a graph, so... – AviD Apr 13 '11 at 16:09
  • Questioner uses "attach graph" twice. I can't edit that to "attack graph" because I'm not sure if it's correct and because it's less than 6 chars. But correct spelling helps search. – DanBeale Aug 10 '11 at 12:54

3 Answers3

5

I suggest the Microsoft Press book titled "Threat Modeling"

atdre
  • 18,885
  • 6
  • 58
  • 107
  • 2
    I agree - but it's not really much of an answer here... Wanna give some highlights? – AviD Apr 05 '11 at 09:51
0

While it's not dedicated entirely to thread models, Microsoft's book on the SDL does a fairly in depth talk on the different types of models.

Steve
  • 15,155
  • 3
  • 37
  • 66
0

Besides the Microsoft book stuff, you may find interest in "The Beauty and the Beast: Vulnerabilities in Red Hat's Packages" which uses Formal Concept Analysis.

adamo
  • 163
  • 9