Attack trees: because intelligent adversaries are all the rage

Recently I had an interesting conversation around incident response (IR) and preparedness for incidents. For some reason conversation centred around attack trees and how they can be used to better the information security posture of the company.

My take on it is that attack trees are great for the security mindset that puts prevention first, second, and third and detection and response equal distant fourth. They’re not so good in the world where non-agent failure happens and your response to it defines how much damage the organisation wears in the end.

Engineering has tools like Failure Mode and Effects analysis (FMEA), Fault Tree Analysis (FTA), etc. that take a holistic view and focus on the undesired outcomes, a significantly shorter list than focusing on what an intelligent (not necessarily 100% rational) adversary will do. By focusing on the threat, and an intelligent threat at that, attack trees steer attention and funding away from more common failures that happen as a product of garden variety negligence, ignorance, poor planning or just plain old bad luck.

Even worse, focusing solely on potential attack vectors means that too much time and effort is spent on preventing bad things from happening - which works just as well in information security as it does in the real world: when was the last time a provable major disaster was successfully prevented? Exactly.

Attack Trees with plenty of leaves


  • Only goes to the attack phase;
  • Does not take into consideration the chance of success (assumes success);
  • Only as good as the skills and knowledge of the person creating attack trees;
  • Does not take into consideration non-agent failures;
  • Takes resources away from more holistic approaches.


  • Methodical approach to list majority of attack vectors (theoretical);
  • Forces analysis of the attack vectors, improving the knowledge of the defenders;
  • Improves awareness of the attack vectors.

*If you’re subject to the same laws of finite resources and resource optimisation like the rest of us, do yourself and your organisation a favour and spend (40-40-20 ratio usually works well):

  • just enough on prevention to stop common threats;
  • two thirds of the rest of the resources on detecting when your prevention controls failed; and
  • a third of the rest of the resources on responding to those failures.

Keep in mind that response involves the full spectrum from initial reaction through post-event review to dissemination and inculcation of lessons learnt.