Decoding Cyber Threats: A Practical Guide to Using Attack Trees
Gert-Jan Bruggink & Sherman Chu
28 January 2025

CTI & Decision-Making

Ever been in this situation?
- Identifying Systemic Vulnerabilities
- Responding to an Incident
- Prioritizing Security Investment

Sometimes while protecting your business, you need to make rapid decisions.
(Cartoon: "Would be real bad if something happened to it." / "Yeah boss, totally.")

Why Attack Trees

Why were Attack Trees created in the first place?
- Visualize Attack Scenarios
- Threat Modeling
- Decision-Making
(Jonathan Weiss, 1982)

We love history
- 1982: Conceptualized as threat trees by Jonathan Weiss, Bell Laboratories
- 1999: Bruce Schneier publishes attack tree concepts
- 2013: Diamond Model of Intrusion incorporates attack tree attributes
- 2025: Two nerds at CTI conference

Why do they look the way they do?
- Tree Structure
- Nodes & Leaves
- Relationships

A decade of CTI taxonomies and frameworks (2011, 2013, 2014)
https://apps.dtic.mil/sti/tr/pdf/ADA586960.pdf

Combining everything conceptually
- Diamond Model: Structured documentation of attacker procedures and activity threading
- MITRE ATT&CK: Standardized tactics & techniques
- Kill Chain: Truncated attacker sequence

Combining everything practically
- Attack Flow, Center for Threat Informed Defense (direct link to builder)

Exporting into official Attack Tree format
- Mermaid Export (.mmd)
- GraphViz (.dot)
- Everything JSON, making integration easier

Prioritizing Defensive Courses of Action

Postulating TTPs
- Known Knowns
- Known Unknowns
- Bonus: Testing for Unknown Unknowns

Conscious decision-making on cutting ties
COA: We prioritize blocking & detecting delivery TTPs, severing subsequent attacker actions.

Prioritization through actionability
Source: https://top-attack-techniques.mitre-engenuity.org/
- Prevalence
- Choke Point
- Actionability
- Significant (Top) Techniques
- Specific technique