
Attack Tree File Formats

TL;DR

Attack trees are often stored in simple text formats or XML. There isn’t one standard format, but common options include JSON, YAML, and dedicated attack tree languages like ATT&CK notation. The best choice depends on your tooling and complexity needs.

Understanding Attack Tree Formats

Attack trees represent potential ways an attacker might compromise a system. The file format stores the tree’s structure – nodes (representing attacks or goals) and relationships between them. Here’s how different formats are used:

1. Simple Text Files

For very basic trees, you can use indented text. Each level of indentation represents a child node.

Goal
  Attack 1
    Sub-attack A
    Sub-attack B
  Attack 2

This is easy to read but hard for machines to parse reliably. It’s best suited for manual creation and review.

2. JSON (JavaScript Object Notation)

JSON is a popular choice because it’s human-readable and easily parsed by many programming languages.

{
  "name": "Goal",
  "children": [
    {
      "name": "Attack 1",
      "children": [
        {"name": "Sub-attack A"},
        {"name": "Sub-attack B"}
      ]
    },
    {
      "name": "Attack 2"
    }
  ]
}

You can use Python to read and write JSON attack trees:

import json

# Load the tree from disk; json.load returns the nested name/children dict
with open('attack_tree.json', 'r') as f:
    tree = json.load(f)

print(tree['name'])  # the root goal node
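The indented text of section 1 is "hard for machines to parse reliably" mainly because nothing checks the indentation. As an added example (not code from the original post), the parser below converts that text into the nested name/children structure of section 2, refusing inconsistent indentation instead of guessing, and then enumerates every root-to-leaf attack path; the sample text and the indent width of 2 spaces are assumptions taken from the snippet above.

```python
# Constructed sample: the indented tree from section 1 above.
SAMPLE_TEXT = """Goal
  Attack 1
    Sub-attack A
    Sub-attack B
  Attack 2
"""

def parse_indented(text, indent=2):
    """Parse indented text into the nested {"name", "children"} dict used by
    the JSON form. Rejects indentation that is not a multiple of `indent`
    spaces or that jumps more than one level, instead of guessing."""
    root = None
    stack = []  # (depth, node) pairs from the root down to the current branch
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines carry no structure
        spaces = len(raw) - len(raw.lstrip(" "))
        if spaces % indent:
            raise ValueError(f"line {lineno}: indent {spaces} is not a multiple of {indent}")
        depth = spaces // indent
        node = {"name": raw.strip()}
        if depth == 0:
            if root is not None:
                raise ValueError(f"line {lineno}: a tree has exactly one root node")
            root = node
            stack = [(0, node)]
            continue
        if root is None or depth > stack[-1][0] + 1:
            raise ValueError(f"line {lineno}: indentation jumps more than one level")
        while stack[-1][0] >= depth:  # climb back up to the parent level
            stack.pop()
        stack[-1][1].setdefault("children", []).append(node)
        stack.append((depth, node))
    if root is None:
        raise ValueError("empty tree")
    return root

def attack_paths(node, prefix=()):
    """Yield every root-to-leaf path; each one is a concrete attack chain."""
    path = prefix + (node["name"],)
    children = node.get("children", [])
    if not children:
        yield path
    for child in children:
        yield from attack_paths(child, path)
```

`json.dumps(parse_indented(SAMPLE_TEXT), indent=2)` reproduces the JSON document shown in section 2.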

3. YAML (YAML Ain’t Markup Language)

YAML is another human-readable data serialization format, often preferred because its syntax is cleaner than JSON's.

name: Goal
children:
  - name: Attack 1
    children:
      - name: Sub-attack A
      - name: Sub-attack B
  - name: Attack 2

Python can also handle YAML:

import yaml  # PyYAML (pip install pyyaml)

# safe_load only builds plain Python types (dicts, lists, strings, numbers);
# the full yaml.load can construct arbitrary Python objects from tags in the
# file, so keep safe_load for any tree you did not write yourself
with open('attack_tree.yaml', 'r') as f:
    tree = yaml.safe_load(f)

print(tree['name'])  # the root goal node

4. ATT&CK Notation

The MITRE ATT&CK framework has its own notation, often represented in JSON or CSV. It’s a structured way to represent tactics and techniques.

While complex, it provides a standardized vocabulary for cyber security attacks.

5. Dedicated Attack Tree Languages

Some tools use custom languages designed specifically for attack trees. These often offer features like cost analysis or probability estimation.

Examples include:

  • Warfare: A language and toolset for building and analyzing attack trees

Choosing the Right Format

  1. Simplicity: For small, manual trees, text or JSON are sufficient.
  2. Tooling: If you’re using a specific attack tree tool, it likely has a preferred format.
  3. Complexity: For large, complex trees with detailed analysis requirements (costs, probabilities), consider ATT&CK notation or dedicated languages.
  4. Interoperability: JSON and YAML are widely supported, making data exchange easier.