TL;DR
Attack trees are often stored in simple text formats or XML. There isn’t one standard format, but common options include JSON, YAML, and dedicated attack tree languages like ATT&CK notation. The best choice depends on your tooling and complexity needs.
Understanding Attack Tree Formats
Attack trees represent potential ways an attacker might compromise a system. The file format stores the tree’s structure – nodes (representing attacks or goals) and relationships between them. Here’s how different formats are used:
1. Simple Text Files
For very basic trees, you can use indented text. Each level of indentation represents a child node.
Goal
  Attack 1
    Sub-attack A
    Sub-attack B
  Attack 2
This is easy to read but hard for machines to parse reliably. It’s best suited for manual creation and review.
2. JSON (JavaScript Object Notation)
JSON is a popular choice because it’s human-readable and easily parsed by many programming languages.
{
  "name": "Goal",
  "children": [
    {
      "name": "Attack 1",
      "children": [
        {"name": "Sub-attack A"},
        {"name": "Sub-attack B"}
      ]
    },
    {"name": "Attack 2"}
  ]
}
You can use Python to read and write JSON attack trees:
import json

# Load the tree from disk into nested dicts and lists.
with open('attack_tree.json', 'r') as f:
    tree = json.load(f)

print(tree['name'])  # the root goal node
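The indented text from section 1 is the format described above as hard to parse reliably. As an added example (not code from the original page), the following parser converts that text into the {"name", "children"} structure of the JSON example and lists every root-to-leaf attack path; it assumes space-only, consistent indentation, and the sample text is constructed here.

```python
import json

# Constructed sample in the indented text form from section 1 (2 spaces per level).
SAMPLE_TEXT = """\
Goal
  Attack 1
    Sub-attack A
    Sub-attack B
  Attack 2
"""

def parse_indented_tree(text):
    """Parse indented text into the {"name", "children"} dicts of the JSON example.
    Indentation must use spaces consistently; depth is taken from the indent width."""
    root = None
    stack = []  # (indent_width, node) along the path from the root
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # ignore blank lines
        indent = len(raw) - len(raw.lstrip(" "))
        node = {"name": raw.strip()}
        while stack and stack[-1][0] >= indent:  # climb to the nearest shallower ancestor
            stack.pop()
        if not stack:
            if root is not None:
                raise ValueError(f"line {lineno}: second root; expected a single tree")
            root = node
        else:
            stack[-1][1].setdefault("children", []).append(node)
        stack.append((indent, node))
    if root is None:
        raise ValueError("empty tree")
    return root

def attack_paths(node, prefix=()):
    """Return every root-to-leaf path as a tuple of node names."""
    path = prefix + (node["name"],)
    children = node.get("children", [])
    if not children:
        return [path]
    paths = []
    for child in children:
        paths.extend(attack_paths(child, path))
    return paths

if __name__ == "__main__":
    tree = parse_indented_tree(SAMPLE_TEXT)
    print(json.dumps(tree, indent=2))  # same shape as the section 2 JSON
    for p in attack_paths(tree):
        print(" -> ".join(p))
```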
3. YAML (YAML Ain’t Markup Language)
YAML is another human-readable data serialization format, often preferred because its syntax is cleaner than JSON's.
name: Goal
children:
  - name: Attack 1
    children:
      - name: Sub-attack A
      - name: Sub-attack B
  - name: Attack 2
Python can also handle YAML:
import yaml  # PyYAML (pip install pyyaml)

with open('attack_tree.yaml', 'r') as f:
    # safe_load only builds plain Python types, so a crafted file cannot instantiate arbitrary objects.
    tree = yaml.safe_load(f)

print(tree['name'])  # the root goal node
4. ATT&CK Notation
The MITRE ATT&CK framework has its own notation, often represented in JSON or CSV. It’s a structured way to represent tactics and techniques.
While complex, it provides a standardized vocabulary for cyber security attacks.
5. Dedicated Attack Tree Languages
Some tools use custom languages designed specifically for attack trees. These often offer features like cost analysis or probability estimation.
Examples include:
- Warfare: A language and toolset for building and analyzing attack trees
Choosing the Right Format
- Simplicity: For small, manual trees, text or JSON are sufficient.
- Tooling: If you’re using a specific attack tree tool, it likely has a preferred format.
- Complexity: For large, complex trees with detailed analysis requirements (costs, probabilities), consider ATT&CK notation or dedicated languages.
- Interoperability: JSON and YAML are widely supported, making data exchange easier.