Seeing the Risk Through the Trees
The first step toward solving—or preventing—any crime is to think like the criminals, beginning with what motivates them. When it comes to common thieves, that’s easy; they are motivated by the desire for money. But for violent nonfinancial crimes, understanding the motivation can be far more challenging.
I experienced this firsthand in the early 1990s, while running the Special Investigations Unit for the Ohio Bureau of Criminal Investigation. My team and I were tracking a serial rapist with a fetish for elderly women. He haunted small towns in rural areas, and during more than eight months he claimed 13 victims. We needed to understand our attacker if we wanted to anticipate his next move. To that end, an 18-page questionnaire was developed looking for anything the victims had in common: where they shopped and banked; who provided their lawn service; what clubs they frequented; who their family doctors were.
We used the answers to build an investigative “attack tree” that revealed the commonalities shared by the victims, and provided clues to the attacker’s goal and his modus operandi. Through this process, we were able to solve the case.
Any company can use the same attack tree methodology to mitigate risks, such as a terrorist attack, by thinking like the would-be attacker and anticipating what he or she might do. That information can be used to develop the appropriate countermeasures.
Attack trees are simply a visual display of the answer to the question: How would the criminal commit a crime, whether it’s a theft, a rape, a hack into a computer system, or the planting of a bomb? The branches of the tree illustrate the different scenarios and the steps physically taken to accomplish the task.
Filling Out the Branches
In laying out an attack tree, the overall goal of the attacker is considered the trunk and the steps that he or she would take become the branches. Once a security director has thought of the overall threat and laid out the possible ways it could be carried out, the next step is to assess the probability that it might occur—the level of risk. Ultimately, the risk may be handled in four different ways: accepted, transferred, eliminated, or reduced.
A security professional may determine that the risk is low, and the company may decide to accept it. But a corollary consideration is the consequence of an act; if the act is low probability but high consequence, as is the case with terrorism, that will affect the calculation of whether accepting the risk is a reasonable course of action. Calculating the risk of a terrorist attack is further complicated by the difficulty of obtaining reliable intelligence.
Using attack tree methodologies, our security team at a major utility looked at our potential adversaries with the limited intelligence provided by the U.S. Coast Guard and our own staff. The trunk of the tree—the attackers’ goal—was assumed to be to disrupt power. We then explored methods of attack that could be used against our critical areas to achieve that goal, such as ramming a gate with a vehicle; cutting a fence; approaching by a boat on the river; or posing as a delivery driver to place a vehicle-borne improvised explosive device (VBIED) near a critical asset.
We then “pruned” our trees by factoring in the already existing risk-reducing measures, such as intrusion detection systems, lighting, perimeter fencing, and signs. In consultation with government agencies, we assessed the extent to which our measures had sufficiently reduced the risk and whether additional measures were needed.
The pruning process took into account that the trunk, or goal, is to disrupt power. If we look at the branch that exploits the vulnerability of approaching by boat from the water and gaining access to our facility, the next leaf would involve damaging a critical piece of equipment to obtain the result. To prune this branch, we installed fencing along the waterway with intrusion detection that alarms at our guard posts, in an effort to detect an intrusion along several miles of the channel.
Planting Your Tree
While there are several models and even some software that you can use to help you in the attack tree process, in the beginning, you might want to follow this general rule: the simpler, the better. Start by assembling several members of your team in a room with a whiteboard or flip chart. At the bottom center, draw a box and insert what the goal of a terrorist attack against your company’s facilities might be. For a mall or other public venue, it might simply be to terrorize the population. For a strategic facility, it may be to disrupt services, to contaminate food or water supplies, or to cause economic damage.
Once you have placed the ultimate objective in the bottom box, ask your team the oldest security question known to man: “How would I do that?” For example, if terrorists are the adversary, the overall goal is to kill as many people as possible. As the security director for a mass transit subway, you have to place yourself in the terrorists’ shoes, and build your tree accordingly. If you were the terror cell, how would you accomplish your goal?
In answering the question, you would look at the recent history of events. For example, history has shown that terrorists may choose backpack bombs with cellphone detonators or timing devices; or they might pick suicide bombers, or chemical agents, or perhaps other methods that you and your team could visualize.
Each method becomes a branch. Place those in individual boxes connected to the bottom box and you have begun the formation of your tree. Repeat the steps of asking “how would I do that” over again for each “branch” of your tree, and continue to expand the possibilities. Once you have exhausted your avenues of attack, your tree is completed. You can then create another tree simply by changing the ultimate goal in the bottom box.
Leaves. As one becomes more proficient with the trees, there are several complex formulas, or “leaves,” that can add value. One leaf is the risk tolerance of the attacker. Another is his or her financial capability. These additions play a valuable role as a security team contemplates risk-reduction measures. For example, signs warning of surveillance might give pause to a terrorist who wants to case a utility plant without being detected; they would not deter a suicide bomber.
Pruning the Tree
A completed tree needs “pruning,” or an examination of the potential threats that have been identified and how they might be mitigated by existing or new protective measures. Each branch that starts in row two above the bottom box can be pruned. The thought here is to find logical places on that branch where you could apply—or where you have already put in place—security measures to reduce that risk.
When considering items to prune your tree, look into the box and determine which system makes the most sense from the perspective of cost and applicability.
Cost-effectiveness. Your team should scrutinize whether the deployment of one system could prune several branches of the tree, thus improving the cost-effectiveness of the countermeasures. In the example of the utility facility, our team identified seven ways to gain entry to a site and then complete the overall goal of service disruption. In examining our tree, four of the seven ways to gain entry involved breaching our perimeter fence, by cutting the fence, ramming the gate, cutting the lock at the gate, or climbing over the fence and barbed wire.
By placing an intrusion alarm system on the fence, we were able to effectively mitigate all four possible branches. Similarly, if you are working on multiple attack trees simultaneously, you may gain a significant benefit to several trees from deploying a single appropriate system. In deterring terrorist attacks by hardening an asset, you also make it much more difficult for a burglar to gain entry, for example. In the utility sector, the installation of an intrusion detection system at some substations to prevent terrorist attacks also helps prevent copper thieves and vandals from entering the property undetected.
Group think. As you experiment with the use of the attack tree methodology, try breaking your team into several subgroups and assigning each subgroup a different goal for the trunk of each tree. After building out the branches, bring the whole group back together, have each subgroup present its tree, then work on strategies to collectively prune the attack paths by deploying a similar strategy or system.
The value added in these exercises is derived from an enterprise-wide security approach that can be helpful in solidifying objectives—especially in a convergence model where pockets of isolationism and standalone mentalities can exist.
Once you have completed several attack trees with your team and feel comfortable with the process of deploying effective strategies to prune the branches, you may wish to expand your knowledge base and experiment with advanced methodologies.
In traditional risk modeling, consequence and probability are core elements. One can use the same principles to enhance attack tree modeling. Start by examining the overall goal at the trunk and use a standard model to evaluate probability of the event occurring. Use a numeric scale from 1 (very low) to 10 (very high) to estimate the possibility that the mode of attack against an asset will occur in the foreseeable future.
The consequence axis requires a definition as to which score you will apply. It is typical to view consequence in terms of dollars to replace stolen property, lost revenue, capital replacement costs, loss of life, or loss of reputation. If your consequence model is based solely on loss of life and your event is a large theft, your consequence rating may be zero. Conversely, if your model is based on capital replacement costs and your scenario is workplace violence, your score will be very low.
A blended model that factors in both loss of life and a cost estimate for revenue is more useful. Once you have chosen your consequence variable, you can assign it a numeric rating similar to the probability scale. Next, you should go to each box on your tree and label it with the scores for probability (P) and consequence (C). This process will highlight the most probable and severe attacks and will aid you in applying risk reduction strategies in a priority order.
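An added example, not part of the original article, of the P and C labeling described above combined with the cost-effectiveness check from the pruning section: it ranks the branches of the utility tree and then picks, step by step, the measure that prunes the most remaining risk. The branches and measures are the ones named in the article; every P and C value, and the use of P x C as the priority score, is an assumption made for illustration.

```python
from dataclasses import dataclass

# Branches and measures are those named in the article's utility example.
# Every P and C score below is constructed for illustration.

@dataclass(frozen=True)
class Branch:
    name: str
    p: int  # probability, 1 (very low) to 10 (very high)
    c: int  # consequence, rated on the same scale

    @property
    def risk(self) -> int:
        # Assumption: P x C as the priority score (the article only labels both).
        return self.p * self.c

# Trunk (attacker's goal): disrupt power.
BRANCHES = [
    Branch("cut the fence", 6, 7),
    Branch("ram the gate", 4, 7),
    Branch("cut the lock at the gate", 5, 7),
    Branch("climb over the fence", 5, 7),
    Branch("approach by boat", 3, 8),
    Branch("pose as delivery driver", 2, 9),
]
# Which branches each measure prunes, as described in the article.
MEASURES = {
    "fence intrusion alarm": {"cut the fence", "ram the gate",
                              "cut the lock at the gate", "climb over the fence"},
    "waterway fence with intrusion detection": {"approach by boat"},
}

def prioritized(branches):
    """Branches in descending risk order, ties broken by name."""
    return sorted(branches, key=lambda b: (-b.risk, b.name))

def prune_plan(branches, measures):
    """Greedy pruning: repeatedly take the measure removing the most open risk."""
    remaining = {b.name: b.risk for b in branches}
    steps = []
    while remaining:
        gain = {m: sum(remaining.get(n, 0) for n in cov) for m, cov in measures.items()}
        best = max(gain, key=gain.get)
        if gain[best] == 0:      # nothing left that any measure can prune
            break
        steps.append((best, gain[best]))
        for n in measures[best]:
            remaining.pop(n, None)
    return steps, remaining      # remaining = branches still unmitigated

if __name__ == "__main__":
    for b in prioritized(BRANCHES):
        print(f"{b.risk:>3}  P={b.p} C={b.c}  {b.name}")
    print(prune_plan(BRANCHES, MEASURES))
```

Any branch returned in the second value is one that no listed measure prunes and still needs its own risk decision.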
To work with the mature tree further, look at adversaries and attempt to understand their relation to the model. A utility has to protect against sabotage from disgruntled workers and theft of assets for monetary gain, for example, in addition to terrorist attacks. This becomes important as we look at which security systems to deploy and their potential effectiveness.
On several occasions, we were faced with the theft of high-dollar computer equipment stolen from unstaffed remote facilities. By examining the crime scene, a lot can be learned about the thief. How was entry gained? Was a key used at the gate, was the lock cut, or was a chain used to pull the gate off the hinges? How was entry into the building achieved? Was the lock picked or was the door beaten in with a sledgehammer?
After examining these traits, effective strategies can be developed that match the skills of the adversary. A loud alarm might be enough to deter someone who uses a chain and a sledgehammer, while a more sophisticated system may be needed to deter someone with the skills to pick locks.
Based on these details, one can flesh out the attack tree by marking different paths that different adversaries may take, and then deploying tailored strategies to stop them. A simple scenario illustrating this methodology is a company-owned warehouse in an area that has suffered several break-ins. The particular warehouse, which houses electronic components that could be used to make bomb detonators, has not been hit yet, but the company is aware of the threat, and security personnel are debating how to protect against it.
Local police and other security directors representing victimized area businesses have been consulted about any previous crimes in the locale. Important information has been gleaned: There have been three burglaries inside of a month within five miles of the still-virgin warehouse. Each theft involved high-value small electronic devices similar to those in the company’s warehouse. In two instances, the thieves used a torch to cut the hinges on a roof hatch to gain entry, and in one case, they picked the lock on the front door. Each time they exited from the loading dock in the rear.
An attack tree grows rapidly out of such details. The trunk (showing the thief’s goal) is the acquisition of pricey electronic units. Due to the number of incidents in the area, there is a high probability of the warehouse being targeted. The consequence score is up because of the potential dollar loss. Risk is, therefore, red hot.
The tree can be filled out by adding different attack strategies. The thieves are not garden-variety; they used tools to cut their way in from the roof and picked locks, suggesting a certain amount of professional skill.
Other scenarios can be added, such as rocks being thrown through the glass doors in front, or a chain being tied to the bumper of a truck and the door being ripped from its hinges.
Then prune the tree with the necessary risk-reducing measures, such as alarm systems, surveillance cameras, or maybe security guards. The warehouse is now set to be safeguarded, and potential thieves tracked should an incident occur.
A Weakness in the Tree
Looking at attack trees from a homeland security perspective reveals a weakness in the methodology. Sweeping terrorist goals, such as the destruction of the U.S. economy, produce very large trees. More specific and credible scenarios need to be imagined. That can be difficult but it doesn’t mean that the attack tree methodology cannot be adapted to this task. The Nuclear Regulatory Commission, for example, has used scenario-based attack trees for years.
The use of attack trees is by no means the single solution for today’s security environment. However, in the never-ending attempt to manage risk, the use of attack trees can help companies to weed out vulnerabilities and ensure that countermeasures are rooted in solid ground.
Ted Almay is assistant vice president of corporate security at the United Services Automobile Association (USAA). His previous posts included stints as the managing director of security for American Electric Power (AEP), America’s largest electric producer, and superintendent of the Ohio Bureau of Criminal Investigation. He is a member of ASIS.