Examining attack tree tools, how do they compare?
A lot of threat modelers make use of attack trees. In this article we dive into two attack tree tools, compare them, and see if they’re worth using. We would like to know the value of using specialized software, how time can be saved and what other benefits could be gotten from the use of these specialized tools. The answer is, as always, ‘it depends’.
We opted to mention and compare two tools in this blog post.
- the JAVA based tool ADTool, created by the University of Luxembourg
- the ‘AT-AT’ tool by Anandarajah Yathuvaran.
These tools were chosen because they were free to use and both work (at least) on the Windows operating system. This way we hope that the largest part of the threat model community can actually run these tools. We opted not to include commercial tools; we feel that a more in-depth study would be needed before we make any statements on the tools you need to pay for.
In the past, we created Attack trees using white boards, spreadsheets, mind map software and drawing software like draw.io. All of these tools work to some extent, but they all have limitations. We are not comparing these tools to the specialized attack tree tools in this article.
In order to judge the specialized tools, we are looking at the following requirements (in no particular order):
- Ease of use. How fast can we learn the tool? How fast can we create an attack tree?
- Ease of update. Attack trees are by their very nature ‘tree like’ and updates often require complete branches to be moved or a level to be added or removed. The speed with which these actions can be done varies a lot.
- We want multiple people to work on the same attack tree at the same time.
- Version control and history. Even though every file can be placed in a version control system, most of the file types do not allow the version control system to easily show differences between versions. This would be a great asset.
- Portability. Can you migrate your data from one tool to another?
Ease of use
Installation of both tools was easy on my Windows system. I already had JAVA installed as a pre-requisite for other tools I’m using on this system. Since the AT-AT tool is only available on Windows we did not try to install the tools on different operating systems, although we assume that the ADTool will also work on an Ubuntu machine. Both tools require you to read the documentation, but in both cases we were able to get started within 15 minutes. The creation of our first attack tree took around 10 minutes in both cases. We opted to use (probably the most famous) example attack tree from Bruce Schneier.
In both tools the use of the text notation (DSL) allows for very quick creation of attack trees. We were able to use this mode after 5 minutes of playing around in each tool. This is one of the main differences with most non-specialized tools.
Ease of update
Moving branches within the trees is fairly easy in the text view, in the graphical view, this was not easily achieved in ADTool. In AT-AT the generated view of the attack tree cannot be edited so all actions are performed in the text window.
Editing and updating attack trees is easy on both tools, once you are fluent with the different notations in the text editor.
The two tools did not allow us to edit an attack tree with multiple people at the same time. To be fair, most other non-specialized tools also lack this functionality.
Version control and history
Both tools allow you to export the attack trees in a text format, this will facilitate the versioning and comparing of attack trees.
The exported files in a Term format for the ADTool or in DSL for the AT-AT tool are text files that are an exact copy of what is in the text windows in both tools.
Neither tool in scope can import the other’s file formats. Some work will be needed should you want to convert one format to another. This is not an insurmountable problem, but it will require time and effort. As far as we know there is no standard way to note down attack trees. The same is true for threat models in general. Until there is a standard to note these things down, this problem will remain and tool creators will be forced to include convertors from and to different formats or leave out this functionality altogether.
The ADTool tool contains several example attack trees. For the AT-At tool you can download several example attack trees from their GitHub repository.
How do these tools compare to non-specialized tools?
We feel that both tools are as easy to set up and learn as non-specialized tools, such as mind mapping and drawing software. The editing and updating of attack trees using a text format help to quickly make changes. We feel these two programs were at least as fast or even faster than other tools we used in the past.
If you are looking for a tool that is only used for attack trees, both tools deliver what we expect. If you need a tool that also creates other types of drawing, these tools are not for you.
Are specialized attack tree tools whorthwhile or not?
It depends. 😊
If you only need to have a visual representation of an attack tree, other non-specialized tools also work and do not require you to learn a new tool. Some of these tools will also be able to export in text-based format for ease of versioning and comparison (e.g. draw.io exports in XML)
If you have read this far, I assume you want to do more with attack trees than to just show them. In that case a specialized tool will always be useful. The selection of the tool will depend on how you work with attack trees. Keep in mind: always choose a tool that supports your process, never adapt your process to fit to a tool.
Attack tree blog post by Bruce Schneier: https://www.schneier.com/academic/archives/1999/12/attack_trees.html