Python scripts for using mindmup .mup JSON as a medium for developing attack trees.
-
Create an attack tree with mindmup -- legacy version 1 also supported: you can use https://github.com/BenGardiner/legacy-mindmup for offline creation of attack trees.
-
Save the
.muplocally -
Use these scripts to do the following steps (can be done indivdiually or in a batch depending on your workflow).
| Step Description | Script in scripts/ |
|
|---|---|---|
| 0 | normalize the .mup JSON -- useful before comitting to SCM to reduce diff noise |
normalize-json |
| 1 | check the .mup for problems (e.g. duplicate nodes, missing references, missing EVITA:: tags) and strips hidden sections |
checks.py |
| 2 | number the nodes in the .mup, resolving references to nodes in the tree (and undo this) |
add-numbered-ids.py (remove-numbered-ids.py) |
| 3 | resolve any 'in-text' references to nodes | resolve-stdin.py |
| 4 | propagate and calculate the required attack potentials and risks based on the model in the .mup file (and undo this) |
add-evita.py (remove-evita.py) |
| 5 | generate a report from the .mup -- including renderings of the subtrees as images in-line |
generate-descriptions-md-template |
| 6 | generate a risk analysis section for the report from the .mup |
generate-evita-chart.py |
- Publish the report as markdown+images or convert to format of your choice (with e.g.
pandoc)
-
Collaborate on (this was alot better before mindmup 2.0), or otherwise create an attack tree in mindmup.
-
This
.mupfile will serve as the container for the attack trees from objectives through attack vectors to mitigations -- including also descriptive text and weightings for severities and required attack potentials. -
There are some special strings and properties that will be recognized by the processing later:
ANDfor an and-ing operation on subtrees(*)for references to other nodes defined elsewhere in the tree...for nodes unspecified- ```.hidden`` for hiding nodes in the .mup that will not be rendered in the report
Mitigation: <anything>for capturing mitigations to attacks both on attack vectors and mid-tree
-
There are some special 'tags' that should be inserted in the descriptions of the nodes
OBJECTIVE::for classifying a node as an attacker objective, where both attacker motivation and impact on stakeholders is clear alsoRISK_HERE::for specifying a point in the tree where risk should be calculated, if in doubt place these onOBJECTIVE::nodesOUT_OF_SCOPE::for marking a node out-of-scope for this analysis. This node will still need estimated Required Attack Potentials but does not need to have its subtree expanded in detail or any mitigations capturedEVITA:: |S|S|S|S|R|R|R|R|Rfor ascribing estimates of severity (Sfields) and estimates of Required Attack Potential (RAP) (Rfields). These are required onOBJECTIVE::nodes and also for attack vectors. Severities are ascribed toOBJECTIVE::nodes, whereas RAPs are ascribed to attack vectors.SUBTREE::for breaking-up large attack trees into smaller 'snapshots'/'subtrees' when rendered in the report
-
Finally, any free-form text can be put into the node descriptions as markdown (saved as HTML-wrapped markdown). You should include descriptions of any attack vector nodes as well as some justification text of the RAPs ascribed. Similarly for objective nodes, descriptions should be written that explain attacker motivations and justify the severities ascribed.
-
-
download the mindmup
.mupfilee.g. see
examples/steps/0_Compromise (P)RNG Somehow.mup -
normalize the JSON with
normalize-json. This is useful if you are going to commit the mindmup to a SCM as it will minimize line-diffs in the future.e.g.
normalize-json < examples/steps/0_Compromise\ \(P\)RNG\ Somehow.mup > examples/steps/1_Compromise\ \(P\)RNG\ Somehow.mup -
add numbering to the tree with
add-numbered-ids.py- you can later re-number the nodes by running
remove-numbered-ids.pythenadd-numbered-ids.pyagain.
e.g.
add-numbered-ids.py < examples/steps/1_Compromise\ \(P\)RNG\ Somehow.mup examples/steps/2_Compromise\ \(P\)RNG\ Somehow.mup - you can later re-number the nodes by running
-
add calculations of all Required Attack Potentials troughout the tree and estimates of risk as the
RISK_HERE::withadd-evita.py.- you can later re-calculate these by running
remove-evita.pythenadd-evita.pyagain.
e.g.
add-evita.py < examples/steps/0_Compromise\ \(P\)RNG\ Somehow.mup > examples/steps/1_Compromise\ \(P\)RNG\ Somehow.mup - you can later re-calculate these by running
-
generate a template report for the now-numbered tree using
generate-descriptions-md-template. This will create a markdown template and some subtrees snapshot.mupfiles. The template includes inline.pngimages that need to be rendered from those.mupfiles.e.g.
mkdir examples/steps/3_Report && cd examples/steps/3_Report && ../../../generate-descriptions-md-template < ../2_Compromise\ \(P\)RNG\ Somehow.mup > Report.md -
for each of the subtree snapshot
.mupfiles: render a .png file usingrendermup -
add a risk analysis section to the report with
generate-evita-chart.py -
iteratively edit the template, including descriptions, impacts, severities etc. to achieve a draft report
-
publish the markdown+images.
By adding tags to the mindmup text you can structure the attack tree to include attacker objectives with associated severities and attack vectors with associated required attack potentials. Then the scripts will calculate and propagate the required attack potentials up the tree and marry them with the severities to estimate risks. This calculation is performed according to the method detailed in Security requirements for automotive on-board networks based on dark-side scenarios
The 5 scores of Required Attack Parameters are based on the vulnerability assessment section of *Common Methodology for Information Technology Security Evaluation (CEM v3.1)
| Script Name | Description |
|---|---|
forward-references.py |
re-orders the nodes so that all concrete subtrees occur before references to those subtrees |