From the introduction above, we see that the attacker's starting point is an attack step that we treat as having already happened with 100% probability; we then analyze what impact that situation has on our model.
Sometimes it is more interesting or relevant to also assign a probability to this initial attack step being successful. We can do that by first defining the starting point of the attack and then tuning the objects around it to reflect our estimated probability that the attack is present at all.
This is easier to explain with the examples below, where we introduce two ways of attenuating the attack vector's presence, or more precisely its possibilities to enter our main model.
Please remember that if you do not introduce attack vector attenuation in the model, the results show the situation in which the modeled attack has already happened and the impact such an attack has on the modeled architecture. Attack vector attenuation is in that sense an extra modeling feature that you can add at a later stage of the analysis.