Attack Vector Concept

When modeling an IT architecture for security analysis, you will also need to connect an attacker object somewhere in the model. The attacker can be connected to any object that has an attack step, and when connecting the attacker you will also choose which connection type to use. The spot where the attacker is connected is the attacker’s starting point. This means that securiCAD does not take into account how the attacker managed to reach this starting point. For instance, when connecting the attacker to a network zone with the connection type Compromise, you can think of this as “Suppose that the attacker has managed to intrude into this network zone; what impact will that have on the rest of my model?”.

Depending on where the attacker is connected, you will model different “attack scenarios” and since they can also be seen as the “direction” or “course” from where the attacker is coming, we often talk about this as the “attack vector”.

One more thing that also defines the attack vector is the number of resources we estimate our attacker to have in terms of skills/time/money. securiCAD considers the attacker to be a very capable attacker, such as a state actor, with large but not unlimited resources. If we want to attenuate this, we can consider disabling, for instance, the DevelopZeroDay attack step, since we might not consider our attacker to have the resources to develop (or acquire) a zero-day exploit, or we might consider our architecture/business not interesting enough for the attacker to spend a zero-day exploit on it.
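The two ingredients of an attack vector described above (the attacker’s starting point and the attack steps the attacker is assumed capable of) can be illustrated with a small attack-graph simulation. This is an added example with a constructed toy graph; it is not securiCAD’s engine or model format, and all object and step names (dmz, web, lan, db, DevelopZeroDay, credentialsFound) are assumptions.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed toy attack graph (not a securiCAD model):
# step -> (step kind, parent steps from which it can be reached).
# "or": any parent reached suffices; "and": every parent must be reached.
ATTACK_GRAPH: Dict[str, Tuple[str, List[str]]] = {
    "dmz.compromise":      ("or",  []),                       # attacker entry candidate
    "web.connect":         ("or",  ["dmz.compromise"]),
    "web.developZeroDay":  ("or",  ["web.connect"]),          # the capability we may disable
    "web.compromise":      ("or",  ["web.developZeroDay"]),   # web is patched: zero-day is the only route
    "db.credentialsFound": ("or",  ["web.compromise"]),       # db password sits in a web config file
    "lan.compromise":      ("or",  ["web.compromise"]),       # attacker entry candidate (insider)
    "db.connect":          ("or",  ["lan.compromise"]),
    "db.compromise":       ("and", ["db.connect", "db.credentialsFound"]),
}


def reachable(graph: Dict[str, Tuple[str, List[str]]],
              entry_points: Iterable[str],
              disabled: FrozenSet[str] = frozenset()) -> Set[str]:
    """Fixed-point evaluation: the attacker's starting point is taken as given
    (how it was reached is not modeled) and compromise propagates along the
    graph; disabled steps model capabilities the attacker does not have."""
    reached: Set[str] = {e for e in entry_points if e not in disabled}
    changed = True
    while changed:
        changed = False
        for step, (kind, parents) in graph.items():
            if step in reached or step in disabled or not parents:
                continue
            hit = (any(p in reached for p in parents) if kind == "or"
                   else all(p in reached for p in parents))
            if hit:
                reached.add(step)
                changed = True
    return reached


def compare_attack_vectors(graph: Dict[str, Tuple[str, List[str]]]) -> Dict[str, Set[str]]:
    """Same architecture, three attack vectors: different starting points and resources."""
    scenarios = {
        "state actor at DMZ": (["dmz.compromise"], frozenset()),
        "no zero-day at DMZ": (["dmz.compromise"], frozenset({"web.developZeroDay"})),
        "insider on LAN":     (["lan.compromise"], frozenset({"web.developZeroDay"})),
    }
    return {name: reachable(graph, entry, off) for name, (entry, off) in scenarios.items()}


if __name__ == "__main__":
    for name, steps in compare_attack_vectors(ATTACK_GRAPH).items():
        print(f"{name}: {sorted(steps)}")
```

Disabling DevelopZeroDay stops the DMZ attacker at web.connect, while the insider starting on the LAN reaches db.connect but not db.compromise, because the AND step also needs the credentials found on the web server.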

This module will discuss and give examples of different common attack vectors and which attacker connection each of them corresponds to.