center-for-threat-informed-defense / attack-flow

Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
https://ctid.io/attack-flow
Apache License 2.0

Guidelines for using the "OR" operator #62

Closed bduhoux closed 1 year ago

bduhoux commented 1 year ago

Hi,
We wonder what the guidelines are for using the "OR" operator when constructing an attack flow with parallel attack paths, as we have seen two different ways to build an attack flow with this operator.

The first way follows the semantics of the "OR" operator. This means that we should use the "OR" operator only when we reach the end of parallel attack paths (source: https://center-for-threat-informed-defense.github.io/attack-flow/introduction/#operator-objects). Such an example is depicted in the figure just below. [image]

The second way is to add an "OR" operator before starting to split the flow into parallel attack flows, while still having an "OR" operator at the end of these parallel attack flows to combine them again. Such an example is shown in the figure just below and also available in the Conti CISA Alert example (see https://center-for-threat-informed-defense.github.io/attack-flow/ui/?src=..%2fcorpus%2fConti%20CISA%20Alert.afb). [image] In this alternative, we can assume that the authors just wanted to explicitly emphasize that they have parallel attack flows, right?

So what is the best way to draw parallel attack flows with the "OR" operator?

mehaase commented 1 year ago

The first example is the correct usage. The AND and OR operators combine multiple inputs to make a logical decision. An operator with a single input edge is not invalid, but it is redundant and, as a matter of best practice, we should avoid it.

Any node can fan out (i.e. multiple outputs). If an action leads to 2 parallel outcomes, it is valid (and encouraged) to have 2 arrows coming out of the action and connecting to other actions.

Thank you for pointing this out. I will keep this issue open as a reminder to update the Conti flow.
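As an added example (not part of the attack-flow project), a small lint that applies the guidance above to a flow's object list: an operator with fewer than two input edges is flagged as redundant, while fan-out from an action is left alone. The object type and field names (`attack-action`, `attack-operator`, `effect_refs`, `operator`) follow the Attack Flow STIX 2.1 extension as I understand it, so treat them as assumptions if your spec version differs; the two sample flows and their ids are constructed.

```python
"""Flag redundant AND/OR operators in an Attack Flow object list.

Assumptions: flow objects are STIX-style dicts; edges are expressed by the
source object's `effect_refs` list pointing at the target's `id`; operators
have type `attack-operator`. Ids below are constructed placeholders.
"""
from collections import defaultdict


def operator_in_degrees(objects):
    """Return {operator_id: number of inbound edges} for every operator."""
    in_degree = defaultdict(int)
    for obj in objects:
        for target in obj.get("effect_refs", []):
            in_degree[target] += 1
    return {o["id"]: in_degree[o["id"]]
            for o in objects if o["type"] == "attack-operator"}


def redundant_operators(objects):
    """Operators with a single input make no decision; report them (sorted)."""
    return sorted(oid for oid, n in operator_in_degrees(objects).items() if n < 2)


def _action(name, *effects):
    return {"type": "attack-action", "id": f"attack-action--{name}",
            "name": name, "effect_refs": list(effects)}


def _operator(name, kind, *effects):
    return {"type": "attack-operator", "id": f"attack-operator--{name}",
            "operator": kind, "effect_refs": list(effects)}


# First way (correct): the action fans out directly; OR joins the paths.
CORRECT_FLOW = [
    _action("initial-access", "attack-action--path-b", "attack-action--path-c"),
    _action("path-b", "attack-operator--or-join"),
    _action("path-c", "attack-operator--or-join"),
    _operator("or-join", "OR", "attack-action--impact"),
    _action("impact"),
]

# Second way (redundant): an OR with one input is placed before the split.
REDUNDANT_FLOW = [
    _action("initial-access", "attack-operator--or-split"),
    _operator("or-split", "OR", "attack-action--path-b", "attack-action--path-c"),
    _action("path-b", "attack-operator--or-join"),
    _action("path-c", "attack-operator--or-join"),
    _operator("or-join", "OR", "attack-action--impact"),
    _action("impact"),
]
```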

bduhoux commented 1 year ago

Thank you for the clarification :+1:

mehaase commented 1 year ago

Conti flow is fixed on main @ ac871a664f69ec8920b851f09cc6d49bb5aca9b5