This is a bit of an everything and the kitchen sink pull request.
Broadly, these commits deal with how we model unsafe activity performed by the user.
Separate unsafe user action into two components. One that requires the attacker to be reachable from the Application and is more potent. The other does not require reverse reachability but is therefore more complex and requires substantially more effort.
Have unsafe user activity on a system fulfil the physical access requirement of vulnerabilities
Create a separate attack step on Data called Extract that represent the ability of the attacker to obtain the data and associated information as opposed to a regular Read which can represent autonomous tools/code reading the data and using it for further attacks.
Simplify ConnectionRule attack steps. The goal is to have the ConnectionRule asset mostly behave as a virtual asset that specifies connectivity and direction, but not trigger attack steps itself.
Introduce SendData and ReceiveData associations between Data and Application assets. Before Data were represented only as DataInTransit on Application assets and the direction was to be determined from the ConnectionRule assets. This was cumbersome so now Data are DataInTransit over Network assets and sent or received on Application assets.
Simplify unsafe user action by removing the high/low privileges distinction(this is now already covered by the fact that social engineering leads to Assume on the Identity assets associated with the User asset) and removing the forced/unforced dichotomy as well. All unsafe user action is now a result of Attacker actions, which prevents situations where no attack graph from the attacker could be generated. The unforced component was not adding any modelling depth and was therefore entirely removed.
We may wish to evaluate how unsafe user activity on System assets should be modelled as well.
This is a bit of an everything and the kitchen sink pull request.
Broadly, these commits deal with how we model unsafe activity performed by the user.
Data
calledExtract
that represent the ability of the attacker to obtain the data and associated information as opposed to a regularRead
which can represent autonomous tools/code reading the data and using it for further attacks.ConnectionRule
attack steps. The goal is to have theConnectionRule
asset mostly behave as a virtual asset that specifies connectivity and direction, but not trigger attack steps itself.SendData
andReceiveData
associations betweenData
andApplication
assets. BeforeData
were represented only asDataInTransit
onApplication
assets and the direction was to be determined from theConnectionRule
assets. This was cumbersome so nowData
areDataInTransit
overNetwork
assets and sent or received onApplication
assets.Assume
on theIdentity
assets associated with theUser
asset) and removing the forced/unforced dichotomy as well. All unsafe user action is now a result of Attacker actions, which prevents situations where no attack graph from the attacker could be generated. The unforced component was not adding any modelling depth and was therefore entirely removed.We may wish to evaluate how unsafe user activity on
System
assets should be modelled as well.