How to model digital risk using Attack Flow scenarios

This article is a condensed version of our newsletter (https://venation.digital/newsletter) and of the content we publish at https://content.venation.digital.


Why Attack Flow?

At Venation, we've found that using visualizations is a game-changer for digital risk modeling.

While this is probably a no-brainer, it is still extremely difficult for practitioners to find the right solution for their audience. Plus, it takes courage to start!

That said, the payoff is immense.

We initially struggled to find the right tool, but after exploring multiple options we landed on Attack Flow and started applying it to real-world scenarios.

We quickly realized its potential to streamline our clients' risk management processes.

Here’s why we embraced it, and how you can get started.


Getting started

Here are our considerations

After working with numerous clients and creating countless scenarios, we realized there is no "perfect" visualization tool.

Each solution fits a specific use case for a specific audience.

This led us to explore Attack Flow from the Center for Threat-Informed Defense.

Why Attack Flow works for us:

  • Instant integration with MITRE ATT&CK.
  • Low learning curve and easy-to-use interface.
  • Online or private setup using Docker.
  • Different levels of abstraction, from technical details (STIX objects) to technique-level elements (MITRE ATT&CK techniques).
  • Exports to JSON, GraphViz, and Mermaid, useful for building attack trees.
  • Looks great in presentations or reports.

Here's what it looks like:

https://center-for-threat-informed-defense.github.io/attack-flow/

Building Attack Flow Scenarios

To build a cohesive scenario, you need to understand these three elements:

  • Canvas
  • Objects (Actions, Conditions, Operators)
  • Depth of detail, based on your stakeholder requirements


Basic elements

Let's look at each of these in turn.

There is a canvas. You use this canvas to plot actions and other objects on. You can also export the canvas, either as PNG, as JSON or in the Attack Flow Builder file format (*.afb).

Scenarios are built from objects (Actions, Conditions, Operators). These represent an action, a decision point, or an effect the adversary produces while pursuing a specific technique or procedure. Action objects link directly to MITRE ATT&CK techniques.

Choose your level of (technical) depth. The objects can be deepened further with additional STIX objects. Long story short, STIX is a widespread (technical) industry standard adopted by many solutions; interestingly enough, the Attack Flow objects themselves are not (yet) widely adopted. It is important to note that the right depth depends on the demand from your stakeholders. Make sure to bring them into the discussion, so you can effectively determine the right level of (technical) detail.

Building your first scenario

Go to the builder

Here's the direct link to the online builder:

https://center-for-threat-informed-defense.github.io/attack-flow/ui/

You can also run the builder on your own system using Docker.


What to do next

When you have opened the builder (either online or in your own environment using Docker), you will have several options to pursue:

  • Recover file: Open a file you were working on (or remove it from the cache).
  • Open file: Create a new flow or open an existing flow from your local files.
  • Resources: Look up supporting information.

Once you have created a new canvas to work in, you can right click to open up a menu:

Create → Attack Flow → Action


Next, you want to fill the action with content. Click on the action to highlight it. Fill in the desired details, tailored to the level of detail your (internal) stakeholders are accustomed to. The details you enter appear on the canvas automatically.


You can now continue adding actions. Just drag a line from one element to another element.

One practical tip: connectors are drawn as straight horizontal and vertical lines; the builder does not route them around other objects automatically (we are raising an issue for this on their GitHub).


Continue building out your scenario by adding objects, attributes and links between different objects.

Once you are done, go to the File menu to perform additional actions.


  • Save: Downloads the scenario in the *.afb (Attack Flow Builder) format, so you can open and edit it again in the future.
  • Save (selection) as image: Saves the scenario as a *.png, for use in visualizations or presentations. You can also export only a selection.
  • Publish Attack Flow: Saves the scenario as a STIX 2.1 bundle in *.json format, which you can then load into any solution able to parse this machine-readable format.

Once you have built and saved these materials, you can work together with your stakeholder to discuss the visual.
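The published *.json is what other tools consume, so it is worth knowing what is inside it. The following is an added example (not code from the article or from the Attack Flow project) that builds a small flow in the same STIX 2.1 bundle shape the builder publishes, checks it for dangling references, renders it as a Mermaid flowchart (the kind of export you can drop into a Markdown file), and overlays a control list on the ATT&CK techniques it uses, which is the gap view mentioned under Operations Directors below. Object and field names follow the Attack Flow 2.x specification as recalled here; the extension-definition ID and the phishing scenario are assumptions, so verify both against the published spec before relying on the output.

```python
"""Added example: a minimal Attack Flow bundle, a ref check, a Mermaid export and a
control overlay. Not the article's or the Attack Flow project's code."""
import json
import uuid
from datetime import datetime, timezone

# Extension marker that Attack Flow SDOs carry (assumed from the spec; verify).
ATTACK_FLOW_EXT = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(obj_type, **fields):
    """Create one STIX 2.1 object tagged as an Attack Flow extension SDO."""
    obj = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": _now(),
        "modified": _now(),
        "extensions": {ATTACK_FLOW_EXT: {"extension_type": "new-sdo"}},
    }
    obj.update(fields)
    return obj


def build_sample_flow():
    """Constructed scenario: phishing -> did the macro run? -> AND -> discovery + C2."""
    c2 = sdo("attack-action", name="Beacon to C2", technique_id="T1071.001", effect_refs=[])
    disc = sdo("attack-action", name="Enumerate domain accounts", technique_id="T1087.002", effect_refs=[])
    both = sdo("attack-operator", operator="AND", effect_refs=[disc["id"], c2["id"]])
    cond = sdo("attack-condition", description="Macro executed?", on_true_refs=[both["id"]], on_false_refs=[])
    phish = sdo("attack-action", name="Spearphishing attachment", technique_id="T1566.001", effect_refs=[cond["id"]])
    flow = sdo("attack-flow", name="Sample macro phishing flow", scope="attack-tree", start_refs=[phish["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [flow, phish, cond, both, disc, c2]}


def dangling_refs(bundle):
    """Every *_refs target that does not resolve to an object in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for o in bundle["objects"]:
        for key, val in o.items():
            if key.endswith("_refs"):
                missing += [r for r in val if r not in ids]
    return missing


def to_mermaid(bundle):
    """Walk the flow from start_refs and emit a top-down Mermaid flowchart."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in bundle["objects"] if o["type"] == "attack-flow")
    node_ids = {}  # STIX id -> short Mermaid node id

    def nid(sid):
        return node_ids.setdefault(sid, f"n{len(node_ids)}")

    def label(o):
        if o["type"] == "attack-action":  # rectangle: technique id + name
            return f'{nid(o["id"])}["{o.get("technique_id", "")} {o["name"]}"]'
        if o["type"] == "attack-condition":  # rhombus: decision point
            return f'{nid(o["id"])}{{"{o["description"]}"}}'
        return f'{nid(o["id"])}(("{o["operator"]}"))'  # circle: AND/OR operator

    lines, edges, seen = ["flowchart TD"], [], set()
    stack = list(flow["start_refs"])
    while stack:
        sid = stack.pop()
        if sid in seen:
            continue
        seen.add(sid)
        o = by_id[sid]
        lines.append("    " + label(o))
        for key in ("effect_refs", "on_true_refs", "on_false_refs"):
            tag = {"on_true_refs": "|true|", "on_false_refs": "|false|"}.get(key, "")
            for tgt in o.get(key, []):
                edges.append(f"    {nid(sid)} -->{tag} {nid(tgt)}")
                stack.append(tgt)
    return "\n".join(lines + edges)


def control_gaps(bundle, covered_techniques):
    """ATT&CK techniques used in the flow that no listed control claims to cover."""
    used = {o["technique_id"] for o in bundle["objects"] if o["type"] == "attack-action"}
    return sorted(used - set(covered_techniques))


if __name__ == "__main__":
    bundle = build_sample_flow()
    print(json.dumps(bundle, indent=2))
    print(to_mermaid(bundle))
    # Overlay: constructed list of techniques the current controls cover.
    print("uncovered:", control_gaps(bundle, ["T1566.001", "T1071.001"]))
```

The ref check matters because the builder lets you delete an object while connectors to it still exist in a hand-edited bundle; a consumer that follows `effect_refs` blindly will crash or silently drop part of the path. The overlay is deliberately simple (technique present or absent in a list); a real control overlay would also record whether the control detects, prevents or merely logs that technique.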


Real-world applications

We've seen time and again that visualizations such as those produced with Attack Flow greatly improve team collaboration and decision-making.

Visualizing complex attack paths makes it much easier to communicate risks across all levels of an organization, from technical teams to executives.

We're providing our newsletter and scenario intelligence subscribers more in-depth content on each of the different examples.

Here’s how different teams can use it in general:

Executives (e.g. CFO, CIO, CISO, Chief Risk)

Despite the technical details, visual scenarios are easy for executives to understand, helping them grasp choke points or critical decisions.

Use these visuals in business cases, executive briefings, or risk assessments.

We're doing this through:

  • Adding extracts of the scenario to documents,
  • Adding a Markdown file in a central document repository, or
  • Printing out the PNG to discuss a campaign physically.

Operations Directors (e.g. Risk Management, Cyber Defense, Adversary Emulation, Incident Response)

Operations teams benefit from Attack Flow by using it for realistic risk assessments based on observed adversary scenarios.

These teams regularly move between stakeholders who need more or less detail, which makes them well suited to adopt this approach.

It’s highly effective for purple team exercises, where it improves communication between attackers and defenders.

It also enables the creation of security control overlays, helping teams identify gaps in their defenses and prioritize resources.


Practitioners (e.g. TI Analysts, Red Team, Incident Responders)

For technical practitioners or teams, Attack Flow facilitates the creation of highly detailed, behavior-based threat intelligence products.

Its machine-readable format (a STIX 2.1 JSON bundle) ensures interoperability across organizations and tools, making it a solid basis for adversary emulation and incident response planning.

After incidents, you can map out how defenses failed and plan after-action reviews.

Practitioners also use it to build threat hunting hypotheses, adding detail as more information is gathered.


Grab our content to transform your risk management approach

We’ve built over 30 scenarios with Attack Flow, turning them into templates that teams can quickly adapt to their needs.

This completely transformed how teams identify and model digital risk.

Combine our content with Attack Flow, and we have your team modeling risk in less than 10 minutes.

We also built a template aligned with the requirements of NIS2, DORA TLPT, and TIBER-EU, making it a versatile starting point for work under those regulatory frameworks.


Want to get more detailed use cases?

--> We're sharing more detailed applications and use cases just for our newsletter audience; sign up via venation.digital/newsletter.


Want to see our content in action?

--> Reach out to our team via venation.digital and we’d be happy to give you a live demo.


Let's make this week count!

GJ

www.venation.digital
