ATTACK FLOW

Attack Flow is a standard for graphs in information security. An attack flow is a machine-readable representation of a sequence of actions and assets, plus knowledge properties, joined by relationships.

Attack Flow has 5 parts: Actions, Assets, Properties (Objects/Data) & Relationships, all joined through a Flow.

• Actions are things that happen
• Assets are things that have state changes
• Properties are contextual triples (X -[Property of]-> Y) describing either other ’things’ or data like a hash
• Relationships create the causal and contextual connections
• Flows are the set of Actions, Assets, Properties, and Relationships

When we combine graphs and the 5 parts, we get a flow.

Attack Flow provides the 3 C’s: Causality, Context, and Complexity

• Causality is the causal path from action to asset and asset to action. It’s what caused what
• Context are the properties (both literal properties like description strings and object properties like a ‘person’ (with a name, job title, permissions, etc)) that describe other nodes
• Complexity is the ability to represent complex relationships

You’ll notice the causal path goes action->asset and asset->action. This is intentional. It forces good data modeling, helps represent complex relationships, and makes visualization easier.

This helps solve several data challenges in information security:

• Lots of text -> Broken up into clear parts (nodes) and relationships (edges)
• Structured data has steep learning curve -> Only learn what you need (node-centric search and namespaces for specialized information)
• No focus on relationships -> Relationships are first-class
• Little causality -> Explicit structure for causality
• No context -> Knowledge Graph