From attack trees to red team playbooks

Attack trees are lovely things. They sit there on whiteboards looking impressively complete, with their neat branches and their satisfying logical AND/OR gates. They make management feel like security is being taken seriously. They make consultants feel like they’ve delivered value.

They are also completely useless for actually doing anything.

This is not a criticism. Attack trees were never meant to be operational documents. They’re maps, not recipes. They show you the territory; they don’t tell you how to walk through it whilst carrying forty kilos of kit and hoping nobody notices.

Red team playbooks are what happens when you take an attack tree seriously enough to ask “what would this actually look like if someone tried it?”
