Standards and Guidance

Use standards to anchor scope, control expectations, and terminology. Use attack models to turn that scope into paths you can test.

Intrusion and Behavior Models

The Attack Models Library

This library is a curated starting point. It prioritizes primary sources, widely used knowledge bases, and standards that organizations actually reference. Each item here is useful because it can be mapped into a model, a detection, a control, or a test plan.

How to use this library: start with a model family (tree, graph, technique mapping), then pull the primary sources that define its primitives and data formats. For OT and CPS work, anchor on ICS security standards and protocol specifications, then connect those constraints to ATT&CK technique mappings and observable evidence.

When you are building reusable models, focus on stable structure and explicit assumptions. When you are building site-specific models, emphasize reachability, dependencies, and physics-informed constraints that shape feasibility and impact propagation.

Technique and Tactic Knowledge Bases

MITRE ATT&CK provides a shared vocabulary for adversary behavior. Its ICS matrix extends that vocabulary into industrial environments where the attacker is targeting controllers and processes.

Attack Patterns, Weaknesses, and Vulnerabilities

These three layers form a practical chain: patterns describe how attacks happen, weaknesses describe root causes, and vulnerabilities describe specific instances in products. A mature attack model uses all three.

Representing and Sharing Models

If you want your models to power automation, you need machine-readable formats. STIX is commonly used for expressing cyber threat and observable information, and TAXII is used for sharing it between systems.

Attack Trees and Path Analysis

For computed path analysis and design-time reasoning, start with the classic references, then move into tooling and domain-specific extensions.

Tools and Practice

Prefer primary sources. If a blog contradicts a specification, trust the specification.

Collaboration

If you would like to collaborate, share public resources, or discuss integrations for defensive attack modeling, email us and include a short note on how it helps practitioners.