In his book “A Burglar’s Guide to the City”, Geoff Manaugh describes the case of a thief who burgled a whole row of adjoining flats. Instead of breaking into each property from outside, he broke into one and then entered the next one by simply cutting through the relatively weak internal walls. The so-called “drywall” burglar did this again and again until he got to the end of the block, carrying the stolen goods back through his “tunnel” at leisure.
Householders are often advised to upgrade their door and window locks to deter burglars. It’s not so easy to re-fit internal walls in a way that will stop an intruder. If the housebuilders didn’t consider the problem during construction, it may not be feasible to fix it later.
Cybersecurity experts emphasise the importance of applying security principles to the architecture of a system early in its development, at the design and build stages.
In fact, the first principle recommended in the NCSC’s cybersecurity guidance is to establish the context of a system before designing it using IT Architecture. The context includes an understanding of the threat model for the system. The guidance suggests applying appropriate modelling techniques to understand the ways in which an attacker could achieve their objectives and the level of capability such an attack would require.
Security controls can then be mapped to potential attack points to establish confidence in the resilience of the design.
Doing this effectively requires architects and designers to view the system from an attacker’s point of view. In practice this can be difficult, simply because it involves a radical change of mindset.
The “drywall” burglar’s technique succeeded because the house builders and property owners didn’t consider the internal wall construction as a vulnerability that was likely to be exploited by an intruder. Criminals can be very creative when it comes to identifying weak points. At one time or another, many types of standard building features, including sewers, rooftops, air-conditioning ducts, garbage chutes and even wall cavities have all been “re-purposed” as access routes by burglars.
Manaugh, a writer who specialises in architecture and the built environment, regards burglary as an essentially “architectural” crime. It depends on the burglar having an appreciation of a building’s architecture that can be fundamentally different from that of the building’s legitimate users. In his words, burglary is “topology pursued by other means: a new science of the city, proceeding by way of shortcuts, splices and wormholes”. To a burglar, a roof can become an entryway, a wall can become a door and if a corridor doesn’t exist, he can make one.
Cyberattackers apply the same treatment to computer systems and networks. John Lambert, of the Microsoft Threat Intelligence Center, summarises the approach: “Assets are connected to each other by security relationships. Attackers breach a network by landing somewhere in the graph using a technique such as spearphishing, and they hack, finding vulnerable systems by navigating the graph. Who creates this graph? You do.” 
Attackers exploit the security relationships that actually exist between systems, not just the “authorized” paths taken by legitimate users. The graph of connections should be constrained by the IT architecture and changed according to the needs of the enterprise. However, it can also be modified inadvertently or maliciously, for example by installing software containing a vulnerability that can be exploited to gain access to other assets in the network.
One approach is to build your own graphs to help visualise attack paths. A graph allows you to see the routes to potential targets. This produces a view that corresponds to the one an attacker tries to construct by exploring your network. You can then take appropriate actions, for example by breaking connections to reduce the number of attack paths and by hardening the security of key nodes.
Some tools can generate graphs from dependencies that exist in your networks. However, to identify the connections that your organisation actually requires, you will need to compare these with your IT architecture. Solutions such as HOPEX IT Architecture show not only how your IT assets are connected, but also how those assets support your business.
The Microsoft diagram focuses on users and the access they have to parts of the network. This is different from an Attack Graph, which is typically used to model the procedures of an attack itself rather than the system that is the subject of the attack.
The Microsoft article stresses the importance of understanding the security dependencies that describe the “virtual” topology of the network. For example, a user who has the same password for accounts in different domains creates a path between those domains that can be exploited by an attacker. Breaking the security connections in the graph limits the possible attack paths.
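The approach described above (build your own graph, list the routes to a target, then see which connections to break and which nodes to harden) can be sketched as follows. This is an added example, not code from the article or from any tool it mentions; every asset name and relationship is constructed, including the shared-password edge between two domains.

```python
from collections import defaultdict

# Constructed sample data: (source, target, security relationship).
# An edge means "control of source gives access to target".
EDGES = [
    ("phished-workstation", "user-alice", "logged-on session"),
    ("user-alice", "file-server", "local admin"),
    ("user-alice", "alice-admin@domain-b", "same password"),
    ("alice-admin@domain-b", "domain-b-controller", "domain admin"),
    ("file-server", "svc-backup", "cached credential"),
    ("svc-backup", "domain-b-controller", "backup operator"),
    ("user-alice", "intranet-wiki", "authorised user"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, _relationship in edges:
        graph[src].append(dst)
    return graph

def attack_paths(graph, start, target, path=None):
    """Return every loop-free route from start to target (depth-first search)."""
    path = (path or []) + [start]
    if start == target:
        return [path]
    found = []
    for nxt in graph.get(start, []):
        if nxt not in path:  # never revisit a node on the current route
            found.extend(attack_paths(graph, nxt, target, path))
    return found

def choke_points(paths):
    """Intermediate nodes present on every path: candidates for hardening."""
    if not paths:
        return set()
    return set.intersection(*[set(p[1:-1]) for p in paths])

def rank_edges_to_break(edges, start, target):
    """For each edge, count the paths that remain if that edge alone is removed."""
    ranked = []
    for edge in edges:
        remaining = [e for e in edges if e is not edge]
        left = len(attack_paths(build_graph(remaining), start, target))
        ranked.append((left, edge))
    return sorted(ranked, key=lambda item: item[0])

if __name__ == "__main__":
    start, target = "phished-workstation", "domain-b-controller"
    paths = attack_paths(build_graph(EDGES), start, target)
    for p in paths:
        print(" -> ".join(p))
    print("harden:", choke_points(paths))
    for left, (src, dst, rel) in rank_edges_to_break(EDGES, start, target):
        print(f"{left} path(s) remain without {src} -> {dst} ({rel})")
```

Comparing the ranked edges with the connections the architecture actually requires shows which links can be broken without affecting legitimate use.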
A report to generate a dendrogram to reveal this kind of detail could be quite complex. However, the diagram used here doesn’t have to be a definitive solution. It’s enough to show a dendrogram that can be derived from the architecture, showing nodes and links between HOPEX objects that would be meaningful to readers e.g. connections between IT Server objects.
Manaugh, G. “A Burglar’s Guide to the City” Farrar, Straus and Giroux, 2016
“Secure design principles - Guides for the design of cyber secure systems” National Cyber Security Centre, Version 1.0, 21 May 2019
Lambert, J. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” Blog, 26 April 2015
Budja, A., Brinkmann, F., Aubin, H., Sabberton, J., Finkeisen, J. “3 ways to outsmart attackers by using their own playbook” Microsoft Secure Blog, 21 March 2017