Diamond Model

The Diamond Model is composed of four core features: adversary, infrastructure, capability, and victim, and establishes the fundamental atomic element of any intrusion activity.

Adversary

An adversary is an attacker, enemy, cyber threat actor, or hacker who stands behind a cyberattack (an intrusion or breach). In the Diamond Model (DM), adversaries are actors or organizations responsible for utilizing a capability against a victim for malicious intent.

Adversary Operator - The "hacker" or person(s) conducting intrusive activity

Adversary Customer - Entity benefiting from the malicious activity from the intrusion (the hacker or a separate person/group)

Victim

Each cyberattack has a victim, the adversary's target (an organization, person, email address, IP address, domain, etc.), used as a foothold opportunity. Some victims are only a stepping stone and not the end goal/target.

Victim Personae - People/orgs being targeted whose assets are being exploited/attacked.

Victim Assets - The attack surface (systems, networks, email addresses, hosts, IPs, social accounts, etc.) against which an adversary directs capabilities

Capability

Capability refers to the skills, tools, and techniques used by an adversary. This highlights the tactics, techniques, and procedures (TTPs) used to attack a victim, and includes all methods regardless of sophistication.

Capability Capacity - Vulnerabilities and exposures a capability can use

Adversary Arsenal - Combined capacities of capabilities belonging to an adversary

Infrastructure

Infrastructure is the physical or logical interconnections the adversary uses to deliver or maintain control of one or more capabilities. This includes software, hardware, IPs, domains, email addresses, or malicious USB devices.

Type 1 Infrastructure - Controlled or owned by adversary

Type 2 Infrastructure - Controlled by an intermediary that is not always aware of it. The victim will see this infrastructure as their adversary, since it is used to obfuscate the source and attribution of the activity. This includes malware staging servers, malicious domain names, compromised email addresses, etc.

Event Meta Features

These six meta-features are not required in the DM but can add valuable information or intelligence.

  • Timestamp - Date/time of the event, which can include when it started and stopped. These are essential for helping determine patterns when grouping malicious activity.

  • Phase - The phases of an intrusion, attack, or breach come from the Cyber Kill Chain.

  • Result - Although not always known, it is crucial to capture the results and post-conditions of an adversary's operations. These are labeled as success, failure, or unknown. The event results can be related to the CIA triad.

  • Direction - Helps describe host- and network-based events by representing the direction of the intrusion activity. The Diamond Model of Intrusion Analysis shows seven values for this meta-feature: Victim-to-Infrastructure, Infrastructure-to-Victim, Infrastructure-to-Infrastructure, Adversary-to-Infrastructure, Infrastructure-to-Adversary, Bidirectional, or Unknown.

  • Methodology - Allows an analyst to describe the general classification of the intrusion (phishing, DDoS, breach, port scan, etc.).

  • Resources - An intrusion event needs one or more external resources to be satisfied in order to succeed:

    • software (e.g., operating systems, virtualization software, or Metasploit framework)

    • knowledge (e.g., how to use Metasploit to execute the attack and run the exploit)

    • information (e.g., a username/password to masquerade)

    • hardware (e.g., servers, workstations, routers)

    • funds (e.g., money to purchase domains)

    • facilities (e.g., electricity or shelter)

    • access (e.g., a network path from the source host to the victim and vice versa, network access from an Internet Service Provider (ISP)).
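To make the structure above concrete, here is an added example (not from the original notes) that records a Diamond Model event as a data structure: the four core features, the six meta-features, validation of the fixed vocabularies for Direction and Result, and a grouping helper that clusters events sharing an infrastructure node and orders them by timestamp, which is how an analyst starts relating events into one activity even while the adversary is still "unknown". All indicator values below are constructed placeholders, and the function names are my own, not part of the model.

```python
"""Added example: a minimal Diamond Model event record plus two analyst helpers.
Not part of the original notes; all indicators are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Fixed vocabularies taken from the Direction and Result meta-features.
DIRECTIONS = {
    "Victim-to-Infrastructure", "Infrastructure-to-Victim",
    "Infrastructure-to-Infrastructure", "Adversary-to-Infrastructure",
    "Infrastructure-to-Adversary", "Bidirectional", "Unknown",
}
RESULTS = {"success", "failure", "unknown"}


@dataclass
class DiamondEvent:
    # core features
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    # meta-features
    timestamp: datetime
    phase: str
    result: str
    direction: str
    methodology: str
    resources: list = field(default_factory=list)

    def __post_init__(self):
        # Reject values outside the model's vocabulary so later pivoting is consistent.
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction: {self.direction}")
        if self.result not in RESULTS:
            raise ValueError(f"unknown result: {self.result}")


def group_by_infrastructure(events):
    """Return {infrastructure: [events sorted by timestamp]}.

    Events sharing a C2 domain, staging server, etc. are candidates for the
    same activity thread even when the adversary field is still 'unknown'.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[ev.infrastructure].append(ev)
    return {k: sorted(v, key=lambda e: e.timestamp) for k, v in groups.items()}


# Constructed sample events (hypothetical indicators, not real ones).
SAMPLE = [
    DiamondEvent("unknown", "phishing email with macro document", "mail.example.invalid",
                 "finance@victim.example", datetime(2024, 1, 3, 9, 12),
                 "Delivery", "success", "Infrastructure-to-Victim", "phishing",
                 ["funds (domain purchase)", "access (ISP uplink)"]),
    DiamondEvent("unknown", "HTTP beacon implant", "c2.example.invalid",
                 "host-finance-07", datetime(2024, 1, 3, 9, 40),
                 "Command and Control", "success", "Victim-to-Infrastructure",
                 "breach", ["software (implant)"]),
    DiamondEvent("unknown", "HTTP beacon implant", "c2.example.invalid",
                 "host-hr-02", datetime(2024, 1, 3, 9, 25),
                 "Command and Control", "unknown", "Victim-to-Infrastructure",
                 "breach", ["software (implant)"]),
]


def activity_thread_sizes(events=SAMPLE):
    """Number of events per shared infrastructure node."""
    return {k: len(v) for k, v in group_by_infrastructure(events).items()}


def earliest_victim_on(infra, events=SAMPLE):
    """First victim seen communicating with a given infrastructure node, by timestamp."""
    grouped = group_by_infrastructure(events)
    return grouped[infra][0].victim if infra in grouped else None


def accepts_direction(direction):
    """True if the Direction value is in the model's vocabulary, else False."""
    try:
        DiamondEvent("a", "c", "i", "v", datetime(2024, 1, 1), "Delivery",
                     "unknown", direction, "phishing")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(activity_thread_sizes())
    print(earliest_victim_on("c2.example.invalid"))
```

Running the block shows two events pivoting on the shared C2 node, and that the HR host beaconed fifteen minutes before the finance host, which is exactly the kind of timestamp ordering the Timestamp meta-feature is meant to support.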

What meta-feature does the axiom "Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result" belong to?

Phase

You can label the event results as "success", "failure", and "unknown". What meta-feature is this related to?

Result

To what meta-feature is this phrase applicable "Every intrusion event requires one or more external resources to be satisfied prior to success"?

Resources

Social-Political Component

Social-Political Component describes the needs and intents of the adversary such as financial gain, hacker community acceptance, hacktivism, or espionage.

Technology Component

Technology Component highlights the relationship between two core features, capability and infrastructure, to describe how the adversary operates and communicates.

Practical Analysis
