The Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis was developed by cybersecurity professionals Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in 2013. The Diamond Model is composed of four core features: adversary, infrastructure, capability, and victim. Why is it called a "Diamond Model"? The four core features are edge-connected, representing their underlying relationships, and arranged in the shape of a diamond. This framework establishes the fundamental atomic element of any intrusion activity: the event. There are two additional components, or axes, of the Diamond Model: Social-Political and Technology.
This model carries the essential concepts of intrusion analysis and adversary operations while allowing the flexibility to expand and encompass new ideas and concepts. There are various opportunities to integrate intelligence in real-time for network defense, automating correlation across events, classifying events with confidence into adversary campaigns, and forecasting adversary operations while planning and gaming mitigation strategies.
Adversary
According to the Diamond Model, an adversary is an actor or organization responsible for utilizing a capability against the victim to achieve their intent. It is essential to know the distinction between adversary operator and adversary customer. Knowing this distinction will help you understand intent, attribution, adaptability, and persistence by helping to frame the relationship between an adversary and victim pair. It is difficult to identify an adversary during the first stages of a cyberattack. Utilizing data collected from an incident or breach, signatures, and other relevant information can help you determine who the adversary might be.
Adversary Operator is the “hacker” or person(s) conducting the intrusion activity.
Adversary Customer is the entity that stands to benefit from the activity conducted in the intrusion. It may be the same person who stands behind the adversary operator, or it may be a separate person or group.
Victim
The victim is the target of the adversary. A victim can be an organization, person, target, email address, IP address, or domain. It is key to understand the difference between the victim persona and victim assets because they serve different analytic functions.
Victim Personae are the people and organizations being targeted and whose assets are being attacked and exploited. These can be organization names, people’s names, industries, job roles, interests, etc.
Victim Assets are the attack surface and include the set of systems, networks, email addresses, hosts, IP addresses, social networking accounts, etc., to which the adversary will direct their capabilities.
Capability
Capability is the skill, tools, and techniques used by the adversary in the event. The capability highlights the adversary’s tactics, techniques, and procedures (TTPs). The capability can include all techniques used to attack the victims, from the less sophisticated methods, such as manual password guessing, to the most sophisticated techniques, like developing malware or a malicious tool.
Capability Capacity is all of the vulnerabilities and exposures that the individual capability can use.
An Adversary Arsenal is a set of capabilities that belong to an adversary. The combined capacities of an adversary's capabilities make it the adversary's arsenal.
An adversary must have the required capabilities. The capabilities can be malware and phishing email development skills or, at least, access to capabilities, such as acquiring malware or ransomware as a service.
Infrastructure
Infrastructure is the physical or logical interconnections that the adversary uses to deliver a capability or maintain control of capabilities, for example, a command and control (C2) server, and to receive results from the victim, for example, the channel used for data exfiltration.
The infrastructure can also be IP addresses, domain names, email addresses, or even a malicious USB device found in the street that is being plugged into a workstation.
Type 1 Infrastructure is the infrastructure controlled or owned by the adversary.
Type 2 Infrastructure is the infrastructure controlled by an intermediary. The intermediary may or may not be aware of it. This is the infrastructure that a victim will see as the adversary. Type 2 Infrastructure has the purpose of obfuscating the source and attribution of the activity. Type 2 Infrastructure includes malware staging servers, malicious domain names, compromised email accounts, etc.
Service Providers are organizations that provide services considered critical to the availability of the adversary's Type 1 and Type 2 Infrastructure, for example, Internet Service Providers, domain registrars, and webmail providers.
Event Meta Features
There are six possible meta-features that can be added to the Diamond Model:
Timestamp
Phase
Result
It is crucial to capture the results and post-conditions of an adversary's operations, but they are not always known. The event results can be labelled as "success," "failure," or "unknown."
The event results can also be related to the CIA (confidentiality, integrity, and availability) triad, such as Confidentiality Compromised, Integrity Compromised, and Availability Compromised.
Another approach can also be documenting all of the post-conditions resulting from the event, for example, information gathered in the reconnaissance stage or successful passwords/sensitive data exfiltration.
Direction
This meta-feature helps describe host-based and network-based events and represents the direction of the intrusion activity.
The Diamond Model of Intrusion Analysis defines seven potential values for this meta-feature:
Victim-to-Infrastructure
Infrastructure-to-Victim
Infrastructure-to-Infrastructure
Adversary-to-Infrastructure
Infrastructure-to-Adversary
Bidirectional
Unknown
Methodology
This meta-feature allows an analyst to describe the general classification of the intrusion, for example, phishing, DDoS, breach, port scan, etc.
Resources
Every intrusion event needs one or more external resources to be satisfied in order to succeed:
Software: operating systems, virtualization software, or the Metasploit framework
Knowledge: how to use Metasploit to execute the attack and run the exploit
Information: a username/password to masquerade
Hardware: servers, workstations, routers
Funds: money to purchase domains
Facilities: electricity or shelter
Access: a network path from the source host to the victim and vice versa, and network access from an Internet Service Provider (ISP)
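As an added example (not from the original page), here is how an analyst could encode events in this model and pivot across shared core features to link them into activity threads, the correlation and campaign grouping the model is meant to support. The schema, field names, and sample events are constructed; the adversary feature is left out of the default pivots because an "unknown" value would link every event.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four core features plus two meta-features (constructed schema)."""
    event_id: str
    adversary: str        # often "unknown" early in an investigation
    capability: str       # tool or technique used against the victim
    infrastructure: str   # delivery or C2 point (Type 1 or Type 2)
    victim: str           # persona or asset
    result: str           # "success", "failure" or "unknown"
    direction: str        # one of the seven direction values

def pivot(events, feature):
    """Group event ids by a shared core feature, keeping only values seen more than once."""
    groups = defaultdict(list)
    for ev in events:
        groups[getattr(ev, feature)].append(ev.event_id)
    return {k: v for k, v in groups.items() if len(v) > 1}

def activity_threads(events, features=("infrastructure", "capability", "victim")):
    """Link events that share any of the given core features into threads (candidate
    campaigns) by following the pivots transitively; a small union-find does the joining."""
    parent = {ev.event_id: ev.event_id for ev in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for feature in features:
        for ids in pivot(events, feature).values():
            for other in ids[1:]:
                parent[find(other)] = find(ids[0])
    threads = defaultdict(set)
    for eid in parent:
        threads[find(eid)].add(eid)
    return sorted(sorted(t) for t in threads.values())

# Constructed sample: a phishing delivery, two beacons to the same C2 host, and an unrelated scan.
EVENTS = [
    DiamondEvent("E1", "unknown", "macro document", "mailer.example.invalid",
                 "finance@victim.example", "success", "Infrastructure-to-Victim"),
    DiamondEvent("E2", "unknown", "loader beacon", "198.51.100.7",
                 "finance@victim.example", "success", "Victim-to-Infrastructure"),
    DiamondEvent("E3", "unknown", "loader beacon", "198.51.100.7",
                 "hr@victim.example", "unknown", "Victim-to-Infrastructure"),
    DiamondEvent("E4", "unknown", "port scan", "203.0.113.9",
                 "vpn.victim.example", "unknown", "Infrastructure-to-Victim"),
]
```

Running `activity_threads(EVENTS)` joins E1, E2 and E3 into one thread (E1 and E2 share a victim, E2 and E3 share infrastructure and capability) while E4 stays on its own.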
Social-Political Component
This describes the needs and intent of the adversary. Examples are financial gain, gaining acceptance in the hacker community, hacktivism, or espionage.
Technology Component
This component highlights the relationship between two of the core features: capability and infrastructure. Together, the capability and infrastructure describe how the adversary operates and communicates. An example scenario is a watering-hole attack, a methodology in which the adversary compromises legitimate websites that they believe their targeted victims will visit.
Wrap-Up
The Diamond Model is a scientific method for improving the efficiency and accuracy of intrusion analysis. It provides the opportunity to leverage real-time intelligence for network defense and to predict adversary operations.