Diamond Model in Cyber Threat Intelligence

Diamond Model Features & Meta-Features

  • Adversary: intruder/attacker
  • Capabilities: adversary’s tools and/or techniques
  • Infrastructure: physical and/or logical resources used by adversary
  • Victim: organization or system hit by adversary
[Figure: Diamond Model of Intrusion Analysis (from paper)]
  • Timestamp: date and time intrusion event occurred
  • Phase: which event, in the chain of events, is represented by this particular model
  • Result: outcome of intrusion (e.g., success, failure, or unknown; or confidentiality compromised, integrity compromised, and/or availability compromised)
  • Direction: how event moved through network or host (e.g., Victim-to-Infrastructure, Adversary-to-Infrastructure, Bidirectional)
  • Methodology: category of event (e.g., spearphishing, port scan)
  • Resources: elements required for intrusion (e.g., particular software, hardware, knowledge, funds, facilities, access)
  • Social-political: relationship between adversary and victim, based on victim’s needs and aspirations
  • Technology: tech involved in adversary’s capabilities and use of infrastructure

Using the Diamond Model for CTI

[Figure: Diamond Model activity-attack graph (from paper)]

Activity group steps

  1. Analytic problem: define the question you’re trying to answer (e.g., “What’s the adversary’s intent?”)
  2. Feature selection: define the event features and adversary processes you’ll use for classification and clustering
  3. Creation: create activity groups from events and activity threads
  4. Growth: integrate new events into activity groups
  5. Analysis: analyze activity groups to answer analytic problem from step 1
  6. Redefinition: redefine activity groups as needed, as adversaries change
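To make the feature-selection, creation and growth steps concrete, here is an added example (not from the original post or the Diamond Model paper) that models an event with its four core features plus meta-features, then clusters events into activity groups using a hypothetical selection rule (shared infrastructure or shared capability). All event values are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Event:
    """One intrusion event: four core features plus the meta-features used here."""
    adversary: Optional[str]   # frequently unknown when the event is first recorded
    capability: str            # tool or technique
    infrastructure: str        # physical/logical resource the adversary used
    victim: str                # organization or system hit
    timestamp: str             # when the event occurred (ISO 8601)
    phase: str                 # position in the chain of events
    result: str                # success / failure / unknown
    direction: str             # e.g. "Infrastructure-to-Victim"
    methodology: str           # event category, e.g. "spearphishing"

# Step 2, feature selection: a hypothetical rule deciding when two events are related.
def shares_selected_features(a: Event, b: Event) -> bool:
    return a.infrastructure == b.infrastructure or a.capability == b.capability

def add_to_groups(groups: list[list[Event]], ev: Event,
                  related: Callable[[Event, Event], bool] = shares_selected_features):
    """Step 4, growth: place one new event, merging every group it is related to."""
    matching = [g for g in groups if any(related(ev, other) for other in g)]
    rest = [g for g in groups if g not in matching]
    merged = [e for g in matching for e in g] + [ev]
    return rest + [merged]

def build_activity_groups(events: list[Event],
                          related: Callable[[Event, Event], bool] = shares_selected_features):
    """Step 3, creation: cluster a batch of events into activity groups."""
    groups: list[list[Event]] = []
    for ev in events:
        groups = add_to_groups(groups, ev, related)
    return groups

# Constructed sample events (all values invented for illustration).
SAMPLE_EVENTS = [
    Event(None, "macro-doc", "relay-a.example", "org-1", "2024-01-05T09:00Z", "delivery", "success", "Infrastructure-to-Victim", "spearphishing"),
    Event(None, "macro-doc", "relay-b.example", "org-2", "2024-01-06T10:30Z", "delivery", "failure", "Infrastructure-to-Victim", "spearphishing"),
    Event(None, "port-scan", "scanner-c.example", "org-3", "2024-01-07T02:15Z", "reconnaissance", "unknown", "Infrastructure-to-Victim", "port scan"),
]
# A later event sharing infrastructure with group 1 and capability with group 2.
NEW_EVENT = Event(None, "port-scan", "relay-b.example", "org-1", "2024-01-09T23:40Z", "reconnaissance", "unknown", "Infrastructure-to-Victim", "port scan")

if __name__ == "__main__":
    groups = build_activity_groups(SAMPLE_EVENTS)   # two groups: spearphishing pair, lone scan
    grown = add_to_groups(groups, NEW_EVENT)         # growth merges them into one group of four
    print(len(groups), "groups before growth;", len(grown), "after, sizes", [len(g) for g in grown])
```

Changing `shares_selected_features` is the redefinition step: a stricter or looser rule re-partitions the same events into different activity groups.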
