Diamond Model in Cyber Threat Intelligence

Diamond Model Features & Meta-Features

  • Adversary: intruder/attacker
  • Capabilities: adversary’s tools and/or techniques
  • Infrastructure: physical and/or logical resources used by adversary
  • Victim: organization or system hit by adversary
Diamond Model of Intrusion Analysis (from paper)
  • Timestamp: date and time intrusion event occurred
  • Phase: which event, in the chain of events, is represented by this particular model
  • Result: outcome of intrusion (e.g., success, failure, or unknown; or confidentiality compromised, integrity compromised, and/or availability compromised)
  • Direction: how event moved through network or host (e.g., Victim-to-Infrastructure, Adversary-to-Infrastructure, Bidirectional)
  • Methodology: category of event (e.g., spearphishing, port scan)
  • Resources: elements required for intrusion (e.g., particular software, hardware, knowledge, funds, facilities, access)
  • Social-political: relationship between adversary and victim, based on victim’s needs and aspirations
  • Technology: tech involved in adversary’s capabilities and use of infrastructure

Using the Diamond Model for CTI

Diamond Model activity-attack graph (from paper)

Activity group steps

  1. Analytic problem: define the question you’re trying to answer (e.g., “What’s the adversary’s intent?”)
  2. Feature selection: define the event features and adversary processes you’ll use for classification and clustering
  3. Creation: create activity groups from events and activity threads
  4. Growth: integrate new events into activity groups
  5. Analysis: analyze activity groups to answer analytic problem from step 1
  6. Redefinition: redefined activity groups as needed, as adversaries change

Additional Resources



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chad Warner

Chad Warner


Cyber threat intelligence (CTI), OSINT, & cybersecurity enthusiast. Seeking a CTI job. Bookworm. Fan of Tolkien & LEGO.