Diamond Model in Cyber Threat Intelligence

Diamond Model Features & Meta-Features

The Diamond Model is so named because of the shape formed by the relationships between the 4 core features of an intrusion event:

  • Adversary: the actor (organization, group, or individual) behind the intrusion
  • Capability: adversary’s tools and/or techniques
  • Infrastructure: physical and/or logical resources the adversary uses to deliver a capability or keep control of it (e.g., mail relays, C2 domains, compromised hosts)
  • Victim: organization, person, or system hit by the adversary

Diamond Model of Intrusion Analysis (from paper)

Each event also carries meta-features. They do not change the diamond’s shape, but they are what lets an analyst order events in time, chain them into activity threads, and link them into activity groups:

  • Timestamp: when the event began and ended
  • Phase: which step of the intrusion (e.g., a kill-chain phase) this particular event represents
  • Result: outcome of the event (e.g., success, failure, or unknown; or confidentiality compromised, integrity compromised, and/or availability compromised)
  • Direction: how the event moved through the network or host (e.g., Victim-to-Infrastructure, Adversary-to-Infrastructure, Bidirectional)
  • Methodology: category of event (e.g., spearphishing, port scan)
  • Resources: elements required for the event to occur (e.g., particular software, hardware, knowledge, funds, facilities, access)

The extended Diamond Model adds two more meta-features, one on each axis of the diamond:

  • Social-political (Adversary–Victim axis): the relationship between adversary and victim, based on the adversary’s needs and aspirations, i.e., why this victim was chosen
  • Technology (Capability–Infrastructure axis): the technology that lets the adversary’s capabilities and infrastructure work together (e.g., a protocol or file format both rely on)

Using the Diamond Model for CTI

The Diamond Model’s value for CTI analysts is in identifying relationships between events, and in analyzing events to learn about adversary behavior. Events by the same adversary against the same victim are ordered by phase into an activity thread; threads across victims, together with hypothesized events that were not observed, form an activity-attack graph that shows both what the adversary did and what it could do next.

Diamond Model activity-attack graph (from paper)

Activity group steps

The original Diamond Model of Intrusion Analysis paper gives these steps for creating and analyzing activity groups:

  1. Analytic problem: state the question the grouping must answer (e.g., attribution, trending, or gap analysis)
  2. Feature selection: define the event features and adversary processes you’ll use for classification and clustering
  3. Creation: create activity groups from events and activity threads
  4. Growth: integrate new events into existing activity groups
  5. Analysis: analyze activity groups to answer the analytic problem from step 1
  6. Redefinition: redefine activity groups as needed, as adversaries change
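The following is an added worked example, not code from the article or from the Diamond Model paper. It models an event with the four core features and the meta-features listed above, then walks the feature selection, creation, growth, and analysis steps over a handful of constructed sample events (the adversary names, capabilities, domains, and victim names are invented for the example). The linking rule, that two events fall into the same activity group when they share the value of at least one selected feature, transitively, is an assumption chosen for the example; the paper leaves the clustering criteria to the analyst. The kill-chain-style phase list is likewise an assumption, since the model leaves the phase vocabulary analyst-defined.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence

# Meta-feature vocabularies. RESULTS and DIRECTIONS follow the paper; the
# phase list is analyst-defined in the model, so this kill-chain-style
# list is an assumption made for the example.
PHASES = ("reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command and control", "actions on objectives")
RESULTS = ("success", "failure", "unknown")
DIRECTIONS = ("Victim-to-Infrastructure", "Infrastructure-to-Victim",
              "Infrastructure-to-Infrastructure", "Adversary-to-Infrastructure",
              "Infrastructure-to-Adversary", "Bidirectional", "Unknown")


@dataclass(frozen=True)
class Event:
    """One Diamond Model event: the four core features plus meta-features."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    timestamp: str      # ISO 8601 string, used only for ordering here
    phase: str
    result: str
    direction: str
    methodology: str

    def __post_init__(self):
        # Reject values outside the controlled vocabularies at construction time.
        for name, value, allowed in (("phase", self.phase, PHASES),
                                     ("result", self.result, RESULTS),
                                     ("direction", self.direction, DIRECTIONS)):
            if value not in allowed:
                raise ValueError(f"{name}={value!r} not in {allowed}")


def activity_groups(events: Iterable[Event], features: Sequence[str]) -> list[list[Event]]:
    """Creation step: cluster events into activity groups.

    Linking rule (an assumption of this example): two events belong to the
    same group if they share the value of at least one selected feature,
    transitively. The literal value "unknown" never links events, so an
    unattributed adversary does not collapse unrelated activity into one group.
    """
    events = list(events)
    parent = list(range(len(events)))  # union-find over event indices

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (feature, value) -> index of the first event carrying it
    for i, ev in enumerate(events):
        for feat in features:
            value = getattr(ev, feat)
            if value == "unknown":
                continue
            key = (feat, value)
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i

    groups = {}
    for i, ev in enumerate(events):
        groups.setdefault(find(i), []).append(ev)
    return [sorted(g, key=lambda e: e.timestamp) for g in groups.values()]


def grow(groups, new_events, features):
    """Growth step: integrate new events; one new event can merge two groups."""
    return activity_groups([e for g in groups for e in g] + list(new_events), features)


def activity_thread(group, victim):
    """Activity thread: one victim's events from a group, in phase order."""
    return sorted((e for e in group if e.victim == victim),
                  key=lambda e: (PHASES.index(e.phase), e.timestamp))


def summarize(group):
    """Analysis step: what the group says about the adversary's footprint."""
    return {
        "victims": sorted({e.victim for e in group}),
        "capabilities": sorted({e.capability for e in group}),
        "infrastructure": sorted({e.infrastructure for e in group}),
        "phases": [p for p in PHASES if any(e.phase == p for e in group)],
    }


# Constructed sample events for the example (invented names, not real indicators).
SAMPLE_EVENTS = (
    Event("unknown", "masscan", "scan-host-z", "org-finance", "2024-01-02T03:00Z",
          "reconnaissance", "unknown", "Infrastructure-to-Victim", "port scan"),
    Event("unknown", "weaponized-doc", "mail-relay-a", "org-finance", "2024-01-05T09:12Z",
          "delivery", "success", "Infrastructure-to-Victim", "spearphishing"),
    Event("unknown", "rat-family-x", "c2-domain-a", "org-finance", "2024-01-05T09:40Z",
          "command and control", "success", "Victim-to-Infrastructure", "beaconing"),
    Event("unknown", "rat-family-x", "c2-domain-b", "org-hr", "2024-01-09T14:02Z",
          "command and control", "success", "Victim-to-Infrastructure", "beaconing"),
)
# A later event (also constructed) in which the dropper fetches its payload from
# the C2 domain, tying the delivery event to the RAT activity.
BRIDGE_EVENT = Event("unknown", "weaponized-doc", "c2-domain-a", "org-finance",
                     "2024-01-05T09:15Z", "installation", "success",
                     "Victim-to-Infrastructure", "payload download")

if __name__ == "__main__":
    selected = ("capability", "infrastructure")       # feature selection step
    groups = activity_groups(SAMPLE_EVENTS, selected)  # creation: 3 groups
    groups = grow(groups, [BRIDGE_EVENT], selected)    # growth: merges to 2
    for g in groups:
        print(summarize(g))
```

Two points the run makes that the step list alone does not: feature selection decides the clustering (selecting capability and infrastructure yields three groups from the sample events, adding victim collapses them into one, and selecting only the unattributed adversary links nothing), and growth is not append-only, since a single new event that shares one feature with each of two groups merges them, which is exactly the case that should trigger the redefinition step.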

Additional Resources

The Diamond Model of Intrusion Analysis: original paper that introduced the concept (PDF)
