Diamond Model in Cyber Threat Intelligence

The Diamond Model of Intrusion Analysis is a model for mapping adversary activity. It’s useful for many aspects of InfoSec, including CTI.

Diamond Model Features & Meta-Features

The Diamond Model is so named because of the shape formed by the relationships between the 4 core features of an intrusion event:

• Adversary: intruder/attacker
• Capabilities: adversary’s tools and/or techniques
• Infrastructure: physical and/or logical resources used by adversary
• Victim: organization or system hit by adversary

The adversary uses its capabilities over some infrastructure against a victim.

Diamond Model of Intrusion Analysis (from paper)

Event meta-features provide more info about the event:

• Timestamp: date and time intrusion event occurred
• Phase: which event, in the chain of events, is represented by this particular model
• Result: outcome of intrusion (e.g., success, failure, or unknown; or confidentiality compromised, integrity compromised, and/or availability compromised)
• Direction: how event moved through network or host (e.g., Victim-to-Infrastructure, Adversary-to-Infrastructure, Bidirectional)
• Methodology: category of event (e.g., spearphishing, port scan)
• Resources: elements required for intrusion (e.g., particular software, hardware, knowledge, funds, facilities, access)
• Social-political: relationship between adversary and victim, based on victim’s needs and aspirations
• Technology: tech involved in adversary’s capabilities and use of infrastructure

Diamond Model Axioms

The original Diamond Model paper includes 7 axioms about intrusion events, adversaries, and victims. These are useful to keep in mind when investigating and analyzing adversary activity.

1. “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.”
2. “There exists a set of adversaries (insiders, outsiders, individuals, groups, and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.”
3. “Every system, and by extension every victim asset, has vulnerabilities and exposures.”
4. “Every malicious activity contains two or more phases which must be success- fully executed in succession to achieve the desired result.”
5. “Every intrusion event requires one or more external resources to be satisfied prior to success.”
6. “A relationship always exists between the Adversary and their Victim(s) even if distant, fleeting, or indirect.”
7. “There exists a sub-set of the set of adversaries which have the motivation, resources, and capabilities to sustain malicious effects for a significant length of time against one or more victims while resisting mitigation efforts. Adversary-Victim relationships in this sub-set are called persistent adversary relationships.”

Using the Diamond Model for CTI

The Diamond Model’s value for CTI analysts is in identifying relationships between events, and in analyzing events to learn about adversary behavior.

In analytic pivoting, you start with one point on the diamond and pivot to discover and learn more about the other points. For example, learning about a victim can lead to learning more about the adversary’s capabilities and infrastructure.

The Diamond Model isn’t meant to be used to look at an intrusion event as a point in time; it’s meant to track adversaries over time.

An activity thread shows the chain of events and causal relationships between them as the adversary has acted against multiple victims. By correlating events across activity threads, you can identify adversary campaigns. You can also gain a fuller understanding of the adversary’s behavior, which helps plan mitigations.

An activity-attack graph goes beyond historical intel and predicts future paths the adversary could take. This helps you plan mitigations.

Diamond Model activity-attack graph (from paper)

An activity group is a set of events and activity threads that have similar features or processes. Forming an activity group gives you more info to analyze. You can use this info to automatically correlate events, and to plan mitigations. You can also use it to identify the adversary behind events and threads, by observing similar use of capabilities and infrastructure. After identifying and adversary, you can learn more about their TTPs, which can help you plan mitigations.

Activity group steps

The original Diamond Model of Intrusion Analysis paper gives these steps for creating and analyzing activity groups:

1. Analytic problem: define the question you’re trying to answer (e.g., “What’s the adversary’s intent?”)
2. Feature selection: define the event features and adversary processes you’ll use for classification and clustering
3. Creation: create activity groups from events and activity threads
4. Growth: integrate new events into activity groups
5. Analysis: analyze activity groups to answer analytic problem from step 1
6. Redefinition: redefined activity groups as needed, as adversaries change

Additional Resources

The Diamond Model of Intrusion Analysis: original paper that introduced the concept (PDF)