| Title | Author | Created | Published | Tags |
| ------------- | ---------- | ------------------ | ------------------ | -------------------------------------------- |
| Diamond Model | Jon Marien | September 08, 2025 | September 08, 2025 | [[#soc\|#soc]], [[#arcticwolf\|#arcticwolf]] |
![[diamond.png]]
# Diamond Model
The Diamond Model of Intrusion Analysis was developed in 2013 by cybersecurity professionals Sergio Caltagirone, Andrew Pendergast, and Christopher Betz.
As described by its creators, the Diamond Model is composed of four core features: adversary, infrastructure, capability, and victim. Together they establish the fundamental atomic element of any intrusion activity, the event. You might have also noticed two additional components or axes of the Diamond Model, Social-Political and Technology; they are covered in a little more detail below. Why is it called a "Diamond Model"? The four core features are edge-connected, representing their underlying relationships, and arranged in the shape of a diamond.
The Diamond Model carries the essential concepts of intrusion analysis and adversary operations while allowing the flexibility to expand and encompass new ideas and concepts. The model provides various opportunities to integrate intelligence in real-time for network defense, automating correlation across events, classifying events with confidence into adversary campaigns, and forecasting adversary operations while planning and gaming mitigation strategies.
The Diamond Model can help you identify the elements of an intrusion. It can also help you explain to non-technical people what happened during an event and convey any valuable information about the malicious threat actor.
---
## Adversary
The Diamond Model of Intrusion Analysis focuses on four main parts: adversary, infrastructure, capability, and victim.
**Adversary:**
An adversary is the person or group behind a cyberattack. You might also hear terms like attacker, enemy, cyber threat actor, or hacker. According to the model’s creators, an adversary is the actor or organization using a certain capability against a victim to carry out their plan. Initially, information about the adversary is often unknown or incomplete, but investigating an incident, looking at digital evidence (like signatures), and other collected data can help find out who the adversary is.
It’s important to understand the difference between an adversary operator and an adversary customer:
- **Adversary Operator:** The individual or team actually carrying out the hacking or intrusion.
- **Adversary Customer:** The person or group who benefits from the attack. This could be the same as the operator or a separate person or organization. Sometimes, one customer may control many operators, and each operator might use their own capabilities and infrastructure in the attack.
Knowing whether you’re dealing with an operator or a customer is important. It can help with understanding the attacker’s intentions, figuring out who’s behind the attack (attribution), and seeing how flexible or persistent the attack might be.
During the early stages of a cyberattack, it is usually hard to identify the adversary. However, analyzing evidence from the breach can give clues about who the attacker may be.
---
## Victim
A victim is the target of an adversary’s attack. This could be an entire organization, an individual person, a specific email address, an IP address, or a domain. It’s important to distinguish between victim personae (who the people or organizations are) and victim assets (what resources or systems are being targeted), since both serve different purposes in analysis.
A victim might be chosen because they present an opportunity for attackers to get a foothold in the organization. In every cyberattack, there is always a victim. For example, if a carefully crafted phishing email is sent to a company and someone clicks the link, that person has become the victim the attacker wanted to target.
- **Victim Personae:** This refers to the people or organizations who are the focus of the attack; these can be company names, individuals, industry sectors, job roles, or specific personal interests.
- **Victim Assets:** These are the various systems, networks, email addresses, computers, IP addresses, social media accounts, and other things that make up the “attack surface” the adversary is going after.
Understanding the difference between victim personae and victim assets helps analysts figure out both who is being targeted and what the attackers are trying to exploit.
---
## Capability
Capability refers to the skills, tools, and techniques that an adversary uses during an attack. This includes the attacker’s tactics, techniques, and procedures (often called TTPs). Capabilities can range from very basic methods, such as manually guessing passwords, to advanced techniques like developing custom malware or specialized hacking tools.
- **Capability Capacity** is the collection of vulnerabilities and exposures that a specific capability can exploit.
- An **Adversary Arsenal** is the full set of capabilities (skills, tools, and techniques) that an attacker has available to them. The total capacity of all these capabilities makes up the adversary’s arsenal.
To carry out a cyberattack, an adversary must have, or be able to access, the necessary capabilities. These might include abilities like writing malware and crafting phishing emails, or simply the resources to buy or rent these tools and services (for example, purchasing malware or “ransomware as a service” from others).
---
## Infrastructure
Infrastructure refers to the physical or digital tools and connections an attacker uses to deliver an attack or keep their operations running. This can include both software and hardware. Examples of infrastructure are command and control (C2) centers used to manage attacks, as well as systems for collecting data from victims (like during data exfiltration).
Infrastructure can take many forms, including:
- IP addresses,
- Domain names,
- Email addresses,
- Even physical tools like a malicious USB drive left for someone to find and use.
There are two main types of infrastructure:
- **Type 1 Infrastructure:**
This is infrastructure directly owned or controlled by the attacker. They set it up themselves and use it to manage their operations.
- **Type 2 Infrastructure:**
This type is controlled by an intermediary, which could be another person, organization, or a compromised system. Sometimes the intermediary does not even realize their resources are being used by an attacker. Type 2 infrastructure is mainly used to hide the attacker’s real identity and make attacks harder to trace. Examples include malware staging servers, fake domain names, and hacked email accounts.
**Service providers**, such as internet service providers, domain registrars, or webmail platforms, play a role in keeping both Type 1 and Type 2 infrastructure running, even if they aren’t aware that they’re helping an attacker.
---
## Event Meta Features
![[image-950.png]]
The Diamond Model includes six optional meta-features that you can use to add even more detail to your intrusion analysis. These aren’t required, but they help paint a fuller picture of an attack:
- **Timestamp:**
This is the exact date and time when the event happened, for example "2021-09-12 02:10:12.136". Recording when each event starts and ends is crucial for spotting patterns and grouping activities. For instance, if a breach happens at 3 a.m. in the U.S., it might hint that the attacker is from another country with a different business schedule.
- **Phase:**
This describes the different steps or stages in an attack, sometimes called the phases of an intrusion. According to the Diamond Model’s Axiom 4: “Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result.” This means that cyberattacks are usually made up of several steps that must be completed in order, just like the Cyber Kill Chain. Common phases are:
    - Reconnaissance,
    - Weaponization,
    - Delivery,
    - Exploitation,
    - Installation,
    - Command & Control,
    - Actions on Objective.
- **Result:**
This tells you what happened because of the event. Sometimes, you might not know for sure, but it’s still useful to record. The result can be labeled as “success,” “failure,” or “unknown.” Results can also be tied to the CIA triad—Confidentiality, Integrity, and Availability—showing if any of these were compromised. For example: Confidentiality Compromised (data stolen), Integrity Compromised (data changed), or Availability Compromised (system taken offline).
- **Direction:**
This shows which way the attack moved between different parts of the system—who communicated with whom. There are seven possible values: Victim-to-Infrastructure, Infrastructure-to-Victim, Infrastructure-to-Infrastructure, Adversary-to-Infrastructure, Infrastructure-to-Adversary, Bidirectional, or Unknown.
- **Methodology:**
This meta-feature categorizes the general type of attack, like phishing, DDoS, breach, port scan, etc.
- **Resources:**
Every attack needs certain outside resources to succeed. These can include software (like Metasploit), knowledge (knowing how to use a tool), information (usernames/passwords), hardware (servers, workstations, routers), funding (money for buying domains), facilities (power, physical location), or access (connections over a network).
These meta-features help analysts organize, understand, and respond to complex intrusion events much more effectively.
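As an added example (not part of the original notes or of the model authors' own tooling), the core features and meta-features above expressed as a validated event record, with two helpers: one orders a victim's events into the phase succession Axiom 4 describes, the other correlates events across victims that share a piece of infrastructure, the kind of cross-event correlation the model is meant to support. The `DiamondEvent` class, the helper names, and the sample victims and hostnames are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Model vocabularies: phases in Kill Chain order (Axiom 4), result labels, directions.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objective"]
RESULTS = {"success", "failure", "unknown"}
DIRECTIONS = {"Victim-to-Infrastructure", "Infrastructure-to-Victim",
              "Infrastructure-to-Infrastructure", "Adversary-to-Infrastructure",
              "Infrastructure-to-Adversary", "Bidirectional", "Unknown"}
@dataclass(frozen=True)
class DiamondEvent:
    adversary: str       # core features (the four vertices); the adversary is
    capability: str      # often still "unknown" early in an investigation
    infrastructure: str
    victim: str
    timestamp: datetime  # meta-features, checked against the vocabularies above
    phase: str
    result: str
    direction: str
    methodology: str
    def __post_init__(self):
        for value, allowed in ((self.phase, PHASES), (self.result, RESULTS),
                               (self.direction, DIRECTIONS)):
            if value not in allowed:
                raise ValueError(f"{value!r} is not one of {sorted(allowed)}")

def activity_thread(events, victim):
    # One victim's events ordered by phase, then time: the Axiom 4 succession.
    return sorted((e for e in events if e.victim == victim),
                  key=lambda e: (PHASES.index(e.phase), e.timestamp))

def pivot_on_infrastructure(events):
    # Correlate across victims: infrastructure seen against more than one victim.
    by_infra = {}
    for e in events:
        by_infra.setdefault(e.infrastructure, []).append(e)
    return {i: evs for i, evs in by_infra.items() if len({e.victim for e in evs}) > 1}

def _ev(victim, ts, phase, infra, cap, direction, method):  # builds a sample event
    return DiamondEvent("unknown", cap, infra, victim, datetime.fromisoformat(ts),
                        phase, "success", direction, method)
EVENTS = [  # constructed sample data, not a real incident; hostnames are placeholders
    _ev("alice@corp.example", "2021-09-12 02:14:50", "Command & Control",
        "c2.sender.invalid", "macro dropper", "Victim-to-Infrastructure", "breach"),
    _ev("alice@corp.example", "2021-09-12 02:10:12", "Delivery",
        "mail.sender.invalid", "phishing lure", "Infrastructure-to-Victim", "phishing"),
    _ev("bob@corp.example", "2021-09-13 01:58:40", "Delivery",
        "mail.sender.invalid", "phishing lure", "Infrastructure-to-Victim", "phishing"),
]
```

Run `activity_thread(EVENTS, "alice@corp.example")` to see the out-of-order records sorted into Delivery then Command & Control, and `pivot_on_infrastructure(EVENTS)` to see the shared mail host linking both victims.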
---
## Social-Political
The social-political component describes the needs and intent of the adversary, for example, financial gain, gaining acceptance in the hacker community, hacktivism, or espionage.
The scenario can be that the victim provides a “product”, for example, computing resources & bandwidth as a zombie in a botnet for crypto mining (producing new cryptocurrencies by solving cryptographic equations through the use of computers) purposes, while the adversary consumes their product or gets financial gain.
---
## Technology
The technology meta-feature or component highlights the relationship between two of the core features, capability and infrastructure, which together describe how the adversary operates and communicates. An example scenario is a watering-hole attack, a methodology in which the adversary compromises legitimate websites that it believes its targeted victims will visit.
---