The Diamond Model is a model of intrusion analysis built by analysts, asking the simple question: “What is the underlying method to our work?”
The Diamond model establishes the basic atomic element of any intrusion activity, the event, composed of four core features:
- Adversary
- Infrastructure
- Capability
- Victim
These features are edge-connected, representing their underlying relationships, and arranged in the shape of a diamond, which is what gives the model its name. The four features are also called vertices or nodes; keep this terminology in mind.
It further defines additional meta-features to support higher-level constructs and applies measurement, testability, and repeatability to provide a more comprehensive scientific method of analysis.
- In its simplest form, the model describes an adversary deploying a capability over some infrastructure against a victim. These activities are called EVENTS and are the atomic features. Analysts populate the model’s vertices as events are discovered and detected.
- The vertices are linked with edges highlighting the natural relationship between the features.
- By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure, and victims.
Thus, analyzing security incidents (intrusions, activity threads, campaigns, and so on) essentially involves piecing together “the Diamond” from the bits of information collected about these four facets, in order to understand the threat in its full and proper context.
The depiction above shows an analyst pivoting using the Diamond Model. Pivoting, one of the most powerful features of the Diamond, allows an analyst to exploit the fundamental relationship between features (highlighted by the edges between them) to discover new knowledge of malicious activity.
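The pivoting described above, worked through in code. This is an added example, not code from the original post: it indexes constructed sample events by their four vertices, pivots from one known feature value across the edges to collect the related values, and chains events that share a vertex into an activity thread. The `timestamp` meta-feature, the `UNKNOWN` placeholder rule and all sample values are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# The four core features (vertices) of a Diamond Model event.
VERTICES = ("adversary", "infrastructure", "capability", "victim")
UNKNOWN = "unknown"  # placeholder for an unfilled vertex: never a valid pivot point

@dataclass(frozen=True)
class Event:
    """One atomic event: an adversary deploys a capability over infrastructure against a victim."""
    adversary: str
    infrastructure: str
    capability: str
    victim: str
    timestamp: str  # meta-feature (hypothetical), used to order the thread

class DiamondIndex:
    """Indexes events by (vertex, value) so an analyst can pivot along the edges."""
    def __init__(self, events):
        self.events = list(events)
        self._by_vertex = defaultdict(set)
        for i, ev in enumerate(self.events):
            for v in VERTICES:
                self._by_vertex[(v, getattr(ev, v))].add(i)

    def pivot(self, vertex, value):
        """From one known feature value, cross the edges and collect the other
        feature values seen in every event that shares it."""
        related = {v: set() for v in VERTICES if v != vertex}
        for i in self._by_vertex.get((vertex, value), ()):
            for v in related:
                related[v].add(getattr(self.events[i], v))
        return related

    def activity_thread(self, vertex, value):
        """Transitively link events sharing any real vertex value with the seed
        (placeholder values are not pivoted on), ordered by timestamp."""
        seen, frontier = set(), [(vertex, value)]
        while frontier:
            for i in self._by_vertex.get(frontier.pop(), ()):
                if i not in seen:
                    seen.add(i)
                    frontier += [(w, getattr(self.events[i], w)) for w in VERTICES
                                 if getattr(self.events[i], w) != UNKNOWN]
        return sorted((self.events[i] for i in seen), key=lambda e: e.timestamp)

# Constructed sample events; addresses come from documentation ranges, not real indicators.
SAMPLE = [
    Event(UNKNOWN, "203.0.113.10", "phish-doc-macro", "finance-host-1", "2024-01-03"),
    Event(UNKNOWN, "203.0.113.10", "rat-x", "finance-host-1", "2024-01-04"),
    Event("group-a", "cdn.example.net", "rat-x", "hr-host-7", "2024-01-09"),
    Event("group-b", "198.51.100.5", "cred-stuffing", "web-portal", "2024-02-01"),
    Event(UNKNOWN, "192.0.2.77", "port-scan", "dmz-host", "2024-03-01"),
]
```

Pivoting on the shared infrastructure links the two finance-host events, and their shared capability then links the later hr-host event; the two events that share only the `unknown` adversary placeholder are not pulled into the thread.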
This analysis can then be extended into an activity-attack graph, diagrammed above. The graph integrates knowledge of the adversary's actual attack paths with the multitude of hypothetical paths that could be taken, highlighting both the potential future paths of an adversary and the preferred paths based on current knowledge.
While the Diamond Model has a modest appearance, it can become complicated and in-depth quite quickly. The diamond of a threat actor is not static; it is in constant flux, because attackers alter their infrastructure and capabilities often.
Each feature of the diamond (victim, infrastructure, adversary, capability) is a pivot point that defenders can use during their investigation to connect features of one attack with others.
For example, an attack using a known zero-day exploit that requires a unique deployment method alters the attacker's capability vertex, which can then be pivoted on to investigate other attacks that used similar methods or the same zero-day.
The Diamond Model adds value to cyber intelligence through a deep understanding of the infrastructure and capabilities of both victim and adversary.
Attribution of a cyberattack to a threat actor is a complicated procedure at which the Diamond Model excels through all its features (both core and meta). In fact, attribution should not be based solely on the analysis of an adversary’s use of TTPs.
TTPs, as elaborated in MITRE's ATT&CK framework, also complement the Diamond Model.
Hello guys, I have written this post to give you a glimpse of the huge value that the Diamond Model brings to cyber forensics and intrusion detection.
Please leave your thoughts and views in the comment section.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so devoted to the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.
If you haven't yet come across her enthusiastic work sharing quality information about cybersecurity, you can follow her on Facebook: Cybersecurity PRISM