Diamond Model of Intrusion Analysis


The Diamond Model of Intrusion Analysis is a framework to analyze an intrusion event (E) by exploring the relationships among four core features: adversary, capability, infrastructure, and victim.


Four Features

  • Adversary
    • represents the attacker
  • Infrastructure
    • refers to the tools and resources used by the adversary to carry out the intrusion
    • e.g., malware, exploit kits, C&C servers, etc.
  • Capability
    • describes the technical skills and aptitude of the adversary
      • e.g., ability to craft advanced techniques to
        • evade detection
        • exploit vulnerabilities
        • persist on target systems
  • Victim
    • represents the organization or individual targeted by the adversary

How it Works

  • the four features are represented by the four vertices of a diamond shape
  • each event may also be described by meta-features
    • e.g., date/time, kill chain phase, result, etc.
  • each feature is also assigned a confidence level (C)
    • indicates data accuracy or the reliability of a conclusion or assumption assigned to the value by analysis
  • each event is defined by a tuple
    • additional information about each feature is nested:

    E = { {Adversary, C(adversary)},
          {Capability, C(capability)},
          {Infrastructure, C(infrastructure)},
          {Victim, C(victim)} = {
              {IP, C(ip)},
              {Port, C(port)},
              {Process, C(process)}
          },
          {Timestamp, C(timestamp)},
          { ... }
        }
  • power of the model lies in the ability to pivot along the vertices of the diamond to produce a complete analysis and correlation of the IoCs that represent the event
  • analyzing the four features can help to better understand the TTPs used by the adversary
    • help to develop effective strategies to defend against future intrusions
  • can identify patterns and trends to use in improving defense
  • events can be linked into attack graphs and activity threads, graphed along each vertex, representing the paths an adversary could take and those that were taken
  • threads can be assigned to activity groups
    • used to represent campaigns by particular adversaries
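The event tuple and the pivoting described above, as an added Python example that is not part of the original notes: each feature carries a confidence C, pivoting on one vertex keeps only matches above a confidence threshold, and the surviving events are ordered by their timestamp meta-feature into an activity thread. The `DiamondEvent` class, the `min_conf` threshold and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed representation: every feature value carries a confidence C in [0, 1].
Feature = Tuple[str, float]

@dataclass
class DiamondEvent:
    event_id: str
    adversary: Feature
    capability: Feature
    infrastructure: Feature
    victim: Dict[str, Feature]  # nested sub-features: IP, Port, Process
    meta: Dict[str, Feature] = field(default_factory=dict)  # timestamp, phase, result

    def core_feature(self, vertex: str) -> Feature:
        """(value, confidence) for one of the four core vertices; victim matches on its IP."""
        if vertex == "victim":
            return self.victim.get("IP", ("", 0.0))
        return getattr(self, vertex)

def pivot(events, vertex, value, min_conf=0.5):
    """Pivot along one vertex: keep events whose vertex holds `value` with C >= min_conf.
    Low-confidence matches are dropped so a weak IoC does not pull in unrelated events."""
    return [e for e in events
            if e.core_feature(vertex)[0] == value and e.core_feature(vertex)[1] >= min_conf]

def activity_thread(events, vertex, value):
    """Order the pivoted events by the timestamp meta-feature to form an activity thread."""
    hits = sorted(pivot(events, vertex, value), key=lambda e: e.meta.get("timestamp", ("", 0.0))[0])
    return [e.event_id for e in hits]

# Constructed sample events (illustrative values, not from a real incident).
EVENTS = [
    DiamondEvent("E1", ("UNKNOWN", 0.2), ("phishing-doc", 0.9), ("203.0.113.10", 0.8),
                 {"IP": ("10.0.0.5", 1.0), "Port": ("443", 1.0), "Process": ("winword.exe", 0.9)},
                 {"timestamp": ("2024-01-01T10:00Z", 1.0), "phase": ("delivery", 0.8)}),
    DiamondEvent("E2", ("UNKNOWN", 0.2), ("rat-beacon", 0.7), ("203.0.113.10", 0.9),
                 {"IP": ("10.0.0.5", 1.0), "Port": ("443", 1.0), "Process": ("svchost.exe", 0.6)},
                 {"timestamp": ("2024-01-01T10:05Z", 1.0), "phase": ("c2", 0.9)}),
    DiamondEvent("E3", ("UNKNOWN", 0.2), ("rat-beacon", 0.7), ("203.0.113.10", 0.3),
                 {"IP": ("10.0.0.9", 1.0), "Port": ("443", 1.0), "Process": ("svchost.exe", 0.6)},
                 {"timestamp": ("2024-01-01T09:00Z", 1.0), "phase": ("c2", 0.5)}),
]

if __name__ == "__main__":
    print(activity_thread(EVENTS, "infrastructure", "203.0.113.10"))  # ['E1', 'E2']
```

E3 shares the C&C address but at confidence 0.3, so the infrastructure pivot leaves it out, while a capability pivot on the same beacon still links it to E2.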

Attack Graph