The Diamond Model of Intrusion Analysis
The Diamond Model is a formal analysis framework for studying the relations inherent to intrusion activity and turning that knowledge into a stronger security posture for the organization. It complements the Cyber Kill Chain by considering the multiple dimensions involved in an intrusion and providing more granularity for both analysis and mitigating measures.
The diamond event is the central concept of the model. It’s a “discrete time-bound activity restricted to a specific phase, where an adversary, requiring external resources, uses a capability and a methodology over some infrastructure against a victim with a given result.”
Diamond events have several features, divided into core features and meta-features. Both are often unknown at the onset of intelligence collection and analysis, which is expected, since uncovering them is the investigation's main task. The model also presents its feature list as effective rather than exhaustive: analysts may extend it when the case calls for it.
Core Features
Core features are the ones that define a specific diamond event, and they are the four vertices of the diamond-shaped figure that gives the model its name: adversary, capability, infrastructure, and victim.
Adversaries are the threat actors themselves. They may be insiders, outsiders, individuals, groups, or organizations “that seek to compromise computer systems/networks to further their intent/objective.” The model splits this concept into two entities: the operator and the customer (the “client”). The former is the actual “hacker,” who performs the computer operations that comprise the attack. The latter is whoever benefits from the objective’s completion. Operator and customer may or may not be the same person or entity.
Capability refers to the tools and the tactics, techniques, and procedures (TTPs) the adversary uses in the diamond event. Two related notions are the adversary arsenal, i.e., the full set of capabilities a particular threat actor has available, and capability capacity, i.e., the set of vulnerabilities and exposures a given capability can exploit, regardless of any particular victim. Another critical aspect is the adversary’s ability to exert control and direction over its capabilities, known as Command and Control (C2).
Infrastructure is the physical and logical structure through which an adversary delivers and controls its capabilities. An important distinction is how the threat actor controls the infrastructure’s elements. Type I infrastructure is directly owned or controlled by the adversary, while Type II infrastructure is controlled by a third party, wittingly or unwittingly. Type II infrastructure works as an attribution-obfuscation layer: the third party acts as a proxy for the threat actor, and the victim sees it as the adversary. The most straightforward example of Type II infrastructure is a botnet’s zombie hosts. A service provider is an organization that supplies services to either type of infrastructure, again with or without knowledge of the threat actor and its intents.
The victim is the adversary’s target. Its elements are the persona, its assets, and its susceptibilities. The persona is the victim’s public face, like its name, owners, social media presence, and employees. Assets are the victim’s attack surface, i.e., the set of networks, systems, hosts, addresses, and accounts against which the adversary can direct capabilities; they may sit inside the organization’s own perimeter (e.g., on-premises systems) or outside it (e.g., hosted or cloud services). The victim’s susceptibilities are the vulnerabilities and exposures those assets present.
Meta-Features
Meta-features are additional, non-essential aspects of a diamond event. They enrich the analysis with further and potentially valuable details. They are the event’s timestamp, phase, result, direction, methodology, and resources.
As the name implies, the timestamp is the event’s date and time, and it helps establish the activity’s periodicity and lifecycle. The phase is the attack stage in which the diamond event sits; it is commonly expressed as one of the seven Cyber Kill Chain phases, although the model doesn’t require that mapping. Direction represents the path from where the event originated to where it’s headed. It has seven possible values: from adversary to infrastructure (and vice-versa), from victim to infrastructure (and vice-versa), between different infrastructure elements, bidirectional, and unknown. This feature is ideal for network-based attack analysis but can also help with host-based intrusions.
The methodology is the event’s general attack category (e.g., spear phishing, watering-hole, or SYN flood). Resources are the external elements the event depends on to be executed and succeed: software (e.g., OS, virtualized elements, and hacking tools), hardware (desktops, servers, and network appliances), information (e.g., valid credentials), network access (i.e., an access path between the adversary’s network/host and the victim), funds for personnel, equipment, and domains, the physical locations that house important assets (facilities), and technical training/know-how (knowledge). Finally, the result describes the “post-condition” of a specific attack operation. It may involve compromising one or more legs of the CIA triad or enabling the next steps of the attack, like lateral movement.
The analyst may consider additional meta-features, like the author, detection methods, and signatures/heuristics. Nevertheless, it’s essential to think about how many parameters are necessary for a sufficiently informative model (i.e., that provides actionable intelligence) without introducing excessive information, which may hinder decision-making.
Socio-Political and Technological Dimensions
It’s possible to expand the model’s analysis by focusing on two dimensions: socio-political (adversary-victim relationship) and technological (capability-infrastructure relationship).
The former assumes there’s always a relationship between adversary and victim, even if weak or transitory. This knowledge helps understand the adversary’s persistence level against victims, measured on a continuum from fleeting to enduring. Important considerations are what intent is fulfilled (and how much) by attacking a particular victim, and the adversary’s perceived costs and benefits of initiating and maintaining the intrusion activity.
Such reasoning can lead to mitigating measures that aren’t necessarily technological but rely on other areas of knowledge, like psychology, sociology, criminology, politics, and marketing/propaganda. A particular field of interest is victimology, which studies aspects like what makes a victim attractive to specific threat actors, what an adversary’s victims have in common, and if it’s possible to deduce adversary intent from its victims’ cluster. While the Diamond Model’s paper explicitly says the subject is quite complex, it suggests two potentially practical terms for victim types:
- Victims of opportunity: targeted out of convenience, i.e., because they were easy targets, with relatively low cost to mount and maintain an attack and insignificant losses if the intrusion failed. They fall on the “fleeting” side of the persistence continuum.
- Victims of interest: targeted to fulfill a central intent, with careful and deliberate planning. They are valuable enough for the adversary to spend considerable resources and effort to initiate and maintain an intrusion, and they typically sit on the “enduring” side of the persistence continuum.
From this perspective, organizations may implement counter-intelligence tactics to make themselves less attractive to adversaries. Additionally, victims targeted by a common adversary (or by the same set of adversaries) may cooperate by sharing intelligence to bolster each other’s security posture. This concept of a shared threat space is one of the principles behind the industry-specific Information Sharing and Analysis Centers (ISACs).
The technological dimension deals with the relationship between capability and infrastructure. It aims to understand and predict misuse or abnormal use of technology solutions, like DNS, network infrastructure, and AI, that can enable potential attacks.
Pivoting
Analytical pivoting is one of the most powerful aspects of the Diamond Model. It consists of uncovering new, previously unknown feature data from information already obtained about other features of a diamond event, or about one of the extended model dimensions. In other words, it leverages known information, through available data sources, to yield new intrusion features. There are different approaches to pivoting, each associated with a specific core feature or extended relation.
The victim-centered approach starts from the victim’s own network- and host-based defensive operations (monitoring, detection, and prevention). It aims to discover which adversary capabilities are being applied and which infrastructure elements are delivering and controlling them.
A capability-centered approach focuses on the adversary’s TTPs and which victims they may target. It also seeks clues about the infrastructure necessary to enable such capabilities and about the actual threat actor using them. The MITRE ATT&CK framework is an excellent example of this approach.
Through the infrastructure-centered approach, the analyst investigates which victims came in contact with the intrusion’s infrastructure elements and which capabilities they deliver and control. As with the previous approach, it may help with adversary attribution efforts.
The adversary-centered approach is the most difficult since defenders must monitor threat actors directly. Therefore, it brings forth ethical and legal issues, like “hack-back” approaches, prohibited by specific legislation. Moreover, defenders may expose themselves more easily to threat actors through direct action, a central operational security (OPSEC) problem.
The socio-political approach tries to leverage specific relations between adversaries and victims. It may correlate real-world political events with attack activity, like pro-Tibet protests, the high-profile Stuxnet malware against the Iranian nuclear program, or the attacks on the US Democratic National Committee (DNC). While it doesn’t directly yield new indicators, it helps predict possible adversaries and other probable victims. It can be combined with other approaches (especially victim and adversary-centered) to uncover new data.
Finally, as noted before, the technological approach aims to obtain new capability and infrastructure indicators by analyzing the potential misuse of technological solutions.
Activity Threads and Groups
Diamond events concatenate into sequences named activity threads. The concept can be considered a generalization of the Cyber Kill Chain: an activity thread is made of at least two linked diamond events ordered by phase, but it isn’t limited to the seven kill-chain phases. This accommodates a broader range of intrusions, including attacks that don’t use malware, where the weaponization, exploitation, and installation phases may be absent altogether.
The CTI team may cluster activity threads that share features, creating activity groups. Those groups can bring insights for threat actor attribution and a deeper understanding of adversary campaigns against different victims.
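The pivoting approaches described earlier and the activity threads and groups just introduced can be made concrete with a small event store. The Python below is an illustrative example added to this post, not code from the Diamond Model paper or from any tool; every event, the domains (example.net/example.org), the IP address 203.0.113.9 (a documentation range) and the actor label “actor-1” are constructed. It stores events with the four core features and the main meta-features (validating the seven direction values), performs an infrastructure-centered pivot from a known C2 domain to its victims and capability, takes a second, capability-centered hop from that capability to other infrastructure and an already-attributed adversary, threads events per victim, and clusters threads into activity groups by shared indicators.

```python
"""Diamond Model analytics over a small event store: feature pivoting,
activity threads and activity groups. Illustrative code added to this post,
not from the Diamond Model paper; every event, hostname, IP address and
actor label below is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass

CORE = ("adversary", "capability", "infrastructure", "victim")
# The seven values the model defines for the "direction" meta-feature.
DIRECTIONS = frozenset({
    "victim->infrastructure", "infrastructure->victim",
    "infrastructure->infrastructure", "adversary->infrastructure",
    "infrastructure->adversary", "bidirectional", "unknown"})


@dataclass(frozen=True)
class DiamondEvent:
    adversary: str          # core; "unknown" until attribution succeeds
    capability: str         # core; tool or TTP label
    infrastructure: str     # core; domain, IP address, mail relay, etc.
    victim: str             # core; persona or asset label
    timestamp: int          # meta; constructed epoch seconds
    phase: str              # meta; here a Cyber Kill Chain stage
    direction: str = "unknown"
    methodology: str = ""
    result: str = ""

    def __post_init__(self):
        if self.direction not in DIRECTIONS:
            raise ValueError(f"invalid direction: {self.direction!r}")


def pivot(events, feature, value):
    """Pivot on one known core feature: collect the other three core features
    from every matching event. "unknown" never counts as a hit."""
    hits = defaultdict(set)
    for e in events:
        if getattr(e, feature) == value:
            for other in CORE:
                if other != feature and getattr(e, other) != "unknown":
                    hits[other].add(getattr(e, other))
    return dict(hits)


def activity_threads(events):
    """Link the events against each victim into a timestamp-ordered thread;
    a malware-free intrusion simply lacks weaponization/installation events."""
    threads = defaultdict(list)
    for e in sorted(events, key=lambda e: e.timestamp):
        threads[e.victim].append(e)
    return dict(threads)


def activity_groups(threads, key=lambda e: (e.capability, e.infrastructure)):
    """Cluster threads into activity groups: threads that share an indicator
    produced by `key` end up in the same group (transitively, via union-find)."""
    indicators = {v: {key(e) for e in t} for v, t in threads.items()}
    victims, parent = list(indicators), {v: v for v in indicators}

    def root(v):
        while parent[v] != v:
            v = parent[v]
        return v

    for i, a in enumerate(victims):
        for b in victims[i + 1:]:
            if indicators[a] & indicators[b]:
                parent[root(b)] = root(a)
    groups = defaultdict(set)
    for v in victims:
        groups[root(v)].add(v)
    return sorted(tuple(sorted(g)) for g in groups.values())


EVENTS = [  # constructed sample events
    # Earlier, attributed intel: actor-1 drove implant-a against initech.
    DiamondEvent("actor-1", "implant-a", "c2.example.org", "initech",
                 1_699_900_000, "c2", "adversary->infrastructure"),
    # Lure mail reaches acme through a relay the adversary does not own.
    DiamondEvent("unknown", "lure.docx", "relay.example.net", "acme",
                 1_700_000_000, "delivery", "infrastructure->victim",
                 "spear phishing"),
    # acme and globex hosts beacon to the same C2 domain with the same implant.
    DiamondEvent("unknown", "implant-a", "c2.example.net", "acme",
                 1_700_003_600, "c2", "victim->infrastructure", "", "C2 up"),
    DiamondEvent("unknown", "implant-a", "c2.example.net", "globex",
                 1_700_007_200, "c2", "victim->infrastructure"),
    # Unrelated activity against umbrella: different tool and infrastructure.
    DiamondEvent("unknown", "webshell-b", "203.0.113.9", "umbrella",
                 1_700_010_000, "exploitation", "infrastructure->victim"),
]

if __name__ == "__main__":
    print(pivot(EVENTS, "infrastructure", "c2.example.net"))  # infra-centred pivot
    print(pivot(EVENTS, "capability", "implant-a"))            # second hop
    threads = activity_threads(EVENTS)
    print({v: [e.phase for e in t] for v, t in threads.items()})
    print(activity_groups(threads), activity_groups(threads, key=lambda e: e.capability))
```

Two details matter in practice. First, `pivot` discards “unknown” so that unattributed events never masquerade as a shared adversary; the attribution to actor-1 only appears after the second hop, through the shared implant. Second, `activity_groups` takes the clustering key as a parameter because the grouping rule is an analytic choice: keying on (capability, infrastructure) pairs keeps initech separate from acme and globex, while keying on capability alone merges all three, so the analyst should state which features define a group before treating it as one campaign.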
The aim of this post isn’t a detailed analysis of activity threads and groups, but this subject will be further discussed in a future publication.
References
Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “The Diamond Model of Intrusion Analysis.” Technical report, Center for Cyber Intelligence Analysis and Threat Research, 2013.