The Diamond Model of Intrusion Analysis

The Diamond Model of Intrusion Analysis is a scientific framework that enhances cybersecurity analysts’ understanding of cyber intrusions by establishing a comprehensive approach to analyzing, documenting, and linking adversary activities. Developed in 2013 by intelligence researchers Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, the Diamond Model provides a structured methodology that helps analysts think systematically about intrusions and develop a deeper understanding of adversary behavior patterns.

Unlike linear models that focus primarily on attack sequences, the Diamond Model emphasizes the relationships between four core elements of any cyber intrusion, forming a diamond-shaped structure that reveals critical intelligence and analytic opportunities. For security professionals transitioning from tactical defense to strategic threat intelligence, this model offers a powerful conceptual framework that transforms isolated security incidents into meaningful, actionable intelligence.


Core Elements of the Diamond Model

The Diamond Model consists of four primary vertices that represent the fundamental components of any cyber intrusion:


1. Adversary

The adversary vertex represents the threat actor conducting the malicious activity:

  • Definition: Any entity (individual, group, or organization) responsible for launching an attack against a victim.
  • Attributes: Can include identities, organizational structure, motivations, capabilities, past activities, and infrastructure used.
  • Intelligence Value: Understanding adversaries enables prediction of future activities, attribution of incidents, and development of strategic countermeasures.

2. Capability

The capability vertex refers to the tools and the tactics, techniques, and procedures (TTPs) used by the adversary:

  • Definition: The means by which an adversary conducts an attack, including malware, exploits, and methodologies.
  • Attributes: Includes attack vectors, vulnerabilities exploited, malware functionality, command and control mechanisms, and persistence methods.
  • Intelligence Value: Analyzing capabilities helps identify adversary skill levels, resources, and potential future attack scenarios.

3. Infrastructure

The infrastructure vertex encompasses the physical and logical systems used to deliver capabilities:

  • Definition: The physical or virtual communication structures that serve as the delivery mechanism and command and control for an adversary’s operations.
  • Attributes: IP addresses, domains, email addresses, drop sites, proxies, botnets, and compromised third-party infrastructure.
  • Intelligence Value: Infrastructure analysis often provides the most tangible evidence of adversary operations and opportunities for detection and disruption.

4. Victim

The victim vertex represents the target of the adversary’s operations:

  • Definition: The organization, system, or individual being attacked.
  • Attributes: Includes targeted assets, vulnerabilities, sector, value to the adversary, and impact of compromise.
  • Intelligence Value: Understanding victimology reveals adversary targeting patterns, intentions, and potential future targets.

Meta-Features

Beyond the four core elements, the Diamond Model includes several meta-features that provide additional context and analytical depth:

1. Social-Political Component

  • Definition: The human element behind the intrusion, including motivation, intent, and socio-political considerations.
  • Examples: Financial gain, espionage, hacktivism, or warfare.
  • Analytical Value: Helps explain the “why” behind attacks and can reveal strategic objectives.

2. Technology Component

  • Definition: The technological aspects that facilitate the intrusion.
  • Examples: Vulnerabilities, protocols, software/hardware configurations.
  • Analytical Value: Informs defensive strategies and vulnerability management priorities.

3. Timestamp

  • Definition: Temporal information associated with the activity.
  • Examples: When the infrastructure was active, when the capability was deployed, etc.
  • Analytical Value: Essential for understanding the sequence of events, campaign timelines, and adversary patterns over time.

4. Result

  • Definition: The outcome of the intrusion activity.
  • Examples: Data exfiltration, system compromise, denial of service.
  • Analytical Value: Helps measure impact and adversary success rates.

5. Direction

  • Definition: The orientation of the relationship between vertices.
  • Examples: Adversary → Victim (indicating who initiated the action).
  • Analytical Value: Clarifies the flow of activity and relationships between elements.

6. Methodology

  • Definition: The phases, stages, or steps of an intrusion.
  • Examples: Reconnaissance, initial access, lateral movement, exfiltration.
  • Analytical Value: Provides context about where in the attack lifecycle a particular activity occurred.

Practical Applications of the Diamond Model

Threat Intelligence Development

The Diamond Model excels at transforming isolated indicators into comprehensive threat intelligence:

  1. Event Clustering: By identifying shared elements across multiple diamonds, analysts can group related activities into campaigns.
  2. Activity Threads: Connected diamond events that share key attributes reveal adversary campaigns and operational patterns.
  3. Activity-Attack Graphs: Diamond events can be mapped to show the progression of attacks, revealing tactics, techniques, and procedures (TTPs).

Operational Uses

Security teams can apply the Diamond Model in various operational contexts:

  1. Incident Response: Structuring incident data according to the Diamond Model helps identify related events and potential next steps by the adversary.
  2. Threat Hunting: Using known diamond elements to search for undiscovered compromises or adversary activity.
  3. Risk Assessment: Analyzing historical diamonds to identify common vulnerabilities and attack patterns against your organization or sector.
  4. Course of Action Development: Determining the most effective defensive strategies based on diamond analysis.

Strategic Applications

The Diamond Model also supports strategic security functions:

  1. Resource Allocation: Prioritizing security investments based on observed adversary capabilities and infrastructure.
  2. Prediction: Anticipating potential future targets and attack methods based on adversary patterns.
  3. Attribution: Building a more comprehensive understanding of adversary identities and characteristics.
  4. Stakeholder Communication: Providing a structured framework for communicating threat intelligence to executives and partners.

Advanced Analytical Techniques

Pivoting

One of the most powerful analytical techniques using the Diamond Model is pivoting:

  1. Definition: Moving from one vertex to another to discover related activity or expand knowledge.
  2. Example: Starting with a known piece of infrastructure (e.g., a C2 domain), an analyst can pivot to identify other victims communicating with that infrastructure.
  3. Methodology:
    • Infrastructure → Victim: Identify all systems communicating with malicious infrastructure
    • Capability → Adversary: Link capabilities to known threat actors
    • Adversary → Infrastructure: Discover additional infrastructure operated by the same adversary
    • Victim → Capability: Identify attack techniques used against similar victims

Activity Threads

Activity threads connect multiple diamond events that share key elements:

  1. Definition: A series of related intrusion events linked by common attributes.
  2. Analytical Value: Reveals patterns, campaign progression, and the full scope of adversary operations.
  3. Implementation: Create visual or database linkages between diamonds sharing common elements.

Confidence Scoring

The Diamond Model incorporates analytic confidence scoring:

  1. Definition: A measure of certainty in the attribution and relationships depicted in a diamond.
  2. Methodology: Each vertex and edge can be assigned a confidence level (high, medium, low) based on the reliability of the source and the analyst’s judgment.
  3. Application: Helps prioritize response actions and identify intelligence gaps requiring further investigation.

Integration with Other Frameworks

The Diamond Model can be integrated with other cybersecurity frameworks to enhance analysis:

MITRE ATT&CK

  1. Complementary Focus: The Diamond Model provides the relationship structure, while ATT&CK provides detailed tactics and techniques.
  2. Integration Approach: Map ATT&CK techniques to the Capability vertex and infrastructure types to the Infrastructure vertex.
  3. Analytical Value: This combination enables mapping of adversary behaviors across the full attack lifecycle while maintaining relationship context.

Cyber Kill Chain

  1. Relationship: Diamond events can be mapped to specific phases of the Kill Chain.
  2. Implementation: Add a kill chain phase attribute to each diamond to track progression through the attack lifecycle.
  3. Benefits: Provides temporal context to diamond events and helps identify where defensive efforts should focus.

F3EAD (Find, Fix, Finish, Exploit, Analyze, Disseminate)

  1. Operational Integration: The Diamond Model supports the intelligence aspects of the F3EAD process.
  2. Application: Use diamond analysis in the “Find” phase to identify adversary elements, and in the “Analyze” phase to develop comprehensive understanding.

Case Study: APT29 Campaign Analysis Using the Diamond Model

Background

APT29 (also known as Cozy Bear) is a sophisticated threat actor associated with the Russian Foreign Intelligence Service (SVR). In this case study, we examine how the Diamond Model helps analyze a complex espionage campaign.

Initial Diamond Event

Adversary: APT29 (suspected Russian SVR)
Capability: Spear-phishing with malicious document exploiting CVE-2021-XXXX
Infrastructure: mail-delivery.com (phishing domain), 203.0.113.1 (C2 server)
Victim: Government contractor in defense sector

Expanded Analysis

By applying Diamond Model pivoting techniques, analysts discovered:

  1. Infrastructure Pivot: The C2 server (203.0.113.1) communicated with 12 additional organizations in the defense and energy sectors.
  2. Capability Pivot: The same exploit was used in a separate campaign targeting research institutions but using different infrastructure.
  3. Adversary Pivot: Historical intelligence on APT29 revealed similar targeting patterns and infrastructure setup methodologies.

Activity Thread Development

Multiple diamond events were linked to form an activity thread showing:

  1. Initial access through spear-phishing
  2. Deployment of custom backdoor malware
  3. Lateral movement using stolen credentials
  4. Data exfiltration through encrypted channels

Strategic Insights Gained

The Diamond Model analysis revealed:

  1. Targeting Strategy: APT29 was specifically targeting organizations with access to hypersonic weapons research.
  2. Operational Security: The group used separate infrastructure for each phase of their operation, indicating sophisticated OPSEC.
  3. Adaptability: When initial access failed at some targets, they quickly pivoted to supply chain compromise tactics.

Response Actions Guided by Diamond Analysis

  1. Hunt Operations: Deployed YARA rules for the identified malware across all network segments
  2. Infrastructure Blocking: Blocked all identified C2 domains and IP addresses
  3. Strategic Sharing: Shared sanitized intelligence with industry partners to increase collective defense

Implementation Considerations

Data Requirements

To effectively implement the Diamond Model, organizations need:

  1. Technical Indicators: IP addresses, domains, hashes, network artifacts
  2. Contextual Information: Actor attributions, victim details, timestamps
  3. Relationship Data: Connections between different elements

Tooling Options

Several approaches can support Diamond Model implementation:

  1. Commercial Threat Intelligence Platforms: Many TIPs incorporate Diamond Model concepts and visualization
  2. Open-Source Options: Frameworks like MISP can be adapted to support Diamond Model analysis
  3. Custom Solutions: Graph databases (e.g., Neo4j) can be effective for modeling the relationships central to the Diamond Model

Organizational Considerations

Successfully implementing the Diamond Model requires:

  1. Analytical Training: Ensure analysts understand the model’s concepts and application
  2. Process Integration: Incorporate the model into existing incident response and threat intelligence workflows
  3. Information Sharing Mechanisms: Establish protocols for sharing diamond elements with trusted partners
  4. Documentation Standards: Create consistent templates for recording diamond events

Advanced Concepts: Diamond Model Extensions

The Center for Cyber Intelligence Analysis and Threat Research (CCIATR) Extensions

Researchers have proposed valuable extensions to the original model:

  1. Phase: Mapping to operational phases (e.g., reconnaissance, exploitation, exfiltration)
  2. Quality: A measure of adversary operation sophistication and skill
  3. Strategy: The overarching campaign objectives
  4. Resources: Assets required for the adversary to conduct operations

Activity-Attack Graphs

This extension combines attack graphs with Diamond Model elements:

  1. Definition: A directed graph representing the sequence of diamond events in a campaign
  2. Application: Reveals attack paths, dependencies, and potential intervention points
  3. Analytical Value: Supports predictive analysis and defensive prioritization

Challenges and Limitations

Despite its strengths, the Diamond Model has several challenges:

  1. Data Requirements: Effective implementation requires substantial data across all four vertices
  2. Attribution Difficulty: Definitively identifying adversaries remains challenging in cybersecurity
  3. Complexity Management: Large-scale campaigns can result in complex graphs difficult to analyze
  4. Resource Intensity: Comprehensive diamond analysis requires significant analyst time and expertise
