The Diamond Model of Intrusion Analysis

Although every organization is a potential victim of cyber attacks and espionage, those in certain critical sectors—such as the Federal Government, energy, defense and finance—face daily attacks from highly sophisticated, highly motivated adversaries. Dealing with this threat on a daily basis requires a structured method for analysis.

Having spent years on the front lines against such threats, a former colleague developed such a methodology: The Diamond Model of Intrusion Analysis. This is an extremely effective methodology for organizing and verifying advance persistent threats. For organizations with dedicated SOC teams, implementing a proven intrusion analysis framework is a vital step to being able to first understand and then thwart malicious actors.

Fortunately, the model is freely available for unlimited distribution from the Center for Cyber Security and Intelligence Studies at the University of Maryland.

The first axiom of the model is its foundation: “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.” To paraphrase, all active intrusions start from an adversary. The adversary has aims against a particular victim, and uses Tools, Techniques, and Procedures (TTPs) along with tech Infrastructure to launch their attacks. Putting this together defines the intrusion event. This can be represented visually through the Diamond Model: dm

From the SOC level, this should be the basis for grouping and organizing intrusions. Even though in practice, a typical organization does not have the means to make a precise attribution of the malicious actor, grouping intrusion events be accomplished using the other axes of the diamond. This metadata, which should be readily available to competent SOCs—TTPs, infrastructure and the target—can be connected.

For example, if a shared Command and Control (C2) protocol is used after successful spearphishing in two attacks that occurred months apart, it’s likely that they can be grouped together under the same adversary, or Activity Group (as they are known without attribution). If a third attack uses a similar domain name to host exploits and is attempting to access the same information, it would also join the Activity Group.

Using this technique, known as Analytic Pivoting, an adversary’s portfolio—their goals and methods—can be understood, and thus mitigations can be more effectively targeted. Is a particular adversary targeting senior staff through spearphishing? Implement a training regiment. Does the adversary attempt to gain access through a compromised contractor? Make sure those accounts are heavily monitored.

The organization is now actively profiling its adversaries. This is the foundation of the Diamond Model, but there are many more details available in the paper, including the mathematical basis for the theory, attack graph analysis, in-depth definitions, and more examples. Although relatively simple, incorporating the model’s mindset is amazingly effective at understanding threats that are posed against an organization.