Ever since the first security intrusion was discovered, the concept of intrusion analysis came into being. To date, malicious insiders and hackers continue to infiltrate and attack organizations, while security teams work assiduously to detect and prevent their malign intent. Though the questions still remain the same—who, what, when, where, why, and how—the approach to incident response has changed over time. Typically, the answers to these questions allow security teams to address incidents but just the answers aren’t sufficient. They often lack the right approach or model to synthesize, correlate, and document the threat data. In the cybersecurity landscape, there exist several approaches to analyze and monitor the attributes of cyber intrusions by threat actors. One of the popular approaches is the diamond model of intrusion analysis.
The Theory of Diamond Model
The diamond model of intrusion analysis is an approach employed by several information security professionals to authenticate and track cyber threats. According to this approach, every incident can be depicted as a diamond. This methodology underlines the relationships and characteristics of four components of the diamond—adversary, capability, infrastructure, and victim. These four core elements are connected to delineate the relationship between each other which can be analytically examined to further uncover insights and gain knowledge of malicious activities.
An adversary is an organization or threat actor responsible for leveraging a capability against a victim to fulfill its goals.
The capabilities refer to the tools and techniques used by an adversary in an event.
The infrastructure includes the physical or logical communication structures such as IP or e-mail addresses, domain names, and others, employed by an adversary to deliver a capability.
A victim is a target against whom attacks are initiated, vulnerabilities are exploited, or capabilities are used. It can be organizations, people, or assets, such as target email or IP addresses, domains, and so on.
In simpler terms, the diamond model of intrusion analysis illustrates that an “adversary” uses a “capability” over an “infrastructure” against a “victim.” According to the principle of this model, for every intrusion, an adversary moves toward its goals by leveraging capabilities on infrastructures against victims to create an impact. This axiom means that an act of intrusion indicates how the attacker exhibits and employs different capabilities and methodologies over infrastructure against a victim.
How Useful is it for the Security Professionals?
Designed by several renowned security analysts and researchers, the diamond model of intrusion analysis exists as a cognitive model as well as a series of mathematical techniques. The cognitive model allows security professionals to organize immeasurable sets of interrelated logic whereas the series of mathematical techniques enables them to improve strategic decision-making and analytical workflow against the adversary. In the threat intelligence domain, the diamond model of intrusion analysis empowers security analysts to efficiently act upon heaps of incoming data and build definite relationships between existing pieces of threat intelligence. Eventually, security analysts can gain greater clarity in identifying the intentions and targeting tactics of adversaries, discovering proactive measures for emerging cyber threats. The diamond model enables contextual indicators thereby improving threat intelligence sharing and easy integration with other planning frameworks to buttress the development of the course of action, planning, and mitigation strategies. It detects intelligence gaps and lays the foundation for cyber taxonomies, ontologies, protocols of threat intelligence sharing, and knowledge management. Moreover, it allows security teams to enhance analytic precision by facilitating hypothesis generation, testing, and documentation, thereby exerting more accuracy to the analytic process.
Use Cases of the Diamond Model
One of the major use cases of the diamond model is pivoting, which refers to the analytic method of obtaining a data element and exploiting it, in tandem with data sources, to identify other relevant elements. Fundamentally, pivoting is about the analytic task of hypothesis testing. Each aspect of an intrusion produces its own hypotheses which need evidence to nourish, weaken, or alter the hypothesis. The success of pivoting depends on security analysts’ understanding of the relationship between the elements and their capability to exploit data elements and their sources.
Discovering knowledge gaps
Diamond nodes that are not included in the events or the missing events in an activity thread can be connected with the diamond model. This identifies the knowledge gaps and helps focus on incident response and a threat’s infrastructure and capabilities.
The model focuses on several tradecraft concepts of intrusion analysis which are referred to as ‘centered’ approaches. These approaches are centered on a certain feature of the diamond model to detect new malicious activities and expose activities related to the other relevant features. There are six centered approaches—adversary-centered, capability-centered, infrastructure-centered, victim-centered, social-political-centered, and technology centered. The first four focus on the diamond nodes while the remaining two focus on the meta-features of the diamond.
This approach requires direct monitoring of an adversary’s activities to understand their capabilities and infrastructure.
This approach focuses on a specific capability. By focusing on a specific capability, security analysts can identify potential victims and the infrastructure and technologies that support that capability.
This approach looks at an adversary’s infrastructure and helps expose the victims associated with the infrastructure, capabilities managed by the infrastructure, any relevant infrastructure, and probable hints to the adversary.
In this approach, data related to a victim is utilized to gain insights about an adversary. Threat activities launched against a victim disclose an adversary’s infrastructure and capabilities.
This approach leverages the adversary-victim relationship to predict a victim and the adversary likely to attack that victim, or the adversary and who it might attack.
This approach focuses on the misuse or a particular use of technology. It helps in identifying the techniques deployed by an adversary to detect the infrastructure and capabilities that might be used to execute a future attack.
Building activity groups
The diamond model supports the creation, development, and ongoing testing of activity groups. An activity group provides an architecture to answer analytical questions requiring deep activity-related knowledge and supports the growth of mitigation strategies.
Supporting Mitigation Planning
Mitigation planning or course of action development can be accelerated by leveraging the diamond model. This model can be integrated easily into any planning framework. Moreover, the impact of the actions taken against an adversary can be attributed in real-time or gaming scenarios.
The diamond model is a scientific approach that improves the analytic efficiency, effectiveness, and accuracy of intrusion analysis. Primarily, the model provides security teams with the opportunities to leverage real-time intelligence for network defense, the correlation across intrusions, events classification, prediction of adversary operations, and planning mitigation strategies.