What Is the Diamond Model of Intrusion Analysis?
The Diamond Model of Intrusion Analysis is a cybersecurity framework that helps organizations analyze cyber intrusions. The model was first proposed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in a 2013 U.S. Department of Defense technical report titled “The Diamond Model of Intrusion Analysis” (Caltagirone et al., 2013).
The main objectives of the Diamond Model are to identify specific attackers, understand the tactics, techniques, and procedures they use, and respond more effectively to cyber incidents as they occur.
Just as a diamond has four points, the Diamond Model has four key components: adversaries, infrastructure, capabilities, and victims. These components are also connected by various links or relationships (such as adversary-victim, adversary-infrastructure, and victim-capability).
Unlike many other cybersecurity frameworks, the Diamond Model heavily focuses on the task of attribution: identifying those responsible for a cyber incident. The Diamond Model is also a highly flexible schema and can be applied to everything from advanced persistent threats (APTs) to ransomware attacks.
How Does the Diamond Model Work?
As mentioned above, there are four main components of the Diamond Model of Intrusion Analysis:
- Adversary: The attacker or group responsible for a cyber incident.
- Infrastructure: The technical resources or assets the adversary uses during the attack (e.g., servers, domains, and IP addresses).
- Capability: A method, tool, or technique the adversary uses during the attack (e.g., malware or exploits).
- Victim: The individual or organization the adversary targets during the attack.
There are also various relationships between these components, including:
- Adversary-victim: The interaction between the attacker and target. This relationship concerns questions such as why the attacker selected this target and the attacker’s motivations and objectives.
- Adversary-infrastructure: The attacker's use of various technical resources and assets. This relationship concerns how the attacker establishes and maintains the infrastructure behind its cyber operations.
- Victim-infrastructure: The target’s connection to the attacker’s technical resources. This relationship concerns the attacker’s use of various channels, methods, and vectors against the target.
- Victim-capability: The target’s connection to the attacker’s tools and techniques. This relationship concerns specific tactics and attack signatures used against the target.
What Are the Benefits of Using the Diamond Model?
The Diamond Model of Intrusion Analysis offers advantages such as:
- Holistic understanding: The Diamond Model examines both the technical aspects of a cyberattack (infrastructure and capabilities) and the human and organizational aspects (the adversary and the victim).
- Structured analysis: The Diamond Model provides a clear, organized way for cybersecurity experts to structure and process data relating to cyber threats and attacks, making it easier to collaborate and share information.
- Incident response and threat intelligence: The Diamond Model offers benefits both for threat intelligence (before an attack) and incident response (after an attack), helping analysts collect and analyze valuable data.
The Diamond Model is particularly useful for visualizing and understanding complex attack scenarios. By modeling the relationships between adversaries, victims, infrastructure, and capabilities, it helps analysts see how the different elements of a cyberattack interact with and influence each other. It condenses large amounts of data into a simple diagram, making it easier to explore links and patterns.
What Are the Key Attributes Within Each Element of the Diamond Model?
Each element of the Diamond Model possesses different attributes that include valuable additional information. For example, below are some key attributes of the adversary element:
- The adversary’s identity, name, or pseudonym.
- The adversary’s motivations and objectives (e.g., financial gain or corporate espionage).
- The adversary’s technical capabilities, skills, and knowledge.
- The adversary’s tactics, techniques, and procedures (TTPs).
- The adversary’s attribution indicators (pieces of evidence that link the adversary to a particular group, such as code similarities or similar tactics).
Below are some key attributes of the infrastructure element:
- The geographic locations, IP addresses, and domains of servers in the adversary’s command and control infrastructure.
- The communication protocols used (e.g., HTTPS or DNS).
- Domain registration details (e.g., the registration date and name of the registering party).
- The websites or servers hosting malware or phishing scams.
- Abnormal traffic patterns indicating communication with the adversary’s command and control systems.
How Does the Diamond Model Align with Other Cybersecurity Frameworks?
The Diamond Model is notably distinct from other cybersecurity frameworks such as Lockheed Martin's Cyber Kill Chain and MITRE ATT&CK. The main differences are as follows:
Diamond Model vs. Cyber Kill Chain: Whereas the Diamond Model concentrates on the relationships between the adversary, infrastructure, capability, and victim, the Cyber Kill Chain focuses on the stages of a cyberattack, from reconnaissance to carrying out the attack's objectives.
Diamond Model vs. MITRE ATT&CK: Unlike the Diamond Model, the MITRE ATT&CK framework focuses much more on detailing the adversary’s TTPs, mapping specific tactics to defensive strategies.
Because each framework focuses on different components or elements of a cyberattack, the Diamond Model can work in tandem with MITRE ATT&CK and the Cyber Kill Chain, helping analysts obtain a holistic picture of an incident.
What Are Some Real-World Examples of Using the Diamond Model?
The Diamond Model of Intrusion Analysis has been applied effectively in real-world cases. For example, cybersecurity analysts Meghan Jacquot and Kate Esprit used the Diamond Model to analyze the LAPSUS$ ransomware and hacking group (Esprit and Jacquot, 2022). They used the framework to collect information about the adversary (LAPSUS$) and its infrastructure, capabilities, and victims:
- Infrastructure: Open-source hacking tools, Telegram, underground forums
- Capabilities: Social engineering, DDoS attacks, stolen certificates, credential dumping, etc.
- Victims: Companies in the telecommunications, software, technology, and gaming industries
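As an added example (not code from the article or from the cited case studies), the following Python sketch implements the schema described in the component and relationship lists above and applied in the LAPSUS$ case: each event records the four core features, `pivot` follows one feature value across events, and `activity_groups` clusters events that share infrastructure or a capability into a candidate activity group. The names `DiamondEvent`, `pivot`, `activity_groups` and `ev` are assumptions, and all event data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class DiamondEvent:               # one intrusion event: the four core features
    event_id: str
    adversary: str                # "unknown" until attribution is supported
    infrastructure: FrozenSet[str]  # domains, IPs, services the adversary used
    capability: FrozenSet[str]      # tools and techniques used
    victim: str                   # targeted organisation or asset

def pivot(events: List[DiamondEvent], feature: str, value: str) -> List[str]:
    """Analytic pivot: ids of events whose `feature` contains/equals `value`."""
    def has(e: DiamondEvent) -> bool:
        f = getattr(e, feature)
        return value in f if isinstance(f, frozenset) else f == value
    return [e.event_id for e in events if has(e)]

def activity_groups(events: List[DiamondEvent]) -> List[Set[str]]:
    """Cluster events that share any infrastructure element or capability
    (transitively) into activity groups; returns sets of event ids."""
    parent = {e.event_id: e.event_id for e in events}   # union-find forest
    def find(x: str) -> str:
        while parent[x] != x:
            x = parent[x]
        return x
    seen: Dict[tuple, str] = {}   # (feature, value) -> first event carrying it
    for e in events:
        for key in ([("infra", v) for v in e.infrastructure]
                    + [("cap", v) for v in e.capability]):
            if key in seen:
                parent[find(e.event_id)] = find(seen[key])   # merge groups
            else:
                seen[key] = e.event_id
    groups: Dict[str, Set[str]] = {}
    for e in events:
        groups.setdefault(find(e.event_id), set()).add(e.event_id)
    return sorted(groups.values(), key=min)

def ev(i, infra, cap, victim):    # builder for the constructed sample below
    return DiamondEvent(i, "unknown", frozenset(infra), frozenset(cap), victim)

# Constructed sample events (not real incidents); the values mirror the kinds
# of infrastructure and capabilities the article lists.
EVENTS = [
    ev("E1", ["c2.bad.example", "198.51.100.7"], ["credential dumping", "phishing kit"], "telecom-co"),
    ev("E2", ["198.51.100.7"], ["DDoS"], "game-studio"),
    ev("E3", ["files.bad.example"], ["phishing kit"], "software-vendor"),
    ev("E4", ["203.0.113.9"], ["SQL injection"], "retailer"),
]
```

With this data, E1 and E2 share an IP address and E1 and E3 share a capability, so the three form one activity group while E4 stands alone; an analyst would treat such a cluster as a hypothesis to test, not as attribution.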
The Diamond Model was also used by researchers John Kotheimer, Kyle O'Meara, and Deana Shick at Carnegie Mellon University. In their case study "Using Honeynets and the Diamond Model for ICS Threat Analysis," the researchers examined how adversaries interacted with industrial control system honeynets (decoy networks designed to lure attackers) and mapped these interactions to the different components of the Diamond Model (Kotheimer et al., 2016).
Learn the Diamond Model of Intrusion Analysis in C|EH
The Diamond Model, a cyber security framework, is a widespread and effective tool for understanding the relationships between the different components of a cyberattack. Cybersecurity experts should be familiar with the Diamond Model and other popular frameworks to analyze and respond to cyber threats and enhance their threat intelligence response capabilities.
EC-Council's Certified Ethical Hacker (C|EH) program teaches students the ins and outs of attack vectors and cyber security frameworks such as the Diamond Model. Throughout 20 comprehensive modules and more than 220 hands-on lab exercises, students gain theoretical and practical knowledge of topics including the Diamond Model of Intrusion Analysis.
References
Caltagirone, S., Pendergast, A., and Betz, C. (2013). The Diamond Model of Intrusion Analysis. Defense Technical Information Center. https://apps.dtic.mil/sti/citations/ADA586960
Esprit, K. and Jacquot, M. (2022). Relapse of LAPSUS$: A Cyber Threat Intelligence Case Study. https://www.csnp.org/post/relapse-of-lapsus-a-cyber-threat-intelligence-case-study
Kotheimer, J., O'Meara, K., and Shick, D. (2016). Using Honeynets and the Diamond Model for ICS Threat Analysis. https://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454247.pdf
About the Author
David Tidmarsh is a programmer and writer. He’s worked as a software developer at MIT, has a B.A. in history from Yale, and is currently a graduate student in computer science at UT Austin.