The Diamond model identifies the key elements of an incident. Depending on the audience, it can be simple and non technical or the complete opposite.

To create the model, note the

  • Adversary: is the ‘who’ behind an incident. This may be an IP address, a domain name, an email address or an actual name

  • Victim: is the ‘where’. Some victims are purposefully selected, others a victim of opportunity.

  • Capability: is the ‘how’ and highlights the adversary’s tactics, techniques, and procedures. The attacker must have some level of capability (e.g. elite hacker skills) or access to capabilities (e.g. ransomware as a service).

  • Infrastructure: is ‘by what means’ because there must be a connection between the attacker and the victim. This connection might be a physical or logical pathway used to deliver a capability or maintain control of one (such as a command & control platform). The pathway may also be used to effect a results from the victim (such as exfiltrate data).


There are also two axes:

  • Social-Political: is the ‘why’ behind an attack (financial gain, espionage, thrill etc.)

  • Technology: which ties the ‘how’ and the ‘what’ together.


Finally, there are optional meta-features that add further detail. Examples, include:

  • Timestamp: the date & time of the event(s).

  • Phases: such as which steps in the Kill Chain have been accomplished

  • Result: such as ‘success’, ‘failure’, or ‘unknown’. Usually this centres on whether an attacker was able to compromise the confidentiality, integrity, or availability of data.

  • Methodology:  a general classification or ‘type’ of attack, e.g. phishing or DDoS.

  • Resources: used to accomplish the incident e.g. hardware, software, funds, knowledge, information, access, facilities etc.

Although not directly part of the model, it is a good idea to express how much confidence one has in the intel such as whether the source and information are reliable.


When recording information there is no specific order to the Diamond Model - just ‘paint the picture’.


Example: In the fall of 2013, the store Target was breached, and credit card and personal information was stolen. A Diamond model for executives might look like this:

Adversary: A Ukrainian hacker, Andrey Hodirevski

Capability: Knowledge of phishing tactics, how to navigate across networks, deploy malware

Victim: Target (whose system were accessed via a 3rd party vendor)

Infrastructure: BlackPoS malware installed on Electronic point of sale machines

Social-Political: Financial gain

Technology: Phishing email loaded with Citadel trojan. Traversed the network and installed BlackPoS trojan on unpatched PoS terminals.



Timestamp: Nov 27 - Dec 18, 2013

Phases: All phases of the Kill Chain were used

Result: Success - 40 million credit cards stolen + Personal data of 70 million customers.

Resources: Citadel Trojan, BlackPoS