THE DIAMOND MODEL
The Diamond Model identifies the key elements of an incident. Depending on the audience, the write-up can be simple and non-technical or highly detailed.
To build the model, record the four core features:
Adversary: the ‘who’ behind an incident. This may be as little as an IP address, a domain name or an email address, or it may be an actual person or group.
Victim: the ‘where’, i.e. the target of the attack. Some victims are purposefully selected; others are victims of opportunity.
Capability: the ‘how’, i.e. the adversary’s tactics, techniques, and procedures. The attacker must either possess the capability (e.g. elite hacking skills) or have access to it (e.g. ransomware as a service).
Infrastructure: the ‘by what means’, because there must be a connection between the attacker and the victim. This is the physical or logical pathway used to deliver a capability or maintain control of one (such as a command & control platform). The same pathway may also be used to obtain results from the victim (such as exfiltrating data).
There are also two axes:
Social-Political: is the ‘why’ behind an attack (financial gain, espionage, thrill etc.)
Technology: ties the Capability (‘how’) and the Infrastructure (‘by what means’) together, i.e. how the capability is delivered and operated over that infrastructure.
Finally, there are optional meta-features that add further detail. Examples include:
Timestamp: the date & time of the event(s).
Phases: which steps in the Kill Chain have been observed or accomplished.
Result: such as ‘success’, ‘failure’, or ‘unknown’. Usually this centres on whether the attacker was able to compromise the confidentiality, integrity, or availability of data.
Methodology: a general classification or ‘type’ of attack, e.g. phishing or DDoS.
Resources: what was used to accomplish the incident, e.g. hardware, software, funds, knowledge, information, access, facilities etc.
Although not directly part of the model, it is good practice to record how much confidence one has in the intel, e.g. whether the source is reliable and whether the information itself is credible.
When recording information there is no specific order to the Diamond Model - just ‘paint the picture’.
Example: In the fall of 2013, the retailer Target was breached and credit card and personal information was stolen. A Diamond Model for executives might look like this:
Adversary: A Ukrainian hacker, Andrey Hodirevski
Capability: Knowledge of phishing tactics, lateral movement across networks, and malware deployment
Victim: Target (whose systems were accessed via a third-party vendor)
Infrastructure: BlackPoS malware installed on electronic point-of-sale (PoS) terminals
Social-Political: Financial gain
Technology: Phishing email loaded with the Citadel trojan; the attackers then traversed the network and installed the BlackPoS trojan on unpatched PoS terminals.
Timestamp: Nov 27 - Dec 18, 2013
Phases: All phases of the Kill Chain were completed
Result: Success - 40 million credit cards stolen, plus personal data of 70 million customers.
Resources: Citadel Trojan, BlackPoS
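As an added worked example (mine, not part of these notes): a Python record for a Diamond Model event that holds the four core features, the two axes and the meta-features listed above, and checks that the record is usable, that Result and Phases use recognised values, and which Kill Chain phases are still unobserved. The confidence field uses the NATO/Admiralty A-F / 1-6 grading as an assumed scale, the field and function names are mine, and the event data is the Target example from the notes; the ‘B2’ grade given to it is an assumption, not something the notes state.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Lockheed Martin Cyber Kill Chain phases; used to validate the 'Phases' meta-feature.
KILL_CHAIN = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command and control", "actions on objectives",
)
RESULT_VALUES = ("success", "failure", "unknown")

# Assumed confidence scale (not part of the Diamond Model): the NATO/Admiralty code,
# source reliability A-F combined with information credibility 1-6, e.g. "B2".
SOURCE_RELIABILITY = "ABCDEF"
INFO_CREDIBILITY = "123456"


@dataclass
class DiamondEvent:
    # Core features: the four vertices, all required.
    adversary: str
    capability: str
    victim: str
    infrastructure: str
    # The two axes.
    social_political: str = ""
    technology: str = ""
    # Optional meta-features.
    timestamp: str = ""
    phases: List[str] = field(default_factory=list)
    result: str = "unknown"
    methodology: str = ""
    resources: List[str] = field(default_factory=list)
    # Analyst confidence in the intel as an Admiralty grade (assumed scale).
    confidence: Optional[str] = None

    def validate(self) -> List[str]:
        """Return the problems with this record; an empty list means it is usable."""
        problems: List[str] = []
        for name in ("adversary", "capability", "victim", "infrastructure"):
            if not getattr(self, name).strip():
                problems.append(f"missing core feature: {name}")
        if self.result not in RESULT_VALUES:
            problems.append(f"result must be one of {RESULT_VALUES}, got {self.result!r}")
        for phase in self.phases:
            if phase.lower() not in KILL_CHAIN:
                problems.append(f"unknown Kill Chain phase: {phase!r}")
        if self.confidence is not None and not (
            len(self.confidence) == 2
            and self.confidence[0] in SOURCE_RELIABILITY
            and self.confidence[1] in INFO_CREDIBILITY
        ):
            problems.append(f"confidence must be an Admiralty grade such as 'B2', got {self.confidence!r}")
        return problems

    def kill_chain_gaps(self) -> List[str]:
        """Kill Chain phases not recorded for this event, in chain order."""
        seen = {p.lower() for p in self.phases}
        return [p for p in KILL_CHAIN if p not in seen]

    def render(self) -> str:
        """Plain-text summary in the 'Feature: value' style used in the notes."""
        lines = [
            f"Adversary: {self.adversary}",
            f"Capability: {self.capability}",
            f"Victim: {self.victim}",
            f"Infrastructure: {self.infrastructure}",
            f"Social-Political: {self.social_political}",
            f"Technology: {self.technology}",
            f"Timestamp: {self.timestamp}",
            f"Phases: {', '.join(self.phases) or 'unknown'}",
            f"Result: {self.result}",
            f"Methodology: {self.methodology}",
            f"Resources: {', '.join(self.resources)}",
        ]
        if self.confidence:
            lines.append(f"Confidence: {self.confidence}")
        return "\n".join(lines)


# The Target 2013 example from the notes, recorded as an event.
TARGET_2013 = DiamondEvent(
    adversary="Andrey Hodirevski (Ukrainian hacker)",
    capability="Phishing, lateral movement across networks, malware deployment",
    victim="Target (accessed via a third-party vendor)",
    infrastructure="BlackPoS malware on electronic point-of-sale terminals",
    social_political="Financial gain",
    technology="Phishing email carrying the Citadel trojan; BlackPoS installed on unpatched PoS terminals",
    timestamp="2013-11-27 to 2013-12-18",
    phases=list(KILL_CHAIN),
    result="success",
    methodology="phishing",
    resources=["Citadel trojan", "BlackPoS"],
    confidence="B2",  # assumed grade, not stated in the notes
)

if __name__ == "__main__":
    print(TARGET_2013.render())
    print("problems:", TARGET_2013.validate())
```

Because there is no fixed order for filling in the diamond, the record accepts a partial event and reports what is still missing, so an analyst can start with a single IP address and a victim and add the rest as the investigation progresses.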