A Guide to the Diamond Model of Intrusion Analysis

A Guide to the Diamond Model of Intrusion Analysis

SBN

In a world where cyberattacks cripple organizations every 39 seconds, the accuracy, efficiency, and speed of incident response become critical factors in protecting digital assets and infrastructure. Additionally, to ensure that similar attacks don't succeed in the future, the threat response strategy needs to shift from a purely tactical approach to strategic mitigation that synthesizes, correlates, and documents threat intelligence against various infrastructural parameters. This is where the Diamond Model of Intrusion Analysis comes into the picture. It is a simple yet powerful model to authenticate and trace cyber threats using cognitive and mathematical reasoning.

This blog will dive deep into the model, uncover its strengths and weaknesses, and discuss other approaches that security teams can deploy to manage cyber-attacks and threat response.

The Diamond Model of Intrusion Analysis

Developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, the Diamond Model of Intrusion Analysis visualizes the relationship between the attackers, victims, and the underlying infrastructure during a threat incident using the four vertices of a diamond where each point depicts a core component of the attack.

The four vertices include:

Claroty

  1. The Adversary: The actor responsible for leveraging a capability against the victim to attain one or many goals. Otherwise known as the bad actor, or hacker in cybersecurity incidents.
  2. Capability: The tools, techniques, and procedures the adversary uses to attack the victim. This could be phishing attacks, brand impersonations, typosquatting, etc.
  3. Infrastructure: The physical and logical communication channels the adversary uses to deliver, deploy, and control their capability. In cybersecurity incidents, this could be employee emails, website domains, or fake app store postings to name a few.
  4. Victim: Organizations, people, and other assets against which the adversary has launched the campaign to exploit their vulnerabilities. Oftentimes in cybersecurity attacks, this is sensitive information like PII (personally identifiable information) or financial account info.

There are eight meta-features, or sub-components, of the diamond model:

  1. Timestamp: The date and time of the event.
  2. Phase: The different events or phases that make up the attack.
  3. Result: How successful has the adversary been in their operations?
  4. Direction: The direction of the adversary's activity determines the placement of detection mechanisms.
  5. Methodology: The general class of the activity taking place.
  6. Resources: One or more external resources on which the event depends.
  7. Technology: The technology enabling the infrastructure and capability of the adversary.
  8. Socio-political: The relationship between the victim and the adversary that defines the attack’s intent.

An example of The Diamond Model of Intrusion Analysis

The FIN8 attacks in 2021, targeting organizations in the financial, hospitality and entertainment space with a goal of financial gain, were a diamond event.

The adversary (FIN8) used infrastructure (PowerShell scripts) to deploy a capability (Sardonic Backdoor) while attacking victims (financial institutions).

Advantages of the Diamond Model of Intrusion Analysis

The Diamond Model of Intrusion Analysis is not just meant to outline cybersecurity attacks in a clear way, but also is a tool for organizations to quickly break down large amounts of attack surface data and combat larger, enterprise risks at the source.

Here is a breakdown of the advantages of using the Diamond Model of Intrusion Analysis:

  1. IOCs, or Indicators of Compromise, must be enriched with contextual underpinning, connecting them to other attack elements. The Diamond Model of Intrusion Analysis enhances the quality of these indicators and expands their range of applicability.
  2. Pivot opportunities become easier to identify with more effective analytics and insightful analytical questions.
  3. The analytical process becomes significantly more rigorous through hypothesis generation, documentation, and testing, increasing efficiency and accuracy across the whole chain.
  4. The flexibility of the model allows it to integrate with almost all the planning frameworks, enabling security personnel to develop logical courses of action and impactful mitigation strategies.
  5. The model formalizes the principles upon which new concepts of cyber analysis can be built and developed further.
  6. Gaps in threat intelligence can be quickly mapped to corresponding external resource requirements using the diamond model.
  7. The model can be used to collate already-established threat classification and intrusion detection research, making it much easier to relate it to the analytics process. This factor simplifies real-time event characterization.
  8. The model forms the bedrock of cyber activity ontologies, taxonomies, threat intelligence sharing protocols, and knowledge management.

Other cybersecurity models for intrusion analysis

The Diamond Model of Intrusion Analysis is one of three popular models that most security teams use. The Diamond Model explained above is a little more common than the other two, the Cyber Kill Chain and the MITRE ATT&CK Model. Let's look at how they work.

Lockheed Martin Cyber Kill Chain

First published in 2011, the Cyber Kill Chain is credited with bringing homogeneity and standardization to the cybersecurity industry. It outlines the typical seven steps that an attacker takes during an intrusion.

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and control
  7. Actions on objectives

The linearity of the approach is both a strength and weakness of this model. While it does allow operators to get more clarity, it also oversimplifies situations and leads to hasty, incomplete conclusions.

These disadvantages can be overcome by combining the linear Kill Chain model with the Diamond Model to build a visual attack graph that displays a richer, detailed depiction of an intrusion that allows for unexpected or gaps in the attack.

The MITRE ATT&CK Model

Also known as the Adversarial Tactics, Techniques, and Common Knowledge Model, it has become one of the most popular approaches adopted by modern-day applications to map out specific TTPs to each of the ten steps.

  1. Initial access
  2. Execution
  3. Persistence
  4. Privilege escalation
  5. Defense evasion
  6. Credential access
  7. Discovery
  8. Lateral movement
  9. Collection
  10. Command and control

This model makes it easier to identify common TTPs and IOCs that future cyberattacks might employ. The ability to predict vulnerabilities and potential threats makes it a valuable tool for developing pre-emptive mitigation strategies.

Efficiently defending against digital threats

The peculiarities of the Diamond Model give it a unique capability to protect digital infrastructure. Scrutinizing victimology and generating unforeseen links between the attacker, their abilities, and the victim's infrastructure enables security teams to identify noise and the corresponding pivoting activity.

Applying the Diamond Model of Intrusion Analysis within security operations empowers cybersecurity analysts with better tools to identify relationships between key digital risk components and create activity groups. These groups can be tracked to follow each hacker step closely during an attack. While this does make intrusion detection much more efficient, it also masks the potential weaknesses of the Diamond Model of Intrusion Analysis, one of which is the tedious, time-consuming process of manual analysis.

The rapidly evolving digital landscape has led to newer, more evasive, quick, and damaging cyber threats. Manual mitigation alone cannot prevent cybercrimes such as phishing, brand impersonation, and typosquatting. These new-age digital threats require an AI-powered automated detection, analysis, and remediation solution like Bolster.

Bolster is a robust digital risk protection tool that continuously monitors domains, social media, app stores, and the dark web using its proprietary AI platform, and automatically takes down threats efficiently, without any manual intervention.

To learn more about Bolster's AI-driven threat monitoring and takedown solution and learn how to highlight efficiency in your cybersecurity program, book a demo today.