The Diamond Model for Intrusion Analysis - Threat Intelligence


Published in: Technology
  • Speaker notes
  • We needed a way to systematically characterize organized threats, consistently track them as they evolve, sort one from another, and then figure out ways to counter them. This doesn’t just work on APT.
  • Meta-Features are very important for describing the relationships between events, especially in activity threads (incidents). The model accepts unknowns and uncertainty. Uncertainty will be represented as knowledge gaps. Pivoting provides a way to discover unknowns. Uncertainty is allowed through a confidence rating of each Edge and each Meta-Feature within the Event. This allows for knowledge gaps that can be addressed with hypothesis generation to attempt to fill the gaps, or with activity groupings that group similar activity so that inferences can be made.
  • Live TC demo as I move through the pivots… The Diamond model provides a powerful framework for Analytic Pivoting in the course of analysis. It is typically the first, and one of the most powerful, applications analysts will use. It is actually how the Diamond was discovered. Adversaries can be tracked as they change/evolve their infrastructure and capabilities if at least one node of its grouped/clustered set of associated nodes (or associated methodologies/sub-graphs) In this pivoting scenario the Diamond shown should be seen as a sort of “Hyper-Diamond”, as it is a set of grouped events, e.g. an Activity Group, vs. a single event, for simplification.
  • Understanding the Social-Political axis can allow you to predict attack targets and motivations. It can also allow you to make yourself a less attractive target.
  • Purple lines represent arcs correlating similar or identical nodes across activity threads/events (Horizontal Correlation). Blue lines are arcs/directed edges representing a sequenced, causal relationship between events in an activity thread (Vertical Correlation). Incident 2 has some unknowns and allows for hypothesis creation. Hypothesis generation and testing:
  • Don’t stick on this slide too long other than to point out there are really cool things you can do with machine learning/automated actions based on rules that fire on indicators grouped in a given activity group. This is like Amazon, except with defensive action vs. shopping; your APT gets a custom experience with your defenses based on your knowledge of their past behavior.
  • Feature selection is still an informed art as much as it is a science, and is why experience is valuable and data scientists get paid so much. You will go down rabbit holes. Learn from it and crawl back out. Intrusion Set Quiz: If I say there is a group that tends to be the first observed in the wild with the latest 0-day, drops PI, shifts to Hydraq/9002 once they gain access, moves laterally to target network admin types and then shifts to logging in legitimately via stolen VPN creds to conduct actions on objective, what group am I talking about? If I say there is a group who appears to originate out of Shanghai and uses a variety of base64/mod-base64 encoded C2 messages on third-party websites, who am I talking about? Some more…
  • These look familiar right?
  • A single Activity Thread, the set of Activity Threads from an Activity Group, or most comprehensively an Activity-Attack Graph can be used to populate the KILL CHAIN CoA Matrix. Activity Groups with capabilities and infrastructure can better represent the limits of those capabilities for CoA consideration. They can also be weighted in terms of the adversary’s observed favored usage or tendency to use them for the same purpose.
  • Transcript

    • 1. THE DIAMOND MODEL FOR INTRUSION ANALYSIS: A PRIMER
      Andy Pendergast
      © 2014 Cyber Squared Inc.
    • 2. BACKGROUND
      Why did we make this Diamond thing? ca. 2006… ZOMG APTz!!!
      Chris Betz, Serg
      As a group of analysts, we needed a systematic, repeatable way to:
      1. characterize organized threats
      2. consistently track them as they evolve
      3. sort one from another
      4. and then figure out ways to counter them.
    • 3. CURRENT USAGE
      • Cognitive model used by hundreds of Intel, Threat Intel, and DFIR analysts
      • “Foundational” concepts for emerging cyber ontologies/standards/protocols, e.g. STIX
      • Set and Graph theory based model used as the “bones” within systems such as ThreatConnect
    • 4. DIAMOND 101: EVENTS, EDGES, AND META FEATURES
      Events = Diamonds. Each Event is characterized by and requires four Core Features (aka nodes, vertices):
      • Adversary: bad-guy persona (email addresses, handles, phone #’s), network assets
      • Capability: malware, exploits, hacker tools, stolen certs
      • Infrastructure: IP addresses, domain names, email addresses
      • Victim: personas, network assets, email addresses
      Meta-Features:
      • Timestamp
      • Phase: e.g. Kill-Chain
      • Result: Success, Failure, etc.
      • Direction: i2v, i2i, a2i, etc.
      • Methodology: class of activity
      • Resources: necessary elements to carry out the event
      Unknowns and Uncertainty Welcome…
    • 5. DIAMOND 101: PIVOTING SCENARIO & DEMO
      (1) Victim discovers malware: 0606c10388c306f393128237f75e440f
      (2) Malware contains C2 domain info.officelatest[.]com
      (3) C2 domain resolves to IP address
      (4) Domain WHOIS provides registrant
      NOTE: I did not limit myself to observables/indicators on my network. I left the victim space in the first pivot to DISCOVER more about the Adversary and his Capabilities and Infrastructure.
    • 6. DIAMOND 121: EXTENDED DIAMOND
      Social-Political Meta-Feature: A relationship always exists between the adversary and the victim. Intent: You can use well-defined Activity Groups to better understand this relationship and infer Intent.
      Technology Meta-Feature: Represents the technology connecting & enabling the capability and infrastructure to operate. Analyzing underlying technology w/o knowledge of specific infrastructure or capability can reveal malicious activity.
    • 7. DIAMOND 101: ACTIVITY THREADS
      [Figure: activity threads for Incidents 1–4, grouped into Threat 1 and Threat 2]
      Working with the Cyber Kill-Chain™: Leveraging the Meta-Features allows grouping of events into ordered, causal chains of activity separated by phases.
      Vertical Correlation: IR process of identifying causal events in an Activity Thread. Directed arcs allow for “looping” events through phases. Hypothesis generation is supported (note the dashed diamond in Incident 2).
      Horizontal Correlation: Correlations between Activity Threads (Incidents here) can be made to enable grouping.
    • 8. DIAMOND 201: CREATING ACTIVITY GROUPS
      Activity Group: common/similar malicious events, adversary processes, and threads. TYPICALLY used initially to identify a common Adversary, but not limited to this. Some other examples:
      • Trending
      • Intent Deduction
      • Adversary Capabilities and Infrastructure
      • Cross-Capability Identification
      • Adversary Campaign Knowledge Gap Identification
      • Automated Mitigation Recommendation
      • Common Capability Development Deduction
      • Center of Gravity Identification
    • 9. DIAMOND 201: CREATING ACTIVITY GROUPS
      Steps to Create an Activity Group:
      1. Define the Problem
      2. Feature Selection
      3. Create
      4. Grow
      5. Analysis
      6. Redefine
      Define the Problem: “I want to define a common adversary behind events and threats using similarities in infrastructure and capabilities.” Other ways this may manifest: What makes APT1 activity APT1? What makes Rocra malware Red October and not someone else? Does PoisonIvy, PlugX, 9002 = the same APT?
      Feature Selection: Define what combination of elements (IPs, Domains, Malware, Processes) are criteria for grouping and select your data set(s) to search for this criteria. Criteria can be confidence weighted.
      But watch out Alice… rabbit holes
    • 10. DIAMOND 201: CREATING ACTIVITY GROUPS
      Create: The feature selection you chose can be used cognitively for clustering, or it can be applied in a group creation function.
      Grow: Once created, the Activity Groups can be grown by iterating the group creation function over newly available data.
    • 11. DIAMOND 201: CREATING ACTIVITY GROUPS
      Analysis: Now that we have a healthy Activity Group, growing as things change, I can fill knowledge gaps and define new problems like:
      • Trending: How has an adversary’s activity changed over time, and what is the current vector to infer future change?
      • Intent Deduction: What is the intent of the adversary?
      • Adversary Capabilities and Infrastructure: What is the complete set of observed capabilities and infrastructure of the adversary?
      • Cross-Capability Identification: Which capabilities have been used by multiple adversaries?
      • Adversary Campaign Knowledge Gap Identification: What are the organization’s knowledge gaps across an adversary’s campaign?
      • Automated Mitigation Recommendation: When an event is detected, which adversary is behind the event and what action can/should be taken?
      • Common Capability Development Deduction: Which capabilities show evidence of common authors/developers?
      • Center of Gravity Identification: Which resources and processes are the most common and critical to an activity and/or campaign?
      Or… Redefine: through knowledge learned I may want to go back and revisit my grouping function.
    • 12. ADVANCED DIAMOND: ACTIVITY-ATTACK GRAPHS FOR MITIGATION
      Attack Graphs identify and enumerate paths an adversary could take. They are exhaustive. Activity Threads define paths an adversary has taken. If you overlay what could happen with what has happened, you get an Activity-Attack Graph.
      Key Benefits: It highlights attacker preferences alongside possible alternative paths. Enables better Mitigation Strategies by mitigating the current threat while taking into account reactions or alternate adversary tactics.
    • 13. USE WITH THE CYBER KILL CHAIN™
      Highly Complementary, How? A Single Activity Thread, an Activity Group, or an Activity-Attack Graph feeds the CYBER KILL CHAIN™ Course of Action Matrix (shown for Victim 1 and Victim 2):
      Kill Chain phases: Recon, Delivery, Exploitation, C2, Actions on Obj
      Courses of Action: Detect, Deny, Disrupt, Degrade, Deceive, Destroy
    • 14. CONCLUSIONS
      This is just a primer, learn more here:
      • Sergio’s Summary:
      • Full Paper:
      • Full Paper on DTIC:
      Also, look out for an upcoming full SANS CTI Course based on the Diamond and the Kill-Chain.
      THANK YOU. Special thanks to Sergio and Chris for being Super Heroes. Also to the entire Cyber Squared team for their constant support and assistance.
      Andy Pendergast
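As an added example (not code from the slides, and not ThreatConnect's implementation), the Python below sketches the analytic pivot of slide 5 together with the Feature Selection, Create and Grow steps of slides 9 and 10 over a handful of constructed events. Only the malware hash and C2 domain are taken from slide 5; the victim labels, the other two hashes, the 198.51.100.7 address, the weights and the threshold are assumed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One Diamond event: the four core features plus the kill-chain phase meta-feature."""
    adversary: str       # "unknown" records a knowledge gap, which the model allows
    capability: str
    infrastructure: str
    victim: str
    phase: str

def pivot(events, feature, value):
    """Analytic pivot (slide 5): every event sharing one core-feature value."""
    return [e for e in events if getattr(e, feature) == value]

def similarity(a, b, weights):
    """Feature selection (slide 9): confidence-weighted share of selected features that match."""
    matched = sum(w for f, w in weights.items() if getattr(a, f) == getattr(b, f))
    return matched / sum(weights.values())

def grow_groups(groups, new_events, weights, threshold):
    """Grow (slide 10): fold new events into groups; an event linking several groups merges them."""
    for e in new_events:
        hits = [g for g in groups if any(similarity(e, m, weights) >= threshold for m in g)]
        merged = {e}
        for g in hits:
            merged |= g
            groups.remove(g)
        groups.append(merged)
    return groups

def create_groups(events, weights, threshold):
    """Create (slide 10): the group creation function applied to the initial data set."""
    return grow_groups([], events, weights, threshold)

# Constructed sample events: the hash and C2 domain are from slide 5, everything else is made up.
H, C2 = "0606c10388c306f393128237f75e440f", "info.officelatest[.]com"
EVENTS = [
    Event("unknown", H, C2, "victim-1", "C2"),
    Event("unknown", H, C2, "victim-2", "C2"),
    Event("unknown", "hash-B", C2, "victim-3", "C2"),
    Event("unknown", "hash-C", "198.51.100.7", "victim-4", "C2"),
]
# Shared infrastructure is weighted as strong evidence; a shared capability alone is weak (it may
# be a commodity tool), so victim-4 stays out of the group and the grouping avoids that rabbit hole.
WEIGHTS = {"infrastructure": 0.7, "capability": 0.3}
GROUPS = create_groups(EVENTS, WEIGHTS, threshold=0.6)
# Grow with new data: victim-5 shares the C2 domain with the group and hash-C with victim-4; only
# the infrastructure match crosses the threshold, so it joins the group without pulling in victim-4.
GROUPS = grow_groups(GROUPS, [Event("unknown", "hash-C", C2, "victim-5", "C2")], WEIGHTS, 0.6)
```

Raising the capability weight (or lowering the threshold) would chain victim-4 in through hash-C alone, which is exactly the Redefine step the slides describe: revisit the grouping function once you learn whether a shared capability is adversary-specific or commodity.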