The Diamond Model provides a systematic framework for characterizing organized cyber threats by modeling intrusions as a series of interconnected events. It represents intrusions as a graph of events (diamonds) connected by their core features of personas, network assets, malware, and tools. This allows analysts to consistently track threats over time, correlate related incidents, and infer adversary capabilities. The model also incorporates meta-features to provide additional context for understanding threats at different levels, from singular events to coordinated campaigns. By grouping similar intrusion patterns into activity groups, the Diamond Model enables identifying adversary infrastructure and techniques to better counter evolving threats.

1. THE DIAMOND MODEL FOR INTRUSION
ANALYSIS: A PRIMER
Andy Pendergast
© 2014 Cyber Squared Inc.
1

2. BACKGROUND
Why did we make this Diamond thing?
ca. 2006… ZOMG APTz!!!
Chris Betz
As a group of analysts, we needed a systematic,
repeatable way to:
1. characterize organized threats
2. consistently track them as they evolve
3. sort one from another
4. and then figure out ways to counter them.
Serg
© 2014 Cyber Squared Inc.
2

3. CURRENT USAGE
• Cognitive model used by hundreds of Intel, Threat Intel, DFIR analysts
• “Foundational” concepts for emerging cyber ontologies/standards/protocols e.g.
STIX
• Set and Graph theory based model used as the “bones” within systems such as
ThreatConnect
© 2014 Cyber Squared Inc.
3

4. DIAMOND 101:
EVENTS, EDGES, AND META FEATURES
Events=Diamonds
Meta-Features
• Timestamp
• Phase: e.g. Kill-Chain
• Result: Success, Failure, etc.
• Direction: i2v,i2i, a2i, etc
• Methodology: Class of Activity
• Resources: Necessary elements
to carry out the event.
Each Event is characterized by and requires
four Core Features (aka nodes, vertices):
•
•
Badguy Persona: email
addresses, handles, phone #’s
Network Assets
•
•
•
•
Malware
Exploits
Hacker Tools
Stolen Certs
•
•
•
© 2014 Cyber Squared Inc.
•
•
•
Personas
Network Assets
Email Addresses
IP Addresses
Domain Names
Email Addresses
Unknowns and
Uncertainty
Welcome…
4

5. DIAMOND 101:
PIVOTING SCENARIO & DEMO
NOTE: I did not limit myself to observables/indicators
on my network. I left the victim space in the first pivot
to DISCOVER more about the Adversary and his
Capabilities and Infrastructure.
(4) Domain WHOIS
provides registrant
(tommy.bibber1234321@ddd.com)
(2) Malware contains C2 Domain
info.officelatest[.]com
(3) C2 domain
resolves to IP
Address
0606c10388c306f393128237f75e440f
142.91.132.23
(1) Victim Discovers malware:
© 2014 Cyber Squared Inc.
5

6. DIAMOND 121:
EXTENDED DIAMOND
Social-Political Meta-Feature: A
relationship always exists between the
adversary and the victim.
Intent: You can use well defined Activity
Groups to better understand this
relationship and infer Intent.
Social-Political Meta
Feature
Technology Meta-Feature: Represents the
technology connecting & enabling the
capability and infrastructure to operate.
Technology Meta
Feature
© 2014 Cyber Squared Inc.
Analyzing underlying technology w/o
knowledge of specific infrastructure or
capability can reveal malicious activity.
6

7. DIAMOND 101:
ACTIVITY THREADS
Incident 4
Incident 33
Incident
Incident 1
Incident 2
Working with the Cyber Kill-Chain™:
Leveraging the Meta Features
allows grouping of events into
ordered, causal chains of activity
separated by phases.
Vertical Correlation: IR Process of
identifying causal events in an
Activity Thread.
Directed Arcs allow for “looping”
events through phases.
Hypothesis generation is supported
(note the dashed-diamond in
Incident 2).
Threat 2
Threat 1
© 2014 Cyber Squared Inc.
Horizontal Correlation: Correlations
between Activity Threads (Incidents
here) can be made to enable
grouping.
7

8. DIAMOND 201:
CREATING ACTIVITY GROUPS
Activity Group: common/similar malicious events, adversary processes, and threads.
TYPICALLY used initially to identify a common Adversary. But not limited to this.
Some Other Examples:
Trending
Intent Deduction
Adversary Capabilities and Infrastructure
Cross-Capability Identification
Adversary Campaign Knowledge Gap Identification
Automated Mitigation Recommendation
Common Capability Development Deduction
Center of Gravity Identification
© 2014 Cyber Squared Inc.
8

9. DIAMOND 201:
CREATING ACTIVITY GROUPS
Steps to Create an Activity Group
1. Define the Problem
Define the Problem: “I want to define a common adversary behind
2. Feature Selection
events and threats using similarities in infrastructure and capabilities.”
3. Create
4. Grow
5. Analysis
6. Redefine
But watch out
Alice…rabbit
holes
Other ways this may manifest:
What makes APT1 activity APT1?,
What makes Rocra malwareRed October and not someone else?
Does PoisonIvy, PlugX, 9002 = the same APT?
Feature Selection: Define what combination of elements (Ips,
Domains, Malware, Processes) are criteria for grouping and select your
data set(s) to search for this criteria. Criteria can be confidence
weighted.
© 2014 Cyber Squared Inc.
9

10. DIAMOND 201:
CREATING ACTIVITY GROUPS
Create: The feature selection you chose
can be used cognitively for clustering or
it can be applied in a group creation
function.
© 2014 Cyber Squared Inc.
Grow: Once created, the Activity Groups
can be grown by iterating the group
creation function over newly available
data.
10

11. DIAMOND 201:
CREATING ACTIVITY GROUPS
Analysis: Now that we have a healthy Activity Group, growing as things change; I can fill knowledge gaps,
define new problems like:
Trending: How has an adversary’s activity changed over time and what is the current vector to infer future change?
Intent Deduction: What is the intent of the adversary?
Adversary Capabilities and Infrastructure: What is the complete set of observed capabilities and infrastructure of the adversary?
Cross-Capability Identification: Which capabilities have been used by multiple adversaries?
Adversary Campaign Knowledge Gap Identification: What are the organization’s knowledge gaps across an adversary’s campaign?
Automated Mitigation Recommendation: When an event is detected which adversary is behind the event and what action can/should be taken?
Common Capability Development Deduction: Which capabilities show evidence of common authors/developers?
Center of Gravity Identification: Which resources and processes are the most common and critical to an activity and/or campaign?
Or… Redefine: through knowledge learned I may want to go back and revisit my
grouping function.
© 2014 Cyber Squared Inc.
11

12. ADVANCED DIAMOND:
ACTIVITY-ATTACK GRAPHS FOR MITIGATION
Attack Graphs identify and enumerate paths an adversary
could take. They are exhaustive.
Activity Threads define paths an adversary has taken.
If you overlay what could happen with what has happened
you get an Activity-Attack Graph.
Key Benefits:
It highlights attacker preferences alongside possible
alternative paths.
Enable better Mitigation Strategies by mitigating current
threat and taking into account reactions or alternate
adversary tactics.
© 2014 Cyber Squared Inc.
12

13. USE WITH THE CYBER KILL CHAIN™
Highly Complementary, How?
Activity-Attack Graph
Single Activity
Thread
CYBER KILL CHAIN™ Coarse of Action Matrix
Activity Group
Detect Deny
Victim 2
Disrupt Degrade Deceive Destroy
Recon
Delivery
Exploitation
C2
Actions on
Obj
Victim 1
© 2014 Cyber Squared Inc.
13

14. CONCLUSIONS
This is just a
Sergio’s Summary: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond_summary.pdf
primer, learn Full Paper: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf
Full Paper on DTIC: http://www.dtic.mil/get-tr-doc/pdf?AD=ADA586960
more here:
Also, look out for an upcoming full SANS CTI Course based on the
Diamond and the Kill-Chain.
THANK YOU
Special thanks to Sergio and Chris for being Super Heroes.
Also to the entire Cyber Squared team for their constant support and assistance.
Andy Pendergast, apendergast@threatconnect.com
© 2014 Cyber Squared Inc.
14