
Diamond Model

Task 1 : Introduction

What is The Diamond Model?

The Diamond Model of Intrusion Analysis was developed in 2013 by the cybersecurity professionals Sergio Caltagirone, Andrew Pendergast, and Christopher Betz.

Task 2 : Adversary

Q&A:

What is the term for a person/group that has the intention to perform malicious actions against cyber resources? Adversary Operator

What is the term for the person or group that receives the benefits from the cyberattacks? Adversary Customer

Task 3 : Victim

Q&A:

What is the term that applies to the Diamond Model for organizations or people that are being targeted? Victim Personae

Task 4 : Capability

Q&A:

Provide the term for the set of tools or capabilities that belong to an adversary. Adversary Arsenal

Task 5 : Infrastructure

Q&A:

To which type of infrastructure do malicious domains and compromised email accounts belong? Type 2 Infrastructure

What type of infrastructure is most likely owned by an adversary? Type 1 Infrastructure

Task 6 : Event Meta Features

Q&A:

What meta-feature does the axiom “Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result” belong to? Phase

You can label the event results as “success”, “failure”, and “unknown”. What meta-feature is this related to? Result

To what meta-feature does this phrase apply: “Every intrusion event requires one or more external resources to be satisfied prior to success”? Resources

Task 7 : Social-Political Component

The social-political component describes the needs and intent of the adversary, for example financial gain, acceptance in the hacker community, hacktivism, or espionage.

One scenario is that the victim supplies a “product”, for example computing resources and bandwidth as a zombie in a botnet used for crypto mining (producing new cryptocurrency by solving cryptographic equations on computers), while the adversary consumes that product or profits from it.

Task 8 : Technology Component

The technology component highlights the relationship between two core features, capability and infrastructure: together they describe how the adversary operates and communicates. One scenario is a watering-hole attack, in which the adversary compromises legitimate websites that it believes its targeted victims will visit.
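The terms from Tasks 2 to 8 fit together as one data structure: four core features at the vertices, the meta-features (here timestamp, phase and result), and the social-political and technology axes. The following added example, which is not part of the room or of this writeup, models an intrusion event that way and then performs the two operations an analyst actually does with the model: pivoting from one known vertex (a compromised email account, i.e. type 2 infrastructure) to everything that co-occurs with it, and grouping events into activity threads that are checked against the phase axiom quoted in Task 6. All operator names, team names and hostnames are constructed for the example.

```python
"""Diamond Model intrusion events as data, plus two analytic operations on
them: pivoting across a shared vertex and ordering events into activity
threads that are checked against the phase axiom."""
from collections import defaultdict
from dataclasses import dataclass

# Labels accepted for the "result" meta-feature (Task 6 of the room).
RESULT_LABELS = {"success", "failure", "unknown"}
# The four core features, i.e. the vertices of the diamond.
CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    adversary: str              # adversary operator (or customer, when known)
    capability: str             # item from the adversary arsenal
    infrastructure: str         # type 1 (adversary-owned) or type 2 (compromised) asset
    victim: str                 # victim persona or asset
    timestamp: str              # ISO-8601 text, so lexical order is time order
    phase: str                  # phase meta-feature, e.g. "delivery"
    result: str                 # result meta-feature, one of RESULT_LABELS
    social_political: str = ""  # adversary need or intent (Task 7)
    technology: str = ""        # how capability and infrastructure interact (Task 8)

    def __post_init__(self) -> None:
        if self.result not in RESULT_LABELS:
            raise ValueError(f"result must be one of {sorted(RESULT_LABELS)}, got {self.result!r}")


def pivot(events, feature, value):
    """Start from one known vertex value and collect every other vertex value
    that co-occurs with it. This is the analyst's pivot: from one compromised
    account to the capabilities delivered through it and the victims that
    received them, which is what links separate events to a common adversary."""
    if feature not in CORE_FEATURES:
        raise ValueError(f"pivot feature must be one of {CORE_FEATURES}")
    related = {f: set() for f in CORE_FEATURES if f != feature}
    for event in events:
        if getattr(event, feature) == value:
            for other in related:
                related[other].add(getattr(event, other))
    return related


def activity_threads(events):
    """Group events by adversary-victim pair and order each group by time.
    Each group is an activity thread: the chain of phases one adversary ran
    against one victim."""
    threads = defaultdict(list)
    for event in events:
        threads[(event.adversary, event.victim)].append(event)
    return {pair: sorted(group, key=lambda e: e.timestamp) for pair, group in threads.items()}


def check_phase_axiom(thread):
    """Apply the phase axiom from Task 6: malicious activity has two or more
    phases executed successfully in succession. Returns analyst findings;
    an empty list means the thread is consistent with the axiom."""
    findings = []
    if len({event.phase for event in thread}) < 2:
        findings.append("fewer than two phases observed; the thread is incomplete")
    for earlier, later in zip(thread, thread[1:]):
        if earlier.result == "failure":
            findings.append(f"{later.phase} follows a failed {earlier.phase}; "
                            "re-check the result label or look for a missing retry event")
        elif earlier.result == "unknown":
            findings.append(f"{earlier.phase} is marked unknown but {later.phase} followed; "
                            "the axiom implies it actually succeeded")
    return findings


# Constructed sample events: every operator, team and hostname here is made up.
SHARED_ACCOUNT = "mail.example.test (compromised account, type 2)"
SAMPLE_EVENTS = [
    DiamondEvent("operator-A", "phishing kit", SHARED_ACCOUNT, "finance-team",
                 "2024-03-01T09:00", "delivery", "success", "financial gain", "email"),
    DiamondEvent("operator-A", "macro dropper", "update.example.test (malicious domain, type 2)",
                 "finance-team", "2024-03-01T09:05", "exploitation", "success",
                 "financial gain", "http"),
    DiamondEvent("operator-A", "coin miner", "pool.example.test (adversary-owned, type 1)",
                 "finance-team", "2024-03-01T09:20", "installation", "unknown",
                 "financial gain", "tcp"),
    DiamondEvent("operator-B", "phishing kit", SHARED_ACCOUNT, "hr-team",
                 "2024-03-02T11:00", "delivery", "failure", "", "email"),
]

if __name__ == "__main__":
    print(pivot(SAMPLE_EVENTS, "infrastructure", SHARED_ACCOUNT))
    for pair, thread in activity_threads(SAMPLE_EVENTS).items():
        print(pair, [e.phase for e in thread], check_phase_axiom(thread))
```

Pivoting on the shared compromised account ties operator-A and operator-B to the same type 2 infrastructure and the same capability, which is the kind of overlap that turns two tickets into one adversary investigation. The axiom check reads the thread the way the room describes: a later phase can only exist if the earlier one succeeded, so a "failure" followed by another phase means a mislabelled result or a missing event, and an "unknown" followed by another phase can be upgraded to a success.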

Task 9 : Practice Analysis

Q&A:

Complete all eight areas of the diamond. What is the flag that is displayed to you? THM{DIAMOND_MODEL_ATTACK_CHAIN}

Task 10 : Conclusion

We hope you enjoyed this room and will apply the Diamond Model's concepts to disrupt threat activity and to bring valuable information to your team, to business executives (the C-Suite), and to any non-technical audience, customer, or client.

The Diamond Model is a scientific method to improve the efficiency and accuracy of intrusion analysis. With this in your arsenal, you will have opportunities to leverage real-time intelligence for network defence and predict adversary operations.

This post is licensed under CC BY 4.0 by the author.