In the Diamond Model, every intrusion event is described by four core features (the vertices of the diamond): adversary, capability, infrastructure, and victim.
- Adversary – These are the parties responsible for the intrusion.
- Capability – This is a tool or technique that the adversary uses to attack the victim.
- Infrastructure – This is the network path or paths that the adversaries use to establish and maintain command and control over their capabilities.
- Victim – This is the target of the attack. Note that a host that is the victim in one event can become infrastructure in a later one; for example, a compromised workstation may be used to launch attacks against other systems.
The adversary uses capabilities over infrastructure to attack the victim. The model can be interpreted as saying, “The adversary uses the infrastructure to connect to the victim. The adversary develops a capability to exploit the victim.” For example, a capability like malware might be used over the email infrastructure by an adversary to exploit a victim.
Meta-features expand the model slightly to include the following important elements:
- Timestamp – This indicates the start and stop time of an event and is an integral part of grouping malicious activity.
- Phase – This is analogous to a step in the Cyber Kill Chain. A single event is one step; malicious activity as a whole consists of two or more events executed in succession to achieve the desired result.
- Result – This delineates what the adversary gained from the event. Results can be documented as one or more of the following: confidentiality compromised, integrity compromised, and availability compromised.
- Direction – This indicates the direction of the event across the Diamond Model: Adversary-to-Infrastructure, Infrastructure-to-Victim, Victim-to-Infrastructure, and Infrastructure-to-Adversary. (The original Diamond Model paper also allows Bidirectional and Unknown for cases where the direction is ambiguous or not yet established.)
- Methodology – This is used to classify the general type of event, such as port scan, phishing, content delivery attack, SYN flood, etc.
- Resources – These are one or more external resources the adversary needs for the intrusion event, such as software, the adversary's knowledge, information (e.g., usernames/passwords), and assets to carry out the attack (hardware, funds, facilities, network access).
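The point of recording events this way is that each vertex becomes something an analyst can pivot on: start from one known value (a command-and-control address, a malware hash, a compromised host) and collect every event that shares it, then read off the other vertices. The following Python is an added example written for this page, not code from the original article or from the Diamond Model authors. It models an event with the four core features and the six meta-features above, then implements three pivots: all events touching one vertex value, the set of related vertices on the other side of the diamond, and the victim-turned-infrastructure case from the Victim bullet. The adversary name, hostnames, the 203.0.113.10 address and the events themselves are constructed sample data, and the phase strings are Cyber Kill Chain step names chosen for illustration.

```python
"""Diamond Model events as data, with analytic pivoting across vertices.

Added example (not from the original article): a small, runnable model of
intrusion events with the four core features and the six meta-features,
plus the pivots analysts actually perform. All names, addresses and
events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Direction(Enum):
    ADVERSARY_TO_INFRASTRUCTURE = "Adversary-to-Infrastructure"
    INFRASTRUCTURE_TO_VICTIM = "Infrastructure-to-Victim"
    VICTIM_TO_INFRASTRUCTURE = "Victim-to-Infrastructure"
    INFRASTRUCTURE_TO_ADVERSARY = "Infrastructure-to-Adversary"


class Result(Enum):
    CONFIDENTIALITY = "confidentiality compromised"
    INTEGRITY = "integrity compromised"
    AVAILABILITY = "availability compromised"


CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    # Core features: the four vertices of the diamond
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    # Meta-features
    start: datetime
    end: datetime
    phase: str                 # Cyber Kill Chain step this event belongs to
    results: frozenset         # subset of Result (empty if nothing gained yet)
    direction: Direction
    methodology: str           # general event type: phishing, port scan, ...
    resources: tuple = ()      # external resources the adversary needed


def pivot(events, feature, value):
    """Return every event whose `feature` vertex equals `value`.
    This is the basic Diamond pivot: start at one known vertex value and
    collect the events that share it."""
    if feature not in CORE_FEATURES:
        raise ValueError(f"not a core feature: {feature}")
    return [e for e in events if getattr(e, feature) == value]


def related_vertices(events, feature, value, other):
    """Pivot from one vertex to another across the diamond, e.g. from an
    infrastructure indicator to the set of victims it was used against."""
    if other not in CORE_FEATURES:
        raise ValueError(f"not a core feature: {other}")
    return {getattr(e, other) for e in pivot(events, feature, value)}


def victims_reused_as_infrastructure(events):
    """Victims that later appear as infrastructure (a compromised host used
    to attack others). The victim event must end before the infrastructure
    event starts for the host to count, so timestamps matter here."""
    reused = set()
    for v in events:
        for i in events:
            if i.infrastructure == v.victim and i.start > v.end:
                reused.add(v.victim)
    return reused


def activity_thread(events, adversary):
    """Events attributed to one adversary, ordered by start time; this is
    how individual diamonds are chained into kill-chain phases."""
    return sorted(pivot(events, "adversary", adversary), key=lambda e: e.start)


# Constructed sample data (hypothetical adversary, hosts and address).
T = datetime
EVENTS = [
    DiamondEvent("actor-1", "malicious macro document", "203.0.113.10",
                 "workstation-7", T(2024, 5, 1, 9, 0), T(2024, 5, 1, 9, 1),
                 "Delivery", frozenset(), Direction.INFRASTRUCTURE_TO_VICTIM,
                 "phishing", ("mail-sending account",)),
    DiamondEvent("actor-1", "malicious macro document", "203.0.113.10",
                 "workstation-12", T(2024, 5, 1, 9, 2), T(2024, 5, 1, 9, 3),
                 "Delivery", frozenset(), Direction.INFRASTRUCTURE_TO_VICTIM,
                 "phishing", ("mail-sending account",)),
    DiamondEvent("actor-1", "credential-dumping tool", "workstation-7",
                 "fileserver-1", T(2024, 5, 1, 11, 0), T(2024, 5, 1, 11, 30),
                 "Actions on Objectives", frozenset({Result.CONFIDENTIALITY}),
                 Direction.INFRASTRUCTURE_TO_VICTIM, "lateral movement",
                 ("stolen domain credentials",)),
]

if __name__ == "__main__":
    print(related_vertices(EVENTS, "infrastructure", "203.0.113.10", "victim"))
    print(victims_reused_as_infrastructure(EVENTS))
    print([e.phase for e in activity_thread(EVENTS, "actor-1")])
```

Pivoting on the sending address 203.0.113.10 returns both phished workstations, and the timestamp check in `victims_reused_as_infrastructure` is what lets the model say that workstation-7 was first a victim and then the infrastructure for the lateral-movement event, rather than merely that the name appears on two vertices.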
Figures (not reproduced on this page): The Diamond Model; Pivoting Across the Diamond Model; Diamond Model Characterization of an Exploit; The Diamond Model and the Cyber Kill Chain.
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that at an individual and corporate level. I have trained several individuals and groups, and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank and New Horizons Nigeria, among others. Please come on WhatsApp and let's talk about your training. You can reach me on WhatsApp HERE. Please note that I will be using Microsoft Teams to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We would appreciate it if you could drop a comment. Thanks in anticipation.