Hello, everyone. To continue the module on cyber threat intelligence frameworks, today we are going to be talking about the Diamond Model,
the second framework in our series on threat intelligence. So let's get started.
This model was created in 2013 by the now defunct Center for Cyber Intelligence Analysis and Threat Research.
This model describes that an adversary deploys a capability over some infrastructure against a victim, as shown in the figure on the right.
These activities are called events, and they are the atomic features of this model. Analysts or machines populate the model's vertices as events are discovered and detected;
the vertices are linked with edges highlighting the natural relationships between the features.
By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure and victims.
The Diamond Model helps defenders track an attacker, the victims, the attacker's capabilities, and the infrastructure that the attacker uses.
Each of the points on the diamond is a pivot point that defenders can use during an investigation to connect one aspect of an attack with the others.
Let's put this into perspective by using an example.
Let's say you uncover command and control traffic to a suspicious IP address.
The Diamond Model will help you pivot from this initial indicator to find information about the attacker associated with that IP address, then research the known capabilities of that attacker.
Knowing those capabilities will enable you to respond more quickly and effectively to the incident.
Or imagine that your cyber threat intelligence solution uses the Diamond Model.
If the board of directors asks who is launching similar attacks against other organizations in your industry,
you may be able to quickly find a list of victims, the probable attacker, and a description of that attacker's tactics, techniques and procedures. These will help you decide what defenses need to be put in place.
An event defines a discrete, time-bound activity, restricted to a specific phase, where an adversary requiring external resources uses a capability and methodology over some infrastructure against a victim with a given result. Of course, not all of the features need to be known to create an event.
In almost all cases,
most features are expected to be unknown at first and completed only after the initial discovery, as new facts are revealed and more data is gathered. Each feature has an associated confidence value.
This value is left purposely undefined, as each model implementation may understand confidence differently. Furthermore, confidence is likely a function of multiple values, such as the confidence of an analytic conclusion or the accuracy of a data source.
As necessary, the confidence value may also be
itemized as a sub-tuple to better capture the individual elements of confidence.
One of the big advantages of the Diamond Model is its flexibility and extensibility.
You can add different features of an attack under the appropriate point on the diamond to create complex profiles of different attackers. Other features of an attack that can be tracked include:
Phase, to know where the attack is.
Remember the cyber kill chain; it may be helpful here.
Result, what the attacker is getting out of the compromise.
Direction, where is it heading? Is the malware configured to move laterally, or is it a one-target hit?
Methodology, how does the attacker plan to use their capabilities?
And five, resources:
is it an isolated attack, or is there a wider, menacing range of tools behind it,
or any other actors involved?
All this information is very valuable, but if you don't have it, it won't stop you from completing your model. And that's the great advantage and flexibility of the Diamond Model.
Now, analytic pivoting using the Diamond Model can be seen in this image.
One of the most powerful features of the diamond
allows an analyst to exploit the fundamental relationships between features, highlighted by the edges between the features, to discover new knowledge of malicious activity.
As you can see, we can go through every vertex of the model, pivoting according to the activity discovered in each of them. So let's follow along.
First, the victim discovers the malware and its capabilities.
Among these capabilities, a command and control domain is found. This means that the adversary is sending instructions to the malware that infected the victim.
Now this domain represents infrastructure, and it can be resolved to the form of an IP address; when that IP address is correlated with further destinations, more victims can be discovered, and also, by searching through the IP address ownership, the adversary can be revealed.
This greatly empowers the cyber threat intelligence capabilities by providing all the information necessary from an attack across multiple potential victims and infrastructure in bulk.
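To make the event definition, the optional meta-features and the pivoting walk-through above concrete, here is a small added example in Python. It is not code from the lecture or from the Diamond Model paper; the event and feature structures, the `pivot` and `pivot_from_capability` functions, and the DNS and ownership lookup tables are all assumptions for illustration, and every host name, domain, hash and IP address in it is constructed sample data (the IPs come from the RFC 5737 documentation ranges).

```python
"""Diamond Model events and analytic pivoting over constructed sample data.

Added example (not the lecture's or the paper's code). It follows the steps
described in the lecture: malware -> C2 domain -> IP -> more victims and adversary.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Feature:
    """One vertex value plus its confidence.

    The model leaves confidence semantics to the implementation; here it is a
    plain 0.0..1.0 score (assumption), which an implementation could replace
    with a sub-tuple such as (analytic confidence, source accuracy).
    """
    value: str
    confidence: float


@dataclass
class Event:
    """A discrete activity; any core feature or meta-feature may still be unknown."""
    event_id: str
    adversary: Optional[Feature] = None
    capability: Optional[Feature] = None
    infrastructure: Optional[Feature] = None
    victim: Optional[Feature] = None
    # Meta-features from the lecture; all optional so an incomplete event is valid.
    phase: Optional[str] = None
    result: Optional[str] = None
    direction: Optional[str] = None
    methodology: Optional[str] = None
    resources: List[str] = field(default_factory=list)


CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")


def known_features(event: Event) -> List[str]:
    """Names of the core vertices that have been populated so far."""
    return [name for name in CORE_FEATURES if getattr(event, name) is not None]


def pivot(events: List[Event], feature: str, value: str, min_conf: float = 0.0) -> List[Event]:
    """Pivot on one vertex: every event whose `feature` equals `value` at or above `min_conf`."""
    matches = []
    for event in events:
        feat = getattr(event, feature)
        if feat is not None and feat.value == value and feat.confidence >= min_conf:
            matches.append(event)
    return matches


def pivot_from_capability(events, capability_value, dns, ownership, min_conf=0.5):
    """Walk the edges as in the lecture and return what each pivot revealed, or None."""
    # Step 1: the victim discovered the malware, so start at the capability vertex.
    seed = pivot(events, "capability", capability_value)
    if not seed:
        return None
    # Step 2: the C2 domain found in the malware is the infrastructure vertex of those events.
    domains = {e.infrastructure.value for e in seed if e.infrastructure is not None}
    # Step 3: resolve each domain to an IP address (constructed table stands in for DNS).
    ips = {dns[d] for d in domains if d in dns}
    # Step 4: correlate the IP with other destinations seen in telemetry -> more victims.
    victims = {e.victim.value for e in seed if e.victim is not None}
    for ip in ips:
        for e in pivot(events, "infrastructure", ip, min_conf):
            if e.victim is not None:
                victims.add(e.victim.value)
    # Step 5: ownership of the IP points at the adversary vertex (constructed table stands in for whois).
    adversaries = {ownership[ip] for ip in ips if ip in ownership}
    return {
        "domains": sorted(domains),
        "ips": sorted(ips),
        "victims": sorted(victims),
        "adversaries": sorted(adversaries),
    }


# ---- constructed sample data ---------------------------------------------------
DROPPER = "dropper.exe sha256:0000constructed0000"          # constructed malware identifier
DNS = {"updates.example-c2.test": "203.0.113.7"}            # constructed resolution
OWNERSHIP = {"203.0.113.7": "constructed-registrant-A"}     # constructed ownership record

EVENTS = [
    # The victim's own discovery: malware and the C2 domain it talks to.
    Event("ev-1", capability=Feature(DROPPER, 0.9),
          infrastructure=Feature("updates.example-c2.test", 0.8),
          victim=Feature("host-finance-01", 1.0), phase="command and control",
          direction="lateral", methodology="malware beaconing", resources=["dropper"]),
    # Network telemetry: other hosts contacting the same IP, with differing confidence.
    Event("ev-2", infrastructure=Feature("203.0.113.7", 0.7),
          victim=Feature("host-hr-07", 1.0), phase="command and control"),
    Event("ev-3", infrastructure=Feature("203.0.113.7", 0.5),
          victim=Feature("partner-org-mail", 0.6)),
    # Unrelated traffic that the pivot must not pull in.
    Event("ev-4", infrastructure=Feature("198.51.100.9", 0.9),
          victim=Feature("host-dev-03", 1.0)),
]

if __name__ == "__main__":
    print(known_features(EVENTS[1]))                       # ['infrastructure', 'victim']
    print(pivot_from_capability(EVENTS, DROPPER, DNS, OWNERSHIP))
    print(pivot_from_capability(EVENTS, DROPPER, DNS, OWNERSHIP, min_conf=0.6))
```

The `min_conf` threshold is where the model's per-feature confidence earns its keep: at 0.5 the low-confidence partner event `ev-3` is pulled in as a possible third victim, while at 0.6 it drops out, so an analyst can widen or narrow the pivot without changing the recorded events.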
Okay, we're going to hit the pause button for a little bit now. Since we went through a lot of information, feel free to slowly review the information that we have just discussed about the Diamond Model and think about how it can not only be applied to an organization but also coexist with the past framework that we reviewed.
Remember that these frameworks are not mutually exclusive
and are being presented in a way that all of them can benefit from the others' capabilities.
But let's review what we just went through today. We started poking around the Diamond Model and got a general idea of how it works
and how attacks can be seen in this model. In the next video, we'll review how each one of these corners of the model works and the challenges that come with an implementation of this model.
That's all for today, guys. Let's catch up in the next video.