Time: 4 hours
Difficulty: Beginner
CEU/CPE: 4

Video Transcription

00:00
Hello, guys, and welcome back to the Cyber Threat Intelligence frameworks module. We're going to start where we left off, and that is with the Diamond Model.
00:09
In the last video, we were able to see and understand the diamond model capabilities and how they're supposed to be used.
00:16
The core concepts surrounding the model, and its great flexibility to hold information about attacks, attackers and so on.
00:24
In this episode, we will dive into detail with every part of the model and develop it further. This way we can understand what information should be considered and how it should be connected.
00:38
Okay, we're going to start with the adversary feature in the Diamond Model.
00:43
Sergio Caltagirone, in his Diamond Model, states that an adversary is the actor or organization responsible for utilizing a capability against the victim to achieve their intent.
00:56
Adversary knowledge is generally elusive, and this feature is likely to be empty for most events, at least at the time of discovery.
01:06
There exists a set of adversaries (insiders, outsiders, individuals, groups and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.
01:19
The majority of the time when analyzing the technical aspects of an event, we simply refer to the adversary operator as the adversary. However, the distinction between the adversary operator and customer is important to understand
01:34
intent, attribution, adaptability and persistence by helping to frame the relationship between an adversary and victim pair.
01:44
The adversary operator is the actual hacker or person conducting the intrusion activity.
01:49
The adversary customer stands to benefit from the activity conducted in the intrusion.
01:57
It may be the same as the adversary operator or it may be a separate person or group.
02:02
Now, a well-resourced adversary customer could at different times or simultaneously direct different operators, each with their own capabilities and infrastructure,
02:15
to a common victim, carrying out common or separate goals. To contrast, a lone adversary operator may have access to fewer capabilities and infrastructure points to carry out their activities while also lacking the ability to bypass simple mitigation.
02:31
Cognizance of the motivations and resourcing of an adversary operator and their customer, if it exists as a separate entity, will assist in measuring the true threat and risk to the victim, resulting in more effective mitigation.
02:47
The capability feature describes the tools and/or techniques of the adversary used in the event.
02:54
The flexibility of the model allows the capability to be described in sufficient fidelity.
03:00
We intend for capability to be broadly understood and include all means to affect the victim, from the most manual, unsophisticated methods to the most sophisticated automated techniques.
03:14
A common term that has been used several times through this course is command and control, or C2.
03:21
If you haven't looked for this term yet, it's time for me to explain it in this course.
03:25
Sergio Caltagirone defines command and control as the exercise of authority and direction over assets by a commander.
03:36
In intrusion analysis, this means the channels, communication structures, signals, protocols and content to or from the adversary intended to cause an effect, progressing the adversary towards achieving their goals.
03:51
While command and control can take many forms, it is ultimately determined by the capability in use.
03:58
In terms of analytic pivoting, the one we were reviewing in the last video, an analyst pivots over command and control, discovering communication between infrastructure and victims. Therefore, for the purposes of our model, command and control is best understood as a sub-feature of a capability.
04:17
The infrastructure feature describes the physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities and effect results from the victim.
04:31
As with the other features, the infrastructure can be as specific or broad as necessary. Examples include
04:39
Internet Protocol, or IP, addresses,
04:42
domain names, email addresses, Morse code flashes from a phone's voicemail light watched from across the street,
04:49
USB devices found in a parking lot and inserted into a workstation, or the compromising emanations from hardware being collected by a nearby listening post.
05:00
We find the following infrastructure roles
05:03
to be reasonable for most intrusion analysis purposes.
05:09
There are three types of infrastructure. The first one is infrastructure Type 1, which is fully controlled or owned by the adversary, or to which they may be physically in proximity.
05:20
Then infrastructure Type 2, which is controlled by a witting or unwitting intermediary.
05:27
Typically, this is infrastructure the victim will see as the adversary.
05:31
It serves to obfuscate the origin and attribution of the activity.
05:35
Type 2 infrastructure includes zombie hosts, malware staging servers, malicious domain names, hop-through points, compromised email accounts and so on and so forth.
05:47
Service providers, which wittingly or unwittingly provide services critical for availability of adversary Type 1 and Type 2 infrastructure. These will be the definition of our Type 3 infrastructure: our service providers.
06:03
Now, Sergio Caltagirone, in his paper, gives a very interesting approach when defining a victim. They state that a victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used.
06:19
As with the other features, a victim can be described in whichever way necessary and appropriate: an organization, a person, a target email address, an IP address, a domain, etcetera. However, it is useful to define the victim persona and their assets separately, as they serve different analytic functions.
06:40
The victim persona are useful in non-technical analysis, such as cyber victimology and social-political centered approaches, whereas victim assets are associated with common technical approaches, such as vulnerability analysis.
06:59
Victim persona are the people and organizations being targeted whose assets are being exploited and attacked. These include organization names, people's names, industries, job roles, interests, etcetera.
07:12
Victim assets are the attack surface and consist of the set of networks, systems, hosts, email addresses, IP addresses, social networking accounts, etcetera,
07:24
against which the adversary directs their capabilities. Victim assets often exist both inside and outside a persona's control and visibility but are still available for targeting by an adversary.
07:38
Common examples of these include webmail accounts and cloud-based data storage. A victim asset can be the end target in one event and then leveraged as infrastructure in further events, likely Type 2 infrastructure. In this way, one must always beware that the
07:57
apparent target of activity may not necessarily be the victim.
08:03
Adversary capabilities exploit the vulnerabilities and exposures defined by the principle that every system, and by extension every victim asset, has vulnerabilities and exposures,
08:15
to fulfill their intent. The Diamond Model's flexibility allows these to be defined as a sub-feature of the victim.
08:22
This could be described as broadly as lack of user education, causing email-borne hyperlinks to be clicked, or as specific as a CVE, to fit the communication requirements of the event.
08:35
Victim susceptibilities is the set of vulnerabilities and exposures of a victim susceptible to exploitation. In the Diamond Model, the list of victim susceptibilities is easily expressed as a sub-tuple of the victim.
08:50
This information is valuable when compared to capability capacity and adversary arsenal to determine mitigation options.
09:01
Now, Recorded Future makes a great annotation on the challenges with the Diamond Model. The downside is that Diamond Models require a lot of care and feeding. Some aspects of the model, especially infrastructure, change rapidly. If you don't update the diamond of an attacker constantly,
09:18
You run the risk of working with outdated information.
09:22
A nice way to avoid this is to timestamp every update of a Diamond Model so everybody has visibility into the age of information.
09:31
If the organization doesn't have the time and resources to manage this type of model themselves, they may be able to get updated information from a third-party cyber threat intelligence provider. Even with these challenges, though, the Diamond Model can make the jobs of many security people easier by helping get everyone fast
09:50
answers about threats.
09:54
Now that we have studied two frameworks, we can remark their benefits and challenges. Each one has unanswered questions, like:
10:03
How different is the Cyber Kill Chain from the Diamond Model? What capabilities are in place that differentiate both of them?
10:11
Also, what benefits can we obtain from the Diamond Model that the Cyber Kill Chain can provide?
10:18
And how can both of them be seen working together? This question will have you asked the information in a better way, since identifying this aspect is crucial to understand how an implementation would go.
10:31
And looking forward, in the next video we will be covering the last model discussed as a part of this module, and that is the MITRE ATT&CK framework. This framework can be one of the more complex or maybe overwhelming, since it has a lot of categories to choose from when defining an attacker behavior. So
10:52
be prepared.
10:54
I'll be waiting for you in the next video.

Up Next

Intro to Cyber Threat Intelligence

This Cyber Threat Intelligence training introduction series will cover the main definitions and concepts related to the CTI world. It will also explain the units and organization's areas that will interact with the CTI processes.

Instructed By

Melinton Navas
Threat Intelligence Manager
Instructor