Operational Threat Intelligence - Diamond Model


Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Description

In this final video in Module 5 we discuss the Diamond Model. The model provides analysts with a simplified visualization of threats. We examine the four corners of the diamond, how the edges between them function, and the use of metadata. The four corners (vertices) of the Diamond Model are:

  • Adversary
  • Capability
  • Victim
  • Infrastructure

An example of this model in use is its application to malware. Malware discovered on a victim's machine (the Victim vertex) is examined to learn what it does (Capability); a domain or IP address found inside it may resolve to a command and control (C2) server (Infrastructure), which in turn may correlate to an adversary (Adversary). Searching proxy and firewall logs for the same C2 address may reveal multiple victims, an indication of a larger incident. Revealing the adversary is the hardest step, because a skilled adversary conceals its true source address behind proxy chains and spoofing, so the advantage there goes to the intruder. Threat actors operate in campaigns and come in several types with varying goals: cybercriminals, hacktivists, and state-sponsored hackers. Perhaps the most difficult adversary to detect is the privileged insider.
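The pivot the description above walks through (victim alert, capability, infrastructure, back to more victims) as an added example in Python; this is not code from the course page or from the Diamond Model authors. Every host name, hash, domain, IP address, proxy log line and reputation entry is constructed for illustration, and the reputation lookup is a hypothetical local dictionary standing in for the free or paid reputation services the video mentions.

```python
"""Diamond Model pivot: Victim -> Capability -> Infrastructure -> more Victims.

Added example, not course material. All hosts, the hash, the domain, the IPs,
the proxy log and the reputation table are constructed; REPUTATION is a
hypothetical local stand-in for an external reputation service.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set


@dataclass
class DiamondEvent:
    """One intrusion event: the four Diamond Model vertices plus metadata."""
    adversary: Optional[str] = None
    capability: Optional[str] = None
    infrastructure: Set[str] = field(default_factory=set)
    victims: Set[str] = field(default_factory=set)
    meta: Dict[str, str] = field(default_factory=dict)


# Step 1 (Victim): an antivirus alert on one workstation (constructed).
AV_ALERT = {"host": "ws-042", "family": "Dropper.Generic",
            "sha256": "9f2c3b1e5d7a0c4f8b6e2a1d3c5e7f9b0a2c4e6d8f1b3a5c7e9d0f2b4a6c8e0d"}

# Step 2 (Capability): strings pulled from the sample (constructed).
SAMPLE_STRINGS = ["kernel32.dll", "update.example-cdn.net",
                  "POST /gate.php", "%APPDATA%\\svc.exe"]

# Step 3 (Infrastructure): passive DNS answers and a reputation table (constructed).
PDNS = {"update.example-cdn.net": "203.0.113.45"}
REPUTATION = {"203.0.113.45": {"score": 92, "tags": ["c2", "Dropper.Generic"]}}

# Step 4 (back to Victim): proxy log, "ts client dst_ip dst_port method bytes" (constructed).
PROXY_LOG = """\
2024-05-01T10:01:02Z ws-042 203.0.113.45 443 CONNECT 1234
2024-05-01T10:02:10Z ws-017 198.51.100.7 443 CONNECT 2200
2024-05-01T10:03:44Z ws-101 203.0.113.45 443 CONNECT 1410
2024-05-01T10:05:01Z ws-042 203.0.113.45 443 CONNECT 1301
2024-05-01T10:07:19Z srv-db01 203.0.113.45 8443 CONNECT 990
"""

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$")
NOT_DOMAINS = (".dll", ".exe", ".sys", ".php", ".dat")  # dotted file names, not DNS names


def extract_domains(strings: List[str]) -> List[str]:
    """Keep strings that look like DNS names; skip file names with dotted suffixes."""
    out = []
    for s in strings:
        s = s.strip().lower()
        if s.endswith(NOT_DOMAINS) or not DOMAIN_RE.match(s):
            continue
        out.append(s)
    return out


def parse_proxy_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per well-formed proxy log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield {"ts": parts[0], "host": parts[1], "dst_ip": parts[2], "dst_port": parts[3]}


def pivot(alert, strings, pdns, reputation, proxy_log) -> DiamondEvent:
    """Walk the diamond edges from one alert and return the populated event."""
    ev = DiamondEvent(capability=alert["family"], victims={alert["host"]},
                      meta={"sha256": alert["sha256"], "first_seen_host": alert["host"]})
    # Capability -> Infrastructure: domains in the sample, then what they resolve to.
    for domain in extract_domains(strings):
        ev.infrastructure.add(domain)
        ip = pdns.get(domain)
        if ip is None:
            continue
        ev.infrastructure.add(ip)
        rep = reputation.get(ip)
        if rep and "c2" in rep["tags"]:
            ev.meta["known_c2"] = ip
            ev.meta["c2_score"] = str(rep["score"])
    # Infrastructure -> Victim: every other host talking to a known C2 is a victim too.
    c2_ips = {ip for ip in ev.infrastructure
              if "c2" in reputation.get(ip, {}).get("tags", [])}
    for rec in parse_proxy_log(proxy_log):
        if rec["dst_ip"] in c2_ips:
            ev.victims.add(rec["host"])
    # Metadata the analyst needs: scope decides whether this is a larger incident.
    ev.meta["scope"] = "multi-victim incident" if len(ev.victims) > 1 else "single host"
    # Step 5 (Adversary) stays open: proxy chains and spoofing mean the C2 IP
    # alone does not identify the operator, so nothing is asserted here.
    ev.adversary = None
    return ev


if __name__ == "__main__":
    event = pivot(AV_ALERT, SAMPLE_STRINGS, PDNS, REPUTATION, PROXY_LOG)
    print("capability     :", event.capability)
    print("infrastructure :", sorted(event.infrastructure))
    print("victims        :", sorted(event.victims))
    print("adversary      :", event.adversary or "unknown (needs external logs)")
    print("meta           :", event.meta)
```

The deliberate gap is the Adversary vertex: the script records the known C2 and the widened victim set but leaves attribution empty, which matches the point that tracing the real source address usually needs logs from other organizations and is the step where the intruder holds the advantage.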

Video Transcription
00:04
Now we see the diamond model
00:06
so you might be familiar with this.
00:08
This is a very simplified way to think about
00:12
intrusion analysis.
00:14
In this example that we have here.
00:16
The diamond has four corners:
00:19
the victim, the capability, the adversary and the infrastructure.
00:23
The trick is knowing how the edges of the diamond function. In a typical example, we also see on the left here some metadata information.
00:32
So even though you're gathering lots of data, you should also be thinking about
00:37
the extra details that describe that data.
00:41
For instance, in this example,
00:43
we can see in Step one that malware was discovered by a victim
00:47
or a victim's machine was doing some monitoring.
00:51
Intrusion detection, antivirus, what have you.
00:55
So we go from the victim edge to the capability
01:00
and your capability is
01:02
what is the malware actually doing?
01:03
What is it capable of?
01:06
Reverse engineering of malware is a very deep, separate topic altogether.
01:11
But we can say from a simplified example that this malware was examined and it contains a domain, perhaps a domain name
01:19
that relates to the attacker system or
01:23
maybe even a command and control server.
01:26
So we go from the capability back to our infrastructure to do some analysis on this information
01:33
and it turns out that this domain does resolve to a C2 IP address.
01:37
So this is a known command and control server that was maybe identified from some previous monitoring,
01:42
and now we can do some correlation. There's new malware, but it's also trying to
01:48
communicate with a known existing C2 server.
01:52
Now, more correlation can be done between infrastructure, going along this edge back to the victim
01:59
to think about: okay, we've got proxies, we've got firewalls, we have IDPS.
02:04
Let's do some searching for these IP addresses and find out if there's more activity,
02:08
and ideally, or hopefully, you would discover
02:15
that there are more victims in the environment.
02:17
More systems are trying to communicate outbound
02:21
through your firewall through your proxy
02:23
to this C2 address,
02:25
and the C2 address could also be analyzed
02:29
on its own by running different types of tools to see what reputation score it has, to see if it's been associated with malware in the past.
02:38
There are lots of services that provide this kind of data,
02:42
for free sometimes, or for paying customers.
02:46
Once we know that
02:47
there are multiple victims, now this becomes a larger type of incident, and maybe more resources would be applied towards resolving it. That address will now be analyzed in the fifth step
03:00
in order to reveal the adversary.
03:02
Sometimes it can be a little bit tricky, of course, because any adversary that's well skilled in their craft
03:08
would not be using their computer directly on the Internet. They would be going through
03:14
a proxy chain or various anonymizers
03:17
to disguise their original IP address.
03:20
But with enough information and perhaps with the ability to
03:24
get logs from other organizations, you might be able to trace back to the original IP address anyway, if it's not been changed too many times.
03:34
This is the point where
03:37
the analysis of the intrusion really does become the most difficult: figuring out what is the real
03:42
source address of this information. Oftentimes it's very difficult to tell,
03:47
because this information is so easy to spoof and therefore the challenge
03:53
is great, and the advantage in this case goes to the intruder, not the defender.
03:58
So
03:59
thinking about this diamond idea and keeping in mind the metadata, we can start to have a mental picture of
04:06
what kind of information is required when an intrusion is detected.
04:11
And what should we do about it as we take each step in the analysis further and further along, to finally try to get to revealing the adversary information.
04:20
now, we could think a little bit about
04:23
threat actors
04:25
operating in a larger context
04:28
if the threat actor, for instance, is part of a group,
04:32
like hacktivists.
04:33
One of the best known hacktivist groups is the Anonymous group,
04:38
and
04:39
they are very loosely coupled,
04:42
individuals that are apparently all around the world.
04:46
They really don't appear to have a defined leader.
04:49
They sort of just work together as a group and sort of work things out on their own as far as who's going to do what.
04:58
That makes them very difficult to defend against because
05:02
you can't just, you know, take a typical approach and say, OK, we're going to
05:08
damage their leadership capability. Therefore the organization will fall apart. That may not happen with a group like this.
05:15
Cybercriminals, on the other hand, are somewhat similar,
05:17
but they're not necessarily hacking for an agenda. They're usually hacking because it's
05:21
a way to make money,
05:25
whether it's
05:27
hacking into ATM machines,
05:30
banking websites, credit card websites
05:33
trying to get keyloggers installed on victims' machines so they can steal passwords and credentials.
05:39
These are all very common things that your typical cybercriminal would attempt
05:43
in order to
05:44
line their pockets with someone else's money.
05:47
We also have to think about state-sponsored hacking:
05:50
countries like China, perhaps North Korea, Russia.
05:55
All these countries are occasionally in the news for
05:58
stories
05:59
that describe different types of hacking that's going on,
06:02
and this is a reality of the modern world we live in, that governments
06:08
hack each other looking for information that's useful to promote their own agendas.
06:13
And this is also serious, because national security secrets could be at stake, and that's
06:18
certainly more important than people just losing money from a bank account.
06:24
One of the most difficult things to defend against in this scenario would be the privileged insider:
06:30
people that have access. They may already have security clearance and they've got the ability to get into systems and information that
06:39
would be very difficult to do if they were coming from the outside.
06:44
Plus, as an insider, they're aware,
06:46
perhaps,
06:47
of security controls that might be preventing their access. They might be in charge of those security controls since they are privileged.
06:57
So this opens up a really big Pandora's box of problems
07:02
because now you've got people that are trusted. Perhaps they've got clearances. As I said, they might be high up in an organization, but yet they have a hidden agenda to work for a competitor or work for another government.
07:15
Or maybe they just want to steal information and sell it.
07:17
And
07:19
the ways to detect people like this
07:20
are varied and change
07:26
occasionally, but we think about things like job rotation,
07:29
having a separation of duties, dual control and so on.
07:33
This makes it difficult for one single individual to successfully
07:39
accomplish a complicated hack by themselves
07:42
if they've got to involve other people. If they have to collude
07:45
now the chances of detection will go up, because if two people are working on an internal hack,
07:53
there's double the chance that someone's gonna make a mistake or say something or reveal themselves.
07:58
If you've got three people involved, then you triple the odds. And so
08:01
the advantage starts to slip away the more people are involved.
08:07
In any case, I hope this gives a nice overview of what operational threat intelligence looks like and some of the considerations that you have to think about as an analyst.
08:16
Thank you, I'll see you in the next module.