Diamond Model of Intrusion Analysis

Diamond Model Training Course


Dive deep with the Diamond Model's principal creator and learn how to improve your security analysis and security operations through the application of the Diamond Model.


Citation Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, Hanover, MD, Technical Report ADA586960, 05 July 2013.


What Is The Diamond Model?

The Diamond Model presents a novel concept of intrusion analysis built by analysts, derived from years of experience, asking the simple question, “What is the underlying method to our work?” The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim.

The Diamond Model of Intrusion Analysis. An event is shown illustrating the core features of every malicious activity: adversary, victim, capability, and infrastructure. The features are connected based on their underlying relationship.

These features are edge-connected, representing their underlying relationships, and arranged in the shape of a diamond, which gives the model its name: the Diamond Model.

The model further defines additional meta-features to support higher-level constructs, such as linking events together into activity threads and further coalescing events and threads into activity groups.

These elements (the event, the thread, and the group) together form a foundational and comprehensive model of intrusion activity built around analytic processes. It captures the essential concepts of intrusion analysis and adversary operations while leaving the model flexible enough to expand and encompass new ideas and concepts.

The model establishes, for the first time, a formal method applying scientific principles to intrusion analysis – particularly those of measurement, testability, and repeatability – providing a comprehensive method of activity documentation, synthesis, and correlation.

This scientific approach and simplicity produce improvements in analytic effectiveness, efficiency, and accuracy. Ultimately, the model provides opportunities to integrate intelligence in real time for network defense, automating correlation across events, classifying events with confidence into adversary campaigns, and forecasting adversary operations while planning and gaming mitigation strategies.
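As an added illustration (not code from the page or the whitepaper), the following Python sketch models a Diamond event with its four core features and two meta-features (timestamp and phase), orders events into per-victim activity threads, and coalesces events into activity groups by shared infrastructure or capability. The event values are constructed sample data, and the linking rule (transitive sharing of infrastructure or capability, via union-find) is a simplifying assumption rather than the paper's full grouping method.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond event: the four core features plus two meta-features used for linking."""
    adversary: str
    infrastructure: str
    capability: str
    victim: str
    timestamp: int  # meta-feature: orders events within an activity thread
    phase: str      # meta-feature: the kill-chain phase the event belongs to

def activity_threads(events):
    """Activity threads: the events against one victim, ordered by time."""
    threads = defaultdict(list)
    for e in sorted(events, key=lambda e: e.timestamp):
        threads[e.victim].append(e)
    return dict(threads)

def activity_groups(events, link_on=("infrastructure", "capability")):
    """Activity groups: coalesce events that share infrastructure or capability, transitively (union-find)."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen = {}  # (feature, value) -> index of the first event carrying that value
    for i, e in enumerate(events):
        for feat in link_on:
            key = (feat, getattr(e, feat))
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])  # pivot on a shared feature value
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, e in enumerate(events):
        groups[find(i)].append(e)
    return sorted(groups.values(), key=lambda g: min(x.timestamp for x in g))

# Constructed sample events; the adversary is unknown, as is typical early in an analysis.
SAMPLE_EVENTS = [
    DiamondEvent("unknown", "203.0.113.10", "phish-doc-v1", "victim-A", 1, "delivery"),
    DiamondEvent("unknown", "203.0.113.10", "loader-x", "victim-A", 2, "installation"),
    DiamondEvent("unknown", "198.51.100.7", "loader-x", "victim-B", 3, "installation"),
    DiamondEvent("unknown", "192.0.2.99", "rat-y", "victim-C", 4, "command-and-control"),
]
```

On the sample data, the first two events share infrastructure and the second and third share a capability, so they coalesce into one group while the fourth event stands alone.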

Diamond Model Benefits

  • Enables contextual and relationship-rich indicators improving cyber threat intelligence sharing and increasing the range of applicability of indicators
  • Integrates information assurance and cyber threat intelligence through activity-attack graphs
  • Improves analytic efficiency and effectiveness through easier identification of pivot opportunities and a simple conceptual method to generate new analytic questions
  • Enhances analytic accuracy by enabling hypothesis generation, documentation, and testing, thereby applying more rigor to the analytic process
  • Supports course of action development, planning/gaming, and mitigation strategies by integrating easily with almost any planning framework
  • Strengthens cyber analysis tradecraft development by formalizing first principles upon which new concepts can be explored
  • Identifies intelligence gaps through a phase-based approach and the inclusion of external resource requirements as a fundamental meta-feature
  • Supports real-time event characterization by mapping the analytic process to well-understood classification and intrusion detection research
  • Establishes the basis of cyber activity ontologies, taxonomies, cyber threat intelligence sharing protocols, and knowledge management