63 lines
1.3 KiB
Markdown
63 lines
1.3 KiB
Markdown
|
# Diamond Model
|
||
|
|
|
||
|
|
* [Socinvestigation's article](https://www.socinvestigation.com/threat-intelligence-diamond-model-of-intrusion-analysis/)
|
||
|
|
|
||
|
|
## Adversary
|
||
|
|
|
||
|
|
Any actor utilizing capability against the victim to achieve a goal
|
||
|
|
|
||
|
|
## Capability
|
||
|
|
|
||
|
|
Describes TTPs used in the attack. Every capability has a capacity. Adversary Arsenal is the overall capacity of an attacker's capabilities.
|
||
|
|
|
||
|
|
## Infrastructure
|
||
|
|
|
||
|
|
Physical and logical communication structures the attacker uses to deliver a capability, C2, exfiltration.
|
||
|
|
|
||
|
|
* Type 1: Belongs to the adversary
|
||
|
|
* Type 2: Is used by the adversary as a proxy from which the attack is send
|
||
|
|
* Other Service Providers: Any service used to reach the goal of an adversary
|
||
|
|
|
||
|
|
## Victim
|
||
|
|
|
||
|
|
The target the adversary exploits. May be a person or a technical system.
|
||
|
|
|
||
|
|
## Meta Features
|
||
|
|
|
||
|
|
### Timestamp
|
||
|
|
|
||
|
|
* Events are logged with timestamps
|
||
|
|
|
||
|
|
### Phase
|
||
|
|
|
||
|
|
Events happen in succession of multiple steps.
|
||
|
|
|
||
|
|
### Result
|
||
|
|
|
||
|
|
Approximate or full goal of the adversary.
|
||
|
|
|
||
|
|
### Methodology
|
||
|
|
|
||
|
|
Malicious activities are categorized to differentiate the methods of attack
|
||
|
|
|
||
|
|
### Resources
|
||
|
|
|
||
|
|
All supporting elements an event depends on.
|
||
|
|
* Software
|
||
|
|
* Hardware
|
||
|
|
* Funds
|
||
|
|
* Facilities
|
||
|
|
* Access
|
||
|
|
* Knowledge
|
||
|
|
* Information
|
||
|
|
|
||
|
|
### Technology and Direction
|
||
|
|
|
||
|
|
Connects infrastructure and capabilities.
|
||
|
|
|
||
|
|
### Socio-Political
|
||
|
|
|
||
|
|
An existing relationshiop between the adversary and the victim
|
||
|
|
|
||
|
|
|