From 6038b04162e23fa37e16e9cc651c6c38ee45f468 Mon Sep 17 00:00:00 2001
From: whx <stefan@stefan.works>
Date: Wed, 5 Oct 2022 21:59:03 +0200
Subject: [PATCH] Diamond Model

---
 misc/Diamond Model.md | 62 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 misc/Diamond Model.md

diff --git a/misc/Diamond Model.md b/misc/Diamond Model.md
new file mode 100644
index 0000000..926f134
--- /dev/null
+++ b/misc/Diamond Model.md	
@@ -0,0 +1,62 @@
+# Diamond Model
+
+* [Socinvestigation's article](https://www.socinvestigation.com/threat-intelligence-diamond-model-of-intrusion-analysis/)
+
+## Adversary
+
+Any actor utilizing capability against the victim to achieve a goal
+
+## Capability
+
+Describes TTPs used in the attack. Every capability has a capacity. Adversary Arsenal is the overall capacity of an attacker's capabilities.
+
+## Infrastructure
+
+Physical and logical communication structures the attacker uses to deliver a capability, C2, exfiltration.
+
+* Type 1: Belongs to the adversary
+* Type 2: Is used by the adversary as a proxy from which the attack is send
+* Other Service Providers: Any service used to reach the goal of an adversary
+
+## Victim
+
+The target the adversary exploits. May be a person or a technical system.
+
+## Meta Features
+
+### Timestamp
+
+* Events are logged with timestamps
+
+### Phase
+
+Events happen in succession of multiple steps.
+
+### Result
+
+Approximate or full goal of the adversary.
+
+### Methodology 
+
+Malicious activities are categorized to differentiate the methods of attack
+
+### Resources
+
+All supporting elements an event depends on.
+* Software
+* Hardware
+* Funds
+* Facilities
+* Access
+* Knowledge
+* Information
+
+### Technology and Direction
+
+Connects infrastructure and capabilities.
+
+### Socio-Political
+
+An existing relationshiop between the adversary and the victim
+
+
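Review bot: Two spelling errors in the new file should be fixed before merge: "from which the attack is send" in the Type 2 bullet should read "is sent", and "An existing relationshiop between the adversary and the victim" under Socio-Political should read "relationship". Two smaller style points in the same hunk: the heading "### Methodology " carries trailing whitespace, and the Resources section runs its paragraph "All supporting elements an event depends on." straight into the "* Software" list with no blank line between them, which some Markdown renderers will fold into the paragraph; insert an empty line before the list. The two empty lines at the end of the file can also be trimmed to one. The Infrastructure sentence "to deliver a capability, C2, exfiltration" would read more clearly as "to deliver a capability, maintain command and control (C2), or exfiltrate data".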