Diamond Model

misc/Diamond Model.md

@@ -0,0 +1,62 @@
+# Diamond Model
+
+* [Socinvestigation's article](https://www.socinvestigation.com/threat-intelligence-diamond-model-of-intrusion-analysis/)
+
+## Adversary
+
+Any actor utilizing capability against the victim to achieve a goal
+
+## Capability
+
+Describes TTPs used in the attack. Every capability has a capacity. Adversary Arsenal is the overall capacity of an attacker's capabilities.
+
+## Infrastructure
+
+Physical and logical communication structures the attacker uses to deliver a capability, C2, exfiltration.
+
+* Type 1: Belongs to the adversary
+* Type 2: Is used by the adversary as a proxy from which the attack is send
+* Other Service Providers: Any service used to reach the goal of an adversary
+
+## Victim
+
+The target the adversary exploits. May be a person or a technical system.
+
+## Meta Features
+
+### Timestamp
+
+* Events are logged with timestamps
+
+### Phase
+
+Events happen in succession of multiple steps.
+
+### Result
+
+Approximate or full goal of the adversary.
+
+### Methodology 
+
+Malicious activities are categorized to differentiate the methods of attack
+
+### Resources
+
+All supporting elements an event depends on.
+* Software
+* Hardware
+* Funds
+* Facilities
+* Access
+* Knowledge
+* Information
+
+### Technology and Direction
+
+Connects infrastructure and capabilities.
+
+### Socio-Political
+
+An existing relationshiop between the adversary and the victim
+
+