Diamond Model
This commit is contained in:
parent
4c3b2c96c2
commit
6038b04162
|
|
@ -0,0 +1,62 @@
|
|||
# Diamond Model
|
||||
|
||||
* [Socinvestigation's article](https://www.socinvestigation.com/threat-intelligence-diamond-model-of-intrusion-analysis/)
|
||||
|
||||
## Adversary
|
||||
|
||||
Any actor utilizing capability against the victim to achieve a goal
|
||||
|
||||
## Capability
|
||||
|
||||
Describes TTPs used in the attack. Every capability has a capacity. Adversary Arsenal is the overall capacity of an attacker's capabilities.
|
||||
|
||||
## Infrastructure
|
||||
|
||||
Physical and logical communication structures the attacker uses to deliver a capability, C2, exfiltration.
|
||||
|
||||
* Type 1: Belongs to the adversary
|
||||
* Type 2: Is used by the adversary as a proxy from which the attack is send
|
||||
* Other Service Providers: Any service used to reach the goal of an adversary
|
||||
|
||||
## Victim
|
||||
|
||||
The target the adversary exploits. May be a person or a technical system.
|
||||
|
||||
## Meta Features
|
||||
|
||||
### Timestamp
|
||||
|
||||
* Events are logged with timestamps
|
||||
|
||||
### Phase
|
||||
|
||||
Events happen in succession of multiple steps.
|
||||
|
||||
### Result
|
||||
|
||||
Approximate or full goal of the adversary.
|
||||
|
||||
### Methodology
|
||||
|
||||
Malicious activities are categorized to differentiate the methods of attack
|
||||
|
||||
### Resources
|
||||
|
||||
All supporting elements an event depends on.
|
||||
* Software
|
||||
* Hardware
|
||||
* Funds
|
||||
* Facilities
|
||||
* Access
|
||||
* Knowledge
|
||||
* Information
|
||||
|
||||
### Technology and Direction
|
||||
|
||||
Connects infrastructure and capabilities.
|
||||
|
||||
### Socio-Political
|
||||
|
||||
An existing relationshiop between the adversary and the victim
|
||||
|
||||
|
||||
Loading…
Reference in New Issue