# Diamond Model

* [Socinvestigation's article](https://www.socinvestigation.com/threat-intelligence-diamond-model-of-intrusion-analysis/)

## Adversary

Any actor using a capability against the victim to achieve a goal.

## Capability

The TTPs (tactics, techniques and procedures) used in the attack. Every capability has a capacity, and the adversary arsenal is the combined capacity of all of an attacker's capabilities.

## Infrastructure

Physical and logical communication structures the attacker uses to deliver a capability, maintain command and control (C2), and exfiltrate data.

* Type 1: Belongs to the adversary
* Type 2: Is used by the adversary as a proxy from which the attack is sent
* Other Service Providers: Any service used to reach the goal of an adversary

## Victim

The target the adversary exploits. May be a person or a technical system.

## Meta Features

### Timestamp

* Events are logged with timestamps

### Phase

Events occur as a succession of multiple steps; each event belongs to one phase of that sequence.

### Result

The outcome of the event: the adversary's goal was reached approximately or in full.

### Methodology 

Malicious activities are categorized to differentiate the methods of attack.

### Resources

All supporting elements an event depends on:

* Software
* Hardware
* Funds
* Facilities
* Access
* Knowledge
* Information

### Technology and Direction

Technology is what connects infrastructure and capabilities; direction is which way the event flows between them.

### Socio-Political

An existing relationship between the adversary and the victim.
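To show how the four core features and the meta features above fit together as a data model, here is an added example (not from the linked article or any Diamond Model tooling) that encodes a handful of constructed events, orders them into an activity thread by timestamp and phase, and pivots on a shared infrastructure node to link events across victims. The adversary name `ADV-EXAMPLE`, the victim names, the domains and the `203.0.113.10` address are placeholder sample values, and the enum values for infrastructure type and result follow the wording of this page rather than any standard.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import List


class InfraType(Enum):
    # Infrastructure section: Type 1, Type 2, other service providers
    TYPE1 = "belongs to the adversary"
    TYPE2 = "proxy used by the adversary"
    PROVIDER = "other service provider"


class Result(Enum):
    # Result meta feature: goal reached approximately or in full
    FULL = "full"
    APPROXIMATE = "approximate"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Infrastructure:
    identifier: str  # domain, IP or service name (constructed values below)
    kind: InfraType


@dataclass
class Event:
    # Four core features of the diamond
    adversary: str
    capability: str            # the TTP used
    infrastructure: Infrastructure
    victim: str
    # Meta features
    timestamp: datetime
    phase: str                 # step in the succession of events
    result: Result
    direction: str             # "infra->victim" or "victim->infra"
    methodology: str           # category of malicious activity
    resources: List[str] = field(default_factory=list)


# Constructed sample events, deliberately out of time order.
RELAY = Infrastructure("mail-relay.example.net", InfraType.TYPE2)
C2 = Infrastructure("203.0.113.10", InfraType.TYPE1)
PASTE = Infrastructure("paste.example.org", InfraType.PROVIDER)

SAMPLE_EVENTS = [
    Event("ADV-EXAMPLE", "HTTP beacon", C2, "victim-a",
          datetime(2024, 1, 10, 9, 30), "c2", Result.FULL,
          "victim->infra", "remote access", ["implant", "C2 server"]),
    Event("ADV-EXAMPLE", "spearphishing attachment", RELAY, "victim-a",
          datetime(2024, 1, 10, 9, 0), "delivery", Result.FULL,
          "infra->victim", "phishing", ["malicious document", "relay access"]),
    Event("unknown", "spearphishing attachment", RELAY, "victim-b",
          datetime(2024, 1, 12, 8, 15), "delivery", Result.UNKNOWN,
          "infra->victim", "phishing", ["malicious document"]),
    Event("ADV-EXAMPLE", "HTTPS upload", PASTE, "victim-a",
          datetime(2024, 1, 11, 2, 0), "exfiltration", Result.APPROXIMATE,
          "victim->infra", "data theft", ["paste account"]),
]


def activity_thread(events: List[Event], adversary: str, victim: str) -> List[Event]:
    """All events of one adversary against one victim, ordered by timestamp.

    Sorting by the timestamp meta feature reconstructs the phase sequence."""
    thread = [e for e in events if e.adversary == adversary and e.victim == victim]
    return sorted(thread, key=lambda e: e.timestamp)


def pivot_on_infrastructure(events: List[Event], identifier: str) -> List[Event]:
    """Analytic pivot: every event that touched the same infrastructure node,
    regardless of which adversary or victim the analyst attributed it to."""
    return [e for e in events if e.infrastructure.identifier == identifier]


def adversary_arsenal(events: List[Event], adversary: str) -> List[str]:
    """Distinct capabilities observed for an adversary (the arsenal from the
    Capability section)."""
    return sorted({e.capability for e in events if e.adversary == adversary})


if __name__ == "__main__":
    for e in activity_thread(SAMPLE_EVENTS, "ADV-EXAMPLE", "victim-a"):
        print(e.timestamp, e.phase, e.capability, e.infrastructure.identifier)
    linked = pivot_on_infrastructure(SAMPLE_EVENTS, RELAY.identifier)
    print("victims sharing the relay:", sorted({e.victim for e in linked}))
```

The pivot is where the model earns its keep for a defender: the `victim-b` event was recorded with an unknown adversary, but it shares the Type 2 relay with the `ADV-EXAMPLE` thread, which is exactly the kind of link an analyst would flag for attribution review.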