Diamond Model

Adversary

Any actor that uses a capability against the victim to achieve a goal.

Capability

The TTPs used in the attack. Every capability has a capacity, and the adversary arsenal is the combined capacity of all of an attacker's capabilities.

Infrastructure

The physical and logical communication structures the attacker uses to deliver a capability, maintain command and control (C2), and exfiltrate data.

  • Type 1: Owned or controlled by the adversary
  • Type 2: Used by the adversary as a proxy from which the attack is sent
  • Other Service Providers: Any service the adversary uses to reach its goal

Victim

The target the adversary exploits. May be a person or a technical system.

Meta Features

Timestamp

  • Events are logged with timestamps

Phase

Events occur as a succession of steps; the phase records which step an event belongs to.

Result

Whether the adversary's goal was reached approximately (in part) or in full.

Methodology

Malicious activities are categorized so that different methods of attack can be told apart.

Resources

All supporting elements an event depends on.

  • Software
  • Hardware
  • Funds
  • Facilities
  • Access
  • Knowledge
  • Information

Technology and Direction

The technology axis connects the infrastructure and capability vertices.

Socio-Political

An existing relationship between the adversary and the victim.
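As an added example (not part of the compendium), the four core vertices and the meta-features above expressed as a small event record, together with the analytic use the model is built for: pivoting across a shared vertex (for example one C2 host) to connect an unnamed intrusion to a known adversary, and ordering a victim's events by phase into an activity thread. The sample events, host names and documentation-range addresses are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four core vertices plus the meta-features."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    timestamp: str        # ISO-8601 UTC, so it sorts correctly as text
    phase: int            # ordinal kill-chain step the event belongs to
    result: str           # "success", "failure" or "unknown"
    methodology: str      # category of malicious activity, e.g. "phishing"
    resources: tuple = () # supporting elements, e.g. ("software", "access")

def pivot(events, vertex, value):
    """Every event that shares `value` on the given vertex, e.g. all events
    touching one C2 host. Pivoting is how the model is used analytically."""
    return [e for e in events if getattr(e, vertex) == value]

def linked_vertices(events, from_vertex, value, to_vertex):
    """Values of `to_vertex` reachable from `value` on `from_vertex`, e.g.
    which adversaries and victims one piece of infrastructure connects."""
    return sorted({getattr(e, to_vertex) for e in pivot(events, from_vertex, value)})

def activity_threads(events):
    """Group events per victim and order them by phase, then timestamp,
    giving the adversary-victim activity thread for each target."""
    threads = defaultdict(list)
    for e in events:
        threads[e.victim].append(e)
    return {v: sorted(es, key=lambda e: (e.phase, e.timestamp)) for v, es in threads.items()}

# Constructed sample events using documentation address ranges; not real indicators.
SAMPLE = [
    DiamondEvent("unknown", "maldoc-loader", "203.0.113.10", "victim-A",
                 "2024-03-01T09:00:00Z", 1, "success", "phishing", ("software",)),
    DiamondEvent("unknown", "rat-v2", "c2.example.net", "victim-A",
                 "2024-03-01T09:20:00Z", 3, "success", "c2", ("software", "access")),
    DiamondEvent("actor-X", "rat-v2", "c2.example.net", "victim-B",
                 "2024-02-10T14:00:00Z", 3, "success", "c2", ("software", "access")),
    DiamondEvent("actor-X", "exfil-tool", "198.51.100.7", "victim-B",
                 "2024-02-11T02:00:00Z", 4, "unknown", "exfil", ("software", "information")),
]

if __name__ == "__main__":
    # The shared C2 host ties the "unknown" intrusion at victim-A to actor-X.
    print(linked_vertices(SAMPLE, "infrastructure", "c2.example.net", "adversary"))
```

The infrastructure pivot returns both `actor-X` and `unknown`, which is the hypothesis an analyst would then test against the capability and socio-political features rather than treat as attribution on its own.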