killchain-compendium/misc/Diamond Model.md

63 lines
1.3 KiB
Markdown

# Diamond Model
* [Socinvestigation's article](https://www.socinvestigation.com/threat-intelligence-diamond-model-of-intrusion-analysis/)
## Adversary
Any actor utilizing capability against the victim to achieve a goal
## Capability
Describes TTPs used in the attack. Every capability has a capacity. Adversary Arsenal is the overall capacity of an attacker's capabilities.
## Infrastructure
Physical and logical communication structures the attacker uses to deliver a capability, C2, exfiltration.
* Type 1: Belongs to the adversary
* Type 2: Is used by the adversary as a proxy from which the attack is send
* Other Service Providers: Any service used to reach the goal of an adversary
## Victim
The target the adversary exploits. May be a person or a technical system.
## Meta Features
### Timestamp
* Events are logged with timestamps
### Phase
Events happen in succession of multiple steps.
### Result
Approximate or full goal of the adversary.
### Methodology
Malicious activities are categorized to differentiate the methods of attack
### Resources
All supporting elements an event depends on.
* Software
* Hardware
* Funds
* Facilities
* Access
* Knowledge
* Information
### Technology and Direction
Connects infrastructure and capabilities.
### Socio-Political
An existing relationshiop between the adversary and the victim