“The Diamond Model for Intrusion Analysis” is the product of years’ worth of research and development by expert security analysts working on some of the toughest cyber security problems. Informally, it is a cognitive model that presents a framework upon which to discover new activity, maximize analytic pivot opportunities, correlate and synthesize new information, and pursue the adversary over time. Formally, it is a mathematical framework allowing the application of game, graph, and clustering theory to improve analysis and decision making.
The Diamond Model for Intrusion Analysis was co-authored by ThreatConnect’s co-founder and EVP of Product Andy Pendergast. ThreatConnect’s overarching goal is to provide actionable intelligence to its users by mapping and tracking threat capability and infrastructure as it evolves to provide focused, high-confidence indicators and signatures for defense.
Data within ThreatConnect is characterized by the four vertices of “The Diamond Model for Intrusion Analysis”: Infrastructure, Capability, Adversary, and Victim. These vertices are applied across both Incidents (events) and Threats (attribution-based activity groups). This provides ThreatConnect a common way of looking at relationships across data within the system. As you provide threat data, the system can make connections between diamond vertices and events to form a lattice of related threat information. Over time the model provides insight into adversary intent by assessing their targeting tactics and actions during incidents.
User input is just a seed in ThreatConnect: we leverage the analytic pivoting techniques defined by the Diamond Model to track and correlate new and related indicators. We are constantly adding to the types of data and pivots we make in our Threat Inference Engine (TIE).
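As an added illustration (not ThreatConnect code, and not how TIE is implemented), the sketch below represents each event by its four Diamond vertices, indexes them into a lattice, and pivots from one seed indicator across shared vertices to surface related events and candidate adversaries; the event names, addresses and group labels are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# The four Diamond Model vertices every event is characterized by.
VERTICES = ("adversary", "capability", "infrastructure", "victim")
Key = Tuple[str, str]  # (vertex name, observed value)

@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: Optional[str]  # often unknown at first; attribution is the goal
    capability: str
    infrastructure: str
    victim: str

    def keys(self) -> Set[Key]:
        return {(v, getattr(self, v)) for v in VERTICES if getattr(self, v)}

def build_lattice(events: Iterable[DiamondEvent]) -> Dict[Key, Set[str]]:
    """Index events by vertex value so that a pivot is a dictionary lookup."""
    index: Dict[Key, Set[str]] = {}
    for e in events:
        for key in e.keys():
            index.setdefault(key, set()).add(e.event_id)
    return index

def pivot(events, seed: Key, max_hops: int = 2) -> Dict[str, int]:
    """Breadth-first pivot from one seed indicator across shared vertices.
    Returns reached event ids mapped to the number of pivots needed."""
    by_id = {e.event_id: e for e in events}
    index = build_lattice(events)
    hops = {eid: 0 for eid in index.get(seed, ())}
    queue = deque(hops)
    while queue:
        eid = queue.popleft()
        if hops[eid] >= max_hops:
            continue  # analyst-chosen limit on how far a chain may drift
        for key in by_id[eid].keys():
            for other in index.get(key, ()):
                if other not in hops:
                    hops[other] = hops[eid] + 1
                    queue.append(other)
    return hops

def candidate_adversaries(events, seed: Key, max_hops: int = 2) -> Dict[str, int]:
    """Named adversaries on reached events; the pivot distance is a rough
    confidence cue (fewer hops is stronger), not an attribution by itself."""
    by_id = {e.event_id: e for e in events}
    out: Dict[str, int] = {}
    for eid, h in pivot(events, seed, max_hops).items():
        adv = by_id[eid].adversary
        if adv is not None:
            out[adv] = min(h, out.get(adv, h))
    return out

# Constructed sample events (documentation-range addresses, invented names).
EVENTS = [
    DiamondEvent("evt-1", "GROUP-A", "loader.v1", "203.0.113.10", "acme-corp"),
    DiamondEvent("evt-2", None, "loader.v1", "198.51.100.7", "beta-inc"),
    DiamondEvent("evt-3", None, "stealer.v2", "198.51.100.7", "gamma-llc"),
    DiamondEvent("evt-4", "GROUP-B", "rat.v9", "192.0.2.44", "delta-co"),
]
```

Pivoting from the shared address reaches evt-2 and evt-3 directly and evt-1 through the shared capability, so GROUP-A surfaces at one hop while evt-4 stays unrelated.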
In ThreatConnect we leverage the Diamond Model’s strengths to:
- Provide contextual and relationship-rich indicators, including robust attributes for formulating and documenting courses of action and defensive strategies.
- Codify pivot opportunities across different but related indicator types into our platform.
- Enhance analytic accuracy by allowing community-defined confidence assessments of analytic conclusions.
- Act as a foundational data structure for future extension to emerging ontologies, taxonomies, and cyber threat sharing protocols.
This paper reviews how The Diamond Model breaks each cyber event into four vertices or nodes. These vertices represent an Adversary, Capability, Infrastructure, and Victim.