Many confuse the purpose of the Diamond Model. Most believe the Diamond Model exists for analysts, but that is an ancillary benefit. Instead, think of the Diamond Model like a model airplane used to study the principles of aerodynamics. It is not an exact copy but rather a good approximation of the full-scale airplane being studied. The model exposes elements to test and study in a controlled environment, improving the performance of the plane in an operational environment. The Diamond Model does the same, except for cyber threat analysis.
When describing the Diamond Model to others, I usually start with, “we didn’t create the Diamond Model, we simply expressed some fundamental elements which always existed.” Surprisingly, I learned while writing the Diamond Model how exposing this fundamental nature improved cyber threat intelligence.
The Diamond Model captures this fundamental nature about threats in seven axioms and one corollary. This post will highlight those axioms.
For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.
What it means: every malicious event contains four necessary elements: an adversary, a victim, a capability, and infrastructure. Using this fundamental nature we can create analytic and detective strategies for finding, following, and mitigating malicious activity.
There exists a set of adversaries (insiders, outsiders, individuals, groups, and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.
What it means: there are bad actors working to compromise computers and networks – and they do it for a reason. Understanding the intent of an adversary helps develop analytic and detective strategies that lead to more effective mitigation. For example, if we know that an adversary is driven by financial data, maybe we should focus our efforts on the assets that control and hold financial data rather than elsewhere.
Every system, and by extension every victim asset, has vulnerabilities and exposures.
What it means: vulnerabilities and exposures exist in every computer and every network. We must assume assets can (and will) be breached – others express this notion as “assume breach.”
Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result.
What it means: malicious activity takes place in multiple steps (at least two), and each step must be successful for the next to be successful. One popular implementation of this axiom is the Kill Chain. But the Kill Chain was not the first to express this notion – another popular phase-based expression is from the classic, Hacking Exposed.
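The first and fourth axioms together describe a data model: each event is a tuple of adversary, capability, infrastructure and victim, and events belonging to one adversary-victim pair line up as ordered phases. The following is an added example, not code from the original post or from the Diamond Model authors, showing how an analyst might represent events that way and use the structure for two analytic strategies the post alludes to: pivoting on a shared feature (here, infrastructure) to link otherwise separate victims, and walking a thread of events to see where the phase chain was broken. The phase names, adversary labels, hostnames and the 198.51.100.7 address are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Phase names are an assumption of this example: Axiom 4 only requires two or
# more ordered phases, so any kill-chain style sequence would serve here.
PHASES = ["reconnaissance", "delivery", "exploitation", "installation", "c2", "action"]
PHASE_INDEX = {name: i for i, name in enumerate(PHASES)}


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: Axiom 1's four core features, plus the phase,
    time and observed result that let events be chained into activity."""
    adversary: str        # "unattributed" when the defender has not yet named one
    capability: str
    infrastructure: str
    victim: str
    phase: str
    timestamp: datetime
    result: str           # "success" or "failure" as observed by the defender


# Constructed sample events for this example; the hostnames and the
# 198.51.100.7 address come from documentation ranges, not a real incident.
SAMPLE_EVENTS = [
    DiamondEvent("ADV-A", "port scanner", "198.51.100.7", "finance-ws-01",
                 "reconnaissance", datetime(2024, 1, 2, 9, 0), "success"),
    DiamondEvent("ADV-A", "phishing document", "mail-relay.example.net", "finance-ws-01",
                 "delivery", datetime(2024, 1, 3, 10, 15), "success"),
    DiamondEvent("ADV-A", "macro dropper", "mail-relay.example.net", "finance-ws-01",
                 "exploitation", datetime(2024, 1, 3, 10, 16), "success"),
    DiamondEvent("ADV-A", "implant installer", "198.51.100.7", "finance-ws-01",
                 "installation", datetime(2024, 1, 3, 10, 17), "failure"),  # blocked by EDR
    # A second victim touched from the same infrastructure but not yet attributed.
    DiamondEvent("unattributed", "phishing document", "mail-relay.example.net", "hr-ws-02",
                 "delivery", datetime(2024, 1, 4, 8, 30), "success"),
    DiamondEvent("unattributed", "port scanner", "198.51.100.7", "hr-ws-02",
                 "reconnaissance", datetime(2024, 1, 1, 22, 5), "success"),
]


def pivot(events, feature, value):
    """Axiom 1 in practice: select events sharing one feature value and return
    the (adversary, victim) pairs they connect. Shared infrastructure across
    otherwise unrelated victims is a common hint of a common adversary."""
    return {(e.adversary, e.victim) for e in events if getattr(e, feature) == value}


def activity_threads(events):
    """Group events into adversary-victim threads, each ordered by time."""
    threads = defaultdict(list)
    for e in events:
        threads[(e.adversary, e.victim)].append(e)
    return {k: sorted(v, key=lambda e: e.timestamp) for k, v in threads.items()}


def chain_progress(thread):
    """Axiom 4: phases must succeed in succession. Walk the thread in time
    order and report the deepest phase that succeeded and the phase at which
    the chain was broken (None if it was never broken)."""
    last_ok = None
    for e in thread:
        if e.result != "success":
            return last_ok, e.phase
        if last_ok is None or PHASE_INDEX[e.phase] > PHASE_INDEX[last_ok]:
            last_ok = e.phase
    return last_ok, None


if __name__ == "__main__":
    for pair, thread in activity_threads(SAMPLE_EVENTS).items():
        print(pair, chain_progress(thread))
    print(pivot(SAMPLE_EVENTS, "infrastructure", "198.51.100.7"))
```

Running it shows the ADV-A thread stopped at installation, so the later phases never had to be detected for the intrusion to fail, while the pivot on 198.51.100.7 ties the unattributed hr-ws-02 activity to the same infrastructure, which is the kind of lead the model is meant to surface.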
Every intrusion event requires one or more external resources to be satisfied prior to success.
What it means: adversaries don’t exist in a vacuum; they require facilities, network connectivity, access to the victim, software, hardware, and so on. These resources can also be a point of vulnerability for the adversary when exploring mitigation options.
A relationship always exists between the Adversary and their Victim(s) even if distant, fleeting, or indirect.
What it means: exploitation and compromise take time and effort – adversaries don’t do it for no reason. An adversary targeted and compromised a victim for a reason – maybe the victim was vulnerable to a botnet port scan because the adversary looks to compromise resources to enlarge the botnet, maybe the victim owns very specific intellectual property of interest to the adversary’s business requirements. There is always a reason and a purpose.
There exists a sub-set of the set of adversaries which have the motivation, resources, and capabilities to sustain malicious effects for a significant length of time against one or more victims while resisting mitigation efforts. Adversary-Victim relationships in this sub-set are called persistent adversary relationships.
What it means: what we call “persistence” (such as in Advanced Persistent Threat) is really an expression of the victim-adversary relationship. Some adversaries need long-term access and sustained operations against a set of victims to achieve their intent. Importantly, just because an adversary is persistent against one victim doesn’t mean they will be against all victims! There is no universal “persistent” adversary. It depends entirely on each relationship at that time.
There exist varying degrees of adversary persistence predicated on the fundamentals of the Adversary-Victim relationship.
What it means: not all persistence is created equal. Some adversary-victim relationships are more persistent than others. Sometimes a victim will mitigate a years-long intrusion only to be compromised again by the same adversary that same week; at other times the adversary will never return.
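Because persistence is a property of each adversary-victim relationship rather than of the adversary, it has to be measured per pair. The following is an added example, not code from the original post, that summarises a constructed incident timeline per relationship: how long the relationship has lasted, how many times the adversary re-established access after a mitigation, and how quickly. The degree labels and their thresholds are assumptions of this example, not part of the Diamond Model, and the adversary and victim names and dates are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed relationship timeline for this example, not data from any real
# case: (adversary, victim, date, kind) where kind is "intrusion" or "mitigation".
TIMELINE = [
    ("ADV-A", "victim-1", date(2012, 1, 10), "intrusion"),
    ("ADV-A", "victim-1", date(2014, 3, 2), "mitigation"),
    ("ADV-A", "victim-1", date(2014, 3, 6), "intrusion"),    # back the same week
    ("ADV-A", "victim-2", date(2013, 5, 1), "intrusion"),
    ("ADV-A", "victim-2", date(2013, 5, 20), "mitigation"),  # never came back
    ("ADV-B", "victim-1", date(2015, 7, 1), "intrusion"),
]


def persistence_degree(span_days, returns):
    """Illustrative labels; the thresholds are assumptions of this example,
    not part of the Diamond Model."""
    if returns > 0:
        return "re-establishing"   # came back after being mitigated
    if span_days >= 180:
        return "sustained"         # long-running, not yet seen to return
    return "transient"


def relationship_summary(timeline):
    """Summarise each adversary-victim relationship: its span, how often the
    adversary returned after a mitigation, and the fastest such return."""
    by_pair = defaultdict(list)
    for adversary, victim, day, kind in timeline:
        by_pair[(adversary, victim)].append((day, kind))

    summary = {}
    for pair, events in by_pair.items():
        events.sort()
        returns = 0
        fastest_return = None
        pending_mitigation = None
        for day, kind in events:
            if kind == "mitigation":
                pending_mitigation = day
            elif pending_mitigation is not None:   # an intrusion after a mitigation
                returns += 1
                gap = (day - pending_mitigation).days
                fastest_return = gap if fastest_return is None else min(fastest_return, gap)
                pending_mitigation = None
        span_days = (events[-1][0] - events[0][0]).days
        summary[pair] = {
            "span_days": span_days,
            "returns_after_mitigation": returns,
            "fastest_return_days": fastest_return,
            "degree": persistence_degree(span_days, returns),
        }
    return summary


if __name__ == "__main__":
    for pair, stats in relationship_summary(TIMELINE).items():
        print(pair, stats)
```

The same adversary, ADV-A, comes out as re-establishing against victim-1 (back four days after a mitigation of a two-year intrusion) and transient against victim-2, which is exactly the point of the corollary: there is no single persistence rating for an adversary, only for each of its relationships.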