The Diamond Model of Intrusion Analysis

OSINT

What is OSINT?

OSINT means Open-Source Intelligence: intelligence produced from publicly available sources, using a set of tools that are available to everyone, everywhere.

OSINT is used in many different areas such as:

  • Cyber Threat Intelligence
  • Human Intelligence
  • Political Intelligence
  • Investigative journalism
  • And others.

OSINT allows you to collect any type of publicly available data and analyze it. The OSINT cycle is:

  • Data collection
  • Data Analysis
  • Report (Documentation and Recommendations)

The content of an OSINT report depends on the area in which OSINT is applied. In Cyber Threat Intelligence, for example (see the osintafrica post "Why do we need a Cyber Threat Intelligence?"), the report can be written following one of the models Cyber Kill Chain or The Diamond Model of Intrusion Analysis; more details about these models can be found in the osintafrica post "Three attack frameworks that Cyber Security members should know".

OSINT framework tools are available and easy to find online. Some of them are:

  • OSINT Framework
  • Tools - Start.me
  • My OSINT Training's Tools

Advantages of using OSINT:

OSINT has many advantages: many applications are free and accessible online, and the data is available from anywhere. The most important advantages for us are the following:

  • Threat detection
  • Vulnerability identification
  • Information lookup
  • Data breach identification

Anything that has advantages has inconveniences as well, and OSINT is no exception.

OSINT Inconveniences:

  • Data can be queried by anyone online.
  • PII is accessible online.
  • Vulnerabilities and threats are identifiable online.
  • Breached data is accessible on different platforms (Dark Web, hacking forums, OSINT tools and others).
  • OSINT tools can themselves be attack vectors.

Privacy concerns around OSINT are quite similar to GDPR regulatory requirements: collect only information related to your investigation, have authorization to collect the data (PII or IP), and so on.

OSINT is very useful and, as said before, the tools are available for anyone to use. You can start by looking up information about yourself. Do not forget the privacy obligations that apply to OSINT.


Three attack frameworks that Cyber Security members should know

Almost every day you may hear in the news that a company was hacked and its data leaked.

Most attacks happen unnoticed (in "passive mode"), which means that the companies are not aware of the attack while it is taking place. One of the most efficient ways to detect and respond to cyber threats is to implement detection and response measures.

The three frameworks described below will help you detect and respond to any threat against your organization.

  1. Cyber Kill Chain

This framework helps the organization identify the steps attackers follow to perform an attack.

The framework was developed by Lockheed Martin as part of its Intelligence Driven Defense model for the identification and prevention of cyber intrusion activity.

Cyber Kill Chain® | Lockheed Martin

The framework is divided into 7 steps:

  • Reconnaissance: Finding any weakness that can be used to target the organization (vulnerabilities, looking for details about the target over the network, or gathering information about the target).
  • Weaponization: After gathering information about the target and finding a weakness, the threat actor tries to leverage it by creating a malicious file or program that will be sent to the target.
  • Delivery: Sending the malicious file or program to the target (phishing, drive-by download).
  • Exploitation: At this stage the threat actor exploits the vulnerability.
  • Installation: The threat actor tries to install malicious software in order to gain high-level privileges.
  • Command & Control: Establishing communication with the target's system.
  • Actions on objectives: The threat actor meets his objective (data exfiltration) by exfiltrating

  2. MITRE ATT&CK

MITRE ATT&CK is a knowledge base that helps different actors find out the tactics and techniques used by adversaries to compromise a system. The framework can be used by anyone free of charge. It contains information about mitigation steps to detect anomalies and protect the infrastructure and any system that might be infected (Enterprise, Mobile, ICS).

MITRE ATT&CK

MITRE ATT&CK is divided into 14 phases (tactics) that group the techniques used by the threat actor:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact
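
Both frameworks above are most useful when detections are projected onto them, so that an analyst can see how far an intrusion progressed (Kill Chain) and which tactics were observed or left uncovered (ATT&CK). The following is an added example, not code from the original post, from Lockheed Martin or from MITRE: it maps constructed alert lines (the detection names, hostnames and timestamps are invented for illustration) onto Kill Chain phases and ATT&CK tactics and summarizes the result. The ATT&CK technique IDs and tactic names used in the mapping are real entries from the Enterprise matrix; the choice of which Kill Chain phase each technique belongs to is an analyst judgement, not something either framework prescribes.

```python
"""Map alerts onto Cyber Kill Chain phases and MITRE ATT&CK tactics.

Added example, not code from the original post, Lockheed Martin or MITRE.
Alert log lines and detection names are constructed; the ATT&CK technique
IDs and tactic names are real entries from the Enterprise matrix.
"""
from dataclasses import dataclass
from typing import Dict, List

# The 7 Cyber Kill Chain phases in order (position = how far the intrusion got).
KILL_CHAIN: List[str] = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on objectives",
]

# The 14 ATT&CK Enterprise tactics listed in the post, in matrix order.
ATTACK_TACTICS: List[str] = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Mapping:
    technique_id: str   # real ATT&CK technique ID
    tactic: str         # ATT&CK tactic the technique serves
    kill_chain: str     # nearest Cyber Kill Chain phase (analyst judgement)


# Detection names (left) are constructed; technique/tactic pairs are real ATT&CK entries.
DETECTION_MAP: Dict[str, Mapping] = {
    "phishing_attachment": Mapping("T1566", "Initial Access", "Delivery"),
    "macro_spawned_shell": Mapping("T1059", "Execution", "Exploitation"),
    "run_key_added": Mapping("T1547", "Persistence", "Installation"),
    "beacon_https": Mapping("T1071", "Command and Control", "Command & Control"),
    "lsass_memory_read": Mapping("T1003", "Credential Access", "Actions on objectives"),
    "large_upload_to_c2": Mapping("T1041", "Exfiltration", "Actions on objectives"),
}


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    detection: str


def parse_alert(line: str) -> Alert:
    """Parse a constructed 'TIMESTAMP key=value ...' alert line."""
    ts, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    return Alert(ts=ts, host=fields["host"], detection=fields["det"])


def summarize(alerts: List[Alert]) -> dict:
    """Project alerts onto both frameworks and report progression and coverage gaps."""
    phases, tactics, techniques, unmapped = set(), set(), set(), []
    for a in alerts:
        m = DETECTION_MAP.get(a.detection)
        if m is None:
            unmapped.append(a.detection)   # detection nobody has mapped yet: a triage gap
            continue
        phases.add(m.kill_chain)
        tactics.add(m.tactic)
        techniques.add(m.technique_id)
    # Order by framework position so the report reads like the intrusion timeline.
    ordered_phases = [p for p in KILL_CHAIN if p in phases]
    ordered_tactics = [t for t in ATTACK_TACTICS if t in tactics]
    return {
        "kill_chain_phases": ordered_phases,
        "furthest_phase": ordered_phases[-1] if ordered_phases else None,
        "tactics": ordered_tactics,
        "techniques": sorted(techniques),
        "tactics_not_observed": [t for t in ATTACK_TACTICS if t not in tactics],
        "unmapped_detections": unmapped,
    }


# Constructed alert lines standing in for EDR/SIEM output during one incident.
SAMPLE_ALERTS = [
    "2024-05-02T09:14:03Z host=ws-17 det=phishing_attachment",
    "2024-05-02T09:15:40Z host=ws-17 det=macro_spawned_shell",
    "2024-05-02T09:16:02Z host=ws-17 det=run_key_added",
    "2024-05-02T09:20:11Z host=ws-17 det=beacon_https",
    "2024-05-02T09:21:55Z host=ws-17 det=usb_device_inserted",
]


def run_sample() -> dict:
    return summarize([parse_alert(line) for line in SAMPLE_ALERTS])


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Two outputs matter for the response: `furthest_phase` tells the responder the intrusion had reached Command & Control but no exfiltration had yet been seen, and `tactics_not_observed` plus `unmapped_detections` show where detection coverage or analyst mapping is still missing.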

  3. The Diamond Model of Intrusion Analysis

The model consists of 4 core features, linked by two meta-features, that help you identify how an intrusion can occur in the infrastructure.

The model helps to find the "who", "what", "when", "where", "why" and "how" of an attack, in order to detect and mitigate the threat beforehand.

The features:

  • Adversary: The attacker or threat actor behind the attack.
  • Capabilities: The set of skills and tools in the possession of the threat actor.
  • Victim: The infrastructure, systems or individuals targeted by the threat actor.
  • Infrastructure: The software and hardware used by the threat actor to target the victim.
  • Social-political: The reason for the attack (financial, espionage, hacktivism).
  • Technology: How the threat actor operates and what technologies the adversary uses to operate and communicate.
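
The practical value of the Diamond Model is pivoting: once one feature of an event is known (say, the infrastructure a victim talked to), the analyst queries every other event sharing that feature and lets the known vertices fill in the unknown ones. The following is an added example, not code from the original post or from the Diamond Model's authors: it records constructed events with the four core features and the two meta-features named above, groups events that share infrastructure or capability into activity threads, and infers the adversary of an unattributed event from attributed events in its thread. All event data, adversary labels, hostnames, the domain and the IP address are constructed.

```python
"""Diamond Model events and analytic pivoting.

Added example, not code from the original post or from the Diamond Model's authors.
Every event, adversary label, hostname, domain and IP address below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    # The four core features; a vertex may still be unknown when the event is recorded.
    adversary: Optional[str]
    capability: str
    infrastructure: str
    victim: str
    # Meta-features from the post: the motive and the technology used to operate.
    social_political: Optional[str] = None
    technology: Optional[str] = None


def pivot(events: List[DiamondEvent], feature: str, value: str) -> List[DiamondEvent]:
    """Return every event sharing one feature value, e.g. all victims of one C2 domain."""
    return [e for e in events if getattr(e, feature) == value]


def activity_threads(events: List[DiamondEvent]) -> List[Set[str]]:
    """Group events linked by shared infrastructure or capability (union-find)."""
    parent: Dict[str, str] = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    # The first event seen with a given feature value anchors that value; later ones join it.
    anchor: Dict[Tuple[str, str], str] = {}
    for e in events:
        for key in (("infrastructure", e.infrastructure), ("capability", e.capability)):
            if key in anchor:
                union(e.event_id, anchor[key])
            else:
                anchor[key] = e.event_id

    threads: Dict[str, Set[str]] = {}
    for e in events:
        threads.setdefault(find(e.event_id), set()).add(e.event_id)
    return sorted(threads.values(), key=lambda s: min(s))


def attribute(events: List[DiamondEvent], event_id: str) -> Optional[str]:
    """Infer one event's adversary from attributed events in the same thread.

    Returns None for an unknown event, a thread with no attributed event, or a
    thread whose events name conflicting adversaries (ambiguity is not resolved).
    """
    index = {e.event_id: e for e in events}
    for thread in activity_threads(events):
        if event_id in thread:
            known = {index[i].adversary for i in thread if index[i].adversary}
            return known.pop() if len(known) == 1 else None
    return None


# Constructed events: two unrelated intrusions observed in one organisation.
SAMPLE_EVENTS = [
    DiamondEvent("E1", "ACTOR-A (constructed)", "macro-dropper", "cdn-updates.example",
                 "finance-ws-01", social_political="financial", technology="HTTPS beacon"),
    DiamondEvent("E2", None, "macro-dropper", "cdn-updates.example", "hr-ws-04"),
    DiamondEvent("E3", None, "credential-dumper", "cdn-updates.example", "hr-ws-04"),
    DiamondEvent("E4", "ACTOR-B (constructed)", "ransomware-loader", "203.0.113.7",
                 "ops-srv-02", social_political="financial", technology="SMB spread"),
]


def thread_ids() -> List[List[str]]:
    return [sorted(t) for t in activity_threads(SAMPLE_EVENTS)]


def victims_of(infrastructure: str) -> List[str]:
    return sorted({e.victim for e in pivot(SAMPLE_EVENTS, "infrastructure", infrastructure)})


if __name__ == "__main__":
    print("threads:", thread_ids())
    print("victims of cdn-updates.example:", victims_of("cdn-updates.example"))
    print("E2 attributed to:", attribute(SAMPLE_EVENTS, "E2"))
```

The attribution step deliberately refuses to answer when a thread contains conflicting adversaries: shared infrastructure is a strong pivot but not proof, and an analyst should record the ambiguity rather than let a script pick a side.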

In conclusion, the three frameworks described here are very useful for detecting and responding to different threats. Without referring to one of these frameworks it will be very difficult, almost impossible, to mitigate a threat within your environment. Using them is a step forward to being resilient against any attack.