Diamond Model
The Diamond Model of Intrusion Analysis is a framework for analyzing cyber intrusions and adversary activity. Developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, it provides a structured approach to understanding and characterizing cyber events. It moves beyond simple indicators of compromise (IOCs) to focus on the relationships between key elements of an intrusion.
The model proposes that every intrusion event can be represented as a "diamond" shape, composed of four core features and their relationships:
Adversary: This represents the threat actor behind the intrusion. It focuses on understanding who they are, their motivations (e.g., financial gain, espionage, hacktivism), capabilities (e.g., level of sophistication, resources), intent, and organizational structure. The adversary can be an individual, a criminal group, a nation-state, or an insider threat. Understanding the adversary helps in predicting their next moves and tailoring defensive strategies.
Capability: This refers to the tools and techniques the adversary uses to execute the intrusion. It encompasses the malware, exploits, custom scripts, and methodologies (e.g., social engineering, privilege escalation techniques) that the adversary employs. Note that C2 servers and phishing domains are not capabilities: in the model they belong to Infrastructure, the feature through which a capability is delivered. This aspect considers both the specific artifacts observed in an event and the broader set of methods and resources an adversary has at its disposal (the original paper calls this breadth the adversary's "arsenal").
Infrastructure: This is the physical and logical communication structure the adversary uses to deliver a capability, maintain control, and exfiltrate data. It includes:
Physical Infrastructure: Actual servers, IP addresses, hosting providers, and network routes.
Logical Infrastructure: Domains, URIs, email addresses, cryptographic keys, and virtual hosts that enable communication.
The original paper further distinguishes Type 1 infrastructure, which the adversary owns or directly controls, from Type 2 infrastructure, which belongs to a third party (often a compromised host) and is what the victim actually observes; the adversary uses it to hide its origin. Compromised victim or third-party systems used as stepping stones are Type 2 infrastructure.
Victim: This represents the target of the intrusion. It's not just the organization or individual, but also the specific assets, systems, data, and even the personas within the victim environment that are targeted. Understanding the victim's characteristics (e.g., industry, defensive posture, vulnerabilities) helps identify why they were targeted and what the adversary sought to achieve.
Relationships and Meta-Features:
The power of the Diamond Model lies in the relationships between these four core features:
Every intrusion event consists of an adversary using a capability over infrastructure against a victim; this is the model's first axiom, and an event cannot be described with one of the four features absent. A feature may, however, be unknown at the time of analysis. The analyst records it as unknown and pivots from the known features (for example, from a C2 address to every other event that used it) to fill it in.
The model also incorporates meta-features that provide additional context to the event:
Timestamp: The time and date of the intrusion event.
Phase: The stage of the intrusion kill chain (e.g., reconnaissance, exploitation, persistence, exfiltration).
Result: The outcome of the intrusion event: success, failure, or unknown, together with its post-conditions (e.g., data exfiltrated, system compromised, service denied), which the model also records as impacts on confidentiality, integrity, and availability.
Direction: Which way the event moved across the diamond. The paper enumerates Victim-to-Infrastructure, Infrastructure-to-Victim, Infrastructure-to-Infrastructure, Adversary-to-Infrastructure, Infrastructure-to-Adversary, Bidirectional, and Unknown; a C2 beacon, for example, is Victim-to-Infrastructure, while a phishing delivery is Infrastructure-to-Victim.
Methodology: The general attack category (e.g., phishing, DDoS, malware).
Resources: The resources an adversary has committed to the operation (e.g., time, money, personnel).
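The following is an added example, not code from the model's authors or from any product described on this page. It records intrusion events with the four core features and six meta-features described above and then performs the pivot an analyst makes in practice: linking events that share a feature value (here, a C2 address) and propagating a known adversary onto unattributed events. All events are constructed sample data, and the adversary label GROUP-A is an assumed name, not a real group.

```python
"""Diamond Model events as data, with the pivot analysts use to link them.

Added illustration for this page; it is not code from the model's authors
or from ThreatNG. Every event below is constructed sample data and the
adversary name GROUP-A is an assumed label, not a real group.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import datetime
from enum import Enum
from typing import Optional, Tuple


class Direction(Enum):
    """Direction values as enumerated in the Diamond Model paper."""
    VICTIM_TO_INFRA = "Victim-to-Infrastructure"
    INFRA_TO_VICTIM = "Infrastructure-to-Victim"
    INFRA_TO_INFRA = "Infrastructure-to-Infrastructure"
    ADVERSARY_TO_INFRA = "Adversary-to-Infrastructure"
    INFRA_TO_ADVERSARY = "Infrastructure-to-Adversary"
    BIDIRECTIONAL = "Bidirectional"
    UNKNOWN = "Unknown"


@dataclass(frozen=True)
class Event:
    """One intrusion event: four core features plus the six meta-features."""
    adversary: Optional[str]        # None means "not yet known", never "absent"
    capability: str
    infrastructure: str
    victim: str
    timestamp: datetime
    phase: str                      # kill-chain stage, e.g. "delivery", "c2"
    result: str                     # "success", "failure" or "unknown"
    direction: Direction
    methodology: str                # general category, e.g. "spear-phish"
    resources: Tuple[str, ...] = ()


CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")


def pivot(events, feature, value):
    """The analyst's pivot: every event sharing one known feature value."""
    assert feature in CORE_FEATURES
    return [e for e in events if getattr(e, feature) == value]


def shared_feature_clusters(events, feature):
    """Group events that share a core feature value; singletons are dropped."""
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, feature)].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def attribute_by_shared_feature(events, feature):
    """Copy a known adversary onto unattributed events sharing `feature`.

    This is a hypothesis, not a proof: shared infrastructure can mean a
    common adversary, or a shared hosting provider, or a proxy used by many.
    """
    known = {}
    for e in events:
        if e.adversary is not None:
            known.setdefault(getattr(e, feature), e.adversary)
    return [
        replace(e, adversary=known[getattr(e, feature)])
        if e.adversary is None and getattr(e, feature) in known else e
        for e in events
    ]


# Constructed sample: two victims, one C2 address seen against both.
SAMPLE_EVENTS = [
    Event("GROUP-A", "macro-dropper.doc", "mail-relay.example.net", "acme-finance",
          datetime(2024, 1, 3, 9, 12), "delivery", "success",
          Direction.INFRA_TO_VICTIM, "spear-phish", ("funds", "software")),
    Event(None, "rat-v2", "198.51.100.7", "acme-finance",
          datetime(2024, 1, 3, 10, 2), "c2", "success",
          Direction.VICTIM_TO_INFRA, "malware"),
    Event("GROUP-A", "rat-v2", "198.51.100.7", "beta-logistics",
          datetime(2024, 2, 11, 14, 30), "c2", "success",
          Direction.VICTIM_TO_INFRA, "malware"),
    Event(None, "cred-stuffer", "203.0.113.44", "acme-finance",
          datetime(2024, 3, 1, 2, 45), "exploitation", "failure",
          Direction.INFRA_TO_VICTIM, "credential-stuffing"),
]


def demo():
    """Attribute the unknown C2 event via shared infrastructure."""
    attributed = attribute_by_shared_feature(SAMPLE_EVENTS, "infrastructure")
    return [e.adversary for e in attributed]


if __name__ == "__main__":
    print(demo())   # ['GROUP-A', 'GROUP-A', 'GROUP-A', None]
```

The unattributed C2 event against acme-finance picks up GROUP-A because it shares 198.51.100.7 with an attributed event; the failed credential-stuffing event stays unattributed because nothing links it. That asymmetry is the point of the pivot: the model forces you to state which feature justified the link, so the hypothesis can be revisited if the shared address turns out to be a commodity proxy.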
How it's Used in Cybersecurity:
The Diamond Model is used for:
Incident Response: Provides a framework for analyzing and documenting security incidents, helping responders understand the full scope of an attack.
Threat Intelligence: Enables richer threat intelligence by characterizing adversaries, their tools, and their infrastructure, allowing organizations to move beyond simple IOCs to more actionable intelligence.
Adversary Tracking: Helps in tracking adversary groups and their campaigns over time by identifying patterns in their capabilities and infrastructure.
Defensive Strategy Development: By understanding the adversary's complete picture, organizations can develop more effective and targeted defensive strategies, rather than just patching individual vulnerabilities.
Communication: Provides a common language for security professionals to discuss and analyze intrusions, improving communication within and across organizations.
The Diamond Model provides a systematic way to dissect and understand cyberattacks, enabling a more holistic view of adversary behavior and leading to more informed and effective cybersecurity defenses.
The Diamond Model of Intrusion Analysis focuses on the relationships between the Adversary, Capability, Infrastructure, and Victim. ThreatNG, while not designed as a Diamond Model analysis tool, provides granular external intelligence that feeds into and enriches each facet of the model, particularly from the Victim and Infrastructure perspectives, and indirectly informs the Adversary and Capability aspects. One note on terminology: the sections below use "Victim's Infrastructure" for the victim's externally reachable assets. Strictly, the model files those under the Victim feature (as victim assets) and reserves Infrastructure for what the adversary uses; a victim asset becomes Infrastructure only once the adversary operates through it (the paper's Type 2 infrastructure, for example a compromised host used as a stepping stone).
Here's how ThreatNG's features would help in applying the Diamond Model:
External Discovery
ThreatNG's ability to perform purely external, unauthenticated discovery directly contributes to understanding the Victim's Infrastructure and its exposure to the Adversary. By identifying all public-facing assets, ThreatNG helps map the potential entry points and exposed resources that an adversary might target.
Example: An organization (Victim) might not be fully aware of all its public-facing subdomains or forgotten cloud instances. ThreatNG would autonomously discover these assets (Infrastructure), such as dev-portal.yourcompany.com or an exposed AWS S3 bucket, even if they are undocumented. This discovery provides the foundational layer for understanding the full scope of the victim's external attack surface that an adversary could potentially leverage.
External Assessment
ThreatNG's detailed external assessments provide specific insights into the vulnerabilities and susceptibilities of the Victim and their Infrastructure, and infer the potential Capabilities an Adversary might use against them.
Web Application Hijack Susceptibility: This assessment identifies potential entry points for attackers by analyzing web application components accessible from the outside world.
Example: If ThreatNG reports a high "Web Application Hijack Susceptibility" for careers.yourcompany.com due to an outdated job application portal, this directly informs the Victim's vulnerability. It also hints at the Capability an Adversary might use: exploiting known web application flaws.
Subdomain Takeover Susceptibility: This evaluates the risk by analyzing subdomains, DNS records, and SSL certificate statuses.
Example: ThreatNG detecting that oldproject.yourcompany.com is vulnerable to subdomain takeover means an Adversary could potentially claim this Infrastructure and use it for phishing (a Capability) against the Victim's customers, damaging the victim's brand.
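As an added example of the check behind a subdomain takeover assessment (this is not ThreatNG's logic), the block below walks a domain's CNAME records, matches each target against a small table of provider fingerprints, and reports the subdomains whose target answers with the provider's "unclaimed resource" page. The DNS answers, HTTP bodies, and subdomain names are constructed inline so it runs offline; the three fingerprints are samples of the kind of list a real assessment maintains per provider.

```python
"""Dangling-CNAME check of the kind a subdomain takeover assessment performs.

Added illustration; not ThreatNG's own logic. DNS answers and HTTP bodies
are constructed inline so the block runs offline. In practice they come
from a resolver and an HTTP client, and the fingerprint list is maintained
per provider and changes over time (the three entries here are samples).
"""

# provider CNAME suffix -> text the provider serves for an unclaimed resource
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokudns.com": "No such app",
}

# Constructed DNS view: subdomain -> CNAME target
SAMPLE_CNAMES = {
    "oldproject.yourcompany.com": "yourcompany-old.github.io",
    "www.yourcompany.com": "prod-lb.yourcompany.com",
    "assets.yourcompany.com": "yourcompany-assets.s3.amazonaws.com",
    "docs.yourcompany.com": "yourcompany-docs.github.io",
    "legacy.yourcompany.com": "legacy-app.herokudns.com",
}

# Constructed HTTP responses per CNAME target: (status, body); missing = no answer
SAMPLE_RESPONSES = {
    "yourcompany-old.github.io": (404, "There isn't a GitHub Pages site here."),
    "prod-lb.yourcompany.com": (200, "ok"),
    "yourcompany-assets.s3.amazonaws.com": (200, "<ListBucketResult/>"),
    "yourcompany-docs.github.io": (200, "<html>Docs</html>"),
}


def check_takeover(subdomain, cnames, responses):
    """Classify one subdomain; only 'takeover-candidate' needs action."""
    target = cnames.get(subdomain)
    if target is None:
        return {"subdomain": subdomain, "status": "no-cname", "target": None}
    provider = next(
        (p for p in FINGERPRINTS if target == p or target.endswith("." + p)), None
    )
    if provider is None:
        # Points at something we do not fingerprint (often the org's own host)
        return {"subdomain": subdomain, "status": "not-fingerprinted", "target": target}
    if target not in responses:
        # Target does not resolve or does not answer: needs a manual look,
        # since some providers release the name entirely when it is deleted.
        return {"subdomain": subdomain, "status": "unreachable", "target": target}
    status, body = responses[target]
    if FINGERPRINTS[provider] in body:
        return {"subdomain": subdomain, "status": "takeover-candidate",
                "target": target, "provider": provider, "http_status": status}
    return {"subdomain": subdomain, "status": "claimed", "target": target}


def takeover_candidates(cnames=SAMPLE_CNAMES, responses=SAMPLE_RESPONSES):
    """All subdomains whose CNAME target answers with an 'unclaimed' page."""
    results = (check_takeover(s, cnames, responses) for s in cnames)
    return sorted(r["subdomain"] for r in results if r["status"] == "takeover-candidate")


if __name__ == "__main__":
    for name in SAMPLE_CNAMES:
        print(check_takeover(name, SAMPLE_CNAMES, SAMPLE_RESPONSES))
```

Only oldproject.yourcompany.com comes back as a candidate: its CNAME points at a GitHub Pages name that currently serves the "no site here" page, which is exactly the condition under which an attacker can register that name and inherit the subdomain. The unreachable legacy host is reported separately rather than ignored, because a target that no longer resolves is a different (and provider-specific) takeover question.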
BEC & Phishing Susceptibility: Derived from domain intelligence, email security presence, and compromised credentials on the dark web.
Example: If ThreatNG identifies a weak DMARC configuration or compromised employee credentials on the dark web, it suggests a high "BEC & Phishing Susceptibility." This directly impacts the Victim by highlighting their vulnerability to social engineering Capabilities employed by an Adversary for financial gain.
Data Leak Susceptibility: Based on Cloud/SaaS Exposure, Dark Web Presence, and Domain Intelligence findings.
Example: ThreatNG reporting a high "Data Leak Susceptibility" due to an open AWS S3 bucket containing sensitive documents defines a critical vulnerability in the Victim's Infrastructure and hints at the Adversary's Capability to exfiltrate sensitive data.
Cyber Risk Exposure: Considers certificates, subdomain headers, vulnerabilities, sensitive ports, and code secret exposure.
Example: ThreatNG detecting an unpatched vulnerability (e.g., Log4Shell) on an externally exposed server or exposed API keys in a public code repository directly identifies weaknesses in the Victim's Infrastructure. This gives insights into the Capabilities an Adversary might use, such as exploiting known software flaws or using leaked credentials for unauthorized access.
Supply Chain & Third Party Exposure: Derived from vendor technology enumeration, technology stack, and Cloud/SaaS Exposure.
Example: ThreatNG identifying that a critical SaaS provider used by the Victim (e.g., Salesforce or Workday) has publicly known vulnerabilities or misconfigurations would define a weakness in the Victim's extended Infrastructure. This highlights a potential Capability for an Adversary to target the victim indirectly through their supply chain.
Mobile App Exposure: Evaluates exposed mobile apps in marketplaces and their contents for credentials and identifiers.
Example: If ThreatNG discovers that the Victim's mobile app in a marketplace contains hardcoded AWS access keys, this identifies a critical weakness on the Victim side (an application that ships a live credential) and hands an Adversary a ready-made Capability: using the leaked keys to reach the Victim's cloud Infrastructure without needing any exploit.
Positive Security Indicators: This indicator identifies and highlights security strengths like WAFs or MFA, validating their effectiveness from an external attacker's perspective.
Example: ThreatNG confirming the presence of a WAF in front of a key web application indicates a defensive control on the Victim's web-facing assets that blunts common web-attack Capabilities of an Adversary. This helps refine the understanding of the victim's defensive posture, with the caveat that detecting a WAF shows it is deployed, not that its rule set is tuned or that it cannot be bypassed.
Reporting
ThreatNG's diverse reporting capabilities are essential for documenting and communicating the elements of the Diamond Model, particularly concerning the Victim's vulnerabilities and exposed Infrastructure.
Prioritized Reports (High, Medium, Low, Informational): These help focus on critical issues.
Example: A "High" severity report on an exposed database port indicates a significant vulnerability in the Victim's Infrastructure that an Adversary with database exploitation Capabilities could use. This prioritization aids in understanding the immediate threat.
Security Ratings, Inventory, and Ransomware Susceptibility reports provide tangible metrics on the Victim's overall security posture related to their external Infrastructure.
Knowledgebase: Provides risk levels, reasoning, recommendations, and reference links. This helps understand the context and implications of identified vulnerabilities in terms of potential adversary actions and their impact on the victim.
Continuous Monitoring
Continuous monitoring is crucial for tracking changes in the Victim's Infrastructure and identifying new opportunities for an Adversary.
Example: As the Victim (an organization) expands its digital footprint, new subdomains or cloud services might be deployed. ThreatNG's continuous monitoring would detect these new Infrastructure components. If a misconfiguration on one of them inadvertently exposes sensitive data, ThreatNG flags it, allowing the organization to address the exposure before an Adversary can discover and exploit it. This keeps the Victim and Infrastructure vertices of the diamond current.
Investigation Modules
ThreatNG's detailed investigation modules allow for deep dives into specific elements of the Diamond Model, primarily focusing on the Victim's Infrastructure and revealing the potential Capabilities and intent of an Adversary.
Domain Intelligence (DNS, Email, Subdomain, WHOIS Intelligence):
Example: If investigating a potential phishing attack (a Capability), the "Email Intelligence" within Domain Intelligence can reveal if the Victim's email Infrastructure (e.g., DMARC, SPF, DKIM records) is configured weakly, allowing an Adversary to easily spoof emails. This informs the Adversary's capability and how it relates to the Victim's infrastructure weakness.
Example: "Subdomain Intelligence" can reveal open ports, technologies (e.g., outdated CMS), or exposed internal IP addresses on the Victim's Infrastructure. This identifies specific weaknesses that map to common Adversary Capabilities for network access or system compromise.
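The following is an added example, not ThreatNG's Email Intelligence module, of the spoofability check the Email Intelligence example above describes. It parses a domain's SPF and DMARC TXT records and returns the findings that make spoofing easy: a permissive or missing SPF "all" qualifier, a missing DMARC record, a p=none policy, partial pct, or no aggregate reporting. The records are constructed inline; in practice they are fetched from DNS (SPF at the domain apex, DMARC at _dmarc.<domain>), and the domain yourcompany.com is the page's placeholder.

```python
"""Spoofability findings from a domain's SPF and DMARC TXT records.

Added illustration for this page; not ThreatNG's Email Intelligence logic.
The records below are constructed samples. In practice they come from DNS:
SPF is the 'v=spf1' TXT at the apex, DMARC the TXT at _dmarc.<domain>.
"""


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the record is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def parse_spf(txt):
    """Return the qualifier on SPF's 'all' term ('+', '-', '~', '?').

    Returns None if there is no SPF record or no 'all' term at all.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return qualifier


def spoof_findings(spf_txt, dmarc_txt):
    """List the conditions that let an attacker spoof this domain's mail."""
    findings = []
    if spf_txt is None:
        findings.append("no SPF record")
    else:
        spf_all = parse_spf(spf_txt)
        if spf_all is None:
            findings.append("SPF has no 'all' term (neutral default, senders pass)")
        elif spf_all in ("+", "?"):
            findings.append(f"SPF ends in '{spf_all}all': any sender passes")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no DMARC record: receivers may deliver spoofed mail")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is delivered")
        pct = int(dmarc.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
        if "rua" not in dmarc:
            findings.append("no rua tag: no aggregate reports, spoofing goes unseen")
    return findings


# Constructed sample records for the page's placeholder domain
WEAK_RECORDS = (
    "v=spf1 include:_spf.google.com ~all",
    "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com",
)
STRONG_RECORDS = (
    "v=spf1 include:_spf.google.com -all",
    "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourcompany.com",
)


if __name__ == "__main__":
    print(spoof_findings(*WEAK_RECORDS))
    print(spoof_findings(*STRONG_RECORDS))
```

The weak pair is the common real-world shape: SPF is present but softfails, and DMARC exists only in monitoring mode, so a receiver that honours the policy still delivers a spoofed message. Only p=quarantine or p=reject at full pct turns the SPF and DKIM results into an enforcement decision, which is why the check treats p=none as a finding rather than as "DMARC configured".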
Sensitive Code Exposure: Discovers public code repositories and their contents, including credentials, keys, and configuration files.
Example: Finding an AWS Access Key ID in a public GitHub repository (a leaked Victim credential) directly identifies a Capability an Adversary can use, without any exploit, to gain unauthorized access to the Victim's cloud resources, significantly impacting the victim.
Cloud and SaaS Exposure: Identifies sanctioned/unsanctioned cloud services, impersonations, open exposed buckets, and SaaS implementations.
Example: Detecting an "Open Exposed Cloud Bucket" belonging to the Victim reveals a critical flaw in their Infrastructure. This directly informs the Adversary's Capability to access sensitive data, such as customer records (which impacts the Victim).
Dark Web Presence: Reveals organizational mentions, ransomware events, and compromised credentials.
Example: Discovering a large volume of the Victim's compromised employee credentials on the dark web immediately informs the Adversary's Capability to perform account takeovers and social engineering, directly targeting the Victim's employees and internal systems.
Intelligence Repositories (DarCache)
ThreatNG's DarCache intelligence repositories provide crucial, external context that helps characterize the adversary, their capabilities, and the inherent vulnerabilities of the victim's infrastructure.
Compromised Credentials (DarCache Rupture): Directly informs the Adversary's Capability to gain initial access via credential stuffing or brute-forcing, and targets the Victim's employee accounts.
Ransomware Groups and Activities (DarCache Ransomware): Tracking over 70 ransomware gangs provides specific threat intelligence about known Adversaries and their typical Capabilities (e.g., specific ransomware strains, common attack vectors) that could target the Victim.
Vulnerabilities (DarCache Vulnerability): This collection, including NVD, EPSS, KEV, and PoC Exploits, is invaluable for understanding the Capability an Adversary might use against the Victim's Infrastructure.
Example: If ThreatNG identifies a vulnerability in the Victim's Infrastructure that is listed in KEV (exploited in the wild) and has a high EPSS score (a high estimated probability of exploitation within the next 30 days), that Capability is one real adversaries are already using against this type of asset, which is strong evidence it should be remediated first. Neither signal says that a specific Adversary is targeting this Victim: KEV records that exploitation has occurred somewhere, and EPSS is a population-level estimate. Linking to PoC exploits shows what the Capability looks like in practice and how much effort an Adversary needs to weaponize it.
Complementary Solutions and Synergies
ThreatNG's external focus means it can work synergistically with other cybersecurity solutions to build a more complete Diamond Model for complex intrusions.
Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR) Solutions:
Synergy: ThreatNG identifies the external Victim's exposure and potential Infrastructure weaknesses. EDR/XDR solutions provide deep visibility into the Victim's internal systems, processes, and network activity. Together, they can connect the external attack surface to internal compromise.
Example: ThreatNG flags a high "BEC & Phishing Susceptibility" for an organization (Victim) due to a misconfigured email domain. If a phishing email bypasses initial defenses, EDR/XDR can then detect the Adversary's Capability (e.g., a malicious attachment execution or PowerShell script) on an endpoint within the Victim's internal Infrastructure, allowing security teams to see the full attack chain from external exposure to internal compromise.
Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms:
Synergy: ThreatNG provides alerts on external Victim exposure and Infrastructure vulnerabilities. SIEMs correlate this with internal logs and threat intelligence to identify suspicious activity. SOARs can then automate responses.
Example: ThreatNG identifies a newly exposed database (Infrastructure) on the internet. This external exposure alert, combined with internal SIEM logs showing unusual login attempts on that database from a foreign IP address (Adversary's Infrastructure), allows a SOAR playbook to automatically block the IP at the perimeter and trigger an investigation. This connects the external view to internal activity, forming a more complete Diamond.
Internal Vulnerability Scanners/Penetration Testing Tools:
Synergy: ThreatNG identifies externally visible vulnerabilities in the Victim's Infrastructure. Internal scanners and pen-test tools can then perform authenticated, deep dives to confirm these vulnerabilities and uncover additional weaknesses not externally visible, enhancing the understanding of the Victim's overall Infrastructure security.
Example: ThreatNG identifies an outdated web server (Infrastructure) exposed to the internet. An internal vulnerability scanner can then be directed to perform an authenticated scan of that server, potentially uncovering further internal misconfigurations or specific exploit paths (Capabilities) that an Adversary could use after initial access.
User and Entity Behavior Analytics (UEBA) Solutions:
Synergy: ThreatNG might identify compromised credentials (e.g., from DarCache Rupture) that belong to the Victim's employees. UEBA solutions monitor internal user behavior for anomalies.
Example: If ThreatNG reports that a specific user's credentials are found on the dark web, a UEBA solution monitoring the Victim's internal network can then specifically watch for unusual login times, locations, or access patterns from that user's account (Adversary using a Capability against the Victim's internal Infrastructure), thereby helping to detect and contain potential account takeovers.
By integrating ThreatNG's robust external intelligence with other security solutions, organizations can construct a more comprehensive and dynamic Diamond Model of Intrusion Analysis, enabling them to better understand, track, and defend against cyber threats.