Word Notes 5.17.22
Ep 100 | 5.17.22

Diamond Model (noun)


Rick Howard: The word is: the Diamond Model.  


Rick Howard: Spelled: Diamond as in the shape of, and model as in a representation to show the construction of something.  


Rick Howard: Definition: A cyber threat intelligence analysis model that defines relationship pairs between four core components in the shape of a diamond of adversary playbook activity across the intrusion kill chain: the adversary, their capability, the infrastructure used or attacked, and the victim. 


Rick Howard: Example sentence: The Diamond Model allowed security analysts to attribute with high confidence that Sandworm penetrated Ukraine's government networks.


Rick Howard: Origin and context: Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, who, in 2011, were working for the U.S. Department of Defense, published their paper, "The Diamond Model of Intrusion Analysis," in which they laid out a methodology to describe how cyber adversaries use their capabilities and infrastructure against victims.


Rick Howard: The authors were riffing off something called "Attack Trees," originally proposed by cybersecurity luminary and thought leader Bruce Schneier. Schneier's idea was that attack graphs "attempt to generate all possible attack paths and vulnerabilities for a given set of protected resources to determine the most cost-effective defense and the greatest degree of protection." It's a terrific idea, but it didn't scale.


Rick Howard: The Diamond Model authors attempted to formalize a language around cyber incidents, and it was a first step to improve that situation. In their model, they build "activity threads" that combine intelligence and traditional attack graphs into activity-attack graphs by merging "traditional vulnerability analysis with knowledge of adversary activity."


Rick Howard: As analysts collect intelligence using the Diamond Model, the kill chain becomes more complete with data for all the incidents. At a certain point, analysts might note that the Diamond Model event for the delivery phase and the Command and Control phase in incident one is remarkably similar to the events captured in incident two. 


Rick Howard: These "activity threads" connect the two incidents together, may indicate that the attacks originated from the same adversary, and imply a much broader campaign against your network.


Rick Howard: According to the paper, "The Diamond Model's events can then be correlated across activity threads to identify adversary campaigns, and coalesced into activity groups to identify similar events and threats that share common features." In simpler terms, this process is how we get all of those colorful names that splash across the headlines in the cybersecurity news space.


Rick Howard: For example, "Chinese APT10 hackers use Zerologon exploits against Japanese orgs."  


Rick Howard: Or, "Ferocious Kitten: six years of covert surveillance in Iran."  


Rick Howard: Or, "The Lazarus Group may have been behind the 2019 attacks of European targets."  


Rick Howard: To be clear, the Diamond Model is not an alternative to the Lockheed Martin kill chain model or the MITRE ATT&CK Framework; it's an enhancement. The Diamond Model's atomic element, the Event, with its four core features, is present at each phase of the intrusion kill chain. From the Diamond Model paper, "The 'kill chain' provides a highly effective and influential model of adversary operations which directly informs mitigation decisions. Our model integrates their phased approach and complements kill chain analysis by broadening the perspective which provides needed granularity and the expression of complex relationships amongst intrusion activity."


Rick Howard: Nerd reference: In 2020, Andy Pendergast, now working for ThreatConnect, gave a presentation about the evolution of the Diamond Model.


Andy Pendergast: We look at the diamond as an event. Every Diamond has some time that the event occurred. It has some person that was responsible for the event, the adversary, some capability that they leveraged, be that a piece of malware that exploits a certain vulnerability, or a tool, or on that, to move laterally, whatever the case may be. And they have some infrastructure that they used, some point of presence either on the internet or within the victim's network, to carry out that capability or that they carried out that capability on.


Andy Pendergast: And then, every event has something that's affected. There's something that's being targeted, and that's the victim. And we can track those as personas and network addresses, email addresses for the victims as well.


Andy Pendergast: What we originally used it for was pivoting across each one. So if I could track a capability, if I could have a signature for malware activity, then I might be able to find infrastructure used by the same, or similar, groups also using that capability in different places.


Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.