The difference between a clever and not so clever person comes down to one’s ability to think. Thinking is something we all do, but not everyone thinks with structure.
Another name for this structured thinking is a “mental model”. We all use them, but most of us are unconscious of the models we’re using. This unconscious approach is natural, but it’s not very effective. Luckily, there are well-known mental models that have proven to be more effective than others, and that’s what we’re chatting about today.
The model we’re going to dive into is specific to cybersecurity, more specifically “intrusion analysis”. So what is “intrusion analysis”? Put simply, it’s when a defender analyzes the who, what, when, why, and how of an attacker on a network/system.
Our model of choice is going to be the Diamond Model, which was created by a few cyber geeks working in the DoD back in 2013. The main reason they created the Diamond Model is that they were unable to accurately track and classify their digital enemies.
Diamond Model 101
Most experienced cyber defenders have certain ways of detecting, analyzing, and preventing attackers, but this knowledge comes from decades of experience. Plus, even with decades of experience, most defenders struggle to effectively and efficiently detect, analyze, and prevent attackers.
This is where the Diamond Model comes into play. The Diamond Model’s sole purpose is to add a little science into the magic that we call “intrusion analysis”. With a more standard and scientific approach to analyzing attackers, defenders will have a better chance in this never-ending digital battle.
So what exactly is the “Diamond Model”?
The name says it all… It’s a model shaped like a diamond.
Each point on this diamond represents a “core feature”, which is broken into attackers, victims, infrastructure, and capabilities.
- Attacker: There are mainly two types of attackers – operators and customers. An operator is someone with hands on the keyboard doing the attacking, while the customer is the person funding the attack (attackers can be both).
- Victim: This is the person or company being attacked. The victim can be either the direct target or just a “stepping stone” to the actual victim.
- Infrastructure: Here we’re exploring what our attacker is using (e.g. IP address, domain, email, etc.) and this is broken into two main types as well. Type 1 infrastructure is owned by the attacker, but type 2 is where the attacker is using a victim’s infrastructure, so it’s more difficult to attribute the attack back to them.
- Capability: There are stupid and smart attackers, and this core feature helps figure out which kind of attacker we’re dealing with. Depending on the methods, technology, and overall processes, we’ll be able to understand more about the attacker’s capabilities.
All of these core features combined are called an “event”.
Similar to network log data, our Diamond Model has “meta-features” that help answer some useful questions. The main meta-features are…
- Timestamps: When did this attack start and stop?
- Phase: At what phase within an attack campaign did this event happen?
- Results: What were the final results of this attack campaign?
- Methodology: What methods were used during this attack (e.g. Syn flood, phishing, port scan)?
- Resources: What resources does this attack have (e.g. software/hardware, knowledge, data, access, funding, etc.)?
Keep in mind that these meta-features are not set in stone and you can create your own, adding to the stack of meta-features.
Depending on the nature and size of the victim’s business there could be a well-defined relationship between the attacker and victim, but this is rare for most businesses… We’ll leave that section for the DoD to focus on, but below is a simple diagram showing the main relationship discussed in the paper – “Social-Political”.
Threads, Graphs, and Groups
As a n00b it’s good to practice mapping single “events” within an attack campaign to the Diamond Model, but over time you’ll begin to intuit this mapping. Once you’re used to mapping single “events” to the Diamond Model it’s time to take this a step further, diving into “activity threads”, “activity attack graphs”, and “activity groups”.
Activity Threads
First, we’ll start with “activity threads”, which are simply “events” chained together to create a thread. When an attacker goes about their business, they always take multiple actions to accomplish their end goal. Each action or phase can be seen either in the Kill Chain or MITRE ATT&CK framework. We’ll use the Kill Chain for our example.
As you can see below, each diamond is an event and each event is connected to the next by an “arc”. These arcs are causal relationships between events and can be either guesses (dashed lines) or observations (solid lines).
A key part of mapping an attack thread is understanding the attacker’s common processes. We humans love familiarity, routine, and convenience, and attackers are no different. Common attacker habits include reusing similar IP address ranges, domains, software/hardware, or even attack methods.
Below is a generalized example of common processes an attacker could use – they do most of their reconnaissance via Google searches, they email trojanized attachments, they exploit local weaknesses, and they send HTTP POSTs from a victim’s computer.
Understanding the weaknesses of the human psyche has been a part of our society for centuries with criminal investigations, as well as the advertisement industry.
Once we’ve created our thread we can take this to the next level, by making educated guesses on possible future attacks.
Activity Attack Graphs
An activity attack graph is all possible attack threads overlaid on top of each other, based on the attacker’s infrastructure and capabilities.
Below is a simple picture of this.
The main purpose of creating an attack graph that overlays previous attack threads is to “war game” possible future attacks. After mapping all the future possibilities you can prioritize the most probable and impactful ones, defending against what matters most.
Activity Groups
Lastly, we’re going to group similar attackers into “activity groups”.
Certain attackers use similar infrastructure and capabilities, and attack similar victims. By understanding these similarities you’re able to defend against multiple attackers at once, instead of just one specific group.
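To make the pieces above concrete, here is an added example (my own code, not from the post or the original DoD paper) that models a diamond event with its four core features and the listed meta-features, chains events into an activity thread with solid/dashed arcs, flags the phases where the thread still rests on a guess, and merges threads from different victims into activity groups when they share infrastructure or capability. All indicator values and victim names are constructed for the sample.

```python
from dataclasses import dataclass

# Kill Chain phases in order; the post uses the Kill Chain for its thread example.
PHASES = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "actions"]

@dataclass(frozen=True)
class Event:
    attacker: str               # core feature (operator/customer, or "?" if unknown)
    victim: str                 # core feature
    infrastructure: frozenset   # core feature: domains/IPs used (type 1 or type 2)
    capability: frozenset       # core feature: tooling or technique observed
    phase: str                  # meta-feature: Kill Chain phase
    timestamp: int              # meta-feature (constructed sequence number here)
    methodology: str            # meta-feature, e.g. "phishing"

def build_thread(events, observed_pairs):
    """Chain one victim's events into an activity thread ordered by phase. An arc is
    'solid' when the analyst observed the link ((src.ts, dst.ts) in observed_pairs), else 'dashed'."""
    ordered = sorted(events, key=lambda e: (PHASES.index(e.phase), e.timestamp))
    return [(a, b, "solid" if (a.timestamp, b.timestamp) in observed_pairs else "dashed")
            for a, b in zip(ordered, ordered[1:])]

def evidence_gaps(arcs):
    """Phases reached only by a dashed arc: where more telemetry is needed."""
    return [dst.phase for _, dst, style in arcs if style == "dashed"]

def activity_groups(threads):
    """Cluster threads (one per victim) into activity groups whenever any event
    in one thread shares infrastructure or capability with an event in another."""
    def linked(t1, t2):
        return any(a.infrastructure & b.infrastructure or a.capability & b.capability
                   for a in t1 for b in t2)
    groups = []
    for name, thread in threads.items():
        merged = {name}
        for g in [g for g in groups if any(linked(thread, threads[n]) for n in g)]:
            merged |= g
            groups.remove(g)
        groups.append(merged)
    return groups

# Constructed sample: three victims; acme and globex share a C2 domain and beacon tool.
THREADS = {
    "acme": [
        Event("op-1", "acme", frozenset({"203.0.113.7"}), frozenset({"google dork"}), "recon", 1, "osint"),
        Event("op-1", "acme", frozenset({"mail.example.net"}), frozenset({"trojanized doc"}), "deliver", 2, "phishing"),
        Event("op-1", "acme", frozenset({"c2.example.net"}), frozenset({"http post beacon"}), "c2", 3, "http post"),
    ],
    "globex": [Event("?", "globex", frozenset({"c2.example.net"}), frozenset({"http post beacon"}), "c2", 9, "http post")],
    "initech": [Event("?", "initech", frozenset({"198.51.100.9"}), frozenset({"syn flood"}), "actions", 4, "dos")],
}
```

Running `build_thread(THREADS["acme"], {(1, 2)})` gives a solid recon→deliver arc and a dashed deliver→c2 arc, so `evidence_gaps` points at the c2 phase, and `activity_groups(THREADS)` joins acme and globex into one group while initech stays separate.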
Diamond Models – IRL
Instead of recreating the wheel, I’m going to link to good examples of the Diamond Model being used in “real-world” use cases.
Until next time my friends!