A Trip Down the Mineshaft: Understanding the Diamond Model of Intrusion Analysis, Part 4 — Capabilities

Seth Thompson
3 min read · Mar 17, 2024


Capabilities are the weapons of cyber warfare — tools and techniques the adversary uses to achieve their objective. Diamond recognizes them as an essential ingredient in any cyber intrusion. While it’s important for network defenders to understand who might want to attack their organizations, the more pressing issue is recognizing which of those adversaries are actually capable of doing so, along with the tools and techniques they might use in the process. After all, if we can neutralize the adversary’s capabilities, then we neutralize the threat that the adversary poses to us altogether.

Adversary capabilities fall into two broad categories: tools and techniques. When we think about Diamond, each Event has an overarching goal or objective that the adversary is trying to achieve. Working backward from that goal, techniques can be thought of as “things they do” to achieve that goal/objective, while tools are the “things they use” to carry out those techniques.

If the adversary’s goal is to perform reconnaissance of your network and identify technical vulnerabilities, they might utilize the OpenVAS tool to perform the technique of vulnerability scanning. If their goal is to deliver malware to your network, they could use the Gmail tool to carry out the technique of phishing. If they have already managed to install malware on your network and the goal is now to establish a line of communication back to their command and control (C2) servers, they might utilize their custom malware tool to carry out the technique of establishing that channel over the commonly used HTTP web protocol. It is these tools and techniques that we’re talking about when we reference Capabilities within Diamond.

As I’m sure you can see, identifying the Capabilities in use during any single Event is the main method of understanding what phase in the Attack Chain that Event falls under. That’s why this pillar of the Diamond Event is so critical to understanding and fleshing out as completely as possible. Consequently, a ton of time and effort has been expended within the threat intel community in developing resources to help network defenders fully understand adversary capabilities. The resources I’m talking about are things such as MITRE ATT&CK, Malpedia, VirusTotal, etc.

Diamond points out two important things that we should keep an eye on within the Capability Feature. The first is the Capability Capacity. This is defined as “all of the vulnerabilities and exposures that can be utilized by the individual capability regardless of victim.” Since everyone in the IT world nowadays is intimately familiar with CVEs, think of the Capability Capacity as all of the CVEs that could successfully be targeted by an individual capability (tool or technique). That would be the capacity of that Capability.

The second thing to keep an eye on is the Adversary Arsenal. Diamond tells us the “complete set of capabilities, and therefore the combined capacities of their individual capabilities, is the adversary’s arsenal.” This Adversary Arsenal is the true measure of an adversary’s strength. The more tools and techniques they have in their arsenal, the more ways they can attack us and the more things we have to defend against. MITRE has done an excellent job of cataloging several different Adversary Arsenals on their ATT&CK Groups Page.
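To make the three definitions above concrete (a Capability as a tool/technique pair tied to an Attack Chain phase, its Capacity as the set of vulnerabilities and exposures it can use regardless of victim, and the Arsenal as the union of all capacities), here is a small added Python model. It is not code from the post or from the Diamond Model paper; the adversary names, the phase labels, and every `CVE-0000-*` / `EXP-*` identifier are constructed placeholders, and the three capabilities are the post's own OpenVAS, Gmail and custom-malware examples. The defender-side functions show the point made at the top of the post: once the overlap between a victim's exposures and the adversary's capacities is removed, the capability no longer applies.

```python
"""Added illustration of the Diamond Model Capability feature (not the paper's code).

A Capability is a (tool, technique) pair; its Capacity is every vulnerability or
exposure it can use regardless of victim; an adversary's Arsenal is the union of
the capacities of all its capabilities. All identifiers are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Capability:
    tool: str                 # the "thing they use"
    technique: str            # the "thing they do"
    phase: str                # Attack Chain phase the technique belongs to (assumed labels)
    capacity: FrozenSet[str]  # vulnerabilities/exposures this capability can target, any victim


@dataclass
class Adversary:
    name: str
    capabilities: List[Capability] = field(default_factory=list)

    def arsenal(self) -> FrozenSet[str]:
        """Adversary Arsenal: the combined capacity of every individual capability."""
        return frozenset().union(*(c.capacity for c in self.capabilities))


def applicable_capabilities(adversary: Adversary, exposed: FrozenSet[str]) -> List[Capability]:
    """Capabilities whose capacity overlaps what this particular victim actually exposes."""
    return [c for c in adversary.capabilities if c.capacity & exposed]


def remaining_after_mitigation(adversary: Adversary, exposed: FrozenSet[str],
                               mitigated: FrozenSet[str]) -> List[Capability]:
    """Re-run the overlap check after the defender has patched or blocked some exposures."""
    return applicable_capabilities(adversary, exposed - mitigated)


def phase_for_event(adversary: Adversary, tool: str, technique: str) -> Optional[str]:
    """Map an observed tool/technique pair in an Event back to its Attack Chain phase."""
    for c in adversary.capabilities:
        if c.tool == tool and c.technique == technique:
            return c.phase
    return None


def strongest(adversaries: List[Adversary]) -> Adversary:
    """The post's measure of strength: the adversary with the largest arsenal."""
    return max(adversaries, key=lambda a: len(a.arsenal()))


# Constructed sample data. CVE-0000-* and EXP-* are placeholders, not real identifiers.
VULN_SCAN = Capability("OpenVAS", "vulnerability scanning", "reconnaissance",
                       frozenset({"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}))
PHISHING = Capability("Gmail", "phishing", "delivery",
                      frozenset({"EXP-0001"}))  # e.g. users can receive external attachments
C2_HTTP = Capability("custom malware", "C2 over HTTP", "command and control",
                     frozenset({"EXP-0002"}))  # e.g. uninspected outbound HTTP allowed

ADVERSARY_A = Adversary("ADVERSARY-A", [VULN_SCAN, PHISHING, C2_HTTP])
ADVERSARY_B = Adversary("ADVERSARY-B", [PHISHING])

# What this constructed victim actually exposes right now.
VICTIM_EXPOSED = frozenset({"CVE-0000-0002", "EXP-0002"})

if __name__ == "__main__":
    print("arsenal size:", len(ADVERSARY_A.arsenal()))
    print("applicable:", [c.tool for c in applicable_capabilities(ADVERSARY_A, VICTIM_EXPOSED)])
    print("after patching CVE-0000-0002:",
          [c.tool for c in remaining_after_mitigation(ADVERSARY_A, VICTIM_EXPOSED,
                                                      frozenset({"CVE-0000-0002"}))])
    print("phase of Gmail/phishing event:", phase_for_event(ADVERSARY_A, "Gmail", "phishing"))
    print("strongest:", strongest([ADVERSARY_A, ADVERSARY_B]).name)
```

The capacity sets are what make the model useful to a defender: an adversary with a large arsenal is only a threat to you through the part of that arsenal that overlaps your own exposures, so `applicable_capabilities` is the list to prioritise, and `remaining_after_mitigation` shows which capabilities a given patch or network control actually neutralises.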

So, that’s what Capabilities are all about. Next up, we’ll dive into our third Core Feature of the Diamond Event — Infrastructure.
