The Diamond Model — A Methodology for Analyzing Cyber-Attacks

Kelvin Ling
3 min read · Jan 19, 2023


The Diamond Model helps identify the attributes of an intrusion. It is used to analyze cyber-attacks because it provides a holistic view of an event. This article looks into the core features and additional components of the Diamond Model and provides related examples.

See more: https://tryhackme.com/room/diamondmodelrmuwwg42

The Diamond Model is composed of four core features:

1. Adversary

2. Infrastructure

3. Capability

4. Victim

Additional components for The Diamond Model include:

1. Social-Political

2. Technology

Core Feature #1) Adversary

Adversary refers to the individuals who launch cyber-attacks. The adversary consists of two groups of individuals: #1) the adversary operator and #2) the adversary customer.

Adversary operators are the persons who launch attacks to gain unauthorized access to cyber resources. For example, hackers who perform SQL injection attacks on a company’s database are adversary operators.

Adversary customers are the individuals who benefit from cyber-attacks. They can direct a group of adversary operators to launch coordinated attacks on a target. For example, a government may hire operators to perform a cyber-attack on an organization to gain access to valuable information.

Core Feature #2) Victim

Victims are the adversary’s targets. They can be cyber resources, individuals, data, etc., which the attackers want to gain access to or destroy. For example, a company’s database is often the adversary’s target.

The term can be subdivided into two categories: #1) victim personae and #2) victim assets.

Victim personae refer to the identity of an individual or organization. Attackers may perform social engineering attacks by gaining knowledge of an employee’s background in order to exploit their access to a company’s internal resources.

Victim assets are the attack surface, often consisting of multiple systems and resources such as employees’ network accounts and login credentials.

Core Feature #3) Capability

Capability refers to the techniques and tools an adversary uses in a cyber-attack. It can be subdivided into two terms: capability capacity and adversary arsenal. The former refers to the whole set of vulnerabilities that the adversary can exploit; the latter means the complete set of capabilities known to an adversary.

Core Feature #4) Infrastructure

Infrastructure is the computing resource that an adversary uses to launch an attack. It can be divided into two types: Type 1 infrastructure is owned by the adversary, while Type 2 infrastructure is controlled by the adversary but not owned by it.

Additional Component: #1) Social-Political

The social-political component creates a justification for launching cyber-attacks. The financial incentive for exploiting cyber resources is one example.

Additional Component: #2) Technology

The technology component describes how capability and infrastructure interact, i.e. the technology employed. For example, an attacker gains unauthorized access to Type 2 infrastructure and uses phishing techniques from it to infiltrate an organization.

Case Study: Cyber Attack on the Ukrainian Power Grid

The terminology explained above can be used to describe the power grid outage in Ukraine in 2016. In this example, the attack was coordinated by an adversary customer who stood to benefit from it. The attackers infiltrated the infrastructure by planting malicious code in an MS Office document. This demonstrated the adversary operator’s capability of using known exploits on its victim, the power grid company.
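The value of recording an event along these four vertices is that analysts can pivot across them: an event with an unknown adversary can be linked to events with a known one through shared infrastructure or capability. The following is an added example, not code from the original article or the TryHackMe room; the events, group names and hostnames are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four core features plus the
    two additional components (social-political, technology)."""
    event_id: str
    adversary: str              # operator/customer label, or "unknown"
    capability: str             # technique or tool used
    infrastructure: str         # resource the attack was launched from
    infra_type: int             # 1 = adversary-owned, 2 = controlled, not owned
    victim: str                 # victim persona or asset
    social_political: str = ""  # motive, e.g. financial or espionage
    technology: str = ""        # how capability and infrastructure interact

def pivot(events, feature, value):
    """Return every event sharing `value` on the given core feature."""
    return [e for e in events if getattr(e, feature) == value]

def infer_adversary(events, event_id):
    """Pivot from one event across shared infrastructure and capability to
    other events whose adversary is known; return candidate adversary names."""
    start = next(e for e in events if e.event_id == event_id)
    linked = set(pivot(events, "infrastructure", start.infrastructure))
    linked |= set(pivot(events, "capability", start.capability))
    return sorted({e.adversary for e in linked
                   if e.event_id != event_id and e.adversary != "unknown"})

# Constructed sample events; hostnames use the reserved .invalid TLD.
EVENTS = [
    DiamondEvent("E1", "GroupA", "macro-laden office document",
                 "mail-relay.example.invalid", 2, "utility-A employee",
                 "espionage", "phishing email sent via a compromised relay"),
    DiamondEvent("E2", "unknown", "macro-laden office document",
                 "mail-relay.example.invalid", 2, "utility-B engineer"),
    DiamondEvent("E3", "GroupB", "credential stuffing",
                 "vps.example.invalid", 1, "retailer-C login portal", "financial"),
]

if __name__ == "__main__":
    print(infer_adversary(EVENTS, "E2"))  # → ['GroupA']
```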
