Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis breaks down individual events and categorizes them into four nodes. The four main vertices are infrastructure, capability, adversary, and victim.
Infrastructure: An adversary is an organization or threat actor responsible for leveraging a capability against a victim to fulfill its goals.
Capability: The capabilities are tools and techniques used by an adversary in an event.
Adversary: The infrastructure includes the physical or logical communication structures such as IP or e-mail addresses, domain names, and others, employed by an adversary to deliver a capability.
Victim: A victim is a target against whom attacks are initiated, vulnerabilities are exploited, or capabilities are used. It can be organizations, people, or assets, such as target email or IP addresses, domains, and so on.
The Threat Investigations module in CTIX enables you to visualize this information on a canvas. You can associate the threat intel to the diamond model vertices such as adversary, capability, infrastructure, or victim.
This allows you to:
Extract inter-connected knowledge in threat intel and relate them to other incidents, attacks, victims, or attack patterns.
Efficiently aggregate and analyze massive amounts of threat intel data and get a clear picture of how adversaries operate.
Recognize the adversaries’ intent and proactively mitigate cyber threats.
Represent Data Using the Diamond Model of Intrusion Analysis
Using threat investigations you can categorize the threat data into four vertices of the diamond model.
On a Threat Investigation Canvas, select the Diamond sign.
The diamond model displays with its four vertices.
Against any vertex, click the + sign and add Threat Data objects to categorize them.
You can also drag and drop any nodes to any of the four vertices.
Click Save.