Hey! I am back with a new cycle of threat hunting articles, made specially for you. In this part we are going to look into the basics of the Diamond Model of Intrusion Analysis and what it is about. I’ll try to keep it practical and simple.

This thing is pretty popular in job requirements and is even implemented inside the OpenCTI platform!

Is this a real thing or yet another empty shell? Let’s dive in!

Core features

The Diamond Model is built around 4 core components called “features”: adversary, capability, infrastructure and victim.

Basically, every event (some atomic, time-bound activity) in the system should have some of the properties described by these features. Keeping the unknown features of each event constantly in mind motivates you to fill in those knowledge gaps and to test further hypotheses. Let’s dig into each core feature to understand how it can be represented.

Adversary

An adversary is an actor or organization that uses their capabilities, resources and infrastructure against the victim (presumably you). This could be APT-1337 or your crazy ex-boyfriend who installed a backdoor on your laptop while you were in the shower😬

Understanding your adversaries’ motivation and resources can be crucial when mitigating threats. A skilled APT will probably have serious resources and budget to crack your password hashes and develop sophisticated malware, while opportunistic public SSH scanners are easily mitigated with public key authentication and a firewall.

There is also a social-political context: Israel’s Unit 8200 is unlikely to attack its US allies, while those same allies may well be actively attacked by the Iranian government. This understanding gives you the opportunity to focus your detection efforts on a specific range of techniques instead of trying to cover every single attack☝🏻

Examples of well-known APTs (threat actors) from MalPedia

Worldwide events can sometimes be correlated with cyber-attacks, though one should remember that correlation does not imply causation.

An adversary is usually identified by the name of the APT / threat actor group. Keep in mind that there are often multiple names for the same actor: each vendor or researcher names the actor independently, based on their own visibility, and the clusters they track don’t always match, so attributions sometimes contradict each other. You can browse threat actor names on MalPedia - a great way to keep your adversary knowledge consistent.

Just look at the long “aka” list of Lazarus APT names: APT 38, APT-C-26, APT38, ATK117, ATK3, Andariel, Appleworm, BeagleBoyz, Black Artemis, Bluenoroff, Bureau 121, COPERNICIUM, COVELLITE, Citrine Sleet, DEV-0139, DEV-1222, Dark Seoul, Diamond Sleet, G0032, G0082, Genie Spider, Group 77, Hastati Group, Hidden Cobra, Labyrinth Chollima, Lazarus, Lazarus group, Moonstone Sleet, NICKEL GLADSTONE, NewRomanic Cyber Army Team, Nickel Academy, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Sapphire Sleet, Stardust Chollima, Subgroup: Bluenoroff, TA404, Unit 121, Whois Hacking Team, ZINC, Zinc 😅😅😅

Capability

Okay, now let’s assume we know who is behind the attack. Certainly, this is often not the case, but I do it on purpose to explain the features🙏

But what can the attacker do? That’s what the capability feature describes. Usually you encounter some TTPs and / or specific malware / tool behavior. Good examples would be:

  • password spraying
  • mass spear phishing
  • watering hole techniques
  • the cumulative capabilities of the implants a specific malware family delivers

Think of capability as the whole set of techniques a threat actor could potentially use. This information often comes from the threat intel reports of various vendors: some are just free articles, while others are sold for a good price, such as Kaspersky TIP reporting.

Capabilities could be represented by:

  • observed MD5/SHA256 hashes of malware
  • hashes or other indicators of phishing mails
  • tools used in the attack, e.g. Living Off The Land legitimate binaries (GTFOBins for Linux, LOLBAS for Windows)

Infrastructure

This is the easiest one to understand: IPs, domain names, e-mail addresses, URLs - the very popular IoCs we use every day. All of these can be tied to a single infrastructure and might even be associated with one specific adversary in the future🥷🏻

You can look those up on VirusTotal, SilentPush, Shodan, AbuseIPDB and other adversary intelligence services.

IP reputation check on SilentPush

We all use infrastructure when doing research, and back in the day we even relied on IP geolocation. Today almost any adversary can afford a proxy with an IP address in any “whitelisted” country, so blindly relying on the country of an IP address is not a very strong signal (as we threat hunters say).

Still, we can make use of the IP. For example, if we expect a specific ASN/ISP in our logs, then we can watch for new IPs from uncommon ranges. Or we can raise suspicion on IPs allocated to hosting providers, since real employees rarely log in from a rented VPS (baseline first, though: corporate VPN or SASE egress points often sit in hosting ASNs too).
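Here is how that could look in practice, as an added example (not code from this article): a small Python script parses a few constructed sshd log lines, maps each source IP to an ASN through a made-up prefix table that stands in for a real lookup service, and flags logins that come from an ASN outside our baseline or from a hosting range. The prefixes, ASNs, provider names, usernames and the baseline are all invented for the example.

```python
import ipaddress
import re

# Constructed prefix -> ASN table standing in for a real lookup (MaxMind, Team Cymru, RIPEstat, ...).
# Prefixes are documentation ranges, ASNs are from the private range, names and hosting flags are invented.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "Example-Home-ISP", False),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "Example-Cloud-Hosting", True),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "Example-VPS-Provider", True),
]

# ASNs our staff were seen connecting from during baselining (constructed).
EXPECTED_ASNS = {64500}

# Constructed sshd log lines, not taken from a real system.
SAMPLE_LOGS = """\
Mar 10 08:01:12 bastion sshd[2311]: Accepted publickey for alice from 203.0.113.17 port 51022 ssh2
Mar 10 08:02:40 bastion sshd[2318]: Accepted publickey for bob from 203.0.113.44 port 49811 ssh2
Mar 10 08:05:03 bastion sshd[2330]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
Mar 10 08:06:19 bastion sshd[2334]: Failed password for root from 192.0.2.77 port 33004 ssh2
Mar 10 08:07:55 bastion sshd[2340]: Accepted publickey for carol from 203.0.113.91 port 50210 ssh2
"""

# Matches both "Accepted publickey for alice from 1.2.3.4" and "Failed password for invalid user x from 1.2.3.4".
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def lookup_asn(ip_str):
    """Return ASN info for an IP, or None when no prefix in the table covers it."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn, name, hosting in ASN_TABLE:
        if ip in net:
            return {"asn": asn, "name": name, "hosting": hosting}
    return None


def parse_logs(text):
    """Extract event/user/ip from sshd lines; lines that don't match are ignored."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def find_suspicious(text, expected_asns=EXPECTED_ASNS):
    """Flag logins whose source ASN is outside the baseline or belongs to a hosting provider."""
    findings = []
    for ev in parse_logs(text):
        info = lookup_asn(ev["ip"])
        reasons = []
        if info is None:
            reasons.append("ASN unknown")
        else:
            if info["asn"] not in expected_asns:
                reasons.append(f"unexpected ASN {info['asn']} ({info['name']})")
            if info["hosting"]:
                reasons.append("hosting provider range")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGS):
        print(f"{f['event']:8} {f['user']:6} {f['ip']:16} {'; '.join(f['reasons'])}")
```

Note that a successful publickey login from a hosting range (alice from 198.51.100.23) is flagged just like the failed root login from the VPS: the interesting signal is the unexpected origin, not the outcome. Widening `expected_asns` is how you absorb a legitimate VPN egress ASN once you have baselined it.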

In the short term, infrastructure is a good indicator of a specific adversary, though it is not very complicated for them to change an IP or domain. A much harder task for them is to change their tactics / capabilities.

You can see this on the “Pyramid of Pain” for cybersec:

IPs and domains are changed easier than tools and TTPs

Important note:
In the Diamond Model, command and control is considered a capability, not infrastructure.

The specific C&C IP address or domain, however, is certainly an infrastructure entity.

Victim

Last but not least - we, the victim🙂 We can describe ourselves with pretty much the same properties as the adversary, but from the “good” side:

  • organization name
  • specific targeted person
  • specific targeted asset such as endpoint or server

Understanding potential victims is as important as knowing your adversary. A simple thought: if we know an adversary’s victim profile, we can make assumptions about whether we are going to be targeted or not💡

It’s also good practice to share threat intelligence with organizations that have a profile similar to yours. The Diamond Model calls such a set of victims a “shared threat space”.

This can save us a lot of time and resources by focusing on threats we actually expect to encounter, helping us catch real threats more reliably instead of trying to catch everything and doing it poorly.

What is the point?

So now we have defined the core features: adversary, capability, infrastructure, victim. But what is the point? The point is that we can use these features to describe a set of events. In some events only a subset of the core features is known, and that’s okay.

We can now analyse those events under big-picture approaches such as the Social-Political or Capability-Centered one, and do so-called “Analytic Pivoting”: based on what we already know, we form hypotheses about the data we don’t know yet:

  • Who else could be affected?
  • Are these events related enough to attribute them to one adversary?
  • Do we have other infected machines?
  • We see Russian strings embedded in the malware. Does this mean the malware was developed by Russians?

But this will be covered in the next part😉