WEBVTT

1
00:00:00.000 --> 00:00:01.652
In this lesson, we will learn

2
00:00:01.652 --> 00:00:05.543
about the Diamond Model of Intrusion Analysis.

3
00:00:05.543 --> 00:00:08.179
The diamond model of intrusion analysis

4
00:00:08.179 --> 00:00:12.630
is a threat modeling framework that dissects cyber incidents

5
00:00:12.630 --> 00:00:16.484
by focusing on four components, the adversary,

6
00:00:16.484 --> 00:00:20.730
infrastructure, capability, and victim.

7
00:00:20.730 --> 00:00:23.490
In the diamond model of intrusion analysis,

8
00:00:23.490 --> 00:00:25.890
these four components are visualized

9
00:00:25.890 --> 00:00:28.181
as the vertices of a diamond.

10
00:00:28.181 --> 00:00:31.890
The adversary component represents the individual

11
00:00:31.890 --> 00:00:35.910
or group behind the attack, including their motives,

12
00:00:35.910 --> 00:00:38.280
resources, and intent.

13
00:00:38.280 --> 00:00:41.760
The infrastructure component refers to the tools,

14
00:00:41.760 --> 00:00:46.350
networks, and other resources used by the adversary

15
00:00:46.350 --> 00:00:48.090
to carry out the attack.

16
00:00:48.090 --> 00:00:51.690
Infrastructure can include command-and-control servers,

17
00:00:51.690 --> 00:00:54.277
malware, or phishing websites.

18
00:00:54.277 --> 00:00:57.150
The capability component encompasses

19
00:00:57.150 --> 00:01:00.390
the specific techniques, tactics, and procedures

20
00:01:00.390 --> 00:01:02.437
employed by the adversary.

21
00:01:02.437 --> 00:01:06.960
Capabilities include exploiting a software vulnerability

22
00:01:06.960 --> 00:01:08.670
or deploying malware.

23
00:01:08.670 --> 00:01:13.320
Finally, the victim component is the target of the attack.

24
00:01:13.320 --> 00:01:16.464
The victims include the organization, individuals,

25
00:01:16.464 --> 00:01:20.970
or systems affected along with the specific vulnerabilities

26
00:01:20.970 --> 00:01:22.530
that were exploited.

27
00:01:22.530 --> 00:01:25.170
These four components are interconnected

28
00:01:25.170 --> 00:01:28.020
with each one influencing the others.

29
00:01:28.020 --> 00:01:32.130
Together, they provide a holistic view of the intrusion.

30
00:01:32.130 --> 00:01:34.620
Let's learn more about the diamond model

31
00:01:34.620 --> 00:01:36.780
of intrusion analysis.

32
00:01:36.780 --> 00:01:39.090
The diamond model of intrusion analysis

33
00:01:39.090 --> 00:01:41.010
is a threat modeling framework

34
00:01:41.010 --> 00:01:45.076
that provides a structured way to examine cyber incidents

35
00:01:45.076 --> 00:01:49.304
by focusing on four main components, the adversary,

36
00:01:49.304 --> 00:01:53.430
infrastructure, capability, and victim.

37
00:01:53.430 --> 00:01:56.700
These components are visualized as the four points

38
00:01:56.700 --> 00:01:58.830
of a diamond, each interconnected

39
00:01:58.830 --> 00:02:02.070
to provide a holistic view of an attack.

40
00:02:02.070 --> 00:02:05.910
The adversary represents the individual or group

41
00:02:05.910 --> 00:02:09.360
behind the attack, including their motives,

42
00:02:09.360 --> 00:02:11.940
resources, and intent.

43
00:02:11.940 --> 00:02:14.760
The infrastructure is the network, tools,

44
00:02:14.760 --> 00:02:19.170
or servers the adversary uses to carry out their attack,

45
00:02:19.170 --> 00:02:21.990
such as command-and-control, or C2,

46
00:02:21.990 --> 00:02:24.840
servers or even phishing websites.

47
00:02:24.840 --> 00:02:27.990
Next, capability refers to the TTPs,

48
00:02:27.990 --> 00:02:30.390
which are tactics, techniques, and procedures,

49
00:02:30.390 --> 00:02:33.060
that are used by the attacker,

50
00:02:33.060 --> 00:02:37.680
such as exploiting a vulnerability or deploying malware.

51
00:02:37.680 --> 00:02:41.430
Finally, the victim is the target of the attack,

52
00:02:41.430 --> 00:02:44.490
which could be an organization, an individual,

53
00:02:44.490 --> 00:02:47.670
or specific systems impacted.

54
00:02:47.670 --> 00:02:50.220
This also includes the vulnerabilities

55
00:02:50.220 --> 00:02:51.900
which have been exploited.

56
00:02:51.900 --> 00:02:55.472
Each of these four core components has defined relationships

57
00:02:55.472 --> 00:02:57.780
with other components.

58
00:02:57.780 --> 00:03:02.010
For example, an adversary may use their infrastructure

59
00:03:02.010 --> 00:03:05.700
to deploy a capability against a victim.

60
00:03:05.700 --> 00:03:09.180
This is why the components are labeled as the vertices

61
00:03:09.180 --> 00:03:11.880
of the diamond to show their connections.

62
00:03:11.880 --> 00:03:14.430
Alongside these core components,

63
00:03:14.430 --> 00:03:17.880
the diamond model also includes meta features

64
00:03:17.880 --> 00:03:22.620
that provide additional context and detail to an attack.

65
00:03:22.620 --> 00:03:25.399
Meta features include timestamp,

66
00:03:25.399 --> 00:03:28.740
which indicates when an attack occurred,

67
00:03:28.740 --> 00:03:32.700
phase, which shows the stage of the attack,

68
00:03:32.700 --> 00:03:35.430
result, which describes the outcome

69
00:03:35.430 --> 00:03:38.310
like successful access or data theft,

70
00:03:38.310 --> 00:03:41.220
direction, which is the network path

71
00:03:41.220 --> 00:03:43.487
or connection used in the attack,

72
00:03:43.487 --> 00:03:47.760
methodology, which describes what attack techniques

73
00:03:47.760 --> 00:03:51.120
or tactics were used, and resources,

74
00:03:51.120 --> 00:03:54.120
which are the assets the adversary needed,

75
00:03:54.120 --> 00:03:56.310
like tools or exploits.

76
00:03:56.310 --> 00:03:59.940
Together, these core elements and meta features

77
00:03:59.940 --> 00:04:03.060
offer a detailed picture of an attack.

78
00:04:03.060 --> 00:04:06.090
So to see how the diamond model works,

79
00:04:06.090 --> 00:04:08.730
consider a responsive scenario

80
00:04:08.730 --> 00:04:13.530
where an organization identifies malware on a victim system.

81
00:04:13.530 --> 00:04:16.170
By examining the victim component,

82
00:04:16.170 --> 00:04:19.470
analysts can determine which system was attacked

83
00:04:19.470 --> 00:04:22.200
and what vulnerabilities were exploited.

84
00:04:22.200 --> 00:04:25.430
They then analyze the capability of the malware,

85
00:04:25.430 --> 00:04:30.430
finding that it connects to a specific malicious C2 domain.

86
00:04:30.720 --> 00:04:33.930
Tracing this domain leads to the infrastructure

87
00:04:33.930 --> 00:04:36.694
the attacker used to establish control

88
00:04:36.694 --> 00:04:38.880
of the malware remotely.

89
00:04:38.880 --> 00:04:42.690
Then through further investigation, the security team

90
00:04:42.690 --> 00:04:46.470
might be able to attribute the discovered infrastructure

91
00:04:46.470 --> 00:04:48.277
to a known adversary group

92
00:04:48.277 --> 00:04:51.990
by connecting the command-and-control IP address

93
00:04:51.990 --> 00:04:55.950
to the attacker's identity or prior attack history.

94
00:04:55.950 --> 00:04:58.140
From a proactive perspective,

95
00:04:58.140 --> 00:05:00.443
once the diamond model is mapped out,

96
00:05:00.443 --> 00:05:04.560
defenders can apply the model to break the attack chain

97
00:05:04.560 --> 00:05:07.260
to prevent or stop an attack.

98
00:05:07.260 --> 00:05:11.610
For example, if the initial attack vector was phishing,

99
00:05:11.610 --> 00:05:15.260
focusing defenses on the victim could mean implementing

100
00:05:15.260 --> 00:05:20.220
email filters or user training to prevent intrusion,

101
00:05:20.220 --> 00:05:24.030
or to disrupt the infrastructure, defenders could block

102
00:05:24.030 --> 00:05:27.888
malicious command-and-control IP addresses on the firewall,

103
00:05:27.888 --> 00:05:30.341
preventing the malware from communicating

104
00:05:30.341 --> 00:05:32.910
with the external adversary.

105
00:05:32.910 --> 00:05:35.760
Additionally, by adding a DNS rule,

106
00:05:35.760 --> 00:05:37.680
the organization may redirect

107
00:05:37.680 --> 00:05:41.769
malicious domain connection requests to a secure server,

108
00:05:41.769 --> 00:05:44.730
keeping infected systems isolated

109
00:05:44.730 --> 00:05:47.010
from the attacker's control.

110
00:05:47.010 --> 00:05:50.400
In the end, the diamond model of intrusion analysis

111
00:05:50.400 --> 00:05:54.150
enables defenders to identify multiple points

112
00:05:54.150 --> 00:05:58.020
to apply security measures, focusing resources

113
00:05:58.020 --> 00:06:00.630
where they can be most effective.

114
00:06:00.630 --> 00:06:03.570
By linking each component of the attack,

115
00:06:03.570 --> 00:06:05.552
the diamond model allows analysts

116
00:06:05.552 --> 00:06:08.160
to trace the attack lifecycle

117
00:06:08.160 --> 00:06:11.008
and understand the adversary's methods,

118
00:06:11.008 --> 00:06:14.887
enhancing their ability to respond and reinforcing

119
00:06:14.887 --> 00:06:19.530
the organization's defenses against future threats.

120
00:06:19.530 --> 00:06:24.150
So remember, the diamond model of intrusion analysis

121
00:06:24.150 --> 00:06:27.662
is a framework for examining cyber incidents

122
00:06:27.662 --> 00:06:31.590
by breaking them down into four main components,

123
00:06:31.590 --> 00:06:33.888
the adversary, infrastructure,

124
00:06:33.888 --> 00:06:36.690
capability, and victim.

125
00:06:36.690 --> 00:06:40.620
These components represented as points on a diamond

126
00:06:40.620 --> 00:06:44.308
are interconnected to provide a comprehensive view

127
00:06:44.308 --> 00:06:47.248
of an attack and the relationships

128
00:06:47.248 --> 00:06:50.520
between the components of an attack.

129
00:06:50.520 --> 00:06:53.280
The adversary represents the attacker,

130
00:06:53.280 --> 00:06:56.460
including their motivations and resources,

131
00:06:56.460 --> 00:06:59.161
while the infrastructure is the network tools

132
00:06:59.161 --> 00:07:02.880
that they use, like servers or phishing sites.

133
00:07:02.880 --> 00:07:06.690
Next, the capability includes the specific tactics

134
00:07:06.690 --> 00:07:10.320
and techniques used to carry out the attack.

135
00:07:10.320 --> 00:07:14.070
And finally, the victim is the targeted system,

136
00:07:14.070 --> 00:07:16.410
organization, or person.

137
00:07:16.410 --> 00:07:19.050
By connecting these core components,

138
00:07:19.050 --> 00:07:23.880
security analysts gain insights into how attackers progress

139
00:07:23.880 --> 00:07:28.023
and can identify points to strengthen defenses.

