Diamond Model Overview Flashcards
Diamond Model
- Systematic method to analyze events in a repeatable way so that threats can be organized, tracked, sorted, and countered.
- It is a framework by which a SOC team can organize and verify intelligence on advanced persistent threats (APTs) and then use that knowledge to thwart adversaries.
- Typically, an adversary uses a capability over infrastructure to attack a victim; each such intrusion event is one "diamond" with these four vertices.
Adversary
• The entity responsible for conducting an intrusion.
Capability
• A tool or technique that the attacker may use in an event.
Victim
• The target of the attacker.
Infrastructure
• The physical or logical communication nodes the attacker uses to deliver a capability, establish and maintain command and control, and move results (for example, exfiltrated data) back out.
Type 1 Infrastructure
• Owned and controlled by the adversary.
Type 2 Infrastructure
- Co-opted by the adversary but owned by a third party, which may or may not know the adversary is using it.
- The true identity of the adversary is obfuscated.
- The attacker gains access solely to "hop" through it during an attack.
- To the target, the attacker appears to come from the intermediary "hop", which cloaks the attacker's true identity.
Service providers
• Provide Type 1 and Type 2 infrastructure, knowingly or unknowingly; includes ISPs.
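The four vertices above are what an analyst pivots on: start from one known feature of an event and find the others. The script below is an added example (not part of the original flashcards) that models events as diamonds and shows the pivot, plus the Type 1 / Type 2 distinction in practice: sharing an adversary-owned (Type 1) node is treated as evidence of the same operator, while a co-opted (Type 2) hop is never used to link or attribute events, because unrelated actors can hop through the same third-party box. All event data, hostnames and addresses are constructed for illustration.

```python
"""Diamond Model pivoting (added example; constructed data, not a real case)."""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Infrastructure:
    node: str   # IP, domain or host name
    kind: int   # 1 = owned by the adversary, 2 = co-opted third-party node


@dataclass(frozen=True)
class DiamondEvent:
    ts: int               # constructed timestamp, used only for ordering
    adversary: str        # "unknown" until attribution links it
    capability: str
    infrastructure: Infrastructure
    victim: str


# Constructed sample events (illustrative names and addresses).
EVENTS = [
    DiamondEvent(1, "unknown", "exploit-kit landing page",
                 Infrastructure("198.51.100.10", 1), "victim-a.example"),
    DiamondEvent(2, "unknown", "ransomware dropper",
                 Infrastructure("c2.example.net", 1), "victim-a.example"),
    DiamondEvent(3, "unknown", "ransomware dropper",
                 Infrastructure("c2.example.net", 1), "victim-b.example"),
    DiamondEvent(4, "unknown", "credential phishing",
                 Infrastructure("hacked-blog.example.org", 2), "victim-c.example"),
    DiamondEvent(5, "unknown", "exfil tool",
                 Infrastructure("hacked-blog.example.org", 2), "victim-b.example"),
]


def _feature_value(ev, feature):
    value = getattr(ev, feature)
    return value.node if isinstance(value, Infrastructure) else value


def pivot(events, feature, value):
    """The analyst's pivot: all events sharing one core-feature value."""
    return [ev for ev in events if _feature_value(ev, feature) == value]


def cluster_by_type1(events):
    """Map each adversary-owned (Type 1) node to the victims reached through it.

    Type 2 nodes are deliberately skipped: a co-opted hop may be shared by
    unrelated actors, so it does not by itself tie two events to one operator.
    """
    clusters = defaultdict(set)
    for ev in events:
        if ev.infrastructure.kind == 1:
            clusters[ev.infrastructure.node].add(ev.victim)
    return dict(clusters)


def activity_thread(events, victim):
    """Capabilities used against one victim, in time order."""
    return [ev.capability for ev in sorted(events, key=lambda e: e.ts)
            if ev.victim == victim]


def attribute(events, adversary, type1_node):
    """Propagate an attribution to every event that used a given Type 1 node.

    Returns a new list (events are frozen). Events whose only link is a Type 2
    hop are left as "unknown".
    """
    out = []
    for ev in events:
        infra = ev.infrastructure
        if infra.kind == 1 and infra.node == type1_node and ev.adversary == "unknown":
            ev = replace(ev, adversary=adversary)
        out.append(ev)
    return out


if __name__ == "__main__":
    print(cluster_by_type1(EVENTS))
    print(activity_thread(EVENTS, "victim-b.example"))
    linked = attribute(EVENTS, "GROUP-X", "c2.example.net")
    print([ev.victim for ev in pivot(linked, "adversary", "GROUP-X")])
```

Pivoting on the co-opted host `hacked-blog.example.org` still returns both events that used it, which is useful for scoping, but `attribute` refuses to name an adversary through it; that is the operational consequence of the Type 2 definition above.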
Exploit Kits
- Sets of tools used to gain access to a targeted host.
- Usually automated, and target client-side vulnerabilities (browsers and their plugins).
- Usually easy to obtain and use.
- Serve as the launching pad to deliver a payload.
Neutrino
• Targets the Java Runtime Environment and drops ransomware on target systems.
Magnitude
• Commonly used to drop ransomware on target systems.
Angler
• Very versatile, with a robust toolkit.
Nuclear
• Largely targets Adobe Flash vulnerabilities, and largely evades AV detection.