How to use the MITRE ATT&CK® framework and diamond model of intrusion analysis together
What is the diamond model of intrusion analysis?
The Diamond Model of Intrusion Analysis is based upon the premise that every cyberattack consists of an adversary using some capability over infrastructure to attack their victim. These four main features of an attack (adversary, capability, infrastructure and victim) are the vertices of the diamond that gives this model its name.
Imagine an image that shows the Diamond Model. The edges between the four vertices describe relationships between them. For example, there are direct relationships between an adversary’s infrastructure and the victim because the adversary uses their infrastructure to attack the victim. However, in most cases, an adversary and victim never interact directly, so these vertices are not linked.
Beyond the four main features are defined six meta-features that should exist in every event that occurs on a victim’s systems as part of a cyberattack. These provide more context and information about a particular event. During an investigation, certain features and meta-features may be initially unknown, and the attempt to fill these gaps is what drives and guides the investigation.
The Diamond Model’s goal is to help analysts identify a set of events that occurred on their systems. These events can then be organized temporally into “activity threads” that can be compared to identify attacker campaigns.
What are the differences between the diamond model of intrusion analysis and the MITRE ATT&CK framework?
The MITRE ATT&CK ® framework and the Diamond Model of Intrusion Analysis both provide useful tools for analyzing a cybersecurity incident. However, they differ significantly in their goals:
- Diamond Model: The Diamond Model provides a framework and process for identifying groups of related events on an organization’s systems. By identifying events and linking them into activity threads, an analyst gains information regarding what occurred during an attack. By looking at the gaps in their knowledge (i.e. missing features), the analyst identifies where further information is needed.
- MITRE ATT&CK: The MITRE ATT&CK framework outlines the various ways in which an attacker can achieve a particular objective (the Tactics in the various MITRE ATT&CK matrices). This makes it useful for ensuring that incident response and forensic investigation activities are comprehensive and decreases the probability that crucial evidence is overlooked.
What are the similarities between the diamond model of intrusion analysis and the MITRE ATT&CK framework?
The Diamond Model of Intrusion Analysis and the MITRE ATT&CK framework are similar in that they both provide tools and techniques for analyzing a cyberattack.
One major area of overlap is the Capabilities section of the Diamond Model and the MITRE ATT&CK framework. MITRE ATT&CK’s primary purpose is to outline different ways in which an attacker can achieve particular objectives in the cyber attack lifecycle. The methods by which an attacker can and does accomplish these objectives provides hints regarding their capabilities.
How to use the diamond model of intrusion analysis and the MITRE ATT&CK framework to analyze adversary capabilities
MITRE ATT&CK and the Diamond Model are both very focused on the capabilities of an attacker. The reason for this is that capabilities are likely the most unchanging attributes about a particular threat actor.
For example, the Diamond Model also discusses infrastructure, which can be used to link different attack campaigns together and to a particular adversary. However, this infrastructure can also be easily replaced and can present false positives (due to the fact that multiple distinct actors can use the same infrastructure), making it a less than ideal tool for attribution.
An attacker’s capabilities, on the other hand, require significant investment to build and are likely more unchanging. After development of a custom piece of malware, a threat actor is likely to use it across multiple campaigns, providing a more reliable basis for attribution.
This allows the MITRE ATT&CK framework and the Diamond Model to complement each other. The Diamond Model asks the question “What capabilities does an attacker have?”. The MITRE ATT&CK framework provides a list of potential capabilities that an organization could look for in a particular attack. Based upon the capabilities discovered to be used in the attack, it may be possible to identify the adversary with a high probability of a correct attribution (the potential for false flag operations means that no attribution is ever certain).
The MITRE ATT&CK and Diamond Model cyber frameworks are designed to serve different purposes. However, they are complementary and can be used together to improve analysis of a cybersecurity incident.