
The Diamond Model of Intrusion Analysis

Updated Feb 11, 2026

While the Cyber Kill Chain focuses on the stages of an attack, and MITRE ATT&CK focuses on the behaviors, the Diamond Model focuses on the relationships.


It is a mathematical approach to cyber threat intelligence (CTI): each intrusion event is visualized as a diamond with four vertices connected by edges.

The Four Vertices

  1. Adversary: The bad actor (Who?). This could be a "script kiddie" or a sophisticated APT group.
  2. Capability: The tools and techniques (How?). This maps directly to TTPs, e.g. a specific exploit kit or malware variant.
  3. Infrastructure: The physical or logical structures used (Where?). This maps to IOCs such as IP addresses, domains, and command-and-control (C2) servers.
  4. Victim: The target (Who got hit?). This includes the persona, network assets, or email addresses targeted.

The Power of Pivoting

The true strength of this model is pivoting. Analysts use one known vertex to discover unknown vertices.

  • Scenario: You detect a specific malware hash (Capability) on a laptop (Victim).
  • Pivot 1: You analyze the malware and find it connects to a specific domain (Infrastructure).
  • Pivot 2: You research that domain in your Threat Intelligence Platform and see it is registered by an email address associated with Fancy Bear (Adversary).

By moving around the diamond, you turn a single alert into a full attribution and understand the broader campaign.
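The pivot chain above, implemented over a small event store, as an added example that is not part of the original article. Each record is a Diamond event with only the vertices a given source (EDR alert, sandbox report, threat intelligence platform lookup) actually filled in; the pivot function starts from one known vertex value and follows every event that shares it until no new vertex values appear. The hash, domain and adversary records are constructed placeholders, not real indicators; the event IDs and source labels are assumptions for the example.

```python
"""Diamond Model pivoting over a small, constructed event store (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

VERTICES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    source: str                      # which system produced the record (assumed labels)
    adversary: Optional[str] = None  # None means this vertex is not yet known for the event
    capability: Optional[str] = None
    infrastructure: Optional[str] = None
    victim: Optional[str] = None

    def known(self) -> List[Tuple[str, str]]:
        """Return the (vertex, value) pairs this event actually fills in."""
        return [(v, getattr(self, v)) for v in VERTICES if getattr(self, v) is not None]


# Constructed sample records. The hash and domain are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    # The alert: a malware hash (Capability) seen on a laptop (Victim)
    DiamondEvent("ev-1", "edr-alert",
                 capability="sha256:c0ffee0000", victim="laptop-042"),
    # Pivot 1: sandbox analysis shows the sample beaconing to a domain (Infrastructure)
    DiamondEvent("ev-2", "sandbox-report",
                 capability="sha256:c0ffee0000", infrastructure="c2.example.invalid"),
    # Pivot 2: the TIP ties the domain's registrant to a known actor (Adversary)
    DiamondEvent("ev-3", "tip-whois",
                 infrastructure="c2.example.invalid", adversary="Fancy Bear"),
    # An unrelated alert that shares no vertex value and must not be pulled in
    DiamondEvent("ev-4", "edr-alert",
                 capability="sha256:d00d0000", victim="server-007"),
]


def build_index(events: List[DiamondEvent]) -> Dict[Tuple[str, str], List[DiamondEvent]]:
    """Map every known (vertex, value) pair to the events that carry it."""
    index: Dict[Tuple[str, str], List[DiamondEvent]] = {}
    for ev in events:
        for key in ev.known():
            index.setdefault(key, []).append(ev)
    return index


def pivot(events: List[DiamondEvent], start_vertex: str, start_value: str):
    """
    Breadth-first pivot around the diamond. From one known vertex value, visit every
    event sharing it, collect the other vertices those events reveal, and continue
    until nothing new appears. Returns (merged_diamond, pivot_path): merged_diamond
    maps each vertex to the set of values discovered; pivot_path lists each hop as
    (event_id, from_vertex, from_value, to_vertex, to_value).
    """
    index = build_index(events)
    diamond: Dict[str, Set[str]] = {v: set() for v in VERTICES}
    path: List[Tuple[str, str, str, str, str]] = []
    queue = deque([(start_vertex, start_value)])
    seen = {(start_vertex, start_value)}
    diamond[start_vertex].add(start_value)
    while queue:
        vertex, value = queue.popleft()
        for ev in index.get((vertex, value), []):
            for to_vertex, to_value in ev.known():
                if (to_vertex, to_value) in seen:
                    continue
                seen.add((to_vertex, to_value))
                diamond[to_vertex].add(to_value)
                path.append((ev.event_id, vertex, value, to_vertex, to_value))
                queue.append((to_vertex, to_value))
    return diamond, path


if __name__ == "__main__":
    merged, hops = pivot(SAMPLE_EVENTS, "capability", "sha256:c0ffee0000")
    for hop in hops:
        print("%s: %s=%s -> %s=%s" % hop)
    for vertex in VERTICES:
        print(f"{vertex:15s} {sorted(merged[vertex])}")
```

Starting from the hash alone, the walk fills in the victim, the C2 domain and the adversary in three hops while leaving `ev-4` untouched. The same mechanism is also where pivoting goes wrong in practice: a value shared by unrelated activity (a CDN address, a commodity loader hash) would merge unrelated events into one diamond, so the index should only be fed vertex values whose confidence justifies linking on them.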
