📘Cisco Certified CyberOps Associate (200-201 CBROPS)
In cybersecurity, an intrusion is any unauthorized attempt to access, manipulate, or damage a network, system, or data. To defend against these intrusions effectively, cybersecurity professionals classify events into categories to understand how attacks happen and how to stop them.
Two commonly used models for this are:
- Cyber Kill Chain Model
- Diamond Model of Intrusion
1. Cyber Kill Chain Model
The Cyber Kill Chain was developed by Lockheed Martin to explain the stages of a cyberattack. It’s like a roadmap of an attack from start to finish. Knowing these stages helps security teams detect, prevent, and respond to intrusions.
The Kill Chain has 7 steps, and intrusion events can be classified depending on which step they belong to:
Stages of the Cyber Kill Chain
- Reconnaissance (Recon)
- The attacker gathers information about the target network or system.
- Examples of intrusion events:
- Network scans to discover open ports.
- Phishing emails to gather employee info.
- Weaponization
- The attacker prepares malicious tools to exploit vulnerabilities.
- Examples:
- Crafting malware or malicious scripts.
- Embedding malicious macros in documents.
- Delivery
- The attacker sends the weapon to the target.
- Examples:
- Email attachments with malware.
- Malicious URLs or drive-by downloads.
- Exploitation
- The attacker exploits a vulnerability to execute code or gain access.
- Examples:
- Exploiting unpatched software.
- Using weak passwords to gain access.
- Installation
- The attacker installs malware or backdoors to maintain access.
- Examples:
- Installing remote access tools (RATs).
- Dropping keyloggers or spyware.
- Command and Control (C2)
- The attacker establishes a channel to control the compromised system.
- Examples:
- Outbound connections to attacker’s server.
- Persistent beaconing traffic to communicate with malware.
- Actions on Objectives
- The attacker performs the ultimate goal, like stealing data or disrupting operations.
- Examples:
- Exfiltrating sensitive files.
- Encrypting data for ransom.
Key Point for Exam:
- Intrusion events can be categorized based on which step of the Kill Chain they belong to.
- This helps in detecting attacks early, ideally in Recon or Delivery stages, before damage happens.
2. Diamond Model of Intrusion
The Diamond Model looks at cyberattacks differently. It represents intrusions as a relationship between four core elements.
Four Core Elements of the Diamond Model
- Adversary (Attacker)
- The person, group, or organization conducting the attack.
- Capability (Tools/Methods)
- The tools, malware, exploits, or techniques the adversary uses.
- Infrastructure (Pathway)
- The systems or networks used to deliver the attack.
- Example: C2 servers, phishing servers, VPNs.
- Victim (Target)
- The person, system, or network being attacked.
Visualization: Think of a diamond with the four elements at the corners. Connections between them explain the attack flow.
Additional Concepts
- Event Analysis:
- Each intrusion event can be analyzed by mapping which adversary used what capability, through which infrastructure, targeting which victim.
- Meta-Features:
- The model also considers timestamp, severity, or location of events for deeper analysis.
Key Point for Exam:
- Unlike the Kill Chain (linear steps), the Diamond Model is relational, showing how attacker, tools, infrastructure, and target connect.
- Useful for linking multiple intrusion events to understand broader campaigns.
3. How These Models Help Classify Intrusion Events
| Model | Purpose | Event Classification Example |
|---|---|---|
| Cyber Kill Chain | Stage-based analysis | Recon: scanning; Delivery: phishing email; Exploitation: malware execution |
| Diamond Model | Relationship-based analysis | Adversary: Hacker X; Capability: RAT malware; Infrastructure: compromised server; Victim: HR database |
- Cyber Kill Chain → “Which step is this intrusion in?”
- Diamond Model → “Who did it, with what, through what, to whom?”
Tip for Exam:
- You may be asked to classify an intrusion event using one or both models. Focus on the stage (Kill Chain) and components (Diamond).
4. Quick Exam-Friendly Summary
- Cyber Kill Chain = 7 steps from attack start to goal.
- Diamond Model = 4 elements showing attacker-target relationships.
- Intrusion events can be classified using either model for better detection and response.
- Early detection is easier with these models, minimizing damage.
