3.1 Explain concepts related to attack methodology frameworks.
📘CompTIA CySA+ (CS0-003)
1. Core Concept of the Diamond Model
The Diamond Model represents an attack as a relationship between four main elements. These elements form a diamond shape:
🔷 The Four Core Features:
- Adversary
- Infrastructure
- Capability
- Victim
Each of these is equally important and connected.
2. The Four Core Features Explained
2.1 Adversary
The adversary is the attacker or threat actor responsible for the attack.
Key Points:
- Could be an individual hacker, a group, or an automated system
- May have different motivations (data theft, disruption, espionage)
- Often uses multiple tools and techniques
IT Example:
An attacker attempting to gain unauthorized access to a company server using stolen credentials.
2.2 Infrastructure
The infrastructure is what the attacker uses to carry out the attack.
Key Points:
- Includes servers, domains, IP addresses, and communication systems
- Often used to launch attacks or communicate with compromised systems
- Can include command-and-control (C2) servers
IT Example:
A remote server used to send malicious requests or control infected systems inside a network.
2.3 Capability
The capability refers to the tools, techniques, and methods used by the attacker.
Key Points:
- Includes malware, exploits, scripts, or attack techniques
- Defines how the attack is executed
- Can evolve over time as attackers improve methods
IT Example:
A malicious script that exploits a web server vulnerability to gain access.
2.4 Victim
The victim is the target of the attack.
Key Points:
- Could be a user, system, network, or organization
- Can include multiple victims in a single campaign
- Understanding the victim helps identify why the attack happened
IT Example:
A database server containing sensitive customer information.
3. How the Diamond Model Works
The model shows how all four elements are connected:
- The adversary uses infrastructure
- To deliver a capability
- Against a victim
This creates a complete picture of an attack.
Simple Flow:
Adversary → Infrastructure → Capability → Victim
4. Relationships in the Diamond Model
Each element in the diamond is connected to the others. Understanding these relationships helps analysts:
- Trace the origin of an attack
- Identify patterns across multiple incidents
- Predict future attacks
Example Relationships:
- Same adversary using different infrastructure
- Same capability used against multiple victims
- Same infrastructure reused in different attacks
5. Meta-Features (Additional Context)
Beyond the four core features, the model includes meta-features that provide extra details:
5.1 Timestamp
- When the attack occurred
- Helps build timelines
5.2 Phase
- Stage of the attack (reconnaissance, exploitation, etc.)
- Aligns with attack lifecycle models
5.3 Result
- Outcome of the attack (success, failure, partial success)
5.4 Direction
- Shows how the attack flows (from attacker to victim)
5.5 Methodology
- Describes how the attack was carried out
6. Pivoting (Very Important for Exam)
Pivoting is a key concept in the Diamond Model.
What is Pivoting?
- Moving from one piece of information to another related piece
- Helps expand the investigation
How It Works:
- Start with one element (e.g., IP address)
- Find related elements (domain, malware, attacker)
- Continue expanding the investigation
IT Example:
- Analyst detects a suspicious IP address
- Finds that IP is linked to a known malicious domain
- That domain is associated with a specific malware family
- That malware is used by a known attacker group
This process helps build a full attack picture.
7. Activity Threads
An activity thread is a sequence of related attack events.
Key Points:
- Shows how an attack progresses over time
- Links multiple diamond events together
- Helps understand the full attack lifecycle
IT Example:
- Initial login attempt → privilege escalation → data exfiltration
8. Event vs. Activity
Event:
- A single occurrence (e.g., one login attempt)
Activity:
- A series of related events forming a complete attack
9. Advantages of the Diamond Model
- Provides a structured way to analyze attacks
- Helps in correlating multiple incidents
- Improves threat intelligence sharing
- Supports faster detection and response
- Helps identify attacker patterns and behaviors
10. How It Is Used in IT Environments
Security teams use the Diamond Model in:
10.1 Security Operations Center (SOC)
- Analyze alerts and incidents
- Correlate logs and detect patterns
10.2 Threat Intelligence
- Track attacker groups and campaigns
- Share intelligence across organizations
10.3 Incident Response
- Investigate breaches
- Identify attack sources and methods
10.4 Vulnerability Management
- Understand how vulnerabilities are exploited
- Prioritize patching based on attacker behavior
11. Exam Tips (Very Important)
- Remember the four core features:
- Adversary
- Infrastructure
- Capability
- Victim
- Understand how they are connected
- Know what pivoting means and why it is important
- Be able to distinguish between:
- Event vs Activity
- Capability vs Infrastructure
- Understand how the model helps in:
- Threat analysis
- Incident investigation
12. Quick Summary
The Diamond Model of Intrusion Analysis helps break down cyberattacks into four key parts:
- Adversary (who is attacking)
- Infrastructure (what they use)
- Capability (how they attack)
- Victim (who is targeted)
By connecting these elements and using techniques like pivoting, security professionals can better understand, detect, and respond to cyber threats.
