Any intrusion into a network calls for a thorough analysis to give security teams cyber intelligence about different threats and to help thwart similar future attacks.
Effective incident analysis has long been held back by uncertainty and high false positive rates in intrusion detection systems that lead to slow threat mitigation.
The diamond model of intrusion analysis brings efficient, effective, and accurate analysis of incidents that companies and security teams have long lacked.
Here's a quick guide to give you the lowdown on the model.
The diamond model organizes the key aspects of malicious activity into the shape of a diamond, which is visually memorable, easy to understand, and symbolizes the relationship between these key aspects.
Underneath the clear image of a diamond is a more complex mathematical relationship that explains the model via game theory and other fields of math.
The diamond model defines an event as the central element necessary for four key aspects of malicious activity to occur.
Any event in the model is a time-bound activity restricted to a specific phase where 1) an adversary uses 2) a capability over 3) infrastructure against 4) a victim with a given result.
Because knowledge of each feature depends on further analysis and on the quality of the data sources, the diamond model requires analysts to attach a confidence value to each event feature: an estimate of how confident they are in the accuracy of that assessment.
At the time of initially discovering any intrusion event, it's unlikely you know who the adversary is.
The model states that a victim doesn't always need to be a person or company; it could be an email address or a domain.
Each event also has so-called meta-features that are useful for higher-order intrusion analysis and grouping.
Timestamp: the date or time at which an event occurred.
Phase: one of the model's axioms states that any malicious activity requires two or more phases carried out in succession to achieve the adversary's intended result.
Resources: another axiom in the diamond model of intrusion analysis is that any intrusion event requires one or more external resources to succeed.
This list of meta-features is non-exhaustive; your company can adapt the model to incorporate additional event meta-features based on your needs, resources, and industry-specific cyber threats.
The diamond model of intrusion analysis is a valuable tool for any security analyst focused on threat intelligence.
This model allows those tasked with generating cyber threat intelligence to quickly analyze large amounts of incoming data and establish clear linkages between various pieces of threat information.
The diamond model also helps to identify intelligence gaps and lays the groundwork for the development of cyber taxonomies, ontologies, threat intelligence exchange protocols, and knowledge management.
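As an added example that is not part of the original article: a minimal Python representation of a diamond event with its four core features, per-feature confidence values and meta-features, plus helpers that pivot across events on a shared feature value, list unknown or low-confidence features as intelligence gaps, and order one victim's events into a phase sequence. The sample events, domain names, addresses and the adversary label are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The four core features of a diamond event; an unknown value stays None rather than a guess.
CORE = ("adversary", "capability", "infrastructure", "victim")


@dataclass
class DiamondEvent:
    timestamp: str                         # meta-feature: when the event occurred
    phase: str                             # meta-feature: phase of the activity
    features: Dict[str, Optional[str]]     # core features, None when not yet known
    confidence: Dict[str, float]           # analyst confidence per feature, 0.0..1.0
    result: str = "unknown"                # meta-feature: outcome of the event
    resources: List[str] = field(default_factory=list)  # meta-feature: external resources


def pivot(events: List[DiamondEvent], feature: str, value: str) -> List[DiamondEvent]:
    """Return the events that share one core-feature value (e.g. the same C2 domain)."""
    return [e for e in events if e.features.get(feature) == value]


def intelligence_gaps(event: DiamondEvent, threshold: float = 0.5) -> List[str]:
    """Core features that are unknown or asserted below the confidence threshold."""
    return [f for f in CORE
            if event.features.get(f) is None or event.confidence.get(f, 0.0) < threshold]


def activity_thread(events: List[DiamondEvent]) -> List[str]:
    """Order a victim's events by timestamp and return the resulting phase sequence."""
    return [e.phase for e in sorted(events, key=lambda e: e.timestamp)]


# Constructed sample events (placeholder indicators, not real ones).
EVENTS = [
    DiamondEvent("2024-01-03T09:00:00Z", "delivery",
                 {"adversary": None, "capability": "phishing email with macro document",
                  "infrastructure": "mail-relay.example", "victim": "user@corp.example"},
                 {"capability": 0.9, "infrastructure": 0.8, "victim": 0.95}),
    DiamondEvent("2024-01-03T09:12:00Z", "command-and-control",
                 {"adversary": None, "capability": "loader beacon",
                  "infrastructure": "c2.example", "victim": "user@corp.example"},
                 {"capability": 0.7, "infrastructure": 0.85, "victim": 0.95}),
    DiamondEvent("2024-01-05T14:30:00Z", "command-and-control",
                 {"adversary": "Group-X (assumed label)", "capability": "loader beacon",
                  "infrastructure": "c2.example", "victim": "finance@corp.example"},
                 {"adversary": 0.4, "capability": 0.7, "infrastructure": 0.85, "victim": 0.95}),
]
```

Pivoting on the shared infrastructure value links the two command-and-control events to a second victim, while the adversary feature remains an intelligence gap because it is either unknown or held at low confidence.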
While it is a highly effective tool for threat intelligence analysts seeking to stay ahead of evolving cyber threats, bear in mind that like any model or tool, it comes with its limitations.
If your company decides to adopt the diamond model of intrusion analysis, it's worth complementing this analysis with other external sources of cyber threat intelligence.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 03 Jan 2024 15:43:04 +0000