Understanding the Diamond Model for Intrusion Analysis: A Comprehensive Overview
Introduction
In this video, experts Sergio and Kelly introduce the Diamond Model, an analytic methodology designed for intrusion analysis. They discuss its structure, practical applications, and how it can enhance day-to-day analysis for threat intelligence analysts and incident responders. For a deeper understanding of how this model fits into broader incident response strategies, check out our Comprehensive Overview of Incident Response and Handling in CCNA Cyber Ops.
What is the Diamond Model?
- Definition: The Diamond Model is an analytic framework that helps analysts understand the relationships between adversaries, their capabilities, the infrastructure they use, and the victims they target.
- Structure: The model consists of four nodes: Adversary, Capabilities, Infrastructure, and Victim. Each node plays a crucial role in characterizing and tracking intrusion events.
- Purpose: It aids in uncovering unknowns during investigations and helps analysts develop strategies to counter adversaries. For insights into how this model can be applied in real-world scenarios, refer to our summary on Understanding Advanced Threat Detection: Insights from F-Secure's Cybersecurity Webinar.
Historical Context
- Developed in 2006 to address organized threats affecting commercial entities.
- Widely adopted in both government and commercial sectors, influencing emerging cyber ontologies and standards.
Practical Use Cases
- Ad Hoc Analysis: Analysts can collaborate and design models to track and characterize threats. For more on incident detection techniques, see our Comprehensive Overview of Incident Detection and Analysis.
- Activity Threads: Linking events in a causal relationship to understand the sequence of attacks.
- Advanced Applications: Integrating the Diamond Model with frameworks like MITRE ATT&CK to enhance threat modeling and risk assessments.
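To make activity threads and grouping functions concrete, here is an added Python example (not code from the video, Dragos or ThreatConnect) that records Diamond events with their meta-features, builds a causally ordered activity thread, links two threads horizontally with analyst confidence weights, and applies two different grouping functions, by who and by how. Every event, feature tag, hash and address in it is a constructed placeholder.

```python
"""Diamond Model events, activity threads and grouping functions. Added example, not code
from the video, Dragos or ThreatConnect; every event, hash and address below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Hashable, List, Set, Tuple

# Kill-chain phases in causal order; the talk maps the "phase" meta-feature onto these.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

@dataclass(frozen=True)
class Event:
    """One Diamond event: the four core features plus the meta-features the talk lists."""
    event_id: str
    incident: str        # the activity thread (incident) this event belongs to
    adversary: str       # persona, or "unknown" when that corner of the diamond is a gap
    capability: str      # malware, exploit, hacker tool, stolen certificate
    infrastructure: str  # IP address, domain or email address used to deliver it
    victim: str          # targeted persona or network asset
    timestamp: int       # constructed ordering value (seconds)
    phase: str           # one of PHASES
    result: str          # "success", "failure" or "unknown"
    direction: str       # "I2V" infrastructure-to-victim, "V2I" victim-to-infrastructure, ...
    features: FrozenSet[str] = frozenset()  # pivotable tags: "ttp:", "hash:", "c2:", "email:"

def build_thread(events: List[Event], incident: str) -> List[Event]:
    """Vertical (causal) linking: order one incident's events by time and require that the
    kill-chain phase never moves backwards, since each event must precede the next."""
    thread = sorted((e for e in events if e.incident == incident), key=lambda e: e.timestamp)
    for earlier, later in zip(thread, thread[1:]):
        if PHASES.index(later.phase) < PHASES.index(earlier.phase):
            raise ValueError(f"{later.event_id} ({later.phase}) cannot causally follow "
                             f"{earlier.event_id} ({earlier.phase})")
    return thread

def horizontal_links(a: List[Event], b: List[Event],
                     weights: Dict[str, float]) -> List[Tuple[str, str, float]]:
    """Horizontal linking: pair same-phase events of two threads that share features.
    Confidence is the sum of the analyst's per-feature-kind weights, capped at 1.0."""
    links: List[Tuple[str, str, float]] = []
    for ea in a:
        for eb in b:
            shared = ea.features & eb.features
            if ea.phase == eb.phase and shared:
                confidence = min(1.0, sum(weights.get(f.split(":")[0], 0.0) for f in shared))
                links.append((ea.event_id, eb.event_id, round(confidence, 2)))
    return links

def group_events(events: List[Event],
                 grouping: Callable[[Event], Hashable]) -> Dict[Hashable, Set[str]]:
    """Activity groups: the grouping function selects features, and events whose selected
    features match land in the same group. Change the function and the groups change."""
    groups: Dict[Hashable, Set[str]] = {}
    for e in events:
        groups.setdefault(grouping(e), set()).add(e.event_id)
    return groups

def by_who(e: Event) -> Hashable:
    """Attribution-style grouping: everything hangs on the adversary persona."""
    return e.adversary

def by_how(e: Event) -> Hashable:
    """'How' grouping as described for Dragos: capability plus TTP tags, attribution ignored."""
    return (e.capability, frozenset(f for f in e.features if f.startswith("ttp:")))

# Constructed sample: INC-1 and INC-2 look alike "by how" but differ "by who"; INC-3 is
# mis-recorded, with its C2 event timestamped before its delivery event.
SAMPLE: List[Event] = [
    Event("E1", "INC-1", "unknown", "exploit-laden attachment", "sender@example.com",
          "victim-a@example.org", 100, "delivery", "success", "I2V",
          frozenset({"ttp:phishing", "email:sender@example.com"})),
    Event("E2", "INC-1", "unknown", "backdoor installer", "sender@example.com", "host-a",
          130, "installation", "success", "I2V", frozenset({"hash:placeholder-sha256-1"})),
    Event("E3", "INC-1", "unknown", "backdoor beacon", "c2-ip-placeholder-1", "host-a",
          160, "command_and_control", "success", "V2I",
          frozenset({"ttp:http-post-beacon", "c2:c2-ip-placeholder-1"})),
    Event("E4", "INC-2", "group-placeholder", "exploit-laden attachment", "other@example.com",
          "victim-b@example.org", 200, "delivery", "success", "I2V",
          frozenset({"ttp:phishing", "email:other@example.com"})),
    Event("E5", "INC-2", "group-placeholder", "backdoor installer", "other@example.com",
          "host-b", 230, "installation", "failure", "I2V", frozenset({"hash:placeholder-sha256-1"})),
    Event("E6", "INC-2", "group-placeholder", "backdoor beacon", "c2-ip-placeholder-2",
          "host-b", 260, "command_and_control", "failure", "V2I",
          frozenset({"ttp:http-post-beacon", "c2:c2-ip-placeholder-2"})),
    Event("E7", "INC-3", "unknown", "backdoor beacon", "c2-ip-placeholder-1", "host-c",
          300, "command_and_control", "unknown", "V2I", frozenset()),
    Event("E8", "INC-3", "unknown", "exploit-laden attachment", "sender@example.com", "host-c",
          310, "delivery", "unknown", "I2V", frozenset({"ttp:phishing"})),
]

# Analyst confidence per feature kind: a shared sample hash says more than a shared TTP.
WEIGHTS: Dict[str, float] = {"hash": 0.6, "c2": 0.5, "email": 0.4, "ttp": 0.3}

if __name__ == "__main__":
    one, two = build_thread(SAMPLE, "INC-1"), build_thread(SAMPLE, "INC-2")
    print(" -> ".join(f"{e.event_id}:{e.phase}" for e in one))
    print(horizontal_links(one, two, WEIGHTS))
    print("by who:", group_events(SAMPLE, by_who))
    print("by how:", group_events(SAMPLE, by_how))
```

Calling build_thread on INC-3 raises ValueError, which is the causal check rejecting a thread whose command-and-control event is recorded before its delivery event.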
Real-World Application
- The video includes a case study using Dragos WorldView intelligence, demonstrating how to track and analyze a specific intrusion event involving a tool called GU door. Analysts are encouraged to pivot through various data sources to gather intelligence and make informed decisions about remediation strategies. For a closer look at the role of digital forensics in such investigations, check out our summary on Understanding the Role of a Digital Forensics Investigator.
Conclusion
The Diamond Model serves as a foundational tool for understanding and analyzing cyber threats. It allows analysts to ask critical questions about adversaries and their methods, ultimately improving decision-making in cybersecurity operations.
FAQs
- What is the Diamond Model?
  The Diamond Model is an analytic framework for understanding the relationships between adversaries, their capabilities, the infrastructure they use, and the victims they target in intrusion analysis.
- How is the Diamond Model structured?
  It consists of four nodes: Adversary, Capabilities, Infrastructure, and Victim, which help analysts track and characterize intrusion events.
- What are practical applications of the Diamond Model?
  It can be used for ad hoc analysis, linking events in a causal relationship, and integrating with frameworks like MITRE ATT&CK for enhanced threat modeling.
- How does the Diamond Model help in incident response?
  It aids analysts in uncovering unknowns during investigations and developing strategies to counter adversaries effectively.
- Can the Diamond Model be adapted for future threats?
  While the model itself may not need adaptation, the ability to pivot from one feature to another may change due to evolving adversary tactics and regulations.
- What is the significance of activity threads in the Diamond Model?
  Activity threads link events in a causal relationship, helping analysts understand the sequence of attacks and the connections between different incidents.
- How can organizations implement the Diamond Model?
  Organizations can adopt the Diamond Model by training their analysts, integrating it with existing threat intelligence frameworks, and using it to inform their cybersecurity strategies.
So I am very pleased today to be joined by my good friend and often colleague Sergio, as well as Kelly. We'll be walking through an introduction of the diamond, we'll discuss some practical use cases, both beginning and advanced. So if this is the first time you've ever heard of the diamond model, hopefully from the introduction you'll be able to leave today with some practical things that you can start doing in your day-to-day analysis, and then third we'll walk through a real use case using Dragos WorldView intelligence as it's integrated into our ThreatConnect platform.

So right off, what is the diamond model? Often this is actually confused as we talk with folks. It is an analytic methodology for intrusion analysis. It's meant to guide analysts as they're investigating an intrusion, or even pre- or post-intrusion, to better understand the capabilities and infrastructure and how a given adversary, or just a group of activity, is clumped together, clustered together, against a victim or group of victims. As you can see, it's named the diamond because of the structure here: there are four nodes on a graph, capabilities, infrastructure, victim and then finally adversary. We'll talk more about each of these as they help analysts discover, develop, track, group and hopefully counter, or place themselves to counter, given adversaries. It's used day to day by threat intelligence analysts, and also by incident responders and risk mitigation planners.

So a little bit of background: how did we come up with the diamond? Going way back to 2006, in a building with not very many windows, Sergio, Chris and I needed a way to characterize organized threats that we were seeing affect lots and lots and increasing numbers of commercial entities, track those threats as they evolve, and then sort them out from one another to better understand what the capabilities and intent were, and ultimately figure out ways that we could prevent activity from them or counter what they were doing. And I'll also state, given here, I can't resist, that Sergio and Chris are really the real heroes here, hence the Captain America and Iron Man. No one really knows where Captain America is right now; he never worked this fine, I think he's already somewhere in a condo. Yeah, exactly, I think he's missing in action right now, probably busy fighting many adversaries. That's right.

Okay, so current usage. Cognitive model: this means that ad hoc, as you're going through analysis, you can collaborate, design a model, and that's something that we train, or other groups train; it's been taught within the government and military for probably the better part of, or even over, a decade now, but also within commercial space, so thousands of folks have been exposed to and used the diamond model. It has been used as a foundational concept for emerging cyber ontologies and standards such as STIX and even ATT&CK as well. And then formally it is a set- and graph-theory-based model that we've used within our ThreatConnect platform, and I'm sure others have used
this too. Okay, so let's take a walk through the diamond itself. Starting at the top here with the adversary, and hopefully as we go through these they will be somewhat common sense or easy to understand. The adversary is typically a persona, or maybe a group of personas, that seek to do harm or otherwise intrude on victim networks. They can be characterized by their actual persona, who they are, but also features such as their email addresses, handles, phone numbers; these are pivotable, and you can understand or link different, disparate activity based on the deep footprints that they leave about their own persona.

Next the capabilities. These are a very broad spectrum: malware, the exploits that enable that, and hacker tools that they might use once they've penetrated a network, or other things such as stolen certs.

Over on the infrastructure side, this is typically the Internet-based infrastructure leveraged to deliver capabilities or carry out attacks, and so these consist of, but are not limited to, IP addresses, domains, email addresses, etc.

And then finally the victim, and this can be characterized similarly to the adversary: by their personas themselves, the networking assets that are targeted, or email addresses that are targeted.

As we work through these, we expect that on any given event that carries out some capability over some infrastructure delivered to a victim there will be unknowns. Part of the purpose of the methodology being developed is so that you can help uncover those unknowns; we're going to predict areas where you don't have full knowledge of an attack.

There are also meta-features within the diamond that help characterize a given event as it is carried out by an adversary or some adversary. These include timestamps; the phase of a given intrusion, which is pretty easily translated into the kill chain; the result, whether this was a success or failure, which allows, if you actually stopped or the adversary failed in some portion of an intrusion, you to track that as well, and that's great for measuring COA effectiveness; and the direction of a given activity. These are abbreviated here, but it could be infrastructure to victim, I to I, infrastructure to adversary, adversary to infrastructure. This is also helpful for keeping track of pivots that you're making across diamond capabilities or infrastructure. The class of activity: is this a phishing attack, is this a watering hole attack, etc. And then, probably more obscure, the resources needed to be able to carry out the activity. This may be the case if it looks like this is a custom-developed exploit that may have taken months; you can begin to infer some resources that would be needed in the background prior to the attack in order to develop the capability itself or to host the infrastructure over time.

Okay, next, kind of moving into a slightly more advanced but also very practical use of the diamond, and this complements the kill chain almost one for one, where activity threads can describe a given incident in a vertical means. This is linking diamond events to each other in a causal relationship that is time-based: one event must occur before the next occurs, and I can move down through the phases of the kill chain. Then we can use horizontal linking to link similar incidents to each other. So in this case, in incident one the same tool was used as in incident two, or the delivery mechanism was also the same or similar, so those linkages can occur and can be weighted by confidence, especially across horizontal or vertical links. This creates the foundation of some other uses of the diamond that you'll see here in creating activity groups.

Next, it's also really useful to note here that MITRE's ATT&CK really adds a whole new capability, because they have created a codified means of characterizing TTPs, or tactics, techniques and procedures. It presents another way, or another element, to link incidents together, as well as another pivot point for driving investigations. These activity threads aren't limited to just one incident; you can look at these in the context of campaigns or grouping malware families or victim clusters.
Sergio, do you have anything here, or should I keep on going? Yeah, I think the fundamental thing that we're trying to get to from the diamond model perspective, and it's always for everybody to keep in their mind, is that it's always about helping the analyst find that next step, the next unknown. Being an analyst is a lot like Hansel and Gretel in the woods, right? You follow a breadcrumb trail hoping that the crumbs don't end at some point, but when they do, what now? Do we keep going straight, do we turn left? That house with candy on it looks really inviting; what do we do here? And the diamond model is really to help analysts build this model and picture in their mind of how an adversary is operating, not only against them but against the world of other victims. And so these threads are fundamentally the linkages in your mind of how things belong together: what belongs together? Because then you can get to the question of, okay, well, if these things belong together, what comes before or what comes after? And you can start asking and interrogating your data, as was said a lot better. So fundamentally these threads are about getting to the fundamental relationships of it all and then figuring out, well, what is the next best question I can ask? Because you can hit a black hole, or a hard rock, pretty quickly in analysis.

Cool. I'm previewing the questions here; I think we'll hold on towards the end, but there's some big ones coming in. So, activity groups. To me this is, once you want to move beyond the basic pivoting functionality of the diamond, activity groups really become one of the core tenets of defining what a given set of activity is in terms of specific feature selection. And when we talk about feature selection, these are looking at specific capabilities or specific infrastructure or specific TTPs or attack patterns used either within a given time frame or as they've evolved over time. Defining activity groups, I think there's been lots of debate within threat intelligence communities, and sometimes it's a little bit of navel-gazing, but, you know, is this APT28 or is this APT29? I think that activity groups, and in particular grouping functions, give a scientific means for determining that based on defined features, with confidence weights on whether or not this activity belongs in group A or this activity belongs in group B. I will say also, while the diamond is commonly used for determining attribution, or helping to sort out attribution, it's not limited to that. You can use the same methodology to sort out whether a given capability is really the same capability as part of a malware family; you're just using different features in that selection process. So formally, the way you go about this really parallels the scientific method: you define your question, you define your hypothesis, which can be codified into the grouping function, and then you test across a given data set that you have access to what meets that criteria, and then you look at the results. If you need to refine that, if you counter your own hypothesis, you might need to change the grouping function, or if it's good then you stick with it, but it almost certainly will need to evolve over time as the activity also evolves over
time. Sergio, do you have anything to add to this one? Okay, yeah, and I think, if we get down to it, as you were kind of alluding to, in information security we get down to almost religious battles over activity. I've been involved now in this, in classifying activity, events and intrusions, for a long time, and I've been involved in my fair share of fighting battles over what gets named what and so forth. I even mentioned in the paper how powerful naming is to things, and that's really where the grouping idea came from: fundamentally the idea that we're going to group stuff together, and it does logically work that way. But most of our grouping arguments are really, if any of you know the Vienna Circle of philosophers and the idea that all philosophical arguments came down to different definitions and language, it kind of comes down to that, right? If you see a whole bunch of infosec people arguing about what and when something belongs to one group or something belongs to another group, really we're just arguing about definitions, because I may have a completely different definition of what I would call the group that others call APT28, and I may group very differently for my own purposes. And guess what, that's completely legit; it doesn't make me wrong. The powerful thing about grouping functions is that you can group for whatever business reason or mission requirement you have. There are times when I group intrusion activity not by supposed adversary but by vulnerability usage, because I want to do things like attack graphs, and so I want to find out how adversaries, or what groups of activities, seem to be following certain paths down attack graphs, and doing that you don't group by APT28 or whatever, you group by several other different types of features. We also group malware together in terms of functionality; when I was at Microsoft we would group malware together not in terms of who is responsible for that malware, but more for what functions that malware was using and how that malware was operating, because then we would counter that malware; we would counter whole families or classes of malware. And so I think that it's interesting that we get to these battles in here, and grouping is really personal, and I think we have to be very careful about being too aggressive with others in our own community about it. We all want to group on different things, and that's okay; we can group on how versus group on who or group on why, and so the grouping function that we're all doing is very different and personal, and the features we're selecting and the function that we're using is all different. So I think it's very important to realize that.

And we have a question in that I think is appropriate to take now. So Sergio, and I hate to put you on the spot, how would you classify or create a grouping function for Fuzzy Snuggly Duck? Yeah, so I would probably group Fuzzy Snuggly Duck by a whole bunch of trolls on Twitter who like having fun. So yeah, probably a whole bunch of miscreants out there who have no idea what they're doing. That sounds like you today. Okay, that was actually much funnier in my head before I said it than I had
thought; maybe I pulled it off. Okay, so the extended diamond. This is really looking at taking an activity group by itself, if it is loosely or even strictly defined as an intrusion set, and looking at the axes within the diamond, so the relationship between the adversary and the victim, and the capabilities and infrastructure. The social-political axis, or meta-feature here, this line is very useful for looking at or doing analysis around intent. So if you can understand why an adversary is going after a victim, you might be able to predict what other victims that adversary may go after; likewise you might be able to predict what other adversaries might target the given victim. You can also do some advanced moves, such as if you are doing threat hunting, in the threat intelligence context of threat hunting, and looking outside your network for adversaries that might be targeting, say, state elections, or adversaries that might have an interest in gaining information about the upcoming Olympics, you can actually begin to hunt out in either publicly available space or private datasets, things like VirusTotal, to look for activity that might be motivated by a given intent. Similarly, if you look across this axis, the technology meta-feature, you can hunt activity that has nothing to do with a given adversary or victim necessarily, but might exploit a given vulnerability or might be looking for specific types of infrastructure to launch attacks from, and then, from that compromised infrastructure, or from discovering attempts at compromising or exploiting a given vulnerability, you might discover new victims or you might discover new adversaries. Any thoughts on that, Sergio, before we move on?

Yeah, I think that what Andy said there is really powerful. One of the things I learned early in my career as a hunter was that these extended elements of the diamond model are really powerful, because you can get almost predictive-level intel, right? You can see maybe where things are going. There's always a relationship between an adversary and a victim, and that relationship might be spurious or it might be very direct, but there's always going to be some relationship, and so that's very helpful to exploit if you're talking more about the social and economic aspects of intrusion activity. The technological features are really powerful because when you start thinking in terms of what data can I use, can I use passive DNS, can I use domain registration data, that all falls on that technology meta-feature, right? Which is the enabling functions of intrusions; it's not the intrusion itself. And so when you're looking for things like, well, how would I identify new domains that are created prior to an operation actually taking place, what you're really doing is exploiting that technological meta-feature by using an understanding of how adversaries are creating domains and then applying those behaviors or analytics to domain data. What you're really doing is pulling that out, right? I mean, you're really asking a diamond question of how our adversary is leveraging domain name creation, and how are they doing it, and what features are out there, right? Are they using a specific email address, or a type of domain, a certain regular expression or pattern that they're following? And so you can really get to, I would say, early intel that's, as we like to say, left of boom, right? And so I would say that these are the features that really get you beyond that next step of intel, if you can get good at asking these questions. Alright.
So next, the diamond's been around for a while, but by no means do we attempt to treat it as the be-all end-all. It actually gains power from, and even relies on, other models that have been developed or are being developed, and I'm pretty excited about what the future of ATT&CK is overall, but in particular how it can work with the diamond, and also, which is probably a bit more established, how the diamond and the kill chain can work together. So probably one of the more advanced moves that you can do with the diamond is building out inputs into threat modeling, and this can be done simply by leveraging a priori knowledge on particular activity groups and overlaying those with your own defensive posture, or your own defensive technology stack and procedures, so your people, process, technology, and overlaying the adversary's, effectively, whether or not you know who the people are, their processes and technology, to see where your gaps are. An attack activity graph, I think, is much better informed when you take that adversary data that the diamond can provide and then lay it over ATT&CK as a codified means for mapping adversary techniques to your controls, to create a defensive gap analysis. Similarly, with the cyber kill chain you can take that same data and look at what your courses of action are, and those controls as well. But there are other benefits as well that are probably just more easily leveraged day to day. So, as we mentioned before, ATT&CK provides codified techniques that you can use in your day-to-day analysis as you're going through the data and creating features for selection in an activity group, and then similarly I think the diamond complements ATT&CK by extending the things that you can pivot off of, the things that you can characterize about an adversary beyond just the techniques, which includes the IOCs and possibly attribution, that can help you build out your holistic understanding of an adversary and what you might do to prevent or respond to attacks from it. And then of course, as we showed earlier, and you can kind of see throughout the slide deck here, we put the kill chain and the diamond together regularly in activity threads just to categorize them in an understandable means.

I think, Andy, there are questions on the board here, and this is a perfect time to answer them. One is how can you use the diamond model to inform threat and risk assessment, and what we show here, using these models together, is exactly how you do that, where you map out... So the diamond model works within intel, right? So the idea is to do an intel-based risk assessment. So it's not a blue-sky, blue-team kind of approach where you're like, okay, well, let's create a hypothetical adversary with hypothetical things and see what we can do. The diamond model is really a ground-based, intel-based approach, which is: here's what is actually happening in the world and what we need to know about it. And then what you do is you map that together with ATT&CK, and that was another question that was asked: how do you use ATT&CK and the diamond together? Well, the diamond meta-feature methodology is exactly where ATT&CK fits, right? So that's the taxonomy you use to describe how each diamond event is operating; it's the methodology there. And so those together create the kill chain security kind of approach in the diamond model. We create these activity attack graphs, and you can do a couple of things right here. You can take on what's called a coverage analysis, and you can ask the question: how much of this can we do or see? Can we detect everything in this graph or in this table of things? So that's called a coverage analysis, right? How much can we cover of the table, could we see or do everything? And then the next one is what we call a severability analysis, and that's the attack graph that we have there on the bottom left, and that's where you can draw attacks out as a graph. Now we borrowed this very heavily from others, so I don't claim that this is the first; what we did is just basically map how you can map intrusion events, on an intelligence basis, to an attack graph. But effectively you just take a severability approach and you say, well, how many points of this graph, so if an adversary needs to go from beginning to end to be successful, how many points in that graph can I sever with my operations? And the more you can sever the better, right, meaning the less likely the adversary is going to be successful. And so that's how you would make a risk assessment and work ATT&CK into it, and then make, not offensive, but more defensive operational decisions in terms of what should we do, and also in terms of what purchases you should make, right? Well, we can't do this or we can't see this, and we need to, and so maybe we should go buy something to do this for us or build it to do this for us. And that's how all of this fits, right? So your intel team, your SOCs, should be using these models to come together to say, okay, what's actually going on in the world, and what do we need to do about it? Very good. So at this point we're going to
transition a bit to talk about a specific use case using triggers as worldview intelligence for a report from
it so Sergio I'll get meeting the ball yeah thank you um so we're gonna attract this is using real Intel by the way and
the you can get this now through threat connect and we're so Drago's produces industrial control intelligence right so
our view of the world is what adversaries and threats in the world are touching on things that go boom and on
and and that for us is very important right we're the only company in the world who's completely dedicated to that
threat problem so we follow this is this is kind of set up this is with real-world Intel set up like a Incident
Response so this is like one of hundreds in my career I've gone through right so in this instance what we're gonna do is
we're gonna track we're gonna track a file that we showed up in our network and we we may have found it in anyway
right carbon black could have found it or any sort of EDR tool could have found this tool and it all of a sudden this
thing shows up and um you know the sock you know should theoretically have a good decision-making process where it's
well what are we gonna do with this now right is this gonna be a you know a wipe and replace a clean and remediating
approach or we you know or does this go over to like maybe we have we're mature enough and we have an Intel team and the
Intel team needs to ask the question well you know is there something more here than then what meets the eye and
and so you know we in Drago's we track we track activity and we publish and describe activity is an activity group
and that's what I did what we just described earlier today we use that term in general and a Drago's we don't we
don't a group activity by attribution so unlike many others like apt twenty eight or so forth we don't we don't track and
group by by attribution and the reason for that is because in yeah Incident Response and intrusion analysis in
industrial controls is very different. Not fundamentally different, but it is very different than it is in the traditional IT space, and one of the things that makes it different is that we have a very high level of maturity of adversary that we generally operate against, in those that are operating against us. And so we also get a lot of very interesting things that you see in the IT world but that, honestly, most intel groups in the world are not sophisticated enough to understand, which is that there are a lot of times when two groups, or three groups, or even more, will work together for a common cause. If two countries are working together we call that foreign technical assistance, and the thing that really screws a lot of people up is that if you're going by attribution but you've got multiple countries working against you, you're not going to group very well. Your grouping is for attribution, and one group does part of an operation and another group then takes over and does another part of the operation, so your grouping just got all screwed up, because effectively you've messed up your grouping function; you're not grouping accurately. And the reason you're doing that is because you're effectively guessing at attribution rather than actually having data. You're not actually mapping data, you're mapping hypotheses. And so my favorite one to poke at, as much as I love John, a good friend over at FireEye, is that I give John a lot of grief about Sandworm, right? When everything's Sandworm, nothing is Sandworm anymore. And that's the thing, right? There's lots of things going on with Sandworm, and honestly probably not all of those are actually Sandworm.

So at Dragos, what we do is we group activity by how they're operating. I don't care if it's multiple teams out there working a single victim in a single incident, right? From my and the defender's perspective, we care about the how more than we care about the who. Now, I'm not going to say you want to throw away the who, but from a defensive perspective the how is the primary question that you want to ask; who is secondary to that. And so we prioritize based on what ultimately is your defensive priority, the how. And so here what we do is we group and we label things by rare earth mineral. In this case it's DYMALLOY.
And so they have a tool. I'm going to use the word "they"; that's okay, it's just a group, right? I'm just attributing it to a group, not to an actual person. They have a tool in that group called Goodor, and so what we're going to do is we're going to track through an event here. So we're going to assume that one of our EDR tools caught Goodor, and so we're going to basically go through: okay, well, what do we do now? Okay, so now that we found this Goodor we've got a hash. Okay, so now we're going to pivot in. Go ahead and next slide. We're going to pivot into ThreatConnect and we're going to search, and we're going to find that Dragos has a report on this activity group called DYMALLOY and this thing called Goodor. And what does Dragos know about it? Well, we know that they likely use phishing, that it's an exploit-laden attachment, and then the installer drops Goodor, which implants the victim's machine, which then uses HTTP POSTs from the victim to several different command and control IPs. So with that, right, if our SOC gave us this hash and we're like, hey, that's interesting, now we've pivoted it in here and we're like, hey, this isn't good, right? We've got other things going on here. Plus Dragos is telling us that this is potentially associated with an industrial control threat, so there might be more here than meets the eye, so maybe we should take a different remediation approach, right? Maybe we should be more strategic in our remediation rather than just wipe and replace what's going on. So now let's go and we're going to pivot. We're going to take one
of the known IPs and we're going to pivot further down into intel via ThreatConnect, and what we find is that, hey, this IP address on this exact same hash was being used by another intrusion that US-CERT released a report on, and it is a callback string for a. And that's interesting, because Dragos's report is from 2017 and this US-CERT report is from 2018, which means that now I have new intel that I can use. And again, these are all based on the Diamond, right? The questions I'm asking are: I have a capability in front of me, it's this hash, right? It's the description of a file. And my question now is, well, what infrastructure is out there? Right, Dragos just gave me a bunch of IPs and, hey, I've got a whole bunch of new ones from US-CERT, and these seem to be really interesting, and hey, this one IP address has been active for at least a year. That's interesting, right? Not all adversaries leverage infrastructure forever, or for a very long time, so somebody using command and control for more than a year, that's kind of interesting. What that means to me now, as an intel analyst, is that maybe some of the older indicators are as valuable as the newer indicators, because maybe they're not very good at refreshing and renewing all of their stuff, so I should possibly be able to use some of the older stuff, right? So that's important as the threat analyst, because we need to start knowing when things don't become as important to us and where we don't want to waste our time. And so this is a good piece of intel.

And so now we've moved into a new piece of infrastructure. Now I'm going to search, right? Maybe I'll search my wireless logs and I'll search my firewall logs, I'll search my proxy logs, my VPN, all that stuff, wherever I get IP data. Right, I'm going to go ask questions, I'm going to interrogate my data and I'm going to say, where have I seen this? And if I have, where have I seen it? And so now we know we have a box infected and we can pivot out and check our network data to see what we've got. So, right, we found a network sample, we're going to go out and now we're like, hey, the sample's got IPs, I can go pull that IP for new infrastructure, and I can say, hey, this stuff still seems to be active, which is good for me, and now I can match these known TTPs to a group and I can say, hey, these behaviors on these IPs and this hash all belong to this DYMALLOY group, and now I can read more about them: what kind of victims are they targeting, do we fall within that or not within that, things of that nature. And so you can start asking a lot more questions, and again this just came down to a single hash that came out, and then some pivoting and some good questions we started asking about what we need to know about this campaign. Okay, so next slide. So a lot of good things, right?
Like I just said, we have reuse of a previously known tool, using the same default string, using known infrastructure. We've pivoted and found a different report over a different time frame that described another incident, and, you know, is this the same victim? Are we within their victimology? Maybe they changed over time, right? Maybe we are a new victim and they didn't follow through on these. These are all very good questions, right, as to what's going on here. So how does this all help? Well, first of all, the Diamond Model just becomes a very simple taxonomy, and it's not one I ever claimed to be a complete or effective taxonomy, but it becomes a very basic one, at least for mental models, where we have adversaries, capabilities, infrastructure and victims, and those are the fundamental things that every intrusion event has. And so when you get down to it, you've got to get down to basics, and this is really it, right? There's a bad guy targeting a victim using a capability over some infrastructure, and they can swap all of those pieces out, right? It's like a Rubik's Cube, right? We can move all of the colors and we can move all this together and maybe create a different picture than what was created before. And the important thing is that we can plug all of this together and we can ask questions of the intelligence, of the data, of our knowledge, and we can ask meta-questions, right, like I was just saying: well, what do we know now? What should we know? What could we predict about an adversary in the future? And these are all questions that, as security analysts and intel analysts, we want to stretch for.

On the reuse: IOCs and domains and TTPs are extremely common, right? Bad guys don't want to recreate stuff any more than you want to recreate stuff. They're just as lazy as you and I are. And so effectively, if we can use our intel to identify a good cutoff date, right, what we call the intel cutoff date, of when the intel is good for, that's not easy, right? As an intel producer myself, it's hard for me to tell you how long this is going to be good for, right? I just don't know, and I could guess, maybe, depending on the data I have available, but maybe I can. And so honestly, as a consumer of intel, that's going to be a really important question for you to ask, and so that's one of the things that you should get from the wide variety of data that's available to you through something like ThreatConnect. And then, fundamentally, understanding slight modifications of the attack chain, right? Well, what if they swap out a tool? Well, that's okay if they're using the same IP addresses for command and control; they can go use another tool. One of the cool things I've found in my career is that bad guys really only swap one of two things out at a time. That's at least not necessarily entirely on the commodity threat side, but generally you don't swap infrastructure and capability at the same time; it just changes too much and causes too much risk and damage to operations. And so the value of that is that, as defenders, we can use that against them, and we do, and you should continue to do so.

So with that, I think fundamentally the idea is that it gets you to a better place from a decision-making perspective, right? How do we remediate? And what should I do now as a defender? These are fundamentally the questions you should be asking your organization and your intel, right, the intel that you're getting from others and that you're producing yourself, as you are the best producer of intel in the world. Your own data and your own visibility is the best intel you can ever get. And so fundamentally you should be getting to: how am I improving the decision-making process in my security operations, right? Are we making ourselves more secure over time? And fundamentally the Diamond Model helps you get there by helping you ask important and intelligent questions of
your data.

Very good. The only thing I'll add here is something you hit on there: typically there's a high cost to the adversary of changing out all capabilities or all infrastructure at any given time, and that is really what enables the Diamond Model to be useful, because you can pivot across these even as they evolve. Very rarely, if ever, do you see an adversary that is capable of changing out everything at once, and if they are, as far as an activity group goes, fundamentally they've changed. They may attack the same victim over time, in which case you might reacquire them, but in reality they have limits to their own resources that make that extremely difficult to actually pull off.

Yep, you're absolutely right.

So we do have several questions; I'll make sure that we hit them. The conclusion is that this was just a primer. I thoroughly enjoyed the dialogue that Sergio and I had. We really only hit various facets of the surface of the Diamond here, and putting them to use will take more investigation, and so I encourage anyone who's really serious or very interested in it to please check out the diamond lab org site, where you can get the full paper and various other resources to help you get started. If you actually want to buy something from us: if you're interested in Dragos's WorldView intelligence, please contact Intel at Dragos; if you're interested in the ThreatConnect platform, or both, please contact our team at sales at threatconnect.com. And with that, why don't I start going through some of these questions that we
haven't hit yet. Alan asked a good one: do adversaries also include malicious insiders? Absolutely, Alan. The Diamond Model does not discriminate. In fact, an insider operates pretty much exactly like an outsider in many ways, and the Diamond Model doesn't discriminate between the two. So yes.

Yeah, I'd say the only nuance there is that your infrastructure is likely to be mostly within your own material, within your own...

Exactly, and the capabilities may be different. Think also that a capability can be like a USB key; it could be a printer. In fact, if you're talking about offline attacks against air-gapped networks, then usually we do see sneakernetting and things like that happening, and so capabilities can be non-network. Infrastructure and capabilities can be interesting non-network, non-digital assets.

Okay, let me read off the next one, from Joseph: do you see the Diamond Model needing to
be adapted in the near future due to (a) improving adversary OPSEC and (b) GDPR and the EU? It feels like soon the jump from capability to adversary will rely heavily on analysts and others who can identify code reuse and other recurring TTPs. I think this is a fair question, so I'll take a shot and then Sergio can add anything that I missed. I don't think that the Diamond Model itself needs to be adapted. I think that the ability to pivot from one feature to another is expected to change over time, whether that's because of new regulation that makes certain datasets no longer available, such as what we've got with WHOIS under GDPR, or improving adversary OPSEC, where they just make it harder because they're better, although that in itself is sometimes a false premise: the aspect is that they do not improve over time, at least in my observations. Sergio, do you have anything to add?

Yep, I completely agree. The data is going to change; the fact that bad guys are still going to do things is going to remain the same; how they do things is going to change. But I also agree that bad guys don't necessarily get smarter over time, and I think it's because they're adding new people, just like we're adding new people, and so the new people continue to make mistakes and learn the hard way. So I'm not seeing necessarily a quote-unquote better adversary over time. Certain
adversaries are, but I think as a general trend...

Okay, next one: are you using events and incidents to mean the same thing? It appears that the activity threads make up an incident, so events and incidents should be different in the Diamond. Actually, a diamond is an event, although there may be some aspects of that event that are unknown in terms of the infrastructure, adversary or capability, but the string of causally related events forms an activity thread, which is conveniently characterized as an incident, though there are instances where perhaps it is not. And I think we answered the next one about MITRE ATT&CK, and also the next one by Josiah. Yep, thank you very much.

Let's see: "I have an idea to create a new web application for handling the Diamond Model." That's awesome. Yeah, well, I don't know of anything like that. I have not seen anyone open-source something like that and put it out there. We of course use the Diamond Model to inform our own data model within ThreatConnect, and I think there are some organizations that have done it inside of their own organization, but I'm not aware of anything just out there. And Annie asks a
great question on reference guides on TTLs for IOCs, and that's great. There is not, as far as I understand or know, any real good fundamental research done on TTLs for IOCs, and so you're right; I think what you described there is exactly right: using a mixture of the kill chain and ATT&CK and a bunch of things to figure out how to do it. So the answer is, that's great. Yeah, I mean, that's a huge amount of research work that could be done. I could see an entire graduate set of computer security papers coming out of something like that.

And then you ask, is there future work being done on the Diamond Model? Yeah, there is, but it's going to be some work between us and MITRE, probably on ATT&CK and the Diamond and how they work together better, more to clarify the position for analysts and make it more like a handbook, kind of like, here's how these things work together, right, so that it's easier for everyone to take advantage of it. I've been asked before about a Diamond 2.0, and honestly, mentally, I just don't think it's ready for that yet. I mean, I've got some ideas, but I think honestly I hope other people take the idea and just go with it, right, and evolve it and see if we can make it better.

Yeah, the only thing I'd add to that is, as I mentioned before, I'm excited to see that, as newer work is done in complementary spaces, oftentimes we can find use cases quite easily and naturally that tie in with the Diamond or complement it, and you can see that with the kill chain, you can see that with ATT&CK, and others, I'm sure,
will be the same. Yeah.

Josiah asks: if you were to expand the Diamond Model by one additional node, what would you suggest to add value? Well, I think that's a bit heretical, because the Diamond Model is perfect as is; it wouldn't look right anymore. I just don't know. No, you asked a great question, which I think gets back to Annie's question, right, which is, well, the future work to be done on the Diamond: is it right? No, it is not. It is a starting point, and I hope it's a starting point for a lot of people, and I hope people end up making it better than it is. So I don't know; I don't have one off the top of my head. It works pretty well right now, but I have seen some flaws, some challenges with it. So, yeah.

Okay: what keeps you up at night? What threats keep you up at night, Sergio? Let's see. It would probably be poisoning drinking water. There are several ways of poisoning drinking water, and I would say that that's probably the biggest thing that's keeping me up at night: thinking of water, protecting water assets.

Yeah, that's scarier than what I was thinking of, so I'm going to hold up; I think you trumped me all the way. So yeah, I mean, there are threats to democracy, right, but those are a little bit less tangible than threats to life, and I think a lot of the space that Dragos spends its time defending is probably the scariest set of threats out there.

Okay, well, we are just about at the top of the hour and I think we've gone through all the immediate questions. I saw several questions in here that I think our team answered already about whether the slides will be posted. Yes, they will, and we'll make the recording available as well. Yeah, thank you everybody for your time. I really do appreciate it; your time is really valuable and it was awesome to have you here. Thank you so much.

Likewise, and thank you, Sergio, for joining us today.

Yeah, thanks for having me. Indeed, this has been fun; we should do it again any time.

Okay, thank you everyone. Thanks everyone.
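The walk the speakers describe (hash to vendor report, report to C2 IPs, IP to a second report from a different year, then back into your own proxy logs) can be expressed as a small pivot over Diamond events. The following Python is an added example, not code from the webinar, Dragos or ThreatConnect. Every event, report name, hash (`hash-A`, `hash-Z`) and IP address in it is a constructed placeholder, the grouping rule (link events that share any capability or infrastructure feature, ignoring the adversary field) is this editor's encoding of the "group by how, not who" point, and the 365-day threshold for long-lived infrastructure is an assumed value taken from the "active for at least a year" remark.

```python
"""Diamond Model pivoting over constructed intrusion events (added example).

A Diamond is one event: adversary, capability, infrastructure, victim. Unknown
corners are allowed (None / empty), exactly as the transcript describes.
All data below is constructed for illustration; no real indicators.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Diamond:
    event_id: str
    source: str                      # who reported the event (constructed)
    adversary: Optional[str]         # None = unknown, a normal Diamond state
    capability: FrozenSet[str]       # file hashes / tool names
    infrastructure: FrozenSet[str]   # C2 IPs or domains
    victim: Optional[str]
    first_seen: date
    last_seen: date


# Constructed sample events: a 2017 vendor report, a 2018 CERT report on the
# same hash and one shared IP, an unrelated event, and our own EDR detection.
EVENTS = [
    Diamond("E1", "vendor-report-2017", "GROUP-A", frozenset({"hash-A"}),
            frozenset({"198.51.100.10", "198.51.100.11"}), "energy-co",
            date(2017, 3, 1), date(2017, 6, 30)),
    Diamond("E2", "cert-report-2018", None, frozenset({"hash-A"}),
            frozenset({"198.51.100.10", "203.0.113.5"}), "utility-co",
            date(2018, 2, 1), date(2018, 8, 15)),
    Diamond("E3", "vendor-report-2018", "GROUP-B", frozenset({"hash-Z"}),
            frozenset({"192.0.2.77"}), "bank", date(2018, 5, 1), date(2018, 5, 2)),
    Diamond("E4", "our-soc", None, frozenset({"hash-A"}), frozenset(), "us",
            date(2018, 9, 3), date(2018, 9, 3)),
]

# Constructed proxy log lines in key=value form (not a real product format).
SAMPLE_PROXY_LOG = [
    "2018-09-03T10:12:01Z host=ws-17 dst=198.51.100.10 method=POST path=/upload",
    "2018-09-03T10:12:05Z host=ws-17 dst=93.184.216.34 method=GET path=/",
    "2018-09-04T08:01:44Z host=ws-22 dst=203.0.113.5 method=POST path=/api",
]


def pivot(events: List[Diamond], value: str) -> List[Diamond]:
    """Events whose capability or infrastructure corner contains `value`."""
    return [e for e in events if value in e.capability or value in e.infrastructure]


def pivot_from_hash(events: List[Diamond], file_hash: str) -> Tuple[Set[str], Set[str]]:
    """Walk hash -> infrastructure -> other events -> more infrastructure until
    nothing new appears. Returns (event ids reached, infrastructure learned)."""
    reached: Set[str] = set()
    infra: Set[str] = set()
    visited: Set[str] = set()
    frontier = [file_hash]
    while frontier:
        value = frontier.pop()
        if value in visited:
            continue
        visited.add(value)
        for e in pivot(events, value):
            reached.add(e.event_id)
            infra.update(e.infrastructure)
            frontier.extend(e.capability | e.infrastructure)
    return reached, infra


def group_by_shared_features(events: List[Diamond]) -> List[Set[str]]:
    """Cluster events that share at least one capability or infrastructure
    feature (union-find). The adversary corner is deliberately ignored: this is
    grouping by 'how', not by attribution."""
    parent: Dict[str, str] = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owner: Dict[str, str] = {}
    for e in events:
        for feature in e.capability | e.infrastructure:
            if feature in owner:
                parent[find(e.event_id)] = find(owner[feature])
            else:
                owner[feature] = e.event_id
    groups: Dict[str, Set[str]] = {}
    for e in events:
        groups.setdefault(find(e.event_id), set()).add(e.event_id)
    return sorted(groups.values(), key=lambda s: sorted(s))


def infrastructure_lifetime_days(events: List[Diamond], indicator: str) -> Optional[int]:
    """Days between the earliest first_seen and latest last_seen of an indicator."""
    uses = [e for e in events if indicator in e.infrastructure]
    if not uses:
        return None
    return (max(e.last_seen for e in uses) - min(e.first_seen for e in uses)).days


def long_lived_infrastructure(events: List[Diamond], min_days: int = 365) -> List[str]:
    """Indicators still worth hunting on because the adversary has not rotated them."""
    infra = {ip for e in events for ip in e.infrastructure}
    return sorted(ip for ip in infra if infrastructure_lifetime_days(events, ip) >= min_days)


def search_logs(lines: List[str], infra: Set[str]) -> List[Tuple[str, str]]:
    """Interrogate our own data: (host, dst) pairs that talked to known C2."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("dst") in infra:
            hits.append((fields["host"], fields["dst"]))
    return hits


if __name__ == "__main__":
    reached, infra = pivot_from_hash(EVENTS, "hash-A")
    print("events reached:", sorted(reached), "infrastructure:", sorted(infra))
    print("activity groups:", group_by_shared_features(EVENTS))
    print("long-lived C2:", long_lived_infrastructure(EVENTS))
    print("internal hits:", search_logs(SAMPLE_PROXY_LOG, infra))
```

The unattributed CERT event (E2) and our own detection (E4) land in the same cluster as the 2017 vendor report purely through the shared hash and IP, which is the pivot the speakers walk through; E3 stays separate because it shares nothing. The lifetime check flags only the IP reused across both years, the candidate the transcript says is "kind of interesting" because the adversary failed to rotate it.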
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.