# Diamond Model

## *<mark style="color:blue;">Overview</mark>*

The **Diamond Model** (Caltagirone, Pendergast and Betz, 2013) is a framework for analyzing cyber intrusions. Every intrusion event is modeled as a diamond whose four vertices are `Adversary`, `Capability`, `Infrastructure`, and `Victim`, connected by the edges along which an analyst pivots: an adversary deploys a capability over some infrastructure against a victim. The model emphasizes that these elements are never observed in isolation, so discovering one vertex (a C2 domain, a malware sample, a compromised host) is the starting point for uncovering the others.

<figure><img src="/files/AfAmNFIQpIoHEXjCBzyR" alt="" width="188"><figcaption></figcaption></figure>

### *<mark style="color:blue;">Core Components</mark>*

| Element            | Description                                                                                                                                                                                             | Example                                                                  |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| **Adversary**      | The actor behind the intrusion (state-sponsored, criminal, hacktivist). The model separates the operator who carries out the activity from the customer who benefits; "unknown" is a valid value early in an investigation | APT29 (Russian SVR), FIN7 (cybercrime), Anonymous (hacktivist)           |
| **Capability**     | Tools and techniques (TTPs) at the adversary's disposal: malware, exploits, scripts, stolen credentials                                                                                                  | Cobalt Strike, Mimikatz, zero-day exploits (e.g., ProxyLogon)            |
| **Infrastructure** | Physical or logical assets used to deliver a capability or maintain control (IPs, domains, servers). Type 1 infrastructure is owned or controlled by the adversary; Type 2 is controlled by an intermediary, typically compromised third-party hosts | Bulletproof hosting (Type 1), compromised IoT devices (Type 2), cloud C2 servers |
| **Victim**         | The target against which capabilities are used: both the victim persona (organization, individual, industry, geography) and the victim assets (hosts, accounts, data)                                   | Healthcare org (HIPAA data), energy grid (ICS systems)                   |

***

### *<mark style="color:blue;">Meta-Features (Extended Analysis)</mark>*

The original model defines six meta-features attached to every event; the first four are the ones most analysts record, the last two are often left empty until later in an investigation.

| Feature         | Purpose                                                                                                                                                                                                                            | Example                                                                          |
| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| **Timestamp**   | When the event started and ended; anchors the event in the activity thread and, aggregated, reveals adversary working hours                                                                                                        | Initial compromise: 2023-05-15T14:22:00Z                                         |
| **Phase**       | Position of the event in the kill chain (Lockheed Martin phases, or UKC / MITRE ATT\&CK tactics used as a proxy)                                                                                                                   | Delivery (phishing) → C2 (T1071) → Lateral Movement (T1021)                       |
| **Result**      | Outcome of the event: success, failure or unknown, optionally expressed as confidentiality/integrity/availability impact                                                                                                           | Data exfiltrated (2.5 TB); ransomware deployed and $5M ransom paid                |
| **Direction**   | Which way the event traverses the diamond: Infrastructure-to-Victim, Victim-to-Infrastructure, Infrastructure-to-Infrastructure, Adversary-to-Infrastructure, Victim-to-Adversary, bidirectional or unknown. Not the same thing as north-south vs. east-west network traffic | Phishing email delivered: Infrastructure-to-Victim; beacon check-in: Victim-to-Infrastructure |
| **Methodology** | General class of activity the event belongs to                                                                                                                                                                                     | Spear-phishing, DDoS, port scan, supply-chain compromise                          |
| **Resources**   | External resources the event required to occur                                                                                                                                                                                     | Software, knowledge, access, funds, hardware, credentials                         |

***

### *<mark style="color:blue;">Professional Applications</mark>*

#### 1. Threat Intelligence

* **Actor Profiling**: Cluster intrusions by adversary TTPs (e.g., link APT37 to specific capabilities).
* **Infrastructure Tracking**: Map shared IPs/domains across campaigns.

#### 2. Incident Response

* **Event Correlation (Analytic Pivoting)**: Connect disparate alerts by pivoting from one Diamond vertex to the next (e.g., a malware hash found on one host → the C2 domain it beacons to → every other host that contacted that domain).
* **Attack Reconstruction**: Order a victim's events along the kill chain into an activity thread and visualize the intrusion path (e.g., `Adversary → Infrastructure (C2) → Victim`, Delivery → C2 → Actions on Objectives).
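The two operations above, pivoting across vertices and ordering a victim's events into an activity thread, and the infrastructure tracking described under Threat Intelligence are easy to express in code once events are stored as diamonds. The following is an added example written for this page, not code from the original page or from the Diamond Model paper. The five events, the hostnames and the adversary names are constructed placeholders, not real indicators, and the kill-chain phase list is a simplified version of the Lockheed Martin phases.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four Diamond vertices plus four meta-features."""
    event_id: str
    adversary: str        # "unknown" is legitimate; attribution is usually learned last
    capability: str       # tool or technique (malware family, ATT&CK ID, ...)
    infrastructure: str   # IP/domain/host the adversary used to reach the victim
    victim: str           # affected asset or organisation
    timestamp: str        # ISO 8601 UTC, sorts lexically
    phase: str            # kill-chain phase, see PHASE_ORDER
    result: str           # success / failure / unknown
    direction: str        # which way the event crossed the diamond


# Simplified Lockheed Martin phases (assumed ordering for this example).
PHASE_ORDER = ["reconnaissance", "weaponization", "delivery", "exploitation",
               "installation", "c2", "actions-on-objectives"]

# Constructed sample data; hostnames are placeholders, not real IOCs.
EVENTS = [
    DiamondEvent("E1", "unknown", "macro-dropper", "mail-relay.example", "acme-hr-ws01",
                 "2023-05-15T14:22:00Z", "delivery", "success", "infrastructure-to-victim"),
    DiamondEvent("E2", "unknown", "cobalt-strike-beacon", "cdn-update.example", "acme-hr-ws01",
                 "2023-05-15T14:40:00Z", "c2", "success", "victim-to-infrastructure"),
    DiamondEvent("E3", "unknown", "cobalt-strike-beacon", "cdn-update.example", "globex-fin-srv",
                 "2023-06-02T09:10:00Z", "c2", "success", "victim-to-infrastructure"),
    DiamondEvent("E4", "unknown", "ransomware-locker", "drop-site.example", "globex-fin-srv",
                 "2023-06-02T11:05:00Z", "actions-on-objectives", "success", "infrastructure-to-victim"),
    DiamondEvent("E5", "hacktivist-collective", "ddos-booter", "booter.example", "initech-web",
                 "2023-06-10T20:00:00Z", "actions-on-objectives", "failure", "infrastructure-to-victim"),
]


def pivot(events, **criteria):
    """Analytic pivot: select the events whose vertices/meta-features match every criterion."""
    return [e for e in events if all(getattr(e, k) == v for k, v in criteria.items())]


def activity_thread(events, victim):
    """Order one victim's events along the kill chain (attack reconstruction)."""
    return sorted(pivot(events, victim=victim),
                  key=lambda e: (PHASE_ORDER.index(e.phase), e.timestamp))


def activity_groups(events, link_on=("infrastructure", "capability")):
    """Cluster per-victim threads that share an infrastructure or capability value.

    Returns a sorted list of (set_of_victims, set_of_linking_values).
    The value "unknown" never links two threads.
    """
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    owners = defaultdict(set)   # feature value -> victims whose events carry it
    for e in events:
        find(e.victim)          # register every victim, even if it links to nothing
        for attr in link_on:
            value = getattr(e, attr)
            if value != "unknown":
                owners[value].add(e.victim)

    links = set()
    for value, victims in owners.items():
        if len(victims) > 1:
            links.add(value)
            first, *rest = victims
            for v in rest:
                union(first, v)

    groups = defaultdict(set)
    for v in parent:
        groups[find(v)].add(v)

    result = []
    for members in groups.values():
        shared = {val for val in links if owners[val] <= members}
        result.append((members, shared))
    return sorted(result, key=lambda g: sorted(g[0]))


if __name__ == "__main__":
    for e in activity_thread(EVENTS, "acme-hr-ws01"):
        print(e.phase, e.direction, e.capability, "via", e.infrastructure)
    for members, shared in activity_groups(EVENTS):
        print(sorted(members), "linked by", sorted(shared))
```

Pivoting on `infrastructure="cdn-update.example"` returns E2 and E3, so a domain first seen in one incident immediately surfaces a second victim. The grouping step then merges the two victims' threads into one activity group on the strength of the shared C2 domain and beacon family, while the hacktivist DDoS thread stays separate because it shares nothing with them. Note that the grouping deliberately ignores the `adversary` vertex: two threads with `adversary="unknown"` should be clustered by what was observed, not by the blank attribution field.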

#### 3. Strategic Defense

* **Capability Denial**: Disrupt adversary tools (e.g., block Cobalt Strike C2 traffic).
* **Victim Hardening**: Patch systems targeted by known exploits.

***

### *<mark style="color:blue;">Diamond Model vs. Other Frameworks</mark>*

These frameworks are complementary rather than competing: the Diamond Model's Phase meta-feature is defined in terms of the kill chain, and ATT\&CK technique IDs are a natural vocabulary for the Capability vertex.

| Framework                              | Focus Area                                          | Diamond Model Advantage                                                                                                                   |
| -------------------------------------- | --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| **Cyber Kill Chain (Lockheed Martin)** | Linear, phase-based progression of a single intrusion | Models the four vertices and their relationships within each phase, and links threads across victims into activity groups, which makes infrastructure reuse across campaigns explicit |
| **MITRE ATT\&CK**                      | Catalogue of adversary tactics and techniques        | Adds adversary, infrastructure and victim context to each technique, so the same T-number observed twice can be tied to one actor or separated into two |
