The Diamond Model of Intrusion Analysis
A Summary
By Sergio Caltagirone
This document is not a reference guide to the Diamond Model. See the technical report
for the official reference and complete details.
Why the Diamond Model Matters
The Diamond Model, for the first time, accurately details the fundamental aspects of all
malicious activity as well as the core analytic concepts used to discover, develop, track,
group, and ultimately counter both the activity and the adversary. The model emerged in
2006 from senior analysts asking the simple question, “How do we do our work?”
Unfortunately, it required seven years of thought, implementation, and refinement to
complete the model. This delay is primarily because the intrusion analysis discipline has
long been regarded as an art – to be learned and practiced, rather than a science – to be
studied and refined. It is a discipline that prizes and studies analytic outcomes far more
than understanding the processes and principles used to achieve those outcomes.
This approach has held analysis back from identifying first principles and foundational
concepts. It frustrated the development of new tradecraft and a more complete
understanding of malicious activity. This restriction had further implications, slowing the
evolution of threat mitigation, which relies on efficient, effective, and accurate analysis.
The Diamond Model begins to address these challenges by applying scientific rigor to the
discipline. With the Diamond, new and more effective mitigation strategies can be
developed that increase the cost on the adversary while reducing the cost to the defender.
It integrates traditional information assurance strategies and cyber threat intelligence
seamlessly. It increases analytic efficiency and effectiveness by highlighting analytic
opportunities and intelli