Jasper Alblas
TryHackMe: Diamond Model Walkthrough (SOC Level 1)
Welcome to this walkthrough of the Diamond Model Room on TryHackMe. We will learn about the four core features of the Diamond Model of Intrusion Analysis: adversary, infrastructure, capability, and victim.
This room is part of the SOC Level 1 Path.
Room URL: https://tryhackme.com/r/room/diamondmodelrmuwwg42
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Now, let’s move on!
Table of Contents
Task 1: Introduction
This task introduces the room. In this room, we will be introduced to the Diamond Model.
What is the Diamond Model?
The Diamond Model of Intrusion Analysis is a cybersecurity framework developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in 2013. It provides a structured approach for understanding, analyzing, and communicating about cyber intrusion events.
Core Features:
The model is built around four core features, represented as nodes of a diamond:
Adversary:
- The threat actor or group behind the attack.
- Examples: Hackers, Advanced Persistent Threats (APTs), insider threats.
Infrastructure:
- The resources used by the adversary to execute the attack.
- Examples: Command-and-control servers, phishing websites, compromised systems.
Capability:
- The tools, techniques, or exploits used to carry out the intrusion.
- Examples: Malware, ransomware, social engineering tactics.
Victim:
- The target of the attack.
- Examples: Individuals, organizations, networks, systems.
Why the “Diamond”?
The model is called the Diamond Model because these four features are edge-connected in a way that forms the shape of a diamond. The connections emphasize the relationships and dependencies between the features.
Why is it useful?
- Simplifies Analysis: Breaks down a cyberattack into clear components.
- Improves Defense: Helps predict future threats and plan responses.
- Easy to Explain: Makes it simpler to communicate what happened, even to non-technical people.
Axes and Additional Components:
The Diamond Model includes axes that provide context for the relationships:
- Social-Political Axis: Represents the motivations, objectives, or political/organizational dynamics driving the adversary.
- Technology Axis: Captures the technological dependencies, vulnerabilities, and interactions between the capability and infrastructure.
Questions
Read the above.
Answer: No answer needed
Task 2: Adversary
One of the core features of the diamond model is the Adversary.
What is an Adversary?
An adversary is the person or group behind a cyberattack, also known as an attacker, hacker, or cyber threat actor. They are responsible for using tools and techniques (capabilities) to achieve their goals, such as stealing data or causing disruption.
Key Points:
Types of Adversaries:
- Adversary Operator: The hacker or person actively carrying out the attack.
- Adversary Customer: The entity benefiting from the attack, which might be the same as the operator or a separate group.
Challenges in Identification:
- It’s hard to identify the adversary early in a cyberattack.
- Data from the incident, like breach details or attack signatures, helps uncover their identity over time.
Importance of Understanding Adversaries:
- Knowing whether the operator and customer are the same or separate provides insight into their goals, persistence, and adaptability.
Questions
What is the term for a person/group that has the intention to perform malicious actions against cyber resources?
As discussed earlier, the term for a person/group that has the intention to perform malicious actions against cyber resources is Adversary Operator.
Answer: Adversary Operator
What is the term of the person or a group that will receive the benefits from the cyberattacks?
The person that benefits from the cyber attacks is called the Adversary Customer.
Answer: Adversary Customer
Task 3: Victim
A victim is the target of a cyberattack. This can be an organization, individual, email address, IP address, domain, or other target.
Every cyberattack involves a victim, as attackers need a foothold to achieve their goals.
Types of Victims:
Victim Personae: The people or organizations being targeted, such as specific individuals, industries, or job roles.
Victim Assets: The systems, networks, email accounts, or other parts of the attack surface the adversary targets.
Role in Cyberattacks:
- Victims often provide attackers an entry point, such as through a phishing email.
- For example, if a company employee clicks a malicious link in a spear-phishing email, both the individual and the organization are victims.
Questions
What is the term that applies to the Diamond Model for organizations or people that are being targeted?
In IT we could describe software or hardware as an asset.
Answer: Victim Personae
Task 4: Capability
Capability refers to the skills, tools, and techniques an adversary uses during an attack. It showcases their tactics, techniques, and procedures (TTPs).
Components:
- Capability Capacity: The vulnerabilities and exposures the capability can exploit. Focuses on what each tool or technique can do or target.
- Adversary Arsenal: The full set of capabilities an adversary possesses or can access. Refers to the set of tools, skills, and techniques an adversary has access to.
Questions
Provide the term for the set of tools or capabilities that belong to an adversary.
The tools or capabilities belonging to an adversary are called the adversary arsenal.
Answer: Adversary Arsenal
Task 5: Infrastructure
Cybersecurity infrastructure refers to the physical and logical components adversaries use to execute and maintain malicious activities, such as command and control (C2) systems, data exfiltration, IP addresses, domain names, email accounts, or even malicious devices like USB drives.
- Type 1 Infrastructure: Directly controlled by the adversary.
- Type 2 Infrastructure: Managed by intermediaries (aware or unaware) to obfuscate the adversary’s identity. Examples include malware staging servers and compromised domains or email accounts.
Service Providers (e.g., ISPs, domain registrars, webmail providers) enable the functionality of both types, often unknowingly supporting adversarial operations.
Questions
To which type of infrastructure do malicious domains and compromised email accounts belong?
Malicious domains and comprimised email accounts are controlled by intermediaries, so they are part of Type 2 Infrastructure.
Answer: Type 2 Infrastructure
What type of infrastructure is most likely owned by an adversary?
Type 1 Infrastructure is directly controlled by the adversary.
Answer: Type 1 Infrastructure
Task 6: Event Meta Features
The Diamond Model can include six meta-features that provide valuable context for analyzing intrusion events:
- Timestamp:
Records the date and time of an event, helping to identify patterns and correlate activities (e.g., time zones or business hours of the adversary). - Phase:
Identifies the stage of the attack based on sequences like the Cyber Kill Chain and Unified Kill Chain:
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Actions on Objective - Result:
Captures the outcome of the adversary’s actions, such as “success,” “failure,” or “unknown,” and relates them to the CIA triad (Confidentiality, Integrity, Availability). - Direction:
Describes the flow of the attack, using predefined categories such as Victim-to-Infrastructure or Infrastructure-to-Victim. - Methodology:
Classifies the type of intrusion (e.g., phishing, DDoS, or port scanning). - Resources:
Details external requirements for the attack, like software, hardware, knowledge, funds, or access.
These meta-features enhance the Diamond Model’s ability to organize and interpret intrusion events systematically. I like to think that it adds metadata to an event.
Questions
What meta-feature does the axiom “Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result” belong to?
This is a part of the phase feature, which covers which stage of the attack the attack is in.
Answer: Privilege Escalation
You can label the event results as “success”, “failure”, and “unknown”. What meta-feature is this related to?
Not much to explain here 🙂
Answer: Result
To what meta-feature is this phrase applicable “Every intrusion event requires one or more external resources to be satisfied prior to success”?
It literally says “resources” in the question, so the answer is the same.
Answer: Resources
Task 7: Social-Political Component
The Social-Political Component refers to the motivations and goals driving the adversary’s actions, such as:
- Financial gain: e.g., stealing data or resources for profit.
- Acceptance in the hacker community: e.g., showing off skills or achieving status.
- Hacktivism: e.g., attacking organizations for ideological reasons.
- Espionage: e.g., stealing sensitive information for political or strategic advantage.
This component emphasizes the “why” behind an attack and links the adversary’s goals with their actions.
Questions
Read the above.
Answer: No answer needed.
Task 8: Technology Component
The Technology Component focuses on the relationship between two core features: Capability and Infrastructure. It explains how the adversary uses their tools, techniques, and infrastructure to operate and communicate effectively during an attack.
A watering-hole attack showcases this relationship. In this attack, the adversary compromises legitimate websites that they expect their target victims to visit. The Capability includes the tools or malware used to exploit the site, while the Infrastructure is the compromised website itself, serving as a delivery mechanism for the attack.
This component helps us understand the technical methods and resources an adversary leverages to achieve their goals.
Questions
Read the above.
Answer: No answer needed.
Task 9: Practice Analysis
Are you ready to construct the Diamond Model? Please, deploy the static site attached to this task and dive into the case study and extract the information needed to populate our Diamond Model.
(Please note: The case study for this room occurred in 2015, and is not in light of recent developments in Ukraine).
Ensure you have deployed the static site attached to this task. To complete the static site, you will need to click on each triangular section of the diamond until you have completed all eight areas of the diamond.
Questions
Complete all eight areas of the diamond. What is the flag that is displayed to you?
We are met by the image of a diamond. Let’s go through all of the statements from each area.
I will start with the upperleft small triangle, and will move clockwise from there.
The incident response team has determined that a group of notorious underground hackers named APT2166 are responsible for the attack.
Answer: Adversary
The attack occurred on 2021–10–23 at 15:45:00:00.000.
Answer: Timestamp
The attackers targeted the Information Technology (IT) systems of the corporation.
Answer: Victim
The attackers used a recent malware campaign known as OneTrick to ransomware the corporation’s servers.
Answer: Resources
The attackers stole data from the corporation and sold it on an underground hacking forum.
Answer: Result
The attackers gained access using legitimate credentials that were gained as a result of a phishing attack.
I picked the wrong one first, but the used tools are a part of the Capability component.
Answer: Capability
Once the attackers gained access to the network, they pivoted to the internal databases and file shares.
This question is more about the method used in the attack, and thus a part of the methodology meta-feature.
Answer: Methodology
The attacker’s steps can be followed using the phases of what Cyber Kill Chain model?
It asks what “Cyber Kill Chain”, so the only answer can be Lockheed Martin’s Cyber Kill Chain. Otherwise the Unified Kill Chain could also have worked.
Answer: Lockheed Martin’s Cyber Kill Chain
Now we can see the flag. Well done!
Complete all eight areas of the diamond. What is the flag that is displayed to you?
Answer: THM{DIAMOND_MODEL_ATTACK_CHAIN}
Task 10: Conclusion
We are done! I hope you learned a lot about this theoretical model, which can be used to disrupt threat activities, as well as communicate threats to stakeholders.
With this in your arsenal, you will have opportunities to leverage real-time intelligence for network defence and predict adversary operations.
Read the above.
Answer: No answer needed
Congratulations on completing Diamond Model!!!
Another great theoretical model understood. Great job on following along. Happy hacking!
Read more of my walkthroughs here.
Like my articles?
You are welcome to comment on this post, and please do share with friends.
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
https://referral.hackthebox.com/mzwwXlg
