Podcast Summary: Hacking Humans – Diamond Model (noun) [Word Notes]
Host: N2K Networks
Release Date: September 16, 2025
Theme: Deception, influence, and social engineering in cybercrime – Unpacking the Diamond Model for Intrusion Analysis
Episode Overview
This episode of “Hacking Humans” delves into the Diamond Model—a cyber threat intelligence framework designed to better understand, attribute, and track cyber adversary activity. The discussion centers on how this model formalizes the relationships among attackers, their tactics, and victims, and how it enhances existing models like the kill chain and MITRE ATT&CK. The episode contextualizes the model’s history, clarifies how analysts use it, and highlights its continued relevance in tracking modern threat actors.
Key Discussion Points & Insights
1. Definition & Structure of the Diamond Model
[02:01] Rick Howard:
- The Diamond Model is a cyber threat intelligence analysis model.
- It structures cyber incidents as a relationship between four core components—arranged in the shape of a diamond:
  - Adversary: The attacker or threat actor
  - Capability: The tools or exploits used (malware, vulnerabilities, etc.)
  - Infrastructure: The resources used for attack or targeted (servers, emails, networks)
  - Victim: The targeted entity or individual
“A cyber threat intelligence analysis model that defines relationship pairs between four core components in the shape of a diamond: the adversary, their capability, the infrastructure used or attacked, and the victim.”
— Rick Howard [02:01]
2. Origins and Academic Context
- Developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz (2011, DoD).
- Built to improve upon and complement earlier methods like attack trees and attack graphs (originating with Bruce Schneier).
- The Diamond Model formalizes language and relationships in cyber incident analysis to enable more systematic tracking of threat actors across events.
3. How the Diamond Model Works in Practice
- Each event in the Diamond Model includes all four features: adversary, capability, infrastructure, victim.
- Activity Threads: Analysts connect events across incidents using shared features (like common malware). This can reveal broader attack campaigns, even if seemingly unrelated incidents are involved.
- Over time, these threads can be correlated to uncover adversary campaigns (e.g., identifying the same group behind different incidents).
“As analysts collect intelligence using the Diamond Model, the kill chain becomes more complete with data for all the incidents.”
— Rick Howard [04:38]
- This correlation process produces the named threat actors often seen in cybersecurity news (e.g., APT10, Lazarus Group).
4. Relationship to Other Cybersecurity Frameworks
- NOT a replacement for the Lockheed Martin kill chain model or MITRE ATT&CK.
- Functions as an enhancement, providing more granularity and a way to visualize and connect complex relationships in adversary campaigns.
“To be clear, the Diamond Model is not an alternative to the Lockheed Martin kill chain model or the MITRE attack framework. It’s an enhancement.”
— Rick Howard [05:17]
5. Diamond Model Events Explained
[06:16] Guest Cybersecurity Expert (Andy Pendergast, paraphrased):
- Each diamond (event) contains:
  - A timestamp (when it happened)
  - The person/entity responsible (adversary)
  - The tool or exploit used (capability)
  - The infrastructure involved (either for launching or as the target)
  - The victim (targeted persona, network, address, etc.)
- Pivoting: Security teams can track any one element (e.g., malware signature) to uncover related infrastructure, other victims, or associated adversaries across multiple cases.
“Every diamond has some time that the event occurred. It has some person that was responsible for the event, the adversary; some capability that they leveraged… some infrastructure that they used… And then every event has something that's affected, something that's being targeted, and that's the victim.”
— Cybersecurity Expert [06:16]
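To make the event structure, activity threads and pivoting from sections 3 and 5 concrete, here is a small added example in Python. It is illustrative code written for this summary, not code from the episode or from the Diamond Model's authors; the class and function names (DiamondEvent, activity_threads, pivot) are hypothetical, and the sample events use constructed placeholder values rather than real indicators.

```python
"""Toy Diamond Model event store: link events into activity threads and pivot on a feature.
Added illustration for this summary; names and sample data are constructed, not real."""
from dataclasses import dataclass
from collections import defaultdict, deque
from typing import List, Tuple


# Each Diamond Model event carries the four core features plus a timestamp
# and the kill-chain phase it belongs to (the "enhancement" relationship).
@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    timestamp: str        # ISO-8601, when the event occurred
    adversary: str        # who was responsible ("unknown" until attributed)
    capability: str       # tool/exploit used, e.g. a malware family or sample hash
    infrastructure: str   # resource used to launch, or targeted, e.g. a C2 domain
    victim: str           # targeted entity (host, person, network)
    phase: str            # kill-chain phase this event sits in

    def features(self) -> List[Tuple[str, str]]:
        """Return the (feature_name, value) pairs that can be shared across events."""
        return [("adversary", self.adversary), ("capability", self.capability),
                ("infrastructure", self.infrastructure), ("victim", self.victim)]


def build_feature_index(events):
    """Map each (feature, value) to the ids of events carrying it; this is what pivoting walks."""
    index = defaultdict(set)
    for ev in events:
        for name, value in ev.features():
            if value.lower() == "unknown":
                continue  # an unresolved feature must not link events together
            index[(name, value)].add(ev.event_id)
    return index


def pivot(events, feature_name, value):
    """Pivot: from one known feature value, return every event sharing it, oldest first."""
    ids = build_feature_index(events).get((feature_name, value), set())
    return sorted((ev for ev in events if ev.event_id in ids), key=lambda e: e.timestamp)


def activity_threads(events, link_on=("capability", "infrastructure")):
    """Group events into activity threads: connected components over shared feature values.
    Only the features in link_on create links; victim is excluded by default because two
    incidents hitting the same victim do not by themselves indicate one campaign."""
    index = build_feature_index(events)
    by_id = {ev.event_id: ev for ev in events}
    adjacency = defaultdict(set)
    for (name, _value), ids in index.items():
        if name in link_on:
            for a in ids:
                adjacency[a].update(ids - {a})
    seen, threads = set(), []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.event_id in seen:
            continue
        # breadth-first walk: one connected component is one activity thread
        component, queue = [], deque([ev.event_id])
        seen.add(ev.event_id)
        while queue:
            cur = queue.popleft()
            component.append(by_id[cur])
            for nxt in adjacency[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        threads.append(sorted(component, key=lambda e: e.timestamp))
    return threads


def thread_summary(thread):
    """Describe a thread: kill-chain phases it fills in, attributed adversaries, victims."""
    return {
        "phases": sorted({e.phase for e in thread}),
        "adversaries": sorted({e.adversary for e in thread if e.adversary.lower() != "unknown"}),
        "victims": sorted({e.victim for e in thread}),
    }


# Constructed sample events (placeholder values, not real indicators or groups).
SAMPLE_EVENTS = [
    DiamondEvent("e1", "2025-01-10T08:00", "unknown", "loader-family-A", "c2.example.test", "finance-ws-01", "delivery"),
    DiamondEvent("e2", "2025-01-10T09:30", "unknown", "loader-family-A", "c2.example.test", "finance-ws-01", "c2"),
    DiamondEvent("e3", "2025-02-02T14:15", "unknown", "loader-family-A", "cdn-relay.example.test", "hr-ws-07", "delivery"),
    DiamondEvent("e4", "2025-02-03T02:00", "GROUP-PLACEHOLDER", "credential-dumper-B", "cdn-relay.example.test", "dc-01", "actions"),
    DiamondEvent("e5", "2025-03-12T11:45", "unknown", "phish-kit-C", "login.example.test", "sales-ws-03", "delivery"),
]

if __name__ == "__main__":
    for t in activity_threads(SAMPLE_EVENTS):
        print([e.event_id for e in t], thread_summary(t))
    print([e.event_id for e in pivot(SAMPLE_EVENTS, "infrastructure", "cdn-relay.example.test")])
```

Running it shows the point of the model: the January and February incidents share a malware family, and the February incidents share relay infrastructure, so four events that started as separate tickets collapse into one thread that now covers delivery, C2 and actions-on-objectives and carries the adversary attributed in only one of them; the March phishing event stays a separate thread until some feature links it.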
Notable Quotes & Moments
- Rick Howard on Model Purpose:
“The Diamond Model allowed security analysts to attribute with high confidence that Sandworm penetrated Ukraine's government networks.”
— Rick Howard [02:30]
- On Correlating Events:
“These activity threads connect the two incidents together, may indicate that the attacks have originated from the same adversary, and implies a much broader campaign against your network.”
— Rick Howard [04:57]
- On Threat Actor Naming:
“In simpler terms, this process is how we get all of those colorful names that splash across as headlines in the CyberSecurity news space.”
— Rick Howard [05:41]
- On Enhancement, Not Replacement:
“It’s an enhancement. The Diamond Model’s atomic element, the event, with its four core features, is present at each phase of the intrusion kill chain.”
— Rick Howard [05:19]
Important Timestamps
- [02:01] – Introduction and history of the Diamond Model
- [03:00] – Attack graphs, attack trees, and the need for formal models
- [04:38] – Application of the Diamond Model in practice; building activity threads
- [05:41] – How named adversary groups are tracked and attributed using the model
- [06:16] – Deep dive: What constitutes a Diamond Model event, explained by Andy Pendergast
- [07:27] – Closing credits
Summary Flow & Relevance
The episode offers a concise yet thorough journey through the Diamond Model, demystifying its purpose, construction, and everyday application for cybersecurity professionals. By connecting theory to high-profile cases and operational processes, the discussion reinforces the value of robust, structured analysis tools in defending against evolving cyber threats. Listeners unfamiliar with the model will gain a clear understanding of how modern defenders track, connect, and thwart adversaries—and why names like “APT10” exist in the first place.