Podcast Host
You're listening to the CyberWire network.
Cybersecurity Expert
Powered by N2K.
Podcast Host
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals, and in 2029 certificates will expire every 47 days, demanding between eight and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day, that's cyberark.com, the numbers 47day.
Rick Howard
The word is the diamond model, spelled diamond as in the shape of, and model as in a representation to show the construction of something. A cyber threat intelligence analysis model that defines relationship pairs between four core components, in the shape of a diamond, of adversary playbook activity across the intrusion kill chain: the adversary, their capability, the infrastructure used or attacked, and the victim. Example sentence: the diamond model allowed security analysts to attribute with high confidence that Sandworm penetrated Ukraine's government networks. Context: Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, who in 2011 were working for the U.S. Department of Defense, published their paper, The Diamond Model of Intrusion Analysis, in which they laid out a methodology to describe how cyber adversaries use their capabilities and infrastructure against victims. The authors were riffing off something called attack trees, originally proposed by cybersecurity luminary and thought leader Bruce Schneier. Schneier's idea was that attack graphs attempt to generate all possible attack paths and vulnerabilities for a given set of protected resources to determine the most cost-effective defense and the greatest degree of protection. It's a terrific idea, but it didn't scale. The diamond model authors attempted to formalize the language around cyber incidents, and it was a first step to improve that situation. In their model, they build activity threads that combine intelligence and traditional attack graphs into activity-attack graphs by merging traditional vulnerability analysis with knowledge of adversary activity. As analysts collect intelligence using the diamond model, the kill chain becomes more complete with data for all the incidents. At a certain point, analysts might note that the diamond model event for the delivery phase and the command and control phase in incident one is remarkably similar to the events captured in incident two.
These activity threads connect the two incidents together, may indicate that the attacks have originated from the same adversary, and imply a much broader campaign against your network. According to the paper, the diamond model's events can then be correlated across activity threads to identify adversary campaigns and coalesced into activity groups to identify similar events and threats which share common features. In simpler terms, this process is how we get all of those colorful names that splash across the headlines in the cybersecurity news space. For example, "Chinese APT10 hackers use ZeroLogon exploits against Japanese orgs," or "Ferocious Kitten: six years of covert surveillance in Iran," or "The Lazarus Group may have been behind the 2009 attacks on European targets." To be clear, the diamond model is not an alternative to the Lockheed Martin kill chain model or the MITRE ATT&CK framework. It's an enhancement. The diamond model's atomic element, the event, with its four core features, is present at each phase of the intrusion kill chain. From the diamond model paper, quote: "The kill chain provides a highly effective and influential model of adversary operations which directly informs mitigation decisions. Our model integrates their phased approach and complements kill chain analysis by broadening the perspective, which provides needed granularity and the expression of complex relationships amongst intrusion activity." End quote. Nerd reference: in 2020, Andy Pendergast, now working for ThreatConnect, gave a presentation about the evolution of the diamond model.
Cybersecurity Expert
We look at the diamond as an event. Every diamond has some time that the event occurred. It has some person that was responsible for the event, the adversary; some capability that they leveraged, be that a piece of malware that exploits a certain vulnerability, or a tool used to move laterally, whatever the case may be. And they have some infrastructure that they used, some point of presence either on the Internet or within the victim's network to carry out that capability, or that they carried out that capability on. And then every event has something that's affected, something that's being targeted, and that's the victim. And we can track those as personas, network addresses, email addresses for the victims as well. What we originally used this for was pivoting across each one. So if I could track a capability, if I had a signature for malware activity, then I might be able to find infrastructure used by the same or similar groups also using that capability in different places.
Rick Howard
Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrick and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Podcast Host
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Host: N2K Networks
Release Date: September 16, 2025
Theme: Deception, influence, and social engineering in cybercrime – Unpacking the Diamond Model for Intrusion Analysis
This episode of “Hacking Humans” delves into the Diamond Model—a cyber threat intelligence framework designed to better understand, attribute, and track cyber adversary activity. The discussion centers on how this model formalizes the relationships among attackers, their tactics, and victims, and how it enhances existing models like the kill chain and MITRE ATT&CK. The episode contextualizes the model’s history, clarifies how analysts use it, and highlights its continued relevance in tracking modern threat actors.
[02:01] Rick Howard:
“A cyber threat intelligence analysis model that defines relationship pairs between four core components in the shape of a diamond: the adversary, their capability, the infrastructure used or attacked, and the victim.”
— Rick Howard [02:01]
“As analysts collect intelligence using the Diamond Model, the kill chain becomes more complete with data for all the incidents.”
— Rick Howard [04:38]
“To be clear, the Diamond Model is not an alternative to the Lockheed Martin kill chain model or the MITRE attack framework. It’s an enhancement.”
— Rick Howard [05:17]
[06:16] Guest Cybersecurity Expert (Andy Pendergast, paraphrased):
“Every diamond has some time that the event occurred. It has some person that was responsible for the event, the adversary; some capability that they leveraged… some infrastructure that they used… And then every event has something that's affected, something that's being targeted, and that's the victim.”
— Cybersecurity Expert [06:16]
Rick Howard on Model Purpose:
“The Diamond Model allowed security analysts to attribute with high confidence that Sandworm penetrated Ukraine's government networks.” [02:30]
On Correlating Events:
“These activity threads connect the two incidents together, may indicate that the attacks have originated from the same adversary, and implies a much broader campaign against your network.”
— Rick Howard [04:57]
On Threat Actor Naming:
“In simpler terms, this process is how we get all of those colorful names that splash across as headlines in the CyberSecurity news space.”
— Rick Howard [05:41]
On Enhancement, Not Replacement:
“It’s an enhancement. The Diamond Model’s atomic element, the event, with its four core features, is present at each phase of the intrusion kill chain.”
— Rick Howard [05:19]
The episode offers a concise yet thorough journey through the Diamond Model, demystifying its purpose, construction, and everyday application for cybersecurity professionals. By connecting theory to high-profile cases and operational processes, the discussion reinforces the value of robust, structured analysis tools in defending against evolving cyber threats. Listeners unfamiliar with the model will gain a clear understanding of how modern defenders track, connect, and thwart adversaries—and why names like “APT10” exist in the first place.
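The pivoting Pendergast describes (from a known capability signature to the infrastructure and victims seen with it) and the activity-thread correlation Howard describes (matching delivery and command-and-control events across incidents) can be made concrete in a few lines of Python. This is an added example, not code from the episode or the Diamond Model paper; the field names, the matching rule and every sample value are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond Model event: a timestamped point in the kill chain
    carrying the four core features (field names are this example's own)."""
    incident: str
    phase: str           # intrusion kill chain phase the event sits in
    timestamp: str
    adversary: str       # who did it (often "unknown" early in analysis)
    capability: str      # malware family, tool or exploit that was used
    infrastructure: str  # point of presence used to deliver the capability
    victim: str          # persona, host or address that was affected


CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")

# Constructed sample data: three hypothetical incidents. Addresses use the
# documentation ranges and reserved names; nothing here is a real indicator.
EVENTS = [
    DiamondEvent("incident-1", "delivery", "2024-03-01T09:12Z", "unknown",
                 "malware-sig-0x41", "198.51.100.7", "alice@example.test"),
    DiamondEvent("incident-1", "command-and-control", "2024-03-01T10:05Z",
                 "unknown", "rat-family-a", "c2.invalid", "ws-0117"),
    DiamondEvent("incident-2", "delivery", "2024-04-11T14:40Z", "unknown",
                 "malware-sig-0x41", "198.51.100.7", "bob@example.test"),
    DiamondEvent("incident-2", "command-and-control", "2024-04-11T15:22Z",
                 "unknown", "rat-family-a", "c2.invalid", "ws-0342"),
    DiamondEvent("incident-3", "delivery", "2024-05-02T08:00Z", "unknown",
                 "maldoc-kit-b", "203.0.113.9", "carol@example.test"),
]


def pivot(events, feature, value, target):
    """Pivot across the diamond: from one known feature value (e.g. a
    capability signature) to every value of another feature seen with it."""
    if feature not in CORE_FEATURES or target not in CORE_FEATURES:
        raise ValueError("pivot only across the four core features")
    return sorted({getattr(e, target) for e in events
                   if getattr(e, feature) == value})


def activity_threads(events):
    """Group events by (phase, capability, infrastructure) and keep the keys
    shared by more than one incident. Requiring both features to match in
    the same phase is this example's threshold, not the paper's own rule."""
    buckets = defaultdict(set)
    for e in events:
        buckets[(e.phase, e.capability, e.infrastructure)].add(e.incident)
    return {key: sorted(incs) for key, incs in buckets.items() if len(incs) > 1}


def linked_incidents(events):
    """Incidents connected by at least one shared activity thread."""
    return sorted({inc for incs in activity_threads(events).values() for inc in incs})
```

Run against the sample data, `linked_incidents(EVENTS)` ties incidents 1 and 2 together through both their delivery and command-and-control events while incident 3 stays unlinked, which is the "same adversary, broader campaign" signal the transcript describes.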