Combining the Diamond Model, Kill Chain, and ATT&CK

Diamond Model, Kill Chain, and ATT&CK

Diamond Model, Kill Chain, and MITRE ATT&CK, oh my! So many models to choose from. Luckily, you do not have to choose. These three seminal cybersecurity and intrusion analysis models are not conflicting; in fact, they are complementary, and you use all three – together.

The Diamond Model is for analysts to hunt, pivot, analyze, group, and structure mitigation for intrusions. (Diamond Model of Intrusion Analysis)

The Kill Chain is a phase-structured model for detection and defense-in-depth against adversary operations, ensuring a broadly capable cybersecurity defense. (Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains)

The MITRE ATT&CK framework classifies adversary tactics and techniques to “convey threat intelligence, perform testing through red teaming or adversary emulation, and improve network and system defenses against intrusions.” (MITRE ATT&CK™: Design and Philosophy)

Each model has different, but interrelated, use cases, and by combining them an organization can build a more effective cyber defense program. Here are some examples of how you can combine these models:

Diamond “Phase” Meta-feature Maps Malicious Events to the Kill Chain

As analysts discover malicious activity using the Diamond Model’s 720 hunting strategies, they can organize the activity by Kill Chain phase using the Diamond Model “phase” meta-feature. Importantly, Diamond Model Axiom 4 states, “every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result.” For most analysts, the Kill Chain is the intrusion phase model they use to organize malicious events.

Diamond Activity Thread Analysis Uses the Kill Chain Phase Ordering

Analysts naturally form Diamond Model Activity Threads when associating events. An Activity Thread is a Kill Chain phase-ordered, causally linked set of malicious events, which helps analysts identify intelligence gaps and form new hypotheses.

MITRE ATT&CK Tactics are Kill Chain Phases

The ATT&CK framework classifies malicious activity into tactics and techniques. The ATT&CK tactics are a phase-ordered Kill Chain. While ATT&CK uses different phases in its framework from those in the original Kill Chain paper (as do many organizations and analysts), the specific phases are not the defining feature of the Kill Chain; the approach and methodology are.

MITRE ATT&CK Techniques Describe the Diamond Model “Methodology” Meta-feature

The Diamond Model long lacked a consistent and effective taxonomy for classifying malicious behavior and methodology until MITRE ATT&CK arrived, even though the model had a “placeholder” for such a momentous occasion. Analysts can use the Diamond Model “methodology” meta-feature to classify the behavior of each event for further analysis and inclusion in detection and mitigation strategies.

Threat Hunting with the Diamond Model Yields New ATT&CK Tactics and Techniques

The ATT&CK taxonomy requires that analysts have previously discovered and analyzed a malicious technique prior to its inclusion in ATT&CK. Using the Diamond Model’s threat hunting “approaches” and threat hunting strategies, analysts can more efficiently find new threats for ATT&CK classification. Anyone is welcome to submit new ATT&CK tactics and techniques here.

In summary, make sure you are using the full features of these models together to maximize cyber defense operations:

  • Diamond Model malicious events are mapped to the Kill Chain using the “phase” meta-feature, which is also the ATT&CK tactic.
  • Diamond Model malicious events are mapped to ATT&CK techniques using the “methodology” meta-feature.
  • Diamond Model Activity Threads use the Kill Chain analysis to develop defense and detection-in-depth strategies including “vertical correlation” for hunting hypothesis development.
  • ATT&CK tactics are a phase-ordered Kill Chain.
  • Analysts threat hunting with the Diamond Model approaches and strategies will find new malicious techniques to complete the ATT&CK taxonomy.
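The five mappings above can be made concrete in code. The following is an added example, not code from the article or from any of the three models' authors: it represents a Diamond Model event with its four core features plus the “phase” and “methodology” meta-features, orders events into an Activity Thread by Kill Chain phase, enforces Axiom 4 (two or more phases, causally linked in succession), reports the phases with no observed event as hunting hypotheses, and groups ATT&CK techniques under their tactic for a detection-coverage view. The Kill Chain phase names are those of the original Lockheed Martin paper; the sample events and their adversary, capability, infrastructure and victim values are constructed, and the ATT&CK technique ids are real public ids used only as illustrative labels.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kill Chain phases, in order. The article notes ATT&CK tactics are also a
# phase-ordered Kill Chain, so this list could be replaced with tactic names
# without changing any of the logic below.
KILL_CHAIN: List[str] = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command-and-control", "actions-on-objectives",
]
PHASE_INDEX: Dict[str, int] = {p: i for i, p in enumerate(KILL_CHAIN)}


@dataclass
class DiamondEvent:
    """One Diamond Model event: four core features plus the two meta-features
    the article maps onto the Kill Chain and ATT&CK."""
    event_id: str
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    phase: str          # "phase" meta-feature: Kill Chain phase / ATT&CK tactic
    methodology: str    # "methodology" meta-feature: ATT&CK technique id
    timestamp: int      # seconds since epoch, orders events within one phase
    preceded_by: Optional[str] = None  # causal link to an earlier event_id


def build_activity_thread(events: List[DiamondEvent]) -> List[DiamondEvent]:
    """Order events into an Activity Thread (phase first, time second) and
    reject threads that violate Axiom 4 or link causally backwards."""
    by_id = {e.event_id: e for e in events}
    phases = {e.phase for e in events}
    unknown = phases - set(PHASE_INDEX)
    if unknown:
        raise ValueError(f"unknown phase(s): {sorted(unknown)}")
    # Axiom 4: malicious activity spans two or more phases executed in succession.
    if len(phases) < 2:
        raise ValueError("an activity thread needs events in at least two phases")
    thread = sorted(events, key=lambda e: (PHASE_INDEX[e.phase], e.timestamp))
    for e in thread:
        if e.preceded_by is None:
            continue
        prev = by_id.get(e.preceded_by)
        if prev is None:
            raise ValueError(f"{e.event_id} links to unknown event {e.preceded_by}")
        if PHASE_INDEX[prev.phase] > PHASE_INDEX[e.phase]:
            raise ValueError(
                f"{e.event_id} cannot be caused by later-phase event {prev.event_id}")
    return thread


def intelligence_gaps(thread: List[DiamondEvent]) -> List[str]:
    """Phases between the first and last observed phase with no event.
    Each gap is a hunting hypothesis: the adversary had to do something there."""
    seen = {e.phase for e in thread}
    lo = min(PHASE_INDEX[p] for p in seen)
    hi = max(PHASE_INDEX[p] for p in seen)
    return [p for p in KILL_CHAIN[lo:hi + 1] if p not in seen]


def techniques_by_tactic(thread: List[DiamondEvent]) -> Dict[str, List[str]]:
    """Group ATT&CK techniques (methodology) under their tactic (phase), the
    per-phase coverage view a detection engineer wants."""
    out: Dict[str, List[str]] = {}
    for e in thread:
        bucket = out.setdefault(e.phase, [])
        if e.methodology not in bucket:
            bucket.append(e.methodology)
    return out


# Constructed sample events (not from the article). Listed deliberately out
# of order to show the thread builder imposing Kill Chain ordering.
SAMPLE_EVENTS = [
    DiamondEvent("ev-3", "actor-x", "beacon.exe", "203.0.113.10", "host-7",
                 "command-and-control", "T1071.001", 1700000600, preceded_by="ev-2"),
    DiamondEvent("ev-1", "actor-x", "lure.docx", "mail-relay.example", "host-7",
                 "delivery", "T1566.001", 1700000000),
    DiamondEvent("ev-2", "actor-x", "lure.docx", "mail-relay.example", "host-7",
                 "exploitation", "T1204.002", 1700000300, preceded_by="ev-1"),
]

if __name__ == "__main__":
    thread = build_activity_thread(SAMPLE_EVENTS)
    for e in thread:
        print(f"{e.phase:<22} {e.methodology:<10} {e.event_id}")
    print("gaps (hunt here):", intelligence_gaps(thread))
    print("coverage by tactic:", techniques_by_tactic(thread))
```

Run as a script, the thread comes out as delivery, exploitation, command-and-control, and the gap report names installation: nothing was observed for that phase, yet the beacon exists, so an installation event is the hypothesis to hunt next (the “vertical correlation” the summary mentions). The coverage dictionary is the starting point for asking which ATT&CK techniques per phase have detections in place.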

All three models work together to enable the development of comprehensive hunting, detection, defense, and mitigation strategies. We will discuss how these models can be used cooperatively in strategy development, and why it is no coincidence these models are so well intertwined, in future Moderately Confident posts. Stay tuned!

Diamond Model of Intrusion Analysis Course

This topic and dozens more are covered in the Diamond Model of Intrusion Analysis course.
