Rob MacGregor at PwC in “Diamonds or chains” asked: do you choose the Diamond Model or the Kill Chain? I get asked this question often. The question assumes that the models are mutually exclusive when, in fact, they are not only complementary but interconnected. Both models express fundamental elements of network exploitation in methods usable by network defenders. You can’t expect complete intelligence or network defense without using both the Diamond Model and the Kill Chain.
Most understand that the Diamond Model expresses the first axiom encompassing the basic components of any malicious event: “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.” However, most readers stop there, at page 15 – only 25% of the model.
Adversaries don’t just conduct one activity and move on – no, they must conduct several in a phased approach each successfully completing before the next. As expressed on page 15 via Axiom 4: “Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result.” Axiom 4 effectively describes the Intrusion Kill Chain (section 3.2 of the Kill Chain). Therefore, Events interconnect via Activity Threads which describe campaigns.
One may notice a great similarity between the figure describing key campaign indicators (Kill Chain pg. 8) and the Activity Threads illustration (Diamond Model pg. 31). The two approaches interconnect at this point!
Dependent Events (each composed of an adversary, capability, infrastructure, and victim) create Activity Threads across the Kill Chain. These threads compose (using key campaign indicator analysis) adversary campaigns. Ta Da! The first interconnection between the two models.
The Diamond Model and Kill Chain analysis are highly complementary. Kill Chain analysis allows an analyst “to target and engage an adversary to create desired effects.” (Kill Chain pg. 4) The Diamond allows analysts to develop tradecraft and understanding to build and organize the knowledge necessary to execute the Kill Chain analysis.
- Once an analyst develops an activity thread, courses of action for each event along the thread can be identified using the Kill Chain’s course of action matrix. As illustrated in the figures, courses of action for each of the Kill Chain stages are identified for activity threads. The power of the Diamond Model is that courses of action can be designed to span multiple victims and across the activity of an adversary making the actions even more powerful as they further reduce the capacity of the adversary.
- Activity groups clustered by same likely adversary (i.e., clustering by attribution) with analysis of the largest common feature set amongst the events in a group can provide the Kill Chain’s required key campaign indicators necessary to focus and prioritize courses of actions.
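To make the interconnection concrete, here is an added Python illustration (not code from the original post, nor from either paper). It models Diamond events that each carry a Kill Chain phase, builds Activity Threads per victim, checks where a thread stops under Axiom 4, clusters events into activity groups by adversary, derives per-phase key campaign indicators as the largest common feature set across victims in a group, and looks up courses of action for each phase a thread reaches. The sample events, the domain names and IP address, and the contents of the course-of-action matrix are all constructed; the matrix uses the Kill Chain paper's Detect/Deny/Disrupt/Degrade action types, but its cell entries are assumptions, not the paper's table.

```python
from collections import defaultdict
from dataclasses import dataclass

# Kill Chain phases in order (Hutchins, Cloppert, Amin).
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed course-of-action matrix: phase -> action type -> example control.
# Action types follow the Kill Chain paper; the cell contents are sample assumptions.
COA_MATRIX = {
    "delivery": {"detect": "mail gateway alert", "deny": "attachment filtering",
                 "disrupt": "inline antivirus"},
    "exploitation": {"detect": "host IDS", "deny": "patching", "disrupt": "DEP"},
    "command_and_control": {"detect": "network IDS", "deny": "firewall ACL",
                            "disrupt": "network IPS", "degrade": "tarpit"},
}


@dataclass(frozen=True)
class Event:
    """One Diamond event: adversary, capability, infrastructure, victim, plus phase and result."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    phase: str
    result: str  # "success" or "failure"


# Constructed sample events (deliberately out of phase order for victim-1).
SAMPLE_EVENTS = [
    Event("adversary-A", "beacon.dll", "c2.example.test", "victim-1", "command_and_control", "success"),
    Event("adversary-A", "phishing-doc", "mail.example.test", "victim-1", "delivery", "success"),
    Event("adversary-A", "macro-dropper", "mail.example.test", "victim-1", "exploitation", "success"),
    Event("adversary-A", "phishing-doc", "mail.example.test", "victim-2", "delivery", "success"),
    Event("adversary-A", "macro-dropper", "cdn.example.test", "victim-2", "exploitation", "failure"),
    Event("adversary-B", "port-scanner", "203.0.113.5", "victim-3", "reconnaissance", "success"),
]


def build_activity_threads(events):
    """Group events per victim and order them along the Kill Chain (an Activity Thread)."""
    threads = defaultdict(list)
    for e in events:
        threads[e.victim].append(e)
    return {v: sorted(es, key=lambda e: KILL_CHAIN.index(e.phase)) for v, es in threads.items()}


def last_completed_phase(thread):
    """Axiom 4: phases must succeed in succession. Returns (last successful phase, phase where
    the thread broke or None)."""
    last = None
    for e in thread:
        if e.result != "success":
            return last, e.phase
        last = e.phase
    return last, None


def cluster_activity_groups(events):
    """Cluster events into activity groups by attributed adversary."""
    groups = defaultdict(list)
    for e in events:
        groups[e.adversary].append(e)
    return dict(groups)


def key_campaign_indicators(group):
    """Per phase, the (feature, value) pairs common to every victim's event at that phase:
    the largest common feature set, i.e. the Kill Chain's key campaign indicators."""
    per_phase = defaultdict(list)
    for e in group:
        per_phase[e.phase].append({("capability", e.capability),
                                   ("infrastructure", e.infrastructure)})
    # A phase seen against only one victim gives no cross-victim indicator.
    return {phase: set.intersection(*fs) for phase, fs in per_phase.items() if len(fs) >= 2}


def courses_of_action(thread):
    """Defender options, from the matrix, for each phase an Activity Thread reaches."""
    return {e.phase: COA_MATRIX.get(e.phase, {}) for e in thread}


def campaign_courses_of_action(group):
    """Courses of action keyed on indicators shared across victims, so one action spans the
    adversary's whole activity rather than a single intrusion."""
    return {phase: {"indicators": sorted(ind), "actions": COA_MATRIX.get(phase, {})}
            for phase, ind in key_campaign_indicators(group).items()}


if __name__ == "__main__":
    groups = cluster_activity_groups(SAMPLE_EVENTS)
    for adversary, group in groups.items():
        print(adversary, campaign_courses_of_action(group))
    for victim, thread in build_activity_threads(SAMPLE_EVENTS).items():
        print(victim, [e.phase for e in thread], last_completed_phase(thread))
```

Running the module prints, for each adversary, the phases where shared indicators exist and the matching actions, and for each victim the ordered thread and where it stopped; victim-2's thread breaks at exploitation, so the defender's campaign-wide action on the shared delivery indicators covers both victims at once.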
In the end, don’t ask: do we use the Diamond Model or the Kill Chain. Instead ask: are you using them both effectively?