Diamond Model of Intrusion Analysis
Dive deep with the Diamond Model's principal creator and learn how to improve your security analysis and security operations through the application of the Diamond Model.
Time Commitment: Approximately 12-14 hours
The Diamond Model of Intrusion Analysis is a landmark cybersecurity work and is recognized by the community as one of the key resources every cybersecurity analyst should understand. This course is for cybersecurity analysts at all experience levels.
Taught by the primary Diamond Model creator, this is the definitive course on the subject. Structured as a rigorous graduate course with a significant amount of related readings, thought exercises, practical exercises, and regular quizzes, this course will take an analyst at any level and grow their capabilities.
After this course analysts will have a fresh and advanced perspective on every analytic problem and task.
The course concludes with a final exam of 30 questions that requires a grade of 70% or better to pass. A passing grade certifies the student in Diamond Model analysis and earns an associated certificate.
The course material and exam are available to students for 30 days after purchase.
Welcome Letter
How to use this course
Intro Survey
The Diamond Model Introduction
Optional: Read "Stalking the Wily Hacker"
Optional: Watch Cuckoo's Egg Presentation by Cliff Stoll
Optional: 36C3 - The KGB Hack: 30 Years Later [Cuckoo's Egg Follow-up]
Optional: Read Psychology of Intelligence Analysis
Read Diamond Model Sections 1-3 pages 1-8
Diamond Model Overview
Test your learning
Prerequisite: Read Section 4 pages 8-19
Diamond Model Event
Diamond Meta-Features
Test your learning
Read Diamond Model Section 5 pages 19-24
Extended Diamond Model Overview and Social-Political Feature
Persistence and Victimology
Technology Diamond Feature
Test your learning
Read Diamond Model Section 7 pages 26-30
Pivoting and Threat Hunting
Victim-Centered Approach
Building Hunting Strategies
Read and Respond: Gh0st in the Shell
Exercise: Gh0st in the Shell
Capability-Centered Approach
Optional: Read Kaspersky "Red October" Report
Read and Respond: W32.Duqu
Exercise: W32.Duqu
Infrastructure-Centered Approach
Read and Respond: Command and Control in the Fifth Domain
Exercise: C5 APT SKHack
Adversary-Centered Approach
Read: Fancy Bear Cam
Read: Unplugged! The biggest hack in history
Exercise: Phonemasters
Social-Political-Centered Approach
Read "An Evening with Berferd"
Read: "Before the Gunfire, Cyberattacks"
Read: "Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches"
Technology-Centered Approach
Read: Passive Monitoring of DNS Anomalies
Exercise: DNS Anomalies
Test your learning
Read: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
Kill Chain Overview
Read: MITRE ATT&CK™: Design and Philosophy
ATT&CK Overview
Integrating Diamond-Kill Chain-ATT&CK
Test your learning
Read Diamond Model Section 8 pages 30-40
Activity Threads Overview
Building an Activity Thread
Read: "A Requires/Provides Model for Computer Attacks" by Templeton and Levitt
Walk Through Example: Building an Activity Thread
Exercise: Build an Activity Thread
Exercise Answers: Build an Activity Thread
Vertical and Horizontal Correlation
Adversary Process
Analytic Hypotheses
Read: "Attack Trees" by Bruce Schneier
Activity-Attack Trees
Test your learning
Read Diamond Model Section 9 pages 40-50
Activity Group Overview
Activity Group Lifecycle
Optional: Read Attributing Cyber Attacks
Attribution
Read: The Power of Names by Adam Alter at the New Yorker
Naming
Going Beyond: Activity Group Families
Test your learning
Read Diamond Model Sections 10-11 pages 51-60
Disruption Strategies
Test your learning
Exam
Congrats! Here's what's next...
More resources for you
Before you go...
Sergio Caltagirone
Sergio Caltagirone has not only made what is within the original paper very digestible, but he also further expands upon the key concepts of the diamond model. I have read the paper a handful of times before this course. Coming out of it, I can confidently say that my understanding of the diamond model has deepened and I will be implementing some of the key takeaways that I have gained within our CTI team.
I started the course because I was always interested in the Diamond Model but never read the complete paper, only the summary document. The combination of split reading the document in several sessions, additionally reading other really good and relevant papers, and finally explaining everything in between in short videos is a perfect way to teach and learn. Seeing how this model can be used together with the Cyber Kill Chain and the MITRE ATT&CK framework and how they complement each other is really great. Attending this course was fun and boosted my level of knowledge.
One of the best courses I have ever taken in my career. Totally disruptive!!!