About this Course

Time Commitment: Approximately 12-14 hours

The Diamond Model of Intrusion Analysis is a landmark cybersecurity work and recognized by the community as one of the key resources for all cybersecurity analysts to understand.  This course is for all cybersecurity analyst experience levels.

Taught by the primary Diamond Model creator, this is the definitive course on the subject.  Structured as a rigorous graduate course with a significant amount of related readings, thought exercises, practical exercises, and regular quizzes, this course will take an analyst at any level and grow their capabilities and abilities.

After this course analysts will have a fresh and advanced perspective on every analytic problem and task.

  • Understand and gather key analytic requirements
  • Define achievable and testable analytic problems
  • Enrich knowledge and intelligence with external sources
  • Hunt threats using 720 different techniques
  • Integrate the Diamond Model, Cyber Kill Chain, and MITRE ATT&CK framework to understand any cyber threat
  • Correlate malicious events across incidents to identify campaigns
  • Define new threat groups
  • Attribute threat groups using correlation
  • Identify and fill detection gaps
  • Measure detection coverage
  • Create effective detection and mitigation strategies to better protect any organization
  • Disrupt malicious activity using 12 new strategies

The course concludes with a final exam of 30 questions requiring a 70% or better passing grade. A passing grade will result in certifying the student in Diamond Model analysis and an associated certificate.

The course material and exam is available to students for 30 days after purchase.

Course curriculum

  • 1

    Welcome to the Threat Intelligence Academy

    • Welcome Letter

  • 2

    Course Structure and Introduction

    • How to use this course

  • 4

    Diamond Model Overview

    • Read Diamond Model Sections 1-3 pages 1-8

    • Diamond Model Overview

    • Test your learning

  • 5

    Diamond Model Event

    • Prerequisite: Read Section 4 pages 8-19

    • Diamond Model Event

    • Diamond Meta-Features

    • Test your learning

  • 6

    Extended Diamond Model

    • Read Diamond Model Section 5 pages 19-24

    • Extended Diamond Model Overview and Social-Political Feature

    • Persistence and Victimology

    • Technology Diamond Feature

    • Test your learning

  • 7

    Threat Hunting Using the Diamond Model

    • Read Diamond Model Section 7 pages 26-30

    • Pivoting and Threat Hunting

    • Victim-Centered Approach

    • Building Hunting Strategies

    • Read and Respond: Gh0st in the Shell

    • Exercise: Gh0st in the Shell

    • Capability-Centered Approach

    • Optional: Read Kaspersky "Red October" Report

    • Read and Respond: W32.Duqu

    • Exercise: W32.Duqu

    • Infrastructure-Centered Approach

    • Read and Respond: Command and Control in the Fifth Domain

    • Exercise: C5 APT SKHack

    • Adversary-Centered Approach

    • Read: Fancy Bear Cam

    • Read: Unplugged! The biggest hack in history

    • Exercise: Phonemasters

    • Social-Political-Centered Approach

    • Read "An Evening with Berferd"

    • Read: "Before the Gunfire, Cyberattacks"

    • Read: "Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches"

    • Technology-Centered Approach

    • Read: Passive Monitoring of DNS Anomalies

    • Exercise: DNS Anomalies

    • Test your learning

  • 8

    Diamond, Kill Chain, and ATT&CK

    • Read: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

    • Kill Chain Overview

    • Read: MITRE ATT&CK™: Design and Philosophy

    • ATT&CK Overview

    • Integrating Diamond-Kill Chain-ATT&CK

    • Test your learning

  • 9

    Correlating Activity with Activity Threads

    • Read Diamond Model Section 8 pages 30-40

    • Activity Threads Overview

    • Building an Activity Thread

    • Read: "A Requires/Provides Model for Computer Attacks" by Templeton and Levitt

    • Walk Through Example: Building an Activity Thread

    • Exercise: Build an Activity Thread

    • Exercise Answers: Build an Activity Thread

    • Vertical and Horizontal Correlation

    • Adversary Process

    • Analytic Hypotheses

    • Read: "Attack Trees" by Bruce Schneier

    • Activity-Attack Trees

    • Test your learning

  • 10

    Create Clusters using Activity Groups

    • Read Diamond Model Section 9 pages 40-50

    • Activity Group Overview

    • Activity Group Lifecycle

    • Optional: Read Attributing Cyber Attacks

    • Attribution

    • Read: The Power of Names by Adam Alter at the New Yorker

    • Naming

    • Going Beyond: Activity Group Families

    • Test your learning

  • 11

    Disrupting Threat Activity Using the Diamond Model

    • Read Diamond Model Section 10-11 pags 51-60

    • Disruption Strategies

    • Test your learning

  • 12

    Final Examination

    • Exam

  • 13

    Next steps

    • Congrats! Here's what's next...

    • More resources for you

    • Before you go...


Lead Instructor

Sergio Caltagirone

Sergio Caltagirone has been called the "Godfather of Threat Intelligence" having built over a dozen threat intelligence teams in both public and private sector and leading the development of threat intelligence worldwide with hundreds of publications and presentations. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He spent 9 years at the US National Security Agency as their lead threat intelligence analyst hunting and tracking the world's most sophisticated threats. He left NSA to build Microsoft's threat intelligence capability and practice protecting over 1 billion customers from cyber threats. Now, Sergio leads the world's only dedicated industrial control system threat intelligence team at Dragos protecting electric power grids, water systems, oil and gas plants, and manufacturing worldwide. He furthers several humanitarian goals through membership on the International Committee of the Red Cross cybersecurity experts committee and serving as Technical Director for the Global Emancipation Network combating human trafficking on the internet globally.


5 star rating

Great course for both beginners and people who are famili...

Sherman Chu

Sergio Caltagirone has not only made what is within the original paper very digestible, but he also further expands upon the key concepts of the diamond mode...

Read More

Sergio Caltagirone has not only made what is within the original paper very digestible, but he also further expands upon the key concepts of the diamond model. I have read the paper a handful of times before this course. Coming out of it, I can confidently say that my understanding of the diamond model has deepened and will be implementing some of the key takeaways that I have gained within our CTI team.

Read Less
5 star rating

Highly recommended course for all interested or working i...

Timo Jobst

I started the course because I was always interested in the Diamond Model but never read the complete paper only the summary document. The combination of sp...

Read More

I started the course because I was always interested in the Diamond Model but never read the complete paper only the summary document. The combination of split reading the document in several sessions, additionally reading other really good and relevant papers and finally explaining everything in between in short videos is a perfect way to teach and learn. Seeing how this model can be used together with the Cyber Kill Chain and the MITRE ATT&CK framework and how they complement each other is really great. Attending this course was fun and boosted my level of knowledge.

Read Less

Related Courses