Diamond Model of Intrusion Analysis
Dive deep with the Diamond Model's principal creator and learn how to improve your security analysis and security operations through the application of the Diamond Model.
About this Course
Time Commitment: Approximately 12-14 hours
The Diamond Model of Intrusion Analysis is a landmark cybersecurity work and recognized by the community as one of the key resources for all cybersecurity analysts to understand. This course is for all cybersecurity analyst experience levels.
Taught by the primary Diamond Model creator, this is the definitive course on the subject. Structured as a rigorous graduate course with a significant amount of related readings, thought exercises, practical exercises, and regular quizzes, this course will take an analyst at any level and grow their capabilities and abilities.
After this course analysts will have a fresh and advanced perspective on every analytic problem and task.
- Understand and gather key analytic requirements
- Define achievable and testable analytic problems
- Enrich knowledge and intelligence with external sources
- Hunt threats using 720 different techniques
- Integrate the Diamond Model, Cyber Kill Chain, and MITRE ATT&CK framework to understand any cyber threat
- Correlate malicious events across incidents to identify campaigns
- Define new threat groups
- Attribute threat groups using correlation
- Identify and fill detection gaps
- Measure detection coverage
- Create effective detection and mitigation strategies to better protect any organization
- Disrupt malicious activity using 12 new strategies
The course concludes with a final exam of 30 questions requiring a 70% or better passing grade. A passing grade will result in certifying the student in Diamond Model analysis and an associated certificate.
The course material and exam is available to students for 30 days after purchase.
Course curriculum
-
1
Welcome to the Threat Intelligence Academy
-
Welcome Letter
-
-
2
Course Structure and Introduction
-
How to use this course
-
-
3
Diamond Model Introduction
-
Intro Survey
-
The Diamond Model Introduction
FREE PREVIEW -
Optional: Read "Stalking the Wily Hacker"
FREE PREVIEW -
Optional: Watch Cuckoo's Egg Presentation by Cliff Stoll
FREE PREVIEW -
Optional: 36C3 - The KGB Hack: 30 Years Later [Cuckoo's Egg Follow-up]
-
Optional: Read Psychology of Intelligence Analysis
FREE PREVIEW
-
-
4
Diamond Model Overview
-
Read Diamond Model Sections 1-3 pages 1-8
-
Diamond Model Overview
-
Test your learning
-
-
5
Diamond Model Event
-
Prerequisite: Read Section 4 pages 8-19
-
Diamond Model Event
-
Diamond Meta-Features
-
Test your learning
-
-
6
Extended Diamond Model
-
Read Diamond Model Section 5 pages 19-24
-
Extended Diamond Model Overview and Social-Political Feature
-
Persistence and Victimology
-
Technology Diamond Feature
-
Test your learning
-
-
7
Threat Hunting Using the Diamond Model
-
Read Diamond Model Section 7 pages 26-30
-
Pivoting and Threat Hunting
-
Victim-Centered Approach
-
Building Hunting Strategies
-
Read and Respond: Gh0st in the Shell
FREE PREVIEW -
Exercise: Gh0st in the Shell
FREE PREVIEW -
Capability-Centered Approach
-
Optional: Read Kaspersky "Red October" Report
-
Read and Respond: W32.Duqu
-
Exercise: W32.Duqu
-
Infrastructure-Centered Approach
-
Read and Respond: Command and Control in the Fifth Domain
-
Exercise: C5 APT SKHack
-
Adversary-Centered Approach
-
Read: Fancy Bear Cam
-
Read: Unplugged! The biggest hack in history
-
Exercise: Phonemasters
-
Social-Political-Centered Approach
-
Read "An Evening with Berferd"
-
Read: "Before the Gunfire, Cyberattacks"
-
Read: "Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches"
-
Technology-Centered Approach
-
Read: Passive Monitoring of DNS Anomalies
-
Exercise: DNS Anomalies
-
Test your learning
-
-
8
Diamond, Kill Chain, and ATT&CK
-
Read: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
-
Kill Chain Overview
-
Read: MITRE ATT&CK™: Design and Philosophy
-
ATT&CK Overview
-
Integrating Diamond-Kill Chain-ATT&CK
-
Test your learning
-
-
9
Correlating Activity with Activity Threads
-
Read Diamond Model Section 8 pages 30-40
-
Activity Threads Overview
-
Building an Activity Thread
-
Read: "A Requires/Provides Model for Computer Attacks" by Templeton and Levitt
-
Walk Through Example: Building an Activity Thread
-
Exercise: Build an Activity Thread
-
Exercise Answers: Build an Activity Thread
-
Vertical and Horizontal Correlation
-
Adversary Process
-
Analytic Hypotheses
-
Read: "Attack Trees" by Bruce Schneier
-
Activity-Attack Trees
-
Test your learning
-
-
10
Create Clusters using Activity Groups
-
Read Diamond Model Section 9 pages 40-50
-
Activity Group Overview
-
Activity Group Lifecycle
-
Optional: Read Attributing Cyber Attacks
-
Attribution
-
Read: The Power of Names by Adam Alter at the New Yorker
-
Naming
-
Going Beyond: Activity Group Families
-
Test your learning
-
-
11
Disrupting Threat Activity Using the Diamond Model
-
Read Diamond Model Section 10-11 pags 51-60
-
Disruption Strategies
-
Test your learning
-
-
12
Final Examination
-
Exam
-
-
13
Next steps
-
Congrats! Here's what's next...
-
More resources for you
-
Before you go...
-
Instructor(s)
Lead Instructor
Sergio Caltagirone
Sergio Caltagirone has been called the "Godfather of Threat Intelligence" having built over a dozen threat intelligence teams in both public and private sector and leading the development of threat intelligence worldwide with hundreds of publications and presentations. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He spent 9 years at the US National Security Agency as their lead threat intelligence analyst hunting and tracking the world's most sophisticated threats. He left NSA to build Microsoft's threat intelligence capability and practice protecting over 1 billion customers from cyber threats. Now, Sergio leads the world's only dedicated industrial control system threat intelligence team at Dragos protecting electric power grids, water systems, oil and gas plants, and manufacturing worldwide. He furthers several humanitarian goals through membership on the International Committee of the Red Cross cybersecurity experts committee and serving as Technical Director for the Global Emancipation Network combating human trafficking on the internet globally.
Email
Reviews
Great course for both beginners and people who are famili...
Sherman Chu
Sergio Caltagirone has not only made what is within the original paper very digestible, but he also further expands upon the key concepts of the diamond mode...
Read MoreSergio Caltagirone has not only made what is within the original paper very digestible, but he also further expands upon the key concepts of the diamond model. I have read the paper a handful of times before this course. Coming out of it, I can confidently say that my understanding of the diamond model has deepened and will be implementing some of the key takeaways that I have gained within our CTI team.
Read LessHighly recommended course for all interested or working i...
Timo Jobst
I started the course because I was always interested in the Diamond Model but never read the complete paper only the summary document. The combination of sp...
Read MoreI started the course because I was always interested in the Diamond Model but never read the complete paper only the summary document. The combination of split reading the document in several sessions, additionally reading other really good and relevant papers and finally explaining everything in between in short videos is a perfect way to teach and learn. Seeing how this model can be used together with the Cyber Kill Chain and the MITRE ATT&CK framework and how they complement each other is really great. Attending this course was fun and boosted my level of knowledge.
Read LessSensational
Ricardo Silva
One of the best courses I have ever taken in my career. Totally disruptive !!!
One of the best courses I have ever taken in my career. Totally disruptive !!!
Read LessMandatory training for CTI Analysts!
Przemyslaw Skowron
Diamond Model of Intrusion Analysis training is one of the best on my CTI training path so far, and I highly recommend it for all Analysts and Managers in ...
Read MoreDiamond Model of Intrusion Analysis training is one of the best on my CTI training path so far, and I highly recommend it for all Analysts and Managers in this field. Regardless of what you are focused on, Requirements, Collection, Analysis or Writing Intel products. It is good training for people from the DFIR field as well - Threat Hunters, Incident Responders. I've read the Diamond Model paper before the course, I even used it with my approach, figuring out how to leverage strong sides of the model, but it has a source in my previous experience, not the training. With Sergio's (trainer) guidance, comments, exercises (+explanation!), which allows settling the Diamond Model in my world, I'm much more familiar and aware of the co-author's philosophy, purposes, powers and limitations of the model. The course is worth much more than the current price. Thank you, Sergio!
Read LessRelated Courses
-
All Courses, Analysts
TIA-810 Advanced Cyber Threat Intelligence
(1) 5.0 average ratingTaught by the "Godfather of Threat Intelligence," students at all levels learn how to produce, consume, use, and evaluate threat intelligence across all cybersecurity operations roles like analysts, pen testers, incident responders.
-
All Courses, Analysts, Leadership, Operations
Building and Operating a Threat Intelligence Function and Team
0 Lessons
-
All Courses, Analysts
Presenting Threat Intelligence
0 Lessons
-
All Courses, Analysts, Operations
Evolving Defense and Detection with Threat Intelligence
0 Lessons