Diamond Model of Intrusion Analysis: A Framework for Advanced Threat Intelligence – ITU Online IT Training
+1 855.488.5327 customerservice@ituonline.com Mon – Fri: 9:00am – 5:00pm ET
Login To My Training Cart
PublishedOctober 27, 2024
Last UpdatedMay 12, 2026
Essential Knowledge for the CompTIA SecurityX certification

Diamond Model of Intrusion Analysis: A Framework for Advanced Threat Intelligence

Ready to start learning? Individual Plans →Team Plans →
In This Article
By ITU Online CompTIA Team
IT training provider since 2012, specializing in CompTIA, Cybersecurity, Project Management, Cisco, Microsoft, AWS, Azure, and Cloud certifications.
Published October 27, 2024 · Last updated May 12, 2026

Diamond Model of Intrusion Analysis: Why Indicator-Only Investigations Miss the Bigger Picture

A suspicious IP address, a malicious hash, or a phishing domain can get you to a block decision fast. It cannot, by itself, tell you whether you are dealing with a one-off intrusion, a repeatable campaign, or a long-running adversary operation. That gap is exactly where the diamond model of intrusion analysis earns its value.

The diamond model gives analysts a structured way to connect adversary, infrastructure, capability, and victim. Instead of treating indicators as isolated clues, it forces you to ask better questions: Who is likely behind this? What systems did they use? What did they do? Why was this target chosen? Those answers matter for threat intelligence, incident response, and governance, risk, and compliance work.

This framework is especially useful when teams need to move quickly but still preserve context. A pure indicator-based workflow can produce noisy alerts, shallow containment, and weak attribution. A relationship-based workflow helps you build a defensible case that can be reused in later hunts, executive reporting, and post-incident review. For background on threat terminology and analytic tradecraft, CISA and the MITRE ATT&CK knowledge base are useful reference points.

In practical terms, this article shows how to apply the diamond model of intrusion analysis to real investigations. You will see where it fits, where it complements other frameworks, and how to use it in repeatable workflows that help you make better decisions under pressure.

Why Indicator-Only Analysis Falls Short

Security teams still rely on indicators because they are easy to collect and fast to act on. An IP can be blocked, a hash can be quarantined, and a domain can be added to a deny list. The problem is that a single indicator often answers only one question: what should we block right now? It does not explain the larger intrusion story.

Attackers know this. They rotate infrastructure, repackage payloads, and shift delivery methods while keeping the same tradecraft. A phishing campaign can move from one domain to another in hours. Malware can be recompiled to change hashes. Command-and-control traffic can blend into legitimate cloud services. If your analysis stops at the indicator layer, you may keep chasing moving targets without understanding the operator behind them.

This is why isolated data points can create false confidence. A team may think containment is complete because the malicious domain is blocked, only to see the same lure, the same macro behavior, and the same lateral movement pattern appear again through a different route. The diamond model of intrusion analysis helps prevent that mistake by tying indicators to behavior and relationships.

  • Short-term value: blocking a domain, IP, or hash
  • Deeper value: understanding campaign structure and adversary tradecraft
  • Operational risk: repeated alerts when the same actor changes infrastructure
  • Analytic risk: weak attribution and incomplete scoping

For incident handling standards, the NIST SP 800-61 incident response guide is a strong companion reference. It reinforces the need to gather evidence, preserve context, and document decisions clearly.

What the Diamond Model of Intrusion Analysis Is

The diamond model of intrusion analysis is a framework for understanding intrusions through four connected elements: adversary, infrastructure, capability, and victim. The core idea is simple: an intrusion is not just a list of artifacts. It is a relationship between an actor, the tools and systems used, and the target affected.

Each point in the diamond answers a different investigative question. Adversary asks who is likely behind the activity. Infrastructure asks what systems or channels were used to deliver or control the attack. Capability asks what malware, exploit, script, or procedure enabled the action. Victim asks who or what was targeted. When those points are analyzed together, the event becomes easier to understand, compare, and communicate.

The real strength of the model is that it works at two levels. At the incident level, it helps you explain a single intrusion in a disciplined way. At the campaign level, it helps you connect multiple events that share tradecraft, delivery infrastructure, or target selection. That makes it useful for both analysts and leaders who need a clearer risk picture.

A useful indicator tells you something happened. A structured model tells you how the pieces fit together.

The framework is not limited to cybercrime or nation-state activity. It can also be applied to insider threats, fraud-related intrusions, and targeted phishing. The point is not just to catalog evidence. The point is to build an evidence-backed narrative that survives scrutiny.

The Four Core Elements of the Diamond Model

Each side of the diamond adds context, but none of them stands alone. If you understand the four elements well, you can move from “we saw suspicious activity” to “we understand the likely operation behind it.” That shift is what makes the model so valuable in advanced threat intelligence.

Adversary

The adversary is the person, team, criminal group, or state-linked actor driving the intrusion. In many cases, you will not know the identity with certainty. That is fine. The model still helps you reason about likely ownership based on behavior, target selection, and operational patterns.

Analysts often over-focus on naming the actor too early. A better approach is to treat adversary identity as a confidence-based assessment. You might describe it as a financially motivated group, a suspected insider, or a cluster of activity linked to a known campaign. That keeps the analysis grounded while evidence accumulates.

Infrastructure

Infrastructure includes domains, IPs, servers, email accounts, cloud resources, proxy nodes, and delivery channels used during the intrusion. Infrastructure is often the easiest element to observe, which is why it becomes the first thing defenders block. But infrastructure is also the most disposable element. Attackers expect it to burn.

That is why analysts should track infrastructure as a pattern, not a single artifact. A phishing domain may change, but the registration style, hosting region, TLS certificate pattern, and redirect chain may remain consistent. Those repeated choices can be more useful than the domain itself.

Capability

Capability refers to the malware, exploit, script, credential abuse, persistence method, or operator behavior used in the intrusion. This is where behavioral analysis matters. Two incidents may use different filenames or delivery methods but still share the same PowerShell obfuscation, same privilege escalation sequence, or same exfiltration approach.

Capability is often where you connect the diamond model to adversary tradecraft. If a group uses the same loader, the same scheduled task pattern, and the same data staging technique across cases, that becomes a strong analytic signal even if other evidence changes.

Victim

Victim is the targeted user, host, business unit, organization, or environment. Victimology matters because adversaries rarely choose targets at random. They pick based on access value, revenue potential, geopolitical value, or trust relationships. In some cases, the victim profile is the clue that reveals the likely motive.

For example, a campaign targeting finance users with invoice lures and fake payment portals is very different from one targeting engineering teams with code repository credentials. The victim element helps explain why the intrusion happened in the first place.

Key Takeaway

The four elements are useful because they answer different questions. The real insight comes from how they relate to each other across one incident or many incidents.

How the Relationships Between the Elements Create Meaning

The diamond model matters because relationships carry more analytic value than isolated artifacts. A domain is only a domain until you connect it to a lure, a payload, a delivery time, and a targeted user group. Once those pieces line up, you begin to see campaign structure instead of disconnected alerts.

Consider a phishing case where the infrastructure changes daily. The domain names differ, the hosting providers differ, and the hashes differ. Yet the lure template, file naming convention, and macro behavior remain the same. That relationship set can be enough to conclude that the same operator, or at least the same playbook, is still active. The diamond model of intrusion analysis gives you the structure to preserve that linkage.

Relationship analysis also helps you decide whether a single event is part of a broader operation. If one user receives a malicious attachment, that may be a random attempt. If five users across the same business unit receive related lures from different infrastructure in the same two-hour window, the picture changes quickly. You are likely looking at a coordinated effort, not a one-off.

  • Shared infrastructure can reveal operational reuse.
  • Shared capability can reveal common tradecraft.
  • Shared victimology can reveal targeting preferences.
  • Shared timing can reveal campaign coordination.

For standards-based thinking about adversary behavior, MITRE ATT&CK and NIST CSF help teams describe and organize what they observe. The diamond model adds the relational layer that turns those observations into a story.

Using the Diamond Model in Threat Intelligence

Threat intelligence teams use the diamond model to move from raw reporting to useful judgment. Tactical intelligence may identify a malicious domain. Operational intelligence may cluster that domain with other infrastructure used in the same operation. Strategic intelligence may explain what the campaign means for business risk, customer exposure, or sector targeting.

This is where the model becomes practical. Analysts can cluster incidents by shared infrastructure, capability, or victimology instead of treating each ticket as a separate universe. That makes it easier to see whether several “different” events are actually part of one campaign. It also improves triage, because the team can assign confidence based on relationships rather than intuition alone.

The framework also improves communication. A SOC analyst, a threat hunter, a manager, and a legal reviewer do not need the same technical detail. They do need a shared structure. The diamond model gives them that structure: who, what, how, and whom. It reduces ambiguity when you present findings in a case note, a briefing, or a post-incident memo.

Leadership benefits too. A report that says “we blocked 17 indicators” is less useful than one that says “we identified a recurring phishing operation targeting finance staff, using rotating infrastructure and a consistent payload delivery method.” The second version supports actual decision-making.

For broader threat context and workforce relevance, the NICE/NIST Workforce Framework is a helpful reference for mapping analytic tasks to roles and capabilities.

Applying the Model in Incident Response

Incident response teams need structure when the timeline is moving fast. The diamond model helps responders organize evidence during triage, containment, eradication, and recovery. It keeps the investigation from becoming a random pile of alerts and screenshots.

Start by identifying what triggered the case. Was it a suspicious login, a malicious email, a PowerShell event, or a DNS anomaly? Then map what you know into the four elements. If the suspicious login came from a cloud provider IP range, the infrastructure point may be “external hosting used for password spray attempts.” If the affected account belongs to payroll, the victim point becomes much more specific. That helps responders scope related systems faster.

The model is also useful for deciding whether persistence, lateral movement, or exfiltration may be present. If the capability includes scheduled tasks, registry run keys, and remote service creation, persistence and post-compromise movement should be checked immediately. If the infrastructure includes unusual outbound destinations and consistent beacon timing, exfiltration or command-and-control should stay on the table.

Post-incident, the framework improves the review process. Instead of saying “the endpoint was compromised,” you can document the full chain: who was targeted, what delivery mechanism was used, what capability was executed, and what infrastructure supported the intrusion. That level of detail is easier to defend in audits, legal review, and executive briefings.

Warning

Do not wait until the incident is over to structure the evidence. If you map the diamond model early, you will preserve context that is easy to lose during containment.

Connecting the Diamond Model to MITRE ATT&CK and Other Frameworks

The diamond model and MITRE ATT&CK solve different problems, and they work well together. ATT&CK is excellent for describing tactics and techniques. The diamond model is better at organizing the relationships around those techniques: the adversary using them, the infrastructure enabling them, and the victim being targeted.

Think of ATT&CK as the language for describing behavior, and the diamond model as the structure for linking that behavior to a broader intrusion story. For example, if you observe PowerShell-based execution and credential dumping, ATT&CK helps you label the techniques. The diamond model helps you connect those techniques to the specific campaign infrastructure, affected user group, and suspected actor.

This alignment improves consistency across incidents. If multiple analysts use the same framework, they are more likely to document similar events in similar ways. That makes comparison easier. It also improves hunting, because detection engineers can translate observed techniques into control logic while intelligence analysts maintain the relationship view.

Framework alignment matters for reporting too. A detection-centric report often ends at “what triggered.” An adversary-centric report asks “what pattern is this part of?” That is a much better question for threat hunting, control validation, and executive communication.

For official ATT&CK references, use the MITRE ATT&CK site. For incident response structure and lifecycle guidance, NIST SP 800-61 remains one of the most practical public references.

Practical Workflow for Performing Diamond Model Analysis

A good diamond model workflow is iterative. You do not fill in the four points once and call the case done. You update the model as logs, endpoint data, and threat intelligence improve your confidence.

  1. Collect evidence from SIEM, EDR, email security, DNS logs, proxy logs, firewall data, and authentication logs.
  2. Identify the initial contact point, such as a suspicious attachment, a domain, an anomalous login, or a process tree.
  3. Populate each element with confirmed facts first, then separate assumptions or hypotheses.
  4. Look for repeated relationships across users, hosts, timing, geographies, and file or domain patterns.
  5. Reassess continuously as new telemetry changes what you know about the case.

Here is a simple example. A user opens a spreadsheet from a vendor-themed email. The spreadsheet launches a script that contacts a suspicious domain. The capability is the script and payload behavior. The infrastructure is the phishing email and command-and-control domain. The victim is the finance user and, by extension, the finance function. If you later see the same lure style sent to procurement staff, the model helps you recognize a wider campaign.

Documenting the difference between confirmed and suspected is critical. If you think a domain is related to a known actor, label it as a hypothesis until you have enough evidence. This keeps the analysis honest and prevents overstatement.

Pro Tip

Use a simple case template with four fields: confirmed facts, suspected relationships, open questions, and next actions. That keeps the model usable during high-pressure investigations.

Tools and Data Sources That Support the Framework

The diamond model works best when you feed it with diverse telemetry. A SIEM gives you timeline visibility and correlation. An EDR platform gives you process, command-line, and persistence detail. DNS, proxy, and firewall logs show where infrastructure was contacted and how often. Email security data shows how the lure arrived and which recipients were targeted.

Threat intelligence feeds can help you compare current findings with prior cases, but internal case notes are just as important. Analysts often find the strongest links by reviewing old tickets, not just vendor feeds. A repeated subject line, a reused macro pattern, or a familiar hosting pattern may reveal a campaign that has been active for months.

Visualization is useful, but it does not need to be fancy. A spreadsheet can work if it is disciplined. A simple graph view can be even better when you need to show how a domain, a host, a user, and a payload relate. The point is to preserve the relationships in a way that another analyst can follow later.

  • SIEM: timeline correlation and cross-source alerting
  • EDR: process execution, persistence, and memory-level clues
  • DNS/proxy/firewall: infrastructure tracing and beacon patterns
  • Email security: delivery method, sender behavior, lure content
  • Case management or graphing tools: relationship preservation

For email and network analysis, vendor documentation is often the best source of truth. Microsoft’s security guidance at Microsoft Learn and AWS security documentation at AWS Docs are practical references when you are tracing cloud-based activity.

Common Mistakes Analysts Make When Using the Diamond Model

One of the biggest mistakes is treating the diamond model like a checklist. It is not a form to fill out once. It is an analytical method that should evolve as the case evolves. If you freeze the model too early, you will miss the campaign context that makes the data useful.

Another common mistake is overvaluing infrastructure. Many teams become so focused on blocking the latest domain that they ignore the capability and victimology. That can lead to whack-a-mole operations where the same intrusion pattern keeps returning under a different hostname. Infrastructure matters, but it is rarely the most durable part of an adversary’s playbook.

Analysts also confuse attribution with confidence. A suspicion is not proof. If the evidence supports “likely linked” or “possibly associated,” use those words. Good intelligence writing is precise about uncertainty. That precision protects the credibility of the team.

Finally, many organizations fail to compare the current case with prior incidents. That is a lost opportunity. The same lure format, the same hosting pattern, or the same data staging routine may show up again and again. If your team does not actively compare cases, you will miss the campaign links the model is designed to reveal.

  • Do not treat the framework as static.
  • Do not anchor on infrastructure alone.
  • Do not overstate attribution confidence.
  • Do compare present findings to prior cases.

Using the Model for Better Hunting and Detection Engineering

The diamond model is not just for after-action analysis. It can shape better hunting hypotheses and more durable detections. If you repeatedly see a specific capability, such as encoded PowerShell launching from user-writable directories, that behavior can become a hunt focus across endpoints and identities.

Victimology is especially useful for prioritization. A hunt across the whole enterprise may be too broad to sustain every week. But if a campaign tends to target finance, legal, or identity administration teams, you can focus first on those accounts and systems. That makes your hunt program more efficient without becoming narrow-minded.

Detection engineers can also use the model to reduce fragility. If the alert logic depends only on a domain or hash, it will break when attackers rotate infrastructure. If the logic tracks behavior, parent-child process chains, unusual authentication patterns, or suspicious delivery patterns, it has a better chance of surviving minor attacker changes.

Once validated, findings should feed back into controls. That could mean a new YARA rule, a mail gateway rule, a Sigma detection, or an authentication policy adjustment. The key point is feedback. The model should improve your detection posture over time, not just your reporting.

For tradecraft mapping and hunt guidance, MITRE ATT&CK is still the strongest public reference, while the CIS Critical Security Controls can help translate findings into control improvements.

How the Diamond Model Supports GRC and Audit Readiness

Security governance, risk, and compliance teams need evidence they can trust. The diamond model helps because it creates a repeatable structure for documenting incident scope, impact, and response. That makes review easier for internal audit, legal, privacy, and executive stakeholders.

When an incident is documented in a consistent way, it is easier to answer questions like: What was targeted? What capability was used? What infrastructure was involved? How did the event evolve? Those are the questions reviewers ask when they need to assess control effectiveness or regulatory exposure.

The model also improves cross-functional communication. Security teams often speak in logs and techniques. Risk teams want business impact. Legal teams want defensible facts. Executives want concise conclusions. A structured intrusion analysis gives all of them the same underlying story, even if the level of detail changes by audience.

That matters for audit readiness. If your incident records show consistent reasoning, clear evidence trails, and explicit confidence levels, your response process looks much more mature. It also supports lessons learned, because you can trace where the response was strong and where visibility broke down.

For governance and control mapping, ISO/IEC 27001 and NIST CSF are useful external anchors. They do not replace the diamond model, but they pair well with it when you need to show repeatable process and control alignment.

Conclusion

The diamond model of intrusion analysis is valuable because it forces analysts to think in relationships, not just indicators. That shift improves threat intelligence, incident response, hunting, and governance work by adding context where isolated data points fall short.

If you use the framework well, you stop asking only “what should we block?” and start asking “what pattern are we seeing, who is likely behind it, and how does it behave across time?” That is the difference between reactive security and informed security.

The practical win is repeatability. When analysts use the same structure to document adversary, infrastructure, capability, and victim, they produce better cases, stronger handoffs, and more useful reporting. The value is not in the individual data points. It is in the structure they reveal.

If your team is still relying on indicator-only analysis, start small. Apply the model to the next phishing case, malware alert, or suspicious login review. Use it to separate facts from assumptions, identify relationships, and preserve context for the next analyst who touches the case. That one change can make your investigations faster, clearer, and much easier to defend.

CompTIA®, Microsoft®, AWS®, Cisco®, PMI®, EC-Council®, ISC2®, and ISACA® are trademarks of their respective owners.

[ FAQ ]

Frequently Asked Questions.

What is the Diamond Model of Intrusion Analysis?

The Diamond Model of Intrusion Analysis is a structured framework used by cybersecurity professionals to understand and analyze cyber threats. It focuses on illustrating the relationships between four core components: adversary, infrastructure, capability, and victim.

This model helps analysts visualize how these elements interact and evolve over time during an intrusion campaign. By mapping these relationships, security teams can identify patterns, link related incidents, and develop more strategic defense mechanisms.

Unlike indicator-only investigations, which focus solely on specific malicious artifacts, the diamond model provides a holistic view of an attack, enabling proactive threat hunting and comprehensive incident response.

Why do indicator-only investigations often fall short?

Indicator-only investigations focus on specific malicious artifacts such as IP addresses, hashes, or domains. While these indicators can help quickly block threats, they often miss the broader context of an attack.

This narrow approach can lead to false positives or missed connections between related activities. For example, a malicious IP may be temporarily rerouted or reused by different adversaries, making indicator-based blocking ineffective over time.

The limitation is that indicator-only methods do not account for the adversary’s tactics, infrastructure, or objectives. This is where the Diamond Model provides added value by offering a comprehensive view of the threat landscape.

How does the Diamond Model enhance threat intelligence analysis?

The Diamond Model enhances threat intelligence by providing a systematic approach to connect various aspects of an intrusion. It emphasizes understanding the relationships between the adversary, their infrastructure, capabilities, and the victim environment.

This holistic perspective allows analysts to uncover patterns, predict future actions, and attribute attacks more accurately. It also improves the sharing of threat intelligence across organizations by establishing a common framework for describing intrusion campaigns.

By focusing on these interconnected components, security teams can develop more effective detection strategies and prioritize responses based on the adversary’s objectives and methods.

What are the key components of the Diamond Model?

The four key components of the Diamond Model are adversary, infrastructure, capability, and victim. Each element plays a crucial role in understanding an intrusion:

  • Adversary: The threat actor responsible for the intrusion.
  • Infrastructure: The servers, domains, and communication channels used by the adversary.
  • Capability: The tools, techniques, and methods employed by the attacker.
  • Victim: The organization or individual targeted by the attack.

Mapping these components helps analysts visualize how adversaries operate and adapt their tactics over time, enabling more strategic defense planning.

Can the Diamond Model be used to attribute cyber attacks?

Yes, the Diamond Model can aid in cyber attack attribution by revealing patterns and relationships among the four core components. When analysts link infrastructure, capabilities, and adversary behaviors, they can identify overlaps with known threat groups or campaigns.

However, attribution remains complex and should be approached with caution. The model provides valuable contextual information but does not definitively identify the attacker on its own. Combining the Diamond Model with other intelligence sources enhances accuracy and confidence in attribution efforts.

Overall, the framework is a powerful tool for understanding attack campaigns and supporting attribution, especially when integrated into a broader threat intelligence strategy.

Related Articles

Ready to start learning? Individual Plans →Team Plans →
Discover More, Learn More
Threats to the Model: Model Inversion Discover how model inversion poses privacy risks and learn effective strategies to… Threats to the Model: Model Theft As artificial intelligence (AI) becomes central to business operations, organizations invest heavily… Threats to the Model: Model Denial of Service (DoS) Learn how to identify and defend against model denial of service attacks… Abuse Cases: A Key Method in Threat Modeling for CompTIA SecurityX Learn how abuse cases enhance threat modeling by identifying potential misuse scenarios… Antipatterns in Threat Modeling: Understanding and Avoiding Security Pitfalls Learn how to identify and avoid common threat modeling antipatterns to enhance… Attack Trees and Graphs in Threat Modeling: A Structured Approach to Security Analysis Learn how to utilize attack trees and graphs to systematically analyze security…