(Attempting to) Automate the Diamond Model
February 2023 • Presentation
Teresa Chila (Chevron)
This talk presents a framework for automating some of the tasks in the Diamond Model for Intrusion Analysis.
Software Engineering Institute
This presentation was given at FloCon 2023, an annual conference that focuses on applying any and all collected data to defend enterprise networks.
The Diamond Model is a well-known methodology for analyzing cyber intrusion events. Meticulous application of the Diamond Model can yield valuable insight into cyber threats targeting your company and allow for the proactive development of defensive and remediation plans. However, applying the Diamond Model is mainly a manual process, which does not scale to analyze all the successful and unsuccessful attacks a company might face on a given day. In an effort to achieve better situational awareness around cyber threats targeting our company’s networks, we decided to expand the use of the Diamond Model by leveraging data science and automation.
The Diamond Model process relies heavily on the expertise and experience of cyber threat analysts. That reliance, combined with the large variety of investigative paths an analyst can take, has made the process difficult to automate. This talk presents our first attempt at this automation challenge. By no means can we claim we will achieve complete automation, but we aim to present an approach to get started and to continue expanding it to cover more ground in the future.
We focused first on phishing campaigns and malware events. The data goes through a complex processing pipeline involving enrichment, correlation, filtering, pivoting, normalization, and prioritization to produce actionable insights for analysts and management in the form of trends and situational awareness. Our goal is to group unique or individual cyber events with other activities that have overlapping characteristics in order to discover campaigns that might otherwise be missed. Multiple stages of this processing pipeline use advanced analytic models and algorithms to achieve the best results. This talk provides an overview of the overall workflow as well as the individual models and algorithms embedded in it. Examples include classification models to normalize and categorize, distance algorithms and clustering to find similarity, and graph algorithms to prioritize and group.
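To make the normalize / measure distance / cluster / prioritize chain concrete, here is a small added example (not the speaker's or Chevron's pipeline) that reduces each alert to its four Diamond Model vertices, normalizes the indicators, links events by a weighted Jaccard distance, and ranks the resulting connected components as candidate campaigns. The vertex weights, the 0.65 threshold, and all sample alerts are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

VERTICES = ("adversary", "infrastructure", "capability", "victim")
# Assumed weights: shared adversary/infrastructure is stronger evidence of one campaign
# than a shared victim, since many unrelated campaigns hit the same high-profile users.
WEIGHTS = {"adversary": 0.30, "infrastructure": 0.35, "capability": 0.25, "victim": 0.10}


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: FrozenSet[str]
    infrastructure: FrozenSet[str]
    capability: FrozenSet[str]
    victim: FrozenSet[str]


def normalize_indicator(value: str) -> str:
    """Lower-case, trim, and undo common defanging so equal indicators compare equal."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def normalize_event(raw: Dict) -> DiamondEvent:
    """Normalization step: map a raw alert dict onto the four Diamond vertices."""
    sets = {v: frozenset(normalize_indicator(x) for x in raw.get(v, [])) for v in VERTICES}
    return DiamondEvent(event_id=raw["id"], **sets)


def jaccard_distance(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """1 - |a&b|/|a|b|; two empty vertices carry no evidence of similarity, so distance 1."""
    if not a and not b:
        return 1.0
    return 1.0 - len(a & b) / len(a | b)


def event_distance(e1: DiamondEvent, e2: DiamondEvent) -> float:
    """Distance step: weighted sum of per-vertex Jaccard distances (0 = identical)."""
    return sum(w * jaccard_distance(getattr(e1, v), getattr(e2, v)) for v, w in WEIGHTS.items())


def build_similarity_graph(events: List[DiamondEvent], threshold: float) -> Dict[str, Set[str]]:
    """Correlation step: link every pair whose distance is at or below the threshold."""
    adj: Dict[str, Set[str]] = {e.event_id: set() for e in events}
    for a, b in combinations(events, 2):
        if event_distance(a, b) <= threshold:
            adj[a.event_id].add(b.event_id)
            adj[b.event_id].add(a.event_id)
    return adj


def connected_components(adj: Dict[str, Set[str]]) -> List[Set[str]]:
    """Grouping step: iterative DFS; each component is a candidate campaign."""
    seen: Set[str] = set()
    components: List[Set[str]] = []
    for start in adj:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adj[node] - seen)
        components.append(component)
    return components


def prioritize_campaigns(adj: Dict[str, Set[str]], components: List[Set[str]]) -> List[Dict]:
    """Prioritization step: rank by event count, then by how densely the events are linked."""
    ranked = []
    for comp in components:
        links = sum(len(adj[n] & comp) for n in comp) // 2  # each edge is seen from both ends
        ranked.append({"events": sorted(comp), "size": len(comp), "links": links})
    ranked.sort(key=lambda c: (c["size"], c["links"]), reverse=True)
    return ranked


def run_pipeline(raw_events: List[Dict], threshold: float = 0.65) -> List[Dict]:
    events = [normalize_event(r) for r in raw_events]
    adj = build_similarity_graph(events, threshold)
    return prioritize_campaigns(adj, connected_components(adj))


# Constructed sample alerts: four invoice-themed phish that pivot through a shared IP and
# a shared sender, plus one unrelated macro lure that should stay on its own.
RAW_EVENTS = [
    {"id": "e1", "adversary": ["Billing@pay-invoice[.]com"], "infrastructure": ["pay-invoice[.]com", "203.0.113.10"],
     "capability": ["credential-phish"], "victim": ["alice"]},
    {"id": "e2", "adversary": ["billing@pay-invoice.com"], "infrastructure": ["pay-invoice.com"],
     "capability": ["credential-phish"], "victim": ["bob"]},
    {"id": "e3", "adversary": ["accounts@pay-invoice.com"], "infrastructure": ["203.0.113.10", "invoice-portal.example"],
     "capability": ["credential-phish"], "victim": ["carol"]},
    {"id": "e4", "adversary": ["hr@careers-update.test"], "infrastructure": ["careers-update.test"],
     "capability": ["macro-dropper"], "victim": ["alice"]},
    {"id": "e5", "adversary": ["accounts@pay-invoice.com"], "infrastructure": ["invoice-portal.example"],
     "capability": ["credential-phish", "macro-dropper"], "victim": ["dave"]},
]

if __name__ == "__main__":
    for campaign in run_pipeline(RAW_EVENTS):
        print(campaign)
```

Note what the graph step buys over a plain pairwise comparison: e2 and e5 are far apart on their own (distance 0.875), yet they land in the same campaign because e1 bridges e2 to e3 via the shared IP and e3 bridges to e5 via the shared sender. That transitive pivoting is the part an analyst does by hand when walking the Diamond Model, and the threshold is the knob that trades recall for noise.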
This talk presents a framework for automating some of the tasks in the Diamond Model for Intrusion Analysis. Security incident response and threat intelligence teams can leverage this approach to increase the speed and volume of their intrusion analysis. Security teams can even widen the scope of the analysis by including blocked events, which contain a great deal of intelligence but may not be on the radar of the incident response team.