What is the Diamond Model of Intrusion Analysis?
“Diamond Model of Intrusion Analysis” is the name of a model that can be used to describe and track cyber threats. The model uses the four dimensions adversary, infrastructure, capability and victim to describe security events. Graphically, these four dimensions are represented in the form of a diamond. In addition, six meta features provide further information on the respective cybersecurity event.

“Diamond Model of Intrusion Analysis”, often just called the Diamond Model, is the name of a scientific model and formal mathematical framework for describing and tracking cyber threats. The model was developed by the security experts Sergio Caltagirone, Andrew Pendergast and Christopher Betz and is based on many years of experience in analyzing complex cyber attacks. It was published in 2013 in a joint paper.
The Diamond Model aims to structure and simplify the analysis of security incidents and cyber threats and to improve the efficiency and accuracy of that analysis. The ultimate goal of the model is to strengthen the ability to defend against cyber attacks. An essential feature of the model is the set of four dimensions with which a cybersecurity event is described: Adversary, Infrastructure, Capability, and Victim. In addition, six meta features provide further information on the respective cybersecurity event. The four dimensions are related to each other and are represented graphically in the form of a diamond; the name “Diamond Model of Intrusion Analysis” is derived, among other things, from this diamond representation. Besides the Diamond Model of Intrusion Analysis, there are other, competing models for describing and analyzing security threats in the cybersecurity environment, such as Lockheed Martin’s Cyber Kill Chain or the MITRE ATT&CK framework.
The dimensions and meta features of the Diamond Model of Intrusion Analysis in detail
To structure the analysis of cyber attacks, the Diamond Model defines these four dimensions:
- Adversary: the organization or individual actor that uses its capabilities against victims to achieve its goals.
- Infrastructure: the logical or physical communication structure used by the adversary to achieve its goals (examples: IP addresses, email addresses, domain names and others).
- Capability: the tools and techniques used by the adversary.
- Victim: the target of an attack or a vulnerable target. Victims can be individuals, organizations, devices, software, IP addresses, domain names, and more.
An attack or security threat is called an event and is described using the four dimensions mentioned. The description of the event rests on the basic idea that adversaries use their capabilities to attack their victims via an infrastructure.
In addition to the four dimensions, a total of six meta features provide additional information about a security event. These meta features are Timestamp, Phase, Result, Direction, Methodology, and Resources. The set of meta features is not limited to these six and is extensible. For example, the paper mentions the two further features “Social-Political”, which describes the relationship between adversary and victim, and “Technology”, which describes the technology used in the Capability and Infrastructure dimensions. Additional meta features can be defined as required.
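As an added example (not code from the page or from the model's authors), the following Python sketch shows one way to represent a Diamond Model event with its four core features and the six meta features described above, to attach extensible meta features such as “Social-Political” or “Technology”, and to exploit the fact that the dimensions are related: starting from one known value (here an infrastructure address), an analyst can pivot to the adversaries, capabilities and victims that share it, and can read the events of one victim in timestamp order as a sequence of phases. The pivoting and per-victim ordering go slightly beyond what the text spells out. All event data, actor names, phase names and addresses below are constructed for illustration (RFC 5737 documentation addresses, placeholder names).

```python
"""Added example: representing Diamond Model events and pivoting across them.

Not code from the page or from the model's authors. All sample events,
names and values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List, Set

# The four core features (the vertices of the diamond).
CORE_FEATURES = ("adversary", "infrastructure", "capability", "victim")
# The six meta features named in the text; further ones may be added per event.
META_FEATURES = ("timestamp", "phase", "result", "direction", "methodology", "resources")


@dataclass
class DiamondEvent:
    adversary: str
    infrastructure: str
    capability: str
    victim: str
    meta: Dict[str, Any] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Every vertex must be filled, even if only with "unknown".
        for name in CORE_FEATURES:
            if not getattr(self, name):
                raise ValueError(f"core feature '{name}' must not be empty")
        missing = [m for m in META_FEATURES if m not in self.meta]
        if missing:
            raise ValueError(f"missing meta features: {missing}")

    def extended_features(self) -> List[str]:
        """Meta features beyond the six standard ones (e.g. social-political)."""
        return [k for k in self.meta if k not in META_FEATURES]


def pivot(events: Iterable[DiamondEvent], feature: str, value: str) -> Dict[str, Set[str]]:
    """Analytic pivot: from one known vertex value, collect the values that the
    matching events expose on the other three vertices."""
    if feature not in CORE_FEATURES:
        raise ValueError(f"unknown core feature '{feature}'")
    related: Dict[str, Set[str]] = {f: set() for f in CORE_FEATURES if f != feature}
    for ev in events:
        if getattr(ev, feature) == value:
            for other in related:
                related[other].add(getattr(ev, other))
    return related


def activity_threads(events: Iterable[DiamondEvent]) -> Dict[str, List[DiamondEvent]]:
    """Group events per victim, ordered by timestamp, so that the phases of one
    intrusion can be read as a sequence."""
    threads: Dict[str, List[DiamondEvent]] = {}
    for ev in events:
        threads.setdefault(ev.victim, []).append(ev)
    for victim in threads:
        threads[victim].sort(key=lambda e: e.meta["timestamp"])
    return threads


def sample_events() -> List[DiamondEvent]:
    """Constructed sample data (RFC 5737 addresses, placeholder names)."""
    def meta(ts, phase, result, direction, methodology, resources, **extra):
        base = {"timestamp": ts, "phase": phase, "result": result,
                "direction": direction, "methodology": methodology,
                "resources": resources}
        base.update(extra)
        return base

    return [
        DiamondEvent("actor-1", "192.0.2.10", "phishing-email", "victim-org-a",
                     meta("2024-01-05T09:00:00Z", "delivery", "success",
                          "infrastructure-to-victim", "spear-phishing", "mail-account")),
        DiamondEvent("actor-1", "192.0.2.10", "remote-access-trojan", "victim-org-a",
                     meta("2024-01-05T09:30:00Z", "installation", "success",
                          "infrastructure-to-victim", "malware", "hosting",
                          technology="https-beacon")),
        DiamondEvent("unknown", "192.0.2.10", "phishing-email", "victim-org-b",
                     meta("2024-01-06T11:00:00Z", "delivery", "failure",
                          "infrastructure-to-victim", "spear-phishing", "mail-account")),
        DiamondEvent("actor-2", "198.51.100.7", "credential-stuffing", "victim-org-c",
                     meta("2024-01-07T02:00:00Z", "exploitation", "failure",
                          "infrastructure-to-victim", "brute-force", "password-list",
                          **{"social-political": "financial-gain"})),
    ]


if __name__ == "__main__":
    evs = sample_events()
    print(pivot(evs, "infrastructure", "192.0.2.10"))
    for victim, thread in activity_threads(evs).items():
        print(victim, [e.meta["phase"] for e in thread])
```

Running the script pivots on the constructed address 192.0.2.10 and shows that the same infrastructure links an attributed adversary, an unattributed event and two victims, which is exactly the kind of relationship the diamond is meant to expose; the per-victim threads then list the phases of each intrusion in order.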