Cyber Kill Chain & Diamond Model
Intrusion analysis frameworks for mapping attacker methodology and understanding adversary relationships
Intrusion Analysis Frameworks
Intrusion analysis frameworks give SOC analysts a structured vocabulary and mental model for understanding attacks. Rather than reacting to each alert in isolation, frameworks let analysts position observed activity within a larger context — answering questions like "How far along is this attacker?" and "What are they likely to do next?" Two frameworks are central to the CyberOps 200-201 exam: the Cyber Kill Chain and the Diamond Model of Intrusion Analysis.
Why Frameworks Matter in the SOC
Shared Language
Frameworks give analysts, incident responders, and threat intelligence teams a common vocabulary. When a Tier 1 analyst says "C2 phase," everyone knows exactly what that means.
Predictive Defense
Knowing which Kill Chain phase is active tells you what the attacker needs to do next. You can deploy specific controls to break the chain before the adversary reaches their objective.
Threat Intelligence Pivoting
The Diamond Model lets analysts pivot from a single IOC — an IP address, a hash — to discover related infrastructure, campaigns, or adversary groups.
Detection Gap Analysis
Mapping your sensor coverage to Kill Chain phases reveals where you are blind. If you have no controls at Weaponization, that is a gap to address.
Brief History
Cyber Kill Chain (2011)
Published by Lockheed Martin's Eric Hutchins, Mike Cloppert, and Rohan Amin. Adapted from the military concept of a "kill chain" — a sequence of steps an attacker must complete to achieve an objective. The model was built from real intrusion data at Lockheed Martin and became widely adopted across the industry.
Diamond Model (2013)
Developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz at the Center for Cyber Intelligence Analysis and Threat Research (CCIATR). Formally published as a technical report. The model emerged from the need to analyze and correlate intrusion events scientifically, not just catalogue them.
How They Complement Each Other
Cyber Kill Chain
- Sequential — describes attacker methodology as a linear process
- Temporal — emphasizes what the attacker does and in what order
- Defender-focused — each phase maps to specific countermeasures
- Best for: alert triage, determining attacker progress, playbook development
- Weakness: assumes linear progression; APTs often iterate non-linearly
Diamond Model
- Relational — describes who, with what, where, against whom
- Analytical — emphasizes relationships between intrusion elements
- Intel-focused — designed to connect events and campaigns
- Best for: threat intel, attribution, campaign tracking, pivoting on IOCs
- Weakness: single event-focused; requires combining many diamonds for full picture
The CBROPS exam tests your ability to identify Kill Chain phases from scenario descriptions, map alert data to Diamond Model vertices, and explain how both frameworks support SOC operations. You will see scenario questions that describe attacker activity and ask which phase or vertex applies.
Neither the Kill Chain nor the Diamond Model replace MITRE ATT&CK. They work together: the Kill Chain provides high-level phase categorization, the Diamond Model provides relational context, and ATT&CK provides granular technique-level specifics. In practice, SOC teams use all three simultaneously.
Cyber Kill Chain — Lockheed Martin
The Cyber Kill Chain maps every targeted intrusion into seven sequential phases. An attacker must progress through all phases to achieve their objective. Defenders only need to break the chain at any one phase to disrupt the intrusion. This asymmetry is a key defensive advantage. Click each phase to expand its details.
Reconnaissance is the information-gathering phase. The adversary researches the target organization before any attack tool is deployed. This phase is largely passive from a network perspective — most activity occurs entirely outside the victim's environment. Defenders have limited direct visibility but can identify indicators through external monitoring and threat intelligence.
- OSINT: LinkedIn, job postings, GitHub, social media
- DNS enumeration, WHOIS lookups, certificate transparency
- Shodan/Censys scanning for exposed services
- Email harvesting (theHarvester, Hunter.io)
- Passive network scanning from external vantage
- Identifying target personnel (spear phishing prep)
- Minimize digital footprint (remove sensitive job postings)
- Monitor for brand mentions and exposed credentials
- Alert on certificate transparency logs for domain variants
- Web application firewall rules for scanner signatures
- Threat intel feeds for adversary recon patterns
- Employee OPSEC training for social media exposure
- TA0043: Reconnaissance
- T1595: Active Scanning
- T1596: Search Open Technical Databases
- T1597: Search Closed Sources
- T1598: Phishing for Information
- T1589: Gather Victim Identity Info
In weaponization, the adversary creates an attack tool — pairing an exploit with a payload that will be delivered to the target. A common output is a weaponized document (PDF, Office file) that exploits a vulnerability and drops a backdoor or RAT. This phase also occurs entirely outside the victim environment, making direct detection impossible. Intelligence about this phase comes from sandbox analysis and threat intel sharing.
- Selecting exploit matching target's patch level
- Embedding shellcode in Office macros or PDF exploits
- Configuring C2 callback parameters in the payload
- Packing or obfuscating malware to evade AV detection
- Testing payload against target's AV engine versions
- Creating ISO/LNK-based lure files (post-macro-block era)
- Threat intel consumption: IOCs for known weaponization tools
- Sandbox detonation of suspicious files from external sources
- Maintain up-to-date patch intelligence to predict exploit targeting
- Monitor threat intel for campaigns targeting your industry
- Track tool releases (Metasploit, CobaltStrike profiles)
- YARA rules for known weaponization frameworks
- TA0042: Resource Development
- T1587: Develop Capabilities
- T1587.001: Malware development
- T1587.004: Exploits
- T1588: Obtain Capabilities
- T1608: Stage Capabilities
Delivery is the first phase where the attacker interacts directly with the victim's environment. The weaponized payload must cross the network perimeter or reach an internal user. This is one of the highest-value phases for defenders — delivery represents the last reliable opportunity to block the attack before a system is compromised. Detection here prevents exploitation entirely.
- Spear phishing: crafted email with malicious attachment/link
- Watering hole: compromising sites visited by target employees
- USB drops: leaving infected drives in target vicinity
- Malvertising: injecting ads that serve exploits
- Supply chain compromise: trojanizing trusted software
- Direct exploitation of internet-facing services (VPNs, RDP)
- Email gateway filtering: attachment sandboxing, URL rewriting
- Web proxy with SSL inspection and category filtering
- Endpoint protection: block USB mass storage
- Phishing simulation and user awareness training
- Block known malicious IPs/domains at perimeter
- Patch internet-facing services — priority over internal systems
- TA0001: Initial Access
- T1566: Phishing (all subtypes)
- T1189: Drive-by Compromise
- T1091: Replication via Removable Media
- T1195: Supply Chain Compromise
- T1190: Exploit Public-Facing Application
Exploitation is the moment the weapon executes against a vulnerability — hardware, software, or human. At this point, the attacker gains their first foothold on the target system. Exploitation may target an application vulnerability, an OS kernel flaw, a browser weakness, or social engineering (tricking a user into running code). The key indicator is unexpected code execution on a host.
- Triggering buffer overflow or use-after-free vulnerability
- Executing macros via user click or automatic execution
- Abusing misconfigured services (default credentials)
- Exploiting unpatched CVEs in browser plugins or software
- Credential stuffing against web applications
- SQL injection, command injection in web apps
- Aggressive patching — especially internet-facing and user-facing apps
- HIPS (Host Intrusion Prevention) to block shellcode patterns
- DEP and ASLR: OS memory protections against exploit techniques
- Disable or sandbox legacy features (macros, VBA, ActiveX)
- Application sandboxing: browsers, PDF readers run in restricted context
- Vulnerability scanning to identify and prioritize patch targets
- TA0002: Execution
- T1203: Exploitation for Client Execution
- T1068: Exploitation for Privilege Escalation
- T1059: Command and Scripting Interpreter
- T1204: User Execution
- T1055: Process Injection
After successful exploitation, the attacker installs a persistent backdoor or implant to ensure continued access even if the initial exploit vector is closed or the system is rebooted. This phase is critical for long-term intrusions — without persistence, the attacker loses access the moment the process exits. Detection of persistence mechanisms is a primary Tier 2/3 forensic activity.
- Registry Run keys for auto-start on login
- Scheduled tasks pointing to malicious executables
- Service installation (malware as Windows service)
- DLL hijacking / side-loading legitimate applications
- Rootkit installation to hide presence from OS
- WMI event subscriptions for fileless persistence
- File Integrity Monitoring (FIM) on critical system paths
- Application whitelisting to block unauthorized executables
- Sysmon EventID 13 (registry modifications) alerting
- Scheduled task monitoring via Sysmon EventID 1 + Windows EID 4698
- Privileged access restrictions to prevent service installation
- UEBA to detect anomalous persistence activity by user/host baseline
- TA0003: Persistence
- T1547.001: Registry Run Keys
- T1053.005: Scheduled Task/Job
- T1543.003: Windows Service
- T1546.015: Component Object Model Hijacking
- T1014: Rootkit
Command and Control (C2 or C&C) is the communications channel the attacker uses to remotely control the compromised system. Modern C2 channels are designed to blend with legitimate traffic to evade detection. Understanding C2 protocols and their behavioral signatures is essential for network-level detection. Disrupting the C2 channel isolates the implant from its operator.
- HTTP/HTTPS beaconing to attacker-controlled domain
- DNS tunneling: data exfil via DNS TXT/A record queries
- ICMP tunneling: C2 commands hidden in ping packets
- Domain fronting via CDN services to hide true C2 host
- Using legitimate cloud services (Dropbox, Google Drive) as C2
- Peer-to-peer C2 among compromised hosts (no central server)
- DNS RPZ (Response Policy Zone) to block known C2 domains
- Network traffic analysis for beacon periodicity (JA3/JA3S fingerprinting)
- Block direct-to-IP HTTPS connections (must use proxy)
- Analyze DNS query frequency and length for tunneling patterns
- Enforce web proxy for all outbound HTTP/HTTPS from endpoints
- IDS/IPS rules for known C2 framework signatures (Cobalt Strike malleable profiles)
- TA0011: Command and Control
- T1071: Application Layer Protocol
- T1071.004: DNS C2
- T1090: Proxy (multi-hop)
- T1568: Dynamic Resolution (DGA)
- T1573: Encrypted Channel
Actions on Objectives is the phase where the attacker accomplishes their mission. What happens here depends entirely on the adversary's goal — espionage operations exfiltrate intellectual property, ransomware operators encrypt files and demand payment, hacktivists deface websites. This phase often generates the highest-confidence alerts but by then significant damage may already have occurred. The goal of detection in earlier phases is to prevent reaching this stage.
- Data staging: collecting and compressing files before exfil
- Exfiltration via HTTPS, FTP, or DNS to external infrastructure
- Ransomware deployment: encrypt files, destroy backups
- Lateral movement: pivot to additional hosts using stolen credentials
- Domain privilege escalation: Kerberoasting, DCSync attack
- Destructive activity: wiper malware, firmware attacks
- DLP solutions to detect and block sensitive data exfiltration
- Network segmentation to limit lateral movement blast radius
- Honeypots and deception technology to detect lateral movement
- Immutable backups stored offline or in separate security zone
- Privileged access workstations (PAWs) for admin operations
- Incident response playbooks — speed of containment is critical
- TA0009: Collection
- TA0010: Exfiltration
- TA0040: Impact
- T1486: Data Encrypted for Impact
- T1021: Remote Services (Lateral)
- T1041: Exfil Over C2 Channel
You do not need to detect every phase to stop an attack. Focus detection investment on phases 3 (Delivery), 5 (Installation), and 6 (C2) — these are where attackers are most visible on your network and where defensive actions have the highest impact. Detecting C2 while the attacker is still in the reconnaissance phase of a new campaign is ideal, but rare.
Diamond Model of Intrusion Analysis
The Diamond Model formalizes the relationship between four core features of every intrusion event: Adversary, Capability, Infrastructure, and Victim. The model is named for the diamond shape formed when the four vertices are connected. Every security event maps to exactly one diamond. Analysts use the model to pivot from known facts about an event to discover unknown related elements.
Click any vertex on the diamond to see detailed information about that element.
Who Conducted the Attack
The adversary is the threat actor responsible for the intrusion — the operator controlling the tools and the customer directing the operation. Attribution to a specific adversary is often the ultimate goal of threat intelligence analysis, though it is rarely possible from a single event.
Adversary attributes that analysts track:
- Threat actor name or designator (APT28, FIN7, LAPSUS$)
- Nation-state nexus (Russia, China, North Korea, Iran, criminal)
- Motivation: espionage, financial gain, hacktivism, destructive
- Operational tempo and targeting patterns (working hours, victim sector)
- Known TTPs and tooling preferences (adversary fingerprint)
- Infrastructure reuse patterns across campaigns
Note: adversary attribution is hard. The same capability or infrastructure can be used by multiple actors, or deliberately mimicked (false flag operations). Analysts must aggregate multiple diamonds and corroborate with external intel before attributing with confidence.
How the Attack Was Conducted
Capability encompasses the tools, techniques, and malware employed during the intrusion. This is the "weapon" vertex. Capabilities range from commodity malware available to anyone, to highly sophisticated nation-state implants developed over years.
Capability attributes analysts document:
- Malware family and variant (Cobalt Strike, SUNBURST, X-Agent)
- Exploits leveraged (CVE numbers, 0-day vs N-day)
- Post-exploitation techniques (credential dumping, lateral movement methods)
- Evasion techniques (packing, obfuscation, living-off-the-land)
- Capability sophistication score (commodity vs custom-developed)
- Relationship to known tool kits and frameworks (ATT&CK technique IDs)
Capability is often the most technically rich vertex. Malware analysis output directly populates this vertex. YARA signatures and ATT&CK technique IDs are the standard way to document and share capability intel.
Where the Attack Originated and Was Controlled
Infrastructure is the physical and logical communication structures used to deliver capabilities to victims and command them. This is typically the most actionable vertex for blocking — infrastructure IOCs (IPs, domains) can be immediately operationalized in firewalls and DNS sinkholes.
Infrastructure elements analysts track:
- C2 IP addresses and hosting providers (ASN, geolocation)
- Registered domains and subdomains used in the campaign
- Email accounts used for spear phishing delivery
- Compromised third-party systems used as C2 relays
- Certificate details (SSL certs with repeated organizational data)
- Bulletproof hosting providers favored by specific adversaries
Infrastructure Type 1 is directly controlled by the adversary. Infrastructure Type 2 is owned by a third party but leveraged (compromised) by the adversary. The distinction matters for attribution and takedown operations.
Who or What Was Targeted
The victim is the target of the adversary's capability via their infrastructure. Victims can be organizations, specific individuals within an organization, computer systems, or data assets. Understanding victim targeting patterns reveals adversary intent and helps predict future targets.
Victim attributes analysts document:
- Organization name, industry sector, and size
- Geographic location and country of domicile
- Specific individuals targeted (executive, sysadmin, help desk)
- Compromised systems (workstation, server, OT device)
- Targeted data or business function (R&D, financial, SCADA)
- Victim's relationship to other known victims (supply chain link)
Victim personae (general targeting pattern) vs. victim assets (specific targeted systems) are separate concepts. An adversary may target an organization's CEO persona but the actual compromised system may be a mid-level employee whose credentials were the path to the CEO's data.
Meta-Features: Additional Context
Meta-features extend the core four vertices with contextual data that helps correlate events into campaigns and clusters. They are not vertices — they annotate the diamond event itself.
The Phase meta-feature directly connects the Diamond Model to the Cyber Kill Chain. Each diamond event can be tagged with the Kill Chain phase in which it occurred. This allows analysts to build a complete narrative: multiple diamonds occurring across Kill Chain phases, aggregated into a campaign-level picture showing full adversary lifecycle.
The Pivoting Concept
Pivoting is the core analytical technique of the Diamond Model. When one vertex is known, it can be used to discover unknown vertices. The logic: if two diamonds share the same infrastructure IP, they are likely part of the same campaign. If they share the same adversary TTPs, they may be the same threat group hitting multiple victims.
Infrastructure
| Known Vertex | Pivot Method | Potential Discovery |
|---|---|---|
| Infrastructure (C2 IP) | Passive DNS, WHOIS, RiskIQ, Shodan | Registered domains, shared hosting, associated malware hashes |
| Capability (Malware hash) | VirusTotal, MalwareBazaar, sandbox reports | C2 addresses in config, attributed threat actor, other victims |
| Adversary (TTP patterns) | ATT&CK Navigator, threat intel reports | Other campaigns by same group, additional infrastructure, victim sectors |
| Victim (sector/geography) | ISAC sharing, government advisories | Other organizations in same sector being targeted, predicted next victims |
Exercise: Map the IOCs to Diamond Vertices
SOC Application
Using the Kill Chain for Alert Triage
When a SIEM alert fires, the first question a SOC analyst should ask is: "What Kill Chain phase does this activity represent?" The phase immediately tells you how urgent the situation is, what the attacker likely did before this event, and what they are trying to do next. This context shapes the entire investigation and escalation decision.
| SIEM Alert Description | Kill Chain Phase | Urgency | Analyst Next Action |
|---|---|---|---|
| Port scan from external IP against web server | Reconnaissance | Low | Log, check if same IP appears in threat intel feeds |
| User opened macro-enabled Word doc from email | Delivery | Medium-High | Check for child process spawn, quarantine and sandbox the file |
| Word.exe spawned PowerShell.exe with encoded command | Exploitation | Critical | Isolate endpoint immediately, escalate to Tier 2, begin IR |
| New scheduled task created at 02:00 by non-admin user | Installation | Critical | Examine task command line, cross-reference with endpoint timeline |
| Endpoint beaconing to unknown IP on HTTPS every 60 seconds | C2 | Critical | Block C2 IP at firewall, isolate host, pull memory for analysis |
| Large compressed archive uploaded to cloud storage | Actions on Objectives | Critical | Block upload, DLP review of archive contents, full IR activation |
A port scan from the internet is routine noise. A port scan from an internal endpoint that just had a suspicious macro executed is a critical signal of lateral movement during the Actions phase. The same raw alert has completely different implications depending on the Kill Chain context.
Using the Diamond Model for Threat Intelligence
The Diamond Model's primary strength is connecting disparate pieces of intelligence into a coherent picture. When a Tier 2/3 analyst receives a list of IOCs from a Tier 1 escalation, they populate a diamond and then pivot to enrich each vertex with additional intelligence.
Case Study: APT29 / SolarWinds (2020)
The SolarWinds supply chain attack is one of the most significant intrusions in history. Mapping it through both frameworks illustrates how they work together.
Integration with MITRE ATT&CK
Kill Chain + ATT&CK
Each Kill Chain phase maps to one or more ATT&CK tactics. Delivery = Initial Access (TA0001). C2 = Command and Control (TA0011). ATT&CK provides the technique-level detail within each phase — it answers "how specifically" was each Kill Chain phase executed.
Diamond + ATT&CK
ATT&CK technique IDs populate the Capability vertex. When malware analysis identifies T1055 (Process Injection) and T1071.001 (Web Protocols C2), those technique IDs become the formal capability documentation in the diamond. ATT&CK Navigator can visualize coverage across campaigns.
Detection Coverage Mapping
Overlay your SIEM rules against ATT&CK technique coverage. Gaps in your coverage map = phases where you are blind. Cross-reference with Kill Chain phases to prioritize — gaps at Delivery and C2 are higher priority than gaps at Weaponization.
In an interview or exam scenario, you should be able to look at any suspicious activity description and immediately identify the Kill Chain phase and the Diamond vertex it most directly represents. Practice by reading threat intel reports and mapping each IOC. The more automatic this becomes, the faster your triage will be in production.
Knowledge Check
Test your understanding of the Cyber Kill Chain and Diamond Model. Score 75% or higher to complete the module.
1. A SOC analyst observes that an attacker used LinkedIn to identify IT staff and Shodan to enumerate exposed services at the target organization. Which Kill Chain phase does this represent?
2. Threat intelligence reveals that an adversary embedded a Cobalt Strike payload inside a Word document that exploits a macro vulnerability. Before the document is sent to any victim, which Kill Chain phase is active?
3. After a successful phishing attack, malware creates a scheduled task that runs at system startup to ensure it survives a reboot. This activity maps to which Kill Chain phase?
4. In the Diamond Model, an analyst identifies that a known C2 IP address is hosted on the same autonomous system as three other malicious domains previously attributed to APT28. This analytical technique is called:
5. A malware sample is analyzed. The report identifies it as a Dridex variant with two hardcoded C2 IP addresses in its configuration. In the Diamond Model, the malware and its encoded C2 configuration data would be categorized under which vertex?
6. An endpoint sends HTTPS requests to an unknown IP every 57 seconds. The destination has never been visited by any other host on the network. Which Kill Chain phase is most likely occurring, and what is the immediate priority action?
7. Which statement best describes the primary difference between the Cyber Kill Chain and the Diamond Model?
8. During analysis of the SolarWinds attack, an analyst notes that SUNBURST communicated via DNS queries to attacker-controlled subdomains. This infrastructure component — the attacker-registered domain used for C2 — belongs to which Diamond Model vertex?