CS0-003 | Chapter 17 of 100 | Objective 1.1

Cyber Kill Chain and Diamond Model

This chapter covers two foundational threat modeling frameworks: the Cyber Kill Chain and the Diamond Model. For the CS0-003 exam, understanding these models is critical for security operations, as they are used to analyze intrusions, identify adversary behavior, and improve detection. Approximately 10-15% of exam questions in the Security Operations domain touch on threat modeling concepts, including these frameworks. You will need to apply them to scenarios, not just recall definitions.

25 min read
Intermediate
Updated May 31, 2026

The Burglary and the Detective's Web

Imagine a burglar planning to rob a house. The Cyber Kill Chain is like the burglar's step-by-step process: first, they case the neighborhood (reconnaissance), then create a custom tool like a lockpick (weaponization), deliver it by slipping it under the door (delivery), exploit a weak lock (exploitation), install a hidden camera (installation), establish a hideout to monitor (command and control), and finally steal valuables (actions on objectives). Now, the Diamond Model is like a detective's case file that captures the entire crime network. It has four vertices: the burglar (adversary), the house (victim), the lockpick and camera (capability), and the hideout (infrastructure). The detective draws lines between these to show how the burglar uses the capability via the hideout to target the victim. The model also tracks the social, political, and economic context (meta-features) and the timeline. Together, the kill chain shows the sequence of events, while the diamond model reveals the relationships and patterns, helping the detective predict the burglar's next move and connect separate burglaries to the same criminal network.

How It Actually Works

What Are the Cyber Kill Chain and Diamond Model?

The Cyber Kill Chain, developed by Lockheed Martin in 2011, is a framework that describes the stages of a cyber attack. It is based on military concepts of a 'kill chain' – a systematic process to identify, target, and engage an adversary. In cybersecurity, it models the steps an attacker must take to successfully compromise a network. The original seven phases are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.

The Diamond Model, introduced by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in 2013, is a more analytical framework that focuses on the relationships between four core components: Adversary, Victim, Capability, and Infrastructure. It emphasizes that every intrusion event is a diamond with these four vertices, connected by edges representing their relationships. The model also includes meta-features (e.g., timestamp, phase, result, direction, methodology, resources) and social-political-economic context.

How They Work Internally

The Cyber Kill Chain is linear and sequential. It assumes that an attacker must progress through each phase to achieve their goal. However, in practice, attackers may loop back or skip phases (e.g., using a USB drop bypasses delivery via email). The model helps defenders identify where they can break the chain. For example, if you can block delivery (e.g., email filtering), you prevent the attack from progressing.

The Diamond Model is event-focused. Each event is a diamond with four vertices:

- Adversary: The threat actor (individual, group, organization).
- Victim: The target (organization, person, asset).
- Capability: The tools, techniques, and malware used.
- Infrastructure: The systems and networks used by the adversary (e.g., C2 servers, domains).

Edges connect vertices: Adversary uses Capability via Infrastructure against Victim. The model also includes event metadata like timestamp, phase (from kill chain), result (success/failure), direction (victim to infrastructure or vice versa), methodology (e.g., spear-phishing), and resources (e.g., knowledge, funding).

Key Components, Values, and Defaults

Cyber Kill Chain Phases (Lockheed Martin):

1. Reconnaissance: Research, identification, and selection of targets. Examples: harvesting email addresses, scanning for open ports.
2. Weaponization: Coupling a payload with a delivery mechanism (e.g., exploit with a dropper). Typically creates a deliverable like a malicious document.
3. Delivery: Transmission of the weapon to the target. Methods: email attachments, USB drives, web downloads.
4. Exploitation: Triggering the weapon to exploit a vulnerability. Often involves code execution.
5. Installation: Installing malware or a backdoor on the victim system.
6. Command and Control (C2): Establishing a channel to control the compromised system remotely.
7. Actions on Objectives: Achieving the attacker's goal (e.g., data exfiltration, encryption for ransomware).

Diamond Model Core Vertices:

- Adversary: Can be internal (insider) or external. The model distinguishes between adversary (the actor) and operator (the person executing the attack).
- Victim: Can be an organization, person, or asset. Often includes victim persona (e.g., CEO) and victim assets (e.g., database).
- Capability: The malware or exploit. Includes capability capacity (e.g., polymorphic) and capability type (e.g., remote access trojan).
- Infrastructure: The physical or virtual systems used. Includes command and control servers, domains, IP addresses. Can be malicious (owned by the adversary) or compromised (hijacked).

Meta-Features:

- Timestamp: When the event occurred.
- Phase: The kill chain phase (e.g., Delivery).
- Result: Success, failure, or unknown.
- Direction: Victim-to-infrastructure (e.g., beaconing) or infrastructure-to-victim (e.g., exploit).
- Methodology: The general class of activity (e.g., spear-phishing, watering hole).
- Resources: The resources required for the event (e.g., software, knowledge, funding).

Configuration and Verification

These frameworks are not configured like software; they are analytical tools. However, security teams operationalize them through:

- Kill chain mapping: Each detection alert is mapped to a phase. For example, an intrusion detection system (IDS) alert for a known exploit signature maps to the Exploitation phase.
- Diamond model event construction: For each incident, analysts fill out a diamond template. Frameworks like MITRE ATT&CK integrate with the diamond model.
- Verification commands: In a SIEM, you might query for events matching a specific kill chain phase. For example, to detect delivery, you might search email logs for executable attachments:

index=email sourcetype=mail_logs attachment_name=*.exe | stats count by sender, recipient

For C2 detection, you might look for beaconing patterns:

index=network sourcetype=proxy dest_ip=185.220.101.0/24 | timechart count by src_ip
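The SIEM query above flags traffic to a known range; the more general C2 check is the regularity of the connections themselves. The following is an added Python example, not part of the chapter, that scores each source/destination pair in a set of constructed proxy log lines by how constant its inter-arrival times are, and tags the hits with the kill chain phase and diamond direction an analyst would record. The log format (timestamp, source, destination, bytes) and the jitter threshold are assumptions.

```python
"""Beaconing detector over proxy logs (added example, not from the chapter).

Assumes a simplified whitespace-separated log: ISO timestamp, src_ip, dest_ip,
bytes. Real proxy logs differ in layout and field names.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines. 10.0.0.5 checks in every ~60 s (beacon-like);
# 10.0.0.7 shows irregular, user-driven traffic.
SAMPLE_PROXY_LOGS = """\
2026-05-31T10:00:00 10.0.0.5 203.0.113.10 512
2026-05-31T10:01:00 10.0.0.5 203.0.113.10 514
2026-05-31T10:02:01 10.0.0.5 203.0.113.10 510
2026-05-31T10:03:00 10.0.0.5 203.0.113.10 512
2026-05-31T10:04:00 10.0.0.5 203.0.113.10 513
2026-05-31T10:00:12 10.0.0.7 198.51.100.20 2048
2026-05-31T10:07:45 10.0.0.7 198.51.100.20 131072
2026-05-31T10:09:01 10.0.0.7 198.51.100.20 90
2026-05-31T10:31:30 10.0.0.7 198.51.100.20 3000
2026-05-31T10:35:02 10.0.0.7 198.51.100.20 700
"""


def parse_proxy_logs(text):
    """Group connection timestamps by (src_ip, dest_ip)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_interval_s, jitter_ratio) for a list of timestamps.

    jitter_ratio is the population stdev of the inter-arrival gaps divided by
    their mean: near 0 means a metronome-like check-in, near 1 means random.
    Fewer than four connections gives too few gaps to judge, so return None.
    """
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(flows, max_jitter=0.2, min_connections=4):
    """Flag flows whose inter-arrival times are nearly constant.

    Each hit carries the kill chain phase and diamond direction an analyst
    would record for beaconing. max_jitter is an assumed tuning value.
    """
    hits = []
    for (src, dst), timestamps in flows.items():
        if len(timestamps) < min_connections:
            continue
        score = beacon_score(timestamps)
        if score is None:
            continue
        interval, jitter = score
        if jitter <= max_jitter:
            hits.append({
                "src_ip": src,
                "dest_ip": dst,
                "interval_s": round(interval, 1),
                "jitter": round(jitter, 3),
                "kill_chain_phase": "Command and Control",
                "direction": "victim-to-infrastructure",
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_logs(SAMPLE_PROXY_LOGS)):
        print(hit)
```

On the constructed input only the 10.0.0.5 flow is reported (interval about 60 s, jitter near 0.01); the second host's gaps vary by hundreds of seconds and fall well above the threshold. In practice, many implants add random sleep jitter, so the threshold is something to tune against your own baseline rather than a fixed constant.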

Interaction with Related Technologies

The Cyber Kill Chain and Diamond Model complement other frameworks:

- MITRE ATT&CK: Provides a detailed taxonomy of tactics and techniques that map to kill chain phases. For example, the ATT&CK tactic 'Initial Access' maps to the Delivery phase. The diamond model can be extended with ATT&CK techniques as capabilities.
- Unified Kill Chain: An extended version that adds phases like 'Lateral Movement' and 'Impact' to better cover modern attacks.
- NIST Incident Response: The kill chain helps identify where detection and prevention controls are needed, while the diamond model helps analyze adversary behavior.
- Threat Intelligence: The diamond model is used to structure threat intelligence reports, linking adversaries to their capabilities and infrastructure.

Practical Application: Step-by-Step

When analyzing an intrusion, an analyst might:

1. Identify a suspicious email (Delivery phase).
2. Extract the attachment and analyze it (Weaponization phase).
3. Determine if the attachment exploited a vulnerability (Exploitation).
4. Check for subsequent connections to external IPs (C2).
5. Build a diamond: Adversary (unknown), Victim (the company), Capability (the malware), Infrastructure (the C2 server).
6. Use the diamond to pivot: Search for other events with the same infrastructure or capability.
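The diamond structure described under "How They Work Internally" and the pivot in step 6 above, as an added Python example (not code from the chapter): a record type with the four vertices and six meta-features, an alert-to-phase mapping that also derives the direction meta-feature, a pivot on shared infrastructure or capability, and the time-ordered phase list for one victim. The alert rule names, hosts, hashes and addresses are constructed placeholders.

```python
"""Diamond Model event records with kill chain phase mapping and pivoting.

Added example, not code from the chapter. Vertex and meta-feature names follow
the Diamond Model; ALERT_TYPE_TO_PHASE and SAMPLE_ALERTS are constructed
stand-ins for a real SIEM's rule names and alert records.
"""
from dataclasses import dataclass, field
from typing import List

KILL_CHAIN_PHASES = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)

# Assumption: alert rule names would come from your own SIEM; these are made up.
ALERT_TYPE_TO_PHASE = {
    "port_scan": "Reconnaissance",
    "malicious_attachment": "Delivery",
    "exploit_signature": "Exploitation",
    "new_persistence_service": "Installation",
    "beacon": "Command and Control",
    "large_outbound_transfer": "Actions on Objectives",
}

# Phases whose traffic originates at the victim (beaconing, exfiltration).
OUTBOUND_PHASES = {"Command and Control", "Actions on Objectives"}


@dataclass
class DiamondEvent:
    """One intrusion event: four vertices plus the six meta-features."""
    adversary: str
    victim: str
    capability: str
    infrastructure: str
    timestamp: str          # ISO 8601
    phase: str              # kill chain phase
    result: str = "unknown"
    direction: str = "unknown"
    methodology: str = "unknown"
    resources: List[str] = field(default_factory=list)

    def __post_init__(self):
        # Reject phases outside the seven-phase model so typos don't silently pass.
        if self.phase not in KILL_CHAIN_PHASES:
            raise ValueError(f"unknown kill chain phase: {self.phase}")


def event_from_alert(alert: dict, victim_org: str) -> DiamondEvent:
    """Map a raw alert record to a diamond; direction is derived from the phase."""
    phase = ALERT_TYPE_TO_PHASE[alert["alert_type"]]
    direction = ("victim-to-infrastructure" if phase in OUTBOUND_PHASES
                 else "infrastructure-to-victim")
    return DiamondEvent(
        adversary=alert.get("adversary", "unknown"),
        victim=f"{victim_org}:{alert['victim_host']}",
        capability=alert["capability"],
        infrastructure=alert["infrastructure"],
        timestamp=alert["timestamp"],
        phase=phase,
        result=alert.get("result", "unknown"),
        direction=direction,
        methodology=alert.get("methodology", "unknown"),
    )


def pivot(events, infrastructure=None, capability=None):
    """Events that share the given infrastructure and/or capability (step 6)."""
    return [
        e for e in events
        if (infrastructure is None or e.infrastructure == infrastructure)
        and (capability is None or e.capability == capability)
    ]


def activity_thread(events, victim):
    """Kill chain phases observed for one victim, in time order."""
    mine = sorted((e for e in events if e.victim == victim), key=lambda e: e.timestamp)
    return [e.phase for e in mine]


# Constructed alert records; hosts, hashes and addresses are placeholders.
SAMPLE_ALERTS = [
    {"timestamp": "2026-05-31T09:12:00", "alert_type": "malicious_attachment",
     "victim_host": "ws-042", "capability": "invoice.doc (sha256 PLACEHOLDER-1)",
     "infrastructure": "mail-relay.example.net", "methodology": "spear-phishing",
     "result": "success"},
    {"timestamp": "2026-05-31T09:15:30", "alert_type": "beacon", "victim_host": "ws-042",
     "capability": "backdoor.dll (sha256 PLACEHOLDER-2)",
     "infrastructure": "203.0.113.10", "result": "success"},
    {"timestamp": "2026-05-31T11:40:00", "alert_type": "beacon", "victim_host": "srv-db-01",
     "capability": "backdoor.dll (sha256 PLACEHOLDER-2)",
     "infrastructure": "203.0.113.10", "result": "success"},
    {"timestamp": "2026-05-31T12:05:00", "alert_type": "port_scan", "victim_host": "fw-edge",
     "capability": "port scanner", "infrastructure": "198.51.100.7"},
]


if __name__ == "__main__":
    events = [event_from_alert(a, "ExampleCorp") for a in SAMPLE_ALERTS]
    for e in pivot(events, infrastructure="203.0.113.10"):
        print(e.victim, e.phase, e.direction)
    print(activity_thread(events, "ExampleCorp:ws-042"))
```

Pivoting on the C2 address surfaces the second victim (srv-db-01) that the original phishing alert never mentioned, which is the linkage the diamond is for; the per-victim thread for ws-042 reads Delivery then Command and Control, the sequence the kill chain contributes.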

Exam-Relevant Details

The CS0-003 exam expects you to:

Identify the correct phase of the kill chain given a scenario.

Recognize that the diamond model focuses on relationships, not just sequence.

Understand that the kill chain is linear but attacks may not follow it strictly.

Know that the diamond model includes meta-features like phase, direction, and result.

Be able to apply both models to a given incident description.

Common trap: Candidates confuse the 'Exploitation' phase with 'Installation' or think the kill chain is always followed in order. The exam might present a scenario where an attacker uses a USB drop instead of email. You must recognize that the kill chain still applies: Delivery is not skipped, it is just performed by a different method.

Another trap: The diamond model has four vertices, but candidates forget meta-features. The exam may ask what additional information should be included, and the answer is meta-features like timestamp or phase.

Walk-Through

1

Identify Intrusion Event

The analyst identifies an anomaly, such as an alert from an IDS or a user report. This event is the starting point for analysis. The event includes raw data: source IP, destination IP, timestamp, and alert type. The analyst records the timestamp and basic details. This event will be mapped to both the kill chain and diamond model. For example, an IDS alert for 'ET TROJAN Win32.Zbot Beacon' indicates potential C2 activity.

2

Map Event to Kill Chain Phase

The analyst determines which phase of the Cyber Kill Chain the event represents. Using the alert type and context, they classify it as, for example, 'Command and Control' if it's a beacon. This mapping helps understand the attacker's progress. If the event is a spear-phishing email, it maps to 'Delivery'. The analyst documents the phase in incident notes. This step is critical for prioritizing response: earlier phases allow more chance to block.

3

Construct Diamond Model Event

The analyst creates a diamond with four vertices: Adversary (unknown initially), Victim (the affected organization), Capability (the malware or exploit), Infrastructure (the C2 server IP). They populate meta-features: timestamp, phase (from step 2), result (success if compromise occurred), direction (victim-to-infrastructure for beaconing), and methodology (e.g., spear-phishing). This structured representation enables linkage to other events.

4

Pivot Using Diamond Connections

Using the diamond, the analyst searches for other events sharing the same infrastructure (e.g., same C2 IP) or capability (e.g., same malware hash). This reveals other victims or related activities. For example, if the C2 IP is known from threat intelligence, the analyst can identify the adversary group. This step leverages the diamond's power: connecting events that might otherwise appear unrelated.

5

Update and Refine Over Time

As the investigation progresses, the analyst updates the diamond. New information may identify the adversary (e.g., via attribution), add more infrastructure (e.g., additional C2 domains), or change the phase (e.g., if later events show data exfiltration, add 'Actions on Objectives'). The diamond evolves into a network of events, forming an 'activity thread' that tells the full story of the intrusion.

What This Looks Like on the Job

Scenario 1: Incident Response at a Financial Institution

A large bank detects unusual outbound traffic from a server in the DMZ. The security team uses the Cyber Kill Chain to map the event: the initial compromise occurred via a phishing email (Delivery) that exploited an unpatched browser (Exploitation), installed a backdoor (Installation), and then beaconed to a foreign IP (C2). The team constructs a Diamond Model: Adversary (suspected APT group 'SilverFish'), Victim (the bank's web server), Capability (a custom backdoor 'BlindEye'), Infrastructure (IP 5.5.5.5). By pivoting on the C2 IP, they find three other servers with similar beacons. The kill chain helps them prioritize containment: they block the C2 IP at the firewall (breaking the C2 phase) and isolate the infected servers. The diamond model is shared with threat intelligence partners, who link the same IP to attacks on other banks. In production, this approach reduces incident response time by 40% and improves detection of lateral movement.

Scenario 2: Threat Hunting in a Cloud Environment

A cloud security engineer monitors AWS CloudTrail logs for suspicious API calls. They use the kill chain to hypothesize that an attacker might be in the Reconnaissance phase (scanning for open S3 buckets). They set up a detection for unusual 'ListBuckets' calls. When triggered, they build a diamond: Adversary (unknown external), Victim (the AWS account), Capability (AWS CLI tools), Infrastructure (source IP from a known VPN provider). The meta-feature 'phase' is Reconnaissance. The engineer then searches for other events from the same IP (infrastructure) to see if it progressed to Delivery (e.g., uploading a malicious file). This proactive hunting prevents a potential data breach. Common mistake: ignoring the meta-feature 'direction' – in this case, the direction is infrastructure-to-victim (the attacker's IP scanning the victim's S3). Misconfiguring the diamond by omitting meta-features leads to incomplete analysis.
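Scenario 2 as an added Python example (not code from the chapter): constructed CloudTrail-style records are scanned for ListBuckets calls from addresses outside a baseline, each hit is expressed as a diamond with the direction set to infrastructure-to-victim and the result taken from the record's errorCode, and the same source IP is then followed forward to see whether it progressed to an upload. The record field names are those of the CloudTrail schema; the records, the account id, the baseline set and the event-name-to-phase mapping are assumptions.

```python
"""Reconnaissance detection over CloudTrail records with Diamond Model output.

Added example, not from the chapter. Field names (eventTime, eventName,
eventSource, sourceIPAddress, userIdentity, recipientAccountId, errorCode)
follow the CloudTrail record schema; every value below is constructed.
"""
import json
from collections import Counter

_ACCOUNT = "111122223333"  # constructed account id
_CONTRACTOR = {"type": "IAMUser", "arn": f"arn:aws:iam::{_ACCOUNT}:user/contractor"}
_BOT = {"type": "IAMUser", "arn": f"arn:aws:iam::{_ACCOUNT}:user/backup-bot"}


def _rec(time, name, ip, identity, **extra):
    """Build one constructed CloudTrail-shaped S3 record."""
    r = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
         "sourceIPAddress": ip, "userIdentity": identity, "recipientAccountId": _ACCOUNT}
    r.update(extra)
    return r


SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _rec("2026-05-31T08:00:10Z", "ListBuckets", "10.20.0.4", _BOT),
    _rec("2026-05-31T08:05:00Z", "ListBuckets", "198.51.100.77", _CONTRACTOR),
    _rec("2026-05-31T08:05:03Z", "ListBuckets", "198.51.100.77", _CONTRACTOR),
    _rec("2026-05-31T08:06:40Z", "GetBucketAcl", "198.51.100.77", _CONTRACTOR,
         errorCode="AccessDenied"),
    _rec("2026-05-31T08:20:00Z", "PutObject", "198.51.100.77", _CONTRACTOR),
]})

# Assumption: addresses your own automation normally calls from.
KNOWN_SOURCE_IPS = {"10.20.0.4"}

# Assumption, following the chapter: enumeration is Reconnaissance, an upload is Delivery.
PHASE_BY_EVENT = {"ListBuckets": "Reconnaissance", "GetBucketAcl": "Reconnaissance",
                  "PutObject": "Delivery"}


def parse_cloudtrail(text):
    return json.loads(text)["Records"]


def recon_candidates(records, known_ips=KNOWN_SOURCE_IPS, min_calls=2):
    """Count ListBuckets per source IP outside the baseline; flag those at/above threshold."""
    counts = Counter(
        r["sourceIPAddress"] for r in records
        if r["eventName"] == "ListBuckets" and r["sourceIPAddress"] not in known_ips
    )
    return {ip: n for ip, n in counts.items() if n >= min_calls}


def diamond_for_record(record):
    """Diamond vertices and meta-features for one API-call event.

    The caller's IP acts on the victim account, so direction is
    infrastructure-to-victim; a CloudTrail errorCode marks a failed attempt.
    """
    return {
        "adversary": "unknown external",
        "victim": f"aws-account:{record['recipientAccountId']}",
        "capability": f"AWS API call {record['eventName']} as {record['userIdentity']['arn']}",
        "infrastructure": record["sourceIPAddress"],
        "timestamp": record["eventTime"],
        "phase": PHASE_BY_EVENT.get(record["eventName"], "unknown"),
        "result": "failure" if "errorCode" in record else "success",
        "direction": "infrastructure-to-victim",
        "methodology": "cloud API enumeration",
    }


def progression(records, ip, after):
    """Events from the same infrastructure after the recon hit, with their phases.

    Timestamps share one ISO format, so plain string comparison orders them.
    """
    later = sorted((r for r in records
                    if r["sourceIPAddress"] == ip and r["eventTime"] > after),
                   key=lambda r: r["eventTime"])
    return [(r["eventTime"], r["eventName"], PHASE_BY_EVENT.get(r["eventName"], "unknown"))
            for r in later]


if __name__ == "__main__":
    records = parse_cloudtrail(SAMPLE_CLOUDTRAIL)
    for ip, n in recon_candidates(records).items():
        first = next(r for r in records if r["sourceIPAddress"] == ip)
        print(diamond_for_record(first))
        print(progression(records, ip, first["eventTime"]))
```

Note that the flagged calls were made with a valid IAM user; the suspicious part is the source infrastructure and the enumeration pattern, not the identity. The follow-up on the same IP shows a denied GetBucketAcl (result: failure) and then a PutObject, which under the chapter's mapping is the move from Reconnaissance to Delivery that the hunt was designed to catch.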

Scenario 3: Threat Intelligence Sharing

A Managed Security Service Provider (MSSP) uses the Diamond Model to structure threat intelligence feeds. For each adversary group, they maintain a diamond with known capabilities and infrastructure. When a client reports a new incident, the MSSP automatically correlates it with existing diamonds. For example, a client's alert for a PowerShell script (capability) connecting to a specific domain (infrastructure) matches a known diamond for the 'DarkHydrus' group. The MSSP then provides the client with the full kill chain phases that DarkHydrus typically uses (e.g., spear-phishing, then C2 via DNS tunneling). This enables the client to implement preventive controls for future attacks. Performance consideration: the diamond database must be indexed by capability hash and infrastructure IP for fast correlation. If the database is not normalized, false positives increase.

How CS0-003 Actually Tests This

What CS0-003 Tests

The exam objectives under 'Security Operations' (1.1) include 'Explain the importance of threat modeling frameworks' and specifically mention the Cyber Kill Chain and Diamond Model. You must be able to:

Identify the correct kill chain phase given a scenario (e.g., 'An attacker sends a spear-phishing email' → Delivery).

Recognize that the Diamond Model has four core components: Adversary, Victim, Capability, Infrastructure.

Understand that the Diamond Model includes meta-features like phase, direction, and result.

Apply both models to an intrusion analysis scenario.

Common Wrong Answers and Why Candidates Choose Them

1.

Confusing Exploitation and Installation: Candidates often think that executing a payload is 'Installation', but it's 'Exploitation' (triggering the vulnerability). Installation happens after exploitation, when the attacker ensures persistence. The exam might describe a scenario where a dropper downloads and executes malware – that's Exploitation (the dropper exploits a vulnerability to run), not Installation.

2.

Thinking the Kill Chain is Always Linear: The exam may present a scenario where an attacker uses a USB drop (Delivery) but skips Weaponization (the USB already contains the weapon). Candidates might say the kill chain is broken, but the model still applies – the phases are just condensed. The correct answer is that the kill chain is a guideline, not a strict sequence.

3.

Omitting Meta-Features in Diamond Model: When asked 'What is missing from this diamond?', candidates often list only the four vertices. But the exam expects meta-features like timestamp, phase, direction, and result. For example, a diamond without a timestamp is incomplete for timeline analysis.

4.

Confusing Victim and Infrastructure: In a scenario where a victim's machine connects to a C2 server, candidates might label the victim's machine as 'Infrastructure'. But infrastructure is the adversary's systems, not the victim's. The victim's machine is part of the victim asset, not infrastructure.

Specific Numbers, Values, and Terms

The Cyber Kill Chain was developed by Lockheed Martin (2011).

The Diamond Model was introduced in 2013 by Caltagirone, Pendergast, and Betz.

The original kill chain has 7 phases. Some extended versions have more (e.g., 18 in Unified Kill Chain).

The Diamond Model has 4 core vertices and 6 meta-features (timestamp, phase, result, direction, methodology, resources).

Edge Cases and Exceptions

Insider threats: The kill chain may not apply neatly because the insider already has access (no Reconnaissance or Delivery). The diamond model still works: Adversary is the insider, Victim is the organization, Capability is their access, Infrastructure is internal systems.

Ransomware: Often skips some phases (e.g., no C2 if ransomware uses built-in encryption). The kill chain still maps: Delivery via phishing, Exploitation, Installation, then Actions on Objectives (encryption). C2 may be absent or minimal.

Cloud-based attacks: Infrastructure may be ephemeral (e.g., AWS Lambda functions). The diamond model must capture the infrastructure as the cloud resource, not just IP addresses.

How to Eliminate Wrong Answers

If a question asks for the kill chain phase of a specific action, think about the goal of that action. Reconnaissance is about gathering info; Delivery is about sending the weapon; Exploitation is about triggering the vulnerability; Installation is about persistence; C2 is about communication; Actions is about achieving the objective.

If a question asks about the Diamond Model, eliminate answers that list only three components or that include 'vulnerability' (which is not a core vertex). Vulnerability is part of the capability or the victim's weakness, but not a separate vertex.

For meta-features, remember the acronym 'TPRDM' (Timestamp, Phase, Result, Direction, Methodology) – but also resources. If a question says 'what additional data should be included?', look for these.

Key Takeaways

The Cyber Kill Chain has 7 phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.

The Diamond Model has 4 vertices: Adversary, Victim, Capability, Infrastructure.

Meta-features in the Diamond Model include timestamp, phase, result, direction, methodology, and resources.

The kill chain is a guideline, not a strict sequence; attackers may skip phases.

The Diamond Model is event-based and helps connect separate incidents to the same adversary.

Both models are used together in incident analysis: kill chain for sequence, diamond for relationships.

On the CS0-003 exam, expect scenario-based questions asking which phase or which diamond component is described.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Cyber Kill Chain

Linear sequential model with 7 phases.

Focuses on the attacker's steps over time.

Developed by Lockheed Martin in 2011.

Helps identify where to break the attack chain.

Less effective for analyzing complex relationships between multiple events.

Diamond Model

Relational model with 4 core vertices and meta-features.

Focuses on relationships between adversary, victim, capability, and infrastructure.

Introduced by Caltagirone et al. in 2013.

Helps correlate events and identify patterns across incidents.

Does not inherently capture the sequence of steps.

Watch Out for These

Mistake

The Cyber Kill Chain must be followed in strict order; any deviation means the model is invalid.

Correct

The kill chain is a conceptual model; attackers may skip, repeat, or reorder phases. For example, an insider threat may skip Reconnaissance and Delivery. The model still helps identify where controls can be applied.

Mistake

The Diamond Model only has four vertices and no other attributes.

Correct

The Diamond Model includes meta-features such as timestamp, phase, result, direction, methodology, and resources. These are essential for contextualizing the event.

Mistake

The 'Victim' in the Diamond Model is always a person or organization.

Correct

The victim can be an asset, such as a server, database, or even a specific file. The victim persona (e.g., CEO) is a sub-component.

Mistake

Weaponization and Delivery are the same phase.

Correct

Weaponization is creating the exploit (e.g., bundling malware with a PDF), while Delivery is transmitting it to the target. They are distinct phases.

Mistake

The Diamond Model replaces the Cyber Kill Chain.

Correct

They are complementary. The kill chain provides a temporal sequence, while the diamond model provides a relational structure. Together, they offer a comprehensive view of an intrusion.


Frequently Asked Questions

What is the Cyber Kill Chain?

The Cyber Kill Chain is a framework developed by Lockheed Martin that describes the stages of a cyber attack. It consists of seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. It helps defenders understand and break the attack sequence.

What is the Diamond Model of intrusion analysis?

The Diamond Model is a framework for analyzing cyber intrusions by focusing on the relationships between four core components: Adversary, Victim, Capability, and Infrastructure. It also includes meta-features like timestamp, phase, and result. It helps correlate events and identify adversary patterns.

How do the Cyber Kill Chain and Diamond Model work together?

The Cyber Kill Chain provides a temporal sequence of an attack, while the Diamond Model provides a relational structure. Analysts use the kill chain to map the phase of an event and the diamond model to connect events to the same adversary, capability, or infrastructure. Together, they offer a comprehensive view.

What are the meta-features in the Diamond Model?

Meta-features in the Diamond Model include: Timestamp (when the event occurred), Phase (the kill chain phase), Result (success or failure), Direction (victim-to-infrastructure or vice versa), Methodology (e.g., spear-phishing), and Resources (e.g., knowledge, funding). They provide context for the event.

Can the Cyber Kill Chain be applied to insider threats?

Yes, but with modifications. An insider may skip Reconnaissance and Delivery because they already have access. The kill chain can start at Exploitation or Installation. The Diamond Model still applies: the adversary is the insider, victim is the organization, capability is their access, infrastructure is internal systems.

What is the difference between Weaponization and Delivery?

Weaponization is the creation of the attack tool, such as coupling an exploit with a payload into a deliverable (e.g., a malicious PDF). Delivery is the transmission of that weapon to the target, such as via email attachment or USB drive. They are distinct phases in the kill chain.

How do I remember the Diamond Model vertices?

Use the acronym 'AVCI' (Adversary, Victim, Capability, Infrastructure). Think of 'AVCI' as 'A Very Critical Incident' to remember the four core components. Meta-features can be remembered as 'TPRDM' (Timestamp, Phase, Result, Direction, Methodology) plus Resources.

