
CTI Models

Discover the essential frameworks and models to structure, analyze and effectively communicate Threat Intelligence information.

Analysis frameworks

The 4 essential models

Each model brings a unique perspective to understand, analyze and effectively communicate about cyber threats.

Model 1/4

Diamond Model

Analysis framework structuring threats around 4 interconnected components for a holistic understanding of cyberattacks

The Diamond Model, developed by Sergio Caltagirone, Andrew Pendergast and Christopher Betz, provides an analytical structure for understanding the relationships between different elements of a cyberattack.

Main components

Adversary

The malicious actor behind the attack

APT group, hacktivist, cybercriminal or nation-state

Infrastructure

Technical resources used

C2 servers, domains, IP addresses, cloud services

Capability

Tools, techniques and tactics

Malware, exploits, scripts, social engineering methods

Victim

Target of the attack

Organization, sector, individuals, targeted assets

Meta-characteristics

  • Timestamp: timing of events
  • Phase: step in the kill chain
  • Result: success or failure of the action
  • Direction: flow of the attack (infrastructure → victim)
  • Methodology: technical approach used
  • Resources: means mobilized

Use cases

  • Correlation of security incidents
  • Attribution of attacks to APT groups
  • Identification of coordinated campaigns
  • Threat prioritization

Advantages

  • Clear and reproducible structure
  • Facilitates pivot analysis
  • Improves communication between teams
  • Allows contextual enrichment
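The pivot analysis the model is praised for, as an added example that is not part of the original guide: each event carries the four core features plus meta-characteristics, and pivoting on shared infrastructure or capability links unattributed events into an activity thread. Adversary labels, hostnames and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond Model event: four core features plus a few meta-characteristics."""
    adversary: Optional[str]   # None while the event is not yet attributed
    infrastructure: str        # C2 server, domain, IP address
    capability: str            # malware family, exploit, technique
    victim: str                # organization or asset
    phase: str                 # meta-characteristic: kill chain step
    timestamp: str             # meta-characteristic: ISO-8601 time of the event
    result: str = "unknown"    # meta-characteristic: success or failure

# Constructed sample events (hypothetical adversaries, documentation IP ranges and hostnames).
EVENTS = [
    DiamondEvent("APT-X", "203.0.113.10", "phish-doc", "org-a", "Delivery", "2024-01-02T10:00:00Z", "success"),
    DiamondEvent(None, "203.0.113.10", "loader-v2", "org-b", "Installation", "2024-01-05T09:30:00Z", "success"),
    DiamondEvent(None, "c2.example.net", "loader-v2", "org-c", "Command & Control", "2024-01-07T11:00:00Z", "failure"),
    DiamondEvent("APT-Y", "198.51.100.5", "ransom-z", "org-d", "Actions on Objectives", "2024-01-08T12:00:00Z", "success"),
]

def pivot(events: List[DiamondEvent], feature: str, value: str) -> List[DiamondEvent]:
    """Single pivot: all events sharing one vertex value (e.g. the same C2 address)."""
    return [e for e in events if getattr(e, feature) == value]

def activity_thread(events: List[DiamondEvent], seed: DiamondEvent) -> List[DiamondEvent]:
    """Transitive pivoting over infrastructure and capability from a seed event,
    returning the linked events in time order (an analytic clustering heuristic)."""
    linked, frontier = {seed}, [seed]
    while frontier:
        current = frontier.pop()
        for feature in ("infrastructure", "capability"):
            for e in pivot(events, feature, getattr(current, feature)):
                if e not in linked:
                    linked.add(e)
                    frontier.append(e)
    return sorted(linked, key=lambda e: e.timestamp)

def attribution_hypotheses(thread: List[DiamondEvent]) -> Set[str]:
    """Adversary labels already present in a thread. A single label is a hypothesis for the
    unattributed events, not proof: shared infrastructure can be rented, resold or hijacked."""
    return {e.adversary for e in thread if e.adversary}
```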
Model 2/4

Cyber Kill Chain

Sequential model in 7 phases describing the complete life cycle of a cyberattack, from initial reconnaissance to final objectives

Developed by Lockheed Martin, the Cyber Kill Chain® is inspired by military concepts and adapted to cybersecurity to understand and counter intrusions.

The 7 attack phases

1. Reconnaissance

Gathering information about the target

Techniques:
  • OSINT
  • Network scanning
  • Social engineering
Defenses:
  • Monitoring scan attempts
  • Honeypots
  • Limiting public information

2. Weaponization

Creation of the attack vector

Techniques:
  • Malware crafting
  • Exploit packaging
  • Weaponized document
Defenses:
  • Threat Intelligence
  • Malware analysis
  • Signatures

3. Delivery

Transmission of the weapon to the target

Techniques:
  • Phishing
  • Drive-by download
  • USB/physical media
Defenses:
  • Email filtering
  • Web proxy
  • Endpoint protection

4. Exploitation

Exploitation of vulnerabilities

Techniques:
  • Zero-day
  • Known CVEs
  • Weak configuration
Defenses:
  • Patch management
  • Vulnerability scanning
  • IPS/IDS

5. Installation

Installation of persistent access

Techniques:
  • Backdoor
  • Rootkit
  • Scheduled tasks
Defenses:
  • Application whitelisting
  • Integrity monitoring
  • EDR

6. Command & Control

Establishment of C2 channel

Techniques:
  • HTTP/HTTPS C2
  • DNS tunneling
  • P2P
Defenses:
  • Network segmentation
  • C2 detection
  • Firewall rules

7. Actions on Objectives

Achievement of final objectives

Techniques:
  • Exfiltration
  • Sabotage
  • Ransomware
Defenses:
  • DLP
  • Backup
  • Incident response

Advantages

  • Linear model easy to understand
  • Identification of breaking points
  • Orientation toward defense in depth
  • Recognized industry standard

Limitations

  • Assumes linear progression
  • Less suited to modern non-linear attacks
  • Does not cover insider threats
  • Focused on network perimeter
Model 3/4

MITRE ATT&CK

Comprehensive knowledge base documenting tactics, techniques and procedures (TTPs) actually observed in cyberattacks

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) has become the reference framework for understanding adversary behaviors.

Enterprise

Windows, Linux, macOS, Cloud environments

Platforms: Windows, Linux, macOS, Azure AD and 6 others

Mobile

Threats on Android and iOS

Platforms: Android, iOS

ICS

Industrial control systems

Assets: Engineering Workstation, Human-Machine Interface, Control Server, Field Controller/RTU/PLC

The 14 enterprise tactics

Initial Access
TA0001
9 techniques

Techniques to gain a foothold in the system

Examples: Phishing, Exploit Public-Facing Application, Valid Accounts

Execution
TA0002
13 techniques

Execution of malicious code

Examples: Command and Scripting Interpreter, User Execution, Scheduled Task/Job

Persistence
TA0003
19 techniques

Maintenance of access

Examples: Boot or Logon Autostart, Create Account, Valid Accounts

Privilege Escalation
TA0004
13 techniques

Obtaining elevated permissions

Examples: Process Injection, Access Token Manipulation, Exploitation for Privilege Escalation

Defense Evasion
TA0005
42 techniques

Circumventing defenses

Examples: Obfuscated Files or Information, Process Injection, Masquerading

Credential Access
TA0006
17 techniques

Theft of credentials

Examples: Brute Force, Credentials from Password Stores, OS Credential Dumping

Discovery
TA0007
30 techniques

Reconnaissance of the environment

Examples: System Information Discovery, Network Service Discovery, Account Discovery

Lateral Movement
TA0008
9 techniques

Movement within the network

Examples: Remote Services, Internal Spearphishing, Use Alternate Authentication Material

Collection
TA0009
17 techniques

Collection of targeted data

Examples: Data from Local System, Screen Capture, Clipboard Data

Command and Control
TA0011
16 techniques

Communication with C2 infrastructure

Examples: Application Layer Protocol, Encrypted Channel, Web Service

Exfiltration
TA0010
9 techniques

Data extraction

Examples: Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Transfer Data to Cloud Account

Impact
TA0040
13 techniques

Disruption, degradation or destruction

Examples: Data Encrypted for Impact, Service Stop, Resource Hijacking

Use cases

  • Mapping of adversary behaviors
  • Evaluation of detection coverage
  • Red team / Purple team exercises
  • Structured threat hunting
  • Documentation of incidents
  • Security gap analysis

Advantages

  • Living knowledge base with regular updates
  • Common language for the community
  • Mapping with real APT groups
  • Integration in many tools
  • Free and open source
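The "evaluation of detection coverage" and "security gap analysis" use cases, as an added example that is not part of the original guide: detection rules tagged with the tactic ID and technique they cover are scored against the per-tactic technique counts listed above. The rule names and their technique tags are constructed sample data; the metric is technique-level and ignores sub-techniques and rule quality.

```python
from collections import defaultdict

# Enterprise tactics with the technique counts given on this page (used as denominators).
TACTIC_TECHNIQUE_COUNTS = {
    "TA0001": ("Initial Access", 9), "TA0002": ("Execution", 13), "TA0003": ("Persistence", 19),
    "TA0004": ("Privilege Escalation", 13), "TA0005": ("Defense Evasion", 42),
    "TA0006": ("Credential Access", 17), "TA0007": ("Discovery", 30),
    "TA0008": ("Lateral Movement", 9), "TA0009": ("Collection", 17),
    "TA0011": ("Command and Control", 16), "TA0010": ("Exfiltration", 9), "TA0040": ("Impact", 13),
}

# Constructed detection rules, each tagged with one tactic ID and the technique it detects.
RULES = [
    {"name": "phish-attachment", "tactic": "TA0001", "technique": "Phishing"},
    {"name": "phish-link", "tactic": "TA0001", "technique": "Phishing"},
    {"name": "sched-task-create", "tactic": "TA0002", "technique": "Scheduled Task/Job"},
    {"name": "sched-task-persist", "tactic": "TA0003", "technique": "Scheduled Task/Job"},
    {"name": "lsass-access", "tactic": "TA0006", "technique": "OS Credential Dumping"},
    {"name": "proc-inject", "tactic": "TA0004", "technique": "Process Injection"},
    {"name": "proc-inject-evasion", "tactic": "TA0005", "technique": "Process Injection"},
]

def coverage_by_tactic(rules, counts):
    """Fraction of each tactic's techniques that have at least one rule (rounded to 3 places)."""
    covered = defaultdict(set)
    for rule in rules:
        covered[rule["tactic"]].add(rule["technique"])
    return {tid: round(len(covered[tid]) / total, 3) for tid, (_, total) in counts.items()}

def gaps(rules, counts, threshold=0.1):
    """Tactic IDs whose coverage is below the threshold, worst first: input for gap analysis."""
    cov = coverage_by_tactic(rules, counts)
    return sorted((tid for tid, value in cov.items() if value < threshold), key=lambda t: cov[t])

def duplicate_rules(rules):
    """Techniques with more than one rule inside the same tactic (candidates for consolidation)."""
    seen = defaultdict(list)
    for rule in rules:
        seen[(rule["tactic"], rule["technique"])].append(rule["name"])
    return {key: names for key, names in seen.items() if len(names) > 1}
```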
Model 4/4

STIX/TAXII

OASIS standards for structured representation and automated exchange of Threat Intelligence information between organizations

STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) form the backbone of automated CTI sharing.

STIX 2.1 objects

Attack Pattern

Type of TTP used by an adversary

Spearphishing, SQL Injection
Campaign

Set of coordinated malicious activities

APT29 Campaign 2023
Course of Action

Action to prevent or respond

Block IOC, Apply patch
Identity

Individual, organization or group

APT28, Lazarus Group
Indicator

Pattern to detect suspicious activity

File hash, malicious IP
Intrusion Set

Group of behaviors and resources

Arsenal of an APT group
Malware

Malicious software

Emotet, Cobalt Strike
Observed Data

Raw observation of an event

Logs, network traffic
Report

Threat Intelligence report

Campaign analysis
Threat Actor

Malicious actor

Nation-state, cybercriminal
Tool

Legitimate software used

Mimikatz, PowerShell
Vulnerability

Exploitable weakness

CVE-2023-12345

TAXII 2.1 components

Collection

Repository of accessible STIX content

Sharing service
Discovery

Entry point to discover services

Discovery service
API Root

Access point grouping collections

Organization service

STIX 2.1 (current version)
  • JSON format
  • Rich relationships
  • Extensibility
  • Compatibility with ATT&CK

TAXII 2.1 (current version)
  • RESTful API
  • Mandatory HTTPS
  • Flexible authentication
  • Advanced filtering

Use cases

  • CTI sharing between organizations
  • Automation of IOC collection
  • SIEM/SOAR enrichment
  • Sharing communities (ISACs)
  • Threat Intelligence Platforms

Advantages

  • Open and interoperable standard
  • Wide adoption in the industry
  • Machine-readable format (JSON)
  • Complex relationships between objects
  • Extensibility via custom objects
  • Integration in MISP, OpenCTI, etc.
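A STIX 2.1 bundle built and checked with only the Python standard library, as an added example that is not part of the original guide (it does not use the official stix2 library): an Indicator that indicates a Malware object, a Course of Action that mitigates it, and a consumer-side validation of id shapes and relationship references before the bundle is ingested into a SIEM or TIP. The timestamp, the address and the rule text are constructed sample data.

```python
import json
import re
import uuid

# Constructed creation time; a real producer uses the current UTC time in this exact format.
CREATED = "2024-01-15T10:00:00.000Z"
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

def stix_object(obj_type, **props):
    """A STIX 2.1 object with the common required properties; type-specific ones come from props."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": CREATED, "modified": CREATED, **props}

def make_bundle():
    """Indicator -> indicates -> Malware, plus a Course of Action that mitigates it."""
    malware = stix_object("malware", name="Emotet", is_family=True, malware_types=["trojan"])
    indicator = stix_object("indicator", name="Emotet C2 address",
                            indicator_types=["malicious-activity"],
                            pattern="[ipv4-addr:value = '203.0.113.10']",  # documentation range
                            pattern_type="stix", valid_from=CREATED)
    coa = stix_object("course-of-action", name="Block the C2 address at the egress firewall")
    indicates = stix_object("relationship", relationship_type="indicates",
                            source_ref=indicator["id"], target_ref=malware["id"])
    mitigates = stix_object("relationship", relationship_type="mitigates",
                            source_ref=coa["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [malware, indicator, coa, indicates, mitigates]}

def validate_bundle(bundle):
    """Consumer-side checks before ingesting: id shape matches the object type, spec_version
    is 2.1, and every *_ref resolves to an object carried in the same bundle."""
    problems = []
    objects = bundle.get("objects", [])
    ids = {o["id"] for o in objects}
    for o in objects:
        if not STIX_ID.match(o.get("id", "")) or not o["id"].startswith(o["type"] + "--"):
            problems.append(f"malformed id: {o.get('id')}")
        if o.get("spec_version") != "2.1":
            problems.append(f"missing or unsupported spec_version on {o.get('id')}")
        for key, value in o.items():
            if key.endswith("_ref") and value not in ids:
                problems.append(f"dangling {key} in {o['id']}")
    return problems

def to_json(bundle):
    """Serialize for publication to a TAXII collection or for hand inspection."""
    return json.dumps(bundle, indent=2)
```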