Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,155 @@
---
name: None
description: The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining four core features: Adversary, Capability, Infrastructure, and Victim. This skill co
domain: cybersecurity
subdomain: threat-intelligence
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, diamond-model, intrusion-analysis]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing Diamond Model Analysis
## Overview
The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining four core features: Adversary, Capability, Infrastructure, and Victim. This skill covers implementing the Diamond Model programmatically to classify and correlate intrusion events, build activity threads linking related events, create activity-attack graphs, and generate pivot-ready intelligence from intrusion data.
## Prerequisites
- Python 3.9+ with `networkx`, `stix2`, `graphviz` libraries
- Understanding of the Diamond Model core and meta-features
- Access to threat intelligence data (MISP/OpenCTI events)
- Familiarity with MITRE ATT&CK for capability mapping
## Key Concepts
### Diamond Model Core Features
- **Adversary**: The threat actor or operator conducting the intrusion
- **Capability**: The tools, techniques, and malware used (maps to ATT&CK)
- **Infrastructure**: C2 servers, domains, email addresses, hosting providers
- **Victim**: Target organization, system, person, or data asset
### Meta-Features
- **Timestamp**: When the event occurred
- **Phase**: Kill chain stage (recon, delivery, exploitation, etc.)
- **Result**: Success, failure, or unknown
- **Direction**: Adversary-to-infrastructure, infrastructure-to-victim, etc.
- **Methodology**: Social engineering, technical exploit, insider threat
- **Resources**: Financial, human, technical resources required
### Activity Threads and Groups
- **Activity Thread**: Sequence of Diamond events from a single adversary operation
- **Activity Group**: Cluster of threads attributed to the same adversary
## Practical Steps
### Step 1: Define Diamond Event Data Structure
```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
import json
import uuid
@dataclass
class DiamondEvent:
adversary: str = ""
capability: str = ""
infrastructure: str = ""
victim: str = ""
timestamp: str = ""
phase: str = ""
result: str = ""
direction: str = ""
methodology: str = ""
confidence: int = 0
notes: str = ""
event_id: str = field(default_factory=lambda: str(uuid.uuid4())[:8])
mitre_techniques: list = field(default_factory=list)
iocs: list = field(default_factory=list)
def to_dict(self):
return {
"event_id": self.event_id,
"adversary": self.adversary,
"capability": self.capability,
"infrastructure": self.infrastructure,
"victim": self.victim,
"timestamp": self.timestamp,
"phase": self.phase,
"result": self.result,
"direction": self.direction,
"methodology": self.methodology,
"confidence": self.confidence,
"mitre_techniques": self.mitre_techniques,
"iocs": self.iocs,
"notes": self.notes,
}
```
### Step 2: Build Activity Thread from Events
```python
import networkx as nx
class DiamondAnalysis:
def __init__(self):
self.events = []
self.graph = nx.DiGraph()
def add_event(self, event: DiamondEvent):
self.events.append(event)
self.graph.add_node(event.event_id, **event.to_dict())
def build_activity_thread(self):
"""Link events chronologically into activity threads."""
sorted_events = sorted(self.events, key=lambda e: e.timestamp)
for i in range(len(sorted_events) - 1):
self.graph.add_edge(
sorted_events[i].event_id,
sorted_events[i + 1].event_id,
relationship="followed_by",
)
def find_pivots(self):
"""Find pivot points where events share infrastructure or capabilities."""
pivots = {"infrastructure": {}, "capability": {}, "adversary": {}}
for event in self.events:
if event.infrastructure:
pivots["infrastructure"].setdefault(event.infrastructure, []).append(event.event_id)
if event.capability:
pivots["capability"].setdefault(event.capability, []).append(event.event_id)
if event.adversary:
pivots["adversary"].setdefault(event.adversary, []).append(event.event_id)
return {
k: {pk: pv for pk, pv in v.items() if len(pv) > 1}
for k, v in pivots.items()
}
def generate_report(self):
return {
"total_events": len(self.events),
"unique_adversaries": len(set(e.adversary for e in self.events if e.adversary)),
"unique_victims": len(set(e.victim for e in self.events if e.victim)),
"unique_infrastructure": len(set(e.infrastructure for e in self.events if e.infrastructure)),
"pivots": self.find_pivots(),
"events": [e.to_dict() for e in self.events],
}
```
## Validation Criteria
- Diamond events capture all four core features with meta-features
- Activity threads link related events chronologically
- Pivot analysis identifies shared infrastructure and capabilities across events
- Graph visualization renders the activity-attack graph correctly
- Events map to MITRE ATT&CK techniques for capability classification
## References
- [Diamond Model Paper](https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf)
- [MITRE ATT&CK](https://attack.mitre.org/)
- [STIX 2.1 Campaign Object](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html)
@@ -0,0 +1,39 @@
# Diamond Model Analysis Report Template
## Report Metadata
| Field | Value |
|-------|-------|
| Report ID | CTI-YYYY-NNNN |
| Date | YYYY-MM-DD |
| Classification | TLP:AMBER |
| Analyst | [Name] |
| Confidence | High/Moderate/Low |
## Executive Summary
[Brief overview of key findings and their significance]
## Key Findings
1. [Finding 1 with supporting evidence]
2. [Finding 2 with supporting evidence]
3. [Finding 3 with supporting evidence]
## Detailed Analysis
### Finding 1
- **Evidence**: [Description of evidence]
- **Confidence**: High/Moderate/Low
- **MITRE ATT&CK**: [Relevant technique IDs]
- **Impact Assessment**: [Potential impact to organization]
## Indicators of Compromise
| Type | Value | Context | Confidence |
|------|-------|---------|-----------|
| | | | |
## Recommendations
1. **Immediate**: [Actions requiring immediate attention]
2. **Short-term**: [Actions within 1-2 weeks]
3. **Long-term**: [Strategic improvements]
## References
- [Source 1]
- [Source 2]
@@ -0,0 +1,24 @@
# Standards and Frameworks Reference
## Applicable Standards
- **STIX 2.1**: Structured Threat Information eXpression for CTI data representation
- **TAXII 2.1**: Transport protocol for sharing CTI over HTTPS
- **MITRE ATT&CK**: Adversary tactics, techniques, and procedures taxonomy
- **Diamond Model**: Intrusion analysis framework (Adversary, Capability, Infrastructure, Victim)
- **Traffic Light Protocol (TLP)**: Information sharing classification (CLEAR, GREEN, AMBER, RED)
## MITRE ATT&CK Relevance
- Technique mapping for threat actor behavior classification
- Data sources for detection capability assessment
- Mitigation strategies linked to specific techniques
## Industry Frameworks
- NIST Cybersecurity Framework (CSF) 2.0 - Identify function
- ISO 27001:2022 - A.5.7 Threat Intelligence
- FIRST Standards - TLP, CSIRT, vulnerability coordination
## References
- [STIX 2.1 Specification](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html)
- [MITRE ATT&CK](https://attack.mitre.org/)
- [Diamond Model Paper](https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf)
- [NIST CSF 2.0](https://www.nist.gov/cyberframework)
@@ -0,0 +1,31 @@
# Diamond Model Analysis Workflows
## Workflow 1: Collection and Analysis
```
[Intelligence Sources] --> [Data Collection] --> [Analysis] --> [Reporting]
| | | |
v v v v
OSINT/HUMINT/SIGINT Normalize/Enrich Assess/Correlate Disseminate
```
### Steps:
1. **Planning**: Define intelligence requirements and collection priorities
2. **Collection**: Gather data from relevant sources
3. **Processing**: Normalize data formats and filter noise
4. **Analysis**: Apply analytical frameworks and correlate findings
5. **Production**: Generate intelligence products and reports
6. **Dissemination**: Share with stakeholders via appropriate channels
7. **Feedback**: Collect consumer feedback to refine future collection
## Workflow 2: Continuous Monitoring
```
[Watchlist] --> [Automated Monitoring] --> [Change Detection] --> [Alert/Update]
```
### Steps:
1. **Define Watchlist**: Identify indicators, actors, and topics to monitor
2. **Configure Monitoring**: Set up automated collection from relevant sources
3. **Change Detection**: Identify new or changed intelligence
4. **Assessment**: Evaluate significance of changes
5. **Alerting**: Notify stakeholders of significant intelligence updates
6. **Archive**: Store intelligence for historical analysis and trending
@@ -0,0 +1,125 @@
#!/usr/bin/env python3
"""
Diamond Model of Intrusion Analysis Implementation
Creates Diamond Model events, builds activity threads, and performs pivot analysis.
Requirements: pip install networkx stix2
Usage:
python process.py --events events.json --output analysis.json
python process.py --demo --output demo_analysis.json
"""
import argparse
import json
import uuid
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class DiamondEvent:
adversary: str = ""
capability: str = ""
infrastructure: str = ""
victim: str = ""
timestamp: str = ""
phase: str = ""
result: str = "success"
confidence: int = 0
mitre_techniques: list = field(default_factory=list)
iocs: list = field(default_factory=list)
event_id: str = field(default_factory=lambda: str(uuid.uuid4())[:8])
def to_dict(self):
return vars(self)
class DiamondModelAnalyzer:
def __init__(self):
self.events = []
def add_event(self, event: DiamondEvent):
self.events.append(event)
def load_events(self, filepath):
with open(filepath) as f:
data = json.load(f)
for e in data:
self.events.append(DiamondEvent(**e))
def find_pivots(self):
pivots = {"infrastructure": defaultdict(list), "capability": defaultdict(list),
"adversary": defaultdict(list), "victim": defaultdict(list)}
for e in self.events:
for feature in pivots:
val = getattr(e, feature, "")
if val:
pivots[feature][val].append(e.event_id)
return {k: {pk: pv for pk, pv in v.items() if len(pv) > 1} for k, v in pivots.items()}
def build_activity_threads(self):
threads = defaultdict(list)
for e in sorted(self.events, key=lambda x: x.timestamp):
key = e.adversary or "unknown"
threads[key].append(e.to_dict())
return dict(threads)
def generate_report(self):
return {
"total_events": len(self.events),
"unique_adversaries": len(set(e.adversary for e in self.events if e.adversary)),
"unique_victims": len(set(e.victim for e in self.events if e.victim)),
"unique_infrastructure": len(set(e.infrastructure for e in self.events if e.infrastructure)),
"pivots": self.find_pivots(),
"activity_threads": self.build_activity_threads(),
"events": [e.to_dict() for e in self.events],
}
def run_demo():
analyzer = DiamondModelAnalyzer()
analyzer.add_event(DiamondEvent(
adversary="APT29", capability="Cobalt Strike", infrastructure="198.51.100.1",
victim="Gov Agency A", timestamp="2025-06-01T10:00:00Z", phase="initial-access",
mitre_techniques=["T1566.001"], confidence=80,
))
analyzer.add_event(DiamondEvent(
adversary="APT29", capability="Custom Backdoor", infrastructure="198.51.100.1",
victim="Gov Agency A", timestamp="2025-06-01T12:00:00Z", phase="persistence",
mitre_techniques=["T1547.001"], confidence=85,
))
analyzer.add_event(DiamondEvent(
adversary="APT29", capability="Mimikatz", infrastructure="198.51.100.2",
victim="Gov Agency A", timestamp="2025-06-02T09:00:00Z", phase="credential-access",
mitre_techniques=["T1003.001"], confidence=90,
))
return analyzer.generate_report()
def main():
parser = argparse.ArgumentParser(description="Diamond Model Analyzer")
parser.add_argument("--events", help="Events JSON file")
parser.add_argument("--demo", action="store_true", help="Run demo analysis")
parser.add_argument("--output", default="diamond_analysis.json")
args = parser.parse_args()
if args.demo:
report = run_demo()
elif args.events:
analyzer = DiamondModelAnalyzer()
analyzer.load_events(args.events)
report = analyzer.generate_report()
else:
parser.print_help()
return
print(json.dumps(report, indent=2))
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
if __name__ == "__main__":
main()