mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-11 10:03:42 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,155 @@
|
||||
---
|
||||
name: None
|
||||
description: The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining four core features: Adversary, Capability, Infrastructure, and Victim. This skill co
|
||||
domain: cybersecurity
|
||||
subdomain: threat-intelligence
|
||||
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, diamond-model, intrusion-analysis]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: MIT
|
||||
---
|
||||
# Implementing Diamond Model Analysis
|
||||
|
||||
## Overview
|
||||
|
||||
The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining four core features: Adversary, Capability, Infrastructure, and Victim. This skill covers implementing the Diamond Model programmatically to classify and correlate intrusion events, build activity threads linking related events, create activity-attack graphs, and generate pivot-ready intelligence from intrusion data.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `networkx`, `stix2`, `graphviz` libraries
|
||||
- Understanding of the Diamond Model core and meta-features
|
||||
- Access to threat intelligence data (MISP/OpenCTI events)
|
||||
- Familiarity with MITRE ATT&CK for capability mapping
|
||||
|
||||
## Key Concepts
|
||||
|
||||
### Diamond Model Core Features
|
||||
- **Adversary**: The threat actor or operator conducting the intrusion
|
||||
- **Capability**: The tools, techniques, and malware used (maps to ATT&CK)
|
||||
- **Infrastructure**: C2 servers, domains, email addresses, hosting providers
|
||||
- **Victim**: Target organization, system, person, or data asset
|
||||
|
||||
### Meta-Features
|
||||
- **Timestamp**: When the event occurred
|
||||
- **Phase**: Kill chain stage (recon, delivery, exploitation, etc.)
|
||||
- **Result**: Success, failure, or unknown
|
||||
- **Direction**: Adversary-to-infrastructure, infrastructure-to-victim, etc.
|
||||
- **Methodology**: Social engineering, technical exploit, insider threat
|
||||
- **Resources**: Financial, human, technical resources required
|
||||
|
||||
### Activity Threads and Groups
|
||||
- **Activity Thread**: Sequence of Diamond events from a single adversary operation
|
||||
- **Activity Group**: Cluster of threads attributed to the same adversary
|
||||
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: Define Diamond Event Data Structure
|
||||
|
||||
```python
|
||||
from dataclasses import dataclass, field
|
||||
from datetime import datetime
|
||||
from typing import Optional
|
||||
import json
|
||||
import uuid
|
||||
|
||||
@dataclass
|
||||
class DiamondEvent:
|
||||
adversary: str = ""
|
||||
capability: str = ""
|
||||
infrastructure: str = ""
|
||||
victim: str = ""
|
||||
timestamp: str = ""
|
||||
phase: str = ""
|
||||
result: str = ""
|
||||
direction: str = ""
|
||||
methodology: str = ""
|
||||
confidence: int = 0
|
||||
notes: str = ""
|
||||
event_id: str = field(default_factory=lambda: str(uuid.uuid4())[:8])
|
||||
mitre_techniques: list = field(default_factory=list)
|
||||
iocs: list = field(default_factory=list)
|
||||
|
||||
def to_dict(self):
|
||||
return {
|
||||
"event_id": self.event_id,
|
||||
"adversary": self.adversary,
|
||||
"capability": self.capability,
|
||||
"infrastructure": self.infrastructure,
|
||||
"victim": self.victim,
|
||||
"timestamp": self.timestamp,
|
||||
"phase": self.phase,
|
||||
"result": self.result,
|
||||
"direction": self.direction,
|
||||
"methodology": self.methodology,
|
||||
"confidence": self.confidence,
|
||||
"mitre_techniques": self.mitre_techniques,
|
||||
"iocs": self.iocs,
|
||||
"notes": self.notes,
|
||||
}
|
||||
```
|
||||
|
||||
### Step 2: Build Activity Thread from Events
|
||||
|
||||
```python
|
||||
import networkx as nx
|
||||
|
||||
class DiamondAnalysis:
|
||||
def __init__(self):
|
||||
self.events = []
|
||||
self.graph = nx.DiGraph()
|
||||
|
||||
def add_event(self, event: DiamondEvent):
|
||||
self.events.append(event)
|
||||
self.graph.add_node(event.event_id, **event.to_dict())
|
||||
|
||||
def build_activity_thread(self):
|
||||
"""Link events chronologically into activity threads."""
|
||||
sorted_events = sorted(self.events, key=lambda e: e.timestamp)
|
||||
for i in range(len(sorted_events) - 1):
|
||||
self.graph.add_edge(
|
||||
sorted_events[i].event_id,
|
||||
sorted_events[i + 1].event_id,
|
||||
relationship="followed_by",
|
||||
)
|
||||
|
||||
def find_pivots(self):
|
||||
"""Find pivot points where events share infrastructure or capabilities."""
|
||||
pivots = {"infrastructure": {}, "capability": {}, "adversary": {}}
|
||||
|
||||
for event in self.events:
|
||||
if event.infrastructure:
|
||||
pivots["infrastructure"].setdefault(event.infrastructure, []).append(event.event_id)
|
||||
if event.capability:
|
||||
pivots["capability"].setdefault(event.capability, []).append(event.event_id)
|
||||
if event.adversary:
|
||||
pivots["adversary"].setdefault(event.adversary, []).append(event.event_id)
|
||||
|
||||
return {
|
||||
k: {pk: pv for pk, pv in v.items() if len(pv) > 1}
|
||||
for k, v in pivots.items()
|
||||
}
|
||||
|
||||
def generate_report(self):
|
||||
return {
|
||||
"total_events": len(self.events),
|
||||
"unique_adversaries": len(set(e.adversary for e in self.events if e.adversary)),
|
||||
"unique_victims": len(set(e.victim for e in self.events if e.victim)),
|
||||
"unique_infrastructure": len(set(e.infrastructure for e in self.events if e.infrastructure)),
|
||||
"pivots": self.find_pivots(),
|
||||
"events": [e.to_dict() for e in self.events],
|
||||
}
|
||||
```
|
||||
|
||||
## Validation Criteria
|
||||
|
||||
- Diamond events capture all four core features with meta-features
|
||||
- Activity threads link related events chronologically
|
||||
- Pivot analysis identifies shared infrastructure and capabilities across events
|
||||
- Graph visualization renders the activity-attack graph correctly
|
||||
- Events map to MITRE ATT&CK techniques for capability classification
|
||||
|
||||
## References
|
||||
|
||||
- [Diamond Model Paper](https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf)
|
||||
- [MITRE ATT&CK](https://attack.mitre.org/)
|
||||
- [STIX 2.1 Campaign Object](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html)
|
||||
@@ -0,0 +1,39 @@
|
||||
# Diamond Model Analysis Report Template
|
||||
|
||||
## Report Metadata
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| Report ID | CTI-YYYY-NNNN |
|
||||
| Date | YYYY-MM-DD |
|
||||
| Classification | TLP:AMBER |
|
||||
| Analyst | [Name] |
|
||||
| Confidence | High/Moderate/Low |
|
||||
|
||||
## Executive Summary
|
||||
[Brief overview of key findings and their significance]
|
||||
|
||||
## Key Findings
|
||||
1. [Finding 1 with supporting evidence]
|
||||
2. [Finding 2 with supporting evidence]
|
||||
3. [Finding 3 with supporting evidence]
|
||||
|
||||
## Detailed Analysis
|
||||
### Finding 1
|
||||
- **Evidence**: [Description of evidence]
|
||||
- **Confidence**: High/Moderate/Low
|
||||
- **MITRE ATT&CK**: [Relevant technique IDs]
|
||||
- **Impact Assessment**: [Potential impact to organization]
|
||||
|
||||
## Indicators of Compromise
|
||||
| Type | Value | Context | Confidence |
|
||||
|------|-------|---------|-----------|
|
||||
| | | | |
|
||||
|
||||
## Recommendations
|
||||
1. **Immediate**: [Actions requiring immediate attention]
|
||||
2. **Short-term**: [Actions within 1-2 weeks]
|
||||
3. **Long-term**: [Strategic improvements]
|
||||
|
||||
## References
|
||||
- [Source 1]
|
||||
- [Source 2]
|
||||
@@ -0,0 +1,24 @@
|
||||
# Standards and Frameworks Reference
|
||||
|
||||
## Applicable Standards
|
||||
- **STIX 2.1**: Structured Threat Information eXpression for CTI data representation
|
||||
- **TAXII 2.1**: Transport protocol for sharing CTI over HTTPS
|
||||
- **MITRE ATT&CK**: Adversary tactics, techniques, and procedures taxonomy
|
||||
- **Diamond Model**: Intrusion analysis framework (Adversary, Capability, Infrastructure, Victim)
|
||||
- **Traffic Light Protocol (TLP)**: Information sharing classification (CLEAR, GREEN, AMBER, RED)
|
||||
|
||||
## MITRE ATT&CK Relevance
|
||||
- Technique mapping for threat actor behavior classification
|
||||
- Data sources for detection capability assessment
|
||||
- Mitigation strategies linked to specific techniques
|
||||
|
||||
## Industry Frameworks
|
||||
- NIST Cybersecurity Framework (CSF) 2.0 - Identify function
|
||||
- ISO 27001:2022 - A.5.7 Threat Intelligence
|
||||
- FIRST Standards - TLP, CSIRT, vulnerability coordination
|
||||
|
||||
## References
|
||||
- [STIX 2.1 Specification](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html)
|
||||
- [MITRE ATT&CK](https://attack.mitre.org/)
|
||||
- [Diamond Model Paper](https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf)
|
||||
- [NIST CSF 2.0](https://www.nist.gov/cyberframework)
|
||||
@@ -0,0 +1,31 @@
|
||||
# Diamond Model Analysis Workflows
|
||||
|
||||
## Workflow 1: Collection and Analysis
|
||||
```
|
||||
[Intelligence Sources] --> [Data Collection] --> [Analysis] --> [Reporting]
|
||||
| | | |
|
||||
v v v v
|
||||
OSINT/HUMINT/SIGINT Normalize/Enrich Assess/Correlate Disseminate
|
||||
```
|
||||
|
||||
### Steps:
|
||||
1. **Planning**: Define intelligence requirements and collection priorities
|
||||
2. **Collection**: Gather data from relevant sources
|
||||
3. **Processing**: Normalize data formats and filter noise
|
||||
4. **Analysis**: Apply analytical frameworks and correlate findings
|
||||
5. **Production**: Generate intelligence products and reports
|
||||
6. **Dissemination**: Share with stakeholders via appropriate channels
|
||||
7. **Feedback**: Collect consumer feedback to refine future collection
|
||||
|
||||
## Workflow 2: Continuous Monitoring
|
||||
```
|
||||
[Watchlist] --> [Automated Monitoring] --> [Change Detection] --> [Alert/Update]
|
||||
```
|
||||
|
||||
### Steps:
|
||||
1. **Define Watchlist**: Identify indicators, actors, and topics to monitor
|
||||
2. **Configure Monitoring**: Set up automated collection from relevant sources
|
||||
3. **Change Detection**: Identify new or changed intelligence
|
||||
4. **Assessment**: Evaluate significance of changes
|
||||
5. **Alerting**: Notify stakeholders of significant intelligence updates
|
||||
6. **Archive**: Store intelligence for historical analysis and trending
|
||||
@@ -0,0 +1,125 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
Diamond Model of Intrusion Analysis Implementation
|
||||
|
||||
Creates Diamond Model events, builds activity threads, and performs pivot analysis.
|
||||
|
||||
Requirements: pip install networkx stix2
|
||||
|
||||
Usage:
|
||||
python process.py --events events.json --output analysis.json
|
||||
python process.py --demo --output demo_analysis.json
|
||||
"""
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import uuid
|
||||
from collections import defaultdict
|
||||
from dataclasses import dataclass, field
|
||||
from typing import Optional
|
||||
|
||||
|
||||
@dataclass
|
||||
class DiamondEvent:
|
||||
adversary: str = ""
|
||||
capability: str = ""
|
||||
infrastructure: str = ""
|
||||
victim: str = ""
|
||||
timestamp: str = ""
|
||||
phase: str = ""
|
||||
result: str = "success"
|
||||
confidence: int = 0
|
||||
mitre_techniques: list = field(default_factory=list)
|
||||
iocs: list = field(default_factory=list)
|
||||
event_id: str = field(default_factory=lambda: str(uuid.uuid4())[:8])
|
||||
|
||||
def to_dict(self):
|
||||
return vars(self)
|
||||
|
||||
|
||||
class DiamondModelAnalyzer:
|
||||
def __init__(self):
|
||||
self.events = []
|
||||
|
||||
def add_event(self, event: DiamondEvent):
|
||||
self.events.append(event)
|
||||
|
||||
def load_events(self, filepath):
|
||||
with open(filepath) as f:
|
||||
data = json.load(f)
|
||||
for e in data:
|
||||
self.events.append(DiamondEvent(**e))
|
||||
|
||||
def find_pivots(self):
|
||||
pivots = {"infrastructure": defaultdict(list), "capability": defaultdict(list),
|
||||
"adversary": defaultdict(list), "victim": defaultdict(list)}
|
||||
for e in self.events:
|
||||
for feature in pivots:
|
||||
val = getattr(e, feature, "")
|
||||
if val:
|
||||
pivots[feature][val].append(e.event_id)
|
||||
return {k: {pk: pv for pk, pv in v.items() if len(pv) > 1} for k, v in pivots.items()}
|
||||
|
||||
def build_activity_threads(self):
|
||||
threads = defaultdict(list)
|
||||
for e in sorted(self.events, key=lambda x: x.timestamp):
|
||||
key = e.adversary or "unknown"
|
||||
threads[key].append(e.to_dict())
|
||||
return dict(threads)
|
||||
|
||||
def generate_report(self):
|
||||
return {
|
||||
"total_events": len(self.events),
|
||||
"unique_adversaries": len(set(e.adversary for e in self.events if e.adversary)),
|
||||
"unique_victims": len(set(e.victim for e in self.events if e.victim)),
|
||||
"unique_infrastructure": len(set(e.infrastructure for e in self.events if e.infrastructure)),
|
||||
"pivots": self.find_pivots(),
|
||||
"activity_threads": self.build_activity_threads(),
|
||||
"events": [e.to_dict() for e in self.events],
|
||||
}
|
||||
|
||||
|
||||
def run_demo():
|
||||
analyzer = DiamondModelAnalyzer()
|
||||
analyzer.add_event(DiamondEvent(
|
||||
adversary="APT29", capability="Cobalt Strike", infrastructure="198.51.100.1",
|
||||
victim="Gov Agency A", timestamp="2025-06-01T10:00:00Z", phase="initial-access",
|
||||
mitre_techniques=["T1566.001"], confidence=80,
|
||||
))
|
||||
analyzer.add_event(DiamondEvent(
|
||||
adversary="APT29", capability="Custom Backdoor", infrastructure="198.51.100.1",
|
||||
victim="Gov Agency A", timestamp="2025-06-01T12:00:00Z", phase="persistence",
|
||||
mitre_techniques=["T1547.001"], confidence=85,
|
||||
))
|
||||
analyzer.add_event(DiamondEvent(
|
||||
adversary="APT29", capability="Mimikatz", infrastructure="198.51.100.2",
|
||||
victim="Gov Agency A", timestamp="2025-06-02T09:00:00Z", phase="credential-access",
|
||||
mitre_techniques=["T1003.001"], confidence=90,
|
||||
))
|
||||
return analyzer.generate_report()
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="Diamond Model Analyzer")
|
||||
parser.add_argument("--events", help="Events JSON file")
|
||||
parser.add_argument("--demo", action="store_true", help="Run demo analysis")
|
||||
parser.add_argument("--output", default="diamond_analysis.json")
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.demo:
|
||||
report = run_demo()
|
||||
elif args.events:
|
||||
analyzer = DiamondModelAnalyzer()
|
||||
analyzer.load_events(args.events)
|
||||
report = analyzer.generate_report()
|
||||
else:
|
||||
parser.print_help()
|
||||
return
|
||||
|
||||
print(json.dumps(report, indent=2))
|
||||
with open(args.output, "w") as f:
|
||||
json.dump(report, f, indent=2)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user