Diamond model

The diamond model of intrusion analysis is a methodology for describing an intrusion event in terms of its core features and the relationships between them. The diamond is composed of four vertices: Adversary, Infrastructure, Capability, and Victim.

The model is used to work out how these four features relate to one another in a given event.

For example, take a simple malware attack. The Adversary uses a custom piece of malware; their ability to develop it is their Capability. The Adversary then delivers that capability through a compromised web server, which is their Infrastructure. The capability reaches the Victim by exploiting the victim's susceptibility to social engineering, which completes the diamond.

This simple example highlights only a small sliver of how the diamond model can be used to categorize attacks, so a deeper exploration of the original diamond model paper is recommended; it can be downloaded at http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf. By adopting this model, an organization can better understand the threats it faces and how those threats interact during an attack against its infrastructure. From there, it can align its threat intelligence requirements to its own challenges.

One key reference for determining threat intelligence requirements is the MITRE ATT&CK wiki located at https://attack.mitre.org/wiki/Main_Page. Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK) is an extensive, curated collection of the tactics and techniques adversaries use. The tactics span the stages of an intrusion, broadly paralleling the phases of the kill chain, and each technique has an in-depth entry describing it.

ATT&CK also includes detailed information about the APT groups that have been identified by information security and incident response research organizations. Entries in ATT&CK are thoroughly documented and footnoted, so an analyst can read a digest or follow the references to the full reports.

The value of the ATT&CK wiki is that it gives analysts detailed information about threat groups and their tactics and techniques. This can, in turn, inform the other models, such as the cyber kill chain and the diamond model, so that an organization fully understands the threats it faces and can align its threat intelligence requirements to that need.
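The following is an added example, not code from the book or from the diamond model paper, that ties the two preceding discussions together: each intrusion event is recorded as the four diamond vertices, events are linked into activity threads by the infrastructure and capability they share (the "pivoting" the model encourages), a known adversary is propagated across a thread, and the ATT&CK technique IDs carried on the Capability vertex are summarized per adversary as input to the threat intelligence requirements. All events, indicator values and the group names "Group Alpha" and "Group Bravo" are constructed for illustration (the IPs are from the reserved documentation ranges and the domains use reserved example TLDs); the technique IDs T1566.001, T1204.002 and T1190 are real ATT&CK identifiers, but their assignment to these fictitious events is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Added example (not from the book or the diamond model paper). Every event,
# indicator and group name below is constructed for illustration.

ATTACK_TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1566 or T1566.001


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event expressed as the four Diamond Model vertices."""
    event_id: str
    adversary: Optional[str]          # None while attribution is still unknown
    infrastructure: FrozenSet[str]    # C2 hosts, staging servers, sender domains
    capability: FrozenSet[str]        # malware families and ATT&CK technique IDs
    victim: str


# Constructed sample events (hypothetical groups, reserved documentation IPs/domains).
EVENTS: List[DiamondEvent] = [
    DiamondEvent("ev1", "Group Alpha",
                 frozenset({"cdn-update.example", "198.51.100.7"}),
                 frozenset({"LoaderX (custom)", "T1566.001"}),   # spearphishing attachment
                 "finance-org-a"),
    DiamondEvent("ev2", None,
                 frozenset({"198.51.100.7"}),
                 frozenset({"T1204.002"}),                       # user executes malicious file
                 "law-firm-b"),
    DiamondEvent("ev3", None,
                 frozenset({"mail-relay.example.net"}),
                 frozenset({"LoaderX (custom)"}),
                 "energy-co-c"),
    DiamondEvent("ev4", "Group Bravo",
                 frozenset({"203.0.113.9"}),
                 frozenset({"T1190"}),                           # exploit public-facing app
                 "retailer-d"),
]


def pivot(events, vertex, value):
    """Analytic pivoting: the IDs of every event sharing `value` on the named vertex."""
    hits = []
    for e in events:
        attr = getattr(e, vertex)
        if attr == value or (isinstance(attr, frozenset) and value in attr):
            hits.append(e.event_id)
    return hits


def activity_threads(events):
    """Link events into threads when they share any infrastructure or capability
    element (union-find). Returns a sorted list of sorted event-ID lists."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen: Dict[tuple, str] = {}      # (vertex, indicator) -> first event carrying it
    for e in events:
        keys = [("infra", i) for i in e.infrastructure] + [("cap", c) for c in e.capability]
        for key in keys:
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])   # union
            else:
                first_seen[key] = e.event_id

    threads: Dict[str, List[str]] = {}
    for e in events:
        threads.setdefault(find(e.event_id), []).append(e.event_id)
    return sorted(sorted(t) for t in threads.values())


def attribute(events):
    """Propagate a known adversary across each thread. A thread that already
    carries two different adversaries is a conflict and is left as recorded."""
    by_id = {e.event_id: e for e in events}
    result: Dict[str, Optional[str]] = {}
    for thread in activity_threads(events):
        known = {by_id[i].adversary for i in thread if by_id[i].adversary}
        label = next(iter(known)) if len(known) == 1 else None
        for i in thread:
            result[i] = by_id[i].adversary or label
    return result


def techniques_by_adversary(events):
    """ATT&CK technique IDs observed per attributed adversary: the starting
    point for prioritising detections and intelligence requirements."""
    attribution = attribute(events)
    out: Dict[str, set] = {}
    for e in events:
        adv = attribution[e.event_id]
        if adv is None:
            continue   # unattributed events do not inform a group profile
        out.setdefault(adv, set()).update(c for c in e.capability if ATTACK_TECHNIQUE_ID.match(c))
    return {adv: sorted(ids) for adv, ids in out.items()}


if __name__ == "__main__":
    print(pivot(EVENTS, "infrastructure", "198.51.100.7"))
    print(activity_threads(EVENTS))
    print(attribute(EVENTS))
    print(techniques_by_adversary(EVENTS))
```

The linking rule here is deliberately loose (any shared indicator joins two events), which is how a quick pivot works during triage; in practice an analyst would weight infrastructure that is widely shared (a public CDN, a commodity mailer) far lower than a custom loader before treating two events as the same adversary's activity thread.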
