Describing Security Event Analysis: Diamond Model for Intrusion Analysis

Critical thinking skills are a core requirement for a security analyst. The security analyst must be able to link together logs, events, and other meta-data by identifying patterns across a massive amount of gathered data. The diamond model, developed by Caltagirone, Pendergast, and Betz is a method for helping the security analysts derive order from the chaos.

The basic intent of the diamond model is to create a systematic, repeatable way to analyze events so that threats can be organized, tracked, sorted, and countered. In summary, the diamond model is a framework by which an SOC team can organize and verify advanced persistent threats and then use that knowledge to thwart malicious adversaries.

The four nodes of the diamond model are as follows:

  • Adversary: The threat actor or organization responsible for utilizing a capability against the victim to achieve their intent. The knowledge about the adversary is generally elusive, and this node is likely to be empty for most events, at least at the time of discovery.
  • Capability: The tools and/or techniques of the adversary that are used in the event.
  • Infrastructure: The physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities (for example, command and control, or CnC), and affect results from the victim (for example, exfiltrate data).
  • Victim: The adversary’s target against whom vulnerabilities and exposures are exploited and capabilities are used.
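The four nodes above become useful once an analyst records each event as one diamond and pivots between events on shared node values. The following is an added example, not code from the original article, that models events this way: each event carries the four nodes (with the adversary usually unknown at discovery), events are linked into activity groups when they share a capability, infrastructure, or adversary value, and a known adversary on one event in a group is proposed as a hypothesis for the others. The event identifiers, victim host names, capability labels, infrastructure values (RFC 5737 documentation addresses and a `.test` domain) and the "GROUP-A" adversary label are all constructed for illustration.

```python
"""Diamond Model events with pivoting and activity-group linking (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event expressed as the four diamond nodes."""
    event_id: str
    victim: str
    capability: str
    infrastructure: str
    adversary: Optional[str] = None  # usually unknown when the event is first recorded


# Constructed sample events; none of these values come from a real incident.
SAMPLE_EVENTS: List[DiamondEvent] = [
    DiamondEvent("E1", "finance-ws-12", "phishing-doc-macro", "mail.example-bad.test"),
    DiamondEvent("E2", "hr-ws-03", "phishing-doc-macro", "mail.example-bad.test"),
    DiamondEvent("E3", "finance-ws-12", "rat-beacon", "203.0.113.45"),
    DiamondEvent("E4", "dev-srv-01", "rat-beacon", "198.51.100.7", adversary="GROUP-A"),
    DiamondEvent("E5", "web-srv-02", "sqli-scan", "192.0.2.9"),
]

# Nodes that justify linking two events. Victim is deliberately excluded:
# two unrelated adversaries can hit the same host, so a shared victim is a
# pivot to explore, not evidence that the events belong to one activity group.
LINKING_NODES = ("capability", "infrastructure", "adversary")


def pivot(events: List[DiamondEvent], node: str, value: str) -> List[str]:
    """Return the ids of all events whose given node has the given value."""
    return [e.event_id for e in events if getattr(e, node) == value]


def activity_groups(events: List[DiamondEvent]) -> List[List[str]]:
    """Cluster events that share at least one linking-node value (union-find)."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index events by (node, value) so every shared value links its events.
    index: Dict[tuple, List[str]] = defaultdict(list)
    for e in events:
        for node in LINKING_NODES:
            value = getattr(e, node)
            if value is not None:
                index[(node, value)].append(e.event_id)
    for ids in index.values():
        for other in ids[1:]:
            union(ids[0], other)

    groups: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        groups[find(e.event_id)].append(e.event_id)
    return sorted(sorted(g) for g in groups.values())


def propose_attribution(events: List[DiamondEvent]) -> Dict[str, Optional[str]]:
    """For each event, keep its recorded adversary or, if another event in the
    same activity group names one, propose that adversary as a hypothesis.
    Groups naming more than one adversary are flagged as CONFLICT for review."""
    by_id = {e.event_id: e for e in events}
    proposed: Dict[str, Optional[str]] = {}
    for group in activity_groups(events):
        known = {by_id[i].adversary for i in group if by_id[i].adversary}
        if len(known) == 1:
            label: Optional[str] = next(iter(known))
        elif known:
            label = "CONFLICT"
        else:
            label = None
        for i in group:
            proposed[i] = by_id[i].adversary or label
    return proposed


if __name__ == "__main__":
    print("events using mail.example-bad.test:",
          pivot(SAMPLE_EVENTS, "infrastructure", "mail.example-bad.test"))
    print("activity groups:", activity_groups(SAMPLE_EVENTS))
    print("proposed attribution:", propose_attribution(SAMPLE_EVENTS))
```

In the sample data, E1 and E2 are linked by a shared capability and mail server, E3 is linked to E4 only through the `rat-beacon` capability, and E5 stays alone. The attribution step therefore proposes GROUP-A for E3 as a hypothesis to verify, while E1 and E2 keep an empty adversary node, matching the observation above that the adversary is usually unknown at discovery. Note that E1 and E3 share a victim but are not merged, because victim overlap alone does not establish that the two events belong to one adversary.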