Tryhackme - Diamond Model

Tryhackme – Diamond Model

In this walk through, we will be going through the Diamond Model room from Tryhackme. This room introduces you to the Diamond Model of Intrusion Analysis and how does it work in the real world to map out the relationship between the adversary, victim, infrastructure used and the capabilities of the attacker. So, let’s get started to understand it further.

Diamond Model

Task 1 – Introduction

Task 1 - Introduction

Task 2 – Adversary

Question 1 – What is the term for a person/group that has the intention to perform malicious actions against cyber resources?

Adversary Operator

Question 2 – What is the term of the person or a group that will receive the benefits from the cyberattacks?

Adversary Customer

Task 2 - Adversary

Task 3 – Victim

Question 1 – What is the term that applies to the Diamond Model for organizations or people that are being targeted?

Victim Personae

Task 3 - Victim

Task 4 – Capability

Question 1 – Provide the term for the set of tools or capabilities that belong to an adversary.

Adversary Arsenal

Task 4 - Capability

Task 5 – Infrastructure

Question 1 – To which type of infrastructure do malicious domains and compromised email accounts belong?

Type 2 Infrastructure

Question 2 – What type of infrastructure is most likely owned by an adversary?

Type 1 Infrastructure

Task 5 - Infrastructure

Task 6 – Event Meta Features

Question 1 – What meta-feature does the axiom “Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result” belong to?


Question 2 – You can label the event results as “success”, “failure”, and “unknown”. What meta-feature is this related to?


Question 3 – To what meta-feature is this phrase applicable “Every intrusion event requires one or more external resources to be satisfied prior to success”?


Task 6 - Event Meta Features

Task 7 – Social-Political Component

Task 7 - Social-Political Component

Task 8 – Technology Component

Task 8 - Technology Component

Task 9 – Practice Analysis

Question 1 – Complete all eight areas of the diamond. What is the flag that is displayed to you?

Diamond Model


  • Adversary


  • Timeline


  • Victim


  • Resources


  • Result


  • Capability


  • Methodology

Lockheed Martin's Cyber Kill Chain

  • Lockheed Martin’s Cyber Kill Chain

The flag


Task 9 - Practice Analysis

Task 10 – Conclusion

Task 10 - Conclusion

Also Read: Tryhackme – Cyborg

So this was the room on “Diamond Model” of Intrusion Analysis. We covers what it is and its different elements. Along with that, we also covers other event meta-features of the model. Further, we tested the theory we learned by solving a series of exercise questions. In short, we can define that the diamond model is one of the famous model of intrusion analysis which shows relationship between the adversary and the victim. Learn more about it on your own to get more familiar with it, for now i am taking your leave, but remember to “Keep Defending” the systems in my absence.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top