An open-source graphical packet capture utility tool
Wireshark
a technique that isolates untrusted data in a closed virtual environment to conduct tests and analyze the data for threats and vulnerabilities
Sandboxing
a framework to analyze an intrusion event (E) by exploring the relationships among four core features: adversary, capability, infrastructure, and victim
Diamond Model of Intrusion
Developed by the Institute for Security and Open Methodologies (ISECOM), this manual outlines every area of an organization that needs testing and goes into details about how to conduct the relevant tests
OSSTMM
A command line packet capture utility for Linux
tcpdump
open-source malware analysis tool that allows security researchers to analyze and detect advanced malware threats.
Cuckoo Sandbox
This element represents the individual or group responsible for the intrusion. Adversaries can include nation-states, criminal organizations, hacktivists, or malicious insiders
Adversary
A DNS record identifying hosts authorized to send mail for the domain
SPF / Sender Policy Framework
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
EDR
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
SOAR
The victim element represents the organization or individual the adversary has targeted, such as government agencies, businesses, or individuals. Victims vary in size, industry type, and defensive capabilities.
Victim
a cryptographic authentication mechanism for email that publishes its public key in DNS records and supplements SPF.
DKIM / DomainKeys Identified Mail
a look-up service that provides information about a domain name or IP address
whois
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses to a network intrusion.
This element describes the technical skills and aptitude of the adversary, such as their ability to craft advanced techniques to evade detection, exploit vulnerabilities, and persist on target systems
Capability
A framework for ensuring proper application of SPF and DKIM, utilizing a policy published as a DNS record
DMARC / Domain-based Message Authentication, Reporting, and Conformance
a widely used website where analysts look up and report IP addresses associated with suspicious or abusive traffic
AbuseIPDB
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
This element refers to the tools and resources used by the adversary to carry out the intrusion. Tools include malware, exploit kits, command and control servers, and other types of network infrastructure.
Infrastructure
malicious code embedded within the message body.
Malicious Payload