The Anatomy of a Cyber Attack: The Cyber Kill Chain and Diamond Model for Intrusion Analysis
December 15th, 2025
Cyber Kill Chain Analysis and the Diamond Model for Intrusion Analysis
Modern cybersecurity threats are rarely random. On the contrary, they are structured, iterative, and purpose-driven. To understand, detect, and defend against these threats, cybersecurity professionals rely on analytical frameworks. Two of the most influential are the Cyber Kill Chain and the Diamond Model for Intrusion Analysis.
While both aim to make intrusions understandable, they approach the task from different perspectives: one describes an attack as a sequence of phases, the other as a set of relationships between the parties and artifacts involved. This article explores each model, its strengths and limitations, and how the two can be combined for more effective intrusion analysis.
The Cyber Kill Chain
Developed by Lockheed Martin and described in the 2011 paper by Hutchins, Cloppert, and Amin, the Cyber Kill Chain outlines seven sequential "phases" of a cyberattack. Because each phase depends on the one before it, disrupting any single phase breaks the chain, which is what lets defenders decide where an attack can best be detected or stopped.
The seven phases:
Reconnaissance: Attackers gather information about the target (public records, employee names, exposed services, software versions) with the goal of finding a vulnerability to exploit.
Weaponization: Creation of a deliverable malicious payload, typically an exploit coupled with a backdoor or remote access trojan.
Delivery: Transmission of the weapon to the target (phishing email, USB drive, drive-by download).
Exploitation: The exploit triggers the vulnerability on the victim's system, whether a software flaw, an operating-system feature, or the user's own action.
Installation: Malware establishes persistence so that it survives reboots and continues to run.
Command and Control: The implant opens a channel to attacker-controlled infrastructure, giving the attacker remote control of the victim.
Actions on Objectives: The attacker pursues the actual goal, such as data exfiltration, lateral movement, sabotage, or ransomware deployment.
Strengths of Cyber Kill Chain Analysis
Easy to follow, understand, and communicate to non-specialists.
Excellent for defensive planning and control mapping: each phase can be paired with the detection, denial, disruption, or deception controls that apply to it.
Helps identify breakpoints to stop attacks early, since any phase the defender can interrupt prevents every phase after it.
Limitations of Cyber Kill Chain Analysis
Linear, and therefore less effective against non-linear or iterative attacks in which the adversary repeats phases or runs several chains in parallel.
Focuses more on how attacks happen than on who is behind them, so it offers little help with attribution or with correlating separate incidents.
Collapses everything after initial compromise into a single phase, so the lateral movement, privilege escalation, and repeated re-entry typical of advanced persistent threats (APTs) that adapt over time are poorly represented.
The Diamond Model for Intrusion Analysis
Developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, and published in 2013 as "The Diamond Model of Intrusion Analysis", the Diamond Model focuses on relationships rather than stages. It is particularly powerful for threat intelligence and attribution.
The Four Core Elements:
Adversary: Who is responsible? (Often "unknown" at the start of an investigation.)
Capability: What tools, techniques, or malware were used?
Infrastructure: What systems or services (domains, IP addresses, email senders, compromised hosts) supported the attack?
Victim: Who or what was targeted?
The four elements are the vertices of a diamond, and the edges carry the relationships: an adversary deploys a capability over infrastructure against a victim. Each observed event is also annotated with meta-features, among them a timestamp, the Kill Chain phase in which it occurred, its result, and the direction of the activity. These relationships allow analysts to pivot across data points (for example, from a command-and-control address to every other host that contacted it, or from a malware hash to every piece of infrastructure it has been seen with) and uncover patterns across multiple incidents.
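The following Python example shows the Kill Chain phases above and the Diamond Model vertices as one data structure, and demonstrates the pivoting this paragraph describes: starting from a single event, it follows shared capability and infrastructure to the other events of the same activity group, orders one victim's events into a Kill Chain "activity thread", and reports which phases the defender never observed. It is an added illustration written for this article, not code from the Diamond Model paper, from Lockheed Martin, or from any tool, and every indicator in it (hashes, hostnames, domains, IPs, sender addresses) is constructed sample data.

```python
"""Diamond Model events carrying a Kill Chain phase, plus the pivoting an
analyst does across them.

Added example for this article: not code from the Diamond Model paper, from
Lockheed Martin, or from any tool. Every indicator below (hashes, hosts,
domains, IPs, sender addresses) is constructed sample data.
"""
from dataclasses import dataclass
from typing import List

# The seven Lockheed Martin phases, in order.
KILL_CHAIN = (
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
)


@dataclass(frozen=True)
class Event:
    """One Diamond Model event: the four core vertices plus the meta-features
    an analyst usually records (timestamp, Kill Chain phase, result)."""
    event_id: str
    adversary: str        # often "unknown" early in an investigation
    capability: str       # malware family, tool, or file hash
    infrastructure: str   # sender address, domain, or IP the capability used
    victim: str           # host, account, or organisation targeted
    phase: str            # Kill Chain phase, validated below
    timestamp: str        # ISO 8601 (constructed)
    result: str = "success"

    def __post_init__(self) -> None:
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown Kill Chain phase: {self.phase!r}")


# Constructed sample events: one phishing intrusion that spreads to a second
# host (E5) and reappears on a third (E7), plus one unrelated adware install
# on the first host (E6) that shares no capability or infrastructure.
SAMPLE_EVENTS = [
    Event("E1", "unknown", "maldoc-sha256:aaa1", "invoice@mail.example.test", "ws-042", "Delivery", "2025-11-03T09:12:00Z"),
    Event("E2", "unknown", "maldoc-sha256:aaa1", "cdn-update.example.test", "ws-042", "Exploitation", "2025-11-03T09:13:10Z"),
    Event("E3", "unknown", "dropper-sha256:bbb2", "cdn-update.example.test", "ws-042", "Installation", "2025-11-03T09:13:40Z"),
    Event("E4", "unknown", "dropper-sha256:bbb2", "203.0.113.7", "ws-042", "Command and Control", "2025-11-03T09:15:00Z"),
    Event("E5", "unknown", "dropper-sha256:bbb2", "203.0.113.7", "srv-db-01", "Command and Control", "2025-11-04T22:41:00Z"),
    Event("E6", "unknown", "adware-sha256:ccc3", "198.51.100.9", "ws-042", "Installation", "2025-11-03T11:02:00Z"),
    Event("E7", "unknown", "maldoc-sha256:aaa1", "billing@mail.example.test", "ws-077", "Delivery", "2025-11-05T08:30:00Z"),
]


def pivot(events: List[Event], vertex: str, value: str) -> List[Event]:
    """All events sharing one vertex value: the basic analyst 'pivot'."""
    return [e for e in events if getattr(e, vertex) == value]


def activity_group(events: List[Event], seed_id: str) -> List[str]:
    """Event ids reachable from the seed through shared capability or
    infrastructure. Victim is deliberately not a pivot key (many unrelated
    actors hit the same host) and adversary is usually still unknown."""
    by_id = {e.event_id: e for e in events}
    seen = {seed_id}
    frontier = [by_id[seed_id]]
    while frontier:
        current = frontier.pop()
        for vertex in ("capability", "infrastructure"):
            for other in pivot(events, vertex, getattr(current, vertex)):
                if other.event_id not in seen:
                    seen.add(other.event_id)
                    frontier.append(other)
    return sorted(seen)


def activity_thread(events: List[Event], victim: str) -> List[str]:
    """One victim's events in Kill Chain order: the 'activity thread' that
    shows each point at which the intrusion could have been detected."""
    thread = [e for e in events if e.victim == victim]
    thread.sort(key=lambda e: (KILL_CHAIN.index(e.phase), e.timestamp))
    return [f"{e.phase}: {e.event_id}" for e in thread]


def unobserved_phases(events: List[Event], event_ids: List[str]) -> List[str]:
    """Kill Chain phases with no event in the group: the defender's
    visibility gaps, which are also where new controls would go."""
    observed = {e.phase for e in events if e.event_id in event_ids}
    return [p for p in KILL_CHAIN if p not in observed]


if __name__ == "__main__":
    group = activity_group(SAMPLE_EVENTS, "E1")
    print("activity group from E1:", group)
    print("thread for ws-042:", activity_thread(SAMPLE_EVENTS, "ws-042"))
    print("phases not observed:", unobserved_phases(SAMPLE_EVENTS, group))
```

Starting from the phishing delivery E1, the pivot reaches the second host and the third delivery through the shared document hash and the shared download domain and C2 address, while the adware event on the same workstation stays outside the group because it shares neither. The phase list for the group then shows that reconnaissance and weaponization were never visible to the defender, and that no actions on objectives had yet been observed, which is exactly the breakpoint information the Kill Chain is meant to surface.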
Strengths of The Diamond Model for Intrusion Analysis
Excellent for advanced threat analysis and attribution.
Encourages correlation across campaigns.
Works well with threat intelligence sharing.
Limitations of The Diamond Model for Intrusion Analysis
Requires mature data collection and analysis capabilities, since pivoting only works when indicators from many incidents are recorded consistently.
Less intuitive for beginners.
Does not itself define attack progression stages; its "phase" meta-feature expects an external lifecycle model such as the Kill Chain to supply them.
Final remarks
The Cyber Kill Chain and the Diamond Model serve complementary purposes in intrusion analysis. The Cyber Kill Chain breaks an attack down into seven distinct phases, allowing defenders to identify where an intrusion can be detected, disrupted, or prevented. In contrast, the Diamond Model introduces four core elements that help analysts understand the relationships and motivations behind an attack. Together, these frameworks provide both tactical defense through lifecycle analysis and strategic insight through contextual threat intelligence, making them invaluable tools for modern intrusion analysis.
— Ben Skinner