Claude Code for Diamond Model Intrusion Workflow Tutorial

The Diamond Model of intrusion analysis provides a structured framework for understanding and documenting cyberattacks. By organizing intrusion data around four core elements—Adversary, Victim, Infrastructure, and Capability—security analysts can systematically track threat actors and their tactics. This tutorial shows you how to leverage Claude Code to build reusable skills that automate and streamline Diamond Model analysis workflows.

Understanding the Diamond Model Framework

Before diving into the implementation, let’s briefly cover the Diamond Model’s four vertices:

• Adversary: The threat actor or attacker group conducting the intrusion
• Victim: The target organization, system, or individual being attacked
• Infrastructure: The tools, servers, domains, and networks used to conduct the attack
• Capability: The attack techniques, malware, exploits, and skills employed

Each intrusion event creates a “diamond” connecting these four elements. By tracking multiple diamonds over time, analysts can identify patterns, attribute attacks, and build comprehensive threat intelligence.

Creating a Diamond Model Analysis Skill

The first step is building a Claude Code skill that guides analysts through the Diamond Model documentation process. Here’s how to structure this skill:

Skill Structure and Front Matter

---
name: diamond-model-analysis
description: Guides security analysts through Diamond Model intrusion analysis
tools: [read_file, write_file, bash]
---

The skill restricts tool access to file operations and bash commands, keeping the workflow focused on documentation rather than enabling unintended actions.

Guided Analysis Prompts

The skill body should guide analysts through each Diamond Model vertex systematically:

## Diamond Model Intrusion Analysis

Follow this workflow to document a new intrusion incident using the Diamond Model framework.

### Step 1: Document the Adversary
- Identify the threat actor group (or create an anonymous identifier)
- Note any known aliases, motivations, or targeting preferences
- Record the date and time of first evidence

### Step 2: Document the Victim
- Identify the affected organization or systems
- Note the industry sector and geographic location
- Describe the initial compromise vector if known

### Step 3: Document the Infrastructure
List all infrastructure elements:
- Command and control (C2) domains and IP addresses
- Staging servers and file transfer points
- Malware deployment URLs

### Step 4: Document the Capability
- Primary attack vector (phishing, exploit, etc.)
- Malware families and variants used
- Post-exploitation tools and techniques
- MITRE ATT&CK techniques observed

Generate a summary report in markdown format with all findings.

This structured approach ensures consistency across different analysts and incidents.

Automating Diamond Model Data Extraction

Beyond guided analysis, you can build skills that automatically extract Diamond Model elements from existing security data. For example, a skill that processes firewall logs to identify potential infrastructure:

---
name: diamond-infrastructure-extractor
description: Extracts potential Diamond Model infrastructure from log data
tools: [read_file, write_file]
---

## Infrastructure Extraction Workflow

1. Read the provided log file to identify:
   - External IP addresses with unusual connection patterns
   - DNS queries to suspicious domains
   - Connections to known threat intelligence indicators

2. For each identified element, classify it as:
   - C2 infrastructure
   - Staging server
   - Exfiltration endpoint

3. Output a structured list in YAML format:

This skill can then output extracted indicators in a standardized format:

infrastructure:
  - type: c2
    indicator: 192.0.2.100
    confidence: high
    source: firewall_logs
  - type: staging
    indicator: malware-dist.example.com
    confidence: medium
    source: dns_logs

Building Correlation Skills

One of the most powerful applications of Claude Code skills is correlating new intrusions with historical data. Create a skill that:

1. Reads existing Diamond Model documentation from your knowledge base
2. Compares new intrusion indicators against historical patterns
3. Suggests potential adversary attribution based on infrastructure or capability overlaps

## Intrusion Correlation Analysis

Given a new intrusion's Diamond Model elements:

1. Search the incident database for matching:
   - Infrastructure overlaps (shared C2, staging servers)
   - Capability similarities (same malware families, techniques)
   - Victim patterns (same industry, geographic region)

2. Calculate correlation scores for each potential match

3. Present findings with confidence levels and supporting evidence

This workflow enables analysts to quickly determine if a new incident is related to known threat actors.

Integrating with MITRE ATT&CK

The Diamond Model’s “Capability” vertex naturally maps to MITRE ATT&CK techniques. Build a skill that helps analysts translate their capability observations into ATT&CK mappings:

## Capability to ATT&CK Mapping

For each capability element identified:
1. Analyze the technique description
2. Search the ATT&CK framework for matching techniques
3. Document the mapping with confidence level

Output format:
- Capability: "PowerShell-based credential dumping"
- ATT&CK Technique: T1003 - OS Credential Dumping
- Confidence: High

This integration ensures your Diamond Model analysis aligns with industry-standard threat frameworks.

Actionable Advice for Implementation

When building Diamond Model skills for Claude Code, consider these best practices:

Standardize Your Data Formats: Define consistent YAML or JSON schemas for storing Diamond Model data. This makes correlation skills more effective and enables easier integration with other security tools.

Version Your Diamonds: Each intrusion analysis should include timestamps and version numbers. As new information emerges, update rather than overwrite existing diamonds to maintain historical accuracy.

Link Related Intrusions: When correlation skills identify related incidents, create explicit links between diamonds. This builds a connected graph of threat intelligence that reveals campaign-level activity.

Export for SIEM Integration: Build skills that export Diamond Model data in formats compatible with your SIEM or threat intelligence platform. JSON and STIX are common choices for interoperability.

Automate Where Safe: Start with guided analysis skills before attempting automation. Validate automated extractions manually until confidence levels are established.

Conclusion

Claude Code skills transform Diamond Model intrusion analysis from a manual, inconsistent process into a structured, repeatable workflow. By creating skills for guided analysis, automated extraction, correlation, and framework integration, you build a comprehensive toolkit for threat intelligence operations. Start with simple guided workflows, then progressively add automation as your skills mature and your confidence in their accuracy grows.

The key is maintaining consistency in how you document intrusions. Once your team standardizes on a Diamond Model skill workflow, the accumulated data becomes increasingly valuable for pattern recognition and adversary attribution.