Four Cybersecurity Models

Keeping a notion of an “adversary” and more of an OODA (observe, orient, decide, act) mindset lies at the core of managing human-made incidents, whether they’re digital or physical. When the opponent is nature instead, I think that knowing physics and any kind of *science* is what gives critical event managers an advantage in how they think.

The strong interconnectedness of digital-to-digital and physical-to-physical systems, and all the ways they intersect, is what produces complexity. I like to think that the goal of managing complexity is to separate what’s merely complicated (i.e. understandable) from what’s truly complex (i.e. not understandable), and then tackle the complicated part first.

Lockheed Model: Cyber Kill Chain

Mental model of the hacker’s progression, in order:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

Diamond Model

Nodes in a graph structure, one set per intrusion event:

  • Adversary
  • Infrastructure
  • Capabilities
  • Victim
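As an added example (not part of the original notes), the following Python models each intrusion event as a Diamond with the four nodes above and then does the two things the graph structure is for: pivoting from one known feature (say, a C2 address) to the other victims and tools that share it, and clustering events into activity groups via the features they have in common. The events, hostnames and addresses are constructed placeholders, and the kill-chain phase ordering is borrowed from the Lockheed model in the previous section.

```python
from collections import defaultdict
from dataclasses import dataclass

# Kill-chain phase order, used to lay one victim's events out as a thread.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event with the Diamond Model's four core features."""
    event_id: str
    adversary: str       # usually "unknown" until attribution, so never pivoted on here
    infrastructure: str  # host or domain the adversary used
    capability: str      # tool or technique used
    victim: str          # asset or identity targeted
    phase: str           # kill-chain phase the event sits in


# Constructed sample events. Indicators are placeholders (documentation
# address ranges and a .test domain), not real IoCs.
EVENTS = [
    DiamondEvent("e1", "unknown", "files.example-cdn.test", "phishing-doc", "ws-finance-01", "Delivery"),
    DiamondEvent("e2", "unknown", "files.example-cdn.test", "macro-dropper", "ws-finance-01", "Installation"),
    DiamondEvent("e3", "unknown", "203.0.113.7", "http-beacon", "ws-finance-01", "Command and Control"),
    DiamondEvent("e4", "unknown", "203.0.113.7", "http-beacon", "srv-hr-02", "Command and Control"),
    DiamondEvent("e5", "unknown", "198.51.100.9", "vuln-scanner", "web-dmz-03", "Reconnaissance"),
]

PIVOT_FEATURES = ("infrastructure", "capability", "victim")


def pivot(events, feature, value):
    """Analytic pivoting: start from one known feature value and return the
    events that share it plus the other features those events expose."""
    matches = [ev for ev in events if getattr(ev, feature) == value]
    exposed = defaultdict(set)
    for ev in matches:
        for other in PIVOT_FEATURES:
            if other != feature:
                exposed[other].add(getattr(ev, other))
    return matches, dict(exposed)


def cluster_events(events):
    """Connected components of the event graph: two events are linked when
    they share any pivot feature. Each component is one activity group."""
    parent = {ev.event_id: ev.event_id for ev in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_feature = defaultdict(list)
    for ev in events:
        for f in PIVOT_FEATURES:
            by_feature[(f, getattr(ev, f))].append(ev.event_id)
    for ids in by_feature.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(set)
    for eid in parent:
        groups[find(eid)].add(eid)
    return sorted(groups.values(), key=min)


def activity_thread(events, victim):
    """One victim's events ordered along the kill chain; phases with no
    event are the gaps an analyst should go looking for evidence in."""
    mine = sorted((ev for ev in events if ev.victim == victim),
                  key=lambda ev: KILL_CHAIN.index(ev.phase))
    return [(ev.phase, ev.event_id) for ev in mine]


if __name__ == "__main__":
    hits, exposed = pivot(EVENTS, "infrastructure", "203.0.113.7")
    print([ev.event_id for ev in hits], exposed)
    print(cluster_events(EVENTS))
    print(activity_thread(EVENTS, "ws-finance-01"))
```

Pivoting on the beacon address reveals a second victim (srv-hr-02) that the finance-workstation investigation alone would have missed, and the clustering step puts the four related events in one group while leaving the unrelated scan on its own; the adversary node is deliberately left out of the pivot features, since an “unknown” adversary label would otherwise glue every event together.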

MITRE Model: ATT&CK (Adversarial Tactics, Techniques and Common Knowledge)

Mental model of the hacker’s tactics:

  1. Initial access
  2. Execution
  3. Persistence
  4. Privilege escalation
  5. Defense evasion
  6. Credential access
  7. Discovery
  8. Lateral movement
  9. Collection
  10. Command and control
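To show how the Kill Chain and ATT&CK lists are used together on the defensive side, here is an added Python example (not from the original notes or from either vendor). It runs a handful of toy detection rules over constructed log lines, tags each hit with an ATT&CK tactic, folds the tactics back onto kill-chain phases, and reports how far the intrusion got, where the chain could first have been broken, and which tactics have no detection rule at all. The tactic-to-phase crosswalk and the regex rules are this example’s own assumptions.

```python
import re

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

ATTACK_TACTICS = ["Initial access", "Execution", "Persistence", "Privilege escalation",
                  "Defense evasion", "Credential access", "Discovery",
                  "Lateral movement", "Collection", "Command and control"]

# Assumed tactic -> phase correspondence. This is the example's own rough
# simplification, not an official crosswalk between the two frameworks.
TACTIC_TO_PHASE = {
    "Initial access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Privilege escalation": "Exploitation",
    "Defense evasion": "Installation",
    "Credential access": "Actions on Objectives",
    "Discovery": "Actions on Objectives",
    "Lateral movement": "Actions on Objectives",
    "Collection": "Actions on Objectives",
    "Command and control": "Command and Control",
}

# Toy detection rules (regex -> tactic). A real stack has many rules per
# tactic; here one rule stands in for each tactic it covers.
RULES = [
    (re.compile(r"attachment \S+\.docm opened"), "Initial access"),
    (re.compile(r"parent=WINWORD\.EXE child=powershell\.exe"), "Execution"),
    (re.compile(r"registry Run key added"), "Persistence"),
    (re.compile(r"outbound http beacon"), "Command and control"),
    (re.compile(r"lsass\.exe memory read"), "Credential access"),
]

# Constructed log lines in a made-up format; hosts and addresses are placeholders.
CONSTRUCTED_LOG = [
    "2024-05-01T09:02:11 mail: attachment invoice.docm opened by user=jdoe host=ws-finance-01",
    "2024-05-01T09:02:40 edr: process_create parent=WINWORD.EXE child=powershell.exe host=ws-finance-01",
    "2024-05-01T09:03:05 edr: registry Run key added value=Updater host=ws-finance-01",
    "2024-05-01T09:03:30 proxy: outbound http beacon host=ws-finance-01 dst=203.0.113.7 interval=60s",
    "2024-05-01T09:10:12 edr: lsass.exe memory read by process=powershell.exe host=ws-finance-01",
    "2024-05-01T09:12:00 auth: normal logon user=asmith host=ws-hr-07",
]


def classify(line, rules=RULES):
    """Return the ATT&CK tactic of the first matching rule, or None."""
    for pattern, tactic in rules:
        if pattern.search(line):
            return tactic
    return None


def analyze(lines, rules=RULES):
    """Map detections onto the kill chain. 'earliest_detection' is the first
    phase where a defender had a chance to break the chain; 'furthest_phase'
    is how far the attacker demonstrably got."""
    tactics = []
    for line in lines:
        tactic = classify(line, rules)
        if tactic and tactic not in tactics:
            tactics.append(tactic)
    phases = sorted({TACTIC_TO_PHASE[t] for t in tactics}, key=KILL_CHAIN.index)
    return {
        "tactics": tactics,
        "phases": phases,
        "earliest_detection": phases[0] if phases else None,
        "furthest_phase": phases[-1] if phases else None,
        "unobserved_phases": [p for p in KILL_CHAIN if p not in phases],
    }


def uncovered_tactics(rules=RULES):
    """Tactics with no rule at all: the blind spots of this detection stack."""
    covered = {tactic for _, tactic in rules}
    return [t for t in ATTACK_TACTICS if t not in covered]


if __name__ == "__main__":
    print(analyze(CONSTRUCTED_LOG))
    print("no coverage for:", uncovered_tactics())
```

On the constructed log the first detection lands at Delivery, so the chain could have been cut before the macro ever ran; the blind-spot list is the more useful output for planning, since any tactic on it would let the same intrusion progress unseen.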

Reference: https://www.comptia.org/blog/think-like-a-hacker-3-cybersecurity-models-used-to-investigate-intrusions

Zero Trust Model: ZTA (Zero Trust Architecture)

Drops the idea of protecting a castle with a moat and assumes that the blurred boundaries of a network and its service providers already have adversaries present. The goal is therefore to shrink trust zones around a specific role, so that a compromised identity or device can do as little damage as possible. Core components of ZTA include:

  • Enterprise identities and devices: first, authenticate them before letting them in.
  • Trust verification systems (the policy engine plus Policy Decision Points (PDP) and Policy Enforcement Points (PEP)): second, determine your confidence level for each request based on the device, the time of day of the connection, and anything outside the normal pattern.
  • Enterprise resources: anything to be protected, such as data, applications, devices, etc.

Seven basic tenets of ZTA:

  • “All data sources and computing services are considered as ‘resources’
  • All communication is secured (internal or external)
  • All access is provided ‘per-session’
  • Access is provided based on a dynamic risk-based policy
  • All devices should be in the most secure state possible. They should be monitored for this
  • Dynamic authentication and authorization is strictly enforced before granting access
  • Collect as much information about the network and infrastructure as possible”
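The component list (policy engine, PDP, PEP) and the tenets above describe the same decision loop, so one added Python example (not from SP 800-207 or from the original notes) serves both. It scores a single session request from device posture, time of day and deviation from the subject’s normal pattern, has a PDP compare that confidence against what the resource demands, and has a PEP that forwards or denies and records every decision. The subject, baseline, weights and thresholds are constructed assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    device_id: str
    device_managed: bool   # enrolled in device management
    device_patched: bool   # posture check: current patch level
    mfa_passed: bool
    when: datetime
    geo: str               # country code of the connecting address


# Constructed per-subject baseline of normal behaviour (hypothetical data).
BASELINE = {
    "jdoe": {"devices": {"lt-0421"}, "geo": {"DE"}, "hours": range(7, 20)},
}

# Confidence the policy requires per resource. Scores and thresholds are
# this example's own, not values from SP 800-207.
REQUIRED_CONFIDENCE = {"wiki": 40, "payroll-db": 80}


def confidence_score(req, baseline):
    """Policy engine: start at full confidence and subtract for every signal
    that weakens device state or deviates from the subject's normal pattern."""
    penalties = [
        (not req.mfa_passed, 100, "no MFA"),
        (not req.device_managed, 40, "unmanaged device"),
        (not req.device_patched, 20, "device not patched"),
        (req.device_id not in baseline["devices"], 20, "unfamiliar device"),
        (req.geo not in baseline["geo"], 25, "unusual location"),
        (req.when.hour not in baseline["hours"], 15, "outside normal hours"),
    ]
    score = 100
    reasons = []
    for triggered, cost, reason in penalties:
        if triggered:
            score -= cost
            reasons.append(reason)
    return max(score, 0), reasons


def decide(req, baseline=BASELINE):
    """Policy Decision Point: one decision per session, nothing cached across
    sessions; an unknown subject or an unlisted resource is denied."""
    base = baseline.get(req.subject)
    if base is None:
        return {"allow": False, "score": 0, "required": 100, "reasons": ["unknown subject"]}
    score, reasons = confidence_score(req, base)
    required = REQUIRED_CONFIDENCE.get(req.resource, 101)  # 101 can never be met: default deny
    return {"allow": score >= required, "score": score, "required": required, "reasons": reasons}


class PolicyEnforcementPoint:
    """PEP: sits in front of the resource, forwards only what the PDP allows,
    and records every decision (the 'collect as much information' tenet)."""

    def __init__(self, decide_fn=decide):
        self.decide_fn = decide_fn
        self.audit = []

    def handle(self, req):
        verdict = self.decide_fn(req)
        self.audit.append((req.subject, req.resource, verdict["allow"], verdict["reasons"]))
        if not verdict["allow"]:
            return "denied"
        return f"forwarded {req.subject} -> {req.resource} (session-scoped)"


def sample_request(**overrides):
    """Constructed request from jdoe's own laptop during working hours; keyword
    arguments override fields to build the deviating cases."""
    fields = dict(subject="jdoe", resource="wiki", device_id="lt-0421",
                  device_managed=True, device_patched=True, mfa_passed=True,
                  when=datetime(2024, 5, 1, 10, 0), geo="DE")
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    print(pep.handle(sample_request()))
    print(pep.handle(sample_request(resource="payroll-db", device_id="lt-9999")))
    print(pep.handle(sample_request(resource="payroll-db", device_id="lt-9999",
                                    when=datetime(2024, 5, 1, 2, 0))))
    print(pep.audit)
```

The third request shows the point of a dynamic, risk-based policy: an unfamiliar device alone still clears the payroll threshold, but the same device connecting at 02:00 does not, while the low-sensitivity wiki would have accepted either. Because the score is recomputed for every request, a session that was allowed an hour ago gets no credit now.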

References: https://csrc.nist.gov/publications/detail/sp/800-207/final and https://cisomag.eccouncil.org/zero-trust-nist-800-207/