The model represents a security incident or event. In the Diamond Model, an event is a time-bound activity that is restricted to a specific step in which an adversary uses a capability over infrastructure to attack a victim to achieve a specific result.
The Diamond Model of Intrusion Analysis is made up of four parts which are:
Adversary: These are the parties responsible for the intrusion either an organization or threat actor leveraging on the capability against a victim to fulfill its goal.
Capability: This is a tool or technique that the adversary uses to attack the victim.
Infrastructure: This is the network path or paths that the adversaries use to establish and maintain command and control over their capabilities such as IP or e-mail addresses, domain names, and others.
Victim: This is the target of the attack. It can be organizations, people, or assets, such as target email or IP addresses, domains, and so on. However, a victim might be the target initially and then used as part of the infrastructure to launch other attacks.