The cybercriminal underground has increasingly shifted to an ecosystem of ultraspecialization, which has put threat analysts behind the eight ball.

Current approaches to threat modeling and analysis frequently treat attack campaigns as if conducted completely by a single group or with a single motivation. But a number of companies aim to modify existing threat models to account for the increasing compartmentalization among threat groups as they focus on providing specific techniques or services.

On May 11, researchers from the Cisco Talos threat-intelligence team proposed adding a relationship layer to the traditional approach to intrusion analysis known as the Diamond Model, an update that allows analysts to maintain separate profiles for each actor while mapping the relationships between them. The modified approach helps capture the focus of specific groups on providing services, says Edmund Brumaghin, a researcher with Cisco Talos and a co-author of their analysis.

“By leveraging the extended Diamond Model and maintaining this relational data,” Brumaghin says, “the community will be better equipped to report more accurately on threats that are observed, avoid attribution pitfalls when analyzing artifacts seen during intrusion analysis, and enable more effective and comprehensive identification of overlaps when analyzing related intrusion activity.”

Cybercriminals’ move to specialized services is not a new trend. Underground marketplaces, such as the now-defunct Genesis Dark Web forum, allow various groups to buy and sell discrete services, whether initial access to valuable targets, denial-of-service attacks to order, or affiliate connections through ransomware-as-a-service (RaaS).

Yet whether the well-established trend is accelerating is not clear. Google’s threat researchers, for example, observed fewer ransomware incidents involving an initial access partnership in 2024. However, the company regularly responds to incidents that involve more than one threat group as well, says Genevieve Stark, head of cybercrime and information operations intelligence analysis at the Google Threat Intelligence Group.

“Typically, cases [involve] one threat actor provid[ing] initial access to a second threat actor that completes the post-compromise operations,” she says, adding: “Some of these partnerships are short-lived and transactional, while other partnerships may last several years and involve significant collaboration. … Threat actors that are conducting intrusion operations tend to be extremely adaptable and shift monetization methods over time.”

A number of threat models already exist. The kill chain model of an intrusion focuses on the tactics, techniques, and procedures used by a threat actor, typically encompassing seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The Diamond Model focuses on profiling a cyberattack using four facets of the typical cybersecurity incident: victimology, infrastructure details, the adversary’s attributes, and the capabilities on display during the attack.

Those models fall short in helping analyze compartmentalized threat groups, however. One group may buy malware from a second group, use that malware to gain initial access, and then sell that access to a third group. Unlike Google, Cisco Talos sees these divisions of labor growing more popular, Brumaghin says.

“We are now seeing an increase in other types of threat actors, such as state-aligned [or] state-sponsored actors who are tasked with obtaining access for the purpose of transferring it to other actors,” he says. “As threat actors continue to mature their capabilities and specialize in the performance of certain tasks, we expect to see more compartmentalization occurring moving forward.”

Other companies have also noted the increase in compartmentalization and have adapted their analysis approaches to account for multiple groups. Incident responders for AI-focused search firm Elastic, for example, increasingly see compartmentalization, a trend driven by RaaS, says Devon Kerr, director of threat research at Elastic.

For that reason, Kerr appreciates the addition of a relationship layer.

“I see strategic benefits to adopting this taxonomy for describing threats, such as leveraging your understanding of groups with handoff relationships to determine which of those groups you are best able to disrupt,” he says.

Cisco Talos researchers collaborated with The Vertex Project, using its intelligence platform, to create an intelligence tool that adds a relationship layer to the Diamond Model. The researchers then used the updated framework to map relationships between actors in the ToyMaker-Cactus campaign, showing how the new model helped separate the activities of the different groups.

In that campaign, ToyMaker functioned as a financially motivated initial access group, gaining initial access to systems and then handing that access over to the Cactus ransomware group. The deconstructed campaign highlights how adversaries are increasingly outsourcing components of attacks, which also complicates attribution and threat modeling.

Cisco’s approach is not the only one. Google’s Threat Intelligence Group has adopted one set of labels to denote role or specialization and a second set of labels to track motivation. Specializations can include initial access, bulletproof hosting, or a ransomware affiliate, while motivations could be political, financial, or personal, says Google Threat Intelligence Group’s Stark.

“We recommend this approach, as opposed to combining them into a single taxonomy, given that a threat cluster’s motivation may not always be immediately apparent, can change over time, and does not always align with their partners’ or customers’ motivations,” she says. “Further, threat actors can be motivated by a variety of factors beyond espionage and financial gain, to include ideology and ego.”

Changing the approach to threat modeling can help researchers focus on other aspects of compartmentalized threats, such as identifying motivations in initial access groups, which the Cisco Talos researchers dissected in a second analysis.

Many groups focus on initial access operations, and the researchers identify at least three variants. Financially motivated initial access (FIA) groups focus on compromising systems for financial gain, while state-sponsored initial access (SIA) groups aim to establish beachheads within the networks of high-value targets. Finally, opportunistic initial access (OIA) groups fall between the FIA and SIA groups, often selling access to both, and reusing access gained in one area — say, financial — against targets in another.

“Actors like government contractors may operate as an SIA group as part of their normal means of employment while operating as an FIA group to generate additional income,” Cisco Talos researchers stated in their analysis. “Once the state-sponsored actor’s operation has been conducted, the initial access may then be re-sold under the pretext of ‘financial gain’ while providing plausible deniability and forensic confusion once the access is reused.”
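To make the relationship layer concrete, here is an added illustration (not code from Cisco Talos, The Vertex Project, or Google) that keeps a separate Diamond Model profile per actor, stores role and motivation as separate label sets, and links profiles with directed relationship edges along the buy-malware, gain-access, sell-access chain described above. ToyMaker and Cactus are the groups named in the article; the supplier "VendorX", every indicator, the victim name, and the relationship type names are constructed assumptions for this example.

```python
from collections import deque

# Per-actor profiles: the four Diamond Model facets are kept separate for each
# actor instead of being merged into one campaign-wide profile. Every indicator,
# victim name, and the "VendorX" actor are constructed sample data.
ACTORS = {
    "VendorX": {   # constructed malware supplier at the head of the handoff chain
        "adversary": {"roles": {"malware-developer"}, "motivations": {"financial"}},
        "capability": {"loader-v2"}, "infrastructure": {"192.0.2.5"}, "victim": set(),
    },
    "ToyMaker": {  # initial access group named in the article
        "adversary": {"roles": {"initial-access"}, "motivations": {"financial"}},
        "capability": {"loader-v2"}, "infrastructure": {"203.0.113.10"}, "victim": {"org-A"},
    },
    "Cactus": {    # ransomware group named in the article
        "adversary": {"roles": {"ransomware-affiliate"}, "motivations": {"financial"}},
        "capability": {"cactus-ransomware"}, "infrastructure": {"198.51.100.7"}, "victim": {"org-A"},
    },
}
# Relationship layer: directed (source, relationship, target) edges between profiles.
# The relationship type names are assumptions for this example.
RELATIONSHIPS = [
    ("VendorX", "supplied_malware_to", "ToyMaker"),
    ("ToyMaker", "sold_access_to", "Cactus"),
]
FACETS = ("capability", "infrastructure", "victim")

def attribute_artifact(indicator):
    """Actors whose own profile carries the indicator. A shared tool legitimately
    points at more than one actor, so the result must not be collapsed to one group."""
    return sorted(n for n, p in ACTORS.items() if any(indicator in p[f] for f in FACETS))

def overlaps(a, b):
    """Facets on which two profiles intersect, plus the relationships explaining them."""
    shared = {f: ACTORS[a][f] & ACTORS[b][f] for f in FACETS}
    shared = {f: v for f, v in shared.items() if v}
    links = [r for s, r, t in RELATIONSHIPS if {s, t} == {a, b}]
    return shared, links

def downstream(actor):
    """Every actor that directly or transitively receives a handoff from `actor`."""
    seen, queue = set(), deque([actor])
    while queue:
        cur = queue.popleft()
        for s, _, t in RELATIONSHIPS:
            if s == cur and t not in seen:
                seen.add(t)
                queue.append(t)
    return seen

def disruption_ranking():
    """Actors ordered by how many others lose a supplier if that actor is disrupted."""
    return sorted(ACTORS, key=lambda a: -len(downstream(a)))
```

With this layout, a shared victim between ToyMaker and Cactus reads as a handoff explained by the `sold_access_to` edge rather than as evidence that one group did everything, and the ranking points at the upstream supplier as the disruption with the widest reach.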

Overall, Elastic’s Kerr appreciates the additional relationship layer, he says.

“Elastic Security Labs researchers perform rigorous analysis of the threats we track, and these details are routine parts of that analysis,” he says. “If our goal as practitioners is to understand threat phenomena and meaningfully alter a bad outcome, this provides additional context for doing so.”