The Pyramid of Pain

Today, almost every organization focuses on its threat landscape and collects intelligence from different sources, whether open-source or paid feeds. Threat intelligence is not only about gathering information from various sources; it also involves measuring how well that intelligence can be used and assessing how much each piece of information actually helps protect the organization.

This introduces the concept of the Pyramid of Pain, which helps in understanding that not every indicator of compromise is equally useful when it comes to defending against adversaries. The Pyramid of Pain is shown in the following figure:

Figure: The Pyramid of Pain

Each level of the Pyramid names a type of indicator that threat intelligence can gather. Read from bottom to top, the levels also rank, in ascending order, how much effort it costs an adversary to change that resource. Let us take a quick look at each level to get more clarity on this Pyramid.

  • Hash Values: These are the MD5, SHA1 or SHA256 hashes of malicious files that entered the system; each file has a unique signature. They are the most susceptible to change, since it is trivial for an attacker to modify the file content and thereby change the signature completely.
  • IP Addresses: No attacker likes to expose their own infrastructure, which is why they use proxy servers and VPNs. IP addresses are easy to swap for a new attack, unless they are hard-coded into the malware's functionality.
  • Domains: Domain names are as simple to change as an IP address. Attackers tend to use Domain Generation Algorithms to rotate domain names on almost every new attack, and widely use encoding techniques such as Punycode and Unicode to disguise the original names during an attack.
  • System Artefacts: These are the resources that are annoying for an attacker to change, such as Registry values, system paths, memory locations, mutexes and so on.
  • Tools: Seeing the same tool used in attack after attack makes you more effective at detecting it the next time. If an organization defends at this level, the attacker has to change all of the tool's code and functionality, or even the exploit framework, which is challenging.
  • Tactics, Techniques and Procedures (TTP): This covers the methods and procedures the adversary uses to propagate the malware, perform reconnaissance on the initial vectors, and so on. TTPs are the most difficult thing for an attacker to change; defending at this level makes the actor think twice about choosing the victim rather than changing their TTPs.

It is essential that an organization uses its intelligence effectively to climb the Pyramid and stay one step ahead of the adversaries. The aim should be to put the ingested feed information to work according to how well each kind of indicator performs at its level.
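As an added example that is not part of the original post: a small Python script that classifies each entry of a constructed indicator feed into its Pyramid level, counts how the feed is distributed across levels, and shows which levels still match after the adversary trivially rebuilds the sample and moves to a new domain. The `artifact:`, `tool:` and `ttp:` feed tags are a hypothetical convention assumed here, and all feed values are constructed.

```python
import hashlib
import re
from collections import Counter

LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]  # bottom to top
_HEX = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def classify(indicator: str) -> str:
    """Map one feed entry to its Pyramid of Pain level."""
    value = indicator.strip().lower()
    for prefix in ("artifact:", "tool:", "ttp:"):   # hypothetical feed tags
        if value.startswith(prefix):
            return prefix[:-1]
    if _HEX.match(value):
        return "hash"
    if _IPV4.match(value):
        return "ip"
    if _DOMAIN.match(value):
        return "domain"
    raise ValueError(f"unrecognised indicator: {indicator!r}")


def pain_profile(feed):
    """Entries per level: a feed dominated by hashes and IPs is cheap to evade."""
    return Counter(classify(entry) for entry in feed)


def matched_levels(feed, observation):
    """Levels at which an observed sample still hits the feed. observation is a
    constructed dict: content (bytes), c2 (str), mutex (str), technique (str)."""
    seen = {
        "hash": hashlib.sha256(observation["content"]).hexdigest(),
        "domain": observation["c2"].lower(),
        "artifact": ("artifact:" + observation["mutex"]).lower(),
        "ttp": ("ttp:" + observation["technique"]).lower(),
    }
    hits = {classify(e) for e in feed if seen.get(classify(e)) == e.strip().lower()}
    return sorted(hits, key=LEVELS.index)


# Constructed sample: the same dropper before and after a trivial rebuild.
ORIGINAL = b"constructed dropper body v1"
REBUILT = b"constructed dropper body v2"   # new hash, same behaviour
SAMPLE_FEED = [
    hashlib.sha256(ORIGINAL).hexdigest(),
    "198.51.100.23",                         # constructed, documentation range
    "update-check.example.net",
    "artifact:Global\\SvcHostUpdaterMutex",
    "ttp:persistence via scheduled task",
]
```

Running `matched_levels` on the original sample hits hash, domain, artifact and ttp; on the rebuilt sample with a fresh domain only the artifact and ttp entries still fire, which is the Pyramid's point in code.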

Hence it is important to set up honeypots and monitor how an attacker progresses through the cyber kill chain. Likewise, the malware should be studied thoroughly to understand the underlying nature of its execution and functionality.

So, that is how you should focus on moving upward in the Pyramid of Pain (for the attacker!), making security tighter and harder to break into.

Source: The Pyramid of Pain was first introduced by David Bianco.