SOCRadar® Cyber Intelligence Inc. | Re-examining the Pyramid of Pain to Use Cyber Threat Intelligence More Effectively
May 24, 2021

Re-examining the Pyramid of Pain to Use Cyber Threat Intelligence More Effectively

The Pyramid of Pain was first described in 2013 by security specialist David J. Bianco to make attack indicators more useful in incident response and threat hunting.

The Pyramid ranks each type of indicator by its potential value to you as a defender, by how hard that intelligence is to obtain, and, from the adversary's perspective, by how hard it is to avoid detection at that level. The higher up the pyramid your detections sit, the longer they keep working.

What is the Pyramid of Pain?


The Pyramid of Pain lists six types of attack indicator. Each can be used to detect attacker activity, and the pyramid ranks them by how much pain denying that indicator causes the attacker.

Each level of the Pyramid of Pain is an opportunity for security teams to detect and prevent the various indicators of attack.

These attack indicators fall into two groups:

  1. Automation and Traditional Indicators – Hash Values, IP Addresses, Domain Names.
  2. Behavior-Based Detection – Network/Host Artifacts, Tools, Tactics, Techniques, and Procedures.


What are the types of indicators?


[Figure: the Pyramid of Pain diagram. Source: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html]

  • Hash Values: SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files. Often used to provide unique references to specific samples of malware or to files involved in an intrusion.


  • IP Addresses: a single IP address or, more broadly, a netblock.


  • Domain Names: a domain name itself, or a sub-domain or sub-sub-domain of it.


  • Network Artifacts: Observables caused by adversary activities on your network. Technically speaking, every byte that flows over your network as a result of the adversary’s interaction could be an artifact, but in practice this really means those pieces of the activity that might tend to distinguish malicious activity from that of legitimate users. Typical examples might be URL patterns, C2 information embedded in network protocols, distinctive HTTP User-Agent or SMTP Mailer values, etc.


  • Host Artifacts: Observables caused by adversary activities on one or more of your hosts. Again, we focus on things that would tend to distinguish malicious activities from legitimate ones. They could be registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names, names or descriptions of malicious services, or almost anything else that's distinctive.


  • Tools: Software used by the adversary to accomplish their mission. Mostly this will be things they bring with them, rather than software or commands that may already be installed on the computer. This would include utilities designed to create malicious documents for spear phishing, backdoors used to establish C2, password crackers, or other host-based utilities they may want to use post-compromise.


  • Tactics, Techniques and Procedures (TTPs): How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between. Spear phishing is a common TTP for establishing a presence in the network.


How can the Pyramid be used for more effective CTI?


In recent ransomware campaigns, for example, we see domains being registered and activated merely hours before their use. Such tactics exploit the fact that there is a window of opportunity to use this infrastructure before defenders can reconfigure the many devices in their security infrastructure. The Pyramid can be used to

  • measure the potential usefulness of your intel.
  • measure the difficulty of obtaining that intel.
  • show that the higher up the pyramid you are, the more resources your adversaries must expend.
  • quickly detect, respond to and disrupt your adversaries' activities.
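The point about hours-old domains can be made concrete with detection content. The following is an added example, not SOCRadar's or Bianco's code; it uses two constructed campaign "waves" in which the attacker rotates the cheap indicators (file hash, IP, domain) but keeps the tooling's network artifact, and checks which wave-1 rules still fire on wave 2.

```python
import hashlib
import re

# Constructed sample: two waves of one campaign. Wave 2 rotates the cheap
# indicators (file, IP, domain) but reuses the tooling's HTTP fingerprint.
WAVE1 = {
    "payload": b"MZ...loader-v1",
    "dst_ip": "198.51.100.23",
    "domain": "update-cdn-7731.example",
    "url": "/gate.php?id=4f2a&cmd=chk",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}
WAVE2 = {
    "payload": b"MZ...loader-v1\x00",     # one appended byte: new hash
    "dst_ip": "203.0.113.9",              # new hosting
    "domain": "cdn-update-9920.example",  # registered hours before use
    "url": "/gate.php?id=91cc&cmd=chk",   # same URL shape, new id
    "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}

# Detection content written from wave 1 only, one rule per pyramid level.
KNOWN_SHA256 = {hashlib.sha256(WAVE1["payload"]).hexdigest()}
KNOWN_IPS = {WAVE1["dst_ip"]}
KNOWN_DOMAINS = {WAVE1["domain"]}
# Network artifact: the tooling's check-in URL shape plus its legacy User-Agent.
GATE_URL = re.compile(r"^/gate\.php\?id=[0-9a-f]{4}&cmd=chk$")
LEGACY_UA = re.compile(r"MSIE 6\.0; Windows NT 5\.1")

def _network_artifact(e: dict) -> bool:
    return bool(GATE_URL.match(e["url"]) and LEGACY_UA.search(e["user_agent"]))

RULES = {
    "hash": lambda e: hashlib.sha256(e["payload"]).hexdigest() in KNOWN_SHA256,
    "ip": lambda e: e["dst_ip"] in KNOWN_IPS,
    "domain": lambda e: e["domain"] in KNOWN_DOMAINS,
    "network_artifact": _network_artifact,
}

def evaluate(event: dict) -> dict:
    """Return, per pyramid level, whether that level's rule fires on the event."""
    return {level: rule(event) for level, rule in RULES.items()}

def surviving_levels(events: list) -> list:
    """Levels whose wave-1 rule still fires on every event in the list."""
    return [lvl for lvl in RULES if all(evaluate(e)[lvl] for e in events)]

if __name__ == "__main__":
    for name, wave in (("wave 1", WAVE1), ("wave 2", WAVE2)):
        print(name, evaluate(wave))
    print("rules that survived rotation:", surviving_levels([WAVE1, WAVE2]))
```

Only the network-artifact rule survives the rotation; the hash, IP and domain rules all go quiet the moment the attacker stands up new infrastructure.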



References

Cover image by vectorpocket from Freepik