Samuel Modupe CISSP, CISM, CCNP, CEH Master, COBIT
Cyber Security Engineer | Security Analyst | Advisory
The Pyramid of Pain was first introduced in 2013 by David Bianco. With it, he asserts that not all attack indicators (indicators of compromise) are of equal value: what matters is how much it costs an attacker when a given indicator is denied. He defines the Pyramid of Pain in terms of the difficulty, or "pain", an attacker faces in achieving their objectives once defenders detect and block a particular type of indicator.
Pyramid of Pain gives security teams additional insights into where and how they might be able to investigate attack indicators and use the knowledge gained to build effective defensive capabilities.
Attack indicators refer to any piece of information that points to a certain conclusion (attack or compromise).
The fundamental reason for detecting these indicators is to respond to them in the shortest time possible. The goal is to create pain for the attacker by taking these attack indicators and applying them to your defensive strategy.
The Pyramid of Pain is illustrated by a diagram that relates each type of attack indicator to the pain it causes an attacker when that indicator is denied by security defense systems.
These attack indicators can be classified into two:
- Automation and Traditional Indicators - Hash Values, IP Addresses, Domain Names.
- Behavioral Based Detection - Network/Host Artifacts, Tools, Tactics, Techniques, and Procedures.
The pyramid of pain enumerates six attack indicators that can be used to identify attackers' activities and the level of pain it will cause an attacker when those indicators are denied.
Each level of the Pyramid of Pain is an opportunity for security teams to detect and prevent the various indicators of attack.
Types of Attack Indicators
- Hash Values [Trivial]: Cryptographic hashes (MD5, SHA1, SHA256, etc.) are the most widely used attack indicators in security defense systems such as antimalware and IDS/IPS. Hash values change trivially: any modification to a file, including polymorphic or metamorphic techniques, produces a new hash. Hashes are therefore the least useful type of attack indicator, since an attacker can bypass hash-based defenses simply by changing the file. Circumventing defenses that focus on hash values is trivial for an attacker.
- IP Addresses [Easy]: Though IP addresses still remain the most basic attack indicator, only script kiddies use their own IP addresses during an attack. VPNs, Tor, and anonymous proxies make changing IP addresses spontaneous and effortless to an attacker. The act of pivoting through defensive systems with just IP address restrictions is easy for an attacker.
- Domain Names [Simple]: Domain names are harder to change than IP addresses as they require registration and sometimes a fee. With Dynamic DNS services and domain generation algorithms (DGAs), however, an attacker can automatically rotate domain names through APIs. Circumventing domain name restrictions is simple for an attacker.
- Network/Host Artifacts [Annoying]: These are pieces of activity that distinctively differentiate malicious activity on a network or host from legitimate activity. Artifacts can take the form of URL patterns, command and control (C2) characteristics, registry objects, files and directories, etc. Using threat intelligence to deny network/host artifacts is annoying to an attacker, because each denied artifact forces a change to the tooling that produces it.
- Tools [Challenging]: Most attackers are typically as sophisticated as the tools they use. These tools are usually designed to scan for vulnerabilities, create and execute malicious codes, establish C2 sessions, perform password cracking attacks, etc. Denying the use of the tools based on their signatures or traffic patterns can be challenging to an attacker.
- Tactics, Techniques, and Procedures (TTPs) [Tough]: TTPs are the expression of the attacker's methodology. Tactics describe the attacker's goals and behavior; techniques detail how the attacker carries out those tactics; procedures provide the specific details of how the techniques are used. When attacks are detected and responded to at this level, defense acts directly on the attacker's behavior and not just on their tools. Addressing attacks at the level of TTPs makes it tough for attackers to succeed with their objectives.
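The following Python script is an added illustration of the six levels above; it is not part of the original article and not David Bianco's code. It matches one host/network event against a small set of indicators, one per level, and shows what happens when the attacker rebuilds the payload and moves to a new IP and domain. All indicators, addresses, domains and command lines are constructed for the example (documentation IP ranges, the reserved .example TLD) and are not real IoCs.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


# A host/network event as a sensor might record it (constructed fields).
@dataclass(frozen=True)
class Event:
    payload: bytes      # bytes of the dropped file
    dst_ip: str         # destination of the outbound connection
    dst_domain: str     # domain resolved for that connection
    url_path: str       # path of the HTTP request to the C2
    cmdline: str        # process ancestry / command line seen on the host


# Constructed indicators, one set per level of the pyramid. None are real IoCs.
HASH_IOCS = {hashlib.sha256(b"constructed payload build 1").hexdigest()}
IP_IOCS = {"203.0.113.10"}                 # RFC 5737 documentation range
DOMAIN_IOCS = {"cdn-update.example"}       # reserved .example TLD
# Network artifact: the beacon's URL shape is baked into the tool and survives rebuilds.
ARTIFACT_PATTERNS = [re.compile(r"^/gate\.php\?id=[0-9a-f]{8}$")]
# TTP: a document reader spawning an encoded PowerShell command (behavior, not a file).
TTP_PATTERNS = [re.compile(r"winword\.exe.*powershell(\.exe)?\s+.*-enc", re.I)]


def matched_levels(ev: Event) -> list[str]:
    """Return the pyramid levels whose indicators fire for this event, bottom-up."""
    hits: list[str] = []
    if hashlib.sha256(ev.payload).hexdigest() in HASH_IOCS:
        hits.append("hash")
    if ev.dst_ip in IP_IOCS:
        hits.append("ip")
    if ev.dst_domain in DOMAIN_IOCS:
        hits.append("domain")
    if any(p.search(ev.url_path) for p in ARTIFACT_PATTERNS):
        hits.append("artifact")
    if any(p.search(ev.cmdline) for p in TTP_PATTERNS):
        hits.append("ttp")
    return hits


# Constructed event 1: the intrusion as first observed; every level matches.
FIRST_SIGHTING = Event(
    payload=b"constructed payload build 1",
    dst_ip="203.0.113.10",
    dst_domain="cdn-update.example",
    url_path="/gate.php?id=1a2b3c4d",
    cmdline="winword.exe -> powershell.exe -nop -w hidden -enc AAAA",
)

# Constructed event 2: the same campaign after the attacker rebuilds the payload
# (new hash), switches to a new IP and registers a new domain. The cheap
# indicators no longer match; the artifact and the behavior still do, because
# changing those means rewriting the tool or the playbook.
AFTER_PIVOT = Event(
    payload=b"constructed payload build 2",
    dst_ip="198.51.100.7",
    dst_domain="files-sync.example",
    url_path="/gate.php?id=9f8e7d6c",
    cmdline="winword.exe -> powershell.exe -nop -w hidden -enc BBBB",
)


def coverage_report() -> dict[str, list[str]]:
    """Which levels still detect the campaign before and after the pivot."""
    return {
        "first_sighting": matched_levels(FIRST_SIGHTING),
        "after_pivot": matched_levels(AFTER_PIVOT),
    }


if __name__ == "__main__":
    for name, levels in coverage_report().items():
        print(f"{name}: {levels}")
```

Running it shows the first sighting matching at every level and the post-pivot event matching only at the artifact and TTP levels: the hash, IP and domain indicators were exhausted by changes that cost the attacker almost nothing, while the two higher-level detections held. That is the practical argument for investing detection effort toward the top of the pyramid.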
Even with the advent of threat intelligence in security, having threat intelligence feeds is not the same as using them effectively. The Pyramid of Pain adds value to threat intelligence by showing which indicators are worth the most defensive effort.
The pyramid of pain is the way to go to get optimal value for your threat intelligence and security defense investments.
Reference
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
https://www.linkedin.com/pulse/pyramid-pain-samuel-modupe-cissp-cism-ccnp-ceh-master-cobit/