Pyramid of Pain in Threat Detection

cyb3rdoc · 4 min read · Feb 6, 2023

Organizations face more cyberthreats today than ever before. Their attack surface is larger than it used to be and keeps growing day by day. We need to be more vigilant than ever and make intelligent decisions to detect, prevent and mitigate threats.

Conceptual models like the Pyramid of Pain were developed to help strengthen cybersecurity capabilities. This well-known concept is applied in cybersecurity solutions such as Cisco Security and SentinelOne to improve the effectiveness of cyber threat intelligence, threat detection and incident response. Understanding the concept is an important step in our cybersecurity journey.

Indicator of Compromise

To discuss the Pyramid of Pain, we first need to touch on Indicators of Compromise (IOCs). IOCs are clues or pieces of evidence that suggest a cyberattack has taken place: digital forensic artifacts indicating that an endpoint or network has been breached or compromised.

Pyramid of Pain

[Figure: The Pyramid of Pain]

The Pyramid of Pain is a conceptual model for understanding cybersecurity threats that categorizes IOCs into six levels. David J. Bianco, an information security expert, was the first to formalize this concept in his article “The Pyramid of Pain.”

The Pyramid of Pain is a visual representation of six types of IOCs arranged in ascending order of impact on the threat actor and effort for the security analyst. The six levels are organized by how “painful” it would be for the attacker if the victim discovered the indicator and took action against it. From the bottom to the top of the pyramid, least painful to most painful, they are:

1. Hash Values

A hash value is a software or file “signature” generated by a cryptographic hash function such as SHA-1, SHA-256 or MD5. These hash functions virtually guarantee that no two files will have the same hash value. Hashes are the most common IOCs used in cybersecurity defense systems such as IDS/IPS and antimalware. They are, however, likely the least useful type of IOC, because a threat actor can circumvent hash-based defenses simply by changing the file, and with it the hash value; polymorphic or metamorphic techniques do this automatically. Hence an attacker is largely unconcerned when a hash value is detected.

2. IP Addresses

An Internet Protocol (IP) address is a set of numbers that identifies a computer or other Internet-connected device. Although IP addresses are one of the most common indicators of an attack, only script kiddies use their own IP addresses in an attack. Adversaries use Tor, VPNs and anonymous proxies to change IP addresses effortlessly.

3. Domain Names

A domain name is a text string that uniquely identifies an Internet resource, such as a website or server. Unlike IP addresses, domain names are harder to change, since they must be paid for and registered in advance. Threat actors can, however, change domain names automatically through APIs, dynamic domain name system (DDNS) services and domain generation algorithms (DGAs). Bypassing rules based on domain names is therefore simple for attackers.
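Because a DGA produces names faster than any blocklist can follow, defenders often add a lexical heuristic on top of exact domain matching. The following Python script is an added example, not code from the original post: it scores the registrable label of a domain on character entropy, vowel ratio and longest consonant run, three cheap features that separate pronounceable, human-chosen names from random-looking ones. The sample domains and the thresholds are assumptions constructed for this example.

```python
import math
from collections import Counter
from typing import Dict

# Constructed sample domains for this example (not taken from the original post).
# The first three look human-registered; the last two look like DGA output.
SAMPLE_DOMAINS = [
    "mail.example.com",
    "updates.contoso-corp.net",
    "login.example.org",
    "xk7qpz2vwd9m.info",
    "qwtzvbnjkpl.biz",
]

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text; 0.0 for the empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(domain: str) -> str:
    """Return the label just left of the public suffix, e.g. 'contoso-corp'
    for 'updates.contoso-corp.net'. Assumes a single-label suffix (no .co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(letters: str) -> int:
    """Length of the longest run of consecutive consonants in letters."""
    best = run = 0
    for ch in letters:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_features(domain: str) -> Dict[str, float]:
    """Three cheap lexical features of the registrable label."""
    label = registrable_label(domain)
    letters = "".join(ch for ch in label if ch.isalpha())
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "consonant_run": float(longest_consonant_run(letters)),
    }


def dga_score(domain: str) -> int:
    """Number of DGA-like features that fire (0..3). The thresholds are
    assumptions chosen for this example; tune them on your own DNS traffic."""
    f = dga_features(domain)
    score = 0
    if f["entropy"] > 3.0:        # many distinct characters for the label length
        score += 1
    if f["vowel_ratio"] < 0.25:   # pronounceable words carry more vowels
        score += 1
    if f["consonant_run"] >= 4:   # long unpronounceable consonant clusters
        score += 1
    return score


def is_dga_like(domain: str, threshold: int = 2) -> bool:
    """Flag a domain when at least `threshold` of the three features fire."""
    return dga_score(domain) >= threshold


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:28} score={dga_score(d)} dga_like={is_dga_like(d)}")
```

A heuristic like this is a triage signal, not a verdict: CDN hostnames, hashed tracking subdomains and non-English brands also score high, so the score is best used to prioritize which resolved domains an analyst reviews or to enrich a DNS log, alongside the exact-match domain IOCs the section describes.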

4. Network/Host Artifacts

Artifacts are components of an activity that readily distinguish malicious from legitimate activity on a network or host. Network/host artifacts can take the shape of C2 (command and control) details, URL patterns, folders, files, registry objects and so on. Security teams can use threat intelligence to recognize these artifacts and deny the attacker their use.

5. Tools

Attackers use a variety of software tools and platforms (such as backdoors or password crackers) and keep modernizing them, making them more complex. These tools are typically designed to scan for vulnerabilities, initiate C2 sessions, develop and execute malicious code, crack passwords and perform other tasks. Depriving attackers of their tools, by detecting them through traffic patterns or signatures, is a real setback for them.

6. Tactics, Techniques & Procedures (TTPs)

Everything from the initial entry technique to the means of propagating through the network and exfiltrating data reveals the attacker’s way of operating and allows them to be identified. TTPs are simply an attacker’s methodologies: techniques describe the attacker’s behavior in service of their tactics, while procedures are the concrete ways those techniques are carried out. Attack behavior aids security teams in their investigation of and response to an attack. When attacks are addressed at the level of TTPs, attackers struggle to achieve their goals.
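To make the six levels concrete, here is an added Python example (not code from the original post) that evaluates a sighting against indicators at every level of the pyramid, then evaluates a second sighting of the same campaign after the adversary has rotated the cheap indicators. Every value in it is constructed for the example: the file bytes, the hash derived from them, the IP from a documentation range, the domain, the C2 URL pattern, the registry key, the tool string and the behaviour names. The point it shows is which levels still fire once the hash, IP and domain have changed.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Pyramid levels ordered from least to most painful for the adversary.
LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]


@dataclass(frozen=True)
class Observation:
    """One constructed sighting: a file plus the network/host facts seen around it."""
    content: bytes
    remote_ip: str
    domain: str
    url_path: str
    registry_key: str
    behaviors: FrozenSet[str]


# --- Constructed indicators, one set per pyramid level (not real IOCs) ---
ORIGINAL_CONTENT = b"MZ\x90\x00 constructed-sample CORE-TOOLKIT-v2 cfg=AAAA"
HASH_IOCS = {hashlib.sha256(ORIGINAL_CONTENT).hexdigest()}
IP_IOCS = {"203.0.113.10"}                                    # TEST-NET-3 documentation range
DOMAIN_IOCS = {"cdn-update.example"}
C2_URL_PATTERN = re.compile(r"^/gate\.php\?id=[0-9a-f]{8}$")  # network artifact: C2 URL shape
REGISTRY_IOCS = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"}  # host artifact
TOOL_SIGNATURE = re.compile(rb"CORE-TOOLKIT-v\d+")            # string the tool leaves in its binaries
TTP_RULES = {"office_spawns_shell", "lsass_memory_read"}      # behavioural detections


def match_levels(obs: Observation) -> Dict[str, bool]:
    """Evaluate the observation against the indicators at every pyramid level."""
    digest = hashlib.sha256(obs.content).hexdigest()
    return {
        "hash": digest in HASH_IOCS,
        "ip": obs.remote_ip in IP_IOCS,
        "domain": obs.domain.lower() in DOMAIN_IOCS,
        "artifact": bool(C2_URL_PATTERN.match(obs.url_path))
                    or obs.registry_key in REGISTRY_IOCS,
        "tool": TOOL_SIGNATURE.search(obs.content) is not None,
        "ttp": bool(TTP_RULES & obs.behaviors),
    }


def highest_hit(matches: Dict[str, bool]) -> Optional[str]:
    """The most painful (highest) pyramid level that still matched, or None."""
    for level in reversed(LEVELS):
        if matches[level]:
            return level
    return None


# First sighting: every published indicator matches.
FIRST_SIGHTING = Observation(
    content=ORIGINAL_CONTENT,
    remote_ip="203.0.113.10",
    domain="cdn-update.example",
    url_path="/gate.php?id=0badc0de",
    registry_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk",
    behaviors=frozenset({"office_spawns_shell"}),
)

# Second sighting of the same campaign after the adversary rotated the cheap
# indicators: one config byte differs (new hash), new server IP, new domain.
# The C2 URL shape, persistence key, tool string and behaviour are unchanged.
SECOND_SIGHTING = Observation(
    content=ORIGINAL_CONTENT.replace(b"cfg=AAAA", b"cfg=AAAB"),
    remote_ip="198.51.100.7",
    domain="static-cdn-7.example",
    url_path="/gate.php?id=deadbeef",
    registry_key=FIRST_SIGHTING.registry_key,
    behaviors=FIRST_SIGHTING.behaviors,
)


if __name__ == "__main__":
    for name, obs in (("first", FIRST_SIGHTING), ("second", SECOND_SIGHTING)):
        m = match_levels(obs)
        hits = [lvl for lvl in LEVELS if m[lvl]]
        print(f"{name}: hits={hits} highest={highest_hit(m)}")
```

Running it, the first sighting hits all six levels, while the second hits only artifact, tool and TTP: the three bottom levels were rotated at almost no cost, whereas the URL pattern, persistence key, tool string and behaviour would each require the adversary to rework infrastructure, tooling or tradecraft. That is the pyramid in miniature, and it is why a detection program should measure coverage by the highest level it can match, not by the size of its hash list.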

Implication of Pyramid of Pain

With the advent of threat intelligence, organizations can now leverage threat intelligence feeds; however, many organizations do not utilize them effectively. The Pyramid of Pain improves the effectiveness of threat intelligence by adding value to it: it indicates, from the adversary’s perspective, how difficult each kind of indicator is to change in order to avoid detection, and thus how costly that intelligence is for the defender to obtain. The higher you go in the pyramid as a defender, the more effective your defense. In a nutshell, this concept enables security teams to detect and prevent attacks using the various types of indicators.

Closing Thoughts

Each level of the Pyramid of Pain provides scope for identifying and preventing different kinds of IOCs. The Pyramid of Pain is the best way to get the most out of cybersecurity defense and threat intelligence investments.

Thank you for reading and adding to the knowledge pool. Stay blessed, be healthy and don’t forget to give your valuable comments.
