Once you detect indicators of compromise (IOCs), you need to respond to them. By responding, you prevent threat actors from reusing those IOCs against you. Not all indicators are alike: some are more valuable to an attacker than others. The whole point of detecting attack indicators is to create difficulties for the attacker by feeding those IOCs back into your defensive strategy. The relationship between IOCs and the difficulty attackers face when an IOC is denied to them is best understood through the concept of the Pyramid of Pain.
What is the Pyramid of Pain?
While working on threat hunting and incident response in 2013, security professional David J Bianco came up with the concept of the Pyramid of Pain to improve the practical value of IOCs. The Pyramid of Pain is a representation of six types of attack indicators, arranged in ascending order of both the impact on the threat actor and the effort required of the security analyst. Each level of the pyramid illustrates a different type of IOC you might employ to detect an attacker’s activities. These IOCs are characterized by the amount of pain, or difficulty, they cause the adversary when you deny those IOCs to them.
Significance of Pyramid of Pain
The emergence of threat intelligence has enabled organizations to leverage threat intelligence feeds, yet many organizations do not use them effectively. The Pyramid of Pain adds value to threat intelligence by ranking it: for each indicator type, it shows how hard that intelligence is to obtain and, from the adversary’s standpoint, how hard detection is to avoid once the indicator is in use. This gives security teams comprehensive insight into where they can investigate IOCs and how to leverage the knowledge gained to develop robust defensive capabilities. As a defender, the higher you go in the pyramid, the more effective your defense. In a nutshell, this concept empowers security teams to detect and prevent different types of attack indicators.
Types of Attack Indicators
IOCs can be classified into two categories: automation and traditional indicators, and behavior-based detection indicators. Automation and traditional indicators include hash values, IP addresses, and domain names; behavior-based detection indicators involve network/host artifacts, tools, and tactics, techniques, and procedures (TTPs).
Hash Values
Cryptographic hashes such as SHA1, SHA256, and MD5 are the most commonly used IOCs in cybersecurity defense systems like IDS/IPS, antimalware, and others. Hash values can be altered trivially, for example by employing polymorphic or metamorphic techniques, so they are probably the least beneficial type of IOC: threat actors circumvent hash-based defenses simply by changing the file so that its hash changes. Denying an attacker a particular hash value costs them almost nothing.
IP Addresses
Though IP addresses are one of the most common indicators of attack, only script kiddies use their own IP addresses in an attack. Adversaries use Tor, VPNs, and anonymous proxies to change IP addresses quickly and effortlessly. Defenses that rely solely on IP address restrictions are therefore easy for cybercriminals to bypass.
Domain Names
Unlike IP addresses, domain names are harder to change, as they require payment or prior registration. However, by using dynamic DNS (DDNS) services and domain generation algorithms (DGAs), threat actors can change domain names automatically through APIs. Attackers find bypassing domain-based restrictions relatively easy.
Network/Host Artifacts
Artifacts are the elements of an activity that clearly differentiate malicious from legitimate activity on a network or host. Network/host artifacts can take the form of command and control (C2) information, URL patterns, directories, files, registry objects, and so on. Security teams can leverage threat intelligence to deny these network/host artifacts to an attacker.
Tools
Attackers keep modernizing the tools they use, making them more sophisticated. Typically, these tools are built to scan for vulnerabilities, develop and execute malicious code, initiate C2 sessions, crack passwords, and more. Detecting tools by their traffic patterns or signatures, and so denying attackers their use, puts attackers at a real disadvantage.
Tactics, Techniques, and Procedures (TTPs)
TTPs are simply an attacker’s methodologies. Tactics describe the attacker’s high-level behavior, techniques describe how that behavior is carried out within a tactic, and procedures are the specific implementations of those techniques. Understanding attack behavior helps security teams investigate and respond to an attack, and attackers struggle to fulfill their objectives when defenses address their TTPs.
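To make the cost difference between the hash, artifact and TTP levels concrete, here is an added Python illustration that is not part of the original article: one constructed sample is checked by a hash blocklist, a network-artifact pattern and a TTP rule, then cheaply recompiled, then rebuilt with new C2 infrastructure. The sample bytes, the `/gate.php?id=` URL pattern and the behaviour labels are all constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for a payload: some bytes plus the behaviours it shows
# when it runs. Not real malware, just enough structure to exercise the levels.
@dataclass(frozen=True)
class Sample:
    binary: bytes
    behaviours: frozenset

# Level 1 - hash values: exact-match blocklist on SHA-256.
def hash_detect(sample: Sample, blocklist: set) -> bool:
    return hashlib.sha256(sample.binary).hexdigest() in blocklist

# Level 4 - network/host artifacts: a C2 URL pattern the operator reuses
# across builds (constructed pattern, not a real indicator).
C2_PATTERN = re.compile(rb"/gate\.php\?id=[0-9a-f]{8}")

def artifact_detect(sample: Sample) -> bool:
    return C2_PATTERN.search(sample.binary) is not None

# Level 6 - TTPs: persistence via a run key followed by HTTP beaconing,
# independent of which binary or URL performs it (hypothetical labels).
PERSIST_AND_BEACON = {"registry_run_key_write", "http_beacon"}

def ttp_detect(sample: Sample) -> bool:
    return PERSIST_AND_BEACON <= sample.behaviours

def evaluate(sample: Sample, blocklist: set) -> dict:
    """Run all three detections and report which levels still catch the sample."""
    return {
        "hash": hash_detect(sample, blocklist),
        "artifact": artifact_detect(sample),
        "ttp": ttp_detect(sample),
    }

# The original build, seen once and blocklisted by hash.
BEHAVIOURS = frozenset({"registry_run_key_write", "http_beacon"})
original = Sample(b"MZ..constructed stub.. GET /gate.php?id=deadbeef ..", BEHAVIOURS)
blocklist = {hashlib.sha256(original.binary).hexdigest()}

# Cheap evasion: pad or recompile the binary. Only the hash changes.
recompiled = Sample(original.binary + b"\x00", BEHAVIOURS)

# Costlier evasion: new build and a new C2 URL scheme. Behaviour is unchanged.
new_infra = Sample(b"MZ..new build.. GET /api/v2/sync ..", BEHAVIOURS)

if __name__ == "__main__":
    for name, s in [("original", original), ("recompiled", recompiled), ("new_infra", new_infra)]:
        print(name, evaluate(s, blocklist))
```

Each step up the pyramid forces the attacker to change more of their operation before the detection stops firing, which is the relationship the levels above describe.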
Each level in the Pyramid of Pain provides a scope to identify and prevent different IOCs. Hash values, IP addresses, and domain names can be obtained through micro or commercial threat intelligence feeds, and network and host artifacts can also be observed via micro threat intelligence feeds. Robust security programs, however, can detect and prevent threat actors’ tools and TTPs, which help in predicting attacker behavior. Ultimately, the Pyramid of Pain is the way forward for obtaining optimal value from your cybersecurity defense and threat intelligence investments.