Pyramid of Pain Flashcards
The rising difficulty is what we want to the layout before attackers. Our data is a resource that we work daily to digest and to put into useful intelligence. These resources are also what malicious actors want as well. They want your information and the ability to sit and farm. Luckily, how quickly we respond, and the level of protection given to that resource can help be defined by what is called “The Pyramid of Pain.”
What is it?
The pyramid of pain is a visual representation of the amount of pain we can cause a malicious actor in denying them certain indicators. By that, the base of the pyramid is the lowest amount, near trivial. Each trivial section is wider to indicate the breadth of the room given to those indicators is wide.
Layers Explained
Hash Values
Trivial amounts of pain relate to hash values. They can provide the highest confidence indicators yet are vulnerable to modification by the attack or accidentally by the end-user. By the degree that these can change and how often, these would be the least useful indicators and provide a minimal amount of frustration to an attacker.
IP Address
Stepping up the pyramid, next is IP addresses. Though having a unique address is beneficial, it is not uncommon to change these with VPNs, TOR browsing, or open proxies to reassemble your attack from a different address.
Domain Names
Rising higher we sit on domain names, which can be changed, but require registration and hosting. Many DNS providers do not all have the same standards across the board in terms of legality and restrictions, which can make it fairly easy for an attacker to change domains. Though not as easy as IP addresses, these can be modified with a longer wait time.
Network/Host Artifacts
Network and host artifacts start to provide more difficulty to the attacker once you begin implementing defenses against these tools and methods they are using. This could be determined by finding where directories are commonly created, specific registry values, files, etc. As an example, the Locky spam waves showcased:
different domain names
different IP addresses
different hashes
But, through a three-month campaign, the host artifacts performed the same. Changing the logic in the malware is much harder than changing IP addresses. By signaling out these indicators and stopping them, it creates greater frustration and hurdle for the attacker.
Tools
Tools are hard to change. Carpenters can use a reliable saw for years. The same goes for adversaries attacking your network. Identifying one or more of the tools they are using to distribute attacks and halting their use puts a severe bend in their hose. This requires re-tooling, researching, or building another method to attack. This could also simply force them to move on.
TTPs
Finally, we come to tactics, techniques, and procedures (TTPs). These are not just tools, but these are behavior patterns. You learn their methods by profiling the behavior and responding accordingly, such as spearphishing with PDFs. These attackers are human and act in similar, producible patterns. Forcing them to change their behavior and methods is the most time-consuming defense against them. This requires a reworking of their whole methodology in attacking.
Why Use It?
The purpose of recognizing these indicators is how to best identify weaknesses and mitigate them. Most importantly, it makes the lives of these adversaries harder. Each layer in front of the bad actor helps solidify your response and tune your organization to better prepare and detect and respond to indicators of compromise.
