The Pyramid of Pain may sound like a WWE (World Wrestling Entertainment) move, but it’s actually a model used in threat hunting, incident response, and threat intel.
The model shows how much pain defenders cause to attackers when they deny the use of various types of indicators. It also shows the difficulty of acquiring intel about those indicators.
The closer an indicator type is to the base of the pyramid, the easier (less painful) it is for an attacker to change. For example, it’s trivial for an attacker to change hash values, and easy for them to change IP addresses.
The closer an indicator type is to the base of the pyramid, the easier it is to obtain intel about it.
The closer an indicator type is to the top of the pyramid, the harder (more painful) it is for an attacker to change. For example, it’s challenging for an attacker to change the tools they use, and tough for them to change TTPs (tactics, techniques, and procedures).
The closer an indicator type is to the top of the pyramid, the harder it is to obtain intel about it.
What makes some indicator types more painful for an attacker to change than others?
- The amount of effort required to change them. It’s trivial to change a hash value because changing the data in a file will change the generated hash value. It’s annoying to change network/host artifacts because it requires changing infrastructure.
- How deeply the indicator type is tied to the attacker’s behavior. It’s easy to change IP addresses because an attacker’s identity has little or nothing to do with the IP addresses they use. It’s tough to change TTPs because they’re closely tied to an attacker’s identity (skills, experience, and habits).
How can defenders, including CTI analysts, use the Pyramid of Pain? By focusing defensive efforts on more-painful indicator types (those closer to the top of the pyramid), you can prevent a wider range of attacks. If you focus on less-painful indicator types, you’ll likely miss many attacks, plus you’ll be stuck playing whack-a-mole, as attackers can easily change those.
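To make the whack-a-mole point concrete, here is an added example (not from the original article) that runs three constructed indicators, one each from the bottom, middle, and top of the pyramid, against two constructed telemetry events: the intrusion as first seen, and the same activity after the attacker makes the cheap changes described above (a new file hash and a new IP address). The sample bytes, IP addresses, file paths, and the behavioral rule are all illustrative assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Constructed telemetry record: a process launch and the connection it made."""
    file_bytes: bytes    # content of the executed file
    image_path: str      # where the file was executed from
    dst_ip: str          # destination of the outbound connection
    dst_port: int


# Constructed indicators, one per pyramid level shown here (bottom to top).
MALWARE_SAMPLE = b"MZ\x90\x00constructed-sample-payload"
KNOWN_HASHES = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}
KNOWN_IPS = {"203.0.113.7"}            # RFC 5737 documentation range


def match_hash(event: Event) -> bool:
    """Bottom of the pyramid: exact SHA-256 of the file."""
    return hashlib.sha256(event.file_bytes).hexdigest() in KNOWN_HASHES


def match_ip(event: Event) -> bool:
    """One step up: the address the sample talked to."""
    return event.dst_ip in KNOWN_IPS


def match_ttp(event: Event) -> bool:
    """Top of the pyramid: the behavior, independent of file bytes and address.
    Constructed rule: execution from a temp directory followed by an outbound
    connection on a port that is not a common web port."""
    in_temp = "/tmp/" in event.image_path or "\\temp\\" in event.image_path.lower()
    return in_temp and event.dst_port not in (80, 443)


def detect(event: Event) -> dict:
    """Report which indicator levels fire for this event."""
    return {"hash": match_hash(event), "ip": match_ip(event), "ttp": match_ttp(event)}


# Original intrusion: every level fires.
first_seen = Event(MALWARE_SAMPLE, "/tmp/.cache/updater", "203.0.113.7", 8443)

# Same activity after the cheap changes the article describes: one byte of the
# file altered (new hash) and a new IP address. The behavior is unchanged.
rebuilt = Event(MALWARE_SAMPLE + b"\x00", "/tmp/.cache/updater", "203.0.113.42", 8443)

if __name__ == "__main__":
    for label, ev in (("first_seen", first_seen), ("rebuilt", rebuilt)):
        print(label, detect(ev))
```

The hash and IP indicators stop matching as soon as the attacker makes the trivial changes, while the behavioral rule keeps firing, which is the pyramid's argument in miniature.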
This article’s author, Chad Warner, is seeking a cybersecurity job, preferably in cyber threat intelligence (CTI) or OSINT. Please contact him if you know of any openings.