What is Pyramid of Pain?

Dec 22, 2022


Back again with another blog and with this one I wanted to dive into a topic called "Pyramid of Pain". While doing some studying on THM, I came across the module that speaks about the Pyramid and the importance. In short, the Pyramid of Pain is a well known concept that is applied to several cybersecurity solutions. For today, let's get to the core of what the pyramid is in detail and why analyst will use it.

When working as a SOC you will receive many IOCs (Indicators of Compromise) that will need a response. When you respond you prevent hackers from using the types of IOCs for attacks. The idea behind the detecting the attack indicators is to create difficulties for the attackers by using the IOCs to implement a defensive strategy. It was in 2013 that the concept "Pyramid of Pain" was introduced. This pyramid consist of 6 types of attack IOCs that are characterized by the amount of difficulties they will cause the attacker when you deny them. As a defender, the higher you go in the pyramid, more effective is your defense. This helps security teams to detect and prevent different types of attack indicators. Now having insights about the IOCs, let's speak briefly about the Pyramid in more detail.

Hash Values:

  • A numeric value of fixed length that uniquely identifies data.

  • Security pros usually use the hash values to gain insight into a specific malware sample, malicious or suspicious file, and as a way to uniquely identify and reference the malicious artifact.

  • Great Hash Lookup Tools:

  • 3 Main Parts of Hashing Algorithms:

    • Speed, but also not too quick

    • Change on bit in a hash and you can destroy the whole file.

    • Avoid Hash Collisions. A great reference of this is the "Pigeonhole Principle". Two files cannot have the same hash. Security may be at risk.

  • Common Hash Algorithms:

    • MD5:

    • SHA-1:

    • SHA-2:

    • SHA-3:

IP Addresses: The IP address may be malicious so we can test this with virus total tooling or meta defender as well. Great info to collect for the investigation. The attacker may have a tool to change the IP address leaving insights of many during the investigation. If you know about IP addresses how I've learned, you know that this can give much info. A tool that many attackers will use is something called Fast Flux. It allows them to have multiple IP addresses for a domain. It's used by botnets to hide phishing, web proxying, malware delivery and communication activities compromised by hosts acting as proxies.

Domain Names: Attackers will use domain names to attack by compromising subdomains of the top domain. Unlike IP Address, domain names are difficult to change, but attackers will use DDNS and DGAs to modify them with APIs. This allows domain name regulations to be bypassed. Attackers will also use URL shorteners to redirect to a specific website. When providing defense, you can detect them by using proxy logs or server logs. An example of a URL Shortener tool would be : bit.ly, ow.ly, or even a site called tinyurl.com.

Network and Host Artifacts: When an attacker tries to perform malicious activity they may leave traces on the system. Traces may be things like registry values, attack patterns. This could be leverage for security teams because they can refute network/host artifacts to an attacker.

Tools: Many tools these days are becoming very powerful and detailed. These tools can do several things from scanning bugs to making malicious codes. Depending on the traffic patterns, you can detect the tooling being used having the attacker not to use it. Most attackers may try to use the same tool multiple times because it worked on other systems. Keeping afloat of the tools that are within the industry is very important so you can know how to defend.

TTPs: On the top of the pyramid is the Tactics, Techniques, and Procedures (TTPs). Learning the methodologies of an attacker helps security teams investigate and respond to an attack. Once you know how the attacker thinks and maneuver, the struggle will occur on their end.

Enjoy this post?
Buy Orion3000 a coffee
Sign up or Log in to leave a comment.