Elevate your Threat Detections using the Almighty Pyramid of Pain

Hey friend, welcome back!

Today we will be taking a look at “The Pyramid of Pain” and how you can make bad guys cry.

The pyramid is an illustration that shows how some IOCs (Indicators of Compromise) are more difficult for an adversary to change than others. Its creator, David J Bianco, claims that denying the adversary certain indicators causes them a greater loss (more pain) than denying them others. Because of this, a defender should aim to target the indicators that cause a greater loss to the adversary. This loss is the time it would take an adversary to reproduce the IOC. The pyramid has become a cornerstone of many Cyber Threat Intelligence (CTI) teams and platforms, with its use guiding many security architects in their deployment of security solutions.

To understand the pyramid, and why it is so important, we must first consider what an IOC is and how they are used by defenders.

According to CrowdStrike an IOC is “a piece of digital forensics that suggests that an endpoint or network may have been breached” and these clues can aid a security professional in determining if the malicious activity has occurred. A defender will use IOCs in three ways:

• They will use an IOC to determine if an endpoint or network has been compromised. This happens during Digital Forensic Investigation & Response (DFIR) operations, where a DFIR team will search through log files and machines looking for indicators of a compromise.
• They will use an IOC to block the “known” bad from interacting with their endpoints and networks. For instance, if they know a certain IP address is associated with a ransomware campaign then they will block it from connecting to their external servers. This was how traditional Anti-Virus (AV) products worked. They had a long list of hashes that were known to be malicious and would block files with this hash from executing on a machine.
• They will use an IOC to perform IOC-based hunting. This form of threat hunting involves ingesting a threat intelligence report, which contains the latest IOCs threat intelligence vendors are seeing infecting or targeting environments, and then actively searching for these IOCs in their estate.