
By:
CSIRT Team


Pyramid of Pain in practice

Cybersecurity is a field that faces constant challenges and evolving threats. In this context, there are tools and methodologies that help us understand and combat these threats. One such conceptual tool is David Bianco's Pyramid of Pain, a concept that has "revolutionized" the way cybersecurity professionals prioritize threat responses. In this post, we will explore in detail what the Pyramid of Pain is, and some ideas for putting it into practice.

Introduction to the Pyramid of Pain

The Pyramid of Pain is a conceptual framework introduced by David Bianco in 2013. This pyramid ranks different types of indicators of compromise (IoCs) according to the "pain" they cause adversaries when we use them to detect and block their malicious activities. The idea is that the more "painful" an indicator is for an adversary, the more effective it is for us as defenders.


Structure

The Pyramid is structured in five levels, each representing a different type of IoC:

Hash Values: At the base of the pyramid, we find the hash values, which are easy to use, but also the simplest for an adversary to modify.

IP Addresses: The next level includes IP addresses. Although they are a bit more difficult to change than hashes, they are still relatively easy for attackers to alter.

Domain Names: Domain names are more complex for adversaries to manage, as changing a domain may require more effort and resources.

Network/Host Artifacts: This level includes network or host artifacts, such as specific traffic patterns or anomalous configuration files, which are more difficult to mimic or change without affecting the operation of the malware.

Tools and TTPs (Tactics, Techniques, and Procedures): At the top of the pyramid, we find the tools and TTPs. These are the most difficult indicators for adversaries to modify, since they involve changing their attack methods and strategies.

The Pyramid of Pain helps us understand not only how to detect threats, but also how our actions impact attackers. By focusing on the indicators that are higher up the pyramid, we can increase the operational cost to adversaries, forcing them to invest more time, resources and effort in their attacks. This not only improves our defense posture, but also reduces the frequency and severity of attacks.

Practical application of the Pyramid

This is more than a theoretical framework; it is a practical guide that can transform any organization's security strategy. Let's look at how we can apply each level of this pyramid to improve threat detection and response.

Starting at the Base: Hashes

Different tools collect and generate lists of hash values of files that we consider malicious (or have confirmed to be). External sources such as VirusTotal or malware databases can be useful here. Many security tools, such as antivirus products and EDRs, are good at automatically comparing the hashes of files on your systems against a list of known hashes, and hashes are typically built into the response process so that matches are blocked. Most react automatically when they detect a file with a malicious hash by deleting or quarantining it, or, in the case of network devices, by blocking the connection.

Among the limitations of this method, we know that attackers can easily modify their malware to produce a different hash. So although hash matching is essential and fast, its effectiveness in isolation is limited.
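As an added illustration (not code from the original post), the check below hashes a constructed sample against a constructed SHA-256 block list, then shows why the post calls this indicator the easiest for an adversary to change: a single appended byte produces a different digest and the exact-match check no longer fires. The sample bytes, the block list and the function names are assumptions.

```python
import hashlib

# Constructed stand-in for a file that has been confirmed malicious (not real malware).
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-sample-for-illustration-only"

# Constructed block list: SHA-256 digests of confirmed-malicious files, the kind of
# list an antivirus or EDR compares file hashes against. Here it holds one entry.
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def is_blocklisted(data: bytes, blocklist: set[str] = HASH_BLOCKLIST) -> bool:
    """Hash-level indicator: an exact match of the file digest against the list."""
    return sha256_of(data) in blocklist


def trivially_modified(data: bytes) -> bytes:
    """Model the cheapest change the post describes: one byte of trailing padding,
    which changes the digest without touching what the file does."""
    return data + b"\x00"


def evaluate_hash_indicator() -> dict:
    """Run the original and the padded copy through the check and report both."""
    modified = trivially_modified(KNOWN_BAD_SAMPLE)
    return {
        "original_detected": is_blocklisted(KNOWN_BAD_SAMPLE),  # exact digest match
        "modified_detected": is_blocklisted(modified),          # same file, new digest
        "original_sha256": sha256_of(KNOWN_BAD_SAMPLE),
        "modified_sha256": sha256_of(modified),
    }


if __name__ == "__main__":
    for key, value in evaluate_hash_indicator().items():
        print(f"{key}: {value}")
```

The two digests differ completely even though the byte content differs by one trailing byte; that is the property that makes a hash a precise indicator and, at the same time, a fragile one.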

Taking it up a notch: IP addresses

Lists of malicious IPs can keep us aware of malicious activity and let us block it at firewalls and other entry points, even from a browser plug-in.

A more "analytical" use of this technique is to load the lists into a SIEM and analyze traffic patterns to and from these external IPs. During an incident, these IP addresses represent external nodes that our assets should not be connecting to; even if they are not previously known addresses, we consider them malicious in the context of that incident and can block them. In these cases, they will always be IP addresses that were detected and correlated with other compromise signals from threat detection.

We know that, although it takes more than flipping a bit, the IPs used by an adversary can change. There is a combination of strategies that determine both when to add an IP to the block list as malicious and the right time to remove it from that list.
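An added example (not from the original post) of the two ideas in this section: a SIEM-style pass that correlates constructed firewall log lines against an IP block list, and an ageing rule that decides when an entry leaves the list. The log format, the entries, the TTL values and the rule that an IP stays blocked while sightings keep refreshing its last_seen are all assumptions; the addresses are documentation ranges.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed firewall log (documentation address ranges; not a real capture).
FIREWALL_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2024-05-01T10:00:02Z src=10.0.0.5 dst=198.51.100.20 dport=443 action=allow
2024-05-01T10:05:13Z src=10.0.0.9 dst=203.0.113.7 dport=8443 action=allow
2024-05-01T10:07:41Z src=10.0.0.12 dst=192.0.2.44 dport=80 action=allow
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z, as the constructed log writes it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class BlockEntry:
    ip: str
    source: str                 # "feed" (threat-intel list) or "incident" (seen during a case)
    first_seen: datetime
    last_seen: datetime
    ttl_days: int               # days the entry survives without a new sighting
    sightings: list = field(default_factory=list)   # internal sources that reached it

    def is_active(self, now: datetime) -> bool:
        """Ageing rule (an assumption): stay blocked while sightings keep refreshing
        last_seen; drop off once the TTL passes in silence."""
        return now - self.last_seen <= timedelta(days=self.ttl_days)


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = parse_ts(ev["ts"])
            events.append(ev)
    return events


def correlate(events: list[dict], blocklist: dict[str, BlockEntry]) -> list[dict]:
    """SIEM-style pass: connections whose destination is listed, refreshing the
    entry's last_seen so the ageing rule keeps a still-active IP on the list."""
    hits = []
    for ev in events:
        entry = blocklist.get(ev["dst"])
        if entry is None:
            continue
        entry.last_seen = max(entry.last_seen, ev["ts"])
        entry.sightings.append(ev["src"])
        hits.append(ev)
    return hits


def prune(blocklist: dict[str, BlockEntry], now: datetime) -> dict[str, BlockEntry]:
    """Drop entries whose TTL has expired since their last sighting."""
    return {ip: e for ip, e in blocklist.items() if e.is_active(now)}


def build_sample_blocklist() -> dict[str, BlockEntry]:
    t0 = parse_ts("2024-04-01T00:00:00Z")
    return {
        "203.0.113.7": BlockEntry("203.0.113.7", "incident", t0, t0, ttl_days=30),
        "198.51.100.20": BlockEntry("198.51.100.20", "feed", t0, t0, ttl_days=7),
        "192.0.2.99": BlockEntry("192.0.2.99", "feed", t0, t0, ttl_days=7),
    }


def run_cycle(now_iso: str = "2024-05-03T00:00:00Z") -> tuple[list[dict], dict[str, BlockEntry]]:
    """One review cycle: correlate the log against the list, then age the list."""
    blocklist = build_sample_blocklist()
    hits = correlate(parse_log(FIREWALL_LOG), blocklist)
    return hits, prune(blocklist, parse_ts(now_iso))


if __name__ == "__main__":
    hits, active = run_cycle()
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['src']} -> {h['dst']}:{h['dport']} (listed)")
    print("still blocked:", sorted(active))
```

With the sample data, the feed entry that was never seen (192.0.2.99) ages out after its 7-day TTL, while the two addresses that internal hosts actually reached stay on the list; run the cycle with a later "now" and the feed address drops off as well, while the incident-derived entry with its longer TTL remains.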

Beyond the Basics: Domain Names

Each device communicates with the outside world, typically using a domain name, and this is where DNS-level blocking can prevent systems from reaching domains known to host malicious content. In this case (as in the previous one) we can feed our block lists from threat intelligence feeds, so that we have up-to-date information on malicious domains that we can apply in real time.

As with IPs, anything already recognized as malicious can be blocked at the right time; beyond that, looking for unusual patterns, or for the randomly generated domains used by many types of malware, can add special value to detection.
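An added example (not code from the original post) of the two detection layers described here, run over a constructed DNS query log: a block-list match that also covers subdomains of a listed name, and a few heuristics for randomly generated labels (entropy, vowel ratio, digit ratio). The log format, the block list, the thresholds and the domain names are assumptions; the ".example" names use a reserved TLD.

```python
import math
import re

# Constructed DNS query log (resolver-style lines); clients and names are illustrative.
DNS_LOG = """\
2024-05-01T10:00:00Z client=10.0.0.5 query=www.example.com type=A
2024-05-01T10:00:01Z client=10.0.0.5 query=files.jsdlvr.example type=A
2024-05-01T10:00:03Z client=10.0.0.9 query=xk3f9qz7lw2mvb8.net type=A
2024-05-01T10:00:04Z client=10.0.0.9 query=qwhjdkfplzxcvbnmtr.com type=A
2024-05-01T10:00:05Z client=10.0.0.12 query=cdn.bad-domain.example type=A
"""

# Constructed threat-intel entry: a domain already confirmed malicious.
DOMAIN_BLOCKLIST = {"bad-domain.example"}

LINE = re.compile(r"client=(?P<client>[\d.]+) query=(?P<query>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registrable_label(domain: str) -> str:
    """Label just left of the TLD ('example' in www.example.com). Simplification:
    a real deployment would consult the Public Suffix List for names like co.uk."""
    labels = domain.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def in_blocklist(domain: str, blocklist: set[str] = DOMAIN_BLOCKLIST) -> bool:
    """Match the name itself or any parent domain, on label boundaries only."""
    labels = domain.rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def looks_generated(label: str) -> list[str]:
    """Heuristics for DGA-style labels. Thresholds are illustrative assumptions:
    short labels are exempt so that terse but legitimate names are not flagged."""
    reasons = []
    n = len(label)
    if n == 0:
        return reasons
    vowel_ratio = sum(c in "aeiou" for c in label) / n
    digit_ratio = sum(c.isdigit() for c in label) / n
    if n >= 12 and shannon_entropy(label) >= 3.5:
        reasons.append("high_entropy")
    if n >= 10 and vowel_ratio < 0.15:
        reasons.append("few_vowels")
    if digit_ratio >= 0.3:
        reasons.append("many_digits")
    return reasons


def analyze_dns_log(text: str = DNS_LOG) -> list[dict]:
    """Return the queries worth a look: block-listed names plus DGA-like ones."""
    flagged = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        query = m["query"]
        reasons = looks_generated(registrable_label(query))
        if in_blocklist(query):
            reasons.insert(0, "blocklist")
        if reasons:
            flagged.append({"client": m["client"], "query": query, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in analyze_dns_log():
        print(hit)
```

The block list catches cdn.bad-domain.example through its parent, while the two random-looking names are flagged by the heuristics alone; the short vowel-less label jsdlvr passes because the length guards keep the heuristics from firing on it.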

Network and Host Artifacts

Implementing endpoint monitoring solutions that can identify and respond to malicious artifacts such as PowerShell scripts, anomalous scheduled tasks, or suspicious system configuration changes will give us a broader view from the endpoints.

We can develop automatic response playbooks in the orchestration tools to react quickly to the detection of any malicious artifact. From blocking, to collecting logs to analyze the situation.

Artifacts can vary considerably between different attacks, requiring an advanced knowledge base and detection tools.

At the Top: Tools and TTPs

Here we start to see elements that come from threat modeling: using frameworks such as MITRE ATT&CK to model the tactics, techniques and procedures used by adversaries helps us understand how to approach protection.

Here, attack simulation exercises (red team) not only allow us to test the effectiveness of controls, but also of the associated detection for each case.
Training the various teams in charge of detection will enable them to recognize and respond to TTPs, and complement the layers defined at lower levels of the pyramid.

It is true that this is the most "sophisticated" layer of the pyramid and requires a proactive approach and a high level of expertise, but it is also the level that causes adversaries the most pain to modify; in some cases it cannot be modified at all, since it depends entirely on the assets involved.
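An added example (not code from the original post) that ties the artifact level to the TTP level described in the two sections above: a small rule engine runs over constructed process-creation events for the artifact classes the post names (PowerShell command lines, scheduled tasks, configuration changes), each rule is tagged with the MITRE ATT&CK technique it covers so that coverage can be reported per technique, and the alerts feed a playbook that chooses between collecting logs and isolating a host. The event fields, rule logic, playbook actions and sample values are assumptions; the three technique IDs are the ATT&CK entries for PowerShell, Scheduled Task and Registry Run Keys.

```python
import ntpath
from dataclasses import dataclass
from typing import Callable

# Constructed process-creation events, shaped like what an EDR or Sysmon forwards
# (host, image path, command line). Values are illustrative, not a real capture.
EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand QQBBAEEA"},   # placeholder blob
    {"host": "ws-01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\Users\alice\AppData\Local\Temp\u.exe"},
    {"host": "ws-02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Svc /t REG_SZ /d C:\Users\bob\x.exe"},
    {"host": "ws-03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},        # benign admin script
    {"host": "ws-03", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /Query /TN Backup"},                         # benign query
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                      # MITRE ATT&CK technique ID the rule covers
    response: str                       # playbook action when the rule fires
    predicate: Callable[[dict], bool]


def _image(event: dict) -> str:
    return ntpath.basename(event["image"]).lower()


def _cmd(event: dict) -> str:
    return event["cmdline"].lower()


RULES = [
    Rule("PowerShell launched with an encoded command", "T1059.001", "collect_logs",
         lambda e: _image(e) == "powershell.exe" and "-encodedcommand" in _cmd(e)),
    Rule("Scheduled task created to run from a user-writable path", "T1053.005", "isolate_host",
         lambda e: _image(e) == "schtasks.exe" and "/create" in _cmd(e)
         and ("\\users\\" in _cmd(e) or "\\temp\\" in _cmd(e))),
    Rule("Run key modified via reg.exe", "T1547.001", "isolate_host",
         lambda e: _image(e) == "reg.exe" and " add " in _cmd(e)
         and "currentversion\\run" in _cmd(e)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    technique: str
    response: str


def run_rules(events: list[dict], rules: list[Rule] = RULES) -> list[Alert]:
    """Evaluate every rule against every event; one alert per (event, rule) match."""
    return [Alert(e["host"], r.name, r.technique, r.response)
            for e in events for r in rules if r.predicate(e)]


def coverage(rules: list[Rule] = RULES) -> dict[str, int]:
    """How many rules cover each ATT&CK technique (the TTP-level view)."""
    cov: dict[str, int] = {}
    for r in rules:
        cov[r.technique] = cov.get(r.technique, 0) + 1
    return cov


def playbook(alerts: list[Alert]) -> dict[str, list[str]]:
    """Actions per host: every alert collects logs; some rules also isolate."""
    actions: dict[str, set] = {}
    for a in alerts:
        actions.setdefault(a.host, {"collect_logs"}).add(a.response)
    return {host: sorted(acts) for host, acts in actions.items()}


if __name__ == "__main__":
    alerts = run_rules(EVENTS)
    for a in alerts:
        print(f"{a.host}: {a.rule} [{a.technique}] -> {a.response}")
    print("coverage:", coverage())
    print("playbook:", playbook(alerts))
```

The two ws-03 events show the point of writing rules around behaviour rather than around a program name: PowerShell and schtasks are used legitimately on that host and neither rule fires, while the same binaries with the artifacts the rules describe raise alerts on ws-01 and ws-02. The coverage map is the bridge to the top of the pyramid: it shows, per ATT&CK technique, where detections exist and where a red team exercise should be expected to go unnoticed.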

Conclusion

Understanding the implementation of David Bianco's Pyramid of Pain is key to feeding the internal protection strategy. It provides a basis for prioritizing threat detection and response. By focusing on elevating the 'pain' for the adversary at each level of the pyramid, we not only improve defense, but may also force an attacker to reconsider their objectives, potentially diverting them to less protected targets. Applying these principles requires a commitment to continuous improvement.