Pyramid Of Pain

The model that categorizes the difficulty and impact of various threat indicators and their detection or mitigation.

Introduction

In 2013, security expert David J. Bianco introduced the concept of the Pyramid of Pain to enhance the practicality of attack indicators, with a specific focus on incident response and threat hunting.

The Pyramid serves as a tool to evaluate the potential role of threats and assess the challenge in acquiring such intelligence while avoiding detection, from an adversary's perspective. The height of the pyramid correlates with the resilience of our defenses.

So, what exactly is the Pyramid of Pain?

This pyramid comprises six distinct attack indicators that enable the detection of malicious actions and, when effectively mitigated, can gauge the extent of discomfort an attacker may experience. Each level within the Pyramid of Pain presents an opportunity for security teams to identify and thwart various attack indicators.

Pyramid of Pain Levels

One way to categorize indicators is with this pyramid, which shows how much pain it causes the adversary when indicators at each level are identified and alerted upon.

Hash Values (Trivial)

Hashes are easy to alert upon with high confidence. They are also easy to change, and therefore they cause a trivial amount of pain.

The hash value is a numeric value of a fixed length that uniquely identifies any data.

The most common hashing algorithms include:

  • MD5 (Message-Digest Algorithm): The algorithm takes as input a message of arbitrary length and produces as output a 128-bit (16-byte) "fingerprint" or "message digest" of the input, typically represented as 32 hexadecimal digits.

╭─w43l@w43l ~ 
╰─$ echo md5_algorithm | md5sum
229a212ee7d605fc9d9c10e8a5931e49

  • SHA-1 (US Secure Hash Algorithm 1): SHA-1 computes a condensed representation of a message or a data file. When a message of any length < 2^64 bits is input, SHA-1 produces a 160-bit output called a message digest, typically rendered as 40 hexadecimal digits.

╭─w43l@w43l ~ 
╰─$ echo sha1_algorithm | sha1sum
a91381dba2471117f8aab9292672a94ed432fb03  -

  • SHA-2 (US Secure Hash Algorithm 2): SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits. SHA-256 and SHA-512 are novel hash functions computed with eight 32-bit and 64-bit words, respectively.

╭─w43l@w43l ~ 
╰─$ echo sha2_algorithm | sha256sum 
f37f36c9d5f7274bfdeef4c287494bb670dff17f1b7249e83a8f8cfd2402f4ab  -    

Note:

A hash function is not considered cryptographically secure if two different files can have the same value or digest. Therefore, we use hash values to gain insight into a specific malware sample or a malicious or suspicious file, and as a way to uniquely identify and reference the malicious artifact.

IP Address (Easy)

Changing an IP address is more difficult than changing a hash; however, most adversaries have disposable infrastructure and can change the IP addresses of their hop points and C2 (Command & Control) nodes once they are compromised.

In the Pyramid of Pain, IP addresses are shown in green. You may ask why, and what the green color signifies.

The answer is that, from a defense standpoint, knowing the IP addresses an adversary uses can be valuable. A common defense tactic is to block, drop, and/or deny inbound requests from those IP addresses on the internal network or external firewall. This tactic is often not bulletproof, as it's trivial for an experienced adversary to recover simply by using a new public IP address.

One of the ways an adversary can make it challenging to successfully carry out IP blocking is by using Fast Flux. (You can visit the Palo Alto blog for more explanation: https://unit42.paloaltonetworks.com/fast-flux-101/)

The following is an example of a C2 connection made by a piece of malware, found and analyzed by app.any.run:

Domain Names (Simple)

This could be either a domain name itself (e.g., "evil.net") or maybe even a sub- or sub-sub-domain (e.g., "this.is.sooooo.evil.net").

In the Pyramid of Pain, the color changes from green to teal at the domain-name level. This is because domain names can be a little more of a pain for the attacker to change, as they would most likely need to purchase a domain, register it, and modify its DNS records.
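
To make the three lowest levels concrete, the following added example (not part of the original page) triages a mixed indicator feed: it recognises hashes by the digest lengths given above, IP addresses, and domains, and sorts them so the indicators that are hardest for the adversary to change come first. The function names, the handling of defanged indicators, and the sample feed are assumptions made for illustration.

```python
import ipaddress
import re

# Pyramid levels as named on this page, lowest pain first.
PAIN = {"hash": (1, "Trivial"), "ip": (2, "Easy"), "domain": (3, "Simple")}
# Hex digest lengths from the hash section: MD5=32, SHA-1=40, SHA-256=64.
HASH_LEN = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(raw):
    """Undo common defanging (evil[.]net, hxxp://) and drop scheme and path."""
    s = raw.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://|^https?://", "", s)
    return s.split("/")[0]


def classify(raw):
    """Return (kind, detail, level, label), or None if unrecognised."""
    s = refang(raw)
    if re.fullmatch(r"[0-9a-f]+", s) and len(s) in HASH_LEN:
        return ("hash", HASH_LEN[len(s)]) + PAIN["hash"]
    try:
        ip = ipaddress.ip_address(s)
        return ("ip", f"IPv{ip.version}") + PAIN["ip"]
    except ValueError:
        pass  # not an IP address, try domain next
    if DOMAIN_RE.match(s):
        return ("domain", s) + PAIN["domain"]
    return None


def triage(indicators):
    """Sort recognised indicators so the hardest-to-change come first."""
    rows = [(raw, classify(raw)) for raw in indicators]
    return sorted((r for r in rows if r[1]), key=lambda r: -r[1][2])


# Constructed sample feed: the MD5 is the digest shown above, the rest is made up.
FEED = ["229a212ee7d605fc9d9c10e8a5931e49", "203.0.113.10",
        "this.is.sooooo.evil[.]net", "hxxp://evil.net/a/b", "not-an-indicator"]

if __name__ == "__main__":
    for raw, (kind, detail, level, label) in triage(FEED):
        print(f"{level} {label:8} {kind:6} {detail:26} {raw}")
```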

The following is an example from app.any.run

Host Artifacts (Annoying)

Observables caused by adversary activities on one or more of your hosts. Again, we focus on things that would tend to distinguish malicious activities from legitimate ones. They could be registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names, names or descriptions of malicious services, or almost anything else that's distinctive, such as files modified or dropped by a malicious actor.

Network Artifacts (Annoying)

Observables caused by adversary activities on your network. Technically speaking, every byte that flows over your network as a result of the adversary's interaction could be an artifact, but in practice this really means those pieces of the activity that might tend to distinguish malicious activity from that of legitimate users. Typical examples might be URI patterns, C2 information embedded in network protocols, distinctive HTTP User-Agent or SMTP Mailer values, etc.
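
The added example below (not from the original page) runs four kinds of indicator over a few proxy log lines to show why network artifacts sit higher on the pyramid than IP addresses and domains: once the adversary rotates infrastructure, only the URI pattern and User-Agent rules still fire. The log format, the "UpdaterSvc/1.0" User-Agent, the URI pattern, and all addresses are constructed for illustration.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "line_no host reasons")

# Constructed proxy log (dest IP, Host, request, User-Agent); all values made up.
# Log lines 3-4 are the same implant after its IP address and domain were rotated.
LOG = '''\
2024-01-05T10:00:01Z 198.51.100.7 intranet.example "GET /index.html" "Mozilla/5.0 (X11; Linux x86_64)"
2024-01-05T10:00:09Z 203.0.113.10 evil.net "POST /api/v1/sync?id=7f3a9c21" "UpdaterSvc/1.0"
2024-01-06T08:12:44Z 203.0.113.77 cdn-static.example "POST /api/v1/sync?id=7f3a9c21" "UpdaterSvc/1.0"
2024-01-07T23:40:02Z 192.0.2.55 news-feed.example "POST /api/v1/sync?id=02bd11e0" "UpdaterSvc/1.0"
'''
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\S+) (\S+)" "([^"]*)"$')

# Lower-pyramid indicators, as known when the first sample was analysed.
BLOCKED_IPS = {"203.0.113.10"}
BLOCKED_DOMAINS = {"evil.net"}
# Network artifacts (hypothetical): request URI shape and a distinctive User-Agent.
URI_RE = re.compile(r"^/api/v1/sync\?id=[0-9a-f]{8}$")
BAD_USER_AGENTS = {"UpdaterSvc/1.0"}


def detect(log_text):
    """Return a Hit for every log line matching at least one indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        _ts, ip, host, _method, uri, ua = m.groups()
        checks = [
            ("ip", ip in BLOCKED_IPS),
            ("domain", host.lower() in BLOCKED_DOMAINS),
            ("uri", bool(URI_RE.match(uri))),
            ("user-agent", ua in BAD_USER_AGENTS),
        ]
        reasons = [name for name, matched in checks if matched]
        if reasons:
            hits.append(Hit(n, host, reasons))
    return hits


if __name__ == "__main__":
    for hit in detect(LOG):
        print(hit.line_no, hit.host, ",".join(hit.reasons))
```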

Tools (Challenging)

Software used by the adversary to accomplish their mission. Mostly this will be things they bring with them, rather than software or commands that may already be installed on the computer. This would include utilities designed to create malicious documents for spearphishing, backdoors used to establish C2 or password crackers or other host-based utilities they may want to use post-compromise.

TTPs (Tough)

How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between. "Spearphishing" is a common TTP for establishing a presence in the network. "Spearphishing with a trojaned PDF file" or "... with a link to a malicious .SCR file disguised as a ZIP" would be more specific versions. "Dumping cached authentication credentials and reusing them in Pass-the-Hash attacks" would be a TTP. Notice we're not talking about specific tools here, as there are any number of ways of weaponizing a PDF or implementing Pass-the-Hash.

Conclusion

In summary, the Pyramid of Pain provides a structured approach to assessing and mitigating cyber threats, from easily detectable indicators like hash values to more resilient elements such as tactics and techniques. This framework enhances our understanding of security challenges and guides effective threat detection and defense strategies in an ever-evolving digital landscape.
