Security researcher David Bianco came up with an approach titled the Pyramid of Pain, which outlines how to cause adversaries the most difficulty when attacking your network. Each of the six layers represents a different approach you can take, starting with the simplest and working your way up to the most difficult.
For instance, at the base of the pyramid are hashes. Files bearing known malicious hashes are simple to detect, but just as simple for the attacker to replace. The same goes for IP addresses, although these take a little more work, both for you to find and for the attacker to replace, hence their smaller piece of the pyramid. Domains are a little harder, network artifacts harder still, and so on up the pyramid.
Source: David J. Bianco, personal blog
The goal of your threat hunting exercise should be to uncover an attacker’s tactics, techniques, and procedures (TTPs). These are the most valuable indicators because they are hard for the attacker to replace. They are also often the most difficult and time-consuming to identify, mainly because doing so requires comparing data points from different data sets and making connections where the relationship isn’t apparent at first.
The trick is that, as you go up the pyramid, you force adversaries to spend more resources attacking your network, which makes the attack more difficult and increases the chances that they will be caught doing so. The ultimate goal of the Pyramid of Pain is that, by following its principles, your network becomes so challenging to hack that the attackers move on to other, simpler targets.
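As an added illustration (not code from Bianco's post or from this page), the following Python script runs one hash, one IP, one domain and one TTP rule over two constructed telemetry events: the original intrusion, and the same procedure a week later after the attacker has swapped out the cheap indicators. The telemetry schema, hostnames, hashes, addresses and domains are all made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One endpoint telemetry record (constructed schema, not a real EDR format)."""
    host: str
    parent: str       # parent process image name
    process: str      # child process image name
    sha256: str       # hash of the child image (constructed placeholder)
    dest_ip: str      # outbound connection made by the child, "" if none
    dest_domain: str

# Atomic indicators harvested from a prior incident (constructed placeholders).
BAD_HASHES = {"deadbeef00000001"}
BAD_IPS = {"203.0.113.10"}
BAD_DOMAINS = {"update-check.example"}

# Bottom layers of the pyramid: exact matches on things the attacker can swap
# cheaply (rebuild the binary, rent a new server, register a new domain).
def match_hash(e: Event) -> bool:
    return e.sha256 in BAD_HASHES

def match_ip(e: Event) -> bool:
    return e.dest_ip in BAD_IPS

def match_domain(e: Event) -> bool:
    return e.dest_domain in BAD_DOMAINS

# Top layer: a TTP. An Office application spawning a scripting host that then
# talks to the network describes the adversary's procedure, not one build of
# their tooling, so the rule survives every indicator swap below it.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}

def match_ttp(e: Event) -> bool:
    return (e.parent.lower() in OFFICE_APPS
            and e.process.lower() in SCRIPT_HOSTS and e.dest_ip != "")

LAYERS = [("hash", match_hash), ("ip", match_ip),
          ("domain", match_domain), ("ttp", match_ttp)]

def detections(events):
    """Names of the pyramid layers whose rule fires on at least one event."""
    return {name for name, rule in LAYERS for e in events if rule(e)}

# Week 1: the original intrusion; every layer fires.
WEEK1 = [Event("ws01", "WINWORD.EXE", "powershell.exe", "deadbeef00000001",
               "203.0.113.10", "update-check.example")]
# Week 2: same procedure, recompiled payload, new server and domain; only TTP fires.
WEEK2 = [Event("ws07", "EXCEL.EXE", "wscript.exe", "cafef00d00000002",
               "198.51.100.77", "cdn-sync.example")]
```

Running `detections` over each week shows the asymmetry the pyramid describes: the three indicator-level rules are blind to the second intrusion, while the TTP rule still fires.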