RADICL Blog

Pyramid of Pain - You Can't Tie Your Shoes That Way

Written by Josh Shepard | 2024 | 07

The Pyramid of What?? 

The Pyramid of Pain is a conceptual model created by David Bianco in 2013 that helps detection engineers and analysts understand how to best use threat intelligence to halt threat actors. This model breaks indicators of compromise into 6 distinct categories and stacks them in the shape of a pyramid as shown below: 

Each layer of the pyramid represents a category of indicator that is present when a threat actor attacks an environment and, as such, something you can detect. Furthermore, as you ascend the pyramid you will notice that layers become smaller and closer to red. This is deliberate because the higher up the pyramid you go, the more difficult it is for the threat actor to change that indicator of compromise and avoid detection. In other words, if you can build detections based on the top levels of the pyramid then it becomes much more painful for a threat actor to move undetected.  

Breaking it Down 

Let’s go ahead and run through the pyramid of pain layer by layer, discussing what the indicator is and why it’s been marked as easy or hard for a threat actor to change. 

  • Hash Values
    • A hash value uniquely identifies a file. It’s trivial for a threat actor to change because if they modify even a single letter of a comment string in their code before recompiling, the malware will have a different hash. Because of this, hashes are easy detections for a threat actor to bypass.
  • IP Addresses
    • An IP address is the unique address used to identify a device on the internet. Either represented as an IPv4 address (127.0.0.1) or an IPv6 address (0:0:0:0:0:0:0:1). In the modern age of cloud computing, botnets, VPNs, and proxies, changing their IP address has never been easier for threat actors. 
  •  Domain Names 
    • A domain name is a unique, human-understandable address to navigate to the website (think google.com or, even better, RADICL.com). These are a little more effort for a threat actor to change since it requires acquiring and registering a domain, but at the end of the day, it’s still pretty easy to pull off and doesn’t cost a whole lot of money.  
  • Network/Host Artifacts 
    • These are observable artifacts caused by threat actor activity on your network or hosts (endpoint devices). On the network side of the house this can be URI patterns, C2 info, specific ports, etc. On the host side, this can be a registry or list modification, malicious scheduled task naming conventions, etc. These require a little more work for a threat actor to change. It would require tool reconfiguration or recompilation to avoid detection, and while this isn’t terribly difficult to accomplish, it still slows down the attacker. 
  • Tools 
    • These are the specific binaries and scripts the threat actor uses during their attack. If you can effectively detect a specific tool being used, then the threat actor will not only have to acquire a new tool but also learn how to use that tool. This becomes a high cost on the adversary side. 
  • Tactics, Techniques, and Procedures (TTP) 
    • Finally, we have TTP, which represents how a threat actor executes an attack from initial recon (for more information on this, see my blog here) to initial access, lateral movement, and action on objective. TTPs are the toughest thing for a threat actor to change because they represent learned behaviors. This would be like telling you that you couldn’t tie your shoes the way you were taught and instead must learn another way of doing it (blog title mic drop). This is hard and uncomfortable. Detecting on TTP will require a threat actor to learn an entirely new way of conducting operations, and most threat actors will not put in that effort and instead find a softer target elsewhere. 

Moral of the Story 

To stop a sophisticated threat actor, you need to focus your detection engineering efforts on as high up the pyramid as possible. At the bare minimum, I would start with Network/Host Artifact and then try to move up to Tools and TTP. The end goal is to make a threat actor feel the pain of the pyramid and either re-learn how to hack or give up.