Pyramid of Pain and its types: not all IoCs are created with the same value, as some hold much more importance than others. The Pyramid of Pain represents the types of indicators that an analyst must look out for to detect an adversary's activities, as well as the amount of pain the adversary must endure to adapt, pivot, and continue the attack when the indicators at each level are denied.
The Pyramid of Pain consists of six types of IoCs, arranged in increasing order of their impact on the adversary and of the effort required from the analyst.
Given below are the types of IoCs, placed in the pyramid from bottom to top:
1. Hash Values
Hash values generated by algorithms like SHA1 and MD5 are used to represent specific malicious files. These hashes provide exact references to the suspicious files and malware used in the intrusion.
2. IP Addresses
An IP address or net block uniquely identifies a suspicious system or network used to perform the attack.
3. Domain Names
Domain names are the text labels used in place of numerical addresses, signifying control of the resource. A domain name can be a domain, a sub-domain, or a sub-sub-domain.
4. Network Artifacts
These are indicators left by malicious activities that adversaries perform on the network. Anything the adversary communicates over the network can be referred to as a network artifact, including URI patterns, SMTP mailer values, HTTP user agents, and the like.
5. Host Artifacts
These are indicators left by malicious activities that adversaries perform on one or more hosts. Artifacts like registry keys or values created by malware, and files or directories dropped in specific locations, are considered host artifacts.
6. Tools
Tools are the malicious software or utilities that adversaries use to perform the attack. They include software designed to generate malicious documents for spear-phishing attacks, to create backdoors for establishing command-and-control channels, to crack passwords, and so on.
7. Tactics, Techniques, and Procedures
This level covers the TTPs an adversary uses, from collecting network, system, and organizational information about the target through to data exfiltration, in order to achieve their end goal. Adversaries generally use spear phishing to gain access into the target network; spear phishing with a malicious attachment in the form of a PDF or ZIP file would be a TTP. TTPs are not specific to any particular tool, as there are numerous ways to perform the same malicious activity.
The IoCs at the bottom of the Pyramid of Pain have little impact on the adversary, whereas the IoC placed at the top not only has a huge impact but also requires a vast amount of effort from the analyst to uncover. In the Pyramid of Pain, both the color and the width of each level play a major role in understanding the importance of the various IoCs.
Hashes are placed at the bottom of the pyramid because their disclosure barely affects the adversary. Hashes are nevertheless considered the most accurate IoCs. They can easily be changed by appending a single insignificant bit, which makes their discovery of little value. Very little effort or resources are required from the analyst, unless it is a fuzzy hash, which requires different tools to calculate.
Next up, level two is an essential indicator: the IP address. Adversaries need an IP address to establish a connection with the target host. As there is a huge pool of IP addresses available, they occupy the broadest area of the pyramid. Adversaries can change the IP address of their system frequently with very little effort, and proxy services like Tor help them rotate IP addresses and go unnoticed. If one of the IP addresses used by the adversary is blocked, they can immediately switch to another and continue the attack. Hence, this level is marked in green.
Level three, in light green, is a little more painful than the two levels below it and is occupied by domain names. Since domain names are registered and paid for in order to be visible on the Internet, it becomes somewhat harder for the adversary to change a domain. However, various DNS providers with lenient registration standards make it easy for adversaries to obtain a domain in hardly two days.
Network and host artifacts occupy the center of the pyramid. The light-yellow color signifies the beginning of a real negative impact on the adversary, owing to the increased effort the analyst spends discovering these IoCs. At this level, the discovery of network and host artifacts can force the adversary to reconstruct the tool after identifying which artifact led to the discovery. Finding, fixing, and overcoming such obstacles costs the adversary a great deal of effort and time.
Further up the pyramid are tools, represented in yellow. Once the analyst is able to identify and detect the tools, the adversary has to devote time to research and development, building on the capabilities of the existing tools to develop a new, more capable tool for the attack. This halts their operation for a long time.
Finally, the peak belongs to TTPs, whose detection has the worst impact on the adversary. It forces them either to quit or to restart from the foundation, which is again time-consuming. Detection at this level not only requires a lot of effort from the analyst but also has the potential to cause the highest pain to the adversary. At this level, the analyst is well aware of the adversary's behavior and knows their methodology, execution, and lateral movement. So it is difficult, if not impossible, for the adversary to overcome the analyst's disclosure of their TTPs.
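To make the difference between the lower levels concrete, here is an added example (not from the original article) that scores a new sighting against indicators at five pyramid levels: hash, IP, domain, network artifact, and host artifact. Every file byte, address, domain, URI pattern and registry key below is constructed for the demonstration; the addresses come from the RFC 5737 documentation ranges and the domains use the reserved `.test` TLD.

```python
import hashlib
import ipaddress
import re

# Constructed sample standing in for a malicious file, plus the indicators an
# analyst recorded from the first sighting. None of these values are real.
ORIGINAL_SAMPLE = b"MZ\x90\x00 constructed fake dropper payload"
KNOWN_SHA1 = hashlib.sha1(ORIGINAL_SAMPLE).hexdigest()
KNOWN_IP = ipaddress.ip_address("192.0.2.10")
KNOWN_DOMAIN = "bad-example.test"
# Network artifact: URI pattern and User-Agent string produced by the tool.
# These survive a change of hash, IP and domain unless the tool is rewritten.
URI_PATTERN = re.compile(r"^/gate\.php\?id=[0-9a-f]{16}$")
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
# Host artifact: persistence key the tool writes (hypothetical name).
HOST_REG_KEY = r"HKCU\Software\ConstructedImplant\Run"


def match_levels(sample: bytes, event: dict) -> dict:
    """Report which Pyramid of Pain levels still match a new sighting."""
    return {
        "hash": hashlib.sha1(sample).hexdigest() == KNOWN_SHA1,
        "ip": ipaddress.ip_address(event["dst_ip"]) == KNOWN_IP,
        "domain": event["host"] == KNOWN_DOMAIN,
        "network_artifact": bool(URI_PATTERN.match(event["uri"]))
        and event["user_agent"] == USER_AGENT,
        "host_artifact": HOST_REG_KEY in event["registry_keys"],
    }


def first_sighting() -> dict:
    """Sighting identical to the one the indicators were derived from."""
    event = {"dst_ip": "192.0.2.10", "host": "bad-example.test",
             "uri": "/gate.php?id=0123456789abcdef", "user_agent": USER_AGENT,
             "registry_keys": [HOST_REG_KEY]}
    return match_levels(ORIGINAL_SAMPLE, event)


def after_cheap_pivot() -> dict:
    """Same tool after the adversary appends one byte to the file and moves
    to a fresh IP and domain: the three bottom levels stop matching, while
    the network and host artifacts (the tool's own behaviour) still do."""
    sample = ORIGINAL_SAMPLE + b"\x00"
    event = {"dst_ip": "198.51.100.7", "host": "new-example.test",
             "uri": "/gate.php?id=fedcba9876543210", "user_agent": USER_AGENT,
             "registry_keys": [HOST_REG_KEY]}
    return match_levels(sample, event)


if __name__ == "__main__":
    print("first sighting:", first_sighting())
    print("after pivot:   ", after_cheap_pivot())
```

Blocking only the hash and IP from the first sighting would therefore miss the second one, while a detection rule written on the URI pattern, User-Agent, or registry key still fires.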
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com