What is the Pyramid of Pain and its types?

The Pyramid of Pain is built on the observation that not all IoCs are created equal: some hold much more importance than others. The Pyramid of Pain represents the types of indicators that an analyst must look out for to detect an adversary's activities, as well as the amount of pain the adversary must go through to adapt, pivot and continue the attack when the indicators at each level are denied.

The Pyramid of Pain consists of six types of IoCs, arranged in increasing order of the impact on the adversary and the effort required of the analyst.

Given below are the types of IoCs placed in the pyramid from bottom to top:

1. Hash Values

Hash values generated by algorithms like SHA-1 and MD5 are used to represent specific malicious files. These hashes provide specific references to suspicious files and malware used in the intrusion.

2. IP Addresses

An IP address or net block uniquely identifies a suspicious system or network used to perform the attack.

3. Domain Names

Domain names are the text labels used instead of numerical addresses, signifying control of the resource. It can be a domain, a sub-domain or a sub-sub-domain.

4. Network Artifacts

These are indicators caused by malicious activities performed by adversaries on the network. Anything the adversary communicates over the network can be referred to as a network artifact, which includes URI patterns, SMTP mailer values, HTTP User-Agent strings, and the like.

5. Host Artifacts

These are indicators caused by malicious activities performed by adversaries on one or more hosts. Artifacts such as registry keys or values created by malware, and files or directories placed in specific locations, are considered host artifacts.

6. Tools

Tools are malicious software or utilities used by adversaries to perform the attack. They include software designed to generate malicious documents for spear-phishing attacks, to create backdoors for establishing command-and-control channels, to crack passwords, etc.

7. Tactics, Techniques, and Procedures

This level includes the TTPs an adversary uses, from collecting network, system and organizational information about the target through to data exfiltration, in order to achieve their end goal. Adversaries generally use spear phishing to gain access to the target network; spear phishing with malicious attachments in the form of a PDF or ZIP file would be a TTP. TTPs are not specific to any particular tool, as there are numerous ways to perform malicious activities.


The IoCs at the bottom of the Pyramid of Pain have less impact on the adversary, whereas IoCs placed at the top not only have a huge impact but also require a vast amount of effort from the analyst to discover. In the Pyramid of Pain, both the color and the width of each level play a major role in understanding the importance of the various IoCs.

Hashes are placed at the bottom of the Pyramid of Pain because their disclosure does not affect the adversary. Hashes are considered the most accurate IoCs, yet they can easily be changed by appending an insignificant bit to the file, making their discovery of little value. They require very little effort or resources from the analyst, unless it is a fuzzy hash, which requires different tools to calculate.

Next up, level two is the essential indicator: the IP address. Adversaries need an IP address to establish a connection with the target host. As there is a huge pool of IP addresses available, they occupy the broadest area of the pyramid. Adversaries can frequently change the IP address of their system with very little effort. Proxy services like Tor help adversaries change IP addresses frequently and go unnoticed. If one of the IP addresses used by the adversary is blocked, he/she can immediately switch to another and continue with the attack. Hence, this level is shown in green.

Level three, in light green, is a little more painful than the two levels below it and is occupied by domain names. Since domain names must be registered and paid for to get visibility on the Internet, it becomes a little harder for the adversary to change domains. However, various DNS providers with lenient registration standards make it easy for adversaries to get a new domain in hardly two days.


Network and host artifacts occupy the center of the pyramid. The light-yellow color signifies the beginning of a negative impact on the adversary, due to the increased effort the analyst spends discovering these IoCs. At this level, the discovery of network and host artifacts can force the adversary to reconstruct the tool after identifying which artifact led to the discovery. Finding, fixing, and overcoming such obstacles requires a lot of the adversary's effort and time.

Further up the pyramid are tools, represented in yellow. Once the analyst is able to identify and detect the tools, the adversary has to devote time to research and development, building on the capabilities of the existing tools to develop a new, more capable tool for the attack. This halts their progress for a long time.

Finally, the peak is reserved for TTPs, whose detection has the worst impact on the adversary. It forces them to either quit or restart from the foundation, which would again be time-consuming. It not only requires a lot of effort from the analyst but also has the potential to cause the highest pain to the adversary. At this level, the analyst is well aware of the adversary's behavior and knows their methodology, execution, and lateral movement. So it is difficult, if not impossible, for the adversary to overcome the analyst's disclosure of their TTPs.
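As an added example that is not code from the article, the script below ties the IoC types listed above to the level ordering just described: it classifies atomic indicators (hashes, IP addresses or net blocks, domain names), matches a small indicator set against a few constructed log lines, and sorts the hits so that a network or host artifact match is triaged before a domain, IP or hash match. The `classify`, `matches` and `triage` helpers and every indicator and log value are assumptions constructed for this example.

```python
import ipaddress
import re

# Levels from bottom (1) to top (6); network and host artifacts share level 4.
LEVELS = {"hash": 1, "ip": 2, "domain": 3, "network_artifact": 4, "host_artifact": 4, "tool": 5, "ttp": 6}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5 / SHA-1 / SHA-256
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")  # valid quads only

def classify(indicator):
    """Map an atomic indicator (hash, IP address or net block, domain) to its kind."""
    if HASH_RE.match(indicator):
        return "hash"
    try:
        ipaddress.ip_network(indicator, strict=False)  # accepts a single address or a net block
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(indicator):
        return "domain"
    raise ValueError(f"not an atomic indicator: {indicator!r}")

def matches(value, kind, line):
    """Net blocks match any contained IP in the line; everything else is a substring hit."""
    if kind == "ip":
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(t) in net for t in IPV4_RE.findall(line))
    return value.lower() in line.lower()

def triage(indicators, log_lines):
    """indicators: (value, kind or None for atomic IoCs). Returns hits sorted highest pain first."""
    kinds = [(v, k or classify(v)) for v, k in indicators]
    hits = [(LEVELS[k], k, v, line) for v, k in kinds for line in log_lines if matches(v, k, line)]
    return sorted(hits, key=lambda h: -h[0])  # stable sort: ties keep log order

# Constructed sample data for this example; none of these are real indicators.
INDICATORS = [
    ("d41d8cd98f00b204e9800998ecf8427e", None),                          # hash -> level 1
    ("198.51.100.0/24", None),                                           # net block -> level 2
    ("updates.example.net", None),                                       # domain -> level 3
    ("Mozilla/4.0 (compatible; MSIE 6.0; Win32)", "network_artifact"),  # User-Agent -> level 4
    (r"CurrentVersion\Run\svchost32", "host_artifact"),                  # registry value -> level 4
]
LOGS = [
    'proxy src=10.0.0.7 dst=198.51.100.23 host=updates.example.net ua="Mozilla/4.0 (compatible; MSIE 6.0; Win32)"',
    "av hash=D41D8CD98F00B204E9800998ECF8427E file=invoice.pdf.exe",
    r"sysmon reg set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32",
]
```

Running `triage(INDICATORS, LOGS)` yields the two level-4 artifact hits first and the hash hit last, which is the triage order the pyramid argues for.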

Questions related to this topic

  1. What is the Pyramid of Pain?
  2. What are the types of the Pyramid of Pain?
  3. What is a TTP?

This blog article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com
