There are many dimensions along which cyber attacks, and the motivation behind them, can be categorized: technical vulnerabilities, socio-political and military dynamics, cognitive factors, and the economic, ethical, and inherent need for privacy in a digital world where our private data is transmitted to unknown places and is accessible to unknown people. All these perspectives and factors can easily become overwhelming to defenders who are trying to keep up with the latest aces up the sleeves of hackers.
In 2013, in his seminal blog post, cybersecurity researcher David Bianco outlined the concept known as the Pyramid of Pain (and, later, the Hunting Maturity Model). With more than 20 years of experience in IT security, Incident Detection and Response (IDR), threat hunting, and Cyber Threat Intelligence (CTI), he is more than qualified to speak on attacker behavior.
In this article, we will evaluate David Bianco's Pyramid of Pain, and especially the pinnacle of the pyramid - "TTP", which is the gold standard for modern cyber attack detection. TTP stands for Tactics, Techniques, and Procedures and is considered the most difficult, yet the most reliable means for detecting cyber attacks.
David Bianco's Pyramid of Pain is a concept in cybersecurity that categorizes the different types of indicators of compromise (IoCs) used to detect cyber attacks. The pyramid progresses from easy (least pain) at the bottom to difficult (most pain) at the top. The pain represents both the effort required of defenders to implement security controls at that level and the effort required of attackers to circumvent controls that detect them at that level. The pyramid helps security professionals prioritize their detection efforts by focusing on the aspects of a cyber attack that are most painful for the attacker to change.
By focusing on the higher levels of the pyramid, security teams can force attackers to undertake more significant and costly changes, thereby increasing the cost of the attack and reducing its likelihood of success.
Here’s a brief rundown of the levels from the bottom (least pain) to the top (most pain) of the pyramid:
Hash Values: Hash values are digital fingerprints of files or segments of files, such as their MD5, SHA-1, or SHA-2 digests. Hash values are easy for attackers to change by making small, insignificant changes to malware. So, while matching hashes is the easiest way to detect malware, it is also simple for attackers to overcome and avoid detection.
IP Addresses: IP addresses identify the source of cyber attacks so that they can be blocked via a firewall. Changing IPs requires slightly more effort than altering a malware's hash value, so blocking a specific IP address (aka block-listing), or better yet, only allowing access from specific IP addresses (aka accept-listing), offers slightly stronger protection for defenders.
Domain Names: Domains are used for establishing various malicious infrastructures. Forcing an attacker to change domain names by blocking a known malicious domain is slightly more disruptive than changing IP addresses.
Network/Host Artifacts: These include particular registry keys or settings altered by malware. Changing these can avoid detection but requires more effort and specific knowledge about the target environment.
Tools: The specific tools used by hackers such as malware, applications, and scripts. Tools are often reused, and changing them can be costly and time-consuming.
Tactics, Techniques, and Procedures (TTPs): These are the behaviors and methods used in cyberattacks. Modifying TTPs is very challenging because it often involves changing the fundamental behavior of the attackers.
So, concluding from the Pyramid of Pain, defenders should focus their energy on detecting the attacker's Tactics, Techniques, and Procedures (TTPs). These TTPs represent fundamental attacker behavior, and so it could be argued that attackers cannot change them. However, for defenders, detecting TTPs also represents the highest burden of implementing security controls.
David Bianco's Pyramid of Pain is a strategic framework for understanding the complexities of implementing detective cybersecurity controls. It highlights the importance of focusing on the pinnacle of the pyramid (the highest level): Tactics, Techniques, and Procedures (TTPs). But what exactly are these three core categories that David Bianco describes as being hard for defenders to implement controls for, and yet impossible for attackers to change?
The MITRE ATT&CK framework aims to be a comprehensive library of attacker TTPs, classifying all attacker behavior according to "tactics", "techniques", and "procedures". In this section, we will clarify what these fundamental attacker behaviors are so that defenders can use the MITRE ATT&CK framework effectively and build better defensive capabilities.
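As an added illustration (example code written for this article, not Bianco's own), the following Python compares detections written at several pyramid levels against two runs of the same constructed intrusion. The telemetry, the indicator lists and the TTP rule are all constructed here, and the IP addresses and domains are reserved documentation placeholders.

```python
import hashlib
import re

# Constructed telemetry (not real IoCs): one intrusion seen twice. Between runs the
# attacker rotated the cheap indicators near the bottom of the pyramid but kept the
# behaviour: drop a binary under a user-writable path and persist it via a Run key.
PAYLOAD_V1 = b"constructed-sample-bytes"
PAYLOAD_V2 = PAYLOAD_V1 + b"\x00"   # a single appended byte changes the hash
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"sha256": hashlib.sha256(PAYLOAD_V1).hexdigest(), "dst_ip": "203.0.113.10",
     "domain": "cdn-one.example", "reg_key": RUN_KEY, "reg_value": "Updater",
     "cmdline": rf'reg add "{RUN_KEY}" /v Updater /t REG_SZ /d C:\Users\Public\svc.exe'},
    {"sha256": hashlib.sha256(PAYLOAD_V2).hexdigest(), "dst_ip": "198.51.100.7",
     "domain": "cdn-two.example", "reg_key": RUN_KEY, "reg_value": "Helper",
     "cmdline": rf'reg add "{RUN_KEY}" /v Helper /t REG_SZ /d C:\ProgramData\x\helper.exe'},
]

# Indicators written after investigating the FIRST run only (lower pyramid levels).
IOC = {
    "hash":     {EVENTS[0]["sha256"]},
    "ip":       {"203.0.113.10"},
    "domain":   {"cdn-one.example"},
    "artifact": {(RUN_KEY, "Updater")},
}
# Top of the pyramid: a hypothetical TTP rule constructed for this example. It
# describes the behaviour (a Run-key value added from the command line that points
# at a user-writable directory), not any one hash, address, domain or value name.
TTP_RULE = re.compile(r'reg\s+add\s+"?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"?'
                      r'.*/d\s+C:\\(Users\\Public|ProgramData)\\', re.IGNORECASE)

def detect(event: dict) -> dict:
    """Return which pyramid levels fire for one event."""
    return {
        "hash":     event["sha256"] in IOC["hash"],
        "ip":       event["dst_ip"] in IOC["ip"],
        "domain":   event["domain"] in IOC["domain"],
        "artifact": (event["reg_key"], event["reg_value"]) in IOC["artifact"],
        "ttp":      TTP_RULE.search(event["cmdline"]) is not None,
    }

def coverage() -> list:
    """Detection results for both runs; only the TTP rule survives the rotation."""
    return [detect(e) for e in EVENTS]

if __name__ == "__main__":
    for i, hits in enumerate(coverage(), 1):
        print(f"run {i}:", ", ".join(f"{k}={'HIT' if v else 'miss'}" for k, v in hits.items()))
```

Every indicator derived from the first run misses the second run, while the behaviour-level rule still fires; the cost of that rule is that it has to be written and tuned against your own telemetry rather than copied from a feed.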
A tactic refers to a broader, higher-level plan or method employed to achieve a specific goal or objective. It's the "what" and "why" of a strategy, providing an overarching approach or method to reach an end. Tactics are usually more conceptual and can encompass a series of techniques. For instance, in cybersecurity, a tactic might involve social engineering to manipulate individuals into breaking security procedures.
A technique, on the other hand, is the specific "how" of executing a tactic. It involves the detailed methods or procedures used to accomplish a part of the tactic. Techniques are the actionable steps that directly engage with the environment or situation. In the context of the previous example, a technique within the social engineering tactic could be phishing emails, quishing, or pretexting — specific ways to deceive and manipulate the target.
Procedures are the specific implementations of techniques by an adversary. They are often referred to as real-world examples of techniques. In other words, procedures are the precise, detailed actions that adversaries take to execute a technique. They represent the actual commands, sequences of commands, or actions (observable behaviors) that realize a technique.
For instance, if the technique is "Spearphishing Attachment," a procedure could be the specifics of a phishing email campaign: the malicious attachment types used, the subject lines crafted, and how responses are handled. Procedures are often constrained by the software being leveraged in an attack, since a procedure needs to take advantage of a specific technical weakness caused by a poor implementation.
In summary, David Bianco's Pyramid of Pain is a strategic framework for understanding the complexities of implementing detective cybersecurity controls. It highlights the importance of focusing on the pinnacle of the pyramid (the highest level): Tactics, Techniques, and Procedures (TTPs).
By seeking to detect at the level of TTPs, organizations can significantly disrupt malicious actors' efforts, making cyber attacks more costly and less likely to succeed. The pyramid's other levels, from hash values to tools, still have a place in a comprehensive defense, but the greatest impact comes from targeting the areas where attacker adaptation is most expensive.