# Pyramid of Pain in Cyber Security

Written by Ahmed Eid Mousa

## 🟩 **1: Introduction**

### Task Content:

> This well-renowned concept is being applied to cybersecurity solutions like Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of CTI (Cyber Threat Intelligence), threat hunting, and incident response exercises.
>
> Understanding the Pyramid of Pain concept as a Threat Hunter, Incident Responder, or SOC Analyst is important.
>
> Are you ready to explore what hides inside the Pyramid of Pain?

---

### Explanation:

This task is an **introduction** to the "Pyramid of Pain" concept. It explains why the concept matters for:

- **Threat Hunting**
- **Incident Response**
- **Cyber Threat Intelligence (CTI)**

The pyramid is not just a shape; it helps analysts understand:

- **How difficult it is for attackers to adapt** once we discover certain indicators.
- **Which types of indicators** (IOCs) are useful in investigations or hunting activities.

---

### Example:

Imagine you're working in a SOC and you receive an alert about a suspicious IP. If you only block that IP, the attacker can easily switch to another IP using a VPN or proxy. But if you detect the specific tool or TTP being used, you cause real **pain** to the attacker: they must change their tactics entirely, not just an IP.

---

### Real-world Examples:

- **Cisco Security Analytics**: integrates CTI and uses the pyramid to evaluate indicator effectiveness.
- **SentinelOne**: detects TTPs like Mimikatz running on an endpoint.
- **SOCRadar**: assesses the quality of threat feeds using the pyramid.

---

### Summary:

This introduction tells you that the **Pyramid of Pain** is a crucial framework for any SOC analyst or threat hunter. It will serve as a **map** for measuring the strength and effectiveness of different types of indicators.
---

## 🟦 **2: Hash Values (Trivial)**

### Objective:

Explain why **hash values** are the easiest indicators to use, but also the easiest for attackers to bypass, which is why they sit at the **bottom of the pyramid**.

---

### What is a Hash?

A hash is a **digital fingerprint** of a file, created by applying a hash algorithm (like MD5 or SHA-1) to its contents. If you change even a single bit, the hash changes completely.

---

### Common Hash Types:

| Algorithm | Length | Security Status |
|---|---|---|
| **MD5** | 128-bit | Broken, collisions possible |
| **SHA-1** | 160-bit | Deprecated since 2013 |
| **SHA-256** | 256-bit | Strong and widely used |

If two different files produce the same hash, that is called a **collision**.

---

### Usage in Security:

Hashes are commonly used for malware lookup in services such as:

- VirusTotal
- MetaDefender Cloud

---

### Example – Small Change, Different Hash:

**Before change:**

```powershell
Get-FileHash .\OpenVPN_2.5.1_I601_amd64.msi -Algorithm MD5
```

`MD5: D1A008E3A606F24590A02B853E955CF7`

**After appending text:**

```powershell
# Append a few bytes to the installer, then hash it again
echo "AppendTheHash" >> .\OpenVPN_2.5.1_I601_amd64.msi
Get-FileHash .\OpenVPN_2.5.1_I601_amd64.msi -Algorithm MD5
```

`MD5: 9D52B46F5DE41B73418F8E0DACEC5E9F`

> An attacker can easily alter the hash.

---

### Why "Trivial"?

- The easiest thing for attackers to change.
- A weak IOC for long-term detection.
- In hunting, it is better to rely on behavior, tools, or TTPs.

---

### Real-world Scenario:

1. A researcher uploads a SHA-256 hash to VirusTotal → it is identified as WannaCry.
2. The attacker modifies one line of code → the hash is completely different, but the malware behavior is identical.

---

### Summary:

- Hashes are useful for quick file identification.
- But they are **very weak as indicators** because attackers can easily change them.
- That is why hashes are placed at the **bottom of the Pyramid of Pain**.

---

## 🟦 **3: IP Address (Easy)**

### Objective:

Understand why IP addresses are slightly harder to change than hashes but still **easy for attackers to evade**.
---

### IPs as Indicators:

If you detect a suspicious IP (like a C2 server), you can block it at the firewall. But attackers can easily:

- Use VPNs or proxies
- Rent new VPS IPs
- Deploy **Fast Flux** techniques

---

### Fast Flux:

Attackers rotate the IP addresses behind the same domain (like `evil.com`) every few seconds or minutes. This makes blocking single IPs useless.

---

### Real-world Scenario:

- Analyst finds a connection to `185.27.134.101` (linked to Emotet).
- The IP is blocked.
- Next day → the attacker switches to `185.27.134.109`. Same malware, different IP.

---

### Summary:

- IP addresses are simple to detect and block.
- But attackers can change them very easily.
- That is why IPs are labeled **Easy** in the pyramid.

---

## 🟦 **4: Domain Names (Simple)**

### Objective:

Domains are slightly harder for attackers to change than IPs, but still relatively simple.

---

### IP vs Domain:

| IOC Type | Difficulty for attacker | How to change |
|---|---|---|
| **IP** | Very low | Use VPN, botnet, VPS |
| **Domain** | Medium | Requires registration, DNS setup, often money |

---

### Domains as IOCs:

- Can be blocked using DNS sinkholes or proxy blocklists.
- Visible in DNS and proxy logs.

---

### Evasion Techniques:

- Registering new domains
- Using **Dynamic DNS** services
- **Punycode attacks** (lookalike domains like `adıdas.de`)
- URL shorteners (bit.ly, tinyurl)

---

### SOC Scenario:

A CTI feed warns about the domain `updates-win32.com` used by Emotet. The analyst queries DNS logs → finds an internal device connecting. Containment begins immediately.

---

### Summary:

- Domains are harder to change than IPs, but still relatively simple.
- Analysts should look for **patterns and behavior**, not just domains.

---

## 🟨 **5: Host Artifacts (Annoying)**

### Objective:

Host artifacts are **annoying for attackers** because they leave traces on the victim machine.
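Before the host-artifact examples, here is an added example (not from the original walkthrough) for the two evasion techniques described in the IP Address and Domain Names sections above: fast flux and Punycode lookalike domains. It runs two hunting checks over constructed DNS resolver log lines; the log format, the thresholds, the tiny confusable table and every host name and IP are assumptions made for the example.

```python
import unicodedata

# Constructed resolver log lines: "<epoch> <qname> <answer_ip> <ttl>"
DNS_LOG = """\
1700000000 evil.com 203.0.113.10 60
1700000060 evil.com 203.0.113.77 60
1700000120 evil.com 198.51.100.4 60
1700000180 evil.com 192.0.2.201 60
1700000000 example.org 198.51.100.99 86400
1700000400 xn--addas-o4a.de 192.0.2.50 300"""
# Tiny confusable table (assumption; a real hunt uses the Unicode confusables data)
CONFUSABLES = {"ı": "i", "і": "i", "а": "a", "е": "e", "о": "o", "ѕ": "s"}

def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        ts, qname, ip, ttl = line.split()
        rows.append({"ts": int(ts), "qname": qname.lower(), "ip": ip, "ttl": int(ttl)})
    return rows

def fast_flux_candidates(rows, min_ips=4, max_ttl=300, window=3600):
    """Domains whose low-TTL answers rotate through >= min_ips distinct IPs within
    `window` seconds. Low TTL alone is normal (CDNs); rotation plus low TTL is the signal."""
    by_domain = {}
    for r in rows:
        if r["ttl"] <= max_ttl:
            by_domain.setdefault(r["qname"], []).append(r)
    hits = {}
    for qname, recs in by_domain.items():
        start = min(r["ts"] for r in recs)
        ips = {r["ip"] for r in recs if r["ts"] - start <= window}
        if len(ips) >= min_ips:
            hits[qname] = sorted(ips)
    return hits

def skeleton(label):
    """Fold confusables and strip accents so 'adıdas' compares equal to 'adidas'."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    return "".join(ch for ch in unicodedata.normalize("NFKD", folded) if not unicodedata.combining(ch))

def lookalike_domains(rows, brands):
    """Decode Punycode (xn--) names and flag labels that imitate a protected brand name."""
    flagged = {}
    for qname in {r["qname"] for r in rows if "xn--" in r["qname"]}:
        unicode_name = qname.encode("ascii").decode("idna")
        for label in unicode_name.split(".")[:-1]:
            if label not in brands and skeleton(label) in brands:
                flagged[qname] = unicode_name
    return flagged
```

Running `fast_flux_candidates(parse_dns_log(DNS_LOG))` flags only `evil.com`; `lookalike_domains(..., {"adidas"})` decodes `xn--addas-o4a.de` back to `adıdas.de` and flags it.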
---

### Examples:

- Registry keys
- Dropped files
- Suspicious process chains (Word → PowerShell → C2)
- Persistence mechanisms (scheduled tasks, services)

---

### SOC Scenario:

- Alert: Word launches PowerShell → downloads an EXE → adds a registry Run key.
- Analyst uploads the hash to VirusTotal → known Emotet variant.
- Containment and cleanup executed.

---

### Summary:

- Host artifacts are the **first layer that truly hurts attackers**.
- They expose behavior, not just surface indicators.
- Harder for attackers to modify or hide.

---

## 🟨 **6: Network Artifacts (Annoying)**

### Objective:

Understand **network-level indicators** such as User-Agent strings or URI patterns.

---

### Examples:

- User-Agent anomalies (`python-requests/`, `curl/`, fake Outlook strings)
- URI patterns (`/gate.php`, `/cmd.php`)
- Abnormal HTTP requests

---

### Tools:

- TShark / Wireshark
- IDS/IPS (Snort, Suricata)
- SIEM (Splunk, Elastic)

---

### SOC Scenario:

- Repeated POST requests to `abc.dyndns.org/data?...`
- User-Agent: `Mozilla/4.0 (compatible; MSIE 6.0...)` (too old for Windows 10+)
- Confirmed as Emotet activity.

---

### Summary:

- Network artifacts reveal malware behavior.
- Attackers must modify their tools or code to bypass them.
- Stronger IOC than host-only indicators.

---

## 🟧 **7: Tools (Challenging)**

### Objective:

Detecting **attacker tools themselves** (like Mimikatz or Cobalt Strike). This is extremely painful for attackers.

---

### Detection Methods:

- **YARA rules** (string patterns inside binaries)
- **Antivirus signatures**
- **Fuzzy hashing (ssdeep)**
- **Threat feeds** (MalwareBazaar, SOC Prime, Malshare)

---

### Example:

File `Stealer.exe` found in the Temp directory.

- Uploaded to VirusTotal → detected as malware.
- Fuzzy hashing shows similarity to known samples.
- A YARA rule is written for detection.

---

### Summary:

- Tools are expensive and time-consuming for attackers to change.
- Detecting tools causes significant disruption.
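Added example for the Network Artifacts section above (section 6), not part of the original walkthrough: the SOC scenario there (repeated POSTs to a dynamic-DNS host, an MSIE 6.0 User-Agent on a Windows 10 machine, `/gate.php`-style URIs, automation User-Agents) turned into checks over constructed proxy log lines. The log format, the asset inventory, the dynamic-DNS suffix list and the thresholds are assumptions.

```python
import re
# Constructed proxy log lines: "<epoch> <src_ip> <method> <host> <uri> | <user-agent>"
PROXY_LOG = """\
1700000000 10.0.0.21 POST abc.dyndns.org /data?id=7 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000060 10.0.0.21 POST abc.dyndns.org /data?id=8 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000120 10.0.0.21 POST abc.dyndns.org /data?id=9 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1700000130 10.0.0.33 GET cdn.example.net /lib.js | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
1700000200 10.0.0.40 POST files.example.org /gate.php | python-requests/2.31
1700000260 10.0.0.33 GET www.example.com / | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"""
WIN10_PLUS_HOSTS = {"10.0.0.21", "10.0.0.33"}      # constructed asset inventory
AUTOMATION_UA_PREFIXES = ("python-requests/", "curl/", "Wget/")
SUSPICIOUS_URIS = ("/gate.php", "/cmd.php")
DYNDNS_SUFFIXES = (".dyndns.org", ".no-ip.org", ".ddns.net")  # assumed provider list
LEGACY_MSIE = re.compile(r"MSIE [1-8]\.")      # IE 8 and older never shipped on Windows 10

def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        fields, ua = line.split(" | ", 1)
        ts, src, method, host, uri = fields.split()
        rows.append({"ts": int(ts), "src": src, "method": method,
                     "host": host, "uri": uri, "ua": ua})
    return rows

def score_request(r):
    """Per-request network-artifact findings (User-Agent and URI checks)."""
    findings = []
    if r["ua"].startswith(AUTOMATION_UA_PREFIXES):
        findings.append("automation user-agent")
    if LEGACY_MSIE.search(r["ua"]) and r["src"] in WIN10_PLUS_HOSTS:
        findings.append("legacy MSIE user-agent from Windows 10+ host")
    if r["uri"].split("?")[0] in SUSPICIOUS_URIS:
        findings.append("known C2 URI pattern")
    return findings

def hunt(rows, beacon_min=3, window=600):
    """Combine per-request findings with repeated POSTs to dynamic-DNS hosts."""
    alerts, posts = {}, {}
    for r in rows:
        key = (r["src"], r["host"])
        for f in score_request(r):
            alerts.setdefault(key, set()).add(f)
        if r["method"] == "POST" and r["host"].endswith(DYNDNS_SUFFIXES):
            posts.setdefault(key, []).append(r["ts"])
    for key, stamps in posts.items():
        stamps.sort()   # any beacon_min POSTs inside `window` seconds counts as beaconing
        if any(stamps[i + beacon_min - 1] - stamps[i] <= window
               for i in range(len(stamps) - beacon_min + 1)):
            alerts.setdefault(key, set()).add("repeated POSTs to dynamic-DNS host")
    return {key: sorted(v) for key, v in alerts.items()}
```

`hunt(parse_proxy_log(PROXY_LOG))` returns two alerts keyed by (source, host): the Emotet-like beacon from `10.0.0.21` and the `python-requests` POST to `/gate.php`; the Chrome traffic from `10.0.0.33` produces nothing.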
---

## 🟥 **8: TTPs (Tough)**

### Objective:

TTPs = **Tactics, Techniques, and Procedures**. The **highest and hardest level** of the pyramid.

---

### Why TTPs matter:

- Attackers can change IPs, domains, tools…
- But **their behavior** (like Pass-the-Hash or PowerShell obfuscation) is much harder to change.

---

### Tools:

- Sysmon
- Elastic / Splunk / Sentinel
- Sigma rules
- MITRE ATT&CK Navigator

---

### Example:

An attacker performs Pass-the-Hash using Mimikatz. The analyst does not look for the binary → instead monitors for unusual NTLM logons in the Windows Event Logs. The technique maps to **MITRE ATT&CK T1550.002**.

---

### Summary:

- TTPs are the **most powerful detection layer**.
- They force attackers to rethink their entire strategy.
- Very hard for them to change consistently.

---

## 🟥 **10: Conclusion**

The **Pyramid of Pain** classifies IOCs into six levels (host artifacts and network artifacts share the **Annoying** tier):

1. **Hash Values** (Trivial)
2. **IP Addresses** (Easy)
3. **Domain Names** (Simple)
4. **Host Artifacts** (Annoying)
5. **Network Artifacts** (Annoying)
6. **Tools** (Challenging)
7. **TTPs** (Tough)

---

### Key Takeaway:

The higher an IOC type sits in the pyramid:

- The harder it is for attackers to change.
- The more **pain** you cause them by detecting it.

Instead of blocking just IPs or hashes, aim to detect **behaviors (TTPs)**. That is the true power of the Pyramid of Pain.

---

End of walkthrough.

---
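A worked version of the TTP example from section 8, added here and not part of the original walkthrough: instead of hunting for the Mimikatz binary, it looks for the shape Pass-the-Hash leaves in Windows 4624 logon events, namely NTLM network logons from (account, source) pairs never seen before and one account fanning out to many hosts within a short window. The event records (a subset of the real 4624 fields), the baseline and the thresholds are constructed.

```python
# Constructed 4624 records (a subset of the real event's fields):
# (epoch, target Computer, TargetUserName, LogonType, AuthenticationPackageName, IpAddress)
EVENTS = [
    (1700000000, "FS01", "jsmith", 3, "NTLM", "10.0.0.50"),
    (1700000100, "FS01", "jsmith", 3, "Kerberos", "10.0.0.50"),
    (1700000500, "FS01", "svc_backup", 3, "NTLM", "10.0.0.77"),
    (1700000520, "DB02", "svc_backup", 3, "NTLM", "10.0.0.77"),
    (1700000540, "WEB03", "svc_backup", 3, "NTLM", "10.0.0.77"),
    (1700000560, "DC01", "svc_backup", 3, "NTLM", "10.0.0.77"),
    (1700000700, "WS12", "jsmith", 2, "Negotiate", "-"),
]
FIELDS = ("t", "Computer", "TargetUserName", "LogonType", "AuthenticationPackageName", "IpAddress")
# Constructed baseline: (account, source IP) pairs that legitimately used NTLM before
BASELINE = {("jsmith", "10.0.0.50"), ("svc_backup", "10.0.0.10")}

def ntlm_network_logons(events):
    """Keep only network (LogonType 3) logons authenticated with NTLM."""
    recs = [dict(zip(FIELDS, e)) for e in events]
    return [r for r in recs
            if r["LogonType"] == 3 and r["AuthenticationPackageName"] == "NTLM"]

def new_ntlm_sources(events, baseline):
    """(account, source IP) pairs using NTLM that never appeared in the baseline."""
    seen = {(r["TargetUserName"], r["IpAddress"]) for r in ntlm_network_logons(events)}
    return sorted(seen - baseline)

def ntlm_fan_out(events, min_targets=3, window=300):
    """Accounts whose NTLM logons reach >= min_targets distinct hosts within
    `window` seconds: the lateral-movement shape that pass-the-hash produces."""
    per_account = {}
    for r in ntlm_network_logons(events):
        per_account.setdefault(r["TargetUserName"], []).append((r["t"], r["Computer"]))
    hits = {}
    for account, logons in per_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_targets:
                hits[account] = sorted(hosts)
                break
    return hits

def hunt(events, baseline=BASELINE):
    """Both checks together, tagged with the ATT&CK technique named in the walkthrough."""
    return {"technique": "T1550.002",
            "new_ntlm_sources": new_ntlm_sources(events, baseline),
            "fan_out": ntlm_fan_out(events)}
```

On the sample, `hunt(EVENTS)` flags `svc_backup` twice: an NTLM source (`10.0.0.77`) absent from the baseline, and four hosts reached within one minute; `jsmith`'s NTLM logon is in the baseline and the Kerberos and interactive logons are ignored.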