| Title | Author | Created | Published | Tags |
| --------------- | ---------- | ------------------ | ------------------ | -------------------------------------------- |
| Pyramid Of Pain | Jon Marien | September 08, 2025 | September 08, 2025 | [[#soc\|#soc]], [[#arcticwolf\|#arcticwolf]] |

![[red-3.png|36x32]] ![[Pyramid of Pain.png|219x166]]

# Pyramid Of Pain

This well-renowned concept is being applied to cybersecurity solutions like Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of CTI (Cyber Threat Intelligence), threat hunting, and incident response exercises. Understanding the Pyramid of Pain concept as a Threat Hunter, Incident Responder, or SOC Analyst is important.

---

## Hashes (Trivial)

Hashes can be different even if a single bit is changed, so using file hashes as a main IOC can become difficult.

---

## IP Address (Easy)

A common defense tactic is to block, drop, or deny inbound requests from IP addresses on your perimeter or external firewall. This tactic is often not bulletproof, as it is trivial for an experienced adversary to recover simply by using a new public IP address.

---

## Domain Names (Simple)

Used for C2 servers (common):

![[image-936.png]]

Or using look-alike characters to hide malicious sites:

![[image-937.png]]

![[image-938.png]]

In the URL above, `adıdas.de` has the Punycode form `http://xn--addas-o4a.de/`.

Internet Explorer, Google Chrome, Microsoft Edge, and Apple Safari are now pretty good at translating the obfuscated characters into the full Punycode domain name.

URL shorteners are also used for this. Adding a `+` to the end of the shortened URL makes it reveal the full link.

![[image-939.png]]

---

## Host Artifacts (Annoying)

If we can detect an attack based on host artifacts, there is a high chance the attacker will "have to go back to the drawing board", as they say.
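For the Domain Names section above, an added example (not from the original note) that does what the browsers described do: it turns `xn--` labels back into Unicode with Python's built-in `punycode` codec and reports the non-ASCII and mixed-script characters an analyst would want to see. The hostnames in `SAMPLE_HOSTS` are constructed; the last one is built in code from a Cyrillic look-alike so the mixed-script check has something to find.

```python
import codecs
import unicodedata

# Constructed sample of hostnames as they might appear in proxy or DNS logs.
# The third entry is "paypal" with a Cyrillic 'а' (U+0430), encoded to its ACE form.
SAMPLE_HOSTS = [
    "www.example.com",
    "xn--addas-o4a.de",                                   # the page's adıdas.de example
    "p\u0430ypal.com".encode("idna").decode("ascii"),    # constructed look-alike
]

def decode_host(host: str) -> str:
    """Turn each Punycode (xn--) label of a hostname back into Unicode."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # the punycode codec works on the part after the "xn--" ACE prefix
            label = codecs.decode(label[4:].encode("ascii"), "punycode")
        labels.append(label)
    return ".".join(labels)

def script_of(ch: str) -> str:
    """Rough script name: the first word of the Unicode character name (LATIN, CYRILLIC, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def triage_host(host: str) -> dict:
    """Decode the name, list every non-ASCII character with its Unicode name,
    and flag labels that mix scripts (a classic homograph tell)."""
    decoded = decode_host(host)
    non_ascii = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in decoded if ord(ch) > 127]
    mixed = any(
        len({script_of(c) for c in label if c.isalpha()}) > 1
        for label in decoded.split(".")
    )
    return {
        "host": host,
        "decoded": decoded,
        "non_ascii": non_ascii,
        "mixed_script": mixed,
        "suspicious": bool(non_ascii) or mixed,
    }

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(triage_host(h))
```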
**Host artifacts** are **the traces or observables** that **attackers leave on the system,** such as **registry values**, **suspicious process execution**, **attack patterns** or **IOCs** (Indicators of Compromise), **files dropped by malicious applications**, or anything **exclusive to the current threat**.

---

## Network Artifacts (Annoying)

Network artifacts belong to the ==yellow zone== in the Pyramid of Pain. This means that **if you can detect and respond** to the threat, the **attacker would need more time to go back and change his tactics** or modify the tools, which gives you more time to respond to and detect the upcoming threats or remediate the existing ones. They are found in much the same way as host artifacts.

HTTP POST requests containing suspicious strings:

![[image-940.png]]

Using `TShark` to filter out the `User-Agent` strings with the following command:

`tshark -Y http.request -T fields -e http.host -e http.user_agent -r analysis_file.pcap`

![[image-941.png]]

---

## Tools (Challenging)

Once we improve our ability to spot these kinds of attack tools, it becomes much harder for attackers to break into our network. At this point, most attackers will likely give up, or they will have to go back and try to build a brand new tool to do the same job. For many, it's basically game over, or they are forced to start back at the beginning. They may need to spend money to develop a new tool, search for another option with the same abilities, or even invest time in learning how to use a different tool effectively.

Attackers use these tools for things like creating harmful macro documents (called **maldocs**) to trick people with **spearphishing**, setting up backdoors for remote access (known as **Command and Control** or **C2 infrastructure**), or using custom-made programs such as `.EXE` or `.DLL` files, different payloads, or password-breaking tools.
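For the Network Artifacts section above, an added example (not from the original note) of what to do with the `tshark -T fields` output: stack the `User-Agent` values so the rare ones stand out, and flag requests with no User-Agent or with a bare IP in the Host header. `SAMPLE_TSV` is constructed to mimic the tab-separated lines tshark prints; it is not real capture data.

```python
import ipaddress
from collections import Counter

# Constructed sample of what `tshark -Y http.request -T fields -e http.host -e http.user_agent`
# prints: one request per line, host and user agent separated by a tab (not real capture data).
SAMPLE_TSV = """\
www.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36
www.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36
update.example.net\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36
cdn.example.org\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36
203.0.113.7\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
203.0.113.7\t
"""

def parse_tshark_fields(text: str) -> list:
    """Return (host, user_agent) tuples from tshark -T fields output; a missing field becomes ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        host = parts[0].strip()
        ua = parts[1].strip() if len(parts) > 1 else ""
        rows.append((host, ua))
    return rows

def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IPv4 address (optionally with :port) rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False

def stack_user_agents(rows: list, rare_max: int = 1) -> list:
    """Least-frequency analysis: a User-Agent seen at most `rare_max` times in the capture,
    an empty User-Agent, or a bare-IP Host header each earn the request a finding."""
    ua_counts = Counter(ua for _, ua in rows)
    findings = []
    for host, ua in rows:
        reasons = []
        if ua == "":
            reasons.append("empty User-Agent")
        elif ua_counts[ua] <= rare_max:
            reasons.append(f"rare User-Agent (seen {ua_counts[ua]}x)")
        if is_bare_ip(host):
            reasons.append("Host header is a bare IP address")
        if reasons:
            findings.append({"host": host, "user_agent": ua, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in stack_user_agents(parse_tshark_fields(SAMPLE_TSV)):
        print(finding)
```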
[MalwareBazaar](https://bazaar.abuse.ch/) and [Malshare](https://malshare.com/) are good resources that provide you with access to samples, malicious feeds, and YARA results; these can all be very helpful when it comes to threat hunting and incident response. For detection rules, [SOC Prime Threat Detection Marketplace](https://tdm.socprime.com/) is a great platform where security professionals share their detection rules for different kinds of threats, including the latest CVEs being exploited in the wild by adversaries.

Fuzzy hashing is also a strong weapon against the attacker's tools. Fuzzy hashing helps you perform similarity analysis: matching two files with minor differences based on their fuzzy hash values. One example of fuzzy hashing is [SSDeep](https://ssdeep-project.github.io/ssdeep/index.html); the SSDeep official website also has a complete explanation of fuzzy hashing.

==Alt. name for fuzzy hashes: `Context Triggered Piecewise Hashes`, or **CTPH**.==

---

## TTPs (Tough)

TTPs stands for **Tactics, Techniques & Procedures**. This includes the whole [**MITRE ATT&CK Matrix**](https://attack.mitre.org/), which means all the steps taken by an adversary to achieve his goal, starting from phishing attempts to persistence and data exfiltration.

If you can detect and respond to the **TTPs** quickly, you leave the adversaries almost no chance to fight back. For example, if you could detect a Pass-the-Hash attack using Windows Event Log monitoring and remediate it, you would be able to find the compromised host very quickly and stop the lateral movement inside your network.

At this point, the attacker would have two options:

1. Go back, do more research and training, and reconfigure their custom tools.
2. Give up and find another target.

Option 2 could be better, depending on the situation.
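For the Hashes and Tools sections above, an added illustration (not from the original note, and not the ssdeep algorithm) of why a single flipped bit defeats a cryptographic hash IOC while a context-triggered piecewise hash still matches: pieces are cut wherever a rolling window of the content hits a trigger, so a local edit only disturbs the pieces around it. The rolling hash, trigger mask and per-piece SHA-256 prefix are simplifications chosen here; the "files" are constructed from SHA-256 digests so the run is deterministic.

```python
import hashlib
from collections import Counter

WINDOW = 7       # bytes in the rolling window
TRIGGER = 0x3F   # cut a piece when the low 6 bits of the rolling hash are zero (~1 in 64 bytes)

def rolling_hash(window: bytes) -> int:
    """Toy polynomial hash of the current window (for illustration, not ssdeep's rolling hash)."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h

def piecewise_hashes(data: bytes) -> list:
    """Cut `data` where the window content triggers, then keep a short hash of each piece.
    Boundaries depend on content, not position, so an edit only disturbs nearby pieces."""
    pieces, start = [], 0
    for end in range(WINDOW, len(data) + 1):
        if rolling_hash(data[end - WINDOW:end]) & TRIGGER == 0:
            pieces.append(hashlib.sha256(data[start:end]).hexdigest()[:8])
            start = end
    if start < len(data):
        pieces.append(hashlib.sha256(data[start:]).hexdigest()[:8])
    return pieces

def similarity(a: bytes, b: bytes) -> float:
    """Fraction of a's pieces that also occur in b (0.0 .. 1.0)."""
    pa, pb = Counter(piecewise_hashes(a)), Counter(piecewise_hashes(b))
    return sum((pa & pb).values()) / sum(pa.values()) if pa else 1.0

def sample_bytes(seed: str, blocks: int = 512) -> bytes:
    """Deterministic pseudo-random 'file' content, constructed from SHA-256 digests."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(blocks))

def demo() -> dict:
    original = sample_bytes("sample-a")
    tweaked = bytearray(original)
    tweaked[len(tweaked) // 2] ^= 0x01          # flip a single bit in the middle
    tweaked = bytes(tweaked)
    unrelated = sample_bytes("sample-b")
    return {
        # the cryptographic hash changes completely ...
        "sha256_changed": hashlib.sha256(original).digest() != hashlib.sha256(tweaked).digest(),
        # ... but almost every content-defined piece survives, so the files still match
        "sim_tweaked": similarity(original, tweaked),
        "sim_unrelated": similarity(original, unrelated),
    }

if __name__ == "__main__":
    print(demo())
```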