#status/done

Pyramid of Pain

Pyramid of Pain v2.png

Types of Indicators

  1. Hash Values: SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files.  Often used to provide unique references to specific samples of malware or to files involved in an intrusion.
  2. IP Addresses:  It's, um, an IP address.  Or maybe a netblock.
  3. Domain Names: This could be either a domain name itself (e.g., "evil.net") or maybe even a sub- or sub-sub-domain (e.g., "this.is.sooooo.evil.net")
  4. Network Artifacts: Observables caused by adversary activities on your network. Technically speaking, every byte that flows over your network as a result of the adversary's interaction could be an artifact, but in practice this really means those pieces of the activity that might tend to distinguish malicious activity from that of legitimate users.  Typical examples might be URI patterns, C2 information embedded in network protocols, distinctive HTTP User-Agent or SMTP Mailer values, etc.
  5. Host Artifacts: Observables caused by adversary activities on one or more of your hosts.  Again, we focus on things that would tend to distinguish malicious activities from legitimate ones.  They could be registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names, names or descriptions or malicious services or almost anything else that's distinctive.
  6. Tools: Software used by the adversary to accomplish their mission.  Mostly this will be things they bring with them, rather than software or commands that may already be installed on the computer.  This would include utilities designed to create malicious documents for spearphishing, backdoors used to establish C2 or password crackers or other host-based utilities they may want to use post-compromise.
  7. Tactics, Techniques and Procedures (TTPs): How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between.  "Spearphishing" is a common TTP for establishing a presence in the network.  "Spearphishing with a trojaned PDF file" or "... with a link to a malicious .SCR file disguised as a ZIP" would be more specific versions.  "Dumping cached authentication credentials and reusing them in Pass-the-Hash attacks" would be a TTP.  Notice we're not talking about specific tools here, as there are any number of ways of weaponizing a PDF or implementing Pass-the-Hash.

Tactics, Techniques & Procedures

When you detect and respond at this level, you are operating directly on adversary behaviors, not against their tools.  For example, you are detecting Pass-the-Hash attacks themselves (perhaps by inspecting Windows logs) rather than the tools they use to carry out those attacks.  From a pure effectiveness standpoint, this level is your ideal.  If you are able to respond to adversary TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors.

Let's think about that some more.  If you carry this to the logical extreme, what happens when you are able to do this across a wide variety of the adversary's different TTPs?  You give them one of two options:

  1. Give up, or
  2. Reinvent themselves from scratch
    [1]

Relevant Note(s): Detection Engineering Tactics, Techniques & Procedures

  1. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html ↩︎