Learn about the Pyramid of Pain framework and how security professionals use it to understand the difficulty adversaries face when changing their attack indicators.
Content by Dan Rearden
The Pyramid of Pain is a well-known concept in cybersecurity, originally developed by security researcher David J. Bianco in 2013. The framework is applied in cybersecurity solutions such as Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of Cyber Threat Intelligence (CTI), threat hunting, and incident response exercises.
Understanding the Pyramid
The Pyramid of Pain describes the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you deny those indicators. The pyramid has six levels, from bottom to top:
1. Hash Values (Trivial)
Hash values like MD5, SHA-1, and SHA-256 are unique identifiers for specific files. While useful for identifying known malware, they're trivial for attackers to change—simply modifying a single bit produces an entirely different hash.
- Easy to detect known malware
- Extremely easy for attackers to bypass
- One small change = completely new hash
2. IP Addresses (Easy)
IP addresses are slightly more difficult to change than hashes, but attackers can easily switch to new infrastructure using cloud services, VPNs, or compromised systems.
- Can block known malicious IPs
- Attackers can rent new servers within minutes
- Cloud services make IP rotation trivial
3. Domain Names (Simple)
Domain names require more effort to change than IPs. Attackers must register new domains, set up DNS, and potentially wait for propagation. However, cheap domain registration makes this only a minor inconvenience.
- DNS-based blocking is effective short-term
- Domain generation algorithms (DGAs) let attackers rotate to new domains automatically
- New domains cost just a few dollars
4. Network/Host Artifacts (Annoying)
These are indicators like User-Agent strings, registry keys, specific file paths, or network protocol quirks. Changing these requires modifying tools, which takes real effort.
- Requires tool modifications to change
- Detection rules based on behavior patterns
- More reliable than simple IOCs
5. Tools (Challenging)
When you can identify and block the actual tools an adversary uses, they must develop or acquire new tools. This significantly increases their cost and time investment.
- Forcing tool changes disrupts operations
- New tools require testing and refinement
- May require entirely new infrastructure
6. TTPs - Tactics, Techniques, and Procedures (Tough!)
At the top of the pyramid are TTPs—the behaviors and methods adversaries use. Detecting and disrupting TTPs forces attackers to fundamentally change how they operate, which is extremely costly.
- Behavioral detection is most effective
- Forces complete operational changes
- Requires significant adversary investment to overcome
Practical Application
Understanding the Pyramid of Pain helps security teams prioritize their detection efforts:
- Focus detection on higher levels - While hash-based detection has its place, investing in behavioral detection provides better long-term value
- Layer your defenses - Use indicators at all levels for defense in depth
- Track adversary adaptation - When attackers change tactics, document the new TTPs
- Measure defensive impact - Consider how much "pain" your detections cause
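To turn the prioritization above into something measurable, here is an added example (not from the original article) that triages a constructed indicator feed by pyramid level and reports which levels have no coverage at all. The feed format, including the `artifact:` and `tool:` prefixes for indicators that have no fixed syntax, is an assumption of this example.

```python
import re
from collections import Counter

# Pyramid of Pain levels, bottom (1) to top (6), as the article lists them.
LEVELS = {1: "Hash Values (Trivial)", 2: "IP Addresses (Easy)", 3: "Domain Names (Simple)",
          4: "Network/Host Artifacts (Annoying)", 5: "Tools (Challenging)", 6: "TTPs (Tough!)"}

# Hashes, IPv4 addresses, domains and ATT&CK technique IDs (e.g. T1059.001) have a recognisable shape.
# Artifacts and tool names do not, so this assumed feed format tags them with "artifact:" / "tool:".
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
_TTP = re.compile(r"^T\d{4}(?:\.\d{3})?$")

def classify(indicator: str) -> int:
    """Return the pyramid level (1-6) of one indicator, or 0 if it is not recognised."""
    ind = indicator.strip()
    if _HASH.match(ind):
        return 1
    if _IPV4.match(ind) and all(int(o) <= 255 for o in ind.split(".")):
        return 2
    if _DOMAIN.match(ind):
        return 3
    if ind.lower().startswith("artifact:"):
        return 4
    if ind.lower().startswith("tool:"):
        return 5
    if _TTP.match(ind):
        return 6
    return 0

def coverage(indicators: list[str]) -> dict[int, int]:
    """Count indicators per pyramid level (unrecognised entries are dropped)."""
    counts = Counter(classify(i) for i in indicators)
    return {lvl: counts.get(lvl, 0) for lvl in LEVELS}

def uncovered_levels(indicators: list[str]) -> list[str]:
    """Levels with no indicators at all, highest (most painful for the adversary) first."""
    cov = coverage(indicators)
    return [LEVELS[lvl] for lvl in sorted(cov, reverse=True) if cov[lvl] == 0]

# Constructed sample feed for demonstration; not taken from any real threat feed.
SAMPLE_FEED = [
    "d41d8cd98f00b204e9800998ecf8427e",             # MD5 -> level 1
    "203.0.113.10",                                 # documentation-range IP -> level 2
    "c2.example.com",                               # level 3
    "artifact:User-Agent=Mozilla/4.0 (compatible)", # level 4
    "T1059.001",                                    # ATT&CK technique ID -> level 6
]
```

Running `uncovered_levels(SAMPLE_FEED)` on the constructed feed flags the Tools level as having no detection coverage, which is where the article says investment pays off more than at the hash level.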
Integration with MITRE ATT&CK
The Pyramid of Pain complements the MITRE ATT&CK framework beautifully. While ATT&CK catalogs adversary techniques, the Pyramid helps prioritize which detections provide the most value.
Conclusion
The Pyramid of Pain reminds us that not all indicators are created equal. By focusing our detection efforts on TTPs and tools rather than easily-changed hash values, we can create more resilient defenses that truly impact adversary operations.