Breaking the Pyramid of Pain: Why Focusing on TTPs Matters in Cybersecurity

Ahmed Belhadjadji

Source: criticalstart.com

Introduction

It is very easy for attackers to change an IP address, a domain, or a file’s hash. In fact, some advanced threats, like polymorphic malware, automate these changes, making such indicators nearly useless for long-term detection. Compared to these, the tools attackers use — or better yet, their techniques and procedures — are much harder to change. This is where the Pyramid of Pain becomes a game-changer in modern cybersecurity.

Definition

The Pyramid of Pain, introduced by David J. Bianco, categorizes the different types of indicators defenders use to detect adversaries, highlighting how impactful disrupting each level can be. But the real power of this framework lies in shifting the focus to higher levels — like Tactics, Techniques, and Procedures (TTPs) — which impose the most significant operational cost on attackers.

The Levels of the Pyramid and Real-World Examples

  1. Hash Values
    Hashes are unique identifiers for files, calculated based on their content. Attackers can easily modify a file to create a new hash, making detection tools reliant on hashes ineffective.
    Example: Polymorphic malware, such as the Zeus banking trojan, generates a new hash for its files every time it infects a system, bypassing hash-based detection mechanisms.
  2. IP Addresses
    Attackers frequently change IP addresses using dynamic allocation, proxies, or VPNs, making IP-based blocking unreliable.
    Example: A botnet like Mirai can utilize thousands of IPs from compromised IoT devices, rendering static IP blocklists ineffective.
  3. Domain Names
    Domains are easier to manage than IPs but are still trivial for attackers to alter using Domain Generation Algorithms (DGAs) or disposable domains.
    Example: The Conficker worm used DGAs to create thousands of domains daily, ensuring a fallback communication channel even if some domains were blocked.
  4. Network/Host Artifacts
    These are traces left by malware or attackers, like unusual registry entries, file paths, or traffic patterns. They are harder to change than hashes, IPs, or domains, but attackers can still adapt their methods once they notice they are being detected.
    Example: WannaCry ransomware created specific file extensions (.wncry) and left behind a unique kill switch domain, which defenders could use to identify infections.
  5. Tools
    Attackers often use specific tools like malware or exploitation kits. Disrupting these tools forces adversaries to create or procure alternatives, which is time-consuming and costly.
    Example: The Cobalt Strike framework is a popular tool among attackers. When defenders deploy signatures for it, attackers need to modify the tool or switch to less effective alternatives.
  6. Tactics, Techniques, and Procedures (TTPs)
    TTPs represent the overarching strategies attackers use, such as phishing, lateral movement, or data exfiltration methods. Altering these requires rethinking and redesigning operations, posing the most significant challenge to attackers.
    Example: The MITRE ATT&CK framework categorizes TTPs. If defenders implement behavioral detections for lateral movement, such as unusual account access, attackers must rethink their approach to achieve the same goal.
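The behavioral detection mentioned for level 6 can be made concrete. The following Python block is an added example written for this article, not code from the author or from MITRE; the logon events are constructed. It treats network logons (Windows EventID 4624, logon type 3 is the assumption) as the data source and raises two kinds of TTP-level alerts: an account logging on to a host it has never used during the baseline period, and an account fanning out to an unusual number of distinct hosts in a short window. Neither alert depends on a hash, IP, or tool signature, so the attacker cannot evade it by swapping infrastructure.

```python
"""Behavioral detection for lateral movement: flag accounts that log on to
hosts they have never used before, or that reach an unusual number of
distinct hosts in a short window.  Added illustrative example with
constructed events; not the page's or MITRE's own code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network logon events (assumed EventID 4624, logon type 3).
# Fields: timestamp, account, destination host, logon type.
BASELINE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "FS01", 3),
    ("2024-05-01T09:05:00", "alice", "FS02", 3),
    ("2024-05-01T10:00:00", "bob", "PRINT01", 3),
    ("2024-05-02T09:10:00", "alice", "FS01", 3),
]

NEW_EVENTS = [
    ("2024-05-03T03:01:00", "alice", "FS01", 3),    # known pair, quiet
    ("2024-05-03T03:02:00", "bob", "DC01", 3),      # bob never touched DC01
    ("2024-05-03T03:02:30", "bob", "FS01", 3),      # fan-out begins
    ("2024-05-03T03:03:00", "bob", "FS02", 3),
    ("2024-05-03T03:03:30", "bob", "HR-WS07", 3),
    ("2024-05-03T03:20:00", "bob", "PRINT01", 3),   # known pair
]


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events):
    """Set of (account, host) pairs seen during the learning period."""
    return {(acct, host) for _, acct, host, ltype in events if ltype == 3}


def detect_new_pairs(events, baseline):
    """First-time (account, host) network logons; each pair is alerted once."""
    seen = set(baseline)
    alerts = []
    for ts, acct, host, ltype in events:
        if ltype != 3:
            continue
        if (acct, host) not in seen:
            alerts.append((ts, acct, host))
            seen.add((acct, host))
    return alerts


def detect_fanout(events, max_hosts=3, window=timedelta(minutes=5)):
    """Account reaching more than max_hosts distinct hosts within window."""
    by_acct = defaultdict(list)
    for ts, acct, host, ltype in events:
        if ltype == 3:
            by_acct[acct].append((parse(ts), host))
    alerts = []
    for acct, logons in by_acct.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                alerts.append((acct, t0.isoformat(), sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for alert in detect_new_pairs(NEW_EVENTS, baseline):
        print("new account/host pair:", alert)
    for alert in detect_fanout(NEW_EVENTS):
        print("fan-out:", alert)
```

The baseline period and the thresholds are tuning knobs: a long enough baseline keeps administrators' routine access out of the alerts, and the fan-out window catches the burst pattern of an attacker enumerating shares or pushing a payload to many hosts in minutes.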

Leveraging YARA & Sigma Rules to Fight Back

To stay ahead, defenders can use tools like YARA and Sigma for detection and response:

YARA Rules: Ideal for identifying specific malware families by analyzing file characteristics and patterns.

  • A YARA rule can identify Emotet malware by searching for unique strings in its codebase.
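To show what a YARA rule actually evaluates, here is an added Python example (not YARA itself, and not code from the article's author) that emulates the core of YARA's matching model: text strings and a hex pattern with `??` wildcards are searched in a byte buffer, and a condition such as "2 of them" decides the verdict. The rule name, marker strings, hex pattern, and sample buffers are all constructed for illustration and are not taken from any real Emotet sample; a production rule would be written in YARA syntax and run with the real engine.

```python
"""Simplified emulation of YARA rule evaluation.  Added example for this
article; the rule content and sample bytes are constructed, not real
malware indicators.  Equivalent YARA sketch for orientation:

    rule Demo_Family_Strings {
        strings:
            $s1 = "CreateMutexW"
            $s2 = "cmd.exe /c"
            $h1 = { E8 ?? ?? ?? ?? 8B 45 }
        condition:
            2 of them
    }
"""
import re


def hex_pattern_to_regex(pattern):
    """Turn 'E8 ?? ?? 00 00' into a compiled bytes regex (?? = any byte)."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


RULE = {
    "name": "Demo_Family_Strings",          # hypothetical rule name
    "strings": {
        "$s1": b"CreateMutexW",             # constructed marker strings
        "$s2": b"cmd.exe /c",
        "$h1": hex_pattern_to_regex("E8 ?? ?? ?? ?? 8B 45"),
    },
    "condition": {"kind": "n_of_them", "n": 2},
}


def match_strings(rule, data):
    """Return the identifiers whose pattern occurs anywhere in data."""
    hits = []
    for ident, pat in rule["strings"].items():
        if isinstance(pat, bytes):
            if pat in data:
                hits.append(ident)
        elif pat.search(data):
            hits.append(ident)
    return hits


def evaluate(rule, data):
    """Apply the rule's condition to the string hits; returns (verdict, hits)."""
    hits = match_strings(rule, data)
    cond = rule["condition"]
    if cond["kind"] == "n_of_them":
        return len(hits) >= cond["n"], hits
    if cond["kind"] == "all_of_them":
        return len(hits) == len(rule["strings"]), hits
    raise ValueError("unsupported condition kind: %r" % cond["kind"])


# Constructed buffers: the first carries one text marker plus the hex
# pattern, the second carries only one text marker.
SAMPLE_HIT = b"\x00MZ" + b"CreateMutexW\x00" + b"\xe8\x10\x20\x30\x40\x8b\x45" + b"junk"
SAMPLE_MISS = b"MZ benign program text CreateMutexW only"

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        verdict, hits = evaluate(RULE, buf)
        print(name, "->", verdict, hits)
```

The point of the "N of them" condition is resilience: a family's packer may rename one string or recompile one routine, but a rule that keys on several independent code and string artifacts keeps matching, which is what moves the rule from the hash level toward the tools level of the pyramid.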

Sigma Rules: Platform-agnostic rules that match on log events to detect suspicious behavior, independent of any particular SIEM.

  • A Sigma rule can flag brute-force attacks by monitoring logs for repeated failed login attempts followed by a successful login.
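The brute-force pattern in the bullet above, implemented as detection logic over sample log lines: this is an added Python example written for this article, not a Sigma rule file and not code from the author. The log lines are constructed in a simplified Windows-security-log style (EventID 4625 for a failed logon, 4624 for a success; the field names are assumptions for the example). It correlates per source address and target user: five or more failures within ten minutes followed by a success raises an alert, while slow, spread-out failures or a single typo followed by a success do not.

```python
"""Sigma-style brute-force detection over constructed log lines: many
failed logons (4625) from one source, then a successful logon (4624) from
the same source and for the same user within a window.  Added example
for this article; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (simplified key=value style, not a real export).
LOG_LINES = """\
2024-05-03T08:00:01 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.0.45
2024-05-03T08:00:03 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.0.45
2024-05-03T08:00:05 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.0.45
2024-05-03T08:00:07 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.0.45
2024-05-03T08:00:09 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.0.45
2024-05-03T08:00:12 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.0.45
2024-05-03T08:01:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.7
2024-05-03T08:01:30 EventID=4624 TargetUserName=alice IpAddress=10.0.0.7
2024-05-03T09:00:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2024-05-03T09:20:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2024-05-03T09:40:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2024-05-03T10:00:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2024-05-03T10:20:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2024-05-03T10:22:00 EventID=4624 TargetUserName=bob IpAddress=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse lines into (timestamp, event_id, user, ip), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal
        events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]),
                       m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when >= threshold failures precede a success within window."""
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent 4625s
    alerts = []
    for ts, eid, user, ip in events:
        q = failures[(ip, user)]
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that aged out of the window
        if eid == 4625:
            q.append(ts)
        elif eid == 4624 and len(q) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(q),
                           "success_at": ts.isoformat()})
            q.clear()               # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(LOG_LINES)):
        print("possible brute force followed by success:", alert)
```

Keying the counter on both source address and target user is what separates password spraying (one source, many users) from a classic brute force (one source, one user); a second detector that counts distinct users per source over the same window would cover the spraying case.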

Making the Pyramid Work for You

By prioritizing higher levels of the Pyramid of Pain, defenders can disrupt attackers at their core. Hashes, IPs, and domains are fleeting and easily replaceable, but tools, artifacts, and TTPs represent investments that attackers cannot abandon without significant cost.
