Security Awareness

TryHackMe - Pyramid Of Pain Room

CSNP Team December 5, 2022

Learn about the Pyramid of Pain framework and how security professionals use it to understand the difficulty adversaries face when changing their attack indicators.

Content by Dan Rearden

The Pyramid of Pain is a well-known concept in cybersecurity, originally developed by security researcher David J. Bianco in 2013. It ranks the indicators defenders can act on by how much it costs an adversary to change them once they are detected and denied. The framework is applied in security products such as Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of CTI (Cyber Threat Intelligence), threat hunting, and incident response work.

Understanding the Pyramid of Pain concept as a Threat Hunter, Incident Responder, or SOC Analyst is important.

Task 1: Introduction

The pyramid stacks indicator types by how painful it is for an adversary to replace them when defenders act on them: hash values (trivial), IP addresses (easy), domain names (simple), host and network artifacts (annoying), tools (challenging), and TTPs (tough). The tasks below walk up the pyramid one level at a time. Understanding this ordering as a Threat Hunter, Incident Responder, or SOC Analyst is essential for prioritizing detection efforts: the higher the indicator sits, the longer a detection built on it keeps working.

Task 2: Hash Values (Trivial)

As per Microsoft, a hash value is a numeric value of a fixed length that uniquely identifies data. A hash value is the output of a hashing algorithm. The following are some of the most common hashing algorithms:

  • MD5 (Message Digest) - Defined by RFC 1321, designed by Ron Rivest in 1992. It is a widely used cryptographic hash function with a 128-bit hash value.
  • SHA-1 (Secure Hash Algorithm 1) - Defined by RFC 3174. SHA-1 takes an input and produces a 160-bit hash value, written as a 40-digit hexadecimal number. NIST deprecated the use of SHA-1 in 2011 and disallowed its use for digital signatures; a practical collision (SHAttered) was published in 2017.
  • SHA-2 (Secure Hash Algorithm 2) - Designed by The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). The SHA-256 member of the family returns a 256-bit hash value, written as a 64-digit hexadecimal number.

A hash function is no longer considered cryptographically secure once two different inputs can be made to produce the same hash value or digest (a collision). MD5 and SHA-1 are both in this state, which is why SHA-256 is the usual choice when sharing file hashes as indicators.

Various online services can be used for hash lookups, such as VirusTotal and Metadefender Cloud (OPSWAT).

For an attacker, modifying a file by even a single bit is trivial, and doing so produces a completely different hash value. With so many variants and instances of known malware or ransomware, threat hunting that relies on file hashes as the IOC (Indicator of Compromise) quickly becomes a losing race: a hash only ever matches the exact sample it was taken from.

Task 2 Questions

Q: Analyse the report associated with the hash "b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d". What is the filename of the sample?

A: Sales_Receipt 5606.xls

Task 3: IP Address (Easy)

An IP address is used to identify any device connected to a network. We rely on IP addresses to send and receive information over the network.

In the Pyramid of Pain, IP addresses are indicated with the color green. From a defense standpoint, knowledge of the IP addresses an adversary uses can be valuable. A common defense tactic is to block, drop, or deny inbound requests from those IP addresses on your perimeter or external firewall.

One of the ways an adversary can make it challenging to successfully carry out IP blocking is by using Fast Flux.

According to Akamai, Fast Flux is a DNS technique used by botnets to hide phishing, web proxying, malware delivery, and malware communication activities behind compromised hosts acting as proxies. The purpose of a Fast Flux network is to make the communication between malware and its command and control server (C&C) difficult for security professionals to discover.

The primary concept of a Fast Flux network is that a single domain name has many IP addresses associated with it, and that set of addresses changes constantly (the DNS answers carry short TTLs), so blocking any one address barely affects the operation.
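The resolver-log view of that behaviour is what a hunter can actually search for. The following is an added example for this article (not code from the TryHackMe room): it reads constructed passive-DNS style records and flags names that resolve to many addresses across many networks with short TTLs. The three thresholds are assumptions to tune against your own resolver logs.

```python
"""Flag domains whose DNS answers look like fast-flux: many distinct IPs, spread
across many networks, handed out with short TTLs.

Added example for this article, not the TryHackMe room's material. The log
lines below are constructed; the thresholds are assumptions you would tune
against your own resolver logs.
"""
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records: "<epoch> <qname> <A record> <ttl>".
SAMPLE_LOG = """\
1670000000 updates.example-cdn.net 203.0.113.10 3600
1670000600 updates.example-cdn.net 203.0.113.11 3600
1670000000 login-verify.example 198.51.100.7 60
1670000060 login-verify.example 203.0.113.99 60
1670000120 login-verify.example 192.0.2.45 60
1670000180 login-verify.example 198.51.100.201 60
1670000240 login-verify.example 192.0.2.130 60
1670000300 login-verify.example 203.0.113.8 60
1670000360 login-verify.example 198.51.100.90 60
"""

# Assumed thresholds: tune against your own resolver logs.
MIN_UNIQUE_IPS = 5     # distinct A records seen for one name
MIN_UNIQUE_NETS = 3    # distinct /16 prefixes (rough stand-in for distinct ASNs)
MAX_TTL = 300          # seconds; fast-flux answers rotate quickly


def parse_records(text: str) -> list:
    """Turn the log into (ts, qname, ip, ttl) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, qname, ip, ttl = parts
        try:
            records.append((int(ts), qname.lower(), ipaddress.ip_address(ip), int(ttl)))
        except ValueError:
            continue  # bad IP or integer: ignore rather than crash the hunt
    return records


def summarize(records: list) -> dict:
    """Per-domain view: unique IPs, unique /16 networks, lowest TTL, answer count."""
    per_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "answers": 0})
    for _ts, qname, ip, ttl in records:
        d = per_domain[qname]
        d["ips"].add(ip)
        d["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        d["answers"] += 1
    return dict(per_domain)


def fast_flux_candidates(records: list) -> dict:
    """Return {domain: reasons} for every domain that trips all three heuristics."""
    flagged = {}
    for qname, d in summarize(records).items():
        reasons = []
        if len(d["ips"]) >= MIN_UNIQUE_IPS:
            reasons.append(f"{len(d['ips'])} unique IPs")
        if len(d["nets"]) >= MIN_UNIQUE_NETS:
            reasons.append(f"{len(d['nets'])} distinct /16 networks")
        if d["min_ttl"] is not None and d["min_ttl"] <= MAX_TTL:
            reasons.append(f"TTL as low as {d['min_ttl']}s")
        if len(reasons) == 3:
            flagged[qname] = reasons
    return flagged


if __name__ == "__main__":
    for domain, why in fast_flux_candidates(parse_records(SAMPLE_LOG)).items():
        print(f"{domain}: {', '.join(why)}")
```

Run it and only login-verify.example is reported. Keep the caveat in mind that a large CDN also answers with many addresses and low TTLs, so treat a hit as a lead to enrich (WHOIS age, registrar, hosting) rather than a verdict, and feed the confirmed IPs to the perimeter block list described above.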

Task 3 Questions

Q: What is the first IP address the malicious process (PID 1632) attempts to communicate with?

A: 50.87.136.52

Q: What is the first domain name the malicious process (PID 1632) attempts to communicate with?

A: craftingalegacy.com

Task 4: Domain Names (Simple)

Domain Names can be thought of as a mapping from a string of text to an IP address. A domain name can consist of a domain and a top-level domain (evilcorp.com) or a sub-domain followed by a domain and top-level domain (tryhackme.evilcorp.com).

To detect malicious domains, proxy logs or web server logs can be used.

Attackers often hide malicious domains behind URL Shorteners. A URL Shortener is a service that creates a short, unique URL which redirects to whatever destination was specified when the short link was created, so the victim never sees the real domain in the message. According to Cofense, attackers use the following URL Shortening services to generate malicious links: bit.ly, goo.gl, ow.ly, s.id, smarturl.it, tiny.pl, tinyurl.com, x.co

You can see the actual website a shortened link redirects to without following it: for bit.ly links, append "+" to the URL; TinyURL exposes the same information through its preview subdomain (preview.tinyurl.com/<id>). Check the shortener's own documentation, as these preview features change over time.
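Put together, the triage steps in this task (split the host into its parts, recognise a shortener and build its preview link, and decode Punycode labels to expose the homograph attack asked about in the questions) fit in a short script. This is an added example for this article, not code from the TryHackMe room. The tinyurl id is the one from the task question; the bit.ly id and the other hosts are constructed, and the preview-URL forms for bit.ly and TinyURL are assumptions about those services.

```python
"""Triage a URL: split the host, spot URL-shortener links and build their
preview URL, and decode Punycode (xn--) labels to expose look-alike domains.

Added example for this article, not the TryHackMe room's code. Sample URLs are
constructed except the tinyurl id from the task; preview forms are assumptions.
"""
import unicodedata
from urllib.parse import urlsplit

# Shortener hosts listed in the article (from Cofense).
SHORTENERS = {"bit.ly", "goo.gl", "ow.ly", "s.id", "smarturl.it",
              "tiny.pl", "tinyurl.com", "x.co"}


def split_host(host: str) -> dict:
    """Naive split: last two labels are domain + TLD, the rest is the sub-domain.
    Production code should consult the Public Suffix List (think example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return {"subdomain": ".".join(labels[:-2]), "domain": ".".join(labels[-2:])}


def preview_url(url: str):
    """Preview link that reveals a shortener's destination without following it,
    or None when the host is not a known shortener."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in SHORTENERS:
        return None
    if host == "tinyurl.com":
        return f"https://preview.tinyurl.com{parts.path}"  # assumed TinyURL preview form
    return url + "+"  # the "+" trick described in the text (bit.ly style)


def decode_label(label: str) -> str:
    """Decode an xn-- label with the stdlib punycode codec; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def homograph_check(host: str) -> dict:
    """Decode every label and report which Unicode scripts its letters come from.
    A label that mixes, say, CYRILLIC and LATIN is the classic Punycode look-alike."""
    decoded = ".".join(decode_label(label) for label in host.split("."))
    scripts = set()
    for ch in decoded:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "?").split()[0])  # e.g. LATIN, CYRILLIC
    return {"decoded": decoded, "scripts": sorted(scripts), "mixed_scripts": len(scripts) > 1}


def triage(url: str) -> dict:
    host = (urlsplit(url).hostname or "").lower()
    result = {"host": host, **split_host(host), "preview": preview_url(url)}
    result.update(homograph_check(host))
    return result


SAMPLE_URLS = [
    "https://tinyurl.com/bw7t8p4u",           # shortened link from the task question
    "https://bit.ly/3xyzABC",                  # constructed bit.ly id
    "https://tryhackme.evilcorp.com/update",   # sub-domain example from the text
    "https://xn--pple-43d.com/login",          # "apple" spelled with a Cyrillic first letter
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage(u))
```

The last sample URL is the point of the "Punycode attack" question: the browser shows it as apple.com with one Cyrillic letter, while logs and block lists only ever see xn--pple-43d.com, so any domain-based rule has to match on the ASCII form.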

Viewing Connections in Any.run

Because Any.run is a sandboxing service that executes (detonates) the sample, we can review every connection it makes: HTTP requests, DNS requests, and processes communicating with an IP address.

  • HTTP Requests: This tab shows the recorded HTTP requests since the detonation of the sample. This can be useful to see what resources are being retrieved from a webserver, such as a dropper or a callback.
  • Connections: This tab shows any communications made since the detonation of the sample. This can be useful to see if a process communicates with another host. For example, this could be C2 traffic, uploading/downloading files over FTP, etc.
  • DNS Requests: This tab shows the DNS requests made since the detonation of the sample. Malware often makes DNS requests to check for internet connectivity and to resolve its C2 domains, which is where the domain-name indicators for this task come from.

Task 4 Questions

Q: Provide the first suspicious domain request you are seeing in the Any.run report.

A: craftingalegacy.com

Q: What term refers to an address used to access websites?

A: Domain Name

Q: What type of attack uses Unicode characters in the domain name to imitate a known domain?

A: Punycode attack

Q: Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u

A: https://tryhackme.com/

Task 5: Host Artifacts (Annoying)

Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.

Task 5 Questions

Q: A process named regidle.exe makes a POST request to an IP address based in the United States (US) on port 8080. What is the IP address?

A: 96.126.101.6

Q: The actor drops a malicious executable (EXE). What is the name of this executable?

A: G_jugk.exe

Q: Look at this report by VirusTotal. How many vendors determine this host to be malicious?

A: 9

Task 6: Network Artifacts (Annoying)

Network Artifacts also belong to the yellow zone in the Pyramid of Pain. If you can detect and respond to these, the attacker has to go back and change their tactics or modify their tools, which takes them time and gives you more time to detect the next attempt or remediate the current one.

A network artifact can be a User-Agent string, C2 information, or the URI patterns used in HTTP POST requests. An attacker might use a User-Agent string that has never been observed in your environment before or that seems out of the ordinary. The User-Agent is defined by RFC 2616 (now superseded by RFC 9110) as the request-header field that contains information about the user agent originating the request.

Network artifacts can be found in PCAPs (files containing captured packet data) using a network protocol analyzer such as Wireshark or its command-line counterpart TShark, or by reviewing IDS (Intrusion Detection System) logs from a source such as Snort.

Using TShark for Analysis

Let's use TShark to list the host and User-Agent of every HTTP request in a capture. The display filter is given with a single-dash -Y, and -T fields with one -e per field prints only the named fields, tab-separated:

tshark -Y http.request -T fields -e http.host -e http.user_agent -r analysis_file.pcap
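That output is easy to post-process. The following is an added example for this article (not the room's code): it parses constructed tshark field output, reports User-Agent strings absent from an assumed baseline of agents already seen in the environment, counts the POST requests, and surfaces a URI that is POSTed to repeatedly. The capture lines, hosts, and URIs are made up, and the extra -e fields assumed in the lead comment are real tshark field names.

```python
"""Hunt network artifacts in tshark field output: User-Agent strings never seen
in the environment before, and the POST requests they make.

Added example for this article, not the TryHackMe room's code. TSHARK_OUTPUT
is constructed to mimic the tab-separated lines from
  tshark -Y http.request -T fields -e http.request.method -e http.host \
         -e http.user_agent -e http.request.uri -r analysis_file.pcap
and BASELINE_AGENTS is an assumed allow-list of agents your proxy logs already
know. Hosts and URIs in the sample are made up.
"""
from collections import Counter

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")
OLD_IE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
SCRIPT = "python-requests/2.28.1"

TSHARK_OUTPUT = "\n".join([
    f"GET\tintranet.example.corp\t{CHROME}\t/",
    f"GET\tintranet.example.corp\t{CHROME}\t/news.html",
    f"POST\tintranet.example.corp\t{CHROME}\t/api/login",
    f"POST\t198.51.100.23:8080\t{OLD_IE}\t/gate.php",
    f"POST\t198.51.100.23:8080\t{OLD_IE}\t/gate.php",
    f"GET\tcdn.example.net\t{CHROME}\t/app.js",
    f"POST\t198.51.100.23:8080\t{OLD_IE}\t/gate.php",
    f"GET\t203.0.113.7\t{SCRIPT}\t/stage2.bin",
    f"POST\t198.51.100.23:8080\t{OLD_IE}\t/gate.php",
    "GET\t\t\t/",   # request with no Host or User-Agent header: fields come out empty
])

BASELINE_AGENTS = {CHROME}  # assumed: what your environment normally sends


def parse_tshark_fields(text: str) -> list:
    """One dict per request line; lines with an unexpected column count are skipped."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 4:
            continue
        method, host, agent, uri = cols
        rows.append({"method": method, "host": host, "agent": agent, "uri": uri})
    return rows


def agent_family(agent: str) -> str:
    """Coarse classification of the product behind a User-Agent string."""
    if not agent:
        return "missing"
    if "MSIE" in agent or "Trident/" in agent:
        return "Internet Explorer"
    if "Chrome/" in agent:
        return "Chrome"
    if agent.startswith("python-requests/"):
        return "python-requests"
    return "other"


def unknown_agents(rows: list, baseline=BASELINE_AGENTS) -> dict:
    """Agents not in the baseline with hit counts: the 'never seen here' artifacts.
    An empty agent counts as unknown too; browsers always send one."""
    return dict(Counter(r["agent"] for r in rows if r["agent"] not in baseline))


def post_requests(rows: list) -> list:
    """(host, uri, agent family) for every POST, the requests that carry data out."""
    return [(r["host"], r["uri"], agent_family(r["agent"])) for r in rows if r["method"] == "POST"]


def beaconing_uris(rows: list, min_hits: int = 3) -> dict:
    """Same (host, uri) POSTed repeatedly: a URI-pattern artifact worth a detection rule."""
    c = Counter((r["host"], r["uri"]) for r in rows if r["method"] == "POST")
    return {k: v for k, v in c.items() if v >= min_hits}


if __name__ == "__main__":
    rows = parse_tshark_fields(TSHARK_OUTPUT)
    print("unknown agents:", unknown_agents(rows))
    print("POSTs:", post_requests(rows))
    print("repeated POST targets:", beaconing_uris(rows))
```

The repeated POSTs to one URI from an Internet Explorer 7 agent on a Windows 10 estate are exactly the kind of artifact the text means: the attacker can rotate the IP and domain cheaply, but changing the User-Agent and URI scheme means touching the implant itself.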

Task 6 Questions

Q: What browser uses the User-Agent string shown in the screenshot?

A: Internet Explorer

Q: How many POST requests are in the screenshot from the pcap file?

A: 6

Task 7: Tools (Challenging)

At this level the indicator is the attacker's tooling itself: the utilities used to build malicious macro documents (maldocs) for spearphishing, the backdoor used to establish C2 (Command and Control) infrastructure, custom .EXE and .DLL files, payloads, and password crackers. Replacing these costs real development time, which is why the level is rated challenging.

Antivirus signatures, detection rules, and YARA rules can be great weapons for you to use against attackers at this stage.

MalwareBazaar and Malshare are good resources to provide you with access to the samples, malicious feeds, and YARA results - these all can be very helpful when it comes to threat hunting and incident response.

For detection rules, SOC Prime Threat Detection Marketplace is a great platform, where security professionals share their detection rules for different kinds of threats including the latest CVEs that are being exploited in the wild by adversaries.

Fuzzy hashing is also a strong weapon against the attacker's tools. Where a cryptographic hash changes completely after a single-bit edit, a fuzzy hash supports similarity analysis: it matches two files that differ only slightly by comparing their fuzzy hash values. One example of a fuzzy hashing tool is ssdeep.
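The following block is an added example for this article that ties Task 2 and this task together: it shows the cryptographic digests of a file changing completely after a one-bit flip, while a small context triggered piecewise hash (CTPH) still scores the flipped file, and a file with 256 bytes inserted, as near-identical. It is not the room's code and is not ssdeep-compatible; it borrows ssdeep's rolling-hash design but uses FNV-1a for the piece hash and difflib for the comparison. The sample "files" are constructed in memory from a seeded PRNG.

```python
"""Exact hashes versus fuzzy (context triggered piecewise) hashes.

Added example for this article; it is not the TryHackMe room's code and is
not ssdeep-compatible, just a small CTPH in the same spirit (ssdeep-style
rolling hash, FNV-1a piece hash, one base64 character per piece). The sample
"files" are constructed in memory from a seeded PRNG.
"""
import difflib
import hashlib
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7      # bytes the rolling hash looks at, as in ssdeep
SIG_LEN = 64    # target signature length, used to pick the block size


def exact_hashes(data: bytes) -> dict:
    """Cryptographic digests: flipping one bit changes every one of them."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def _rolling_hashes(data: bytes):
    """Yield a rolling hash for every byte. It depends only on the last WINDOW
    bytes, so a local edit only disturbs piece boundaries near the edit."""
    win = [0] * WINDOW
    h1 = h2 = h3 = 0
    for i, c in enumerate(data):
        h2 = h2 - h1 + WINDOW * c
        h1 = h1 + c - win[i % WINDOW]
        win[i % WINDOW] = c
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF
        yield (h1 + h2 + h3) & 0xFFFFFFFF


def _fnv1a(piece: bytes) -> int:
    """32-bit FNV-1a over one piece."""
    h = 0x811C9DC5
    for c in piece:
        h = ((h ^ c) * 0x01000193) & 0xFFFFFFFF
    return h


def _block_size(length: int) -> int:
    """Smallest block size that keeps the signature near SIG_LEN characters."""
    bs = 3
    while bs * SIG_LEN < length:
        bs *= 2
    return bs


def fuzzy_hash(data: bytes) -> str:
    """'blocksize:signature'. A new piece starts whenever the rolling hash hits a
    trigger value, so boundaries are chosen by content, not by fixed offsets."""
    bs = _block_size(len(data))
    sig, start = [], 0
    for i, rh in enumerate(_rolling_hashes(data)):
        if rh % bs == bs - 1:
            sig.append(B64[_fnv1a(data[start:i + 1]) & 63])
            start = i + 1
    if start < len(data):
        sig.append(B64[_fnv1a(data[start:]) & 63])
    return f"{bs}:{''.join(sig)}"


def fuzzy_compare(a: str, b: str) -> int:
    """0..100 similarity of two fuzzy hashes. Signatures built with different
    block sizes are not comparable (ssdeep also retries at bs*2; omitted here)."""
    bs_a, sig_a = a.split(":", 1)
    bs_b, sig_b = b.split(":", 1)
    if bs_a != bs_b:
        return 0
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())


def build_samples() -> dict:
    """Constructed test files: an original, a one-bit variant, a variant with 256
    bytes inserted in the middle, and an unrelated file of the same size."""
    rng = random.Random(1337)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    flipped = bytearray(original)
    flipped[2048] ^= 0x01  # the single-bit change from the text
    inserted = original[:2048] + bytes(rng.getrandbits(8) for _ in range(256)) + original[2048:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    return {"original": original, "flipped": bytes(flipped),
            "inserted": inserted, "unrelated": unrelated}


def compare_all(samples: dict) -> dict:
    """For each variant: does the SHA-256 still match, and what is the fuzzy score?"""
    base_exact = exact_hashes(samples["original"])["sha256"]
    base_fuzzy = fuzzy_hash(samples["original"])
    return {name: {"sha256_match": exact_hashes(blob)["sha256"] == base_exact,
                   "fuzzy_score": fuzzy_compare(base_fuzzy, fuzzy_hash(blob))}
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, r in compare_all(build_samples()).items():
        print(f"{name:9s} sha256 match={r['sha256_match']!s:5s} fuzzy={r['fuzzy_score']}")
```

Only the unmodified original still matches on SHA-256, while the one-bit and inserted variants keep a high fuzzy score and the unrelated file scores low. That is the whole argument for using ssdeep-style hashes against an attacker's tools: repacking or patching a binary defeats the exact hash but usually not the similarity match. In production use the real ssdeep (or TLSH) rather than this illustration.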

Task 7 Questions

Q: Provide the method used to determine similarity between the files.

A: Fuzzy Hashing

Q: Provide the alternative name for fuzzy hashes without the abbreviation.

A: context triggered piecewise hashes

Task 8: TTPs (Tough)

TTPs stands for Tactics, Techniques & Procedures: every step an adversary takes to achieve their goal, from the initial phishing attempt through persistence to data exfiltration. The MITRE ATT&CK Matrix catalogues these techniques, so it is the reference to map observed behaviour against.

If you can detect and respond to TTPs quickly, you force the adversary to re-engineer their whole approach rather than swap out an indicator, which leaves them almost no room to fight back.

For example, if you can detect a Pass-the-Hash attack through Windows Event Log monitoring and remediate it, you can find the compromised host very quickly and stop lateral movement inside your network.

Task 8 Questions

Q: Navigate to ATT&CK Matrix webpage. How many techniques fall under the Exfiltration category?

A: 9

Q: Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?

A: Cobalt Strike

Task 9: Practical - The Pyramid of Pain

In this practical exercise, you'll apply your knowledge of the Pyramid of Pain by completing a static site challenge.

Task 9 Questions

Q: Complete the static site. What is the flag?

A: THM{PYRAMIDS_COMPLETE}

Conclusion

The Pyramid of Pain reminds us that not all indicators are created equal. By focusing detection efforts on TTPs and tools rather than on easily changed hash values and IP addresses, we can build more resilient defenses that genuinely disrupt adversary operations. Understanding where each indicator type falls on the pyramid helps security teams prioritize their threat hunting and incident response activities for maximum effect.

