The Pyramid of Pain is a threat hunting cookbook used by threat hunters to investigate and identify cyber threats; it combines multiple approaches into a single map of the hunting path.
"The Pyramid of Pain was created by a security professional, David J Bianco, in 2013, while he was threat hunting and working on incident response."
In general, the Pyramid of Pain is a checklist that describes in detail the path of a threat hunting investigation, covering adversaries' behaviors, tactics, techniques, and the tools used in cyber attacks.
Hash Values
IP Address
Domain Name
Network Artifacts / Host Artifacts
Tools
TTP
Hash Values
Determining maliciousness based on file hashes.
A file hash is a unique string computed by a hashing algorithm for any file on the computer; hashes are used to monitor file integrity and to identify known malicious files.
Hunting difficulty: Trivial
IP Address
Determining maliciousness based on IP reputation.
Many intruders keep trying to establish a reliable connection with the target system; investigating inbound connections by source IP and their behavior helps the threat hunter identify suspicious IP addresses.
Hunting difficulty: Easy
Domain Names
Determining maliciousness based on domain name or website reputation.
Attackers commonly clone or host malicious websites and trick users into visiting them and downloading malicious files; hunting on the domains or websites users have visited helps identify suspicious domain names.
Hunting difficulty: Simple
Network Artifacts
Determining maliciousness based on network traffic and communication.
Investigating network communication such as URI patterns, SMTP mailer values, and HTTP user agents to identify suspicious behavior.
Hunting difficulty: Annoying
Host Artifacts
Determining maliciousness based on host-based behavior.
Investigating host behavior such as registry value modification, process injection, and new process creation to identify suspicious activity on the host.
Hunting difficulty: Annoying
Tools
Determining maliciousness based on the adversaries' tools.
Investigating various patterns to determine the tools (e.g. Nmap, Mimikatz) used by adversaries.
Hunting difficulty: Challenging
TTP
Determining maliciousness based on TTPs.
TTP --> Tactics, Techniques, and Procedures
Investigating and determining the various TTPs (Tactics, Techniques, and Procedures) of the attack.
Hunting difficulty: Tough
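The following is an added example, not part of the original post, showing why the bottom of the pyramid is "Trivial" for an adversary to evade while host artifacts and TTPs are not: the payload bytes, the blocklist, and the host events are all constructed sample data, and the process, parent and registry names are assumptions chosen for illustration.

```python
import hashlib

# Pyramid of Pain levels with the hunting difficulty labels used in the post,
# from the bottom (cheap for the adversary to change) to the top (costly).
LEVELS = {
    "hash": "Trivial",
    "ip": "Easy",
    "domain": "Simple",
    "network_artifact": "Annoying",
    "host_artifact": "Annoying",
    "tool": "Challenging",
    "ttp": "Tough",
}

# Constructed sample: a "malicious" payload and a variant that differs by a
# single appended byte, which is all it takes to defeat a hash indicator.
ORIGINAL = b"MZ...constructed sample payload..."
VARIANT = ORIGINAL + b"\x00"
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}

def hash_match(payload: bytes) -> bool:
    """Hash-level hunt: exact SHA-256 match against a blocklist."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD_HASHES

# Constructed host-artifact events: a mail client spawning a script host that
# writes an autorun registry key (a persistence pattern that survives rehashing).
EVENTS = [
    {"parent": "outlook.exe", "process": "wscript.exe",
     "reg_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"parent": "explorer.exe", "process": "notepad.exe", "reg_key": None},
]

def behaviour_match(event: dict) -> bool:
    """Host-artifact/TTP-level hunt: a script host spawned by an Office client
    that also modifies an autorun (Run) registry key."""
    scripting = event["process"].lower() in {"wscript.exe", "cscript.exe", "powershell.exe"}
    office_parent = event["parent"].lower() in {"outlook.exe", "winword.exe", "excel.exe"}
    persistence = bool(event["reg_key"]) and event["reg_key"].endswith("\\Run")
    return scripting and office_parent and persistence

def hunt(payloads, events):
    """Return (difficulty label, number of hits) for each hunt level applied."""
    return {
        "hash": (LEVELS["hash"], sum(hash_match(p) for p in payloads)),
        "host_artifact": (LEVELS["host_artifact"], sum(behaviour_match(e) for e in events)),
    }
```

Running hunt([ORIGINAL, VARIANT], EVENTS) shows the hash rule catching only the unmodified payload while the behavioral rule still flags the persistence event regardless of which payload variant was used.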