
Pyramid of pain



The Pyramid of Pain is a threat hunting cookbook used by threat hunters to investigate and identify cyber threats; it combines multiple approaches to mapping the hunting path and looping back through it.


"The Pyramid of Pain was created by a security professional, David J Bianco, in 2013, while he was threat hunting and working on incident response."

In general, the Pyramid of Pain is a checklist that describes in detail the path of a threat hunting investigation, covering the adversary's behaviours, tactics, techniques, and the tools used in the cyber attack.


  1. Hash Values

  2. IP Address

  3. Domain Name

  4. Network Artifacts / Host Artifacts

  5. Tools

  6. TTP

Hash Values

Determining maliciousness based on file hashes.


A file hash is a unique string generated by a hashing algorithm from the contents of a file on the computer; this technique is used to monitor file integrity and also to identify known malicious files.


Hunting difficulty: Trivial



IP Address

Determining maliciousness based on IP reputation.


Many intruders keep trying to establish a reliable connection with the target system; investigating inbound connections and their behaviour by IP address helps the threat hunter identify suspicious IPs.


Hunting difficulty: Easy


Domain Names

Determining maliciousness based on domain name or website reputation.


Generally, attackers keep replicating or hosting malicious websites and trick users into visiting them and downloading malicious files; investigating or hunting based on the domains or websites visited by the user helps determine the suspicious domain names.


Hunting difficulty: Simple


Network Artifacts

Determining maliciousness based on network traffic/communication.


Investigating network communication such as URI patterns, SMTP mailer values, and HTTP user agents, and determining the suspicious behaviours.


Hunting difficulty: Annoying


Host Artifacts

Determining maliciousness based on host-based behaviours.


Investigating host behaviour such as registry value modification, process injection, and new process creation to determine suspicious host behaviours.


Hunting difficulty: Annoying


Tools

Determining maliciousness based on adversaries' tools.


Investigating the various patterns and determining the tools [Nmap, Mimikatz, etc.] used by adversaries.


Hunting difficulty: Challenging


TTP

Determining maliciousness based on TTPs.


TTP --> Tactics, Techniques, and Procedures


Investigating and determining the various TTPs [Tactics, Techniques, and Procedures] of the attack.


Hunting difficulty: Tough
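As an added example (not code from the original post), a small Python triage helper that sorts a mixed indicator feed by Pyramid of Pain level, so the hunter spends time on the durable indicators first, and shows why a hash indicator is the cheapest one for an adversary to escape. The indicator formats, the `tool:` prefix and the ATT&CK-style technique IDs used to recognise TTPs are assumptions made for this example.

```python
import hashlib
import ipaddress
import re

# Pyramid of Pain levels in the post's order: least pain for the adversary first.
LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Assumed formats: MD5/SHA-1/SHA-256 hex digests, ATT&CK-style technique IDs (T1055),
# and a "tool:" prefix for tool names. Anything else is treated as an artifact.
HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")
TTP_RE = re.compile(r"T\d{4}(\.\d{3})?")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, the kind of value a hash blocklist stores."""
    return hashlib.sha256(data).hexdigest()


def classify_indicator(value: str) -> str:
    """Map one raw indicator string to its Pyramid of Pain level."""
    if HASH_RE.fullmatch(value):
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(value.lower()):
        return "domain"
    if TTP_RE.fullmatch(value.upper()):
        return "ttp"
    if value.lower().startswith("tool:"):
        return "tool"
    return "artifact"  # user agent, URI pattern, registry value, mailer string, ...


def prioritize(indicators):
    """Order indicators so the highest-pain (most durable) ones come first."""
    return sorted(indicators,
                  key=lambda v: LEVELS.index(classify_indicator(v)),
                  reverse=True)


def hash_survives_change(sample: bytes) -> bool:
    """Does a hash indicator still match after a single appended byte? Never."""
    return sha256_hex(sample) == sha256_hex(sample + b"\x00")
```

Feed a constructed list such as `["ab" * 16, "203.0.113.7", "evil.example", "T1055", "tool:mimikatz"]` to `prioritize()` and the technique ID comes out first, the hash last; `hash_survives_change()` returns False for any input, which is the whole reason hashes sit at the bottom.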


What would be your most challenging part of hunting?

  • Hash

  • IP

  • Network / Host Based

  • Domain Based




