What is the Pyramid of Pain?
The Pyramid of Pain, created by David Bianco in 2013, is a conceptual framework that classifies indicators of compromise (IOCs) into six levels according to how much pain it causes an attacker to change them once the defender detects and blocks them.
The premise is simple but powerful: not all IOCs are equally useful. Blocking an IP is trivial for an attacker — they just change the server — but detecting and countering their Tactics, Techniques and Procedures (TTPs) forces them to completely rethink their operation.
The 6 levels of the pyramid
1. Hash Values (trivial)
Cryptographic hashes (MD5, SHA1, SHA256) of malicious files are the most basic IOC. They are easy to use in detection rules but also the easiest to evade: an attacker only needs to change a single byte of the file to produce a different hash.
# Example: look up a hash on VirusTotal
curl "https://www.virustotal.com/api/v3/files/{hash}" \
    -H "x-apikey: TU_API_KEY"
2. IP Addresses (easy)
IP addresses for C2 servers, droppers or exfiltration are slightly more costly to change (infrastructure must be redirected), but they are still cheap. Sophisticated actors use fast-flux DNS or cloud infrastructure to rotate IPs automatically.
3. Domain Names (simple)
Domains are somewhat more painful because registering and configuring new domains has a time and financial cost. However, with domain generation algorithms (DGA) or cheap domain providers, attackers can rotate domains with relative ease.
4. Network/Host Artifacts (annoying)
Network and host artifacts include specific User-Agents, registry paths, filenames in particular locations, and network traffic patterns. Changing them requires the attacker to modify their tooling, which consumes development time.
5. Tools (challenging)
The tools used by the attacker — Mimikatz, Cobalt Strike, BloodHound — have characteristic signatures that are very difficult to fully remove without rewriting the tool. Detecting the use of these tools forces the attacker to invest in developing custom malware, which is costly and slow.
# Sigma rule example: detect Mimikatz by process name
title: Mimikatz Execution
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\mimikatz.exe'
    condition: selection
6. TTPs (tough)
The attacker's Tactics, Techniques and Procedures — mapped in the MITRE ATT&CK framework — are the highest and most valuable level for the defender. These are the adversary's behavioral patterns: how they move laterally, how they establish persistence, how they exfiltrate data. Changing these patterns requires retraining the attack team and completely changing their methodology.
Practical application in the SOC
In practice, the Pyramid of Pain helps to prioritize detection investments:
- Don't allocate excessive resources to reactively blocking IPs or hashes
- Invest in behavioral detection (behavioral analytics) focused on TTPs
- Use MITRE ATT&CK to map your current detection coverage
- Build SIEM and EDR rules oriented toward detecting actions, not artifacts
A rule that detects "process execution with LSASS dump" (a TTP) is far more durable than one that looks for the hash of mimikatz.exe.
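The same contrast in working detection logic, as an added example that is not code from the original post: three detectors, one per pyramid level, run over a constructed stream of Sysmon-style events. The event fields mimic Sysmon Event ID 1 (process creation) and Event ID 10 (process access), and the hashes, paths and event values are assumptions made up for the demo.

```python
# Added example: hash-, tool-name- and behaviour-based detection over
# constructed Sysmon-style events (field names are assumptions).

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Constructed indicators for the lower pyramid levels (placeholder SHA256).
KNOWN_BAD_HASHES = {"1" * 64}
TOOL_IMAGE_SUFFIXES = ("\\mimikatz.exe",)

# Constructed event stream: the original tool, then a renamed copy with one
# byte changed that still reads LSASS memory, then a benign LSASS query.
EVENTS = [
    {"id": 1, "EventID": 1, "Image": "C:\\Tools\\mimikatz.exe", "SHA256": "1" * 64},
    {"id": 2, "EventID": 1, "Image": "C:\\Users\\Public\\svc_update.exe", "SHA256": "2" * 64},
    {"id": 3, "EventID": 10, "SourceImage": "C:\\Users\\Public\\svc_update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 4, "EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"},
]


def detect_by_hash(events):
    """Level 1 (hash): matches only the exact file; one changed byte evades it."""
    return [e["id"] for e in events
            if e["EventID"] == 1 and e.get("SHA256") in KNOWN_BAD_HASHES]


def detect_by_tool_name(events):
    """Level 5 (tool), like the Sigma rule above: matches the image name only."""
    return [e["id"] for e in events
            if e["EventID"] == 1 and e["Image"].lower().endswith(TOOL_IMAGE_SUFFIXES)]


def detect_lsass_memory_read(events):
    """Level 6 (TTP): any process opening lsass.exe with PROCESS_VM_READ,
    whatever its name or hash. Production rules would add an allowlist of
    known security products that legitimately read LSASS."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append(e["id"])
    return hits


def run_all(events):
    return {"hash": detect_by_hash(events),
            "tool": detect_by_tool_name(events),
            "ttp": detect_lsass_memory_read(events)}


if __name__ == "__main__":
    for level, ids in run_all(EVENTS).items():
        print(f"{level:>4}: events {ids}")
```

The hash and name rules fire only on event 1; the renamed copy (event 2) slips past both, but its LSASS memory read (event 3) is caught by the behavioural rule, while the benign query in event 4 (no VM_READ bit) is not.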
Conclusion
The Pyramid of Pain is a simple but highly effective mental tool for any SOC analyst. Next time you configure a detection rule, ask yourself: what level of the pyramid am I operating at? If you're always at the lower levels (hashes, IPs), your detection program can be significantly improved.