Pyramid of Pain

The Pyramid of Pain is a concept used in cybersecurity to prioritize and categorize different types of threat intelligence. It is a framework that helps security professionals understand the value and usefulness of different types of information and how to prioritize their efforts accordingly.

The Pyramid of Pain is divided into four levels, each representing different types of information and their relative value in terms of detecting and preventing cyber-attacks.

At the base of the pyramid, there are indicators of compromise (IOCs). These are specific pieces of information that are associated with a known threat, such as IP addresses, domain names, and hashes of known malware. IOCs are relatively easy to obtain and are often included in threat intelligence feeds and reports. While IOCs can be useful for detecting known threats, they have limited value in detecting unknown or sophisticated threats.

Above IOCs are tactics, techniques, and procedures (TTPs). TTPs are the methods and strategies attackers use to carry out their attacks. They are often associated with specific threat actors or groups and can be used to identify patterns of behavior that help anticipate future attacks. TTPs are more difficult to obtain than IOCs, but they can be more useful in detecting and preventing both known and unknown threats.

The third level of the pyramid consists of tools, infrastructure, and behaviors (TIBs). TIBs are the physical and virtual assets attackers use to carry out their attacks, such as command and control servers, malware, and phishing emails. By analyzing TIBs, security professionals can gain insight into the methods and techniques used by attackers and better anticipate future attacks.
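As an added example (not from the original post), the Python script below contrasts the base of the pyramid with the behavioral levels described above: an exact-match IOC check over a constructed log of outbound connections, beside a detection for regular beaconing to a single destination, which still fires after the attacker has rotated the IP address and domain of their command and control infrastructure. The IOC values, hostnames, domains and log lines are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed IOC set: the base of the pyramid, cheap for an attacker to rotate.
IOC_IPS = {"203.0.113.10"}
IOC_DOMAINS = {"bad.example"}

# Constructed outbound-connection log: "<epoch_seconds> <host> <dst_ip> <dst_domain>".
# ws1 beacons to a known-bad host; ws2 beacons to rotated infrastructure; ws3 browses.
LOG = """\
1000 ws1 203.0.113.10 bad.example
1060 ws1 203.0.113.10 bad.example
1120 ws1 203.0.113.10 bad.example
1180 ws1 203.0.113.10 bad.example
2000 ws2 198.51.100.7 upd.example
2059 ws2 198.51.100.7 upd.example
2121 ws2 198.51.100.7 upd.example
2180 ws2 198.51.100.7 upd.example
3000 ws3 192.0.2.20 news.example
"""

def parse(log):
    """Turn the log text into (timestamp, host, dst_ip, dst_domain) tuples."""
    return [(int(t), h, ip, d) for t, h, ip, d in map(str.split, log.splitlines())]

def ioc_hits(events):
    """Base level: exact match on atomic indicators (IP address, domain name)."""
    return {h for _, h, ip, d in events if ip in IOC_IPS or d in IOC_DOMAINS}

def beaconing_hosts(events, min_conns=4, max_jitter=0.1):
    """Behavioral level: a host contacting one destination at near-constant intervals
    (low coefficient of variation of the gaps); survives IP and domain rotation."""
    series = defaultdict(list)
    for ts, host, _, domain in events:
        series[(host, domain)].append(ts)
    flagged = set()
    for (host, _), stamps in series.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.add(host)
    return flagged

def classify(events):
    # Per host, which pyramid level produced a detection (if any).
    ioc, beh = ioc_hits(events), beaconing_hosts(events)
    return {h: {"ioc": h in ioc, "behavior": h in beh}
            for h in sorted({e[1] for e in events})}
```

Only ws1 is caught by the IOC match, while the beaconing rule also catches ws2, whose new IP and domain appear in no feed.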

At the top of the pyramid is the ultimate goal of threat intelligence: the identification of threat actors and their motivations. By understanding who is behind an attack and what they hope to achieve, security professionals can develop more effective strategies for preventing and responding to cyber-attacks.

The Pyramid of Pain is a useful tool for security professionals to help prioritize their efforts and allocate resources effectively. By focusing on the higher levels of the pyramid, security teams can gain a deeper understanding of the threat landscape and develop more effective strategies for preventing and responding to cyber-attacks.
