Is Scaling a Pyramid on Your Bucket List? It Should Be

The concept of “The Pyramid of Pain” was first introduced by David J. Bianco in 2013. Today, most security professionals are familiar with it as a construct for describing the usefulness and relative ease of acquiring threat data and intelligence.

Toward the bottom of the pyramid are indicators that are easier to obtain and work with – hash values, IP addresses and domain names. As you move up the pyramid, campaigns, adversaries and tactics, techniques and procedures (TTPs) come into play. Their value to you, as a security professional, increases dramatically, but these insights are also harder to obtain and use effectively without doing some groundwork. To gather the data and intelligence you need to fully detect and respond to threats, you need the ability to scale up and down the pyramid. With a platform that spans the entire journey you can aggregate internal and external threat and event data every step of the way, analyze and understand its relevance to you, and use it to strengthen your security posture.

First things first

To complete the round-trip journey successfully, you need to start by communicating with all the different detection tools that comprise your security infrastructure. This is like trying to communicate with a group of kids ranging in age from five to 18. They each communicate differently. So, when you speak with them you need to speak in a way that the five-year-olds will understand too. Similarly, detection tools have many different ways of communicating. So, when you need data from them all, the best way to communicate is by using the lowest common denominator – indicators. Indicators allow you to tie things together and make sense of all the output from your different security tools. They also allow you to build a bigger picture and start to scale the pyramid. Here’s how.

Previously, I described a scenario of finding an IP address that you don’t recognize in one tool. You need a bigger picture. So, you look at external threat intelligence and see that the IP address is associated with a specific adversary. Now you can pivot to that adversary and learn that there are numerous additional IP addresses related to that adversary. With a platform that lets you use this lowest common denominator form of communication you can search across your other tools. You may find a substantial set of associated IP addresses, giving you greater certainty that something may be going on. But you need to know more.

Scale up

As you move up the pyramid, you can start to build a complete picture of what is happening. The platform helps you add context and see relationships for a more strategic view. With tools like MITRE ATT&CK that describe campaigns, adversaries and their TTPs, you can pivot and expand your search further. For example, if the indicator is associated with a specific campaign or adversary, are there associated artifacts you can look for in other tools to confirm the presence of malicious activity? As you piece together data and intelligence and reach the top of the pyramid, you can confirm or disprove an attack. With a panoramic view and conclusive evidence of what you’re facing, you can determine how to respond.


Scale down

Now you need the ability to scale back down the pyramid so you can execute your response. This means sending associated data back to the right tools across your defensive grid in the language they speak – indicators. And, when possible, communicating automatically to accelerate response. The ability to scale up and down the Pyramid of Pain not only enables extended detection and response (XDR), it also sends a message to adversaries that their “go-to” methods aren’t going to work with you. It’s fairly trivial for attackers to change hashes, IP addresses and domain names to avoid detection. But changing TTPs is extremely costly and time-consuming, and may lead them to lose interest and drop their focus on your business.
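As an added illustration (not code from this column or from any vendor platform), here is the round trip described above in Python: normalize three differently formatted tool outputs down to indicators, pivot from one unrecognized IP to the adversary's related indicators and TTPs, sweep the other tools for them, then hand the confirmed indicators back to the tools grouped by the type each accepts. The intel feed, adversary names, indicator-to-ATT&CK mapping and log lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed threat-intel feed (invented adversaries and TTP mapping): indicator -> (type, adversary, TTPs).
THREAT_INTEL = {
    "203.0.113.10": ("ip", "GroupX", {"T1071.001"}),
    "203.0.113.22": ("ip", "GroupX", {"T1071.001"}),
    "198.51.100.7": ("ip", "GroupX", {"T1105"}),
    "bad-update.example": ("domain", "GroupX", {"T1105"}),
    "192.0.2.44": ("ip", "GroupY", {"T1566"}),
}
# Constructed output from three detection tools, each speaking its own format.
TOOL_OUTPUT = {
    "firewall": [
        "2024-01-05T10:01:02Z DENY src=10.0.0.5 dst=203.0.113.10 dport=443",
        "2024-01-05T10:04:10Z ALLOW src=10.0.0.9 dst=198.51.100.7 dport=443",
    ],
    "proxy": [
        '10.0.0.5 - [05/Jan/2024:10:01:03] "GET https://bad-update.example/u.bin" 200',
        '10.0.0.7 - [05/Jan/2024:10:02:50] "GET https://cdn.example.org/ok.js" 200',
    ],
    "edr": ['{"host":"ws-05","event":"netconn","remote":"203.0.113.22","proc":"svchost.exe"}'],
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def extract_indicators(line):
    """Lowest common denominator: pull IPs and domains out of any tool's line, whatever its format."""
    return set(IP_RE.findall(line)) | set(DOMAIN_RE.findall(line))

def pivot(indicator):
    """Scale up: indicator -> adversary -> every indicator and TTP the feed ties to that adversary."""
    adversary = THREAT_INTEL.get(indicator, (None, None, None))[1]
    related = {i for i, (_, adv, _) in THREAT_INTEL.items() if adv == adversary}
    ttps = set().union(*(THREAT_INTEL[i][2] for i in related))
    return adversary, related, ttps

def sweep(related):
    """Search every tool's output for the related indicators; count matching lines per tool."""
    hits, seen = Counter(), set()
    for tool, lines in TOOL_OUTPUT.items():
        for line in lines:
            matched = extract_indicators(line) & related
            hits[tool] += bool(matched)
            seen |= matched
    return hits, seen

def scale_down(seen):
    """Scale down: confirmed indicators go back to the tools, grouped by the type each accepts."""
    return {t: sorted(i for i in seen if THREAT_INTEL[i][0] == t) for t in ("ip", "domain")}
```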

For most of us, physically scaling a pyramid will have to wait until global travel can resume. But scaling up and down the Pyramid of Pain is something we can all do right now – and worth adding to your bucket list if you haven’t already.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
