The concept of “The Pyramid of Pain” was first introduced by David J. Bianco in 2013. Today, most security professionals are familiar with it as a construct for describing the usefulness and relative ease of acquiring threat data and intelligence.
Toward the bottom of the pyramid are indicators that are easier to obtain and work with – hash values, IP addresses and domain names. As you move up the pyramid, campaigns, adversaries and tactics, techniques and procedures (TTPs) come into play. Their value to you, as a security professional, increases dramatically, but these insights are also harder to obtain and use effectively without doing some groundwork. To gather the data and intelligence you need to fully detect and respond to threats, you need the ability to scale up and down the pyramid. With a platform that spans the entire journey you can aggregate internal and external threat and event data every step of the way, analyze and understand its relevance to you, and use it to strengthen your security posture.
First things first
To complete the round-trip journey successfully, you need to start by communicating with all the different detection tools that comprise your security infrastructure. This is like trying to communicate with a group of kids ranging in age from five to 18. They each communicate differently. So, when you speak with them you need to speak in a way that the five-year-olds will understand too. Similarly, detection tools have many different ways of communicating. So, when you need data from them all, the best way to communicate is by using the lowest common denominator – indicators. Indicators allow you to tie things together and make sense of all the output from your different security tools. They also allow you to build a bigger picture and start to scale the pyramid. Here’s how.
Previously, I described a scenario of finding an IP address that you don’t recognize in one tool. You need a bigger picture. So, you look at external threat intelligence and see that the IP address is associated with a specific adversary. Now you can pivot to that adversary and learn that there are numerous additional IP addresses related to that adversary. With a platform that lets you use this lowest common denominator form of communication you can search across your other tools. You may find a substantial set of associated IP addresses, giving you greater certainty that something may be going on. But you need to know more.
Scale up
As you move up the pyramid, you can start to build a complete picture of what is happening. The platform helps you add context and see relationships for a more strategic view. With tools like MITRE ATT&CK that describe campaigns, adversaries and their TTPs, you can pivot and expand your search further. For example, if the indicator is associated with a specific campaign or adversary, are there associated artifacts you can look for in other tools to confirm the presence of malicious activity? As you piece together data and intelligence and reach the top of the pyramid, you can confirm or disprove an attack. With a panoramic view and conclusive evidence of what you’re facing, you can determine how to respond.
Scale down
Now you need the ability to scale back down the pyramid so you can execute your response. This means sending associated data back to the right tools across your defensive grid in the language they speak – indicators. And, when possible, communicating automatically to accelerate response. The ability to scale up and down the Pyramid of Pain not only enables extended detection and response (XDR), it also sends a message to adversaries that their “go to” methods aren’t going to work with you. It’s fairly trivial for attackers to change hashes, IP addresses and domain names to avoid detection. But changing TTPs is extremely costly and time consuming, and may lead them to lose interest and drop their focus on your business.
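The round trip described in the three sections above (pivot from one unrecognized indicator to its adversary, pull in the adversary's related indicators and TTPs, search every tool's output for them, then push the indicators back down in each tool's own language), written out as an added Python example that is not from the column or from ThreatQuotient's product. The tool sightings, intel graph, adversary name and indicator values are constructed placeholders; the ATT&CK IDs are real technique identifiers.

```python
# Constructed sample data: what each detection tool has already alerted on,
# keyed by indicator type. Values are documentation-range placeholders.
TOOL_SIGHTINGS = {
    "firewall": {"ip": {"203.0.113.10", "198.51.100.7"}},
    "proxy": {"domain": {"update-check.example"}},
    "edr": {"sha256": {"a" * 64}},
}
# Which indicator types each tool can consume when data is pushed back down.
TOOL_ACCEPTS = {"firewall": {"ip"}, "proxy": {"domain", "ip"}, "edr": {"sha256"}}

# Constructed threat-intel graph: adversary -> related indicators and ATT&CK TTPs.
INTEL = {
    "ACTOR-EXAMPLE": {  # hypothetical adversary name
        "indicators": {
            ("ip", "203.0.113.10"), ("ip", "203.0.113.11"),
            ("domain", "update-check.example"), ("sha256", "a" * 64),
        },
        "ttps": {"T1566", "T1071"},  # Phishing, Application Layer Protocol
    }
}


def adversary_for(ioc_type, value):
    """Bottom of the pyramid: map a single indicator to a known adversary, if any."""
    for name, adv in INTEL.items():
        if (ioc_type, value) in adv["indicators"]:
            return name
    return None


def scale_up(ioc_type, value):
    """Pivot from one unrecognized indicator to adversary, related IOCs, sightings, TTPs."""
    adversary = adversary_for(ioc_type, value)
    if adversary is None:
        return None  # no external context; nothing to pivot on yet
    related = INTEL[adversary]["indicators"]
    # Search every tool's output for the adversary's indicators: the lowest common
    # denominator all tools understand. Each extra tool confirming raises certainty.
    sightings = {}
    for tool, seen in TOOL_SIGHTINGS.items():
        hits = sorted(v for (t, v) in related if v in seen.get(t, set()))
        if hits:
            sightings[tool] = hits
    return {"adversary": adversary, "related": related, "sightings": sightings,
            "tools_confirming": len(sightings), "ttps": INTEL[adversary]["ttps"]}


def scale_down(related):
    """Back down the pyramid: hand each tool only the indicator types it speaks."""
    return {tool: sorted(v for (t, v) in related if t in types)
            for tool, types in TOOL_ACCEPTS.items()}
```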
For most of us, physically scaling a pyramid will have to wait until global travel can resume. But scaling up and down the Pyramid of Pain is something we can all do right now – and worth adding to your bucket list if you haven’t already.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.