Connect with us

Hi, what are you looking for?


Incident Response

Is Scaling a Pyramid on Your Bucket List? It Should Be

The concept of “The Pyramid of Pain” was first introduced by David J. Bianco in 2013. Today, most security professionals are familiar with it as a construct for describing the usefulness and relative ease of acquiring threat data and intelligence.

The concept of “The Pyramid of Pain” was first introduced by David J. Bianco in 2013. Today, most security professionals are familiar with it as a construct for describing the usefulness and relative ease of acquiring threat data and intelligence.

Toward the bottom of the pyramid are indicators that are easier to obtain and work with – hash values, IP addresses and domain names. As you move up the pyramid, campaigns, adversaries and tactics, techniques and procedures (TTPs) come into play. Their value to you, as a security professional, increases dramatically, but these insights are also harder to obtain and use effectively without doing some groundwork. To gather the data and intelligence you need to fully detect and respond to threats, you need the ability to scale up and down the pyramid. With a platform that spans the entire journey you can aggregate internal and external threat and event data every step of the way, analyze and understand its relevance to you, and use it to strengthen your security posture.

First things first

To complete the round-trip journey successfully, you need to start by communicating with all the different detection tools that comprise your security infrastructure. This is like trying to communicate with a group of kids ranging in age from five to 18. They each communicate differently. So, when you speak with them you need to speak in a way that the five-year-olds will understand too. Similarly, detection tools have many different ways of communicating. So, when you need data from them all the best way to communicate is by using the lowest common denominator – indicators. Indicators allow you to tie things together and make sense of all the output from your different security tools. They also allow you to build a bigger picture and start to scale the pyramid. Here’s how.

Previously, I described a scenario of finding an IP address that you don’t recognize in one tool. You need a bigger picture. So, you look at external threat intelligence and see that the IP address is associated with a specific adversary. Now you can pivot to that adversary and learn that there are numerous additional IP addresses related to that adversary. With a platform that lets you use this lowest common denominator form of communication you can search across your other tools. You may find a substantial set of associated IP addresses, giving you greater certainty that something may be going on. But you need to know more.

Scale up

As you move up the pyramid, you can start to build a complete picture of what is happening. The platform helps you add context and see relationships for a more strategic view. With tools like MITRE ATT&CK that describe campaigns, adversaries and their TTPs, you can pivot and expand your search further. For example, if the indicator is associated with a specific campaign or adversary, are there associated artifacts you can look for in other tools to confirm the presence of malicious activity? As you piece together data and intelligence and reach the top of the pyramid, you can confirm or disprove an attack. With a panoramic view and conclusive evidence of what you’re facing, you can determine how to respond.

Scale down

Advertisement. Scroll to continue reading.

Now you need the ability to scale back down the pyramid so you can execute your response. This means sending associated data back to the right tools across your defensive grid in the language they speak – indicators. And, when possible, communicating automatically to accelerate response. The ability to scale up and down the Pyramid of Pain not only enables extended detection and response (XDR), it also sends a message to adversaries that their “go to” methods aren’t going to work with you. It’s fairly trivial for attackers to change hashes, IP addresses and domain names to avoid detection. But changing TTPs is extremely costly and time consuming and may result in their disinterest and dropping their focus on your business.

For most of us, physically scaling a pyramid will have to wait until global travel can resume. But scaling up and down the Pyramid of Pain is something we can all do right now – and worth adding to your bucket list if you haven’t already.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights