Organizations today face more cyberthreats, and expose larger attack surfaces, than ever before. Given these challenges, companies need to stay ahead of the curve and make informed decisions about how they prevent, detect, and mitigate threats.
For this reason, security experts have developed conceptual models such as the Pyramid of Pain to help businesses strengthen their cybersecurity capabilities. Below, we’ll discuss the Pyramid of Pain and how it helps with threat detection and mitigation.
What Is the Pyramid of Pain?
The Pyramid of Pain, introduced by David Bianco in 2013, ranks the six kinds of indicator a defender can detect on by how much it costs the adversary when that indicator is taken away from them. From the bottom of the pyramid (trivial for the attacker to change) to the top (tough), the levels are:
- Hash values (trivial): A hash value is a fixed-length digest of a file's contents produced by a cryptographic hash function such as SHA-256. A collision-resistant hash function makes it infeasible to find two different files with the same digest (MD5 and SHA-1 are both broken in this respect and should not be relied on for new detections), but that property cuts the other way for the defender: any change to the file, a recompile or even a single appended byte, produces a completely different hash, so a detection keyed on a hash is trivial for an attacker to evade.
- IP addresses (easy): An Internet Protocol (IP) address identifies a device on a network at a given moment. Addresses behind NAT, in cloud providers' ranges, or assigned dynamically are shared and reassigned, so an address by itself does not reliably identify an attacker's machine, and an attacker who is blocked can move to a new address, proxy, or VPN exit in minutes.
- Domain names (simple): A domain name is a string of text that identifies an Internet resource such as a website or server through DNS. Attackers can register a new domain cheaply, but doing so and updating the malware's configuration takes somewhat more effort than changing an IP address, which is why this level sits slightly higher.
- Network artifacts/host artifacts (annoying): A network artifact is a trace of the attacker's network activity, such as a characteristic URI pattern, HTTP User-Agent string, or command-and-control beacon format; a host artifact is a trace left on the machine, such as a registry key, file path, service name, or mutex. Detecting on artifacts forces the attacker to reconfigure or rewrite parts of their tooling.
- Tools (challenging): Attackers use various software tools and platforms to carry out attacks (such as backdoors or password crackers). When defenders can detect a tool itself, by its characteristic artifacts or functional behavior rather than by the hash of one build, the attacker must find or develop a replacement, which costs time and skill.
- Tactics, techniques, and procedures (TTPs) (tough): Attackers often have a modus operandi that identifies them, from the initial method of entry to the means of spreading through the network and exfiltrating data. A defender who can detect and respond at this level forces the adversary to change how they operate, which is the most expensive thing that can be asked of them.
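The following is an added example, not code from the original article or from Bianco's post: a small Python model of what each level of the pyramid costs the adversary. An analyst writes one detection per level after a first incident; the adversary then responds in the cheapest way possible (rebuild the implant and move infrastructure), and then with more effort (swap tools). The implant bytes, addresses, domains, and process telemetry are all constructed for the demonstration; the 198.51.100.0/24 and 203.0.113.0/24 ranges and the .example TLD are reserved for documentation.

```python
"""Added example: what each level of the Pyramid of Pain costs an adversary.
All data below is constructed for the demonstration; none of it is a real IOC."""
import hashlib
import re

# Constructed implant: a fake header plus the beacon URI template this tool
# embeds in every build. Not a real malware sample.
IMPLANT_V1 = b"MZ\x90\x00fake-implant build 1\x00uri=/api/v1/check?id="

# Constructed telemetry from one execution of the implant on a workstation.
OBSERVED = {
    "dst_ip": "198.51.100.23",
    "domain": "update-cdn.example",
    "uri": "/api/v1/check?id=7f3a",
    "parent": "winword.exe",
    "image": "powershell.exe",
    "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIABAAA",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Detections an analyst might write after the first incident, one per level.
KNOWN_BAD_HASHES = {sha256_hex(IMPLANT_V1)}                    # level 1: hash
KNOWN_BAD_IPS = {"198.51.100.23"}                              # level 2: IP
KNOWN_BAD_DOMAINS = {"update-cdn.example"}                     # level 3: domain
BEACON_URI = re.compile(r"^/api/v\d+/check\?id=[0-9a-f]{4}$")  # level 4: network artifact
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}     # level 6: TTP
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def detect_hash(payload: bytes) -> bool:
    return sha256_hex(payload) in KNOWN_BAD_HASHES


def detect_ip(ev: dict) -> bool:
    return ev["dst_ip"] in KNOWN_BAD_IPS


def detect_domain(ev: dict) -> bool:
    return ev["domain"] in KNOWN_BAD_DOMAINS


def detect_artifact(ev: dict) -> bool:
    # The beacon URI shape is a property of the tool, not of one build or server.
    return BEACON_URI.match(ev["uri"]) is not None


def detect_ttp(ev: dict) -> bool:
    # Office application spawning a script host with a hidden, encoded command
    # line: a way of operating, independent of implant and infrastructure.
    return (ev["parent"] in OFFICE_APPS
            and ev["image"] in SCRIPT_HOSTS
            and ENCODED_FLAG.search(ev["cmdline"]) is not None)


def run_detections(payload: bytes, ev: dict) -> dict:
    return {
        "hash": detect_hash(payload),
        "ip": detect_ip(ev),
        "domain": detect_domain(ev),
        "artifact": detect_artifact(ev),
        "ttp": detect_ttp(ev),
    }


# Adversary responses, cheapest first.
def rebuild_implant(payload: bytes) -> bytes:
    # A rebuild (even one changed byte) yields a new hash; behaviour is unchanged.
    return payload.replace(b"build 1", b"build 2")


def move_infrastructure(ev: dict) -> dict:
    return {**ev, "dst_ip": "203.0.113.7", "domain": "cdn-update.example"}


def swap_tool(ev: dict) -> dict:
    # A different implant with a different beacon format, delivered the same way.
    return {**ev, "uri": "/images/logo.png?c=7f3a"}


def pyramid_demo() -> dict:
    """Return {level: (initial, after rebuild and move, after tool swap)}."""
    initial = run_detections(IMPLANT_V1, OBSERVED)
    moved = run_detections(rebuild_implant(IMPLANT_V1), move_infrastructure(OBSERVED))
    new_tool = run_detections(b"MZ\x90\x00other-tool\x00",
                              swap_tool(move_infrastructure(OBSERVED)))
    return {level: (initial[level], moved[level], new_tool[level]) for level in initial}


if __name__ == "__main__":
    for level, outcome in pyramid_demo().items():
        print(f"{level:>8}: {outcome}")
```

Running it shows the hash, IP, and domain detections going dark as soon as the implant is rebuilt and the infrastructure moved, the artifact detection surviving until the tool is swapped, and the TTP detection firing throughout, because nothing the adversary did changed how they deliver and execute code.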
What Are the Types of Threat Detection?
Threat detection techniques are commonly grouped into four types. The first three work mostly with the lower levels of the pyramid, while the fourth targets its top:
- Configuration: In configuration-based detection, analysts look for signs that a device has deviated from a known-good baseline configuration. For example, if a server is expected to communicate only on specific ports, any traffic to or from it on a different port should be treated as suspicious.
- Modeling: Beyond configuration changes, analysts can look for statistical deviations from a baseline of normal activity. For example, if a device sends far more packets than it usually does, or sends them at unusual times of day, that behavior can be flagged for review. The baseline must be built from known-normal activity (or with statistics that are robust to outliers), or the anomaly will simply be absorbed into it.
- Indicators: An indicator is a piece of information, either "good" or "bad," that provides a clue about a device's state or context. Indicators of compromise (IOCs), such as the hashes, IP addresses, and domain names at the bottom of the pyramid, are the most common kind and offer evidence that a malicious actor has gained access to a system. Because they are cheap for attackers to change, IOC lists must be curated and expired rather than accumulated indefinitely.
- Behaviors: Behavioral detection looks for the higher-level techniques and methods a malicious actor uses, corresponding to the tools and TTPs at the top of the pyramid. For example, a known adversary might deliver a particular kind of spear-phishing email whose attachment launches a script to obtain user credentials; detecting that sequence of actions works regardless of which file hash or server the attacker uses this time.
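The following is an added example and not code from the original article: the four detection types, each run as a small Python function over constructed telemetry (flow records and a process tree). Every host name, port, address, and process record is invented for the demonstration, and the "threat feed" is a single constructed address in a documentation range. The modeling detector uses the median and median absolute deviation rather than mean and standard deviation; that is this example's choice, made so that the anomaly being hunted does not inflate its own baseline.

```python
"""Added example: configuration, modeling, indicator and behavior detection
over constructed telemetry. Nothing below is a real host, address or IOC."""
import statistics

# Constructed flow records: (host, hour_of_day, dst_ip, dst_port, packets).
FLOWS = [
    ("db-01", 1, "10.0.0.5", 5432, 1200),
    ("db-01", 2, "10.0.0.5", 5432, 1150),
    ("db-01", 3, "10.0.0.5", 5432, 1230),
    ("db-01", 4, "10.0.0.5", 5432, 1180),
    ("db-01", 5, "10.0.0.5", 5432, 1210),
    ("db-01", 6, "10.0.0.5", 5432, 1190),
    ("db-01", 3, "203.0.113.7", 443, 9800),    # wrong port and far off baseline
    ("web-01", 3, "198.51.100.23", 443, 400),  # looks normal, but is a listed IOC
]

# Constructed process records: (host, pid, ppid, image, cmdline).
PROCS = [
    ("ws-07", 400, 1, "explorer.exe", "explorer.exe"),
    ("ws-07", 410, 400, "outlook.exe", "outlook.exe"),
    ("ws-07", 512, 410, "winword.exe", 'winword.exe /n "invoice.docm"'),
    ("ws-07", 640, 512, "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgAIABAAA"),
    ("ws-07", 700, 400, "powershell.exe", "powershell.exe -File backup.ps1"),  # benign
    ("ws-07", 710, 400, "winword.exe", "winword.exe report.docx"),            # benign
]

ALLOWED_PORTS = {"db-01": {5432}, "web-01": {80, 443}}   # configuration standard
IOC_IPS = {"198.51.100.23"}                              # constructed threat feed
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}        # behavior chain pieces
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def configuration_alerts(flows):
    """Flows on a port the host's standard configuration does not permit."""
    return [f for f in flows if f[3] not in ALLOWED_PORTS.get(f[0], set())]


def modeling_alerts(flows, threshold=3.5, min_samples=5):
    """Flows whose packet count is an outlier against the host's own history,
    scored with a modified z-score (median / MAD) so the outlier does not
    distort the baseline it is measured against."""
    by_host = {}
    for f in flows:
        by_host.setdefault(f[0], []).append(f[4])
    alerts = []
    for f in flows:
        counts = by_host[f[0]]
        if len(counts) < min_samples:
            continue  # not enough history to model this host
        median = statistics.median(counts)
        mad = statistics.median(abs(c - median) for c in counts)
        if mad == 0:
            continue  # degenerate baseline; leave this to the other detectors
        if 0.6745 * (f[4] - median) / mad > threshold:
            alerts.append(f)
    return alerts


def indicator_alerts(flows):
    """Flows to a destination address on the threat feed."""
    return [f for f in flows if f[2] in IOC_IPS]


def behavior_alerts(procs):
    """Script hosts whose parent is an Office application that was itself
    spawned by a mail client: the spear-phishing attachment chain, whatever
    hash, address or tool is involved this time."""
    by_pid = {p[1]: p for p in procs}
    alerts = []
    for p in procs:
        if p[3] not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(p[2])
        grandparent = by_pid.get(parent[2]) if parent else None
        if (parent and parent[3] in OFFICE_APPS
                and grandparent and grandparent[3] in MAIL_CLIENTS):
            alerts.append(p)
    return alerts


def run_all():
    return {
        "configuration": configuration_alerts(FLOWS),
        "modeling": modeling_alerts(FLOWS),
        "indicator": indicator_alerts(FLOWS),
        "behavior": behavior_alerts(PROCS),
    }


if __name__ == "__main__":
    for kind, hits in run_all().items():
        print(kind, hits)
```

Each detector catches something the others miss: the configuration rule flags the database server talking on port 443, the model flags the same flow for its volume, the indicator match flags the web server's connection to the feed address even though nothing else about it looks odd, and the behavior rule flags the Office-to-PowerShell chain while ignoring the administrator's script run from the desktop shell.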
How Does the Pyramid of Pain Help Mitigate Threats?
The pyramid is a prioritization tool. Detections built only on hashes, IP addresses, and domain names are quick to deploy but are evaded as soon as the attacker rebuilds a file or moves to new infrastructure, so a program that stops there is always a step behind. Detections built on artifacts, tools, and especially TTPs are harder to write and need richer telemetry, but each one the attacker trips forces them to spend real effort changing how they operate, and some will give up or move on. Spending analyst time at the top of the pyramid, while still consuming low-level indicators for the cheap wins they provide, is how the model helps a team mitigate threats rather than chase them.
If a career in threat analysis appeals to you, obtaining a threat analyst certification is an ideal way to get a foothold in the industry while honing your in-demand cybersecurity skills. EC-Council offers the Certified Threat Intelligence Analyst (C|TIA) program, with real-world training in how to identify and thwart active and potential attacks.
Designed in coordination with leading cybersecurity and threat intelligence experts, the C|TIA program teaches students to identify and mitigate critical business risks with both theoretical and practical modules. The C|TIA program offers hands-on experience in the latest tools, techniques, and methodologies at all stages of the threat intelligence lifecycle.
Want to learn more about how to launch a career in the growing field of threat intelligence? Explore the C|TIA curriculum and start down the path of becoming a threat intelligence expert.
References
Bianco, D. (2013). The pyramid of pain. Enterprise Detection & Response. https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html