Pyramid Of Pain
Definition
The Pyramid of Pain is a model that shows how difficult it is for attackers to adapt when defenders block different types of indicators. It helps defenders choose which kinds of indicators to focus on so that their work causes the most trouble for attackers, not just the easiest wins for themselves.

The pyramid is usually shown in layers from bottom to top. Each layer represents a type of indicator that defenders can use in detection and blocking. The higher you go in the pyramid, the more effort it takes for an attacker to change their behavior and continue the attack.

From bottom to top, the layers are:

1. **Hash values** A hash is a unique fingerprint of a specific file. Blocking or alerting on a known malicious hash is easy for defenders. It is also easy for attackers to bypass. They can recompile or slightly modify the file to generate a new hash. This changes nothing about how the malware behaves, only how it looks at a hash level.
2. **IP addresses** An IP address identifies where traffic is coming from or going to on the internet. Blocking an attacker's IP address is simple, but attackers can move to another address or use new servers, VPNs, or proxies. This causes some inconvenience but is still relatively easy for them to change.
3. **Domain names** Domains like `example.com` are used for phishing, malware delivery, or command and control. Blocking malicious domains is helpful, but attackers can register new domains or use domain generation algorithms. It takes a bit more effort than changing an IP, but not a lot.
4. **Network artifacts** These are patterns in the network traffic itself, such as specific URLs, URI paths, headers, or protocol quirks. For example, a command and control channel that always talks to a particular API path or uses a distinct user agent string. Changing these artifacts may require the attacker to modify code or infrastructure, which is more work than just changing domains or IPs.
5. **Host artifacts** These are traces left on endpoints, such as particular file paths, registry keys, scheduled tasks, or command line patterns. For example, a specific folder structure where a tool is dropped, or a unique service name the attacker creates. Changing these can require the attacker to redesign how their tools install and operate on a system.
6. **Tactics, Techniques, and Procedures (TTPs)** TTPs are the characteristic ways an attacker operates. This includes how they gain access, move laterally, escalate privileges, exfiltrate data, and maintain persistence. At this level, defenders are detecting and disrupting the attacker's behavior pattern, not just single values. To evade these defenses, the attacker must meaningfully change how they work. This can require new tools, new workflows, and new training for their operators.

The core message of the Pyramid of Pain is that not all indicators are equal. Blocking hashes and IPs is easy, but it causes little pain to the attacker. Focusing detection and hunting on higher layers, such as host artifacts and TTPs, forces attackers to invest significant time and effort to adapt. This makes defenses more durable and raises the cost of attacking the organization.
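To make the layers concrete, here is an added example (not from this glossary) with one toy detection rule per layer, run over a constructed telemetry record before and after the attacker rotates the cheap indicators: a rebuilt binary, a new server IP and a new domain. Every value (IPs, domain, user agent, service name, command line) is constructed for the example; the point is which rules keep firing.

```python
import hashlib
import re

# Constructed telemetry for one intrusion (not real indicators).
ORIGINAL = {
    "file_bytes": b"MZ\x90\x00 dropper build 1",
    "dst_ip": "203.0.113.10",
    "domain": "cdn-sync.example",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; SyncAgent/1.1)",
    "service_name": "WinSyncSvc",
    "parent_process": "WINWORD.EXE",
    "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

KNOWN_BAD_HASH = sha256(ORIGINAL["file_bytes"])
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

# One rule per pyramid layer, bottom to top. Lower layers match exact
# values; upper layers match artifacts of the tooling or the behaviour
# (here: an Office process launching encoded PowerShell).
RULES = [
    ("hash",             lambda e: sha256(e["file_bytes"]) == KNOWN_BAD_HASH),
    ("ip",               lambda e: e["dst_ip"] == "203.0.113.10"),
    ("domain",           lambda e: e["domain"] == "cdn-sync.example"),
    ("network_artifact", lambda e: "SyncAgent/" in e["user_agent"]),
    ("host_artifact",    lambda e: e["service_name"].lower() == "winsyncsvc"),
    ("ttp",              lambda e: e["parent_process"].upper() in OFFICE_APPS
                                   and re.search(r"-enc\w*\s+\S+", e["cmdline"], re.I) is not None),
]

def matching_layers(event: dict) -> list:
    """Return the pyramid layers whose rule fires on this event."""
    return [layer for layer, rule in RULES if rule(event)]

def rotate_cheap_indicators(event: dict) -> dict:
    """Simulate the low-cost changes the glossary describes: a rebuilt
    binary (new hash), a new server address and a fresh domain."""
    return {**event,
            "file_bytes": event["file_bytes"] + b"\x00",  # one byte changes the hash
            "dst_ip": "198.51.100.7",
            "domain": "files-sync.example"}

if __name__ == "__main__":
    print("before rotation:", matching_layers(ORIGINAL))
    print("after rotation: ", matching_layers(rotate_cheap_indicators(ORIGINAL)))
```

After rotation only the network artifact, host artifact and TTP rules still fire, which is the pyramid's argument: coverage that survives cheap indicator changes lives in the upper layers.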