☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • Overview
  • 1. Hash Values
  • 2. IP Addresses
  • 3. Domain Names
  • 4. Network/Host Artifacts
  • 5. Tools
  • 6. Tactics, Techniques, and Procedures (TTPs)
  • 7. Adversary Intent/Goals
  1. Threat Hunting in AWS

Pyramid of Pain

PreviousResolution & Follow UpNextMITRE Att&ck

Last updated 8 months ago

Overview

The Pyramid of Pain is a framework designed to help cybersecurity professionals understand the effectiveness of different types of indicators in detecting and responding to cyber threats. Developed by David Bianco, the pyramid categorizes indicators based on how difficult they are for adversaries to change, and thus, how much "pain" they inflict on attackers when these indicators are effectively utilized by defenders. Here’s a breakdown of each level of the Pyramid of Pain:

1. Hash Values

At the base of the pyramid are hash values, which are unique identifiers generated from the contents of a file. Hash values are easy for defenders to use in identifying known malicious files. However, they are also easy for attackers to alter by making minor changes to their malware, thereby generating a new hash. This makes hash values the least painful for adversaries to overcome.

2. IP Addresses

The next level up includes IP addresses. While IP addresses can be useful in identifying the source or destination of network traffic associated with malicious activity, attackers can change these relatively easily. They might use proxy servers, VPNs, or compromised systems to alter their apparent IP address.

3. Domain Names

Domain names, used for identifying and locating computers on networks, are slightly more challenging for adversaries to change frequently. However, techniques like fast flux (rapidly changing DNS records) and domain generation algorithms (DGAs) can still allow adversaries to evade detection based on static domain lists.

4. Network/Host Artifacts

This category includes specific elements that might be left on a host or network, such as unique malware file paths, registry changes, or persistent configurations. These artifacts can provide more reliable indicators of compromise (IoCs) because they require more effort for an adversary to modify extensively across different attacks.

5. Tools

The tools that attackers use (e.g., software kits, exploit tools) are harder to replace or alter without significant cost or effort. Detecting and blocking specific tools can disrupt an attacker’s operations more substantially, as it forces them to develop or acquire new capabilities.

6. Tactics, Techniques, and Procedures (TTPs)

TTPs are the behaviors and methods used by attackers in their operations. Understanding and identifying TTPs are highly effective for defense because they are harder for adversaries to change. This level correlates with frameworks like the MITRE ATT&CK, which documents common TTPs used by threat actors.

7. Adversary Intent/Goals

At the top of the pyramid, understanding the adversaries' overarching goals or strategic intents is the most painful for them to mitigate against. If defenders can anticipate and counter the objectives of an attack, they can implement strategic defenses that preemptively disrupt attackers' plans.

The Pyramid of Pain highlights that while basic indicators like hashes and IP addresses are useful, they often result in lower-impact defenses. As defenders move up the pyramid, the indicators become more challenging for attackers to adjust, leading to more effective and enduring security measures.