Pyramid of Pain
The Pyramid of Pain is a cybersecurity concept (introduced by David Bianco) that ranks indicators of compromise (IoCs) by how much difficulty they impose on an adversary when defenders detect and act on them. Put simply, it measures how much pain the attacker feels when the defender catches them at that level and takes the indicator away.
Here are the pyramid's levels from the bottom (least painful for the attacker) to the top (most painful):
- Hashes - (Trivial) Attackers can change a file hash by modifying a single byte, recompiling the malware, or running it through a packer. Hash-based detection on its own is therefore easily evaded, although it still catches reuse of an unmodified sample.
- IP Address - (Easy) Adversaries can quickly change IP addresses using VPNs, proxies, or botnets (networks of compromised computers, each with its own IP). Blocking a malicious IP may disrupt an attack temporarily, but the attacker simply moves to another address.
- Domain Name - (Simple) Changing a domain takes more effort than changing an IP, since the attacker has to purchase and register it and configure DNS. However, Domain Generation Algorithms (DGAs), which produce a stream of pseudo-random domain names so that the malware can still find its server after the current domain is blocked, and bulk domain registration can automate this, keeping the cost manageable for attackers.
- Network/Host Artifacts - (Annoying) These are traces the intrusion leaves on the host or the wire: registry keys the malware creates, distinctive patterns in its network traffic (for example URI or User-Agent strings), or unusual scheduled tasks. When defenders detect these, the attacker has to go back and rework their tooling and infrastructure so the artifacts no longer appear, which takes real effort.
- Tools - (Challenging) Attackers rely on well-known tools such as Mimikatz (credential dumping) and BloodHound (Active Directory reconnaissance). If defenders detect and block a tool, the attacker must modify it to evade the signatures, find an alternative, or develop a custom replacement, all of which add effort and risk.
- TTPs - (Tough) Tactics, techniques and procedures are the most painful level for attackers. If defenders can detect behaviours and methodologies rather than specific tools or indicators, they can anticipate and proactively block future attacks. Changing TTPs requires a fundamental shift in how the attacker operates, which makes this the hardest level to evade.
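To make the levels concrete, here is an added Python example (not from the original page) that runs one detection rule per pyramid level over a constructed process-execution event, then applies the cheap changes an attacker makes once the lower-level indicators are burned (new hash, new IP, new domain, renamed binary) and runs the rules again. The event fields, the indicator values, the stand-in tool bytes and the Sysmon-style access mask are all assumptions made up for the illustration; the TTP rule is a deliberately simple version of the common "non-system process opens LSASS with memory-read rights" detection.

```python
import hashlib
import re
from dataclasses import dataclass, replace

# PROCESS_VM_READ from the Windows API: the right an attacker needs to read
# LSASS memory. Sysmon Event ID 10 reports requested rights in GrantedAccess.
PROCESS_VM_READ = 0x0010


@dataclass(frozen=True)
class ProcessEvent:
    """One process-activity record; a hypothetical simplification of an EDR event."""
    image: str                 # path of the executable that ran
    cmdline: str               # command line it was launched with
    file_bytes: bytes          # contents of the executable (toy stand-in for the file)
    dest_ip: str = ""          # outbound connection target, if any
    dest_domain: str = ""
    target_process: str = ""   # process whose handle was opened, if any
    access_mask: int = 0       # rights requested on that handle


# Constructed threat-intel indicators for the original build of the tool.
ORIGINAL_TOOL_BYTES = b"MZ\x90\x00 constructed stand-in for a credential dumper"
BAD_HASHES = {hashlib.sha256(ORIGINAL_TOOL_BYTES).hexdigest()}
BAD_IPS = {"198.51.100.7"}
BAD_DOMAINS = {"update-check.example"}

# Constructed event: the tool as first seen, matching every indicator we hold.
ORIGINAL_EVENT = ProcessEvent(
    image=r"C:\Users\alice\Downloads\mimikatz.exe",
    cmdline='mimikatz.exe "sekurlsa::logonpasswords" exit',
    file_bytes=ORIGINAL_TOOL_BYTES,
    dest_ip="198.51.100.7",
    dest_domain="update-check.example",
    target_process="lsass.exe",
    access_mask=0x1010,   # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION (assumed)
)

# Constructed benign event: a Windows system process also opens LSASS.
BENIGN_EVENT = ProcessEvent(
    image=r"C:\Windows\System32\csrss.exe",
    cmdline="csrss.exe",
    file_bytes=b"unrelated system binary",
    target_process="lsass.exe",
    access_mask=0x1010,
)


# One detection rule per pyramid level, from trivial to tough.
def detect_hash(ev: ProcessEvent) -> bool:
    return hashlib.sha256(ev.file_bytes).hexdigest() in BAD_HASHES


def detect_ip(ev: ProcessEvent) -> bool:
    return ev.dest_ip in BAD_IPS


def detect_domain(ev: ProcessEvent) -> bool:
    return ev.dest_domain.lower() in BAD_DOMAINS


def detect_tool(ev: ProcessEvent) -> bool:
    # Tool-level signature: the tool's own name or module syntax on the command line.
    return re.search(r"mimikatz|sekurlsa::", ev.cmdline, re.IGNORECASE) is not None


def detect_ttp(ev: ProcessEvent) -> bool:
    # Behaviour-level: anything outside System32 opening lsass.exe with read rights.
    # The System32 allowlist is a crude stand-in for real tuning.
    return (ev.target_process.lower() == "lsass.exe"
            and bool(ev.access_mask & PROCESS_VM_READ)
            and not ev.image.lower().startswith("c:\\windows\\system32\\"))


LEVELS = (("hash", detect_hash), ("ip", detect_ip), ("domain", detect_domain),
          ("tool", detect_tool), ("ttp", detect_ttp))


def run_detections(ev: ProcessEvent) -> dict:
    """Return {level: fired?} for every rule."""
    return {name: fn(ev) for name, fn in LEVELS}


def evade(ev: ProcessEvent) -> ProcessEvent:
    """The cheap changes an attacker makes after the low-level indicators are burned."""
    return replace(
        ev,
        file_bytes=ev.file_bytes + b"\x00",             # one extra byte: new hash
        dest_ip="203.0.113.42",                         # move to another server
        dest_domain="cdn-assets.example",               # register a fresh domain
        image=r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
        cmdline="svchost32.exe -k netsvcs",             # no tool strings left
        # target_process and access_mask are unchanged: the technique is the same
    )


def pain_report(ev: ProcessEvent) -> dict:
    """Per level: (fired on the original event, fired after the attacker adapts)."""
    before, after = run_detections(ev), run_detections(evade(ev))
    return {name: (before[name], after[name]) for name, _ in LEVELS}


if __name__ == "__main__":
    for level, (before, after) in pain_report(ORIGINAL_EVENT).items():
        print(f"{level:6} original={before!s:5} after_evasion={after}")
```

Running it shows the hash, IP, domain and tool rules all go quiet after the attacker's cheap changes, while the TTP rule still fires because reading LSASS memory is the thing the attacker actually needs to do. Evading that rule means changing the technique itself (for example duplicating a handle another process already holds), which is more work and is itself a different, detectable behaviour. The trade-off is false positives: the System32 allowlist here is only a sketch, and a production rule needs tuning because many legitimate Windows components open LSASS.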
Cyber Kill Chain
The Cyber Kill Chain is a framework developed by Lockheed Martin to describe the stages of a cyber attack. The kill chain is a military concept describing the structure of an attack; the point for defenders is that breaking any one link stops the attack from reaching its goal. So let's think about how an attacker carries out an attack. In this explanation I will use a bank robbery analogy so we can understand each stage more easily.
- Reconnaissance - The attacker gathers information: identifying vulnerable systems, employees, or network configurations.
  - Bank analogy: planning the attack. The robbers scout the bank for CCTV, where the guards are posted, when the shifts change, and any other entry points.
- Weaponization - The attacker builds the malicious payload, such as malware or an exploit packaged for delivery.
  - Bank analogy: preparing tools. The robbers get their equipment ready, such as lock picks, guns, and masks.
- Delivery - The attacker delivers the payload via a phishing email, a malicious website, or a USB device. At this stage the attacker is waiting for the victim to respond.
  - Bank analogy: getting inside the bank. The robbers trick the employees or use a back door to enter.
- Exploitation - The malicious payload is executed: perhaps the victim opened the attachment in the phishing email or visited the malicious website. This is where the vulnerability is exploited.
  - Bank analogy: disabling security. The robbers threaten the security guards and disable the alarm.
- Installation - Malware or a backdoor is installed to maintain persistent access to the compromised system.
  - Bank analogy: establishing control. The robbers place an insider or surveillance to keep control of the bank.
- Command and Control (C2) - The compromised system connects to an attacker-controlled server, giving the attacker a channel to issue commands remotely and, later, to exfiltrate data.
  - Bank analogy: coordinating the heist. This is where the getaway car arrives to carry away the money.
- Actions on Objectives - The attacker achieves the goal: data theft, destruction, espionage, and so on.
  - Bank analogy: stealing the money and escaping. The robbers take the money and escape without being caught.