Two types of cyberattack pain: Yours and your attackers'
When it comes to cyberattacks against your organization’s technology network, there are two kinds of pain. One is the devastation that a cyberattacker can cause with a security breach on your critical business data. The other is the pain that you as a network defender can inflict against cybercriminals.
By quickly detecting and responding to malicious efforts, a skilled information technology (IT) team can take away a system attacker’s tools, ability and will to cause damage. Regrouping and trying again comes at a higher cost, and that may be a “pain” an attacker is not willing to bear. Simply stated, defense becomes offense, and you’re the one putting a hurting on your adversaries.
The “Pyramid of Pain” is a multilayered baseline tool that classifies how well a security operations center (SOC) is functioning. It’s not a new concept by any means. The pyramid was introduced in 2013 by David J. Bianco, who is now Target Corporation’s principal engineer for cybersecurity.[1]
Bianco’s pyramid gauges the degree of difficulty, frustration and cost — basically the pain — an SOC team can cause for cyberattackers. For hackers wanting to do you harm, their pain becomes increasingly severe as your defenses move from the bottom levels of the pyramid to its point.
The Pyramid of Pain works at all levels of cybersecurity
To protect your network, your data and your investment, you need a team of cybersecurity professionals with the expertise to help ensure that your defense functions at every point of the pyramid.
The pyramid of pain contains six levels of threat indicators that can signal an attack on your network. These levels should be viewed in two ways:[2]
- How difficult is it for your cybersecurity professionals to detect threats posed by each pyramid level? Can they process and prioritize the data to develop the proper response and controls?
- How much pain can you cause for cybercriminals?
The goal is to build a defense system that will cause your adversaries to start over with new tools and processes in order to circumvent your controls. You want to make their planned attack so difficult and expensive that they would likely give up.
It's important to work at the top as well as the bottom of the pyramid. That means defending against all threats — from simple hash values and IP addresses to the attackers’ tactics, techniques and procedures, or TTPs. Defending against TTPs requires the capability to zero in on attackers’ behaviors, not just the tools they use. That’s why small wins at the top of the pyramid contribute greatly to the overall defense against a prevailing threat, while large victories toward the bottom, although positive, typically lack resilience.
An SOC team that is skilled enough to cut off an attack at the TTP level will likely force the crooks to change their playbook, learn new behaviors, and yes, spend more money. The cost relative to the expected return often becomes too great, and they are likely to abort the mission.
The high-grade talent needed to defend at the TTP level is not easily obtained or assembled. This is where most financial organizations express frustration in trying to build it within their own walls. They need a trusted partner with the know-how and experience to outthink cybercriminals and uncover what they’re doing, how they’re doing it and whom they’re doing it with.
By staying steps ahead of an adversary’s tactics and techniques, well-trained cybersecurity professionals can shut them down quickly and efficiently.
Strike back at attack
The pyramid of pain measures how adept an IT security team is at stopping cyberattacks at each level. For a systems attacker, the bottom tiers are pretty easy to maneuver around. But with each escalating level, the attacker’s “pain” in effort and cost grows more severe when a security team has the skill, expertise and threat intelligence to respond with the right controls to legitimately shut down attacks quickly and efficiently.
Sever a lower link: The three lower levels are fairly easy to defend. But for your adversary, malicious efforts at these stages are relatively cheap. Within seconds, an attacker can buy a new IP address or rebuild a file to produce a new hash value. It’s vital for IT defenders to recognize and respond to these attack indicators, but the pain for an adversary is minimal.
Sever an upper link: The threat intelligence required to defend systems at the three upper levels is hard to come by. If you can detect and stop threats at these levels, you not only take away the attackers’ tools, but also expose their techniques, tactics and behaviors. The “pain” is extreme.
Level 6: Tactics, techniques and procedures (TTPs)
The top of the pyramid and the most valuable indicators. They zero in on an attacker’s behavior, not just the tools of an attack. Stop an assault here and you will force an adversary to change their playbook, learn new behaviors, spend more money and possibly quit. Pain for attacker: SEVERE
Level 5: Tools
Sophisticated software that cybercriminals use to gain access to your vital information. Thwarting an attack at this level will likely force an adversary to go back to the drawing board. Pain for attacker: SIGNIFICANT
Level 4: Network/host artifacts
Interactions with your network or hosts that tend to distinguish malicious activities from legitimate ones. When you detect and respond to indicators at this level, you cause attackers to rethink, revamp and recompile. Pain for attacker: ANNOYING
Level 3: Domain Names
Network identities that are tracked and regulated by the Domain Name System (DNS). Still, cybercriminals don’t have much difficulty changing a domain name when they want to. Domain names, however, are slightly harder to change than IP addresses. Pain for attacker: MINIMAL
Level 2: IP addresses
The most fundamental indicator. There are many IP addresses, and attackers with ample skills can change them with little effort. Denying use of their IPs doesn’t mean much. Adversaries can recover pretty easily. Pain for attacker: LIGHT
Level 1: Hash values
Fixed-length values computed from a file’s contents that uniquely identify that data. They can be used to provide references to specific malware or malicious files. However, hash values are plentiful and easy to change, so adversaries can change direction quickly if detected. Pain for attacker: TRIVIAL
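The six levels above, and the earlier point that victories at the bottom of the pyramid lack resilience, can be seen in a small detection exercise. The following Python is an added example written for this article, not code from Bianco or from SEI; every indicator, host name, address and log event in it is constructed (RFC 5737 documentation addresses, the reserved .example domain, placeholder hashes), and the single behavioral rule for the TTP level is an illustrative stand-in for a real detection library. It runs the same detection logic over three versions of one fictional campaign: the original, a retooling where the attacker only changed the hash, IP and domain, and a rewrite where the tool name and network artifact were changed as well. Only the TTP-level detection survives all three.

```python
"""Pyramid of Pain illustration: which detection levels survive attacker retooling?"""
from typing import Dict, Iterable, Optional, Set

# Pyramid levels from bottom (cheapest for the attacker to change) to top.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
PAIN = dict(zip(PYRAMID, ["trivial", "light", "minimal", "annoying", "significant", "severe"]))

# Constructed threat-intel indicators for a fictional campaign. None of these are real IoCs.
INTEL: Dict[str, Set[str]] = {
    "hash": {"0" * 63 + "1"},              # placeholder SHA-256 of the dropper
    "ip": {"203.0.113.10"},                 # RFC 5737 documentation address
    "domain": {"update-check.example"},     # reserved .example TLD
    "artifact": {"ExampleAgent/1.0"},       # distinctive User-Agent string seen in proxy logs
    "tool": {"exampledropper.exe"},         # file name of the attacker's tool
}


def matches_ttp(event: Dict[str, str]) -> bool:
    """Behavioral rule standing in for the TTP level: an office document process spawning a shell.
    This is a hypothetical rule for illustration, not a complete detection."""
    parent = event.get("parent", "").lower()
    child = event.get("process", "").lower()
    return parent in {"winword.exe", "excel.exe"} and child in {"cmd.exe", "powershell.exe"}


def detect(event: Dict[str, str]) -> Set[str]:
    """Return the pyramid levels at which this single event matches our intel."""
    hits: Set[str] = set()
    if event.get("sha256") in INTEL["hash"]:
        hits.add("hash")
    if event.get("dst_ip") in INTEL["ip"]:
        hits.add("ip")
    if event.get("dst_domain") in INTEL["domain"]:
        hits.add("domain")
    if event.get("user_agent") in INTEL["artifact"]:
        hits.add("artifact")
    if event.get("process", "").lower() in INTEL["tool"]:
        hits.add("tool")
    if matches_ttp(event):
        hits.add("ttp")
    return hits


def detected_levels(events: Iterable[Dict[str, str]]) -> Set[str]:
    """Union of the levels detected across a whole batch of telemetry."""
    levels: Set[str] = set()
    for event in events:
        levels |= detect(event)
    return levels


def highest_pain(levels: Set[str]) -> Optional[str]:
    """Pain the defender inflicts, judged by the highest pyramid level still detected."""
    for level in reversed(PYRAMID):
        if level in levels:
            return PAIN[level]
    return None


# Constructed telemetry. Each campaign version is two events: the process launch and the beacon.
ORIGINAL = [
    {"process": "powershell.exe", "parent": "winword.exe"},
    {"process": "exampledropper.exe", "sha256": "0" * 63 + "1", "dst_ip": "203.0.113.10",
     "dst_domain": "update-check.example", "user_agent": "ExampleAgent/1.0"},
]
# Cheap retooling: rebuilt binary (new hash), new IP and new domain; tool and artifact unchanged.
RETOOLED = [
    {"process": "powershell.exe", "parent": "winword.exe"},
    {"process": "exampledropper.exe", "sha256": "0" * 63 + "2", "dst_ip": "203.0.113.20",
     "dst_domain": "cdn-sync.example", "user_agent": "ExampleAgent/1.0"},
]
# Costly rewrite: tool renamed and User-Agent replaced too; only the behavior is the same.
REWRITTEN = [
    {"process": "cmd.exe", "parent": "excel.exe"},
    {"process": "updater.exe", "sha256": "0" * 63 + "3", "dst_ip": "198.51.100.7",
     "dst_domain": "telemetry-sync.example", "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for name, events in [("original", ORIGINAL), ("retooled", RETOOLED), ("rewritten", REWRITTEN)]:
        levels = detected_levels(events)
        print(f"{name:9s} detected at: {sorted(levels, key=PYRAMID.index)} -> pain {highest_pain(levels)}")
```

Reading the output top to bottom shows the page’s argument in miniature: the hash, IP and domain matches disappear as soon as the attacker spends a few seconds rotating them, the artifact and tool matches survive one round of retooling, and the behavioral rule keeps firing until the adversary changes how they operate, which is the change that costs them the most.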
Think about your home
The Pyramid of Pain concept is easily understood if you apply it to home security in a residential neighborhood. The goal is the same — to optimize and protect your investment (systems and infrastructure) and your valuables (data and operations) — in a way that makes you feel comfortable and safe.
One homeowner might choose to go it alone and install a doorbell camera and a good set of door locks. The next-door neighbor, however, teams with a professional security service and installs door and window sensors, motion detectors, multiple surveillance cameras and wireless alarms.
Which house do you think burglars would target first? Experienced crooks are probably sophisticated enough to get around a front-door camera or a few deadbolts. But to break into a highly secured home, even skilled criminals have to spend time and effort on a plan. They also have to dish out a lot of money on technology and tools to try to outwit the security experts.
If your home is protected at the highest level, the bad guys probably won’t even want to bother.
Partners against crime
A team of cybersecurity professionals who operate at every level of the pyramid, including the most difficult top levels, is critical to protect your business, keeping it healthy, secure and most importantly, pain free.
For more information, visit SEI IT Services.