What Is Pyramid of Pain?
LAST UPDATED ON JULY 23, 2024
The Pyramid of Pain, first coined by David Bianco, is an influential framework that lets security teams, predominantly blue teamers, focus their resources on the indicators that are most painful for adversaries to change. Despite its enduring relevance, it has limitations, primarily because it emphasizes only the diversity of indicators and does not consider their robustness and resilience, which leads to operational problems and a surge in false positives.
To counter these limitations and reinforce robustness and capability abstraction, MITRE Engenuity launched the Summiting the Pyramid project. In this blog, we examine the Pyramid of Pain and the enhancements brought by Summiting the Pyramid to improve our security posture and threat readiness against sophisticated cyber threats.
What Is Pyramid of Pain?
The Pyramid of Pain is a conceptual framework developed by David Bianco that illustrates the varying levels of difficulty and cost an adversary would encounter to evade detection and continue their attack, in the context of cybersecurity defenses.
Structured as a pyramid, it categorizes different indicators and attributes related to cyber threats, ranging from the trivial to change at the bottom, such as hash values, IP addresses, and domain names, to the most costly and complex to alter at the top, like Tactics, Techniques, and Procedures (TTPs) as articulated in the MITRE ATT&CK framework.
Figure 1. Pyramid of Pain Coined by David Bianco
There are six levels in the pyramid. In this section, we explain each level in detail, corresponding to the pain its alteration causes an adversary.
The examples given under each pyramid level are taken from the real-life investigation of the Snatch ransomware, published in the joint advisory released by CISA [1].
Level 1: Hash Values - Trivial
Hash values of malware binaries or tools, once detected and shared, are perceived as trivial to modify for an adversary. This is because hash values are generated through deterministic algorithms that are sensitive to any alteration, no matter how minor.
Figure 2. Examples of Filenames with Associated SHA-256 Hashes Published by CISA.
A change as subtle as the addition or removal of a single space or a single line of code—provided it doesn’t interfere with the program’s operation—can entirely alter the hash value of the malware. This characteristic makes hash values highly susceptible to modifications, even those that are inconspicuous and don’t disrupt the functionality of the underlying program or tool.
The following example illustrates the sensitivity of hash functions to even the smallest change in input. The SHA3-256 hash function is used to compute hash values for two nearly identical strings, the only difference being the last bit.
SHA3-256(111111111111111111111111111111111111111111) =
SHA3-256(111111111111111111111111111111111111111110) =
This demonstrates that even a singular bit alteration in the input string leads to the generation of a distinctly different hash value, underlining the deterministic yet highly sensitive nature of cryptographic hash functions.
Readers curious about SHA3-256 can try it with an online hash tool.
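The avalanche behavior described above can be checked locally. The following is an added example written for this article, not code from the original post: it hashes two constructed strings that differ only in their last bit (ASCII '1' is 0x31, '0' is 0x30) with Python's standard-library SHA3-256 and counts how many of the 256 digest bits changed.

```python
import hashlib

# Constructed inputs mirroring the pair in the article: the ASCII characters
# '1' (0x31) and '0' (0x30) differ only in their lowest bit, so the two
# strings differ in exactly one bit of input.
INPUT_A = "1" * 42
INPUT_B = "1" * 41 + "0"


def sha3_256_hex(data: str) -> str:
    """SHA3-256 digest of a UTF-8 string as lowercase hex."""
    return hashlib.sha3_256(data.encode("utf-8")).hexdigest()


def bit_distance(hex_a: str, hex_b: str) -> int:
    """Hamming distance in bits between two hex strings of equal length."""
    if len(hex_a) != len(hex_b):
        raise ValueError("inputs must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_report(a: str, b: str) -> dict:
    """Compare how many input bits changed against how many digest bits changed."""
    digest_a, digest_b = sha3_256_hex(a), sha3_256_hex(b)
    return {
        "input_bits_changed": bit_distance(a.encode().hex(), b.encode().hex()),
        "digest_bits_changed": bit_distance(digest_a, digest_b),
        "digest_bits_total": len(digest_a) * 4,
        "digests_differ": digest_a != digest_b,
    }


if __name__ == "__main__":
    print(f"SHA3-256({INPUT_A}) = {sha3_256_hex(INPUT_A)}")
    print(f"SHA3-256({INPUT_B}) = {sha3_256_hex(INPUT_B)}")
    print(avalanche_report(INPUT_A, INPUT_B))
```

Roughly half of the digest bits flip for a one-bit input change, which is exactly why a hash-based indicator stops matching as soon as an adversary touches a single byte of the binary.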
Level 2: IP Addresses - Easy
IP addresses are easy for adversaries to change due to the availability of tools and techniques such as proxy servers and VPNs, which mask the real IP addresses, allowing users to appear as if they are connecting from different locations.
Additionally, the use of dynamic IP addresses assigned by Internet Service Providers means that users' IP addresses can change frequently, enabling adversaries to re-connect and receive a new address.
The Tor network offers another layer of anonymity by routing traffic through multiple servers, obscuring the original IP. Furthermore, adversaries can conceal their actual IP addresses by routing their actions through compromised machines, making the attacks appear to originate from those systems instead.
For instance, the transient nature of the Tor IDs related to Snatch ransomware highlights their extremely limited utility in developing sustainable cybersecurity defenses. Their rapid and effortless modifiability by adversaries makes them a nearly elusive and unreliable element in cybersecurity tracking efforts.
Figure 3. Tor IDs Related to Snatch Ransomware Announced by CISA
The ability to easily change IDs in the encrypted labyrinth of the Tor network necessitates a paradigm shift in security strategies—away from the pursuit of these volatile identifiers and towards the establishment of robust, comprehensive defenses focused on unassailable prevention, precise detection, and rapid response to continuously emerging cyber threats.
Level 3: Domain Names - Simple
Domain names are simple to change primarily because it's relatively easy and inexpensive even for individuals, including adversaries, to register new domain names.
Once a domain is potentially blacklisted or taken down by authorities, malicious actors can quickly shift their operations to a newly registered domain, maintaining continuity in their malicious activities with minimal disruption. This fluidity makes domain names a less reliable parameter for tracking malicious activities in the long term.
Here are the identified domain addresses for the Snatch Ransomware.
- Example 1: sezname[.]cz. A malicious domain used by the Snatch Ransomware Gang, illustrating how threat actors often create domains specifically for nefarious activities.
- Example 2: protonmail[.]com / proton[.]me. Legitimate encrypted email services misused by threat actors, showcasing how legal platforms can be exploited for malicious communications.
- Example 3: sn.tchnews.top@protonmail[.]me. A specific email address reported by victims, exemplifying the combination of legitimate email services with uniquely crafted addresses for malicious interactions.
The identification of specific email domains used by Snatch threat actors, as highlighted by CISA, underscores a pivotal challenge in cybersecurity defense measures.
Although these domains, ranging from malicious ones like sezname[.]cz to legitimate encrypted services like protonmail[.]com, have been noted, the inherently random nature of the email addresses generated by the threat actors within these domains poses significant limitations.
As the threat actors tend to use a plethora of both conspicuous and seemingly innocuous domains to mask their activities, relying solely on domain names for defensive measures is not only insufficient but can also be misleading.
Level 4: Network/Host Artifacts - Annoying
Network/Host Artifacts, categorized as "Annoying" to alter, are distinctive elements of malicious activity within a network or host that differentiate it from legitimate behavior. Some of these artifacts are listed below [1].
- URL Patterns
- Log Messages. Example: A Windows Defender Firewall setting was changed in the private, public, and domain profiles with type “Enable Windows Defender Firewall” and value “no”.
- Command and Control (C2) Information
- Registry Objects. Example: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service
- Files
- Folders. Example: the C:\$SysReset folder.
It is important to note that these artifacts are elements that can be observed in the network or on hosts during or after an attack, offering evidence of malicious activity. Employing threat intelligence to counteract or deny the effectiveness of these artifacts can cause substantial inconvenience to an attacker.
The process of modifying these artifacts can disrupt the attacker's workflow, making it more challenging for them to maintain stealth and evade detection, thereby becoming a source of annoyance and hindrance to their malicious endeavors.
Level 5: Tools - Challenging
In the Pyramid of Pain, altering tools represents a significant challenge for adversaries because it demands extensive knowledge, effort, and resources.
Creating or modifying malicious tools requires sophisticated skills and a deep understanding of both the target system and the tool itself to maintain efficacy and avoid detection.
It compels attackers to invest substantial time and energy to develop, test, and deploy new malicious tools that can successfully circumvent existing security measures and defenses, making it a burdensome and resource-intensive task, hence positioning it high on the pyramid.
Level 6: Tactics, Techniques, and Procedures (TTPs) - Tough!
When considering the Pyramid of Pain, Tactics, Techniques, and Procedures (TTPs) represent the highest level of difficulty and sophistication and are substantially tough for adversaries to modify.
Tactics, Techniques, and Procedures (TTPs) are integral components of the attack lifecycle, encapsulating the comprehensive modus operandi of attackers. They detail the sophisticated, sequential methodologies employed in every stage, from Reconnaissance to Initial Access and beyond, as exemplified by the diverse array of TTPs leveraged by Snatch Ransomware Gang.
Altering TTPs necessitates profound understanding, inventive strategy, and adept execution, making them a fundamental aspect of an adversary’s toolkit, and hence, altering them presents significant pain to the adversary, obstructing their ability to seamlessly orchestrate malicious endeavors. Developing a novel and efficacious attack flow that remains undetected requires extensive knowledge and adaptability, underlining why TTPs are integral and strenuous to change in cyber threat landscapes.
Benefits of the Pyramid of Pain Framework
The pyramid of pain framework model serves as a tool for detection engineers to understand and develop effective defense strategies and analytics that can cause maximum disruption to adversaries, forcing them to invest more time, effort, and resources to succeed in their malicious activities.
By focusing on the higher levels of the pyramid, defenders can create more robust and resilient security postures, making it increasingly challenging for attackers to operate undetected.
Challenges of David Bianco’s Pyramid of Pain Framework
David J. Bianco's original Pyramid of Pain highlighted an array of intricate challenges that security professionals grapple with, depicting a hierarchy of adversary tradecraft elements from simplistic indicators, like hash values, to highly sophisticated tools and TTPs (Tactics, Techniques, and Procedures).
However, a critical limitation emerged from its singular focus on the varied nature of indicators rather than on their robustness and resilience. This lack of focus led to real-world operational issues.
Security teams often found themselves grappling with transient and brittle indicators, leading to a constant game of catch-up with adversaries and an overwhelming amount of false positives. This framework, while insightful, did not address the depth of robustness in detection logic needed to effectively counter advanced threats and reduce the noise in threat detection.
To rectify these inherent limitations and provide a more nuanced and actionable approach, MITRE Engenuity introduced the Summiting the Pyramid project. This initiative emphasizes:
- Enhanced Robustness: Implementing a comprehensive methodology that accentuates the resilience and robustness of analytics, fostering a systematic approach to detecting and mitigating threats.
- Capability Abstraction: Leveraging this technique to dissect and understand the relationships between OS abstraction layers better, allowing the identification of invariant behaviors and refining detection logic across disparate attack implementations.
Thus, MITRE Engenuity’s Summiting the Pyramid project refines the foundational principles of the original Pyramid of Pain to offer a sophisticated, actionable, and nuanced framework capable of addressing contemporary cyber threats effectively.
The MITRE Engenuity Summiting the Pyramid Project
The Summiting the Pyramid project consists of five rows of analytic robustness, as depicted in Figure 4, and three columns denoting three different layers within the OS in which sensor data can be generated: Application (A), User-mode (U) and Kernel-mode (K).
Figure 4. MITRE Engenuity’s Summiting the Pyramid Project
To gain deeper insights into analytic robustness and to understand from which layers within the OS sensor data can be generated, we will begin this section by exploring the mapping of the original framework to the new one.
Figure 5. Summiting the Pyramid by MITRE Engenuity
Row 1: Ephemeral
As the original Pyramid of Pain framework stresses,
- Network/Host Artifacts
- Domain Names
- IP Addresses
- Hash Values
are values or indicators of compromise (IoCs) that do not induce significant pain; they are, in essence, almost trivial for an adversary to modify. Consequently, they offer limited value to defensive teams, creating a scenario where blue team professionals find themselves ensnared in a relentless pursuit of numerous, easily alterable data points, positioning them a step behind adversaries.
Acknowledging this, the Summiting the Pyramid project by MITRE Engenuity categorizes these four values as ephemeral values.
Therefore, in terms of Analytic Robustness, they are allocated to the Ephemeral(1) level in this new framework.
Row 2: Core to Adversary-Brought Tool
In the updated Summiting the Pyramid project, there’s a refined and more detailed classification of “tools” compared to its original depiction in the Pyramid of Pain.
Initially positioned as a single category at level 4, “tools” are now subdivided into two distinct levels:
- Level 2, representing tools that adversaries bring and can modify, and
- Level 3, encompassing tools already present in the environment.
Figure 6. Tools Mapped to Two New Rows in MITRE’s Pyramid of Pain Framework
This enhanced classification provides a clearer understanding of the different tool types, offering more precise insights into the varied strategies and modifications adversaries may deploy in their attacks.
Below is a scenario in which adversaries introduce Cobalt Strike into the victim’s environment.
- Category: Command-line arguments
- Observables: CommandLine (Sysmon), ParentCommandLine (Sysmon)
- Generating Activity: Cobalt Strike, utilizing built-in functionalities, can be invoked by a specific command-line argument, either by a script or through interactive sessions with a user.
- Evade Behavior: An adversary can evade detection by renaming the command-line arguments within Cobalt Strike, necessitating access to the code base and a recompile, thus maintaining the inherent functionality while altering the observable properties to evade detection by Sysmon.
Row 3: Core to Pre-Existing Tools
The distinction between adversary-brought tools and existing tools in the MITRE’s Summiting the Pyramid project is essential because adversary-brought tools are not native OS tools and, as such, are generally easier to detect and mitigate.
Figure 7. Distinction Between Row 2 and Row 3 in MITRE’s Pyramid of Pain Framework
This division enables more nuanced and effective defensive measures, allowing for a better understanding of the threats and more tailored counteraction strategies.
The criticality of this level lies in its ability to disguise malicious activities, as adversaries have to behave and act within the constraints of the available tools, blending their activities with benign ones. This level is often associated with Living off the Land (LotL) attacks, where adversaries use legitimate tools present in the environment to avoid detection, making it challenging to distinguish between regular and malicious activities.
Let us examine a real-life example scenario.
Adversaries, after gaining initial access, may use the WMIC tool, a legitimate Windows utility, to create processes maliciously. This tool allows users to access system resources and settings, and adversaries can leverage it to execute commands or scripts that may lead to lateral movement or other malicious activities, all while blending in with legitimate system processes.
- Category: Process Creation
- Observables: OriginalFileName (Sysmon), indicative of wmic.exe being invoked.
- Generating Activity: The use of WMIC to invoke or create a process within a Windows environment is a typical legitimate activity, making it a suitable candidate for adversaries attempting to hide malicious actions.
- Evade Behavior: To avoid detection, adversaries might look for alternative legitimate OS tools with different filenames that have similar capabilities or edit the original filename within the PE header of wmic.exe, thereby disguising the tool's invocation.
- Example: For instance, an adversary might use WMIC to create a new process for downloading and executing a malicious payload from a remote server, all under the guise of a legitimate system activity:
wmic process call create "cmd /c <MaliciousCommandOrScript>"
This scenario illustrates how the exploitation of native tools like WMIC for process creation can allow adversaries to execute malicious activities covertly, blending with legitimate system activities, and underscores the importance of closely monitoring the use of such utilities within organizational networks for signs of anomalous or unauthorized behavior.
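The observable and evasion described for this row translate directly into layered detection logic. The following is an added example written for this article (not code from the original post, from MITRE, or from Sysmon): it evaluates constructed Sysmon Event ID 1 records, raising a high-confidence alert when the PE-header OriginalFileName is wmic.exe even if the binary on disk was renamed, and falling back to a medium-confidence command-line match for the case where the PE header itself was edited. The event dictionaries, paths and command lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Matches the WMIC process-creation verb sequence regardless of case and spacing.
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    confidence: str
    image: str
    command_line: str
    renamed: bool  # True when the on-disk file name differs from the PE OriginalFileName


def detect_wmic_process_create(event: dict) -> Optional[Alert]:
    """Evaluate one Sysmon Event ID 1 (process creation) record.

    High confidence: OriginalFileName (read from the PE header) says wmic.exe,
    whatever the binary on disk is called. Medium confidence: only the command
    line looks like WMIC process creation, which is what remains once the PE
    header has been edited (the evasion the article describes).
    """
    if event.get("EventID") != 1:
        return None
    command_line = event.get("CommandLine", "")
    if not WMIC_CREATE.search(command_line):
        return None
    image = event.get("Image", "")
    renamed = PureWindowsPath(image).name.lower() != "wmic.exe"
    if event.get("OriginalFileName", "").lower() == "wmic.exe":
        return Alert("wmic_process_create_by_original_filename", "high",
                     image, command_line, renamed)
    return Alert("wmic_style_process_create_cmdline_only", "medium",
                 image, command_line, renamed)


def scan(events: List[dict]) -> List[Alert]:
    """Run the rule over a batch of events and collect the hits."""
    return [a for a in map(detect_wmic_process_create, events) if a is not None]


# Constructed sample records using Sysmon Event ID 1 field names; the paths
# and command lines are invented for this demonstration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic process call create "cmd /c hostname"'},
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",  # renamed copy of wmic.exe
     "OriginalFileName": "wmic.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'svchost.exe process call create "cmd /c hostname"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",  # benign inventory query
     "OriginalFileName": "wmic.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},
    {"EventID": 1, "Image": r"C:\Users\Public\t.exe",  # PE-header OriginalFileName edited
     "OriginalFileName": "t.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 't.exe process call create "cmd /c hostname"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\wbem\WMIC.exe",  # not a process-creation event
     "OriginalFileName": "wmic.exe", "CommandLine": "wmic process call create x"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign inventory query produces no alert, the renamed binary is still caught through OriginalFileName, and the edited PE header only degrades the hit to medium confidence rather than removing it, which is the practical reason for pairing a row-3 observable with a command-line analytic.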
Row 4: Core to Some Implementations of (Sub-) Technique
In the Summiting the Pyramid project by MITRE, TTPs are viewed as specific behaviors shown by adversaries, and they are challenging to modify without altering the core of the attack methodology. This concept has been further refined and subdivided into two levels in the newer model to better categorize and understand the variations in implementations of these behaviors.
Figure 8. TTPs Mapped to Two New Rows in MITRE’s Pyramid of Pain Framework
- Level 4: Core to Some Implementations of (Sub-)Technique
- Level 5: Core to Sub-Technique or Technique
Level 4 focuses on Observables related to specific implementations of a technique or sub-technique, highlighting the behaviors that are consistent within different implementations of the same method. This distinction allows for more targeted and precise defensive analytics.
Let's closely examine a real-world scenario.
After gaining initial access, adversaries might aim to erase their tracks by using the Indicator Removal: File Deletion (ATT&CK T1070.004) technique. By removing indicative files, they can effectively mask their illicit activities and maintain persistence in the environment.
- Category: Indicator Removal
- Observables: Event ID 524; Provider Name: Microsoft-Windows-Backup. The occurrence of these observables is indicative of a file deletion event, representing a potential attempt to conceal unauthorized activities.
- Generating Activity: Recording of Event ID 524 in conjunction with Microsoft-Windows-Backup is typical of legitimate file deletion processes. This regular occurrence provides a plausible cover for adversaries desiring to hide unauthorized file deletions.
- Evade Behavior: To evade detection, adversaries might employ alternative file deletion methods or tamper with event logs to eliminate or modify entries related to their illicit file deletions, thus concealing the unauthorized removal of files and artifacts.
- Example: Suppose an adversary uses this technique to erase log files or other residues that might disclose unauthorized access or the presence of malicious entities. The corresponding log entry would resemble:
Microsoft-Windows-Backup Event ID 524
Row 5: Core to Sub-Technique or Technique
Level 5 deals with behaviors that are universally consistent across all implementations of a technique or sub-technique, representing invariant behaviors or "chokepoints" in the attack chain.
The division into two levels emphasizes the nuanced differences between specific and invariant behaviors, offering a more robust and differentiated approach to understanding and addressing adversary tactics and methodologies.
Let us examine a real-life example.
Adversaries may employ the Scheduled Tasks (T1053) technique to discreetly perform malicious activities by leveraging invariant behaviors within systems. For this technique, regardless of how it's implemented, certain artifacts or observables will always be produced, providing defenders with crucial chokepoints to detect malicious implementations.
- Category: Scheduled Tasks Manipulation
- Observables: TargetObject: “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree”. When a new task is created, the registry key value is invariably generated, serving as a reliable indicator of task scheduling.
- Example: An adversary might schedule a task to routinely execute malicious payloads, leaving the indicated registry key value as an artifact of this scheduling, thus:
schtasks /create /tn "MaliciousTask" /tr <MaliciousCommandOrScript> /sc onlogon
This succinct illustration underscores the significance of monitoring invariant behaviors associated with system techniques to promptly detect and counteract adversarial activities, especially as the definitions and observables of the ATT&CK framework may be periodically refined.
We have now covered all the rows in MITRE’s new Pyramid of Pain project and move on to the columns.
Column 1: Application (A)
This category pertains to interactions at the application level, primarily involving observables connected to applications that are accessible to defenders prior to any adversary manipulation.
Observables in this category, such as various Event IDs related to task scheduling, provide insights into the activities occurring closest to the applications, allowing defenders to detect anomalies and potential threats early. For instance, monitoring the creation, deletion, enabling, and updating of scheduled jobs through corresponding Event IDs can reveal unauthorized or malicious modifications, indicative of adversarial activities.
Column 2: User-Mode (U)
Moving a step deeper, User-Mode focuses on the interactions occurring within the user mode of the OS, especially through system wrapper functions like Nt or Zw in Windows. Observables in this category, such as Sysmon IDs for process creation, termination, and access, reveal user-mode OS activities that can indicate malicious attempts to manipulate processes or install new services.
For example, abnormal process termination or creation detected through Sysmon IDs can flag potential security incidents where adversaries might be trying to gain unauthorized access or control over system processes.
Column 3: Kernel-Mode (K)
Delving into the core, the Kernel-Mode category involves interactions directly interfacing with the kernel, the heart of the OS. The observables in this level, including event IDs related to process creation and exit, are crucial for monitoring activities in the kernel, providing the most robust and hard-to-evade indicators of compromise.
Monitoring observables like creating remote threads or modifications in the registry can unveil attempts of adversaries to exploit kernel vulnerabilities or conduct unauthorized activities at the core level of the OS.
These three levels together offer a layered perspective into system interactions, enabling defenders to monitor, detect, and respond to threats from the surface applications to the core kernel activities, each level escalating in depth and criticality within the system infrastructure.
Mapping Ransomware with MITRE's Pyramid of Pain Project
Ransomware attacks are becoming increasingly sophisticated, but defenders can use MITRE's Pyramid of Pain project to map these attacks and identify effective mitigation strategies.
In this section, we are going to dissect the Snatch Ransomware and map a particular tactic, technique, and procedure (TTPs) of this ransomware gang to MITRE's new pyramid of pain project.
Detecting Modification of Registry (ATT&CK T1112): Level 5 x Kernel-Mode
For a more sophisticated example mapped to level 5 and Kernel-Mode (K), we can look at the tactics, techniques, and procedures of the Snatch Ransomware Gang, described in CISA’s advisory AA23-263A [1].
The following registry key is associated with Snatch ransomware's method to enforce persistence and operation in the Windows Safe Mode environment. The detailed explanation of the attack can be found here [2].
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service
This key ensures that the malicious service, deceptively named SuperBackupMan, is initiated during a Safe Mode boot, where most security and other non-essential services are disabled, allowing the ransomware to operate with less resistance.
SuperBackupMan is configured with properties preventing it from being stopped or paused by the user, aiding in the malware’s effort to evade detection and removal, subsequently allowing it to execute its encryption routine unhindered and disrupt recovery of the encrypted files by deleting Volume Shadow Copies.
Snatch Ransomware | Application (A) | User-Mode (U) | Kernel-Mode (K)
Core to (Sub-) Technique (5) | | | Detecting Modification of Registry (ATT&CK T1112)
Core to Some Implementation of (Sub-) Technique (4) | | |
Core to Pre-Existing Tool (3) | | |
Core to Adversary-brought Tool (2) | | |
Ephemeral (1) | | |
In the context of Windows Security Events, the creation or modification of a registry value could be tracked by Event ID 4657: “A registry value was modified.”
Monitoring for the creation or modification of registry keys, especially in the noted location related to Safe Mode operations, would be a critical step in identifying and responding to threats like the Snatch ransomware.
Additionally, the creation of a new service, such as the “SuperBackupMan” service, would typically generate an Event ID 7045: “A service was installed in the system.”
Both events can provide invaluable data points for incident response and forensic investigations. Keep in mind that having appropriate audit policies is essential to ensure that these events are being logged.
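The two invariant registry locations discussed in this post, the TaskCache\Tree key from the Row 5 scheduled-task example and the SafeBoot\Minimal key from the Snatch example above, can be watched with one analytic, and the Event ID 4657 and 7045 records mentioned here can be correlated to surface the Safe Mode persistence pattern. The following is an added example written for this article, not code from the original post, from MITRE, or from CISA: it evaluates constructed event records (field names follow the Windows event schema; hosts, times and file paths are invented), flags 4657 writes under either invariant key, and pairs a SafeBoot\Minimal hit with a 7045 service installation of the same name on the same host inside a time window.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Invariant registry locations taken from the article: the scheduled-task
# TaskCache\Tree key (T1053) and the Safe Mode minimal service list that Snatch
# abuses (T1112). The rule table itself is constructed for this example.
REGISTRY_RULES = [
    ("T1053", "Scheduled task registered",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"),
    ("T1112", "Service added to Safe Mode minimal boot list",
     r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"),
]

NT_MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"


def normalize_key(path: str) -> str:
    """Map the NT-style ObjectName that Event 4657 records to the HKLM\\ form used in the article."""
    if path.upper().startswith(NT_MACHINE_PREFIX):
        return "HKLM\\" + path[len(NT_MACHINE_PREFIX):]
    return path


def registry_alerts(events: List[Dict]) -> List[Dict]:
    """Flag Security Event 4657 (registry value modified) records under an invariant key."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4657:
            continue
        key = normalize_key(e.get("ObjectName", ""))
        for technique, title, prefix in REGISTRY_RULES:
            if key.lower().startswith(prefix.lower() + "\\"):
                alerts.append({"technique": technique, "title": title,
                               "host": e["Computer"], "time": e["TimeCreated"],
                               "key": key, "value_name": e.get("ObjectValueName"),
                               "new_value": e.get("NewValue"), "process": e.get("ProcessName")})
    return alerts


def safe_mode_persistence(events: List[Dict],
                          window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Pair a SafeBoot\\Minimal key alert with a System Event 7045 (service installed)
    for a service of the same name on the same host inside the time window."""
    pairs = []
    for a in registry_alerts(events):
        if a["technique"] != "T1112":
            continue
        service = a["key"].split("\\")[-1].lower()  # the subkey name is the service name
        for e in events:
            if (e.get("EventID") == 7045 and e.get("Computer") == a["host"]
                    and e.get("ServiceName", "").lower() == service
                    and abs(e["TimeCreated"] - a["time"]) <= window):
                pairs.append({"host": a["host"], "service": e["ServiceName"],
                              "image_path": e.get("ImagePath"), "safeboot_key": a["key"]})
    return pairs


# Constructed sample events. Hosts, times and paths are invented; the SafeBoot
# subkey and service name come from the article.
T0 = datetime(2024, 7, 23, 10, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "TimeCreated": T0 - timedelta(minutes=2),
     "ServiceName": "SuperBackupMan", "ImagePath": r"C:\Users\Public\sbm.exe"},
    {"EventID": 4657, "Computer": "WS01", "TimeCreated": T0,
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan",
     "ObjectValueName": "Default", "NewValue": "Service", "ProcessName": r"C:\Users\Public\sbm.exe"},
    {"EventID": 4657, "Computer": "WS02", "TimeCreated": T0 + timedelta(hours=1),
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MaliciousTask",
     "ObjectValueName": "Id", "NewValue": "{constructed-guid}",
     "ProcessName": r"C:\Windows\System32\schtasks.exe"},
    {"EventID": 4657, "Computer": "WS02", "TimeCreated": T0 + timedelta(hours=2),  # unrelated key
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\ExampleVendor\ExampleApp",
     "ObjectValueName": "Version", "NewValue": "2",
     "ProcessName": r"C:\Program Files\ExampleApp\app.exe"},
    {"EventID": 7045, "Computer": "WS03", "TimeCreated": T0,  # service install, no SafeBoot entry
     "ServiceName": "ExampleAgent", "ImagePath": r"C:\Program Files\ExampleAgent\agent.exe"},
]

if __name__ == "__main__":
    for alert in registry_alerts(SAMPLE_EVENTS):
        print(alert["technique"], alert["host"], alert["key"])
    for pair in safe_mode_persistence(SAMPLE_EVENTS):
        print("Safe Mode persistence:", pair)
```

Both rules key on where the write lands rather than on which binary made it, which is what puts them at row 5: the TaskCache\Tree entry appears however the task is created, and a service cannot survive a Safe Mode boot without its SafeBoot\Minimal subkey. As the text notes, none of this fires unless registry object auditing (for 4657) and System log collection (for 7045) are actually enabled on the endpoints.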
Benefits of the MITRE’s Summiting the Pyramid Project
To grasp the advantages of applying the Summiting the Pyramid project by MITRE Engenuity in a cybersecurity context, it's helpful to relate it to the discussion on the registry key modification tactics employed by Snatch Ransomware in the preceding section [2].
Summiting the Pyramid: Core to (Sub-) Technique (5) x Kernel-Mode(K)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service
Mapping the TTP (Tactics, Techniques, and Procedures) of Snatch ransomware with the MITRE Engenuity’s Pyramid of Pain’s framework aids in developing more resilient and adaptive defense mechanisms. By analyzing and mapping high-level indicators like TTPs, which are more challenging and costly for adversaries to modify, defenders can construct more robust and proactive security postures.
Within this project, by focusing on higher-level groups like Event IDs linked directly to techniques (level 5: Core to Technique), defenders can isolate indicators that are not only crucial to the attacker’s operation but are also significantly hard to alter. This leads to the development of analytics that are not easily evaded by adversaries, ultimately making the attacker’s job more complex and resource-intensive.
Utilizing this approach in conjunction with reliable and harder-to-manipulate data sources (moving to the right on the grid), allows for enhanced detection capabilities and a more holistic, enduring security stance, mitigating the risks associated with evolving threats like Snatch ransomware.
[1] “#StopRansomware: Snatch Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a. [Accessed: Sep. 21, 2023]
[2] A. Brandt, “Snatch ransomware reboots PCs into Safe Mode to bypass protection,” Sophos News, Dec. 09, 2019. Available: https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/. [Accessed: Sep. 21, 2023]