The Pyramid of Pain: A Practical Guide to Strengthening SOC Detection
In cybersecurity, one of the most valuable tools we have for making informed decisions is threat intelligence. It is more than just collecting data; it is about understanding and acting on that data to improve detection and response capabilities. The Pyramid of Pain, created by David Bianco, offers a straightforward model to help Security Operations Center (SOC) teams target the actions that will cause the most disruption for cyber threat actors (CTAs). If you are not familiar with the concept or need a refresher, this guide breaks it down and shows you how to use it to strengthen your SOC detection.
What Is the Pyramid of Pain?
The Pyramid of Pain ranks the types of indicator a defender can act on by how much it costs the adversary when that indicator is detected and denied. From bottom to top the levels are hash values, IP addresses, domain names, network and host artifacts, tools, and finally tactics, techniques and procedures (TTPs).
At the base of the pyramid, indicators like hashes and IP addresses are trivial for attackers to change: recompiling a binary yields a new hash and a fresh server yields a new IP, so blocking either only delays them momentarily. Moving up, domain names and host or network artifacts take more effort to replace, and tools take more still, because the CTA has to find, build or buy a replacement and learn to use it. At the apex sit TTPs: how the attackers actually operate and the behaviours that run through their campaigns. Changing those means retraining people and redesigning an operation, which is far harder than swapping an indicator and inflicts far greater pain, hence the name “Pyramid of Pain.”
Why Is It Important?
For SOCs, the goal is to optimise your detection and response strategies by focusing on where you can cause the most friction for the adversary. A SOC overloaded with low-impact indicators like hashes might catch simple attacks but will struggle against more sophisticated threats. By understanding and applying the Pyramid of Pain, you focus your resources on monitoring and detecting behaviours that are costly for attackers to change.
Mapping your existing detection capabilities to the Pyramid of Pain ensures you are aiming at what really matters. TTPs, for example, are key because they involve deeper aspects of the attacker’s strategy. These are the behaviours and processes an attacker must fundamentally change if disrupted. If your SOC can detect and respond to TTPs, you are causing real pain to your adversary, not just swatting away low-level nuisances.
Evaluating the Quality of Your Intelligence with the Pyramid of Pain
The Pyramid of Pain does not just apply to detecting and disrupting CTAs; it is also a way to evaluate the quality of the intelligence you are using to defend your organisation. If you are relying on static indicators like IP addresses or file hashes, you are dealing with data — not intelligence. To truly elevate your security posture, you need to go through the intelligence cycle: turning raw data into information, and then refining that information into actionable intelligence.
Good intelligence feeds — whether you generate them internally or purchase them — should include elements from every level of the Pyramid of Pain. If your feed stops at low-level indicators, you are not getting the full picture. An intelligence feed that delivers insight into TTPs is providing real value. That is where the Pyramid of Pain becomes a benchmark — if the intelligence you are working with can track TTPs, it is useful and strategic. If it only consists of indicators that can be easily swapped out by attackers, it is little more than noise.
Measuring Your Own Pain
The Pyramid of Pain can also serve as a measure of how hard it is to acquire intelligence. Obtaining basic indicators is easy and often cheap, but the further up the pyramid you go, the more difficult — and expensive — it becomes to gather that intelligence. Good intelligence that tracks CTAs’ tools and techniques is harder to produce, but it provides a much higher return on investment. Essentially, the Pyramid of Pain reflects your own “pain” as well as that of the threat actor.
However, the investment is usually worth it. While it may be costly to gather intelligence on a CTA’s TTPs, the payoff comes in causing significant disruption to their operations. Forcing a CTA to change a TTP is far more painful for them than the cost of generating intelligence on that TTP is for you. This is where your effort pays off — you endure marginal pain to generate the intelligence, but in doing so, you cause the CTA significant pain, forcing them to adapt, which takes time, resources, and money.
Making Life Hard for CTAs
The goal of applying the Pyramid of Pain is to force CTAs to expend effort. They are not just hackers operating in a vacuum — many of them have bosses, budgets, and limited resources just like any other organisation. When you make it hard for them, you are not just defending your network; you are actively attacking their efficiency and bottom line. Even if you cannot completely evict them from your network right away, you can make their operations so costly and time-consuming that they decide to leave on their own. There are always easier targets, and a CTA will often choose to move on rather than waste precious time, money, and resources retooling and developing new methods just to stay inside your environment.
This is why causing pain to a CTA is not just about blocking an attack — it is about strategic deterrence. Make it too expensive for them to stay in your network, and they will take their operations elsewhere.
Practical Steps to Applying the Pyramid of Pain in Your SOC
Understand Your Threat Landscape
Start by gathering threat intelligence relevant to your industry and geography. For instance, if you get regular snapshots of the CTAs targeting your sector, focus on the TTPs they are using. Tools like the MITRE ATT&CK framework provide a structured way to map these TTPs to your current detection capabilities.
Map Your SIEM Queries to MITRE ATT&CK
A good place to start is by evaluating your SIEM queries against the MITRE ATT&CK framework. This will help you identify which TTPs you are already detecting and where there are gaps (the delta). For example, if you know that a particular CTA uses credential dumping (ATT&CK technique T1003, OS Credential Dumping) as part of its campaign, but your current SIEM queries do not detect that behaviour, you can build new queries to cover the gap. Be honest about what counts as coverage: a rule that matches the hash of one known dumping tool is a hash-level detection, not a T1003 detection, and should not be recorded as closing the gap.
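The mapping step described above, worked through as an added example that is not part of the original article. Each SIEM rule is tagged with the ATT&CK technique it is meant to cover and with the pyramid level of the indicator it actually keys on; the actor profile is a hypothetical threat intelligence snapshot. The technique IDs are real ATT&CK identifiers (T1003 OS Credential Dumping, T1021 Remote Services, T1059 Command and Scripting Interpreter, T1071 Application Layer Protocol, T1105 Ingress Tool Transfer, T1486 Data Encrypted for Impact, T1566 Phishing); the rule names and the actor's TTP set are constructed.

```python
"""Added example: compute the detection delta between a CTA's known TTPs
and the SIEM rules you already run, and show where "coverage" is really
only a low-level indicator match.

Rule inventory and actor profile are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Pyramid of Pain levels, ordered from least to most painful for the attacker.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]


@dataclass(frozen=True)
class Rule:
    name: str        # hypothetical rule name
    technique: str   # ATT&CK technique ID the rule is mapped to
    level: str       # pyramid level of the indicator the rule actually keys on


# Hypothetical SIEM rule inventory.
RULES = [
    Rule("mimikatz_known_hash", "T1003", "hash"),
    Rule("lsass_handle_from_untrusted_process", "T1003", "ttp"),
    Rule("c2_ip_blocklist", "T1071", "ip"),
    Rule("psexec_service_install", "T1021", "tool"),
    Rule("office_spawns_shell", "T1059", "ttp"),
    Rule("phishing_sender_domain", "T1566", "domain"),
]

# Hypothetical actor profile taken from a threat intelligence snapshot.
ACTOR_TTPS = {"T1566", "T1059", "T1003", "T1021", "T1105", "T1486"}


def coverage_by_technique(rules):
    """Map each technique to the highest pyramid level among the rules covering it."""
    best = {}
    for r in rules:
        rank = PYRAMID.index(r.level)
        if r.technique not in best or rank > PYRAMID.index(best[r.technique]):
            best[r.technique] = r.level
    return best


def detection_delta(actor_ttps, rules, min_level="tool"):
    """Return (uncovered, weakly_covered).

    uncovered: actor techniques with no rule mapped to them at all.
    weakly_covered: actor techniques whose best rule sits below min_level on the
    pyramid, i.e. coverage an attacker can evade by swapping an indicator.
    """
    best = coverage_by_technique(rules)
    floor = PYRAMID.index(min_level)
    uncovered = sorted(t for t in actor_ttps if t not in best)
    weak = sorted(t for t in actor_ttps
                  if t in best and PYRAMID.index(best[t]) < floor)
    return uncovered, weak


def level_histogram(rules):
    """How many rules key on each pyramid level: a quick maturity snapshot."""
    return Counter(r.level for r in rules)


if __name__ == "__main__":
    uncovered, weak = detection_delta(ACTOR_TTPS, RULES)
    print("no coverage at all:      ", uncovered)
    print("indicator-only coverage: ", weak)
    print("rules per pyramid level: ", dict(level_histogram(RULES)))
```

On this inventory the delta is two techniques with no rule (T1105, T1486) plus one, T1566, that is "covered" only by a sender-domain match the CTA can replace in minutes. T1003 counts as TTP-level coverage because of the lsass handle rule, not because of the hash rule beside it.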
Regularly Update Detection Logic
As the threat landscape evolves, so should your detection logic. CTAs frequently adapt, and so must you. Regularly updating SIEM queries to reflect the latest TTPs ensures that you are detecting relevant behaviours. Rather than focusing solely on low-level indicators like IP addresses (which change frequently), invest time in detecting the harder-to-change elements such as tools and techniques.
Integrate Threat Hunting
Threat hunting plays a critical role in applying the Pyramid of Pain. By proactively searching for TTPs within your network, you can find attacks that might evade traditional signature-based detection. SOCs should prioritise threat hunting missions based on the TTPs that are most relevant to their threat landscape. If you know that CTAs targeting your industry rely on specific lateral movement techniques, for instance, build hunts around detecting those behaviours.
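The hunt described above, as an added example that is not part of the original article. It runs three detections over constructed Windows telemetry and shows why the base and the apex of the pyramid behave differently: a hash indicator catches only the build of a credential-dumping tool that was already shared as an IOC, while a behavioural rule for processes reading lsass.exe memory catches the recompiled build too, and a logon fan-out rule flags one account authenticating to many hosts in a short window. The records mimic the fields of Sysmon Event ID 10 (ProcessAccess) and Windows Security Event ID 4624 (logon); the hosts, paths, account names and truncated hashes are constructed, and the allowlist of legitimate lsass readers is an illustrative assumption you would tune to your estate.

```python
"""Added example: hash-level versus TTP-level detection over constructed logs.

Sysmon EID 10 fields used: source image, target image, GrantedAccess.
Security EID 4624 fields used: account, logon type, host.
All values are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath  # handles backslash paths regardless of the host OS

LSASS = r"C:\Windows\System32\lsass.exe"

EVENTS = [
    # The same dumping tool before and after recompilation: new hash, same behaviour.
    dict(id=10, ts="2024-05-01T09:00:01", host="WS01", source=r"C:\Temp\m.exe",
         sha256="3f1c9a2e7b8d4c60", target=LSASS, access="0x1010"),
    dict(id=10, ts="2024-05-01T09:05:12", host="WS02", source=r"C:\Temp\update.exe",
         sha256="9d0e4b7a1c2f8356", target=LSASS, access="0x1010"),
    # Benign lsass access: AV engine (allowlisted) and Task Manager (no VM_READ).
    dict(id=10, ts="2024-05-01T09:02:00", host="WS01",
         source=r"C:\Program Files\Windows Defender\MsMpEng.exe",
         sha256="77aa11bb22cc33dd", target=LSASS, access="0x1fffff"),
    dict(id=10, ts="2024-05-01T09:03:30", host="WS02",
         source=r"C:\Windows\System32\Taskmgr.exe",
         sha256="c0ffee0011223344", target=LSASS, access="0x1000"),
    # Network logons (type 3): one account fanning out across the estate.
    dict(id=4624, ts="2024-05-01T09:06:00", host="WS01", account="svc_backup", logon_type=3),
    dict(id=4624, ts="2024-05-01T09:06:40", host="WS02", account="svc_backup", logon_type=3),
    dict(id=4624, ts="2024-05-01T09:07:15", host="FS01", account="svc_backup", logon_type=3),
    dict(id=4624, ts="2024-05-01T09:08:02", host="DC01", account="svc_backup", logon_type=3),
    # Normal user activity: one file-server logon, one interactive logon.
    dict(id=4624, ts="2024-05-01T09:30:00", host="FS01", account="alice", logon_type=3),
    dict(id=4624, ts="2024-05-01T09:31:00", host="WS05", account="alice", logon_type=2),
]

# Only the original build was ever published as an IOC.
KNOWN_BAD_HASHES = {"3f1c9a2e7b8d4c60"}

# Assumed allowlist of processes that legitimately read lsass on this estate.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "svchost.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def hash_match(events, bad_hashes):
    """Base of the pyramid: fires only for builds whose hash we already hold."""
    return [e["host"] for e in events if e["id"] == 10 and e["sha256"] in bad_hashes]


def lsass_read_access(events):
    """TTP level: a non-allowlisted process opening lsass.exe with PROCESS_VM_READ."""
    hits = []
    for e in events:
        if e["id"] != 10 or ntpath.basename(e["target"]).lower() != "lsass.exe":
            continue
        src = ntpath.basename(e["source"]).lower()
        if src in LSASS_READERS_ALLOWED:
            continue
        if int(e["access"], 16) & PROCESS_VM_READ:
            hits.append((e["host"], src))
    return hits


def lateral_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """TTP level: one account with type-3 logons to >= min_hosts distinct hosts
    inside a sliding window. Returns {account: sorted hosts} for flagged accounts."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("hash IOC hits:      ", hash_match(EVENTS, KNOWN_BAD_HASHES))
    print("lsass read access:  ", lsass_read_access(EVENTS))
    print("logon fan-out:      ", lateral_fanout(EVENTS))
```

The hash rule sees WS01 only, because the build that landed on WS02 was recompiled after the IOC was published. The lsass rule sees both hosts without knowing anything about the binary, which is the point of hunting at the TTP level: the attacker has to change how the tool works, not just rebuild it. The fan-out rule flags svc_backup across four hosts in two minutes; alice's single network logon stays below the threshold, and her interactive logon is ignored because the rule only looks at type 3.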
Evaluate Your Success Regularly
It is crucial to measure the effectiveness of your SOC in causing pain to attackers. Are you regularly detecting TTPs, or mostly matching hashes and IP addresses? Are you identifying attacker tools in use before they cause damage? Regularly review your detection logs and threat reports, and track what share of your alerts come from each level of the pyramid, to ensure your SOC is moving beyond basic indicator detection and disrupting attackers at a strategic level.
Additional Applications of the Pyramid of Pain
Beyond tuning SIEM queries, the Pyramid of Pain can also guide several other SOC activities:
Incident Response
During an incident, focus your response efforts on indicators higher up the pyramid. For example, detecting the use of specific tools or techniques during an attack can provide insight into the attacker’s playbook and inform your response.
Red Team Exercises
When running red team scenarios, map their activities to the Pyramid of Pain. Ensure that your SOC can detect red team behaviours at the TTP level. If your team only catches IP addresses or file hashes, the exercise has revealed a critical gap in your detection capabilities.
SOC Maturity Assessment
Use the Pyramid of Pain as part of a SOC maturity assessment. Ask yourself: How well does your SOC detect and respond to indicators at the top of the pyramid? If most of your capabilities are focused on low-level indicators, it may be time to reassess your priorities.
Final Thoughts
The Pyramid of Pain is not just a theoretical model. It is a practical tool for SOCs to ensure they are spending time and resources on the areas that will truly make an impact. By focusing on the higher levels of the pyramid — tactics, techniques, and procedures — you force attackers to change the way they operate. That is how you cause pain, and that is how you keep your organisation secure.
Remember, causing pain to attackers is a good thing. Make it difficult, make it expensive, and most importantly, make it worth your team’s time.
References
RVAs3c: David Bianco: Pyramid of Pain: Intel-Driven Detection/Response to Increase Adversary’s Cost https://www.youtube.com/watch?v=zlAWbdSlhaQ