Pyramid of Pain

The Pyramid of Pain is an infosec concept that classifies IOCs (Indicators of Compromise) on a level of difficulty faced by an attacker in succeeding if they are denied certain indicators.

Hash Values (Trivial)

Software hash values are used by SOC analysts for the purpose of identification. Using a platform like VirusTotal, security researchers can upload a hash to gain more insight into a specific malware sample. It’s easy to spot a malicious file if its hash has been cataloged. However, an attacker can easily modify a known piece of malware to make it produce a different, unknown hash.

IP Address (Easy)

While it’s easy to block, drop, or deny inbound requests from malicious IPs, attackers can easily recover from this by just using a different public IP. Attackers can make it challenging to carry out IP blocking by using Fast Flux. Fast Flux is a DNS technique used by botnets to hide phishing, web proxying, malware delivery, and malware communication activities behind compromised hosts being used as proxies. This makes it difficult for security professionals to discover the communication between the malware and it’s C2 server. https://unit42.paloaltonetworks.com/fast-flux-101/

Domain Names (Simple)

Domain names can be a little bit more of a pain for an attacker to change as they need to purchase the domain, register it, and modify DNS records. Unfortunately for defenders, many DNS providers have loose standards and provide APIs to make it easy for attackers to change the domain.

Host Artifacts (Annoying)

Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.

Network Artifacts (Annoying)

A network artifact can be a user-agent string, C2 information, or URI patterns followed by the HTTP POST requests. Network artifacts can be detected in Wireshark PCAPs by using a network protocol analyzer such as TShark, or exploring IDS logging from a source like Snort.

Tools (Challenging)

When you can block attackers from using their tools, it’s game over. The attacker will most likely give up trying to break into the network, or go back to try and create a new tool that serves the same purpose. It’s game over when they need to invest money into building a new tool, find a tool that has the same potential, or even get training to learn how to be proficient in a certain tool.

TTPs (Tough)

TTPs are Tactics, Techniques & Procedures. If you can detect and respond to TTPs quickly, adversaries have almost no chance of fighting back. For example, if you could detect a Pass-the-Hash attack using Windows Event Log Monitoring and remediate it, you would be able to find the compromised host very quickly and stop the lateral movement inside the network.

Cyber Kill Chain

“Kill chain” is a military concept related to the structure of an attack. It consists of target identification, decision, and order to attack the the target, and finally target destruction.

Lockheed Martin established the Cyber Kill Chain framework in 2011, which defines the steps used by adversaries or malicious actors in cyberspace.

The Cyber Kill Chain helps analysts understand and protect against ransomware attacks, security breaches, and Advanced Persistent Threats.

Reconnaissance

Recon involves gathering OSINT (Open Source Intelligence) on the target. Email harvesting is one such method of reconnaissance, as collecting emails would allow an attacker to run a phishing campaign.

Weaponization

After successful reconnaissance, an attacker would craft a “weapon of destruction”. Rather than interacting with the target directly, a weaponizer should combine malware and exploit into a deliverable payload. Most attackers use automated tools to generate the malware or refer to the Dark Web to purchase malware. More sophisticated actors or nation-sponsored APT would write their own custom malware.

  • Malware - Program or software designed to damage, disrupt, or gain unauthorized access to a system

  • Exploit - Program or code that takes advantage of vulnerability or flaw in application/system

  • Payload - Malicious code attacker runs on system

Delivery

Delivery of the payload can be done through various methods such as phishing, USB drops, and watering hole attacks.

Watering hole attacks aim at a specific group of people by compromising the website they are usually visiting and redirecting them to the malicious website of an attacker’s choice.

Exploitation

To gain access to the system, an attacker needs to exploit the vulnerability. Lateral movement are the techniques that a malicious actor uses after gaining initial access to the victim’s machine to move deeper into a network to obtain sensitive data.

Installation

Once the attacker has gotten into the system, he wants to reaccess if he loses connection or got detected and had the initial access removed. This is when the attacker needs to install a persistent backdoor.

Persistence can be achieved through:

  • Installing a web shell
  • Installing a back door on the victim’s machine
  • Creating or modifying Windows services
  • Adding entry to the “run keys” for the malicious payload in the Registry or Startup Folder

Command & Control

After getting persistence and executing malware on the victim’s machine, the attack can open up the C2 channel through the malware to remotely control and manipulate the victim. This is known as C&C or C2 Beaconing as a type of malicious communication between a C&C server and malware on the infected host.

The most common C2 channels used by adversaries nowadays are:

  • HTTP Port 80 and HTTPS Port 443 - this type of beaconing blends malicious traffic with legitimate traffic and can help the attacker evade firewalls
  • DNS - Infected machine makes constant DNS requests to the DNS server that belongs to the attacker. Also known as DNS Tunneling.

Exfiltration

After going through the six phases of attack, the attacker can finally achieve his goals.

  • Collect user credentials
  • Perform privilege escalation
  • Internal reconnaissance
  • Lateral movement
  • Collect and exfiltrate sensitive data
  • Deleting backups and shadow copies
  • Overwrite or corrupt data

Unified Kill Chain

The UKC is a framework that is used to help understand how cyber attacks occur. It aims to complement other kill chain frameworks, such as Lockheed Martin’s Cyber Kill Chain and MITRE’s ATT&CK.

Threat Modeling

Threat modeling is a series of steps to ultimately improve the security of a system.

  1. Identify what systems and applications need to be secured and what function they serve in the environment. Is the system critical to normal operations, and is a system holding information like payment info or addresses?
  2. Addressing what vulnerabilities and weaknesses these systems and applications may have and how they could potentially be exploited.
  3. Creating a plan of action to secure these systems from the vulnerabilities highlighted.
  4. Putting in policies to prevent these vulnerabilities from occurring again where possible.

18 Phases of the UKC

![[Pasted image 20250716114446.png]]