
How to organize threat intelligence data?

Updated: August 2, 2021 By Dmytro Cherkashyn

Threat hunting uses the six levels of the Pyramid of Pain described by Bianco

Image source - Shutterstock

I bet you have seen the pyramids of Giza at least once in a movie or a picture.

But have you ever seen the Pyramid of Pain (PoP), which is really famous among threat intelligence analysts and threat hunters?

We will take a look at the concept of the PoP and why it became so popular. But most importantly, we will check practical cases of its use.


The table presents the tools used to accomplish the IoC collection and analysis cycle at each Pyramid of Pain level, and the countermeasures adversaries typically respond with.

| Pyramid of Pain level | Tools to use for SOC | Adversaries' countermeasures |
|---|---|---|
| Hash value | Hash calculators and comparators | Code mutation and randomization |
| IP address | Black- and whitelisting of known affected IP addresses | Hacking more systems with new IP addresses, or using VPNs and proxies |
| Domain name | Verifying that domains belong to legitimate entities and are not spoofed | Creating new, nearly authentic-looking domain names |
| Network artifacts | SPAN/TAP port deep packet inspection | Wrapping packets inside false ones, using port redirects |
| Host artifacts | Host event services and log files | Clearing traces of activity from the mentioned files/places |
| Tools | SIEM or IDS/IPS | Changing tool banners to trick the IDS/IPS about which tool is in use |
| TTP | | Changing behaviour and habits, destroying the signature of attacks |
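The question in the title is "how to organize threat intelligence data", and the table gives the answer in principle: each indicator belongs to a pyramid level, and each level feeds a different SOC control. The Python below is an added example (not code from the article or from Bianco's work) that does this mechanically: bare strings are auto-classified as hash, IP or domain, upper-level indicators are passed in with their level already named, and the report names the control from the table for each populated level. The level names, the recognition rules, the control strings and the sample indicators are my assumptions; the sample indicators are constructed and are not real IoCs.

```python
import ipaddress
import re
from collections import defaultdict

# Pyramid of Pain levels, bottom (trivial for the adversary) to top (tough).
LEVELS = ["hash", "ip", "domain", "network_artifact", "host_artifact", "tool", "ttp"]

# SOC control per level, paraphrased from the table in the article.
# The table lists no tool for TTPs, so that entry stays None.
CONTROL = {
    "hash": "hash calculators and comparators",
    "ip": "black-/whitelisting of known affected IP addresses",
    "domain": "verification that a domain belongs to a legitimate entity",
    "network_artifact": "SPAN/TAP port deep packet inspection",
    "host_artifact": "host event services and log files",
    "tool": "SIEM or IDS/IPS",
    "ttp": None,
}

# Assumed recognition rules for the three "atomic" levels (hypothetical, mine).
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HEX_DIGEST_LENGTHS = {32, 40, 64, 96, 128}   # MD5, SHA1, SHA256, SHA384, SHA512
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.IGNORECASE)


def classify_ioc(value: str) -> str:
    """Map a bare indicator string to a pyramid level ("unknown" if none fits)."""
    v = value.strip()
    if _HEX.match(v) and len(v) in _HEX_DIGEST_LENGTHS:
        return "hash"
    try:
        ipaddress.ip_address(v)                 # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if _DOMAIN.match(v):
        return "domain"
    return "unknown"


def organize(iocs) -> dict:
    """Group indicators by level.

    Items are either bare strings (hash / IP / domain, classified automatically)
    or (level, description) pairs for the upper levels, which cannot be
    recognized from a string alone (artifacts, tools, TTPs).
    """
    grouped = defaultdict(list)
    for item in iocs:
        if isinstance(item, tuple):
            level, value = item
            if level not in LEVELS:
                raise ValueError(f"unknown pyramid level: {level}")
        else:
            level, value = classify_ioc(item), item
        grouped[level].append(value)
    return dict(grouped)


def report(grouped: dict) -> list:
    """One line per populated level, bottom to top, naming the SOC control to feed."""
    lines = []
    for level in LEVELS + ["unknown"]:
        values = grouped.get(level, [])
        if values:
            control = CONTROL.get(level) or "none listed"
            lines.append(f"{level}: {len(values)} indicator(s) -> {control}")
    return lines


# Constructed sample indicators (not real IoCs): the SHA-256 digest of the
# string "hello", a documentation-range IP, a lookalike domain, and two
# free-text entries for the upper levels.
SAMPLE_IOCS = [
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
    "198.51.100.7",
    "rnicrosoft.com",
    ("host_artifact", "scheduled task created outside the maintenance window"),
    ("ttp", "off-hours logins followed by bulk file access"),
]

if __name__ == "__main__":
    for line in report(organize(SAMPLE_IOCS)):
        print(line)
```

The split between auto-classified strings and explicitly typed tuples mirrors the pyramid itself: the bottom three levels are cheap to recognize and share, while everything above them needs an analyst to name what the indicator is before it can be routed anywhere.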

Why is this pyramid representation called the Pyramid of Pain?

If we look at the Pyramid of Pain as it was originally posted, we will see that each level has its own one-word explanation of difficulty. And from this point, many specialists will interpret it differently.

But let's first take a look at this piece of art from David Bianco.

The originally presented pyramid of TTPs, better known as Bianco's Pyramid of Pain

Image source – detect-respond.blogspot.com

  1. A pain to adversaries if proactive measures are implemented. Initially, the comments on the left side of the PoP showed how much trouble adversaries would potentially face if the indicators at a particular level were covered by proactive measures from an operator.
    Logically, "Trivial" means here that such an IoC can be replaced very quickly and easily by a new one that has not yet been discovered anywhere else. Don't worry; we will look at each of them in detail and explain the real struggles and reliefs for the SOC team working with them.
  2. A pain to SOC team members who use such Indicators of Compromise for fast and effective implementation of defensive controls. This basically doesn't contradict the previous reading but explicitly uses the contrasting approach.
    Really, take a "TTP" as an IoC for the SOC team. How should they describe those features to automated frameworks, or teach automated systems to react in a way that only professional analysts can, by correlating many observations into one subjective picture for their own interpretation?
  3. A pain of organizing the effective exchange of such threat intelligence between independent parties. Again, taking the highest level of the PoP: how to present and pack all the sophisticated interrelations between groups of attackers, tools, techniques, and tactics into something tangible and digestible for a wide range of specialists, probably even from different domains.

I am actually feeling this pain. Ah...

What are the 6 levels of the Pyramid of Pain?

It all looks and sounds excellent and significant, but it is not yet really related to any specific IoC.

I propose referring back to the previous chapter, with its 3 ways of understanding the PoP, to explain each level in detail.

Let’s start!

Hash values

The description on the pyramid says it is trivial. Hashes can be calculated by hundreds of different tools, e.g., hash-identifier, findmyhash or hcxtools.

We assume that a few hundred different hashing techniques and algorithms exist today. You may know some of them, especially those relevant for Bitcoin mining and password cracking. Among the most popular are CRC32, MD5, SHA1, SHA256, SHA384 and SHA512.

Calculated SHA1 for a particular folder.

  1. It isn't really a big challenge for attackers to change the hash value of a piece of malware. It heavily depends on the hashing algorithm itself, but usually even a new empty line in the malware code creates a totally new hash checksum, which will not match the known one.
  2. Hash calculators are pretty basic tools and can provide information within seconds. If the calculated hash matches a known malware hash, it could be a sign of a potential breach.
  3. Those strings, about 16 up to 32 characters long, are straightforward to share. Another advantage over file names is that they do not disclose any data, because hash calculation is a one-way process.
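The three points above (a one-byte change defeats the indicator, a comparator answers in seconds, and digests can be shared without disclosing content) can be shown in a few lines. The Python below is an added example, not code from the article: it computes the digests the text names for an in-memory sample and for a file on disk, compares them case-insensitively against a known-bad set, and then repeats the comparison after appending a single newline to the sample. The sample bytes and the "known bad" entry are constructed for the demonstration; the helper names are my own.

```python
import hashlib

# Algorithms named in the article that hashlib provides directly. CRC32 lives in
# zlib and is a checksum rather than a cryptographic hash, so it is left out here.
ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512")


def compute_hashes(data: bytes) -> dict:
    """Hex digests of an in-memory sample for every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, read in chunks so large samples need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_known_bad(digests: dict, known_bad: set) -> list:
    """Algorithms whose digest appears in the known-bad set (feeds mix upper and lower case)."""
    bad = {h.lower() for h in known_bad}
    return [name for name, hexdigest in digests.items() if hexdigest.lower() in bad]


# Constructed stand-in for a malware body; NOT real malware, just five bytes.
SAMPLE = b"hello"
# Constructed "known bad" feed entry: the SHA-256 of SAMPLE, published in upper case.
KNOWN_BAD = {"2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824"}


def demo() -> dict:
    """Show the match succeeding, then failing after a one-byte change to the sample."""
    original = compute_hashes(SAMPLE)
    mutated = compute_hashes(SAMPLE + b"\n")   # the "new empty line" from point 1
    return {
        "matches_before": match_known_bad(original, KNOWN_BAD),
        "matches_after": match_known_bad(mutated, KNOWN_BAD),
        "all_digests_changed": all(original[a] != mutated[a] for a in ALGORITHMS),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping every digest the feed might carry, rather than only one algorithm, costs almost nothing and avoids the common failure where a feed publishes SHA-256 while the sensor only records MD5.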

IP addresses

The description on the pyramid says it is easy. We can get IP addresses from the history of proxy-server communication or from a firewall.

Since many IP-based attacks are easily recognizable even without sophisticated techniques, it is enough to confirm abnormal traffic from specific IP addresses, whether inside the company or outside.

  1. Attackers use many intermediate servers, which hide the original IP, and compromised services or proxy servers to hide their own real IP address. If some of them are blocked, the others will still be functioning.
  2. The best-known ways to work with IP addresses are firewall rules and application whitelists and blacklists.
  3. IP addresses are strings of at most 15 characters, so they can easily be sent from one place to another. For additional security, the IP addresses participating in this process could be temporarily encrypted.

Domain names

The description on the pyramid says it is simple. Domain names are translated to specific IP addresses. This happens at the authoritative DNS servers, which have connections to further DNS servers. If one of them is compromised, the attacker can trick a victim into being forwarded to a malicious IP address through realistic-enough website names.

Example of a search entry that, at a quick glance, looks and reads like microsoft.com

  1. This requires an additional step on top of the IP address story for an attacker. If a DNS attack is resolved as well as a suspicious domain name, the attacker will only need to change the DNS entry for a specific IP.
  2. Responders can deal with such attacks quite effectively by adding them to the blacklist of the proxy servers.
  3. Such names are relatively short and normally don't exceed 12-16 characters.
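The IP and domain sections above both come down to the same SOC routine: take the proxy or firewall history, compare each destination against the indicator lists, and additionally watch for names that only read like a legitimate domain, as in the microsoft.com lookalike shown above. The Python below is an added example serving both sections; it is not code from the article. It parses a few constructed proxy log lines, matches destination IPs against a CIDR blocklist, matches hosts (and their parent domains) against a domain blocklist, and flags hosts whose registered name becomes a protected brand after folding common lookalike substitutions or sits one edit away from it. The log lines, the blocklists, the confusable table and the brand list are all constructed assumptions, and the IP addresses come from documentation ranges.

```python
import ipaddress

# Constructed proxy log lines: timestamp, client, destination IP, requested host.
# Addresses use documentation ranges (RFC 5737); the hosts are made up.
PROXY_LOG = """\
2021-08-02T10:00:01 10.0.0.5 192.0.2.1 example.com
2021-08-02T10:00:07 10.0.0.9 198.51.100.23 rnicrosoft.com
2021-08-02T10:00:09 10.0.0.5 203.0.113.77 login.micros0ft.com
2021-08-02T10:00:12 10.0.0.7 192.0.2.10 www.microsoft.com
2021-08-02T10:00:15 10.0.0.9 203.0.113.5 c2.bad.example.org
"""

# Constructed indicator lists (not taken from any real feed).
IP_BLOCKLIST = {"198.51.100.0/24"}       # IP level: a range in CIDR notation
DOMAIN_BLOCKLIST = {"bad.example.org"}   # domain level: exact names, parents included
PROTECTED_BRANDS = {"microsoft.com"}     # names worth watching for lookalikes

# Assumed character substitutions (not an exhaustive confusables table).
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold common lookalike substitutions; applied to both sides before comparing."""
    s = label.lower()
    for src, dst in _CONFUSABLES:
        s = s.replace(src, dst)
    return s


def registered_domain(host: str) -> str:
    """Last two labels. Simplification: a real implementation uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_listed(host: str, blocklist: set) -> bool:
    """True if the host or any parent domain is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, brands: set):
    """Return the brand a host imitates, or None (the genuine domain is never a lookalike)."""
    reg = registered_domain(host)
    if reg in brands:
        return None
    name = normalize(reg.split(".")[0])
    for brand in brands:
        brand_name = normalize(brand.split(".")[0])
        # Exact match after folding, or one edit away. Short brand names make the
        # distance rule noisy; tune the threshold per brand in practice.
        if name == brand_name or edit_distance(name, brand_name) <= 1:
            return brand
    return None


def scan(log_text: str, ip_blocklist: set, domain_blocklist: set, brands: set) -> list:
    """Return (timestamp, client, host, reasons) for every log line that hits an indicator."""
    networks = [ipaddress.ip_network(n, strict=False) for n in ip_blocklist]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                            # skip malformed lines
        ts, client, dst, host = fields
        reasons = []
        try:
            if any(ipaddress.ip_address(dst) in net for net in networks):
                reasons.append("ip-blocklist")
        except ValueError:
            pass                                # unparsable destination field
        if domain_listed(host, domain_blocklist):
            reasons.append("domain-blocklist")
        brand = lookalike_of(host, brands)
        if brand:
            reasons.append(f"lookalike:{brand}")
        if reasons:
            hits.append((ts, client, host, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(PROXY_LOG, IP_BLOCKLIST, DOMAIN_BLOCKLIST, PROTECTED_BRANDS):
        print(hit)
```

Each hit carries every reason that fired, so a line can be both an IP-level match and a domain-level lookalike; that is exactly the point of the pyramid, since the blocklisted range will be swapped out long before the attacker gives up on the brand name.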

Network/Host artifacts

The description on the pyramid says it is annoying. Modern operating systems store a history of everything that happened over the last years without any problems. The same can be said about network monitoring devices.

  1. Even though this is not as straightforward as the previous step, adversaries still have an opportunity to clear their activities or obfuscate them behind legitimate processes.
  2. It is still possible to apply some automation here, but it becomes much more difficult in comparison to the previous steps.
  3. Such data can already include some of the company's confidential details, which nobody wants to disclose or share with a wide range of organizations and people.

Tools

The description on the pyramid says it is challenging.

  1. Depending on the sophistication of the attack and the maturity of the adversary, some black-market tools could be used, which leave not much space for the attacker to change the tool itself. If there are new tools that are highly customizable by an attacker, he will take advantage of that.
  2. While some low-level tools can leave traces of their use, more sophisticated customized or self-created tools will probably be very silent, leaving minimal breadcrumbs to follow.
  3. If adversaries were successful in running specific exploits, then it is impossible to exclude that this malicious code or program has stored a lot of highly confidential data. Because of that, sharing the data and threat information can take a long day of data anonymization.

TTPs

The description on the pyramid says it is tough. As you might already have understood, this is the most sophisticated type of analysis and reaction, whether for the SOC or for the adversaries themselves.

  1. Since it is very high-level, it requires much more data than any other method. Search and correlation across collected and received data can take days and weeks.
  2. It is not easy to redevelop your own behavior from scratch. That is why, even for very experienced adversaries, the risk of being identified through some behavioral failure is quite high.
  3. TTPs are hardly implementable in the structured objects that are used for threat intelligence analysis and sharing.

Conclusion

We have looked at one of the most ingenious and easy-to-understand representations of the challenges that cybersecurity specialists in different departments and domains face every day:

  • How to find a unified understanding and definitions when speaking about complex threats like APTs.
  • How to analyze and correlate between many sources of non-identical data.
  • How to process threat data for sharing and distribution.

Stay tuned and watch around!

Editor-in-Chief
Dmytro Cherkashyn
Being a passionate security expert from Ukraine, Dmytro has passed through various security domains for the last 12 years, starting with the physical security of nuclear facilities and coming to operational technology cybersecurity for critical infrastructure in Germany.
