The Pyramid of Pain: A Key Indicator of Your SOC’s Maturity


In a Security Operations Center (SOC), detecting and responding to threats are critical tasks. But how can you measure the effectiveness of your detection and ensure it is robust enough to counter attackers? This is where the Pyramid of Pain comes into play—a key concept for evaluating SOC maturity and structuring detection strategies.

What is the Pyramid of Pain?

Developed by David Bianco in 2013, the Pyramid of Pain classifies indicators of compromise (IOCs) based on their impact on an attacker when detected and blocked. It consists of six levels:

1. Hash Values (Easy to bypass)

  • Blocking or detecting a file hash is useful until the attacker modifies the file, which is trivial with automated tools.

2. IP Addresses (Easy to change)

  • An IP can be quickly changed using a VPN, proxy, or botnet, making this detection ineffective in the long term.

3. Domain Names (Harder, but still bypassable)

  • If an attacker has to buy a new domain and reconfigure their infrastructure, it imposes more effort.

4. Network/Host Artifacts (Difficult to bypass)

  • Detecting network traffic signatures (e.g., user-agent, communication patterns) or system artifacts (e.g., registry keys, unusual executions) forces attackers to modify their tools or methods.

5. Tools (Highly impactful for attackers)

  • Detecting and blocking tools like Mimikatz, Cobalt Strike, or Rclone forces attackers to change their habits, slowing them down and increasing their footprint.

6. TTPs (Tactics, Techniques & Procedures) (Where it really hurts!)

  • Identifying attacker behaviors and techniques (e.g., Pass-the-Hash, DLL sideloading, DNS exfiltration) forces them to completely rethink their approach, which is time-consuming and complex.

Why is it Important for a SOC?

A mature SOC doesn’t just block IPs or hashes. It tracks adversarial behaviors (TTPs) and implements robust, persistent detections. The higher you go in the pyramid, the more you disrupt attackers.

You Should Know:

To apply the Pyramid of Pain in your SOC, here are some practical steps and commands:

1. Detecting Hash Values

  • Use tools like YARA to create rules for file hashes:
    yara -r /path/to/rules /path/to/files
    
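As an added example (not part of the original post) that illustrates why hash values sit at the bottom of the pyramid and how the YARA step above differs from them: the script hashes a constructed byte string standing in for a file, matches it against a blocklist, then appends a single byte. That defeats the hash match, while a content-string check of the kind a YARA strings section carries (a host artifact, level 4) still fires. The sample bytes, the blocklist and the strings are constructed.

```python
from __future__ import annotations

import hashlib

# Constructed stand-ins for files on disk: not real binaries, just byte strings
# carrying a string artifact that a YARA rule could key on.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 32 + b"mimikatz sekurlsa" + b"\x00" * 32
# A rebuild, a packer run or one appended byte is all it takes to get a new hash.
MUTATED_SAMPLE = ORIGINAL_SAMPLE + b"\x00"


def sha256_hex(data: bytes) -> str:
    """Hash-value indicator (pyramid level 1)."""
    return hashlib.sha256(data).hexdigest()


def hash_match(data: bytes, blocklist: set[str]) -> bool:
    """Level 1 detection: exact SHA-256 lookup in a blocklist."""
    return sha256_hex(data) in blocklist


def artifact_match(data: bytes, patterns: tuple[bytes, ...]) -> list[bytes]:
    """Level 4 style detection: content strings that survive trivial rebuilds,
    equivalent to a YARA rule's strings section with 'any of them'."""
    return [p for p in patterns if p in data]


def evaluate(blocklist: set[str], patterns: tuple[bytes, ...]) -> dict[str, dict]:
    """Run both detections over the original and the mutated sample."""
    results = {}
    for name, sample in (("original", ORIGINAL_SAMPLE), ("mutated", MUTATED_SAMPLE)):
        results[name] = {
            "sha256": sha256_hex(sample),
            "hash_blocked": hash_match(sample, blocklist),
            "artifacts": artifact_match(sample, patterns),
        }
    return results


if __name__ == "__main__":
    # Blocklist built from the original sample, as a threat feed would publish it.
    blocklist = {sha256_hex(ORIGINAL_SAMPLE)}
    patterns = (b"mimikatz", b"sekurlsa")
    for name, r in evaluate(blocklist, patterns).items():
        print(f"{name}: hash_blocked={r['hash_blocked']} artifacts={r['artifacts']}")
```

Running it shows the original sample blocked by hash and the mutated one passing the hash check untouched, while both still match the content strings. A hash feed is therefore only as current as the last rebuild of the attacker's tooling.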

2. Blocking IP Addresses

  • Use iptables to block malicious IPs:
    iptables -A INPUT -s 192.168.1.100 -j DROP
    

3. Monitoring Domain Names

  • Use Pi-hole or similar DNS filtering tools to block malicious domains:
    pihole -b malicious-domain.com
    

4. Analyzing Network/Host Artifacts

  • Use Sysmon to monitor Windows registry changes; the rule below raises Sysmon Event IDs 12, 13 and 14 for any registry object whose path contains CurrentVersion\Run (registry rules use RegistryEvent, not ProcessCreate, and a RuleGroup needs a groupRelation):
    <Sysmon schemaversion="4.81">
      <EventFiltering>
        <RuleGroup name="Registry Events" groupRelation="or">
          <RegistryEvent onmatch="include">
            <TargetObject condition="contains">CurrentVersion\Run</TargetObject>
          </RegistryEvent>
        </RuleGroup>
      </EventFiltering>
    </Sysmon>
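An added example, not from the original post: a small consumer for the events such a rule produces. It parses constructed Sysmon Event ID 13 (RegistryEvent, value set) records in the Windows event log XML shape and flags writes under a Run key, applying the same "contains CurrentVersion\Run" test on the analysis side that the Sysmon config applies on the sensor. The hostname, SID, paths and values in the sample events are constructed.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Windows event log XML namespace used by Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Same "contains" test as the Sysmon rule, lower-cased for a case-insensitive match.
RUN_KEY_MARKER = "currentversion\\run"

# Constructed Sysmon events (not captured from a real host).
SAMPLE_EVENTS = [
    # Event ID 13: a value written under HKCU ...\CurrentVersion\Run by reg.exe
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="Image">C:\Windows\System32\reg.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater</Data>
    <Data Name="Details">C:\Users\Public\updater.exe</Data>
  </EventData>
</Event>""",
    # Event ID 13 to an unrelated application key: benign
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="Image">C:\Program Files\Contoso\agent.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Contoso\Agent\LastCheck</Data>
    <Data Name="Details">DWORD (0x00000001)</Data>
  </EventData>
</Event>""",
    # Event ID 1: process creation, no registry target at all
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe notes.txt</Data>
  </EventData>
</Event>""",
]


def parse_sysmon_event(xml_text: str) -> dict[str, str]:
    """Flatten one Sysmon event into a dict: EventID, Computer and every EventData field."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name", "")] = data.text or ""
    return event


def is_run_key_persistence(event: dict[str, str]) -> bool:
    """A registry value set (Event ID 13) under a Run/RunOnce key: autostart persistence."""
    return event.get("EventID") == "13" and RUN_KEY_MARKER in event.get("TargetObject", "").lower()


def triage(events_xml: list[str]) -> list[dict[str, str]]:
    """Return one finding per Run-key write: which host, which process, which key, which value."""
    hits = []
    for xml_text in events_xml:
        ev = parse_sysmon_event(xml_text)
        if is_run_key_persistence(ev):
            hits.append({"host": ev["Computer"], "image": ev.get("Image", ""),
                         "key": ev["TargetObject"], "value": ev.get("Details", "")})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['host']}] {hit['image']} wrote {hit['key']} = {hit['value']}")
```

Only the first event is reported; the Contoso key and the process-creation event fall through. The Details field (the program registered to autostart) is what an analyst pivots on next, which is why the finding carries it alongside the writing process.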

5. Detecting Tools

  • Use Sigma rules to detect tools like Mimikatz (Event ID 10 is a Sysmon event, not a Security-log one, so the rule keys on Sysmon process creation instead):
    title: Mimikatz Detection
    description: Detects execution of a binary named mimikatz.exe
    status: experimental
    logsource:
      product: windows
      category: process_creation
    detection:
      selection:
        Image|endswith: '\mimikatz.exe'
      condition: selection
    level: high
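An added example, not from the original post, that contrasts the tool-level rule above (level 5) with a TTP-level rule (level 6) over the same telemetry, which is the point of the "Tools" and "TTPs" levels of the pyramid. Both are evaluated against constructed Sysmon Event ID 10 (ProcessAccess) records: the tool rule keys on the image name, the TTP rule on the behaviour of reading LSASS memory (a GrantedAccess mask including PROCESS_VM_READ, 0x0010) from a process outside a small allowlist. Renaming the binary defeats the first rule and not the second. The events, paths and allowlist are constructed.

```python
from __future__ import annotations

# Constructed Sysmon Event ID 10 (ProcessAccess) records; not real telemetry.
SAMPLE_EVENTS = [
    # Credential-dumping tool under its own name: both rules fire.
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Same behaviour, binary renamed: the tool-name rule goes blind.
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\report_viewer.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Normal OS activity from an allowlisted component.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # Process access that does not touch LSASS.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Vendor\updater.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
]

PROCESS_VM_READ = 0x0010
# Constructed allowlist of OS components that legitimately open LSASS; tune per environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def tool_rule(ev: dict) -> bool:
    """Level 5: the Sigma rule above, keyed on the tool's file name."""
    return ev["EventID"] == 10 and ev["SourceImage"].lower().endswith("\\mimikatz.exe")


def ttp_rule(ev: dict) -> bool:
    """Level 6: LSASS memory read from a non-allowlisted process, whatever it is called."""
    src = ev["SourceImage"].lower()
    return (ev["EventID"] == 10
            and ev["TargetImage"].lower().endswith("\\lsass.exe")
            and (int(ev["GrantedAccess"], 16) & PROCESS_VM_READ) != 0
            and src not in LSASS_ACCESS_ALLOWLIST)


def evaluate(events: list[dict]) -> list[list[str]]:
    """Names of the rules that fire for each event, in input order."""
    return [[name for name, rule in (("tool", tool_rule), ("ttp", ttp_rule)) if rule(ev)]
            for ev in events]


if __name__ == "__main__":
    for ev, fired in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{ev['SourceImage']} -> {ev['TargetImage']}: {fired or ['none']}")
```

The second event is the one that matters: the attacker spent seconds renaming a file and the tool-level rule lost it, while the behavioural rule still fires because the technique itself did not change. The allowlist is where the tuning effort goes in practice; start it from what actually opens LSASS on your own hosts rather than from a generic list.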

6. Identifying TTPs