The concept of the Pyramid of Pain was introduced by David J. Bianco in 2013. Most security practitioners today know it as a model that ranks threat data by its value to the defender, the pain it inflicts on the adversary when you deny it, against the relative ease with which it can be obtained and used.
At the bottom of the pyramid sit the indicators that are easiest to obtain and process: hash values, IP addresses and domain names. As you move up the pyramid, campaigns, adversaries and their tactics, techniques and procedures (TTPs) come into play. These are far more valuable to you as a security practitioner, but they are also harder to obtain and to use effectively unless you have done the groundwork at the lower levels. Being able to move both up and down the pyramid is what lets you gather the data and intelligence needed to detect and respond to threats fully. With an end-to-end platform you can collect, analyze, understand and act on internal and external threat and event data at every stage of that journey and strengthen your security posture.
One thing at a time
To make that round trip, you first need to communicate with all of the different detection tools that make up your security infrastructure. It is like trying to talk to a group of children aged five to eighteen: each of them communicates in their own way, so if you want all of them to understand you, you have to speak in a way a five-year-old can follow. Detection tools likewise have many different ways of communicating, so if you need their data, the best way to talk to them is in the lowest common denominator: indicators. Using indicators, you can link things together and understand the meaning of the findings from your various security tools. They also give you a foundation from which to climb the pyramid. That is the "up" direction.
Earlier I described a scenario where a tool flagged an IP address that you could not make sense of on its own. You need a broader view. So you search external threat intelligence and discover that the IP address is associated with a particular adversary. Pivoting to that adversary, you learn that many other IP addresses are linked to it. Because the platform lets you speak to your other tools in that same lowest-common-denominator language, you can search each of them for those addresses. A large set of matching IP addresses gives you real confidence that something is going on. But you need to know more.
Climbing further up the pyramid gives you a complete picture of what is happening. The platform lets you add context and see relationships for a more strategic view. With frameworks such as MITRE ATT&CK, which describe campaigns, adversaries and their TTPs, you can pivot and broaden your search. For example, if the indicator is tied to a particular campaign or adversary, are there related artifacts you can search for in other tools to confirm malicious activity? By gathering data and intelligence all the way to the top of the pyramid, you can confirm or rule out an attack. With that panoramic view and solid evidence of what you are facing, you can decide how to respond.
Now you need to move back down the pyramid to execute that response. That means returning the relevant data to the appropriate tools in your defensive arsenal in the language they speak: indicators. Wherever possible, that communication is automated to speed up the response. The ability to zoom in and out on the Pyramid of Pain not only delivers extended detection and response (XDR), it also sends adversaries the message that their evasion methods will not work against you. It is cheap for an attacker to change hashes, IP addresses and domain names to evade detection. Replacing TTPs, however, is extremely expensive and time consuming, and may be enough to make them lose interest and move on from your business.
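The round trip described in the preceding paragraphs, as an added Python example that is not code from this column or from any vendor platform: telemetry from three tools with different field names is normalised to (type, value) indicator pairs, one IP address is pivoted to its adversary and that adversary's other indicators are searched across every tool, and the full indicator set is then translated back into each tool's own blocking vocabulary. The log records, the intel records, the adversary name `EXAMPLE-ACTOR-1` and the per-tool rule formats are all constructed for illustration; the ATT&CK technique IDs are real identifiers used only as sample values.

```python
"""Pyramid-of-Pain pivot: normalise indicators, climb to the adversary, descend to act.

Every record below is constructed sample data; no real tool or intel feed is read.
"""
from collections import defaultdict

# --- Constructed telemetry from three tools, each with its own field names ----
FIREWALL_LOGS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "action": "allow"},
    {"src_ip": "10.0.0.9", "dst_ip": "198.51.100.9", "action": "allow"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.200", "action": "allow"},
]
PROXY_LOGS = [
    {"client": "10.0.0.5", "host": "update-check.example", "status": 200},
    {"client": "10.0.0.7", "host": "cdn.example", "status": 200},
]
EDR_ALERTS = [
    {"endpoint": "ws-042", "sha256": "a1" * 32, "remote_ip": "198.51.100.9"},
]

# Which field of each tool carries which indicator type (the translation table).
FIELD_MAP = {
    "firewall": {"dst_ip": "ip"},
    "proxy": {"host": "domain"},
    "edr": {"sha256": "sha256", "remote_ip": "ip"},
}

# --- Constructed threat intel: the upper layers of the pyramid ----------------
# Hypothetical adversary profile; the ATT&CK IDs are real technique identifiers.
ADVERSARIES = {
    "EXAMPLE-ACTOR-1": {
        "indicators": {
            ("ip", "198.51.100.7"),
            ("ip", "198.51.100.9"),
            ("ip", "198.51.100.21"),          # known to intel, not yet seen locally
            ("domain", "update-check.example"),
            ("sha256", "a1" * 32),
        },
        "ttps": ["T1566.001", "T1071.001", "T1105"],
    }
}


def normalise(tool, records):
    """Flatten one tool's records into (type, value) pairs: the lowest common denominator."""
    pairs = set()
    for rec in records:
        for field, ioc_type in FIELD_MAP[tool].items():
            if field in rec:
                pairs.add((ioc_type, rec[field]))
    return pairs


OBSERVATIONS = {
    "firewall": normalise("firewall", FIREWALL_LOGS),
    "proxy": normalise("proxy", PROXY_LOGS),
    "edr": normalise("edr", EDR_ALERTS),
}


def climb(seed):
    """Zoom out: from one indicator to its adversary, the adversary's other indicators
    seen in each tool, the fraction of its indicator set observed, and its TTPs.
    Returns None when no intel links the seed to an adversary."""
    for name, profile in ADVERSARIES.items():
        if seed in profile["indicators"]:
            break
    else:
        return None
    hits = {tool: sorted(obs & profile["indicators"]) for tool, obs in OBSERVATIONS.items()}
    seen = set().union(*hits.values())
    return {
        "adversary": name,
        "hits": hits,
        "coverage": len(seen) / len(profile["indicators"]),
        "ttps": list(profile["ttps"]),
    }


# Each tool consumes only the indicator type it can act on, in its own (invented) syntax.
SINKS = {
    "firewall": ("ip", lambda v: f"deny ip any {v}"),
    "proxy": ("domain", lambda v: f"block-host {v}"),
    "edr": ("sha256", lambda v: f"quarantine sha256={v}"),
}


def descend(adversary):
    """Zoom in: push the adversary's whole indicator set back to the tools in their
    own language, including indicators intel knows about but no tool has seen yet."""
    profile = ADVERSARIES[adversary]
    actions = defaultdict(list)
    for tool, (wanted, fmt) in SINKS.items():
        for ioc_type, value in sorted(profile["indicators"]):
            if ioc_type == wanted:
                actions[tool].append(fmt(value))
    return dict(actions)


if __name__ == "__main__":
    picture = climb(("ip", "198.51.100.7"))
    print(picture)
    print(descend(picture["adversary"]))
```

The coverage figure is what turns "one IP address in one tool" into confidence: four of the adversary's five indicators show up across three tools. The descent step deliberately includes the fifth, unseen address, which is the point of pushing indicators back out rather than only blocking what already fired.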
Most of us who want to physically climb a pyramid will have to wait for world travel to resume. But zooming in and out of the Pyramid of Pain is something we can all do now, and it is worth adding to your bucket list if you have not already.
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record of driving growth and building team culture at fast-growing security companies, contributing to several successful liquidity events. Prior to ThreatQuotient, he was Vice President of Security Marketing at Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP. He has also held executive positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also advises several technology companies, including Valtix.