By: Kamran Saifullah
There will be times when you will keep hearing about The Crown Jewels and The Pyramid of Pain. These two are very important when it comes to Cyber Security.
In today’s world, all we are trying is to secure our critical assets (Mission Critical Assets). These are the assets which drive an organization and without which one organization will never stand on its feet. Also, if these are breached, the organization as a whole will be destroyed because only due to these assets, one organization handling its customer’s requests as well as their customer data which is indeed the most critical asset to one organization.
Due to this reason, it is really important to protect the crown jewels. In order to ease the process of finding your critical assets, all you need is the complete “Asset Inventory” which in most cases is never maintained. If it is maintained most of your work has already been done and if not the responsible department (IT) will have to get it done and a copy will be shared with the Information Security Team.
Once all the organization’s assets are covered, you can perform the BIA (Business Impact Analysis), Calculate the Asset Value, or by performing the Risk Assessment of the assets. This will yield out the Crown Jewels and Mission Critical Assets.
Why are we doing this? It is all because we have to protect these assets from adversaries, internal and external threats etc. Thus, the security of these crown jewels is required to be ensured and it can be done by doing the following.
- Identify the Mission Critical Assets → We have done it already!
- Identify the Adversarial Threats to these Mission Critical Assets → To ensure what adversaries are looking for!
- Identify the most appropriate Security Precautions, Policies, Procedures, and Guidelines to be implemented in order to ensure these Mission Critical Assets (MCAs).
- Finally, we need to monitor the actions we have taken (Monitoring) and to perform an ongoing Threat Hunting to keep on hunting the adversaries.
David Bianco introduced the Pyramid of Pain back in 2013 in which he emphasized the IOCs (Indicator of Compromise) importance. He mentioned that these IOCs will always have value for the attackers who are trying to compromise the organizations.
The Pyramid of Pain can be understood by two different aspects.
Malware, Ransomware, Exploit Kits, Root-Kits and everything else is being developed by the attackers. This is all to ensure their software’s/programs remain hidden. The main reason is that APTs always want to remain hidden in the organization’s network for a long. This will help them evade themselves and will allow them to take as much information as required.
Research has been performed on these APT groups, MITRE has come up with the TTPs (Tactics, Techniques and Procedures). These are the known techniques of the known APT Groups. FireEye, KasperSky, Symantec, Mandiant and many other organizations are publishing their reports which cover a detailed analysis of the adversaries’ TTPs.
For the attackers, this is daunting and a nightmare all because threat intelligence feeds are now being shared around the globe and all known threats will raise an alert and suspicion which will eventually lead security teams to catch these adversaries. So, for the attackers, the Pyramid of Pain, adds a pain value on 6 levels. They will have to come up with something which will never get caught.
Defenders are collecting the Threat Intelligence feeds around the globe, SOC is monitoring the threats, and Red Teams are performing the Breach and Attack Simulations. This is all due to the need for security and is clear that attackers will be coming in someday/sometime.
The Pyramid of Pain provides a way forward and the best approach to be followed in order to hunt down the adversaries.
David Bianco also emphasizes that the need of detecting the indicators is to respond to them. If this wasn’t the case we shall not be detecting the indicators of compromises. He also mentions that, once you can respond to these indicators quickly enough, you have denied the adversary the use of those indicators when they are attacking you.
It is required to be understood that not all indicators are valued equally.
SHA1, SHA2, MD5 or other similar hashes that correspond to specific suspicious or malicious files. Often used to provide unique references to specific samples of malware or to files involved in an intrusion.
IP Addresses It is an IP address Or maybe a netblock.
Domain Names This could be either a domain name itself (e.g., “evil.net”) or maybe even a sub- or sub-sub-domain (e.g., “this.is.sooooo.evil.net”)
Network Artifacts are caused by adversary activities on your network. Technically speaking, every byte that flows over your network as a result of the adversary’s interaction could be an artifact. However, in practice, this really means those pieces of the activity that might tend to distinguish malicious activity from that of legitimate users. Typical examples might be URI patterns, C2 information embedded in network protocols, distinctive HTTP User-Agent or SMTP Mailer values, etc.
Host Artifacts are caused by adversary activities on one or more of your hosts. Again, we focus on things that would tend to distinguish malicious activities from legitimate activities. They could be registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names, names or descriptions or malicious services or almost anything else that’s distinctive.
Software is used by the adversary to accomplish its mission. Mostly these will be things they bring with them, rather than software or commands that may already be installed on the computer. This would include utilities designed to create malicious documents for spear phishing, backdoors used to establish C2 or password crackers or other host-based utilities they may want to use post-compromise.
Tactics, Techniques and Procedures (TTPs)
How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between. “Spearphishing” is a common TTP for establishing a presence in the network. “Spearphishing with a trojan PDF file” or “… with a link to a malicious . SCR file disguised as a ZIP” would be more specific versions. “Dumping cached authentication credentials and reusing them in Pass-the-Hash attacks” would be a TTP. Notice we’re not talking about specific tools here, as there is any number of ways of weaponizing a PDF or implementing Pass-the-Hash.
So in order to conclude the overall discussion. Hash Values, IP Addresses, and Domain Names are the most common IOCs. These can be generated via Static Analysis or can be ingested via the Threat Intelligence Feeds. These are the quick wins. Once we are done blocking these, our focus should move towards the Network and Host Artifacts, these can be generated by Dynamic Analysis and can vary from organization to organization.
We need to start working on the attacker’s Tools, we need to block the working of their tools, thus, this will add pain to attackers and they will have to change their technology which is not easy in this case.
Finally, we are left with the TTPs. We can follow the MITRE ATT&CK to create rules, perform threat hunting based on the known Adversarial TTPs and can generate a hypothesis which will eventually lead to performing the Threat Hunting of unknown adversaries.
In simple words, the Pyramid of Pain provides a systematic method to be followed in order to add more pain to adversaries i.e. making it more difficult to compromise you. This can only be done when the quick wins are followed on a quick basis and all the focus is then diverted to understanding the adversaries TTPs.