Not all indicators are equal. Blocking an IP the attacker can change in 30 seconds is low-value work. Detecting their TTPs forces them to rewrite their playbook: high-value work. The Pyramid of Pain, introduced by David Bianco, is the framework that organises this difference. This module covers the pyramid, the IOC lifecycle, and how to structure detection priorities around both.
The Pyramid of Pain: David Bianco's framework
  ▲ TOUGH!     TTPs (Tactics, Techniques, Procedures)
  │            Tools
  │            Network / Host Artifacts
  │            Domain Names
  │            IP Addresses
  │            Hash Values
  ▼ TRIVIAL
  attacker cost to change ↑    defender value ↑
Indicators at the bottom are cheap for attackers to change. Indicators at the top are expensive. Defenders who focus energy on blocking hashes and IPs are making the attacker’s life marginally inconvenient. Defenders who detect TTPs force the attacker to redesign their operation.
Walking up the pyramid
Hash values (SHA256, MD5)
Attacker recompiles the binary; new hash. Cost to attacker: near zero. Defence utility: short shelf life, good for known-malware blocking in AV.
IP addresses
Attacker rotates infrastructure (VPS, cloud, Tor). Cost to attacker: dollars and minutes. Defence utility: fires on the specific campaign’s current infrastructure.
Domain names
Attacker registers a new domain ($10). Cost: marginally higher than IP rotation. Defence utility: domain reputation data is robust; DNS queries are hard to hide entirely.
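As an added example (not part of the module), the ordering above applied to an indicator feed: a classifier that assigns raw IOCs to the hash, IP or domain tier, and an ager that expires them by tier, so triage time goes to the indicators the pyramid says are worth it. The shelf-life values and the indicator samples are constructed assumptions, not published figures.

```python
# Added example (not from the module): tier raw IOCs by Pyramid-of-Pain level and
# age them out by tier. Indicator values are constructed samples; the per-tier
# shelf lives are assumptions following the module's ordering, not published figures.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

TIER = {"hash": 1, "ip": 2, "domain": 3}            # higher = more attacker pain
SHELF_LIFE = {"hash": timedelta(days=7),              # assumed shelf lives
              "ip": timedelta(days=30),
              "domain": timedelta(days=90)}
_HEX = re.compile(r"^[0-9a-f]+$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(value):
    """Return the pyramid tier of a raw indicator, or None if unrecognised."""
    v = value.strip()
    if len(v) in (32, 40, 64) and _HEX.match(v):      # MD5 / SHA-1 / SHA-256
        return "hash"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    return "domain" if _DOMAIN.match(v) else None


def prioritise(indicators, now):
    """Drop expired/unrecognised (value, first_seen) pairs; sort the rest by tier, high first."""
    live = []
    for value, first_seen in indicators:
        tier = classify(value)
        if tier and now - first_seen <= SHELF_LIFE[tier]:
            live.append((tier, value))
    return sorted(live, key=lambda t: (-TIER[t[0]], t[1]))


def demo():
    """Run prioritise() over a constructed feed snapshot."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    feed = [
        ("ab" * 32, now - timedelta(days=2)),                    # fresh SHA-256
        ("cd" * 16, now - timedelta(days=10)),                   # stale MD5, expired
        ("203.0.113.10", now - timedelta(days=5)),               # TEST-NET-3 address
        ("c2.invalid-update.example", now - timedelta(days=40)), # reserved TLD
        ("not an indicator", now),                               # unrecognised
    ]
    return prioritise(feed, now)
```

The stale MD5 drops out first because its tier has the shortest shelf life; the domain survives longest and sorts to the top, matching the cost ordering in the diagram.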