This blog post is part of an ongoing series discussing the problem of operationalizing threat intelligence and how best to derive value from industry intelligence.

Climbing That Pyramid of Pain

IOCs vs TTPs

A lot is made of indicators of compromise (IOCs) within the cyber threat intelligence industry. IP addresses, domains, and file hashes are the atomic indicators of badness that, as an industry, we have been trained to love and crave. Because they are universally understood and trivially machine-readable, the industry has, correctly, pushed toward consuming them faster. But when you stop to think about the full scope of the problem most organizations face, is this really where prioritization should be taking place?

Think of the flow of intelligence as a watershed: malicious activity falls like rain, and the industry is the terrain that channels it. Public and private threat intelligence researchers, and often the automated systems they have built, do the legwork of cataloguing the resulting IOCs. Those IOCs are normalized into datasets, enter threat intelligence feeds, and that legwork ends up in the blocklists used by most security vendors, trickling down into their customers' environments.

Watershed Illustration

Most are aware of the Pyramid of Pain (David Bianco, 2013). It is a simple pyramid diagram that arranges the categories of evidence dug up during investigations (hash values, IP addresses, domain names, network and host artifacts, tools, and TTPs) and maps each to how much pain the threat actor suffers when that piece of evidence is burned and must be replaced. If an actor burns an IP address during a campaign, replacing it is trivial and there are likely automated processes already in place to keep operations running. At the other end of the pyramid is the situation where a threat actor has to adjust their tools, or worse, their techniques, in the middle of a campaign.


The lesson of the Pyramid of Pain can be taken further by mirroring it back on the industry. It is easy to ingest hashes, IP addresses, and domain names into the security appliances and agents organizations rely on. These are problems the industry has by and large solved, given a proper budget. Any organization with a sufficient baseline investment in its security program should already be blocking attacks that reuse known-bad IOCs. The mirror image of the pyramid is that the indicators cheapest for defenders to consume are also the ones cheapest for an adversary to replace.

By understanding which problem spaces are already well "solved" across the industry, analysts can prioritize how best to spend their time, effort, and resources. A threat intelligence program that is not focused on producing intelligence can instead create value for the organization through effective consumption of it.

The approach advocated here is for analysts to begin by enumerating what visibility is currently possible within the environment (which log sources, endpoint telemetry, and network data actually exist), while keeping an eye out for opportunities to extend it. This establishes institutional context for what the security organization is capable of detecting, so that research which is excellent in its detail but ultimately unusable for building detections at this specific organization can be set aside. With that environmental awareness in place, the next step is to consume intelligence: read blogs, threat reports, and articles written by incident responders and threat intel analysts, focusing on the tactics, techniques, and procedures (TTPs) that can be turned into relevant detections for a modern adversary's toolkit. By climbing the pyramid of pain toward more robust and durable detections, internal security programs mature and become more effective at countering advanced threat actors.