Why They’re Easy to Beat#

All an attacker needs to do is make a tiny change to their malware – even altering a single character – and the hash completely changes. The malware still works exactly the same, but your security tools won’t recognize it anymore!

Real-World Example#

Imagine your security tool blocks a ransomware file with the hash 8b88dd36cee24090a76d9e18cde611cc. The attacker simply makes a small tweak to their code, and now it has a completely different hash like 7a9d8ca69f114de6745248b07b65a726 – and it sails right past your defenses.

Still Useful, But Limited#

Hash values do help identify known threats exactly and are great for sharing in threat intelligence. Just don’t rely on them as your only defense – smart attackers will always find ways around them.

How Attackers Get Around IP Blocks#

Attackers have several tricks to bypass IP-based blocks:

• They switch to services that give them new IPs regularly
• They use hacked computers as middlemen
• They leverage cloud services where getting new IPs takes minutes
• They set up networks that constantly shuffle their addressing

Real-World Example#

An attacker running a command server at 192.168.1.100 gets blocked. No problem – they just spin up a new server in AWS or Azure with a fresh IP address in minutes, and they’re back in business.

Still Worth Doing#

Despite these limitations, tracking and blocking suspicious IPs is still valuable. IP reputation services help identify known bad addresses so you can block them before they cause harm.

Common Evasion Tactics#

Attackers use several methods to get around domain blocking:

• They create algorithms that automatically generate thousands of random domain names
• They register look-alike domains (like “g00gle.com” instead of “google.com”)
• They hide behind legitimate services
• They compromise legitimate websites temporarily

Real-World Example#

When “malicious-site.com” gets blocked, an attacker quickly registers “ma1icious-site.com” (note the number “1” instead of letter “l”) or simply adds a different extension like “malicious-site.net” and continues their campaign.

Proactive Defense#

Monitoring for suspicious domain registration patterns can help you spot potential attack infrastructure before it’s even used. This gives you a head start in protecting your systems.

Why They Matter#

These artifacts tell you exactly how malware operates within your environment. When you detect these patterns, you’re not just finding individual instances of malware – you’re uncovering their methods.

Why They’re Harder to Change#

For attackers to change these, they must modify their actual code and how their tools work – not just surface details like what server they use. This requires real programming effort and testing.

Real-World Example#

Imagine malware that creates a specific registry key at “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SuspiciousService” to automatically start when your computer boots up. If your security tools detect this specific pattern, the attackers must rewrite their code to use a completely different method of persistence.

The Security Advantage#

By looking for these types of indicators, you can still catch attackers even when they’ve changed their IP addresses and domain names. However, determined attackers with enough technical skill can still modify these with some effort.

The Big Challenge for Attackers#

When you can detect their specific tools regardless of how they’re delivered or how they communicate, attackers face a major hurdle. They must either heavily modify their tools or build new ones from scratch – both requiring significant expertise, time, and resources.

Real-World Example#

If your security team can reliably detect Cobalt Strike (a popular attack tool) based on how it behaves rather than just its basic indicators, attackers face a serious problem. They must either significantly rework their attack tools or completely switch to different ones – neither option is quick or easy.

Modern Protection#

Today’s advanced security tools use behavioral detection to identify malicious software based on what it does rather than static properties like file sizes or names. This approach significantly raises the difficulty level for attackers.

The Ultimate Defense#

When you can detect attackers based on their methodologies and behaviors, you’ve reached cybersecurity nirvana. At this level, you’re not just finding their tools – you’re recognizing their entire playbook.

Maximum Pain for Attackers#

Changing TTPs is extremely painful for attackers because it requires them to:

• Completely rethink their attack strategies
• Learn entirely new skills and techniques
• Develop and test new operational methods

This process can take months and may require them to start from scratch – an expensive and frustrating ordeal.

Real-World Example#

If your security team can detect attackers moving laterally through your network using Windows Management Instrumentation (WMI) techniques – regardless of what specific malware they’re using – the attackers must now develop entirely new methods for expanding their access. This might require extensive research, testing, and possibly abandoning techniques they’ve relied on for years.

The MITRE Connection#

The MITRE ATT&CK framework works perfectly with the Pyramid of Pain by cataloging these TTPs in detail. This framework helps you understand and defend against specific attack methods rather than just looking for individual malicious files or connections.

5 Ways to Implement the Pyramid of Pain#

1. Create Multi-Layer Detection Don’t just look for known bad files (hashes) – also watch for suspicious behaviors. When your security tools can detect the patterns of an attack rather than just specific files, attackers have a much harder time getting around your defenses.
2. Use Smart Threat Intelligence Go beyond simple blocklists. Look for threat intelligence that explains the “how” and “why” behind attacks, not just the “what.” This context helps you spot new attacks that use similar methods.
3. Invest in Better Tools Choose security tools that can detect suspicious behavior patterns, not just match known bad signatures. Modern solutions like EDR (Endpoint Detection and Response), UEBA (User and Entity Behavior Analytics), and network traffic analysis see attacks based on how they behave, not just what they look like.
4. Build Skills, Not Just Systems The highest level of the pyramid requires human intelligence. Train your team to understand attack techniques so they can spot unusual activities that automated systems might miss.
5. Join the Community Share what you learn with other security professionals and learn from them too. When everyone contributes knowledge about attack methods, the entire community becomes stronger against threats.

Speed Matters#

The time between detecting an attack and responding to it can make all the difference. Automated systems can block attacks at the lower levels of the pyramid before they even have a chance to advance to more sophisticated stages.

Balancing False Alarms#

As you move up the pyramid, detection methods tend to trigger more false alarms. Finding the right balance between effective detection and manageable alert volumes is crucial. Implement good triage processes to handle potential false positives efficiently.

Attackers Evolve Too#

As defenders get better at detecting TTPs, sophisticated attackers will continue to innovate. Stay vigilant and keep learning about new attack methods as they emerge.

New Work Environments#

With cloud services and remote work becoming the norm, traditional network boundaries are disappearing. Modern security strategies need to adapt the Pyramid of Pain concept to environments where the old idea of a secure perimeter no longer applies.