The Pyramid of Pain: Advanced Infrastructure-Based Threat Intelligence to Frustrate and Defeat Cyber Attackers
In the relentless battle between cyber attackers and defenders, the complexity and sophistication of threats continue to evolve. Defenders must therefore constantly adapt, utilizing innovative methods to outsmart adversaries. One of the most effective ways to disrupt attackers is by understanding and applying threat intelligence in a way that makes their efforts increasingly expensive and difficult to execute. The Pyramid of Pain, developed by David J. Bianco, offers a highly practical framework that categorizes different indicators of compromise (IoCs) based on the level of disruption they cause to attackers.
At its core, the Pyramid of Pain demonstrates that while some IoCs, such as hash values, are trivial for attackers to bypass, others—such as disrupting Tactics, Techniques, and Procedures (TTPs)—inflict serious operational costs. However, a closer look at infrastructure analysis, including BGP Autonomous System (AS) numbers, associated subnets, and historical IP usage, can significantly elevate the difficulty of even the simpler layers. This column will explore how defenders can use expert-level infrastructure intelligence to make attackers’ lives even more difficult, forcing them to expend resources, time, and effort.
By diving deep into each layer of the Pyramid of Pain, we’ll explore how leveraging network infrastructure—particularly BGP AS numbers, subnets, and historical IP intelligence—enhances defensive strategies. This article will also provide expert insights into how defenders can use a more sophisticated, infrastructure-based approach to challenge attackers at every step of the way.
The Pyramid of Pain: A Deep Dive into Threat Intelligence
The Pyramid of Pain organizes indicators of compromise into six levels according to how much effort an attacker must spend to change them. The bottom layers, such as hash values and IP addresses, are relatively easy for attackers to modify, while the higher layers—tools and TTPs—require significant effort to alter. However, defenders can raise the difficulty at even the lower layers by incorporating infrastructure intelligence, making it much harder for attackers to pivot after detection.
Let’s examine each layer of the pyramid, detailing how an infrastructure-focused approach elevates defenses and imposes real "pain" on attackers.
1. Hash Values: Automating Initial Detection
At the base of the Pyramid of Pain are hash values—fixed-length fingerprints computed from a file's contents with cryptographic hash functions like MD5, SHA-1, and SHA-256. Hashes are widely used in detecting known malware by matching them against signature databases. While useful, hashes are easily circumvented by attackers who simply modify the file to change its hash value.
Attacker Response: Attackers can effortlessly modify a file’s hash by altering even a single byte, making it ineffective to rely solely on hash-based detection.
Defensive Strategy: Despite being easy to evade, hash values are useful for identifying known malware or attacks quickly. Integrating hash detection into an automated system that triggers sandbox analysis and behavior-based detection helps mitigate the limitations of hash-based strategies.
Expert Tip: Use hash-based detection in combination with machine learning algorithms that can analyze behavioral patterns of files. By correlating hash-based detections with real-time monitoring of file behavior, defenders can capture unknown variants of malware with similar functionality.
2. IP Addresses: Using BGP AS Numbers and Infrastructure to Complicate Evasion
The next layer of the pyramid, IP addresses, is often used by attackers to host command-and-control (C2) servers, distribute malware, or conduct phishing attacks. Simple IP-based defenses involve blocking known malicious IP addresses, but attackers can easily rotate or change IP addresses, especially in environments like cloud providers or botnets. This is where infrastructure-based analysis, particularly BGP AS numbers and subnets, can make a significant difference.
Attacker Response:
Switching IP addresses is straightforward for attackers. Many use techniques such as fast-flux DNS or dynamically rent new IP blocks from cloud service providers, allowing them to evade simple IP blocking with ease.
Advanced Defensive Strategy: Infrastructure-Focused IP Address Blocking
To significantly complicate attackers' operations, defenders should focus on understanding the infrastructure behind IP addresses. This involves analyzing BGP AS numbers, associated subnets, and the historical behavior of specific IP ranges to block or monitor entire segments of infrastructure. This method forces attackers to abandon well-established infrastructure and seek new hosting providers, which increases both operational cost and complexity.
1. BGP AS Numbers and Subnet-Level Analysis
BGP AS numbers group IP addresses under the control of a specific network provider, such as an ISP or a cloud hosting service. Attackers often rent addresses announced by particular AS numbers for their malicious activity. Instead of just blocking individual IP addresses, defenders should block entire subnets or closely monitor traffic associated with suspicious AS numbers.
BGP AS-Based Blocking: By blocking entire AS ranges, defenders make it difficult for attackers to simply switch to a new IP address within the same infrastructure. Blocking at this level forces attackers to find a completely new provider, adding time and effort to their attack cycle.
Granular Subnet Focus: When dealing with large hosting providers, broad AS blocking may disrupt legitimate traffic. In such cases, defenders should narrow their focus to specific subnets assigned to individual customers (e.g., /29 or /30 subnets). These smaller subnet blocks, often rented by attackers for dedicated operations, can be tracked and blocked without disrupting broader traffic.
2. Historical IP Address Usage
Attackers frequently reuse infrastructure across different campaigns, sometimes recycling IP addresses or entire subnets over time. By tracking the historical usage of IP addresses within specific AS numbers, defenders can build a profile of malicious infrastructure and block new IP addresses as they emerge within that profile.
Historical IP Intelligence: Maintain a historical database of IP addresses used by attackers in previous campaigns. By cross-referencing this database with new traffic, defenders can predict future IPs likely to be used in upcoming attacks, allowing for proactive blocking before attacks fully materialize.
3. Cross-Referencing Legitimate Traffic
Blocking entire AS numbers or subnets can carry the risk of disrupting legitimate services. Cloud providers like AWS, Google Cloud, and Azure host a mixture of legitimate and malicious activities. To avoid collateral damage, defenders should analyze the traffic patterns and services associated with specific subnets before implementing broad blocks.
Cross-Referencing Legit Traffic: Utilize traffic monitoring and behavioral analytics to differentiate between expected, legitimate services and suspicious activity within specific subnets. By identifying deviations from normal behavior—such as unexpected spikes in data transfer or unusual connection times—defenders can focus on truly malicious activity.
Expert Tip: Machine learning models can help detect anomalous traffic patterns within specific subnets, reducing the chance of blocking legitimate traffic while improving the accuracy of identifying suspicious infrastructure.
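The three steps above (AS and subnet summarisation, historical IP profiling, and a collateral-damage check before blocking) as one worked example. This is added illustration code, not from the article; the AS numbers, addresses and legitimate-traffic counts are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the article): IoC IPs seen in earlier campaigns,
# each tagged with the BGP AS number that announced it. Addresses come from the
# RFC 5737 documentation ranges and the AS numbers are private-use placeholders.
HISTORICAL_IOCS = [
    ("203.0.113.10", 64500),
    ("203.0.113.12", 64500),
    ("203.0.113.13", 64500),
    ("198.51.100.200", 64501),
]

# Constructed count of distinct legitimate hosts seen talking to each /29 (e.g. from
# NetFlow), used to estimate collateral damage before a whole prefix is blocked.
LEGIT_HOSTS_SEEN = {
    "203.0.113.8/29": 0,      # dedicated customer block: only attacker activity seen
    "198.51.100.200/29": 40,  # shared hosting: many legitimate services
}


def build_profile(iocs, prefix_len=29):
    """Summarise historical IoC IPs into exact IPs and per-AS customer-sized subnets."""
    profile = {"ips": set(), "subnets": defaultdict(set)}
    for ip, asn in iocs:
        profile["ips"].add(ipaddress.ip_address(ip))
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        profile["subnets"][asn].add(net)
    return profile


def score_ip(ip, asn, profile):
    """Return (verdict, reason) for a newly observed IP announced by AS `asn`,
    escalating from exact IoC reuse, to an abused subnet, to an AS with prior abuse."""
    addr = ipaddress.ip_address(ip)
    if addr in profile["ips"]:
        return ("block", "ip reused from an earlier campaign")
    for net in profile["subnets"].get(asn, ()):
        if addr in net:
            return ("block", f"inside previously abused subnet {net}")
    if asn in profile["subnets"]:
        return ("monitor", f"AS{asn} hosted earlier campaigns")
    return ("allow", "no infrastructure history")


def safe_to_block(net, legit_seen=LEGIT_HOSTS_SEEN, max_legit_hosts=5):
    """Refuse to block a prefix that also carries non-trivial legitimate traffic."""
    return legit_seen.get(str(net), 0) <= max_legit_hosts
```

A real deployment would populate the AS tags from a BGP data source and the legitimate-host counts from flow telemetry rather than from the constructed dictionaries above.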
3. Domain Names: Leveraging Infrastructure to Disrupt Malicious Domains
Domains are a key asset for attackers who use them to distribute malware, host phishing websites, or run C2 infrastructure. Simple domain-based defenses rely on blacklisting known malicious domains, but attackers can quickly register new domains or use techniques like fast-flux DNS to switch domains frequently. A more advanced approach involves analyzing the infrastructure associated with domains.
Attacker Response:
Attackers can easily switch domains, particularly when using domain generation algorithms (DGAs) that generate a large number of domains automatically. DGAs make it nearly impossible for defenders to blacklist domains individually.
Advanced Defensive Strategy: Domain Infrastructure Analysis
Instead of simply blocking individual domains, defenders should investigate the underlying infrastructure behind domains—such as DNS providers, registrar patterns, and the hosting environment—to identify suspicious activity.
Domain Generation Algorithms (DGAs)
Many advanced attackers use DGAs to generate large numbers of domains in an attempt to evade detection. While blacklisting each domain manually is impractical, machine learning models can predict future domains generated by DGAs and block them before they are used in attacks.
Expert Tip: Focus on identifying patterns in DNS resolution, including the use of unusual or less reputable DNS providers. By analyzing how domains resolve and which DNS services they use, defenders can often detect malicious infrastructure before it's fully operational.
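A character-level DGA heuristic of the kind a model in the DGA paragraph above would refine, as an added example that is not part of the article. The sample hostnames are constructed, the single-label public-suffix assumption is noted in the code, and the thresholds are illustrative rather than tuned.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample hostnames (not from the article): two readable labels and two
# random-looking labels of the kind a domain generation algorithm produces.
SAMPLE_DOMAINS = [
    "mail.example.com",
    "intranet.administration.net",
    "q7xk3zv9wplm.com",
    "ryfjbxwtqld.net",
]


def registrable_label(domain):
    """Return the label the registrant chose (assumption for this demo: the public
    suffix is a single label; production code would use the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_features(label):
    """Character-level features that separate random labels from dictionary words."""
    chars = [c for c in label if c.isalnum()]
    counts = Counter(chars)
    n = len(chars)
    entropy = -sum(k / n * math.log2(k / n) for k in counts.values()) if n else 0.0
    letters = [c for c in chars if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = longest = 0
    for c in chars:  # digits and vowels both break a consonant run
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return {"entropy": entropy, "vowel_ratio": vowel_ratio, "consonant_run": longest}


def is_dga_like(domain):
    """Flag high-entropy labels with few vowels, or labels with an unpronounceable
    consonant run; thresholds are illustrative, not tuned against real DGA families."""
    f = label_features(registrable_label(domain))
    return (f["entropy"] >= 3.5 and f["vowel_ratio"] < 0.25) or f["consonant_run"] >= 5
```

Scores like these are a triage signal to feed into the DNS-resolution pattern analysis described in the tip above, not a standalone blocklist.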
4. Network/Host Artifacts: A Persistent Threat Indicator
Network and host artifacts—such as registry keys, system configuration files, and file paths—are often used by attackers to maintain persistence on compromised systems. Unlike simple indicators like hashes or IP addresses, these artifacts are harder to change and are often integral to the malware's operation.
Attacker Response:
Modifying network or host artifacts without breaking the functionality of the malware requires significant expertise and effort. As a result, attackers are less likely to frequently change these artifacts compared to other IoCs.
Advanced Defensive Strategy: Centralized Logging and Automated Detection
Expert Tip: Implement host-based detection systems capable of identifying behavioral patterns related to persistence techniques, such as unauthorized privilege escalations or lateral movement within the network.
5. Tools: Disrupting Attackers' Arsenal
Attackers rely on specific tools—such as remote access trojans (RATs), exploit kits, and custom scripts—to carry out their operations. Disrupting or blocking these tools forces attackers to develop or procure new ones, increasing their operational costs and slowing them down.
Attacker Response:
Developing new tools is time-consuming and costly for attackers. While they may switch to modified versions of existing tools, doing so often introduces errors or makes the attack less efficient.
Advanced Defensive Strategy: Tool-Based Intelligence and Behavioral Monitoring
Expert Tip: Focus on detecting the use of tools during specific stages of an attack, such as lateral movement or privilege escalation. By analyzing how these tools interact with the network and the host, defenders can identify attack patterns even when the specific tool variant changes.
6. Tactics, Techniques, and Procedures (TTPs): The Top Layer of the Pyramid
At the top of the Pyramid of Pain are TTPs—overarching behaviors and methodologies used by attackers. Disrupting TTPs inflicts the most operational pain, as it forces attackers to completely rethink their approach.
Attacker Response:
Changing TTPs is extremely challenging for attackers. Altering their core strategies requires significant time, effort, and training, making it highly disruptive.
Advanced Defensive Strategy: TTP-Based Detection Using MITRE ATT&CK
Expert Tip: Continuously update your defense strategies to account for new TTPs as they evolve. Proactively adapting to changes in attacker behavior allows you to stay one step ahead and detect emerging threats before they fully develop.
Implementing the Pyramid of Pain with Infrastructure Intelligence
To fully leverage the Pyramid of Pain, organizations must integrate infrastructure analysis into their security operations, elevating even simple defenses into highly disruptive deterrents for attackers.
1. Build a Comprehensive Threat Intelligence Program
Incorporate infrastructure intelligence—such as BGP AS analysis, IP address tracking, and DNS monitoring—into your threat intelligence feeds. This infrastructure context will help you identify patterns and detect malicious activity early in the attack cycle.
2. Prioritize Infrastructure-Based Defenses
Target the most challenging layers of the Pyramid of Pain by focusing on infrastructure IoCs. Blocking or monitoring entire BGP AS ranges or specific subnets forces attackers to rework their infrastructure, increasing their operational costs and slowing them down.
3. Use Automation to Scale Infrastructure Analysis
Leverage machine learning and automation to analyze large volumes of infrastructure-related data, such as IP addresses and DNS traffic. Automation allows you to scale your defenses and quickly identify new patterns of malicious behavior.
4. Train Your Security Team in Infrastructure-Based Detection
Equip your security team with the tools and training necessary to analyze infrastructure-related IoCs, such as BGP AS intelligence, DNS monitoring, and MITRE ATT&CK-based TTP detection. This knowledge will allow your team to detect threats earlier and respond more effectively.
5. Continuously Adapt and Evolve
Attackers are always evolving, and your defenses must do the same. Regularly update your infrastructure intelligence, refine your detection algorithms, and stay informed of the latest trends in attacker TTPs.
Conclusion
The Pyramid of Pain offers a powerful framework for disrupting attackers at every layer, from hash values to TTPs. By incorporating infrastructure intelligence—such as BGP AS analysis, historical IP tracking, and DNS infrastructure monitoring—defenders can elevate their defenses, making even basic IoCs far more difficult for attackers to bypass.
In today's complex threat landscape, adopting an infrastructure-focused approach to threat intelligence is essential. By understanding and applying the principles of the Pyramid of Pain, organizations can not only detect threats earlier but also force attackers to expend time, effort, and resources, ultimately driving them away.
Comment from an International Aviation Security Consultant, Special Operations Intelligence Expert, National Defense Auditor (2 months ago):
Dear Cornelis, Thank you for sharing. Best Regards / Luis