Hunt What Hurts: The Pyramid of Pain

Source: Active Countermeasures

Author: Faan Rossouw

URL: https://www.activecountermeasures.com/hunt-what-hurts-the-pyramid-of-pain/

ONE SENTENCE SUMMARY:

Threat hunting proactively searches for threats by prioritizing the adversary artifacts that are hardest to change, using models such as the Pyramid of Pain.

MAIN POINTS:

  1. Threat hunting is proactive: it explores large volumes of data without relying on predefined alerts.
  2. Faced with an effectively infinite choice of what to hunt, analysts become paralyzed unless they prioritize clearly.
  3. Reactively hunting for known indicators is ineffective; the focus should be on adversary behaviors.
  4. The Pyramid of Pain ranks adversary artifacts by how difficult they are for the adversary to alter, which makes it a prioritization tool.
  5. Hash values and IP addresses are trivial for adversaries to change, so they offer limited hunting value.
  6. Human hunters excel at recognizing patterns and behaviors that automated detection misses.
  7. Tools and TTPs are significantly harder for adversaries to change.
  8. Analyzing the behavior of tools, rather than their static fingerprints, produces more resilient detection.
  9. Hunting findings should be fed back into automated systems so detection improves continuously.
  10. Prioritizing what is hardest for adversaries to change strengthens defenses against both current and future threats.

TAKEAWAYS:

  1. Use frameworks such as the Pyramid of Pain to hunt strategically.
  2. Focus on behaviors rather than atomic indicators for lasting security improvements.
  3. Integrate human insights into automated systems to strengthen defenses.
  4. Prioritize detecting TTPs, because that disrupts adversaries the most.
  5. Effective threat hunting depends on creative hypothesis generation and an understanding of the environment's context.