Cybersecurity experts have been quick to respond to the details of the LastPass breach in recent months. Opinion pieces have been published both addressing the critical remediation steps for customers and doling out deserved criticism of incident communication. Absent from the public discourse has been a discussion of the indicators that can be gleaned from the various LastPass communications.

In this blog I look to outline the intel in the LastPass communiques and enumerate the attacker indicators while framing the discussion around the Pyramid of Pain. This piece is intended to follow closely the advice given by the author of the Pyramid of Pain, David Bianco: “Whenever you receive new intel on an adversary (whether it be APT1/Comment Crew or any other threat actor), review it carefully against the Pyramid of Pain. For every paragraph, ask yourself ‘Is there anything here I can use to detect the adversary's activity, and where does this fall on the pyramid?’”

The Pyramid of Pain for Cloud Indicators

The Pyramid of Pain is a conceptual model for classifying the effectiveness of detective controls. First described by David Bianco in 2013, the ‘Pain’ refers to the pain a detective control will inflict on the adversary. The further you move up the pyramid, the more pain an attacker will feel adapting to, and necessarily evading, the defender’s detective capabilities. The Pyramid of Pain recognizes that not all indicators of compromise (and therefore detective capabilities) are created equal. Some indicators are trivial for an attacker to modify and evade, while other behaviors are core to their stated goal and cannot be altered so easily.

At the bottom of the pyramid are simple indicators such as IP addresses and hash values. This includes cloud detections based on source IP address or attack tool signature. Defenders might find some creature comfort in deploying detections targeting indicators low on the pyramid; however, they should be aware of the simplicity of evasion.

Crowning the top of the Pyramid of Pain are indicators which are fundamental to how an attacker goes about achieving their goals. These are the tactics, techniques, and procedures (TTPs) which are either tough or impossible for the threat actor to modify. Imagine a detection suite which fingerprints the API calls involved in the transfer of data out of a trusted cloud environment.
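To make the contrast between the bottom and the top of the pyramid concrete, here is an added example (my own code, not part of the original post or anything LastPass published). It runs two detections over a constructed set of CloudTrail-style events: one that matches on a threat-intel IP list, and one that fingerprints the data-transfer API calls themselves (a burst of S3 GetObject calls by one principal against one bucket, and an EBS snapshot being shared with an account outside the organisation). The account IDs, IPs, bucket name and the exact requestParameters layout are assumptions for illustration, not values from the page; the point is that rotating the source IP defeats the first rule and leaves the second untouched.

```python
"""Added example: bottom-of-pyramid (source IP) versus top-of-pyramid (TTP)
detections over constructed CloudTrail-style events. All IDs, IPs and names
are made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_ACCOUNTS = {"111111111111"}   # constructed: the organisation's own AWS account
KNOWN_BAD_IPS = {"203.0.113.7"}       # constructed: one address from a threat-intel feed
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(s):
    return datetime.strptime(s, TS_FMT)


def make_exfil_events(source_ip, start="2023-01-10T10:00:00Z", n_objects=40):
    """Constructed activity: one principal pulls many objects from one bucket,
    then shares an EBS snapshot with an account that is not in the org.
    Field layout approximates CloudTrail; it is an assumption, not a real log."""
    t0 = _ts(start)
    arn = "arn:aws:iam::111111111111:user/svc-backup"   # constructed principal
    events = []
    for i in range(n_objects):
        events.append({
            "eventTime": (t0 + timedelta(seconds=i)).strftime(TS_FMT),
            "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "sourceIPAddress": source_ip, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": "backups-prod", "key": f"db/part-{i:03d}.gz"},
        })
    events.append({
        "eventTime": (t0 + timedelta(seconds=n_objects)).strftime(TS_FMT),
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
        "sourceIPAddress": source_ip, "userIdentity": {"arn": arn},
        "requestParameters": {
            "snapshotId": "snap-0123456789abcdef0",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}},
        },
    })
    return events


def detect_known_bad_ip(events):
    """Bottom of the pyramid: match the source address against a blocklist."""
    return [e for e in events if e["sourceIPAddress"] in KNOWN_BAD_IPS]


def detect_bulk_reads(events, threshold=25, window=timedelta(minutes=5)):
    """TTP level: one principal reading an unusual number of objects from one
    bucket inside a short window, regardless of where the requests came from."""
    reads = defaultdict(list)
    for e in events:
        if e["eventSource"] == "s3.amazonaws.com" and e["eventName"] == "GetObject":
            key = (e["userIdentity"]["arn"], e["requestParameters"]["bucketName"])
            reads[key].append(_ts(e["eventTime"]))
    alerts = []
    for (arn, bucket), times in reads.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append({"rule": "bulk_object_read", "principal": arn,
                               "bucket": bucket, "count": hi - lo + 1})
                break                            # one alert per principal/bucket pair
    return alerts


def detect_external_snapshot_share(events):
    """TTP level: a snapshot granted createVolumePermission to a non-org account."""
    alerts = []
    for e in events:
        if e["eventName"] != "ModifySnapshotAttribute":
            continue
        params = e["requestParameters"]
        for item in params.get("createVolumePermission", {}).get("add", {}).get("items", []):
            uid = item.get("userId")
            if uid and uid not in TRUSTED_ACCOUNTS:
                alerts.append({"rule": "snapshot_shared_externally",
                               "principal": e["userIdentity"]["arn"],
                               "snapshot": params.get("snapshotId"), "account": uid})
    return alerts


def run_detections(events):
    """Return how many events the IP blocklist caught and which TTP alerts fired."""
    return {"known_bad_ip": len(detect_known_bad_ip(events)),
            "ttp": detect_bulk_reads(events) + detect_external_snapshot_share(events)}


if __name__ == "__main__":
    # Same activity twice: first from the listed IP, then from a fresh one.
    for ip in ("203.0.113.7", "198.51.100.9"):
        result = run_detections(make_exfil_events(ip))
        print(ip, "blocklist hits:", result["known_bad_ip"],
              "TTP alerts:", [a["rule"] for a in result["ttp"]])
```

The second run shows the asymmetry the post describes: the blocklist rule drops to zero hits the moment the adversary changes address, while both TTP rules still fire because the API calls that move the data are the thing the adversary cannot give up.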