  1. Threat Hunting Artifacts and Types

Artifacts and types


Last updated 9 months ago

Pyramid of Pain

David Bianco created the Pyramid of Pain to show the different types of indicators that can be used to detect adversary activity.

He also points out how much pain you cause adversaries when you are able to deny them each type of indicator.

The Pyramid of Pain shows that denied indicators become harder for attackers to work around as you move up the pyramid.

Indicators in the Pyramid of Pain

  1. Hash values: SHA1, MD5 or similar hashes that correspond to specific suspicious or malicious files. They provide unique references to specific malware samples or to files involved in an intrusion.

  2. IP addresses: Individual IP addresses, but this tier may also include whole netblocks.

  3. Domain names: A domain name itself, its sub-domains, or even lower-level domains.

  4. Network artifacts: Observable traces of the adversary's network activity. Typical examples include URI patterns, C2 information embedded in network protocols, and distinctive HTTP User-Agent or SMTP Mailer values.

  5. Host artifacts: Observables caused by adversary activity on one or more of your hosts, such as registry keys or values known to be created by specific pieces of malware, or files and directories.

  6. Tools: Software used by attackers to accomplish their mission. This includes utilities designed to create malicious documents for spearphishing, backdoors used to establish C2, password crackers, and other host-based utilities.

  7. Tactics, Techniques and Procedures (TTPs): How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between.
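The seven tiers above, as an added Python example that is not part of the course material: it buckets a constructed indicator feed into Pyramid tiers and ranks the feed so detection work starts at the top, where denial costs the adversary most. The `ua:`, `mailer:` and `tool:` prefixes are an assumed feed convention, not a standard.

```python
"""Bucket a constructed indicator feed into Pyramid of Pain tiers and rank it."""
import ipaddress
import re

# Tiers in the order the Pyramid lists them; index + 1 is the "pain" score (1 = least, 7 = most).
TIERS = ["hash", "ip", "domain", "network_artifact", "host_artifact", "tool", "ttp"]

HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5 / SHA1 / SHA256
DOMAIN = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)              # bare (sub)domain
URL = re.compile(r"^https?://", re.I)                                          # URI pattern with scheme
REG_KEY = re.compile(r"^(?:HKLM|HKCU|HKEY_[A-Z_]+)\\", re.I)                   # Windows registry path
FILE_PATH = re.compile(r"^(?:[A-Z]:\\|/)", re.I)                               # Windows or Unix file path
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")                                # MITRE ATT&CK technique id


def is_ip_or_netblock(value: str) -> bool:
    """True for a single IP or a CIDR netblock (tier 2 covers both)."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def classify(value: str) -> str:
    """Return the Pyramid tier for one indicator, or 'unknown' if it matches nothing."""
    v = value.strip()
    if HEX_HASH.match(v):
        return "hash"
    if is_ip_or_netblock(v):
        return "ip"
    if DOMAIN.match(v):
        return "domain"
    # Protocol-level observables: URLs, User-Agent and Mailer strings (assumed 'ua:' / 'mailer:' prefixes).
    if URL.match(v) or v.lower().startswith(("ua:", "mailer:")):
        return "network_artifact"
    if REG_KEY.match(v) or FILE_PATH.match(v):
        return "host_artifact"
    if v.lower().startswith("tool:"):  # assumed feed convention for named attacker tooling
        return "tool"
    if ATTACK_ID.match(v):
        return "ttp"
    return "unknown"


def pain(tier: str) -> int:
    """Pain score 1..7 per the Pyramid; 0 for anything we could not place."""
    return TIERS.index(tier) + 1 if tier in TIERS else 0


def prioritize(feed):
    """Rank (tier, pain, indicator) tuples so the hunt starts where denial hurts the adversary most."""
    return sorted(((classify(i), pain(classify(i)), i) for i in feed), key=lambda t: -t[1])
```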