Artifacts and types
Last updated
David Bianco created the Pyramid of Pain to show the different types of indicators that might be used to detect adversary activity.
He also points out the pain you would cause adversaries if you were able to deny them each type of indicator.
The Pyramid of Pain shows that denied indicators become more troublesome for attackers to handle the further up the Pyramid you go: a hash is trivial to change, while a TTP is not.
Hash values: SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files. Used to provide unique references to specific samples of malware or to files involved in an intrusion.
IP addresses: As the name suggests, but may also include netblocks.
Domain names: This could be either a domain name itself, sub-domains or even lower-level domains.
Network artifacts: Observable network activity of the adversary. Typical examples include URI patterns, C2 information embedded in network protocols, and distinctive HTTP User-Agent or SMTP Mailer values.
Host artifacts: Observables caused by adversary activity on one or more of your hosts, such as registry keys or values known to be created by specific pieces of malware, or files or directories it drops.
Tools: Software used by attackers to accomplish their mission. This includes utilities designed to create malicious documents for spearphishing, backdoors used to establish C2, password crackers and other host-based utilities.
Tactics, Techniques and Procedures (TTPs): How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and every step in between.
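As an added example (not part of the original page), the following Python places indicators on the levels listed above and orders a mixed set so that detection effort is prioritised by how much pain denying each one causes the adversary. The level names, the shape-based recognition rules and the sample values (TEST-NET addresses, example.net, a placeholder registry value) are assumptions constructed for this illustration; tools and TTPs have no recognisable string shape, so the caller names those explicitly.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# The page's levels, bottom (cheapest for the adversary to change) to top (most painful).
PYRAMID = ["hash", "ip", "domain", "network_artifact", "host_artifact", "tool", "ttp"]
HEX_HASH = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5 / SHA1 / SHA256
DOMAIN = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


class Indicator(NamedTuple):
    kind: str
    value: str
    level: int  # index into PYRAMID; higher means more pain for the adversary when denied


def _is_ip_or_netblock(value: str) -> bool:
    try:
        ipaddress.ip_network(value, strict=False)  # accepts "203.0.113.10" and "198.51.100.0/24"
        return True
    except ValueError:
        return False


def classify(value: str, kind: Optional[str] = None) -> Indicator:
    """Place one indicator on the Pyramid. Hashes, IPs/netblocks, registry keys, domains and
    URI/User-Agent/Mailer patterns are recognised by shape; tools and TTPs need an explicit kind."""
    v = value.strip()
    if kind is None:
        if HEX_HASH.match(v):
            kind = "hash"
        elif _is_ip_or_netblock(v):
            kind = "ip"
        elif v.upper().startswith(("HKLM\\", "HKCU\\", "HKEY_")):
            kind = "host_artifact"
        elif DOMAIN.match(v):
            kind = "domain"
        elif v.startswith("/") or v.lower().startswith(("user-agent:", "x-mailer:")):
            kind = "network_artifact"
        else:
            raise ValueError(f"cannot infer a pyramid level for {v!r}; pass kind=...")
    if kind not in PYRAMID:
        raise ValueError(f"unknown kind {kind!r}; expected one of {PYRAMID}")
    return Indicator(kind, v, PYRAMID.index(kind))


def prioritise(items: List[Tuple[str, Optional[str]]]) -> List[Indicator]:
    """Order indicators top-of-pyramid first: denying a TTP or tool costs the adversary far more
    than denying a hash they can rotate by recompiling."""
    return sorted((classify(v, k) for v, k in items), key=lambda i: i.level, reverse=True)
```

Calling `prioritise` on a constructed list such as `[("d41d8cd98f00b204e9800998ecf8427e", None), ("c2.example.net", None), ("spearphishing attachment", "ttp")]` returns the TTP first, the domain second and the hash last.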