Explain the Pyramid of Pain and how it shapes where you invest detection effort.
Short answer
The Pyramid of Pain ranks indicator types by how costly it is for an attacker to change them once you detect on them. Hashes are trivial to alter (bottom), then IP addresses, domain names, network/host artifacts, tools, and finally TTPs at the top — which an attacker can only change by fundamentally re-tooling their behaviour. Detecting on higher levels causes more 'pain' and is more durable, so mature programs invest detection effort toward behaviours and TTPs rather than just IOCs.
The Pyramid of Pain, introduced by David Bianco, is a model for thinking about which kinds of indicators are worth detecting on. Its core insight: not all indicators are equal, because they differ wildly in how hard they are for an adversary to swap out once you start blocking them.
The levels, bottom to top
- Hash values — trivial. A single byte change produces a new hash; attackers recompile constantly.
- IP addresses — easy. Rotate through hosting providers, VPNs, or proxies in minutes.
- Domain names — slightly harder, but cheap with DGAs and bulk registration.
- Network/host artifacts — annoying. User-agent strings, registry keys, file paths the tooling leaves behind.
- Tools — challenging. Forcing an attacker to find or build a new tool costs real effort.
- TTPs — the apex. Tactics, techniques and procedures reflect how an adversary operates; changing them means relearning their craft.
Why height equals pain
If you block a hash, the attacker rebuilds in seconds and you have accomplished little. If you detect a behaviour — say, credential dumping via LSASS access patterns — they must invent a new way to achieve the same goal, which is expensive and slow. Detection at the top of the pyramid is durable; detection at the bottom is brittle and noisy.
Practical implication
Consume IOC feeds, but do not stop there. Spend your detection-engineering effort writing behaviour- and TTP-based rules mapped to ATT&CK.
Why this matters
Interviewers use this to separate analysts who chase ephemeral IOCs from those who understand that durable detection targets attacker behaviour.
Likely follow-ups
- Why are file hashes considered the weakest indicator to detect on?
- Give an example of a TTP-level detection versus an IOC-level one.
- How does the pyramid change how you consume threat intel feeds?