Sign In
In this module

OD0.3 The Pyramid of Pain — Why Operational Patterns Matter

3 hours · Module 0 · Free
What you already know

You've encountered David Bianco's Pyramid of Pain — hash values at the bottom, TTPs at the top. You know the concept: detecting higher up the pyramid is more valuable because those indicators are harder for attackers to change. This sub operationalizes the pyramid for campaign detection — moving from "I know the concept" to "I use it to prioritize what I build detections for."

Operational Objective

Your threat intelligence feed delivers hundreds of IOCs per week. Your detection rules catch specific hashes, domains, and IP addresses. When the attacker changes infrastructure — which takes hours — your detections are worthless. Meanwhile, the attacker's operational patterns — how they chain techniques, how they time their movements, how they structure their infrastructure — stay consistent across campaigns.

Most detection engineering effort targets the bottom of the pyramid: the indicators the attacker can rotate with minimal effort. Campaign detection targets the top: the operational patterns embedded in tradecraft that persist across infrastructure rotations, tool changes, and campaign restarts. This sub connects the Pyramid of Pain to detection engineering investment and shows you what detection at each level actually looks like in your SIEM.

Learning Objectives

By the end of this sub you will be able to:

  • Classify any detection rule by pyramid level (IOC, technique, or TTP) based on what it matches and what the attacker would need to change to evade it. This matters because most environments run 60–80% IOC-level rules — quantifying the imbalance is the first step toward fixing it.
  • Explain the economic logic behind the pyramid — why each level costs the attacker progressively more to change — using the same framework that Mandiant uses to track threat group persistence across campaigns in their annual M-Trends report. This matters because detection investment should follow attacker economics: spend the most effort on detections that are the most expensive to evade.
  • Write a TTP-level detection rule description that catches a multi-step operational pattern (not an individual technique or indicator) and explain why it survives infrastructure rotation, tool changes, and technique substitution. This matters because TTP-level detection is the capability gap between SOCs that catch individual alerts and SOCs that detect campaigns.
THE PYRAMID OF PAIN — OPERATIONALIZED FOR DETECTION INVESTMENT
TTPs
TOOLS
NETWORK / HOST ARTIFACTS
DOMAIN NAMES
IP ADDRESSES
HASH VALUES
↓ Where most detection effort goes
IOC feeds, hash blocklists, IP denylists
↑ Where detection effort should go
Behavioral rules, campaign correlation
This course teaches detection at the TTP level — the top of the pyramid

Figure OD0.3 — The Pyramid of Pain, operationalized. Most detection effort targets the bottom (hashes, IPs, domains) where the attacker changes indicators in seconds to hours. Campaign detection targets the top (TTPs) where changes take weeks to months — because operational patterns are embedded in tradecraft, not in disposable infrastructure.

The bottom of the pyramid is where IOC feeds live

Most threat intelligence consumption happens at the bottom three levels. The detections are real but disposable.

Your threat intel platform ingests feeds from multiple vendors, extracts IOCs, and pushes them into your SIEM as watchlists, blocklists, or analytics rules. When a hash, IP, or domain from the feed appears in your environment, an alert fires.

This works — for the specific indicators in the feed. The problem is lifespan. A hash value changes when the attacker recompiles the binary with one byte modified. An IP address changes when the attacker spins up a new VPS. A domain changes when the attacker registers a new one through an automated registrar.

The detection effort at the bottom of the pyramid is real but disposable. You're building detections against the most temporary part of the attacker's operation. The moment they rotate infrastructure — which they do routinely — your detections are inert.

The top of the pyramid is where campaigns live

TTPs are expensive to change because they're embedded in tradecraft, not in infrastructure.

TTPs — tactics, techniques, and procedures — are at the top because they're expensive for the attacker to change. Not expensive in money. Expensive in tradecraft development time, operational testing, and capability engineering.

An attacker group that uses AiTM credential phishing as their primary initial access method has invested months in developing their phishing kit, testing it against various security stacks, refining the proxy infrastructure, and training operators. Switching to a fundamentally different initial access method requires a different skill set, different tooling, different infrastructure, and different operational procedures. The switch isn't impossible, but it's expensive in time and effort.

Campaign-level patterns are even more persistent than individual techniques. The sequence in which an attacker chains techniques, the timing between phases, the infrastructure architecture they use, the credential strategies they employ — these are operational habits that persist across campaigns, across infrastructure rotations, and across individual tool changes.

What TTP-level detection looks like in practice

Three examples at three pyramid levels — same attack, different detection durability.

IOC-level detection (bottom): "Alert when any process communicates with IP address 198.51.100.47." This detects one campaign, one infrastructure setup, one time. When the attacker rotates to 198.51.100.48, the detection is dead.

Technique-level detection (middle): "Alert when any process opens a handle to lsass.exe with access rights 0x1010." This detects LSASS credential dumping regardless of the tool used. It survives tool changes. Purple Teaming teaches this level.

TTP-level detection (top): "Alert when the same user identity produces a credential-access event followed by a new authentication from a different source IP within 4 hours, followed by persistence installation on the authenticated system within 2 hours." This detects the credential-harvest → replay → persist campaign pattern regardless of which credential technique, which authentication method, and which persistence mechanism the attacker uses. It survives tool changes, technique changes, and infrastructure rotations.

This course teaches TTP-level detection. Not instead of technique-level detection — on top of it. Your Purple Teaming Sigma rules catch individual techniques. Your campaign correlation rules catch the operational patterns that connect them.

The economics of attacker adaptation

Every level of the pyramid has a cost to the attacker for changing. Your detection investment should follow the economics.

Hash values cost nothing to change. Recompile the binary, change one byte, repack with a different packer. Zero effort. Hash-based detection is necessary (it catches lazy or automated attacks) but insufficient (it catches nothing else).

Infrastructure costs something to change. New domains need registration and aging. New VPS instances need provisioning. New certificates need procurement. But these are commodity operations — most attacker groups automate them. Days to weeks of effort, mostly automated.

Tools cost more. Developing a custom C2 implant takes weeks to months. Switching C2 frameworks requires retraining operators, re-testing payloads, and re-building infrastructure templates. But it happens — especially when a framework becomes heavily signatured.

TTPs cost the most. Changing how you operate — your sequencing, your timing, your decision logic, your credential strategy, your movement patterns — requires fundamentally rethinking your operational workflow. Groups that invest years in refining their tradecraft don't abandon it because a defender wrote a detection rule. They adjust individual techniques but keep the operational pattern.

Your detection engineering investment should follow the economics: spend the most effort on detections that are the most expensive for the attacker to evade.

STEP 1 — Export your rule list
   In Sentinel:
     Go to Microsoft Sentinel → Analytics → Active rules
     Note the total count of enabled rules.

   In Splunk:
     Go to Settings → Searches, reports, and alerts
     Filter to "Enabled" alerts only.

STEP 2 — Sample 30 rules across categories
   If you have more than 100 rules, sample 30 rules spread across
   different rule categories (threat intel match, behavioral,
   anomaly, scheduled query). If fewer than 100, classify all of them.

STEP 3 — Classify each rule
   For each rule, read the detection logic and assign one level:

   IOC — The rule matches a specific hash, IP, domain, or URL.
         Test: "Would this rule still fire if the attacker changed
         all their infrastructure?" If NO → IOC level.

   TECHNIQUE — The rule matches a behavioral pattern: process
         relationships, command-line arguments, registry modifications,
         file operations. Test: "Would this rule fire regardless of
         which tool the attacker used?" If YES → technique level.

   TTP — The rule correlates multiple events across systems or time
         windows to detect an operational pattern. Test: "Does this
         rule require events from 2+ log sources or a time-window
         correlation?" If YES → TTP level.

STEP 4 — Calculate the distribution
   Count rules at each level. Calculate percentages.
   Typical finding: 60-80% IOC, 15-30% technique, 0-5% TTP.

STEP 5 — Document the gap
   Write one sentence: "Our detection portfolio is [X]% IOC-level,
   [Y]% technique-level, [Z]% TTP-level. The campaign detection gap
   is [100-Z]% of our rules provide no campaign-level visibility."

Hands-on Exercise — Classify Your Detection Rules by Pyramid Level

Objective: Quantify your detection portfolio's distribution across pyramid levels and identify the campaign detection gap.

Prerequisites: Access to your SIEM analytics rules. In Sentinel, this is Settings → Analytics → Active rules. In Splunk, this is Settings → Searches, reports, and alerts. You need the rule name, detection logic or description, and last-modified date.

Success criteria: You've classified at least 30 rules, calculated the distribution, and documented the campaign detection gap as a percentage.

Challenge: For your top 3 confirmed incidents from the last year, check whether any existing TTP-level rule would have detected the campaign pattern (not just the individual techniques). If the answer is "no" for all three, you've identified three campaign-correlation rules to write — and this course teaches you how.

Next
OD0.4 — What This Course Teaches and What It Doesn't. You've established the problem (alert-to-campaign gap), the cognitive difference (defensive vs offensive thinking), and the prioritization framework (pyramid of pain). OD0.4 scopes the course: what you'll learn, what's explicitly out of scope, and how the offense/defense sub structure works.
Operational Artifact — Detection Investment Prioritization Framework

Use this framework when allocating detection engineering time. It doesn't replace IOC-level or technique-level detections — it ensures they're supplemented with campaign-level detections where the return on investment is highest.

IOC-level (automate, don't engineer). IOC matching should be fully automated via threat intel feed integration. Don't spend engineering time writing IOC rules manually — let the feed platform handle it. Engineering effort: zero beyond initial feed integration. Review feed staleness quarterly.

Technique-level (build the foundation). Every ATT&CK technique relevant to your environment should have at least one behavioral detection rule. This is the Purple Teaming course's output. Engineering effort: moderate (write once, tune periodically). Target: one rule per technique in your top-20 ATT&CK techniques.

TTP-level (the campaign investment). For every confirmed incident and every threat intelligence report describing a campaign targeting your industry, extract the operational pattern and build a correlation rule. Engineering effort: high (requires understanding the offensive logic) but the detection persists across campaigns. Target: 3–5 campaign-correlation rules per quarter, each covering a documented campaign pattern.

Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. Explain the economic logic behind the Pyramid of Pain — why each level costs the attacker progressively more to change — with a concrete example at each level. (§ The economics of attacker adaptation)
2. Write a one-sentence description of a TTP-level detection rule that catches an operational pattern and explain why it survives infrastructure rotation. (§ What TTP-level detection looks like in practice)
3. Classify a detection rule as IOC-level, technique-level, or TTP-level based on what it matches and what the attacker would need to change to evade it. (§ Hands-on Exercise)
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of offensive-security-for-defenders

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.

View Pricing See Full Syllabus
← Previous Next →