TTPs & the Pyramid of Pain

Detect behavior, not disposable indicators.

Advanced30 min · lesson 8 of 15

What you choose to detect matters as much as how. Detecting durable adversary behavior (TTPs) rather than disposable indicators (hashes, IPs) is what makes detection resilient — and the Pyramid of Pain explains exactly why.

The Pyramid of Pain

The Pyramid of Pain ranks indicators by how much it hurts an attacker when you detect on them. At the bottom, hash values and IP addresses are trivial to change — a recompile or a new server defeats them, so detections keyed to them are brittle and short-lived. Higher up, domain names and network artifacts cost the attacker more. At the top sit TTPs — tactics, techniques, and procedures — the actual behaviors of an intrusion. Detecting a technique (say, "credentials read from process memory" or "a new admin role bound in the cluster") forces the attacker to fundamentally change how they operate, which is expensive and slow. That is where you want your detections to live.

IOC-based vs TTP-based detection
# BRITTLE (bottom of the pyramid): keyed to a disposable indicator.
# detect: file_hash == "a3f0c7e1..." ← attacker recompiles → defeated
# detect: dst_ip == "203.0.113.5" ← attacker moves server → defeated
#
# DURABLE (top of the pyramid): keyed to the behavior/technique.
# detect: process reads another process's memory (credential dumping)
# detect: a new ClusterRoleBinding grants cluster-admin (K8s persistence)
# → the attacker must change HOW they operate, not just an artifact.

Map to ATT&CK, measure coverage

MITRE ATT&CK is the catalog of those techniques, and mapping your detections to it turns "are we secure?" into a measurable coverage question: for each technique relevant to your environment, can you detect it? The gaps become a prioritized backlog — and a natural source of hunting hypotheses. This behavior-first, ATT&CK-mapped approach produces detections that survive the attacker changing their tools, and gives leadership a real picture of coverage rather than a rule count. Combine it with behavioral analytics (next lesson) to catch technique variants a signature might miss.

Detect behavior, not artifacts
brittle (easy to change)
hashes, IPs
defeated by recompile / new server
domains, network artifacts
somewhat costlier
durable (hard to change)
TTPs
the technique itself — expensive to change
ATT&CK-mapped coverage
measure and close gaps
Detections on behavior survive the attacker swapping tools. Map to ATT&CK to see, and close, coverage gaps.
Hash/IP detections expire the moment the attacker changes anything
Indicator-based detections are useful for known-bad blocking but decay instantly — a new hash or IP evades them. Do not build your coverage on the bottom of the pyramid; invest in behavior/technique detections that force the attacker to change how they operate, not just what they use.