URL: https://www.sentinelone.com/blog/revisiting-the-pyramid-of-pain-leveraging-edr-data-to-improve-cyber-threat-intelligence/
LEVERAGING EDR DATA TO IMPROVE CYBER THREAT INTELLIGENCE

September 21, 2020
by Yotam Gutman

Producing and consuming actionable Cyber Threat Intelligence is a large part of
a security analyst’s daily work, but threat intelligence comes in many forms. As
most experienced analysts know, some forms of threat intel are more useful than
others, but that usefulness tends to be inversely proportional to availability.
File hashes and IP addresses for the latest campaigns are usually the first to
be shared among security researchers, but they are also rapidly changed by
attackers, limiting their utility. This relationship between availability and
usefulness was nicely illustrated by David J Bianco’s Pyramid of Pain. The
general points of the Pyramid still hold true, but security solutions have not
stood still in the intervening years, and with the right technology to hand,
producing and consuming high-value indicators like TTPs can be a whole lot
easier than it once was. Let’s see how.




REVISITING THE PYRAMID OF PAIN

Let’s recall how Bianco’s Pyramid of Pain works. The ‘pain’ here is supposed to
be the pain felt by attackers once a particular kind of indicator for their
attack becomes known. However, as we’ll see, the pyramid also describes parallel
difficulties for defenders in terms of availability of each class of indicator.

At the base, or widest part, of the pyramid, we have file hashes – the kind of
IoCs that we are all used to dealing with on a daily basis. These are easy to
acquire and widely shared, so availability of these is typically good. The
problem, though, is that it is also relatively painless for attackers to change
a file’s hash; indeed, much modern malware even does this “autonomously” –
so-called polymorphic malware – and it’s comparatively easy to write malicious
software that creates copies of itself with a different file hash each time.
Thus, as the pyramid graphic suggests, discovery of particular malicious file
hashes causes the attacker virtually no pain at all in terms of adapting to and
evading solutions that rely on detecting file hashes.

[Figure: Bianco’s Pyramid of Pain graphic (source link)]

Much the same can be said of IP addresses and even domain names, which nowadays
can be changed even more easily and rapidly than back in 2013 when Bianco first
developed the Pyramid of Pain concept.

Network and Host artifacts – distinguishing characteristics of network traffic
or host activity – increase the pain for attackers somewhat once these become
known. Defenders can use technologies such as Suricata rules and Snort to
identify known malicious network traffic, and tools like Yara rules and
ProcFilter can similarly match malicious patterns in files and processes
executing on a device.

For attackers, getting around these kinds of “signatures” involves some work
(aka ‘pain’). First, they have to determine what pattern matching rule or rules
are being used; since different security solutions may employ different or
multiple rules, that in itself can be a difficult process. Second, once the
attackers have determined how they’re being detected, they need to refactor
their code in order to avoid the patterns used in the signatures.

Despite that, the pain isn’t that great if you’re a full-time threat actor
outfit – it’s just part of the job. A good example of malware that continuously
iterates in this way is the script-based Shlayer and ZShlayer malware that
targets macOS. Part of the attraction of using scripts, from the malware
authors’ point of view, is it’s much easier and much faster to iterate with
shell scripts than compiled binaries. Scripting allows far more flexibility in
achieving malware objectives than a lot of compiled programming languages, and
many binary scanning engines don’t know how to handle scripts anyway, which can
also be executed in memory with relative ease.

Things get tougher for threat actors when defenders have a good handle on what
particular tools are being used to attack them – these can range from
custom-made frameworks to publicly available and open-source toolkits. Switching
out one tool – or more likely, set of tools – for another increases the burden
on cyber threat actors because it is not always easy to find or introduce tools
into a victim’s environment that have the desired capabilities.

For example, if the threat actor is making heavy use of LOLBins like PowerShell
and CertUtil, or relying on publicly-available tools like Cobalt Strike or
Mimikatz, it may be a very tough challenge to obtain the same functionality with
different tools.

Finally, TTPs, which we’ll discuss in more detail in the next section, cause the
greatest pain for threat actors because they home in on the attacker’s actual
objectives and seek to block the behaviour that attempts to execute those
objectives.


INTELLIGENT TOOLS THAT PRODUCE ACTIONABLE INTELLIGENCE

From the above discussion, it should be clear that, from a defender’s point of
view, developing awareness of attackers’ tools and TTPs (Tactics, Techniques,
and Procedures) – those which cause the threat actor the most pain – is where we
should focus our efforts for the most gain. The problem is that Bianco’s Pyramid
of Pain also paints a picture of just how easy to come by each of those threat
intelligence indicators typically is for most enterprises: easy at the bottom,
tough at the top.

File hashes are widely available in most threat intel reports but are
time-consuming to digest and have a short shelf life. At the other end of the
scale, TTPs return the most value, but they are not so widely known or
distributed.

However, initiatives like MITRE ATT&CK have added a new dimension to cyber
threat intelligence, and security tools with features like SentinelOne’s Rapid
Threat Hunting put new-found power into the analyst’s hands.



In the image above, we can see how the SentinelOne Threat Center displays all
the behavioral indicators associated with a particular detection, with links to
MITRE ATT&CK TTPs, for the analyst’s convenience.

Similarly, suppose you have seen a new threat intelligence report indicating a
particular TTP. You could immediately search your entire fleet for any process
or event with behavioral characteristics that match that TTP simply by entering
the MITRE ID in the SentinelOne console’s Deep Visibility query box.



Focusing on TTPs in particular gives you a great advantage when defining
rulesets or watchlists for added protection. For example, you can automate hunts
using particular behavioral indicators that belong to known attacks seen in your
own environment or in the environment of others. Since Bianco published the
influential Pyramid of Pain concept, many threat intelligence researchers,
including SentinelOne’s own SentinelLabs, include MITRE ATT&CK TTPs at the end
of their reports along with other IoCs. With the right tools to hand, you can
easily consume this kind of threat intel directly into your solution for both
automated detection and rapid threat hunting.
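To make the hash-versus-TTP contrast concrete, here is an added example (not code from the SentinelOne post or platform): a hash IoC list and two behavioural rules keyed to MITRE ATT&CK technique IDs are run over constructed EDR-style process events, showing that a repacked dropper with a new hash slips past the IoC match but its PowerShell and CertUtil behaviour is still caught. The event schema, hosts, file contents and rule patterns are all constructed for the demo; only the technique IDs T1140 and T1059.001 are real ATT&CK identifiers.

```python
"""Hash IoC matching (bottom of the Pyramid of Pain) versus behavioural
TTP rules (top of the pyramid) over constructed EDR process events."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record; a constructed schema, not a real EDR one."""
    event_id: int
    host: str
    parent_image: str
    image: str
    cmdline: str
    file_bytes: bytes  # content of the executed file, hashed on demand

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.file_bytes).hexdigest()


@dataclass
class TtpRule:
    """A behavioural rule mapped to a MITRE ATT&CK technique ID."""
    technique_id: str
    name: str
    image_re: str
    cmdline_re: str

    def matches(self, ev: ProcessEvent) -> bool:
        return bool(re.search(self.image_re, ev.image, re.I)
                    and re.search(self.cmdline_re, ev.cmdline, re.I))


# Constructed fleet telemetry: ws01 ran build 1 of a dropper, ws02 ran a
# repacked build 2 (same behaviour, different hash), ws03 is benign admin use.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CU_IMAGE = r"C:\Windows\System32\certutil.exe"
EVENTS = [
    ProcessEvent(1, "ws01", "outlook.exe", r"C:\Users\a\Downloads\invoice.exe",
                 "invoice.exe", b"MZ-dropper-build-1"),
    ProcessEvent(2, "ws02", "outlook.exe", r"C:\Users\b\Downloads\invoice.exe",
                 "invoice.exe", b"MZ-dropper-build-2"),
    ProcessEvent(3, "ws01", "invoice.exe", CU_IMAGE,
                 "certutil.exe -decode stage.txt stage.exe", b"<certutil>"),
    ProcessEvent(4, "ws02", "invoice.exe", PS_IMAGE,
                 "powershell.exe -NoProfile -EncodedCommand QUJDREVGR0hJSktM",
                 b"<powershell>"),
    ProcessEvent(5, "ws03", "explorer.exe", CU_IMAGE,
                 "certutil.exe -verify cert.cer", b"<certutil>"),
]

# Threat-intel feed knows only build 1 of the dropper (constructed hash set).
IOC_HASHES = {hashlib.sha256(b"MZ-dropper-build-1").hexdigest()}

# Behavioural rules: what the attacker does, independent of the file hash.
RULES = [
    TtpRule("T1140", "certutil used to decode a staged payload",
            r"certutil\.exe$", r"\s-decode\b"),
    TtpRule("T1059.001", "PowerShell launched with an encoded command",
            r"powershell\.exe$", r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{8,}"),
]


def match_hashes(events, ioc_hashes):
    """Event IDs whose executed file hash is on the IoC list."""
    return [ev.event_id for ev in events if ev.sha256 in ioc_hashes]


def match_ttps(events, rules):
    """(event_id, technique_id) pairs for events matching a behavioural rule."""
    return [(ev.event_id, r.technique_id)
            for ev in events for r in rules if r.matches(ev)]


def hosts_flagged(events, ioc_hashes, rules):
    """Hosts surfaced by hash IoCs alone versus by hash IoCs plus TTP rules."""
    by_id = {ev.event_id: ev for ev in events}
    hash_hosts = {by_id[i].host for i in match_hashes(events, ioc_hashes)}
    ttp_hosts = {by_id[i].host for i, _ in match_ttps(events, rules)}
    return hash_hosts, hash_hosts | ttp_hosts


if __name__ == "__main__":
    print("hash IoC hits:", match_hashes(EVENTS, IOC_HASHES))   # only build 1
    print("TTP hits:", match_ttps(EVENTS, RULES))               # ws01 and ws02
    print("hosts (hash only, hash+TTP):", hosts_flagged(EVENTS, IOC_HASHES, RULES))
```

The repacked build on ws02 never appears in the hash results, yet the same two rules flag it on behaviour, which is the asymmetry the Pyramid of Pain describes.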



CONCLUSION

Utilizing detailed, actionable and effective intelligence is key to thwarting
cyber attacks. File hashes, IP addresses and domain names have increasingly
limited use as both attackers and malware have evolved to produce campaigns in
which these traditional IoCs are rapidly disposed. However, by focusing on
indicators that are difficult for attackers to change with technology that can
both consume and produce these much sought after indicators, we can increase the
cost of business for attackers while improving our ability to detect and defeat
the cyber menace.

If you would like to learn more about how SentinelOne’s Singularity platform can
help improve your threat intelligence and protect your business, contact us
today or request a free demo.

--------------------------------------------------------------------------------

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see
the content we post.


READ MORE ABOUT CYBER SECURITY

 * 5 Ways Security Leaders Can Tackle the CyberSecurity Skills Shortage Now
 * Inside the Mind of a Cyber Attacker | Tactics, Techniques, and Procedures
   (TTPs) Every Security Practitioner Should Know
 * Power for the People | Cyber Threats in the Energy Sector and How To Defend
   Against Them
 * Defending Cloud-Based Workloads: A Guide to Kubernetes Security
 * Why Governments and Agencies Are Targeted by Cyber Attacks | A Deep Dive into
   the Motives
 * Navigating the CISO Reporting Structure | Best Practices for Empowering
   Security Leaders


READ MORE

Get a demo

Defeat every attack, at every stage of the threat lifecycle with SentinelOne

Book a demo and see the world’s most advanced cybersecurity platform in action.

Get Demo

SentinelLabs

SentinelLabs: Threat Intel & Malware Analysis

We are hunters, reversers, exploit developers, & tinkerers shedding light on the
vast world of malware, exploits, APTs, & cybercrime across all platforms.

VISIT SITE

Wizard Spider and Sandworm

MITRE Engenuity ATT&CK Evaluation Results

SentinelOne leads in the latest Evaluation with 100% prevention. Leading
analytic coverage. Leading visibility. Zero detection delays.

SEE RESULTS


LISTEN TO THIS POST



Table of Contents
Revisiting the Pyramid of Pain
 * Revisiting the Pyramid of Pain
 * Intelligent Tools That Produce Actionable Intelligence
 * Conclusion
©2023 SentinelOne, All Rights Reserved.