IOCs vs. TTPs: The Pyramid of Pain
In Cyber Threat Intelligence, not all data is created equal. Distinguishing between simple Indicators of Compromise (IOCs) and complex Tactics, Techniques, and Procedures (TTPs) is essential for a mature defense.
To visualize the value of these indicators, David Bianco introduced the Pyramid of Pain. The pyramid illustrates the relationship between the type of indicator you detect and the amount of "pain" it causes the adversary when you deny it.
Levels of the Pyramid (From Bottom to Top)
1. Hash Values (Trivial)
- Definition: MD5, SHA1, or SHA256 hashes of specific malware files.
- Pain to Adversary: Trivial. Attackers can change a file hash by modifying a single bit of the code.
2. IP Addresses (Easy)
- Definition: The IPv4 or IPv6 address used for Command and Control (C2).
- Pain to Adversary: Easy. Attackers can proxy traffic or rent new IPs in seconds using automated cloud services.
3. Domain Names (Simple)
- Definition: The domain name used by the attacker's infrastructure (e.g., malicious-site.com).
- Pain to Adversary: Simple. Attackers often use Domain Generation Algorithms (DGAs) to produce thousands of candidate domains automatically, so blocking any one of them costs them little.
4. Network & Host Artifacts (Annoying)
- Definition: User-agent strings, specific registry keys, or file paths created by the malware.
- Pain to Adversary: Annoying. The attacker must rewrite parts of their code to stop leaving these traces.
5. Tools (Challenging)
- Definition: Software used by the attacker, such as Cobalt Strike, Mimikatz, or custom remote access trojans (RATs).
- Pain to Adversary: Challenging. If defenders can detect the tool itself, the attacker must develop or acquire a new toolset, which requires significant time and money.
6. TTPs (Tough)
- Definition: Tactics, Techniques, and Procedures. This describes the behavior of the attacker (e.g., "Pass-the-Hash" or "Spearphishing").
- Pain to Adversary: Tough. Detecting TTPs forces the adversary to learn new behaviors and fundamentally change how they operate. This is the goal of Operational Intelligence.
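To make the pyramid concrete, the following added example (not code from the original article) shows three things in one run: how an atomic IOC string is classified into the hash, IP, or domain level; why a hash indicator is trivial to evade (flipping one bit yields a different SHA256); and how detection rules written at the hash, artifact, and TTP levels behave when the same constructed "office document spawns a dropped executable" event is replayed after the attacker recompiles and renames the payload. Every event, path, hash, and rule name below is constructed for illustration and is an assumption of this example, not real threat data.

```python
"""Added example (not from the original article): scoring detections by
Pyramid of Pain level. All events, hashes, paths and rule names below are
constructed for illustration and are assumptions of this example."""
import hashlib
import ipaddress
import re

# Pyramid levels, bottom (1) to top (6), in the order the text lists them.
LEVELS = {1: "Hash Value", 2: "IP Address", 3: "Domain Name",
          4: "Network/Host Artifact", 5: "Tool", 6: "TTP"}

# --- Part 1: classify atomic IOC strings into the bottom three levels -------
_HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5/SHA1/SHA256
_DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")

def classify_indicator(value):
    """Return 1 (hash), 2 (IP) or 3 (domain) for an atomic IOC string, else None."""
    v = value.strip().lower()
    if _HASH_RE.fullmatch(v):
        return 1
    try:
        ipaddress.ip_address(v)
        return 2
    except ValueError:
        pass
    if _DOMAIN_RE.fullmatch(v):
        return 3
    return None

# --- Part 2: why a hash IOC is "trivial" to evade: one flipped bit ----------
def sha256_before_and_after_bit_flip(data):
    """Flip the lowest bit of the first byte; return (original, modified) hex digests."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return hashlib.sha256(data).hexdigest(), hashlib.sha256(flipped).hexdigest()

# --- Part 3: rules at three levels, run over constructed process events ------
SAMPLE_BINARY = b"constructed sample bytes, not real malware"   # stand-in for a malware file
KNOWN_BAD_SHA256 = hashlib.sha256(SAMPLE_BINARY).hexdigest()    # the level-1 IOC
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _under_user_writable_dir(path):
    """Heuristic: anything outside the Windows/Program Files trees is user-writable."""
    return not path.lower().startswith(SYSTEM_DIRS)

RULES = [
    # (pyramid level, rule name, predicate over one process-creation event)
    (1, "known-bad-sha256", lambda e: e["sha256"] == KNOWN_BAD_SHA256),
    (4, "dropper-path-artifact",
     lambda e: e["path"].lower().endswith("\\appdata\\roaming\\updater.exe")),
    (6, "office-app-spawns-from-user-dir",
     lambda e: e["parent"].lower() in OFFICE_APPS and _under_user_writable_dir(e["path"])),
]

def evaluate(event):
    """Return [(level, rule_name), ...] for every matching rule, top of the pyramid first."""
    hits = [(lvl, name) for lvl, name, pred in RULES if pred(event)]
    return sorted(hits, reverse=True)

def pain_level(event):
    """Highest pyramid level among the matched rules, or 0 if nothing matched."""
    hits = evaluate(event)
    return hits[0][0] if hits else 0

# Constructed events: the original sample, a recompiled and renamed copy, and a benign launch.
EVENTS = {
    "original": {"parent": "WINWORD.EXE", "image": "updater.exe",
                 "path": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
                 "sha256": KNOWN_BAD_SHA256},
    "recompiled": {"parent": "WINWORD.EXE", "image": "svc.exe",
                   "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
                   "sha256": sha256_before_and_after_bit_flip(SAMPLE_BINARY)[1]},
    "benign": {"parent": "explorer.exe", "image": "chrome.exe",
               "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
               "sha256": hashlib.sha256(b"constructed benign bytes").hexdigest()},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        lvl = pain_level(ev)
        print(f"{name:11s} -> pain level {lvl} ({LEVELS.get(lvl, 'none')}), hits={evaluate(ev)}")
```

Running it shows the pyramid's point in one screen: the original event trips all three rules, but after the attacker changes a single bit and picks a new file name, only the level-6 behavioural rule (an Office application launching a binary from a user-writable directory) still fires, while the benign browser launch trips nothing. The hash and path rules are not useless, they are simply cheap for the adversary to invalidate; the behavioural rule survives because changing it means changing how the intrusion works.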
Key Takeaway: While blocking IPs is necessary for immediate defense, a mature CTI program focuses on hunting TTPs mapped to the MITRE ATT&CK Framework.