Most SOCs can block hashes and IPs. A behaviour-first approach, mapped through ATT&CK, is where resilience starts to compound.
IOCamel sez "Climb the Pyramid. I hear the view is threatening."
When a security operations centre detects suspicious activity at 5 AM, responders are forced to make rapid decisions under imperfect information. Logs may reveal a suspicious executable, an external IP address, and anomalous network traffic patterns. Blocking those indicators may stop the immediate activity, but such actions raise a deeper question: are defenders merely suppressing symptoms, or are they meaningfully disrupting an adversary's operation? The answer determines whether the organisation gains lasting defensive value or delays the next intrusion attempt. This distinction lies at the core of modern cyber threat intelligence.
One of the most influential shifts in cybersecurity thinking over the past decade has been the movement away from purely indicator-driven defence toward behaviour-focused analysis. Central to this evolution is the MITRE ATT&CK Framework. Developed by MITRE Corporation, a nonprofit research organisation, ATT&CK—short for Adversarial Tactics, Techniques, and Common Knowledge—was introduced in 2013 to systematically document how adversaries behave after gaining access to an environment. Rather than cataloguing malware signatures or static indicators, the framework models the actions attackers take as they pursue their objectives inside compromised systems.
The ATT&CK Framework organises adversary behaviour into a matrix that represents the lifecycle of an intrusion. At the highest level are tactics, which describe the goals an adversary seeks to accomplish at each stage of an operation. These include objectives such as initial access, execution, persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. Each tactic encompasses multiple techniques that describe the methods adversaries use to achieve those goals. Many techniques are further divided into sub-techniques to capture implementation variations that matter for detection and analysis.
A defining strength of ATT&CK is its grounding in real-world observations. Techniques are documented based on evidence from incident response investigations, malware reverse engineering, threat intelligence reporting, and security research. Each technique entry references known threat groups that have employed it, tools or malware families associated with it, and known detection or mitigation strategies. This evidence-driven approach allows security teams to reason about threats that have been observed in practice rather than hypothetical attack scenarios.
The framework is not monolithic. It exists as several matrices tailored to different environments. The Enterprise matrix covers common enterprise platforms, including Windows, macOS, Linux, and cloud environments. The Mobile matrix focuses on threats targeting Android and iOS ecosystems. The Industrial Control Systems matrix addresses operational technology environments in which availability and safety considerations differ substantially from those in traditional IT networks. This separation reflects the reality that adversaries adapt their techniques based on platform constraints, defensive controls, and mission objectives.
ATT&CK has become a shared language across the cybersecurity community. Security operations teams use it to assess detection coverage and identify blind spots in telemetry and alerting. Threat intelligence analysts rely on ATT&CK terminology to describe adversary behaviour consistently across reports. Red teams and penetration testers use the framework to design realistic attack scenarios that emulate known threat actors. Security vendors map product capabilities to ATT&CK techniques to communicate coverage and value. As a result, ATT&CK enables structured comparison, collaboration, and prioritisation across organisations and roles.
Understanding ATT&CK requires a clear grasp of the concepts of Tactics, Techniques, and Procedures (TTPs). These three layers represent different levels of abstraction for describing adversary behaviour, and each plays a distinct role in threat intelligence and defence.
Tactics occupy the highest level of abstraction and describe the purpose behind an adversary's actions. They answer the question of why an attacker performs a particular action at a given point in an operation. For example, an adversary may seek persistence to survive system reboots, escalate privileges to gain administrative control, or move laterally to reach sensitive systems. Tactics are relatively stable over time because adversary objectives change slowly, if at all. In ATT&CK, tactics form the columns of the matrix and collectively represent the stages of an attack lifecycle.
Techniques sit below tactics and describe how adversaries achieve their tactical objectives. They answer the question of what the adversary does to accomplish a goal. Under the persistence tactic, for example, techniques include creating scheduled tasks, modifying startup registry keys, installing services, or abusing legitimate system features. Multiple methods may fulfil the same tactic, giving adversaries flexibility to adapt based on environmental constraints and defensive controls. Techniques are more detailed than tactics but remain general enough to apply across different tools and campaigns.
Procedures represent the most concrete layer of TTPs. They describe the specific implementation details of a technique as used by a particular threat actor, malware family, or campaign. Procedures capture details such as command syntax, file names, registry paths, scheduled task names, network parameters, and operational timing. Because procedures reflect exact implementation choices, they change frequently. Attackers can modify procedures with minimal effort to evade detections that rely on static patterns.
This hierarchy has important defensive implications. Because tactics reflect enduring goals, they are the hardest for attackers to change. Techniques change less frequently than procedures but still evolve over time as new methods are developed or older ones become less effective. Procedures are the most volatile layer, making them a weak foundation for durable detection strategies when used in isolation.
The Pyramid of Pain, introduced by security researcher David Bianco, provides a complementary model for understanding which types of detections impose the greatest cost on adversaries. The pyramid organises indicators and behaviours into layers based on how difficult it is for attackers to change them. As defenders move up the pyramid, the operational burden placed on adversaries increases significantly.
At the base of the pyramid are hash values. Cryptographic hashes uniquely identify specific files, making them precise indicators for identifying known malware samples. However, hashes are trivial for attackers to evade. Minor changes to a binary, recompilation, or simple obfuscation techniques completely alter a file's hash. As a result, hash-based detection provides limited long-term value against adaptive adversaries.
Above hashes sit IP addresses. Blocking malicious IPs forces attackers to shift infrastructure, which introduces some friction. However, the widespread availability of cloud services, compromised hosts, and disposable virtual machines means attackers can often rotate IP addresses quickly. While IP-based controls are helpful for immediate containment, they rarely impose lasting disruption.
Domain names occupy the next layer of the pyramid. Domains require registration, incur costs, and leave records with registrars, making them more burdensome to replace than individual IP addresses. Some adversaries invest time in building domain reputation or maintaining long-lived command-and-control infrastructure. Losing domains can therefore have a greater operational impact, particularly when detection relies on behavioural patterns rather than static blocklists.
The middle layers of the pyramid consist of network and host artefacts. These include registry modifications, file system paths, service names, mutexes, user-agent strings, and characteristic network traffic patterns. Artefacts often arise from how malware is designed to function. Changing them may require code changes, testing, and retooling, thereby increasing the effort needed to evade. Detection based on artefacts begins to shift the burden meaningfully onto the attacker.
Above artefacts sit tools. When defenders detect and disrupt the tools adversaries use, whether custom malware, modified open-source utilities, or dual-use administrative tools, the cost to attackers increases substantially. Tool development, customisation, and operational testing represent significant investments. Forcing attackers to abandon tools can delay campaigns and reduce operational effectiveness.
At the top of the pyramid are Tactics, Techniques, and Procedures. Detection at this level focuses on recognising behaviours and methods regardless of the specific tools or infrastructure used. When defenders reliably detect techniques such as credential dumping, lateral movement via remote services, or the abuse of authentication protocols, attackers are forced to alter their operations rather than simply swapping indicators. Such changes may require new skills, new tooling, or fundamentally different operational approaches. This level also involves understanding what the attacker ultimately seeks to achieve, whether data theft, espionage, financial gain, or operational disruption, and denying those outcomes.
Achieving this level of impact often requires combining technical controls with intelligence analysis, organisational resilience, and sometimes legal or diplomatic actions.
The relationship between the Pyramid of Pain and the ATT&CK Framework is direct. ATT&CK's emphasis on adversary behaviour aligns with the upper layers of the pyramid, where defensive actions impose the greatest cost. By mapping detections and mitigations to ATT&CK techniques, organisations can intentionally design defences that target behaviours rather than brittle indicators.
This behavioural focus reflects the maturation of cybersecurity defence. Traditional security models relied heavily on signature-based controls such as antivirus databases and static blocklists. While these controls remain useful as part of defence in depth, they are insufficient on their own against modern adversaries. Attackers routinely modify malware, rotate infrastructure, and adapt procedures to evade static detections. Behavioural detection, by contrast, remains effective across these changes because it targets the underlying methods required to achieve adversary goals.
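The pyramid's bottom-versus-top argument, as an added example that is not part of the original post: two constructed endpoint events from the same intrusion, the second after the attacker has recompiled the implant and rotated infrastructure. Hash and IP blocklists built from the first wave miss the second; a rule keyed on the behaviour (scheduled-task persistence launched from a user-writable directory, ATT&CK T1053.005) still fires. Paths, hashes and addresses are all constructed.

```python
# Added example (not from the original post): indicator rules vs a behaviour rule
# across two waves of the same intrusion.
import hashlib
import ipaddress
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str     # path of the executing binary
    sha256: str    # hash of that binary
    cmdline: str   # command line as recorded by the endpoint sensor
    dest_ip: str   # first outbound connection after launch

def fake_sha256(label: str) -> str:
    """Constructed hash standing in for a real sample's digest."""
    return hashlib.sha256(label.encode()).hexdigest()

FIRST_WAVE = ProcessEvent(
    image=r"C:\Users\alice\AppData\Local\Temp\update.exe",
    sha256=fake_sha256("implant build 1"),
    cmdline=r'schtasks /create /sc onlogon /tn "Updater" /tr C:\Users\alice\AppData\Local\Temp\update.exe',
    dest_ip="203.0.113.10",
)
SECOND_WAVE = ProcessEvent(
    image=r"C:\Users\bob\AppData\Local\Temp\svc.exe",
    sha256=fake_sha256("implant build 2"),  # recompiled: hash changed
    cmdline=r'schtasks /create /sc onlogon /tn "SvcHealth" /tr C:\Users\bob\AppData\Local\Temp\svc.exe',
    dest_ip="198.51.100.7",                 # infrastructure rotated: IP changed
)

# Bottom-of-pyramid controls, derived only from what the first wave revealed.
HASH_BLOCKLIST = {FIRST_WAVE.sha256}
IP_BLOCKLIST = {ipaddress.ip_address(FIRST_WAVE.dest_ip)}

def hash_rule(ev: ProcessEvent) -> bool:
    return ev.sha256 in HASH_BLOCKLIST

def ip_rule(ev: ProcessEvent) -> bool:
    return ipaddress.ip_address(ev.dest_ip) in IP_BLOCKLIST

# Top-of-pyramid rule: a scheduled task is created whose action runs from a
# user-writable location. Independent of the binary's hash and the C2 address.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

def behaviour_rule(ev: ProcessEvent) -> bool:
    cmd = ev.cmdline.lower()
    return "schtasks" in cmd and "/create" in cmd and any(d in cmd for d in USER_WRITABLE)

def evaluate(ev: ProcessEvent) -> dict:
    """Which layer of detection fires for this event."""
    return {"hash": hash_rule(ev), "ip": ip_rule(ev), "behaviour": behaviour_rule(ev)}
```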
Operationalising these concepts requires investment in visibility and expertise. Organisations must collect comprehensive endpoint, network, identity, and cloud telemetry. They must develop analytics capable of correlating events into meaningful behavioural patterns. Threat hunting programs play a critical role by proactively searching for ATT&CK techniques that may evade automated alerts. Equally important is analyst training: defenders must understand adversary TTPs well enough to interpret ambiguous signals and distinguish malicious activity from benign behaviour.
Mapping detection coverage to ATT&CK techniques enables organisations to systematically assess their defensive posture. Gaps can be identified, risks prioritised, and investments aligned with the behaviours most relevant to the organisation's threat model. Over time, this approach enables a shift from reactive incident response toward proactive disruption of adversary operations.
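One way to carry out the coverage assessment described above, as an added example that is not part of the original post: a constructed threat model expressed in ATT&CK technique IDs (the IDs are standard Enterprise identifiers; the rule names and telemetry sources are invented for the example) is scored against a rule inventory, and a technique only counts as covered when a rule exists and the telemetry that rule depends on is actually collected, which is the visibility point made earlier.

```python
# Added example (not from the original post): ATT&CK coverage assessment that
# distinguishes "no rule" from "rule exists but its telemetry is not collected".
from collections import defaultdict

# Constructed threat model: techniques of concern, grouped by tactic.
THREAT_MODEL = {
    "Persistence": {
        "T1053.005": "Scheduled Task",
        "T1547.001": "Registry Run Keys / Startup Folder",
        "T1543.003": "Windows Service",
    },
    "Credential Access": {"T1003": "OS Credential Dumping"},
    "Lateral Movement": {"T1021": "Remote Services"},
}

# Constructed rule inventory: rule name -> (technique it detects, telemetry it needs).
RULES = {
    "sched_task_from_temp": ("T1053.005", "process_cmdline"),
    "run_key_modified":     ("T1547.001", "registry_events"),
    "lsass_handle_open":    ("T1003",     "process_access"),
}

# Telemetry actually onboarded (constructed); note process_access is missing.
COLLECTED = {"process_cmdline", "registry_events", "network_flows"}

def assess(threat_model, rules, collected):
    """Return {tactic: {technique: status}}; status is 'covered',
    'rule-without-telemetry' or 'no-rule'."""
    by_tech = defaultdict(list)
    for name, (tech, telemetry) in rules.items():
        by_tech[tech].append((name, telemetry))
    report = {}
    for tactic, techniques in threat_model.items():
        report[tactic] = {}
        for tech in techniques:
            matches = by_tech.get(tech, [])
            if not matches:
                status = "no-rule"
            elif any(t in collected for _, t in matches):
                status = "covered"
            else:
                status = "rule-without-telemetry"
            report[tactic][tech] = status
    return report

def gaps(report):
    """Uncovered techniques, worst first: missing rules before missing telemetry."""
    order = {"no-rule": 0, "rule-without-telemetry": 1}
    out = [(tactic, tech, s) for tactic, techs in report.items()
           for tech, s in techs.items() if s != "covered"]
    return sorted(out, key=lambda x: order[x[2]])
```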
Taken together, the MITRE ATT&CK Framework, the concept of Tactics, Techniques, and Procedures, and the Pyramid of Pain form a cohesive model for modern threat intelligence and defence. ATT&CK provides a structured catalogue of adversary behaviour. TTPs offer a layered language for describing how attacks unfold. The Pyramid of Pain guides prioritisation by highlighting which defensive actions impose the most significant cost on attackers. Together, these frameworks support a security strategy that moves beyond chasing indicators toward sustained, behaviour-driven defence.