We covered a newly-released challenge, named Summit, in the SOC Level 1 track on TryHackMe. The challenge wraps blue teamers and red teamers together into one scenario where a red teamer executes threat simulations and malware samples against the user environment and the blue teamer works on developing detection rules and security controls to detect and block the attacker’s methods. The challenge shows that as the security rules develop and improve, the attacker has to go through more pain and develop more sophisticated methods to make the malware stealthier and evade the defences.

What is Pyramid of Pain in Cybersecurity

This well-renowned concept is applied in cybersecurity solutions such as Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of CTI (Cyber Threat Intelligence), threat hunting, and incident response exercises.

Understanding the Pyramid of Pain concept as a Threat Hunter, Incident Responder, or SOC Analyst is important.

In the Pyramid of Pain, the layers represent the level of effort and difficulty the attacker has to go through in order to evade the security defences. The higher we go up the pyramid, the more difficult it is for the attacker to breach the network, because the security controls and detection rules at that level are harder to evade.

Enterprise network defenders can find useful reference material in The Pyramid of Pain.

For example, the Pyramid informs us that a defender will know they’ll need to employ more than file hash values to detect such behavior if an attacker is utilizing malware to infect an endpoint within their attack chain. This is due to the fact that attackers can “trivially” circumvent the approach by simply recompiling the malware sample, rendering the file hash value the defender used to detect the original sample meaningless.

In a similar vein, the Pyramid indicates that even if a defender uses IP address, CIDR block, or even ASN range blacklists to prevent malicious network communication, they may still be vulnerable because these security measures are “easy” to get around (the attacker could simply relocate their operations center or command-and-control infrastructure to a different network server).

What are the Indicators Used in the Pyramid of Pain?

  1. Hash values: SHA1, MD5, or other similar hashes that correspond to specific suspicious or malicious files.
  2. IP addresses
  3. Domain names
  4. Network Artifacts: URI patterns, C2 Domains, HTTP User-Agent, or SMTP Mailer values, etc.
  5. Host Artifacts: Registry keys, file names, network connections, etc.
  6. Tools: Software used by attackers to accomplish their mission.
  7. Tactics, Techniques and Procedures (TTPs): as in MITRE ATT&CK.
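The point made above, that a hash-based rule is defeated by a simple recompile while indicators higher up the pyramid keep firing, can be shown with a small rule set. This is an added example and not code from the room or the original post; the sample bytes, IP range, domain, User-Agent and registry key are all constructed values.

```python
import hashlib
import ipaddress
import re

# Constructed bytes standing in for the original sample and a "recompiled"
# build of it: same behaviour, different bytes, therefore a different hash.
ORIGINAL_SAMPLE = b"MZ\x90\x00 constructed stand-in for sample1.exe"
RECOMPILED_SAMPLE = ORIGINAL_SAMPLE + b"\x00"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# One detection rule per Pyramid of Pain level (indicator values are constructed).
RULES = {
    "hash": lambda e: e["sha256"] == sha256(ORIGINAL_SAMPLE),
    "ip": lambda e: ipaddress.ip_address(e["dst_ip"]) in ipaddress.ip_network("203.0.113.0/24"),
    "domain": lambda e: e["dst_domain"] == "update-check.example",
    "net_artifact": lambda e: re.search(r"MSIE 6\.0; Windows NT 5\.1", e["user_agent"]) is not None,
    "host_artifact": lambda e: e["reg_key"].lower().startswith(
        "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"),
}

def matched_rules(event):
    """Names of the rules that fire on one execution event."""
    return [name for name, rule in RULES.items() if rule(event)]

# Constructed telemetry for the first execution of the sample.
BASELINE = {
    "sha256": sha256(ORIGINAL_SAMPLE),
    "dst_ip": "203.0.113.45",
    "dst_domain": "update-check.example",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "reg_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
}

# Each step changes exactly one indicator; the cheapest changes come first.
EVASIONS = [
    ("recompile", {"sha256": sha256(RECOMPILED_SAMPLE)}),
    ("move C2 IP", {"dst_ip": "198.51.100.7"}),
    ("new domain", {"dst_domain": "cdn-sync.example"}),
]

def surviving_rules(baseline, evasions):
    """Apply the evasions cumulatively; record which rules still fire after each."""
    event = dict(baseline)
    history = {"baseline": matched_rules(event)}
    for step, change in evasions:
        event.update(change)
        history[step] = matched_rules(event)
    return history

if __name__ == "__main__":
    for step, rules in surviving_rules(BASELINE, EVASIONS).items():
        print(f"{step:12s} -> still detected by: {rules}")
```

After all three cheap changes only the network and host artifact rules are left, which is exactly why the room pushes the defender up the pyramid rather than adding more hashes.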

Task Scenario

After participating in one too many incident response activities, PicoSecure has decided to conduct a threat simulation and detection engineering engagement to bolster its malware detection capabilities. You have been assigned to work with an external penetration tester in an iterative purple-team scenario. The tester will be attempting to execute malware samples on a simulated internal user workstation. At the same time, you will need to configure PicoSecure’s security tools to detect and prevent the malware from executing.

Following the Pyramid of Pain’s ascending priority of indicators, your objective is to increase the simulated adversaries’ cost of operations and chase them away for good. Each level of the pyramid allows you to detect and prevent various indicators of attack.

Room Prerequisites

Completing the preceding rooms in the Cyber Defence Frameworks module will be beneficial before venturing into this challenge. Specifically, the following:

Room Answers | TryHackMe Summit

What is the first flag you receive after successfully detecting sample1.exe?
THM{f3cbf08151a11a6a331db9c6cf5f4fe4}

What is the second flag you receive after successfully detecting sample2.exe?

THM{2ff48a3421a938b388418be273f4806d}

What is the third flag you receive after successfully detecting sample3.exe?

THM{4eca9e2f61a19ecd5df34c788e7dce16}

What is the fourth flag you receive after successfully detecting sample4.exe?

THM{c956f455fc076aea829799c0876ee399}

What is the fifth flag you receive after successfully detecting sample5.exe?

THM{46b21c4410e47dc5729ceadef0fc722e}

What is the final flag you receive from Sphinx?

THM{c8951b2ad24bbcbac60c16cf2c83d92c}

Video Walkthrough | TryHackMe Summit

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
