In the Pyramid of Pain, David J. Bianco urges defenders to detect behavior — Tactics, Techniques, and Procedures (TTPs) — rather than indicators alone. The core idea is that indicators can be trivially changed, but TTPs cannot. Forcing attackers to change their TTPs costs them time and resources, which limits their effectiveness over time.
Examples
- Attackers now have to spend effort evading EDR, whose detections key on behavior rather than on individual indicators
- Requiring signed macros by default on MS Office files killed a primary phishing vector, forcing attackers to find a new initial-access technique
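To make the indicator-versus-TTP distinction concrete, here is an added example (not from Bianco's paper): a hash-based indicator rule and a behavioral parent/child process rule are run over a few constructed process-creation events, showing that a recompiled payload slips past the hash but not the behavior rule. The image paths, hash values and rule names are assumptions made for the example.

```python
import re

# Constructed process-creation events (not real telemetry). The sha256 values
# are placeholders standing in for the hash of the child executable.
EVENTS = [
    # Campaign 1: Word spawning cmd.exe, payload hash known from an earlier incident
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "child": r"C:\Windows\System32\cmd.exe",
     "sha256": "placeholder-hash-campaign-1"},
    # Campaign 2: same technique (Office -> shell), but the payload was rebuilt,
    # so the hash indicator no longer matches
    {"parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "placeholder-hash-campaign-2"},
    # Benign: a user opening a command prompt from Explorer
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\cmd.exe",
     "sha256": "placeholder-hash-benign"},
]

# Bottom of the pyramid: a hash indicator harvested from the first incident.
KNOWN_BAD_HASHES = {"placeholder-hash-campaign-1"}

# Top of the pyramid: the technique itself. An Office application spawning a
# shell or script host is the behavior behind macro-based phishing, regardless
# of which payload or hash is involved.
OFFICE_APPS = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.I)
SHELL_HOSTS = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$", re.I)


def indicator_rule(event):
    """Match only if the child's hash is on the blocklist."""
    return event["sha256"] in KNOWN_BAD_HASHES


def ttp_rule(event):
    """Match the behavior: Office parent, shell/script-host child."""
    return bool(OFFICE_APPS.search(event["parent"])
                and SHELL_HOSTS.search(event["child"]))


def evaluate(events):
    """Return the indices each rule flags, so the two can be compared."""
    return {
        "indicator": [i for i, e in enumerate(events) if indicator_rule(e)],
        "ttp": [i for i, e in enumerate(events) if ttp_rule(e)],
    }


if __name__ == "__main__":
    print(evaluate(EVENTS))  # indicator catches only event 0; ttp catches 0 and 1
```

The hash rule goes stale as soon as the payload is rebuilt, while the behavior rule keeps firing until the attacker abandons the Office-to-shell technique altogether, which is the cost the pyramid is meant to impose.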