Exact Extract: “The Pyramid of Pain illustrates why focusing on adversary TTPs is important: They are the most descriptive IOCs of a given adversary and the toughest for threat actors to change.” The guide ranks Domain Names as “Simple” and IP Addresses as “Easy,” while TTPs are “Tough.”
Exact Extract: “As you progress from the top of the pyramid to the bottom, the disruption of an element becomes easier for the adversary to recover from… once those IP addresses start to be widely recognized as malicious and potentially blocked, it is easy for the attacker to start using other IP addresses.”
The correct answers are C and D . Blocking IP addresses and domains is useful, but it targets low-level observable indicators, not the adversary’s deeper behavior. In the Pyramid of Pain, IP addresses and domain names sit near the bottom because attackers can replace them quickly by rotating infrastructure, registering new domains, using compromised hosts, or changing hosting providers. Therefore, this approach focuses on network indicators and creates only limited disruption.
Option A is too strong. IPs and domains may reveal infrastructure, but blocking them does not necessarily identify strategic weaknesses in the adversary’s operation. Option B is wrong because high operational cost is associated with forcing adversaries to change tools or TTPs, not merely rotating IPs and domains.
Technical Deep Dive: In a Fortinet SOC, blocking phishing IPs/domains can be automated through FortiSOAR playbooks using FortiGate address objects, DNS filtering, FortiMail blocklists, or FortiGuard threat intelligence enrichment. That is good hygiene, but it is reactive. Higher-value hunting looks for reusable phishing tradecraft: lure themes, sender infrastructure patterns, attachment behaviors, command-and-control sequence, credential collection workflow, and post-compromise TTPs. ASIC offloading is not the key issue here; the security value comes from intelligence quality and detection depth, not packet acceleration.