
The End of IOCs: A Case Study on Resolving Persistent Attacks Using Tactics, Techniques, and Procedures (TTPs)

  • Wednesday, June 22, 2016 at 1:00 PM EDT (2016-06-22 17:00:00 UTC)
  • Israel Barak, Dave Shackleford


  • Cybereason




The Cybereason team recently reviewed a customer case in which the attackers established a persistent hold in the customer's environment; even though the company had a skilled IR team, it was not able to fully remediate the attack.

The failure was due to the attackers' use of evolving tools designed to cripple, confuse and slow down traditional IR tools and methodologies. The company's IR approach revolved around IOCs (Indicators of Compromise), a flawed approach that relies on static indicators (e.g. IP addresses, domain names, file names and hashes), which the attackers easily overcame by constantly modifying their tools.

Cybereason joined the company's IR team and deployed its TTP-based approach (Tactics, Techniques and Procedures), which is based on detecting and rapidly tracking an attacker's method of operation.

TTP-based detection looks for the overall behavior that stems from the attackers' training, processes and the underlying assets in their possession, which are therefore much harder for the attacker to change. These tactics are far more effective in unraveling and neutralizing the entire adversarial operation.
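To make the contrast concrete, here is an added example (not code from the webcast or from Cybereason) that runs two detection styles over constructed endpoint telemetry: a static IOC match using indicators extracted from the first intrusion wave, and a behavioral rule that looks for the method of operation (a binary launched from a user-writable location that installs persistence and then connects outbound). All hosts, paths, hashes and addresses are made up.

```python
from collections import defaultdict

# Constructed sample telemetry (values are made up): two intrusion waves by the
# same operator. Wave 2 repeats the method of operation, but every static
# artifact (file name, hash, C2 address) has been changed by the attacker.
EVENTS = [
    {"t": 10, "host": "ws01", "pid": 100, "type": "exec", "path": "C:/Users/a/AppData/Local/Temp/svc.exe", "sha256": "1111"},
    {"t": 12, "host": "ws01", "pid": 100, "type": "persist", "how": "scheduled_task"},
    {"t": 15, "host": "ws01", "pid": 100, "type": "net", "dst": "203.0.113.10"},
    {"t": 40, "host": "ws02", "pid": 200, "type": "exec", "path": "C:/Users/b/AppData/Local/Temp/upd.exe", "sha256": "2222"},
    {"t": 41, "host": "ws02", "pid": 200, "type": "persist", "how": "run_key"},
    {"t": 45, "host": "ws02", "pid": 200, "type": "net", "dst": "198.51.100.7"},
    # Benign: a vendor updater under Program Files that also persists and calls home.
    {"t": 50, "host": "ws03", "pid": 300, "type": "exec", "path": "C:/Program Files/Vendor/update.exe", "sha256": "3333"},
    {"t": 51, "host": "ws03", "pid": 300, "type": "persist", "how": "scheduled_task"},
    {"t": 52, "host": "ws03", "pid": 300, "type": "net", "dst": "192.0.2.20"},
]

# IOCs the IR team extracted from wave 1 only (constructed values).
IOCS = {"sha256": {"1111"}, "dst": {"203.0.113.10"}}

# Path fragments that mark user-writable locations (assumption for this example).
USER_WRITABLE = ("/Users/", "/Temp/", "/AppData/")


def ioc_hits(events, iocs):
    """Static matching: flag a process only when an event carries a known indicator."""
    hits = set()
    for e in events:
        for field, values in iocs.items():
            if e.get(field) in values:
                hits.add((e["host"], e["pid"]))
    return hits


def ttp_hits(events, window=60):
    """Behavioral matching: exec from a user-writable path, then persistence,
    then an outbound connection, all within `window` seconds of the exec,
    regardless of which hash, file name or address the tool uses."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)
    hits = set()
    for key, evs in by_proc.items():
        execs = [e for e in evs if e["type"] == "exec" and any(m in e["path"] for m in USER_WRITABLE)]
        persist = [e for e in evs if e["type"] == "persist"]
        net = [e for e in evs if e["type"] == "net"]
        # Require the ordering exec -> persist -> net inside the time window.
        if any(x["t"] <= p["t"] <= n["t"] <= x["t"] + window for x in execs for p in persist for n in net):
            hits.add(key)
    return hits
```

The IOC matcher catches only the wave-1 process, while the behavioral rule catches both waves and still ignores the benign updater because its path condition is not met.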

Join Cybereason CISO and Head of IR, Israel Barak and SANS expert, David Shackleford to:
  • Review the attack's profile and the IR challenges the customer faced
  • Highlight the shortcomings of IOCs in detecting and responding to such attacks
  • Discuss TTPs as an alternative: a more successful approach to detecting and responding to persistent threats
  • Demo how Cybereason helps security teams detect and remediate attacks

Speaker Bios

Israel Barak

Israel Barak, Cybereason's CISO and Head of Incident Response, holds more than 15 years of private and public sector security experience. As a cyber-security defense specialist with the Israeli government, he spent nearly a decade working on projects related to defensive cyber warfare. Israel has helped found two companies - Q.rity, a cyber-defense services business that was acquired by a venture capital firm, and Sentrix, which focuses on Web application security.

Dave Shackleford

Dave Shackleford, a SANS analyst, senior instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.
