The End of IOCs: A Case Study on Resolving Persistent Attacks Using Tactics, Techniques, and Procedures (TTPs)

  • Wednesday, 22 Jun 2016 1:00PM EDT (22 Jun 2016 17:00 UTC)
  • Speakers: Dave Shackleford, Israel Barak

The Cybereason team recently reviewed a customer case in which the attackers established a persistent hold in the customer's environment, and even though the company had a skilled IR team, they were not able to fully remediate the attack.

The failure was due to the attacker's use of evolving tools that were designed to cripple, confuse and slow down traditional IR tools and methodologies. The company's IR approach revolved around IOCs (Indicators of Compromise), a flawed approach that relies on static indicators (e.g. IP addresses, domain names, file names and hashes), which the attacker easily overcame by constantly modifying their tools.

Cybereason joined the company's IR team and deployed its TTP-based approach (Tactics, Techniques and Procedures - TTPs), which is based on the detection and rapid tracking of an attacker's method of operation.

TTP-based detection looks for the overall behavior stemming from the attacker's training, processes and the underlying assets in their possession, which are therefore far harder for the attacker to change. These tactics are far more effective in unraveling and neutralizing the entire adversarial operation.
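To make the IOC-versus-TTP distinction concrete, here is an added example (not code from the webinar, from Cybereason, or from the customer case) that runs a static IOC match and a behavioral rule over a handful of constructed process-creation events. The hashes, domains and paths are placeholders invented for the illustration; the point is that once the attacker rebuilds their tool (new hash, new domain), the IOC rule goes silent while the behavioral rule, which keys on an Office process launching a binary from a user-writable directory that immediately beacons out, keeps firing.

```python
"""Added example (not code from the page or from Cybereason): contrasts
IOC matching with TTP (behaviour) matching on constructed process events."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    event_id: int
    parent_image: str           # executable that spawned the process
    image_path: str             # full path of the new process image
    sha256: str                 # hash of that image (constructed placeholders below)
    dest_domain: Optional[str]  # outbound connection made by the process, if any


# IOC approach: static artefacts harvested from the first intrusion wave.
# The attacker controls every one of these values and can change them at will.
IOC_HASHES: Set[str] = {"SHA256_WAVE1_TOOL_PLACEHOLDER"}
IOC_DOMAINS: Set[str] = {"wave1-c2.example"}


def ioc_match(ev: ProcEvent) -> bool:
    """Static match: fires only while the hash or the domain is unchanged."""
    return ev.sha256 in IOC_HASHES or ev.dest_domain in IOC_DOMAINS


# TTP approach: describe the method of operation instead of the artefact.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def ttp_office_drops_and_beacons(ev: ProcEvent) -> bool:
    """Behaviour: an Office process launches a binary from a user-writable
    directory and that binary immediately reaches out to the network.
    None of the three conditions depends on a hash or a domain name."""
    return (
        basename(ev.parent_image) in OFFICE_APPS
        and any(tok in ev.image_path.lower() for tok in USER_WRITABLE)
        and ev.dest_domain is not None
    )


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "ioc": ioc_match,
    "ttp": ttp_office_drops_and_beacons,
}


def triage(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return, per rule, the sorted ids of the events it flags."""
    return {
        name: sorted(ev.event_id for ev in events if rule(ev))
        for name, rule in RULES.items()
    }


# Constructed telemetry: two intrusion waves plus two benign events.
EVENTS: List[ProcEvent] = [
    # Wave 1: the tooling the IOCs were harvested from.
    ProcEvent(1, "C:\\Program Files\\Microsoft Office\\winword.exe",
              "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
              "SHA256_WAVE1_TOOL_PLACEHOLDER", "wave1-c2.example"),
    # Wave 2: same tradecraft, rebuilt binary, fresh infrastructure.
    ProcEvent(2, "C:\\Program Files\\Microsoft Office\\excel.exe",
              "C:\\Users\\alice\\AppData\\Roaming\\svchelper.exe",
              "SHA256_WAVE2_TOOL_PLACEHOLDER", "cdn-assets.example"),
    # Benign: Word spawning the print spooler helper from a system path.
    ProcEvent(3, "C:\\Program Files\\Microsoft Office\\winword.exe",
              "C:\\Windows\\splwow64.exe",
              "SHA256_SPLWOW64_PLACEHOLDER", None),
    # Benign: a user-launched installer that phones home, but not from Office.
    ProcEvent(4, "C:\\Windows\\explorer.exe",
              "C:\\Users\\bob\\Downloads\\installer.exe",
              "SHA256_SIGNED_INSTALLER_PLACEHOLDER", "vendor-updates.example"),
]


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: flagged events {hits}")
```

Running it shows the IOC rule flagging only event 1, while the behavioral rule flags events 1 and 2 and stays quiet on the two benign events. In practice the behavioral rule is a starting point, not a finished detection: it would be tuned against the environment's own baseline of Office child processes, and an IR team would pivot from a hit to the full process tree rather than to the hash.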

Join Cybereason CISO and Head of IR, Israel Barak, and SANS expert, David Shackleford, to:
  • Review the attack's profile and the IR challenges of the customer
  • Highlight the shortcomings of IOCs in detecting and responding to such attacks
  • Discuss TTPs as an alternative: a more successful approach to the detection of, and response to, persistent threats
  • Demo how Cybereason helps security teams detect and remediate attacks