The Cybereason team recently reviewed a customer case in which the attackers established a persistent hold in the customer's environment, and even though the company had a skilled IR team, they were not able to fully remediate the attack.
The failure was due to the attacker's use of evolving tools designed to cripple, confuse and slow down traditional IR tools and methodologies. The company's IR approach revolved around IOCs (Indicators of Compromise), a flawed approach that relies on static indicators (e.g. IP addresses, domain names, file names and hashes), which the attacker easily overcame by constantly modifying their tools.
Cybereason joined the company's IR team and deployed its TTP-based approach (Tactics, Techniques and Procedures), which is based on detecting and rapidly tracking the attacker's method of operation.
TTP-based detection looks for the overall behavior stemming from the attacker's training, processes and the assets in their possession; these are far harder for the attacker to change than static indicators. Such tactics are far more effective in unraveling and neutralizing the entire adversarial operation.
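The contrast between static IOC matching and TTP-based detection can be shown over a handful of process events. The following is an added example, not Cybereason's code and not data from the incident above: the events, hosts, hashes and addresses are constructed, and the behavioral rule (a document reader spawning a command interpreter whose child opens an outbound connection) is an illustrative pattern chosen for the demonstration, not a TTP the page reports. The IOC list is harvested from the first wave only; in the second wave the attacker has rebuilt the tool (new hash) and moved to a new address, but the chain of behavior is unchanged.

```python
"""Static IOC matching versus TTP-style behavioral detection.

All events below are constructed for this example; hosts, hashes,
addresses and the behavioral rule are illustrative assumptions, not
data from the incident described on the page.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: int                        # seconds since epoch (constructed)
    host: str
    pid: int
    ppid: int                      # parent pid
    image: str                     # executable name
    sha256: str                    # hash of the executable (constructed, shortened)
    dst_ip: Optional[str] = None   # outbound connection made by this process, if any


# Wave 1: tool v1.  Wave 2: same method of operation, but the attacker has
# rebuilt the final stage (new hash, new name) and moved to a new address.
EVENTS = [
    ProcEvent(100, "ws01", 400, 10, "docreader.exe", "aaaa1111"),
    ProcEvent(101, "ws01", 401, 400, "cmdhost.exe", "bbbb2222"),
    ProcEvent(102, "ws01", 402, 401, "tool.exe", "cccc3333", dst_ip="198.51.100.10"),
    # Wave 2
    ProcEvent(900, "ws07", 510, 10, "docreader.exe", "aaaa1111"),
    ProcEvent(901, "ws07", 511, 510, "cmdhost.exe", "bbbb2222"),
    ProcEvent(902, "ws07", 512, 511, "update.exe", "dddd4444", dst_ip="203.0.113.25"),
    # Benign: a user opens a document and nothing else happens
    ProcEvent(950, "ws09", 600, 10, "docreader.exe", "aaaa1111"),
]

# Static indicators harvested from wave 1 only
IOC_HASHES = {"cccc3333"}
IOC_IPS = {"198.51.100.10"}


def ioc_matches(events):
    """Static matching: a host is flagged only if an event carries a listed
    hash or contacts a listed address."""
    return sorted({e.host for e in events
                   if e.sha256 in IOC_HASHES or e.dst_ip in IOC_IPS})


def ttp_matches(events, max_window=60):
    """Behavioral rule (illustrative assumption): document reader -> command
    interpreter -> child that makes an outbound connection, all on one host
    within max_window seconds.  Hash, name and address of the final stage
    are ignored; only the chain of behavior matters."""
    by_key = {(e.host, e.pid): e for e in events}   # pids are per host
    hits = set()
    for e in events:
        if e.dst_ip is None:
            continue
        parent = by_key.get((e.host, e.ppid))
        if parent is None or parent.image != "cmdhost.exe":
            continue
        grand = by_key.get((e.host, parent.ppid))
        if grand is None or grand.image != "docreader.exe":
            continue
        if e.ts - grand.ts <= max_window:
            hits.add(e.host)
    return sorted(hits)


if __name__ == "__main__":
    print("IOC-based hits:", ioc_matches(EVENTS))   # ['ws01']  (wave 2 missed)
    print("TTP-based hits:", ttp_matches(EVENTS))   # ['ws01', 'ws07']
```

The IOC matcher stops working the moment the attacker recompiles the tool or changes address, because it keys on exactly those values; the behavioral rule keys on the relationship between processes, which the attacker has to re-engineer their whole procedure to avoid. In a real deployment the chain and the time window would be tuned against the environment's own telemetry to keep the benign case (`ws09` above) from firing.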