Detection strategies based on indicators of compromise (IOCs) are a losing proposition. Attackers can easily change IOC artifacts, making old tools appear new and allowing them to slip past traditional security tools like antivirus software and firewalls. Attackers can automate the process for changing MD5 hash values, for instance, while domain generation algorithms provide adversaries with a nearly endless supply of URLs that can link to command-and-control servers. IOCs are also easy to scale. In fact, there are entire teams dedicated to changing IOCs when the defenders discovers them.
The advantages of detecting attack behavior
A more effective approach to threat detection involves looking for an attacker’s tactics, techniques and procedures, or TTPs. Unlike IOC artifacts, TTPs are very difficult to change and scale. TTPs are based on institutional knowledge and take months or longer to develop. After selecting a specific TTP for an operation, hackers don’t deviate from their plan since they lack the time and resources to develop additional ones during the attack campaign. TTP-based detection targets the behavioral elements of an attack and turns the enemy’s most important assets into vulnerabilities that the defenders can use to their advantage. Detecting just one TTP places the entire attack in jeopardy.
How one company discovered the trouble with IOC-based detection
One Cybereason customer, a large financial services company, discovered the trouble with IOC-based detection first hand. The company spent six months chasing IOCs in an attempt to discover the source of a compromise. This approach proved futile and prevented the bank from discovering how hackers infiltrated its defenses. Each incident was the same: data exfiltration to a location where the bank didn’t conduct business was detected and a forensic investigation revealed the domain names and IP addresses of command-and-control servers. But searching the organization for other PCs with these IOCs only turned up the machines that was already compromised.
The bank turned to Cybereason and its behavioral-based approach to threat detection to figure out what was happening in its environment. Ultimately, Cybereason discovered that the attackers were using only a handful of TTPs, but each machine had a unique set of IOCs that changed daily. Thousands of IOC combinations were used, preventing a remediation approach based on IOC detection from successfully stopping the attack.
Read our latest case study to learn more about our customer’s story as well as the benefits of a TTP-based approach to threat detection.
