Relying on indicators of compromise (IOCs) to detect attacks is a losing strategy. Attackers can change IOCs such as file hashes, domains and IP addresses quickly and cheaply, allowing them to slip past firewalls, antivirus programs and other traditional security tools.
Adversaries also use IOCs as a deception technique: they deploy tools with known IOCs in their campaign to distract security teams from the real operation, which is carried out with never-before-seen tools. Chasing IOCs also gives defenders a false sense of accomplishment that can keep them from fully remediating an intrusion. An incident response (IR) team may believe it has stopped an attack by addressing every detected IOC, when in reality it has resolved only a portion of the campaign.
To gain an advantage over attackers, organizations need a detection strategy that looks for the tactics, techniques and procedures (TTPs) an adversary is using. Unlike IOCs, TTPs are not easily modified. Once attackers have selected the tools for a campaign, they stick with them: developing TTPs takes substantial time, and modifying them or developing new ones in the midst of an operation is nearly impossible.
With TTP detection, an adversary's most valuable assets become a major liability. Instead of going after IOCs, whose discovery has little to no impact on the operation, TTP detection targets the adversary's behavior.
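To make the distinction concrete, here is an added example (not code from the original article) that runs an IOC rule and a behavioral rule side by side over a handful of constructed process-creation events. The event fields, the placeholder hashes, the two "campaigns" and the specific behavior rule (an Office application spawning a script host or an executable from a user-writable directory) are all assumptions made for the illustration. The point it shows: when the attacker recompiles the tool, the hash-based IOC rule goes silent while the behavior rule keeps firing, and a benign Office child process (a print helper under C:\Windows) trips neither rule.

```python
"""IOC matching versus behavior (TTP) matching over constructed process events.

Added example, not from the article. Field names, hashes and sample events
are assumptions; the behavior rule is a common generic analytic, not a claim
about any particular product or campaign.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    sha256: str         # hash of the created process image


def _name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _in_user_writable_dir(path: str) -> bool:
    """True for paths under locations an unprivileged user can write to."""
    p = path.replace("\\", "/").lower()
    return any(marker in p for marker in ("/appdata/", "/temp/", "/downloads/"))


# --- IOC rule: exact-match a list of hashes seen in an earlier campaign ---
KNOWN_BAD_HASHES: Dict[str, str] = {
    "a1" * 32: "campaign-A dropper (constructed placeholder hash)",
}


def ioc_rule(ev: ProcessEvent) -> bool:
    return ev.sha256 in KNOWN_BAD_HASHES


# --- TTP rule: Office app spawning a script host or an untrusted executable ---
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ttp_rule(ev: ProcessEvent) -> bool:
    parent_is_office = _name(ev.parent_image) in OFFICE_APPS
    child_is_untrusted = _name(ev.image) in SCRIPT_HOSTS or _in_user_writable_dir(ev.image)
    return parent_is_office and child_is_untrusted


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "ioc:known_hash": ioc_rule,
    "ttp:office_spawns_untrusted_child": ttp_rule,
}


def evaluate(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return each event paired with the names of the rules that matched it."""
    return [(ev, [name for name, rule in RULES.items() if rule(ev)]) for ev in events]


def detection_summary(events: List[ProcessEvent]) -> Dict[str, int]:
    """Count how many events each rule fired on."""
    counts = {name: 0 for name in RULES}
    for _, hits in evaluate(events):
        for name in hits:
            counts[name] += 1
    return counts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Campaign A: known dropper hash, dropped into the user's temp directory.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\update_helper.exe", "a1" * 32),
    # Campaign B: same behavior, tool recompiled so the hash is new.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Users\bob\AppData\Roaming\invoice_viewer.exe", "b2" * 32),
    # Campaign B variant: no dropped binary at all, a built-in script host instead.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "c3" * 32),
    # Benign: user opens a shell from Explorer.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "d4" * 32),
    # Benign: Word launching the print spooler helper from the Windows directory.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "e5" * 32),
]


if __name__ == "__main__":
    for ev, hits in evaluate(SAMPLE_EVENTS):
        print(f"{_name(ev.parent_image):>14} -> {_name(ev.image):<20} {hits or 'no match'}")
    print(detection_summary(SAMPLE_EVENTS))
```

The IOC rule catches only the first event; the behavior rule catches the first three and stays quiet on both benign ones. In practice the behavior rule would be tuned against the environment's own baseline (which Office child processes are normal here), but the tuning cost is paid by the defender once, whereas an attacker changes a hash for free.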
Organizations are already discovering the shortcomings of IOC detection. One major bank spent six months chasing IOCs without discovering the source of the attack; after switching to a detection strategy that looked for attacker behavior, it was able to detect the full attack in days.