Companies are reluctant to disclose security breaches and share details on how they were hacked. Initially, this may seem like a natural response. What organization would like to admit to its customers or employees that criminals may have sensitive information on them?
Obviously, these disclosures can have negative consequences for a company. People who were impacted by The Home Depot breach filed a class-action lawsuit against the retailer, while Target’s CEO lost his job over a breach that exposed personal data on millions of customers. And then there’s the fallout that accompanies having your organization’s sensitive information released to the world, as Sony and the Democratic National Committee discovered.
But what if the hacked businesses made the information about the attack public? Armed with this knowledge, security companies could investigate if similar methods had been used to infiltrate other businesses and immediately stop the attack.
While this idea isn’t new, it’s always worth mentioning, especially after a string of breaches that hit the same kind of target with the same methods. In fact, Brian Krebs brought up this idea on Thursday when discussing the response of retailers and hospitality companies whose point-of-sale (POS) systems have been infected with malware. Eddie Bauer is the latest retailer to admit that hackers had planted malware on its POS systems capable of stealing credit and debit card numbers, according to Krebs’ post. The clothing chain joins Wendy’s, HEI Hotels & Resorts and companies that use Oracle’s Micros POS system as organizations that have been victimized by the same kind of attack.
In addition to providing victims with the standard credit monitoring services, Krebs called for breached organizations “to offer the cyber defenders of the world just a few details about the attack tools and online staging grounds the intruders used,” including indicators of compromise, saying that they’re important in helping discover and stop attacks.
While IOCs can help defenders detect attacks, they’re not the only or the best way to figure out if adversaries are already in your network. Attackers can easily and quickly modify IOCs to evade detection by security tools. Change the signature on a piece of malware and it looks new, letting it slip past an antivirus program. Or stockpile IP addresses so there are always sites that can readily host malware, sites that aren’t yet blacklisted by firewalls.
Finding what tactics, techniques and procedures (TTPs) an adversary uses is a much better way to detect and stop breaches. Unlike IOCs, TTPs are much more difficult for an attacker to change. Considerable time and effort goes into developing TTPs, meaning a hacker has a limited set to work with. Once a TTP is detected, the adversary has little to no time to replace it.
TTP detection focuses on an attacker’s behavior, which is a much more effective way of figuring out what’s happening on a company’s endpoints. While IOCs can change, behavioral patterns aren’t as easy to adjust. And if the TTPs were successful in one operation, the attackers will undoubtedly use them in another campaign. This allows defenders to search their environments for the same behavior and uncover malicious activity, even when every IOC has changed.
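To make the IOC-versus-TTP contrast concrete, here is an added example (not code from the original post or from Cybereason) that runs an IOC matcher and a behavioral rule over a handful of constructed endpoint events. The hashes, hostnames and IP addresses are placeholders made up for the example, and the behavioral rule (a document-handling application spawning a command interpreter or script host that then makes an outbound connection) is one illustrative TTP, not a description of any specific campaign named in the post.

```python
"""IOC matching vs. behavioral (TTP) matching over constructed endpoint telemetry.

Added example: the events, hashes and IPs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    host: str                # endpoint that produced the event
    parent: str              # image name of the parent process
    process: str             # image name of the spawned process
    sha256: str              # hash of the spawned image (constructed placeholder)
    dest_ip: Optional[str]   # outbound connection destination, if any


# IOCs "shared from the first breach": one payload hash and one staging host.
# Both are constructed placeholders (203.0.113.0/24 is a documentation range).
KNOWN_BAD_HASHES: Set[str] = {"c0ffee01" * 8}
KNOWN_BAD_IPS: Set[str] = {"203.0.113.10"}

# Constructed telemetry. pos-01 is the original intrusion; pos-02 and pos-04 are a
# follow-on campaign using a recompiled tool and a fresh staging IP; hr-03 is an
# administrator launching PowerShell from the desktop shell.
EVENTS: List[Event] = [
    Event("pos-01", "winword.exe", "powershell.exe", "c0ffee01" * 8, "203.0.113.10"),
    Event("pos-02", "winword.exe", "powershell.exe", "c0ffee02" * 8, "198.51.100.7"),
    Event("hr-03", "explorer.exe", "powershell.exe", "1e9174ab" * 8, None),
    Event("pos-04", "excel.exe", "cmd.exe", "1e9174ab" * 8, "198.51.100.7"),
]

# Behavioral rule components: document handlers that should not normally launch
# interpreters, and the interpreters/script hosts attackers commonly abuse.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def ioc_hits(events: List[Event], bad_hashes: Set[str], bad_ips: Set[str]) -> List[Event]:
    """Flag events whose payload hash or destination IP is on the shared IOC list."""
    return [e for e in events if e.sha256 in bad_hashes or e.dest_ip in bad_ips]


def ttp_hits(events: List[Event]) -> List[Event]:
    """Flag the behavior itself: a document app spawning an interpreter that then
    reaches out to the network, regardless of which binary or IP is involved."""
    return [
        e for e in events
        if e.parent.lower() in DOCUMENT_APPS
        and e.process.lower() in INTERPRETERS
        and e.dest_ip is not None
    ]


def triage(events: List[Event], bad_hashes: Set[str], bad_ips: Set[str]) -> Dict[str, List[str]]:
    """Return the hosts each approach would surface, so the gap is visible."""
    return {
        "ioc": [e.host for e in ioc_hits(events, bad_hashes, bad_ips)],
        "ttp": [e.host for e in ttp_hits(events)],
    }


if __name__ == "__main__":
    result = triage(EVENTS, KNOWN_BAD_HASHES, KNOWN_BAD_IPS)
    print("hosts found by IOC matching:", result["ioc"])
    print("hosts found by TTP matching:", result["ttp"])
```

Running it shows the IOC matcher catching only the original victim, because the follow-on campaign changed both the hash and the staging IP, while the behavioral rule surfaces every host where the same technique was reused and leaves the administrator's ordinary PowerShell session alone. In a real deployment the rule would be tuned against the organization's own process-lineage baseline rather than the fixed sets used here.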
Israel Barak is Cybereason's CISO.