"Microsoft Uses Machine Learning to Predict Attackers' Next Steps"
Researchers at Microsoft have built a Machine Learning (ML) model that attributes cyberattacks to specific groups based on their Tactics, Techniques, and Procedures (TTPs) and predicts those groups' next steps. The researchers are exploring ways to use ML to turn an attacker's specific TTPs into behavior models that automate attack attribution and predict a given actor's next moves. In a recent research blog post, Microsoft described using data collected on threat actors by its endpoint and cloud security products to train a probabilistic ML model that correlates the TTPs extracted from an ongoing cyberattack with a specific group. The correlation also runs in reverse: once an attack is attributed, the model uses what it has learned about that group to predict its likely next steps. According to Tanmay Ganacharya, partner director for security research at Microsoft, this ML approach could significantly shorten the time to respond to active threats, improve attack attribution, and add context to ongoing attacks. The company used data from its Microsoft Defender anti-malware software to generate collections of TTPs, which its researchers then used to build a Bayesian network model. In cybersecurity, Bayesian models are most commonly associated with anti-spam engines; the researchers chose this approach because it is well suited to challenges such as high dimensionality, missing data, and interdependencies between TTPs. This article continues to discuss the ML model built by Microsoft researchers to attribute attacks to specific groups and predict their next steps.
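The two-way inference described above, attributing an attack from the TTPs seen so far and then predicting which unseen TTP is most likely next, can be illustrated with a small probabilistic model. The following is an added example, not Microsoft's model or code; the actor names, technique labels and probabilities are constructed. It uses a naive Bayes structure (actor node with one child per TTP), which is the simplest Bayesian network for this task; the page's model also captures interdependencies between TTPs, which this toy deliberately omits. Missing data is handled by not conditioning on TTPs whose presence is unknown.

```python
"""Toy TTP-based attribution and next-step prediction (constructed example).

Structure: one hidden actor variable, each TTP conditionally independent given
the actor. Observed TTPs update the posterior over actors; that posterior is
then pushed back through the same conditionals to rank unobserved TTPs.
"""
from __future__ import annotations

import math

# Constructed technique labels (ATT&CK-style IDs used only as names here).
TTPS = ["T1566", "T1059", "T1003", "T1021", "T1486"]

# Hypothetical actors and made-up prior probabilities P(actor).
PRIOR = {"GroupA": 0.5, "GroupB": 0.3, "GroupC": 0.2}

# Made-up conditionals P(TTP used | actor), one row per actor.
LIKELIHOOD = {
    "GroupA": {"T1566": 0.9, "T1059": 0.8, "T1003": 0.7, "T1021": 0.6, "T1486": 0.05},
    "GroupB": {"T1566": 0.3, "T1059": 0.6, "T1003": 0.2, "T1021": 0.3, "T1486": 0.9},
    "GroupC": {"T1566": 0.6, "T1059": 0.5, "T1003": 0.5, "T1021": 0.9, "T1486": 0.4},
}


def attribute(observed: dict[str, bool], prior=PRIOR, lik=LIKELIHOOD) -> dict[str, float]:
    """Posterior P(actor | observed) via Bayes' rule.

    `observed` maps a TTP to True (seen in the attack) or False (checked and
    confirmed absent). TTPs not present in `observed` are unknown and are
    simply skipped, which is how missing data is handled here.
    Log-space accumulation avoids underflow when many TTPs are observed.
    """
    log_post = {}
    for actor, p_actor in prior.items():
        lp = math.log(p_actor)
        for ttp, seen in observed.items():
            q = lik[actor][ttp]
            lp += math.log(q if seen else 1.0 - q)
        log_post[actor] = lp
    # Normalise with the log-sum-exp trick.
    m = max(log_post.values())
    z = sum(math.exp(v - m) for v in log_post.values())
    return {actor: math.exp(v - m) / z for actor, v in log_post.items()}


def predict_next(observed: dict[str, bool], prior=PRIOR, lik=LIKELIHOOD) -> list[tuple[str, float]]:
    """Rank not-yet-observed TTPs by P(TTP | observed).

    P(TTP | observed) = sum over actors of P(TTP | actor) * P(actor | observed),
    so uncertainty in attribution is carried into the prediction rather than
    committing to a single most likely actor.
    """
    post = attribute(observed, prior, lik)
    ranked = []
    for ttp in TTPS:
        if ttp in observed:
            continue
        ranked.append((ttp, sum(post[a] * lik[a][ttp] for a in post)))
    ranked.sort(key=lambda item: -item[1])
    return ranked


if __name__ == "__main__":
    # Constructed scenario: phishing and credential dumping seen so far.
    seen = {"T1566": True, "T1003": True}
    for actor, p in sorted(attribute(seen).items(), key=lambda kv: -kv[1]):
        print(f"{actor}: {p:.3f}")
    for ttp, p in predict_next(seen):
        print(f"next {ttp}: {p:.3f}")
```

With the constructed numbers, observing T1566 and T1003 attributes the activity to GroupA with about 80% posterior probability, and T1059 comes out as the most probable next technique. Marking a TTP as confirmed absent (False) is different from leaving it out: the former is evidence, the latter is missing data. A real system would also need to learn the conditionals from labelled incident data and model dependencies between techniques, which this example does not do.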
Dark Reading reports "Microsoft Uses Machine Learning to Predict Attackers' Next Steps"