Microsoft Uses Machine Learning to Predict Attackers' Next Steps

Researchers build a model to attribute attacks to specific groups based on tactics, techniques and procedures, and then figure out their next move.

Microsoft is developing ways to use machine learning to turn attackers' specific approaches to compromising targeted systems into models of behavior that can be used to automate the attribution of attacks to specific actors and predict the most likely next attack steps. 

In a research blog published earlier this month, the software giant stated it has used data collected on threat actors through its endpoint and cloud security products to train a large, probabilistic machine-learning model that can associate a series of tactics, techniques and procedures (TTPs) — the signals defenders can glean from an ongoing cyberattack — with a specific group. The model can also reverse the association: once an attack is attributed to a specific group, the machine-learning system can use its knowledge to predict the most likely next attack step that defenders will observe.
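The two directions the article describes, attribution from observed TTPs and prediction of the next step once an actor is favoured, can be sketched with a small probabilistic model. The following is an added illustration, not Microsoft's code or model: actor names, training sequences and every probability are constructed, the TTP identifiers are ATT&CK technique numbers used only as labels, and the model is a naive-Bayes attribution step feeding a posterior-weighted first-order transition table.

```python
import math
from collections import Counter, defaultdict

# Constructed training data: TTP-ID sequences observed per fictional actor.
# Actor names, sequences and all resulting probabilities are made up for illustration.
TRAINING = {
    "GROUP_A": [["T1566", "T1059", "T1053", "T1003", "T1021"],
                ["T1566", "T1059", "T1003", "T1021", "T1486"]],
    "GROUP_B": [["T1190", "T1505", "T1136", "T1078", "T1041"],
                ["T1190", "T1505", "T1078", "T1041"]],
}
VOCAB = sorted({t for seqs in TRAINING.values() for s in seqs for t in s})


def fit(training, alpha=1.0):
    """Per actor: Laplace-smoothed TTP likelihoods and raw first-order transition counts."""
    models = {}
    for actor, seqs in training.items():
        counts = Counter(t for s in seqs for t in s)
        denom = sum(counts.values()) + alpha * len(VOCAB)
        trans = defaultdict(Counter)
        for s in seqs:
            for cur, nxt in zip(s, s[1:]):
                trans[cur][nxt] += 1
        models[actor] = {"like": {t: (counts[t] + alpha) / denom for t in VOCAB},
                         "trans": trans}
    return models


def attribute(models, observed):
    """Naive-Bayes posterior over actors given the observed TTPs (uniform prior)."""
    logp = {a: sum(math.log(m["like"].get(t, 1e-9)) for t in observed)
            for a, m in models.items()}
    top = max(logp.values())                      # shift before exp to avoid underflow
    w = {a: math.exp(v - top) for a, v in logp.items()}
    z = sum(w.values())
    return {a: v / z for a, v in w.items()}


def predict_next(models, posterior, current, k=3, alpha=1.0):
    """Posterior-weighted, smoothed distribution over the TTP likely to follow `current`."""
    scores = Counter()
    for actor, m in models.items():
        row = m["trans"].get(current, Counter())
        denom = sum(row.values()) + alpha * len(VOCAB)
        for t in VOCAB:
            scores[t] += posterior[actor] * (row[t] + alpha) / denom
    return scores.most_common(k)


if __name__ == "__main__":
    models = fit(TRAINING)
    post = attribute(models, ["T1566", "T1059"])  # phishing followed by scripting observed
    print(post)
    print(predict_next(models, post, "T1059"))
```

With only two observed TTPs the posterior already favours GROUP_A, and the predicted next steps are the ones that followed T1059 in that group's history, which is the kind of early, context-giving signal the article describes; on real data the smoothing and prior would need tuning, and a low maximum posterior should be reported as "unattributed" rather than forced to a group.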

The machine-learning approach could lead to quicker response times to active threats, better attribution of attacks, and more context on ongoing attacks, says Tanmay Ganacharya, partner director for security research at Microsoft.

"It's critical to detect an attack as early as possible, determine the scope of the compromise, and predict how it will progress," he says. "How an attack proceeds depends on the attacker's goals and the set of tactics, techniques, and procedures that they utilize, [and we focus] on quickly associating observed behaviors and characteristics to threat actors and providing important insights to respond to attacks."

In the early April blog post, Microsoft described the research into machine learning and threat intelligence that uses TTPs from the MITRE ATT&CK fr ..