Using AI to Predict, Stop and Recover from the Next Ransomware Incident
Introducing Incident Prediction, an industry-first capability that can accurately predict an attacker’s next four or five moves with up to 100% confidence
- Threat actors have predictable tactics that security teams can leverage for better safety protocols.
- AI and ML provide new opportunities for security teams to integrate their learnings into more effective threat detection and disruption.
- Incident Prediction is a new, industry-first security capability that extends Broadcom’s Adaptive Protection technology.
There are many types of hackers, from highly disciplined, well-funded nation-state attackers to ransomware gang members in their teens. While the media often portrays bad actors as unpredictable and volatile, in most cases, they are actually very predictable when it comes to their TTPs (Tactics, Techniques and Procedures).
In fact, according to our recent report, Ransomware 2025: A Resilient and Persistent Threat, ransomware families may come and go, but TTPs change less frequently. Attackers have refined their toolset, relying on the TTPs that work. And since there are plenty of victims to target, if they hit a hurdle with one victim they can easily roll on to the next. Attackers only change their TTPs when they are forced to do so.
Our research has found that a large number of attackers use legitimate software, in an approach known as living off the land (LOTL), to carry out their attacks. Malware tends to be deployed sparingly and may only appear at the conclusion of an attack (such as when a ransomware payload is deployed). In addition to using predictable TTPs, the attackers’ objectives also remain consistent: access the victim’s network, obtain sufficient privileges to move laterally across that network, exfiltrate the data and deploy an encrypting payload on the maximum number of machines within the network.
By coupling this learned predictability of the attackers’ tools and objectives with the capabilities of AI, organizations can take a more granular approach to identify, mitigate and recover from cyberattacks.
Introducing Incident Prediction
Most remediation tools stop what the attacker has already done, but don’t tell you what they are going to do. Typically, organizations respond to ransomware by shutting down machines and their entire network. Such draconian shutdowns can cause costly operational disruption and reputational damage.
Today we announced Incident Prediction, an industry-first security capability that extends Adaptive Protection and enables security professionals to predict, stop and recover from incidents. This unique feature of Symantec Endpoint Security Complete leverages AI in a new way to identify and disrupt LOTL attacks, and other cyberthreats, before damage can occur. Trained on a catalog of over 500,000 attack chains built by the world-class Symantec Threat Hunting Team, Incident Prediction puts the advantage back in defenders’ hands by predicting attackers' behaviors, preventing their next move in the attack chain (even when they’re using LOTL techniques), and quickly returning the organization to its normal state.
The inspiration for Incident Prediction came from how Generative AI LLMs (Large Language Models) can “predict” the next word in a sentence when generating text in search engines, email and more. By leveraging our extensive attack chain repository and threat intelligence using advanced AI and ML, Incident Prediction can predict the next four or five moves attackers will take in a customer’s environment with up to 100% confidence, disrupt them and then automatically revert to normalcy right away.
How it works
When the Symantec Endpoint Security Complete cloud analytics detect an incident, the security analyst is alerted within the Integrated Cyber Defense Manager (ICDM) console and by email. The security analyst can then view details of the incident, including observed behaviors that triggered the incident plus the predicted attacker behaviors and their associated probabilities. This gives the analyst granular visibility into what triggered the incident and the likely next steps the attacker would take.
For example, let’s take a look at a real-world LOTL attack. Based on our analytics, an attacker is observed downloading and executing a JS file; next, wscript.exe executes the JS file and launches a PowerShell command; then PowerShell downloads a zip file over HTTP and extracts its contents to the “c:\users\public\” folder. Based on our catalog of over 500,000 attack chains, the attacker’s most likely next step is for PowerShell to execute a VBS file and attempt to steal credentials. The security analyst receives a list of the attacker’s predicted next steps, as well as the probability (by percentage, from zero to 100%) of each of them happening.
Based on the probability, the security analyst can then select the predicted behaviors to mitigate and apply them to the Adaptive Protection policy. This allows the security analyst to stop further damage by blocking the predicted malicious actions without having to shut down the entire system or network. The Adaptive Protection policy provides this fine-grained control, allowing normal business operations to continue while selectively stopping only the predicted attack behaviors. The system also creates a revert task, giving the analyst the ability to easily undo the mitigation steps if needed, after further investigation.
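The workflow described above, as an added illustration that is not Symantec’s code: a small catalog of behaviour sequences is constructed inline (stand-ins for the attack-chain repository), the observed steps are matched against it to estimate a probability for each of the next four steps, and the high-probability predictions are turned into a block set plus a revert task. The behaviour labels, the catalog and the threshold are all assumptions.

```python
from collections import Counter

# Constructed sample catalog of attack chains (not Symantec's 500,000-chain
# repository). Each chain is an ordered list of behaviour labels at the
# granularity the post describes (process + action).
CATALOG = [
    ["download_js", "wscript_exec_js", "powershell_launch", "powershell_http_download",
     "extract_to_public", "powershell_exec_vbs", "credential_theft", "lateral_movement",
     "ransomware_deploy"],
    ["download_js", "wscript_exec_js", "powershell_launch", "powershell_http_download",
     "extract_to_public", "powershell_exec_vbs", "credential_theft", "data_exfiltration",
     "ransomware_deploy"],
    ["download_js", "wscript_exec_js", "powershell_launch", "powershell_http_download",
     "extract_to_public", "schtasks_persistence", "credential_theft", "lateral_movement"],
    ["phishing_doc", "macro_exec", "powershell_launch", "powershell_http_download",
     "extract_to_public", "powershell_exec_vbs", "credential_theft"],
    ["download_js", "wscript_exec_js", "powershell_launch", "powershell_http_download",
     "extract_to_public", "powershell_exec_vbs", "credential_theft", "lateral_movement",
     "ransomware_deploy"],
]

def matching_chains(observed, catalog):
    # Yield (chain, end) for each chain containing `observed` as a contiguous
    # run; `end` is the index just after the match. Each chain counts once.
    n = len(observed)
    for chain in catalog:
        for i in range(len(chain) - n + 1):
            if chain[i:i + n] == observed:
                yield chain, i + n
                break

def predict_next(observed, catalog=CATALOG, horizon=4):
    # For each of the next `horizon` steps, return behaviour -> probability
    # (0.0-1.0) estimated from the chains that share the observed prefix.
    matches = list(matching_chains(observed, catalog))
    predictions = []
    for step in range(horizon):
        counts = Counter(chain[end + step] for chain, end in matches
                         if end + step < len(chain))
        total = sum(counts.values())
        if total == 0:  # no catalog chain extends this far: stop predicting
            break
        predictions.append({b: c / total for b, c in counts.items()})
    return predictions

def build_mitigation(predictions, threshold):
    # Behaviours at or above `threshold` go into the block policy; the revert
    # task records them so the analyst can undo the mitigation later.
    block = {b for step in predictions for b, p in step.items() if p >= threshold}
    return block, {"action": "unblock", "behaviours": sorted(block)}
```

Feeding it the post’s observed steps (the HTTP download and extraction to the public folder) yields PowerShell executing a VBS file as the most probable next step, then credential theft, with later steps predicted only as far as the matching chains extend.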
What’s next
With this granular security control, security teams now can mitigate and recover from possible ransomware, nation-state and other attacks as they happen as opposed to bringing systems down entirely to tackle the threat. In our real-world deployment of Incident Prediction, high-confidence predictions were made in 80% of the incidents.
To learn more about Incident Prediction and how it can be used to protect your organization against nation-state and ransomware groups, check out our session, “Under Siege: How APTs and Nation-States Are Coming for Everyone,” at RSAC™ 2025 Conference on Tuesday April 29, 2025, from 2:25 PM - 3:15 PM PDT.