Introduction
Patterned, predictive, and purposeful – the future of cybersecurity that Group-IB is helping envision and build.
New and evolving cyberattacks are forcing us to move away from being random and reactive in our cyber defenses. Soon, traditional defenses won’t cut anymore. The shift toward predictive analytics marks a critical change: one where cyber defense becomes intentional, intelligence-led, and always a step ahead.
But what exactly is predictive analytics in cybersecurity? And how does it power new-age defenses?
Predictive analytics in cybersecurity refers to the use of Machine Learning (ML), Artificial Intelligence (AI), User Behavior Analytics (UEBA), and statistical algorithms that are continually refined to identify patterns indicating potential attacks targeting a region, business, or industry. It hinges on:
Data Collection and Mining: Relevant sources, including network logs, system logs, external threat intelligence feeds, and user behavior and activity, are utilized to collect an extensive and infrastructure-rich volume of data. This includes both historical and real-time telemetry, which is essential for short-term threat prediction. Internal telemetry from XDR, EDR, NDR, and external telemetry from sources like Threat Intelligence (TI), Digital Risk Protection (DRP), Attack Surface Management (ASM), and Fraud Protection (FP) provide the necessary visibility. The collected data is then analyzed using clustering, classification, and correlation techniques to uncover historical patterns and anticipate future threats.
Predictions Built on Probability Models: Probability models help identify potential threats before they can escalate. Basing their findings on historical data and patterns, the models improve over time as new data is introduced through retraining. Accuracy is enhanced and limitations are mitigated through error analysis, determining the proportion of true positives among predicted positives.
Machine Learning Algorithms: Algorithms such as neural networks, including deep learning models and decision biases, are designed to recognize complex patterns and relationships in data that may not be captured through traditional methods. These algorithms are constantly revised through supervised (uses labeled data to train models) and unsupervised (identifies hidden patterns in unlabeled data) learning, continuously enhancing predictive accuracy.
Why is predictive analytics incomplete without AI?
Cyber threats don’t come with notice, so the response needs to be adaptive, real-time, and relevant. While predictive technology alone holds promise and the potential to revolutionize the threat detection and response domain, without AI, statistical and rule-based models can offer insights but remain limited in scale and depth.
It is the integration with AI that enables pattern recognition at scale, dynamic risk prioritization, continuously updated contextual insights, and faster time-to-response — all critical for staying ahead of modern threats.
Predictive AI outsmarts conventional intrusion management measures, helping identify suspicious attack patterns or network anomalies that traditional systems might not signal; however, it is not a plug-and-play solution. Instead, it is an acquired capability that evolves, with accuracy only as strong as the quality, volume, and maturity of the data and threat feeds it’s trained on, and the contextual interpretation and trainability that human experts help it develop.
Predictive AI vs expanding global attack surface
Artificial intelligence (AI) is being increasingly integrated into our processes, operations, technologies, and daily lives. However, it comes with security risks that threat actors are already exploiting on a larger scale. According to the ITRC Annual Data Breach Report, there are as many as 11 victims of malware attacks per second worldwide. This amounts to 340 million victims annually, a figure expected to grow exponentially as AI-driven malware attacks become more common.
These all introduce new and novel attack vectors and complexities that are not part of the traditional definition of an enterprise attack surface and transcend current cybersecurity capabilities.
The intriguing paradox is that while AI is creating new attack vectors and TTPs that are unprecedented, the defenses against these attacks can be made targeted, predictive, and effective by using artificial intelligence itself.
Nevertheless, the reality of fully autonomous AI-enabled attacks remains a future possibility rather than an immediate reality, as most real-world attacks today involve manual orchestration combined with AI support to enable high-impact breaches and threats. Want to see one in action?
Scenario: AI-Driven Multi-Channel Fraud Campaign Using “Cloning Infrastructure”
Phase 1: AI-Powered Identity Fabrication
Fraudsters are now able to successfully circumvent defenses by submitting AI-altered deepfakes, effectively breaching an institution’s multi-layer security approach.
The attackers obtain the victim’s ID through various illicit channels, including malware, social media, social engineering schemes, or the dark web. They manipulate the image on the ID, altering features, and use the fake photo to bypass the institution’s biometric verification systems.
Phase 2: Synthetic Account Creation
Group-IB’s Fraud Protection team assisted the Indonesian financial institution in identifying over 1,100 deepfake fraud attempts, in which AI-generated deepfake photos were used to bypass their digital KYC process for loan applications.
Phase 3: Cloning Infrastructure Activation
Our investigation revealed that many Android devices involved in deepfake fraud were highly likely to have been created using app cloning techniques. App cloning tools allow users to duplicate installed applications on their devices, allowing users to log into different accounts simultaneously
Furthermore, a detailed analysis of device attributes uncovered identical attributes among multiple Android deepfake devices, strongly indicating the use of a single physical device hosting multiple cloned instances in a virtual environment.
Phase 4: Mimicking real faces to build fake credibility
Fraudsters exploited virtual camera software to manipulate accounts’ biometric data, using pre-recorded videos to mimic real-time facial recognition during KYC processes, deceiving institutions into approving fraudulent transactions.
Think ahead: Leverage Predictive AI to have an upper hand, always
| INDUSTRY CHALLENGES | PREDICTIVE SOLUTIONS | DIRECT USE CASES OF PREDICTIVE ANALYTICS |
| Legacy SOC tools and under-trained resources cannot scale to manage a growing attack surface | Models are designed to learn and fit an organization’s technology stack through active learning and contextual awareness | – Predictive Asset Risk Scoring
– Vulnerability Prioritization by likelihood of exploitation |
| Detection and response are sluggish, with high dwell time and slew of overwhelming alerts | AI-powered platforms are revolutionizing risk management through automating threat correlation and speeding up triage | – Automated Incident Prediction & Triage
– Correlated Alerting to mitigate noise and false positives |
| Failure to foresee emerging threats and infrastructure changes | Behavioral and trend analysis of the infrastructure to identify new threats and associated Techniques and Tactics (TTs) early | – Attacker infrastructure setup detection
-Early identification of unusual domain/IP behavior – Preemptive blocking measures |
| Chasing low-risk alerts, deprioritising important ones | Predictive scoring models prioritize alerts based on risk, severity, and business impact | – Business impact-ranking
– Risk-adjusted response SLAs – Smart ticketing/escalation in SOAR systems |
| Incomprehensive view of possible business impact and exposure risk | Predictive Risk Assessment models combine technical telemetry with business context to predict breach likelihood and impact | -Threat exposure predictions
-Threat risk heatmaps (e.g., Top 10 risks, TTs, etc) for C-level Planning -Proactive controls based on risk forecasts |
The scope is massive, but here’s why current predictive capabilities will lead you nowhere, if…
You depend on it as a sure-shot foresight rather than a probability
Can you really predict the kind of attack you’ll face this month — and from whom?
Predictive analytics isn’t premonitions or certainty. It doesn’t offer a sure-shot statement about the exact threat you’ll face. Instead, it’s about narrowing down likelihoods based on behavioral trends, infrastructure shifts, and threat actor patterns.
While predictive analytics is a powerful tool for proactive threat management, it should not be viewed as a guarantee. Its true value lies in enabling actionable threat prioritization, risk-informed decision-making, and adaptive defenses that evolve with the threat landscape.
You do not prioritize business context in predictions
Some might argue that predictive analytics often lacks industry, region, or infrastructure-specific insights. Most predictive tools rely on generalized threat intelligence feeds or open-source indicators. They might say:
“We’re seeing a rise in phishing campaigns targeting cloud accounts.”
But they don’t say:
“As a regional fintech company using Azure, you are likely to be targeted with a credential phishing campaign similar to one used in Southeast Asia last quarter.”
Predictive analytics, with the help of AI, is moving towards tailored and real-time recommendations based on your unique risk profile, infrastructure, and attack surface.
For example, Group-IB Threat Intelligence provides contextual, actionable insights by mapping threat actor TTPs, sector-specific threat feeds, regional IOCs and dark web, social media, dark web chatter, and infrastructure telemetry.
Instead of generic alerts like “deepfake attacks are rising,” it delivers tailored intelligence such as:
“A [threat actor] is using AI-generated deepfake videos to impersonate executives in social engineering campaigns targeting fintech organizations in Southeast Asia. Your infrastructure and employee roles show similar exposure.”
This level of specificity helps organizations prioritize response, close vulnerable entry points, and improve teams’ response against precise attack methods.
AI-driven cross-correlation is added to deliver campaign-specific warnings before attacks unfold. Example: detecting similar phishing kits used in Southeast Asia, now being registered in your region.
You look at predictions as just noise.
Can you predict the specific cyber threats your organization faces, such as anticipating a DDoS attack, an attempt to phish Azure credentials, or a brute-force attack aiming to gain initial access to your network?
You may wonder if these predictions will be useful for you. Can you trust such predictions? What key elements would make these predictions actionable and valuable for your organization?
A lot of tools today offer predictive “trends” like:
“Ransomware will target healthcare more in Q3.”
While helpful for board-level awareness, high-level predictions rarely translate into actionable defense steps unless correlated with internal telemetry — exposed assets, misconfigurations, or past behaviors — turning noise into tailored early warnings.
These need to be enriched with TTPs, infrastructure, and timelines.
Real predictive models flag emerging infrastructure (domains, IPs, malware variants) before they’re used in active campaigns.
They associate those assets with known TTPs, which are mapped to MITRE ATT&CK, and give a risk score and timeframe of it being active. That level of intelligence helps security teams prioritize defenses, simulate attack paths, or patch at-risk assets before the attack.
You don’t take predictions with a grain of salt human intelligence.
AI can cue, but we need human layer analysis to confirm. The predictive models aren’t built to know what’s important — humans still have to tell them. That means AI isn’t fully autonomous in this space; it needs validation and guidance.
Data without contextual prioritization, such as business-critical assets, threat actor intent, or industry relevance, produces alerts that overwhelm or mislead defenders. Too often, predictive analytics skips this human intelligence layer.
Predictive intelligence must evolve beyond macro threat forecasting into business-specific early warning systems, especially when powered by a blend of AI, contextual enrichment, and human expertise.
Reinforce the human-in-the-loop model: AI does the heavy lifting, but analysts interpret, validate, and act — especially when the decisions have high operational or financial stakes.
Group-IB’s stance: Many predictive tools over-promise and under-deliver due to poor data quality. Group-IB’s intelligence is backed by human analysts, real campaign telemetry, and threat actor profiling — not just machine learning guesses.
Real cases where AI + human predictive insights help indicate and mitigate attacks
Predicting cyber incidents isn’t as straightforward as one may think. It doesn’t mean stating, “Hey, your company is most likely to be attacked using XYZ on [date],” but rather matching live infrastructure with a cluster of behaviors attributed to the threat actor, dark web chatter, historical TTPs, and tracking how threat tools evolve. This translates into actionable, targeted alerts—often weeks before an attack surfaces.
While the predictive capabilities of tomorrow seem promising — helping not just anticipate incidents predicated on data, but also the chain of activities taken by threat actors to initiate and materialize the attack—predictive intelligence is already a powerful and essential capability.
It is evolving from macro threat forecasting to business-specific early warning systems, especially when powered by AI, contextual enrichment, and human analysis.
At Group-IB, we build intelligence-informed defense through the synergy of the three, which we believe acts now as the preface to building complete predictive capabilities in the future.
It helps us identify potential threats and respond to them in real-time through automation, correlating historical TTPs, infrastructure, and exploit usage to forecast targets and alert authorities, regions, and clients before they can be attacked.
See it in action
Case 1: Attributing threat actors through semantic and NLP analysis in underground forums
What Group-IB tracked:
After scraping large datasets from the dark web and underground forums, Group-IB analysts applied Natural Language Processing (NLP) and semantic analysis to find overlaps or repetitions in certain phrases, grammar, and sentence syntaxes linked to specific threat actors.
These linguistic signatures helped recognize adversaries and their movements — names and aliases, which threat activity they gravitate towards (exploits, ransomware, or RaaS, data leaks, IABs), brand/platform references, victims, etc.
What it indicated:
These patterns allowed analysts to track multiple accounts across forums and attribute them to one threat actor or group (e.g., ShinyHunters), even when the accounts were designed to appear unrelated on the surface.
How Group-IB concluded:
Using machine learning models trained on historical underground forum data and writing styles, Group-IB:
- Linked linguistic similarities to previously tracked threat actors
- Cross-referenced with known attack timelines
- Identified cryptocurrency wallets and Telegram handles previously mentioned and reused in posts across platforms.
Outcome: By uncovering the threat actor activity on underground forums through dark web monitoring, we were able to profile the actor and attribute cyber threats before they escalated, and also provide informed response and aid to impacted parties.
Case 2: Behavioural Analysis to the recuse: Identifying “Card Testing Attacks”
What was tracked: Group-IB’s Fraud Protection solution continuously monitors user behavior across payment authorization and authentication environments.
Group-IB analysts observed unusual spikes in Three-Domain Secure (3DS) channel transactions across several banking clients. These spikes were concentrated around two specific e-ticket merchants—Taiwan High Speed Rail Corporation and CHAT.VERSAILLES — raising concerns of card details leakage, potential card testing, and bot-driven fraudulent attempts.
What it indicated:
These anomalies were early signs of card testing campaigns, where attackers use automated bots to validate stolen credit card numbers before launching large-scale fraud or selling validated data on dark markets.
How Group-IB concluded:
Using real-time AI models trained on known card testing behavior, the system:
- Flagged the pattern of test charges and velocity anomalies.
- Correlate these with toolkit behaviors (e.g., fraud scripts) seen in previous campaigns.
- Identified coordinated activity across multiple merchant platforms and user agents.
Outcome: Attacks were stopped at the verification stage, preventing fraud. Fraud teams were notified instantly, and additional anti-fraud rules were enabled to stop repeat behavior.
Case 3: SIM Swapping Pattern Detection and Infrastructure Takedown
What was tracked:
Group-IB analysts detected a network of phishing domains impersonating well-known insurance providers. These sites:
- Harvested sensitive data like phone numbers, OTPs, and national IDs
- They were hosted on infrastructure previously linked to SIM swap fraud
- They were spread through social engineering schemes and smishing (SMS phishing) campaigns
What it indicated:
The infrastructure, techniques, and tactics all pointed towards a planned SIM swap campaign where attackers gather and then use victims’ personal information to convince telco services to perform SIM replacements and then intercept 2FA codes to take over victims’ banking or crypto accounts.
How Group-IB concluded:
- Correlated phishing kits, domain registrants, and infrastructure with earlier SIM fraud campaigns in the region
- Identified new users associated with existing accounts
- Identified targeting logic and data used through script assets
Outcome
The wide-scale phishing campaigns were taken down before they became live due to preemptive threat analysis. We were also able to issue a warning to he company of the potential fraud scenario so they could respond early and inform their at-risk customers before their SIMs could be hijacked.
Persistently witnessing the rise in SIM-swap, ATOs, and other risks around user authentication and transaction authorization processes, Group-IB has built a new feature, “BioConfirm,” which enables organizations to prevent fraud related to high-risk transactions through token-based, real-time user authentication.
Implementing predictive analytics as a part of your defense strategy: Where to start?
Today’s security teams are expected to move beyond detection and into proactive prevention.
This shift demands a strategic, continuous approach — one that turns raw data into predictive insight.
However, everyone wants to immediately jump to advanced analytics and ML (the predictive side of the maturity curve) because of the competitive edge it provides, the high-ROI yields it promises, or simply because it’s an enticing technology attracting investor interest.
But in practice, most organizations are likely to fail to gain any real benefit. Why? Data.
The foundations are often non-agreed-upon, unclear, with a lack of data to support the capability, low accuracy/confidence in the data, no unified data model, or a lack of ownership and governance.
The problem of “not enough data” for better situation awareness can likely be solved with external Threat Intelligence providers (eg, Group-IB Threat Intelligence platform) offering automated, real-time intelligence from the widest, relevant sources, correlated TTPs, threat actor profiles, and IOCs that an internal team may find hard to capture and detect.
The predictive signals are built with industry/region-wide threat awareness through our TI platform and Digital Crime Resistance Centers (DCRCs) across regions, which support our threat-hunting capabilities.
Also, our AI-human collaboration model is truly a powerful pact, essential in solving issues like low confidence in data, false positives, or errors in early AI models, and contextual understanding.
AI’s forte is scale and the speed of insights, while human experts deduce them, validate insights, flag anomalies, and feed corrections back into the system. This ensures the AI continuously learns and improves.
Key Tools for Implementing Predictive Analytics in Cybersecurity
AI-Driven Network Management Solutions: Solutions that utilize machine learning to analyze infrastructure-level data and identify anomalies early.
Real-Time, Infrastructure-Wide Data Influx: Accurate predictive modeling relies on continuous analysis of network traffic, application performance, endpoint behavior, user behavior, and external threat signals (e.g., phishing infrastructure, dark web chatter), etc.
Threat Intelligence Integration: Raw data from endpoints, networks, and users must be contextualized using a threat intelligence platform to provide actionable insights. This enables the mapping of suspicious activity to threat actor TTPs (e.g., via MITRE ATT&CK or Group-IB actor profiling) and prioritization based on severity, likelihood, and business impact.
Enriched Context and Feedback Loop Through Human Analysis: Human analysts complete the loop by validating AI detections, enriching models with feedback, and refining the system’s accuracy.
Important to note:
Not all predictions are equal: Some insights are too vague, while others may offer actionable foresight if the confidence score is high. Here comes the importance of confidence metrics and thresholds in AI-driven predictive models to avoid alert fatigue or misallocation of resources.
Predictive technologies need organizational readiness: Without clear processes, trained teams, and response mechanisms, even good predictive systems can confuse or lead to false decisions.
Predictive Intelligence is the future – but only if used right: While predictive analytics offers promising avenues for preempting cyber threats, its efficacy largely depends on the quality of data, the confidence in predictions, and the integration of human expertise to interpret and act upon these insights. You can use this to argue that technology alone doesn’t solve the problem – preparedness and operational integration are crucial for success.
Enable its value as a strategic, not just technical, tool:Predictive analytics must be advanced by AI, grounded in human expertise, and aligned with real-world threats.
Group-IB’s Predictive Advantage
At Group-IB, we’re constantly evolving our predictive intelligence capabilities to catalyze proactive cybersecurity. Our strength lies in an extensive threat data lake, deep regional and industry research, and the synergy between our technologies. This enables predictive monitoring and action that go beyond endpoints and internal networks to include:
- External digital signals as early indicators—these lie outside the perimeter, especially when tied to fraud or credential theft. We monitor data points such as domain registration behavior and SIM swap patterns to anticipate campaigns.
- Real-time mapping of threat actor TTPs to detect and disrupt emerging threats.
- Behavior-based alerting to act on early signals of credential theft, social engineering scams, or fraud attempts. (See: Fraud Protection)
- Predictive analytics that aren’t just retrospective analysis, complementing historical analysis (“what happened?”) with forward-looking insights, helps stay ahead of adversaries who operate in real-time.
- Automated first response, tailored to each organization’s risk profile and unique vulnerabilities.
This ecosystem is powered by our global threat hunting operations, regional Digital Crime Response Centers (DCRCs), and continuous enrichment of our threat data lake, ensuring our models adapt to ever-evolving threats.
By infusing Threat Intelligence and Fraud Intelligence, Group-IB delivers insights against blended attacks (increasingly being used by threat actors), cybercrime and financial crime vectors, empowering organizations to prevent breaches and fraud before they occur.
Predict. Prevent. Protect with Group-IB Threat Intelligence
Comprehensive Intelligence Collection
- Diverse Sources: Aggregates data from open sources, dark web forums, paste sites, and proprietary research.
- Real-Time Insights: Delivers continuously updated threat intelligence for timely awareness.
AI-Powered Analysis
- AI Assistant: Uses natural language processing to provide context-rich intelligence that enhances analyst decision-making.
- Automated Threat Hunting: Detects and prioritizes high-impact threats with minimal manual input.
- Interactive Mapping: Reveals connections between threat actors, infrastructure, and attack patterns.
- Infrastructure Analysis: Identifies hidden links and helps assess the broader threat landscape.
Seamless Integration
- API-Friendly: Easily integrates with SIEM, SOAR, TIP, and other security tools.
- Automated Workflows: Enables real-time threat detection and response through intelligent automation.
- Pre-Fraud Indicators: Detects early warning signs of fraud to minimize financial and reputational loss.
- Comprehensive Protection: Covers a wide range of fraud techniques across digital touchpoints.
Also, learn more about our future-driven growth and cybersecurity ethos: “Built to Predict, Wired for Autonomy, Powered by AI.”
