Extensive intel and expert analysis make our Threat Hunters a key component in protecting organizations from today’s critical threats
Analysis Summary
# Threat Actor: Symantec and Carbon Black Threat Hunters (Internal Security Research Group)
## Attribution & Identity
This entity is not a threat actor but rather an **internal threat intelligence and research group** within Broadcom, formed from the Symantec Attack Investigation Team (AIT) founded in 2011.
**Aliases and Associated Groups:**
* Symantec Attack Investigation Team (AIT) (Predecessor)
* Threat Hunters (Current designation)
* Composed of three core teams: Threat Hunting and Research, Security Intelligence and Analytics, and Threat Intelligence Content.
## Activity Summary
The Threat Hunters' primary function is to investigate sophisticated cyber threats, refine Symantec and Carbon Black protection technologies, and share actionable threat intelligence.
* **Catalyst:** Formed in response to sophisticated threats, exemplified by the 2010 discovery of the Stuxnet Trojan targeting the Iranian nuclear program.
* **Core Task:** Tracking known espionage actors and major cybercrime organizations, discovering new campaigns, tactics, techniques, and malware.
* **Recent Development:** Integration of Carbon Black telemetry data to enhance visibility and detection across their research.
* **Key Output:** Development of the AI-powered **Incident Prediction** feature, trained on a catalog of over 500,000 real-world attack chains.
## Tactics, Techniques & Procedures
The article focuses on the group's *research* into TTPs rather than detailing specific TTPs used by an adversary.
- **Investigation:** Investigating incidents on customer networks to identify previously unknown tools and techniques.
- **AI Analytics:** Developing AI-based analytics (e.g., Cloud Analytics) trained on investigation findings to automatically identify malicious behavior.
- **Attack Chain Mapping:** Building detailed catalogs of real-world attack chains (over 500,000 documented cases).
- **Prediction:** Utilizing AI to predict the attacker's next four to five moves with high confidence.
- **Evasion Tactics (Observed):** Adversary techniques observed by the team include the ability to "burrow deep into a target’s network and exfiltrate data without raising suspicions."
## Targeting
In this context, "targeting" refers to the organizations whose incidents the Threat Hunters investigate in order to improve product efficacy, not to adversary targeting.
- **Sectors:** Targeting involves organizations suffering from sophisticated cyber espionage and major cybercrime intrusions (General targeting scope of advanced persistent threats).
- **Geography:** Not specified; implied to be global, given the customer base and the historical Stuxnet reference (Iran).
- **Victims:** Customers experiencing *potentially critical attacks*; TTPs are derived from incidents on customer networks.
## Tools & Infrastructure
The summary details the internal tools developed by the group for analysis and defense improvement, not adversary infrastructure.
- **Malware Families Used (Observed):** Stuxnet Trojan (historical point of reference).
- **Infrastructure (Internal Tools):**
  - Incident Prediction (AI feature)
  - Cloud Analytics
  - Symantec and Carbon Black product telemetry/EDR data
## Implications
The existence and continual evolution of the Threat Hunters—especially with the integration of AI and Carbon Black telemetry—signify an increased focus on proactive, predictive defense capabilities against advanced, espionage-level threats. Their findings drive high-confidence defensive actions for Broadcom customers.
## Mitigations
Mitigations stem from the group's defensive innovations:
- Utilize the AI-powered **Incident Prediction** capability to anticipate and mitigate future attacker actions.
- Implement **Adaptive Protection policies** based on predicted behaviors identified by the Threat Hunters’ analysis.
- Enhance detection capabilities using unified telemetry, particularly leveraging Carbon Black EDR data.