Also, you can find my book on building an application security program on Amazon or Manning
The term "fog of war" is attributed to the 19th-century Prussian military strategist Carl von Clausewitz. Although he never uses the phrase “fog of war” in “On War”, he introduced the idea of the uncertainty and confusion that commanders face on the battlefield.
“The great uncertainty of all data in war is a peculiar difficulty, because all action must, to a certain extent, be planned in a mere twilight, which in addition not infrequently—like the effect of a fog or moonshine—gives to things exaggerated dimensions and unnatural appearance.”
According to Clausewitz, in war, information is often fragmentary, contradictory, or outright false, and commanders must make critical decisions with incomplete knowledge about the enemy's strengths, positions, and intentions, as well as the condition of their own forces.
And when you have this lack of clarity, mistakes happen, and the outcome can be uncertain.
The cybersecurity fog
This fog extends to cybersecurity as well. If you’ve ever been involved in an incident response, you’ll know that the information moves quickly and it’s not always evident what the issue is and what the appropriate response should be.
“Everyone has a plan until they get hit.” – Mike Tyson
While a strong incident response plan can help lift some of this fog, teams are often left to think on their feet considering that cyber incidents are often unpredictable and opaque in nature. Just as military leaders grapple with limited and unreliable information, cybersecurity professionals must contend with:
Advanced Persistent Threats (APTs): Attackers who can stealthily infiltrate networks and remain undetected for extended periods.
Zero-Day Exploits: Vulnerabilities that are unknown to vendors and have no immediate fix, leaving defenders blindsided.
Sophisticated Evasion Techniques: Methods like polymorphic malware, fileless attacks, and encrypted command-and-control channels that obscure malicious activities.
These factors create a fog that challenges even a well-equipped team to detect intrusions, assess the scope of a breach, and respond effectively. The bottom line is that it casts uncertainty over the security team's operations, leaving them to work without a complete picture of the threats targeting their organization. Attackers actively employ stealthy tactics to create this fog: encryption, obfuscation, and zero-day exploits conceal their activities, making it hard to detect an attack and understand its full scope.
Imagine your network starts showing signs of something unusual: erratic spikes in outbound traffic, failed login attempts from odd locations, or systems behaving out of character. But perhaps your logs and monitoring tools aren't painting a clear picture, and your team is forced to make decisions with incomplete information. Balancing the need to act swiftly against the risk of misjudging the situation can be costly when time is of the essence and attacks unfold at the speed of technology.
To cut through this fog, cybersecurity teams rely on several strategies:
Situational Awareness: Maintaining a real-time understanding of the network environment. Tools like Security Information and Event Management (SIEM) systems aggregate and analyze log data from across the network to identify anomalies.
Threat Intelligence: Leveraging information about known threats helps anticipate attacker behavior. Sharing intelligence across organizations can provide insights into the tactics, techniques, and procedures (TTPs) used by adversaries.
Incident Response Planning: Developing and rehearsing response plans ensures that when uncertainty strikes, there's a structured approach to handle it. Regular drills and simulations can prepare teams to make swift decisions despite limited information.
Anomaly Detection with Machine Learning: Advanced algorithms can identify patterns and deviations that might be invisible to the human eye. By learning what's "normal" for a network, these systems can flag subtle irregularities that suggest malicious activity.
Let’s dive into each of those next.
Situational Awareness
You may have heard the term situational awareness used before. In the real world this is the concept that you are aware of your surroundings and are able to respond to, or remove yourself from, danger if needed. For example, if you are walking through a dark parking lot at night, you may quicken your pace to the car or look around to see who or what is sharing the parking lot with you.
In cybersecurity, situational awareness is achieved through visibility of the organization’s resources and assets. In most organizations this is accomplished through a Security Operations Center (SOC), where security issues are tracked and managed by a dedicated team that provides 24/7 coverage. In some cases these teams are completely outsourced, or a combination of internal and external resources. The SOC team can specialize in incident response and security analysis as well as threat hunting.
The organization maintains visibility and awareness using tools such as a SIEM (security information and event management), IDS/IPS (intrusion detection/prevention systems), EPP (endpoint protection), and scanning tools. Each of these tools, combined with asset management and discovery, provides valuable information to the SOC team so that it can make informed decisions about an active attack and its risk to the organization.
However, sifting through the noise to get to a signal can be a challenge when a multitude of tools and data points are in use, each beaconing back to the SOC and potentially overloading it with information. An average SOC can receive hundreds or even thousands of alerts on a daily basis, many of which are false alerts. This is where a well-designed SOC focuses its efforts on processes that provide actionable insight, cut down on the noise, and allow personnel to concentrate on what matters in the moment. In any cybersecurity event, time is of the essence.
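To make the noise-reduction point concrete, here is an added example (not code from the original post) of the kind of correlation a SIEM rule performs: raw authentication events are collapsed into at most one alert per source address, vetted scanners are suppressed, and the alert is raised in severity when the burst touches several accounts or is followed by a successful login. The log lines, the scanner allowlist and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sshd-style log lines (not captured from any real system).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z sshd[1201]: Failed password for alice from 203.0.113.7 port 52211 ssh2
2024-05-01T10:00:03Z sshd[1201]: Failed password for alice from 203.0.113.7 port 52212 ssh2
2024-05-01T10:00:04Z sshd[1201]: Failed password for bob from 203.0.113.7 port 52213 ssh2
2024-05-01T10:00:05Z sshd[1201]: Failed password for carol from 203.0.113.7 port 52214 ssh2
2024-05-01T10:00:07Z sshd[1201]: Failed password for dave from 203.0.113.7 port 52215 ssh2
2024-05-01T10:00:09Z sshd[1201]: Accepted password for dave from 203.0.113.7 port 52216 ssh2
2024-05-01T10:01:00Z sshd[1202]: Failed password for erin from 198.51.100.4 port 40001 ssh2
2024-05-01T10:30:00Z sshd[1203]: Failed password for erin from 198.51.100.4 port 40002 ssh2
2024-05-01T10:02:00Z sshd[1204]: Failed password for svc from 192.0.2.9 port 33001 ssh2
2024-05-01T10:02:01Z sshd[1204]: Failed password for svc from 192.0.2.9 port 33002 ssh2
2024-05-01T10:02:02Z sshd[1204]: Failed password for svc from 192.0.2.9 port 33003 ssh2
2024-05-01T10:02:03Z sshd[1204]: Failed password for svc from 192.0.2.9 port 33004 ssh2
"""

# Hypothetical allowlist of sources the SOC has already vetted (for example an
# internal vulnerability scanner); their events are kept but never alerted on.
KNOWN_SCANNERS = {"192.0.2.9"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Turn one raw log line into a structured event, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def correlate(lines, window=timedelta(minutes=5), threshold=4):
    """Collapse raw auth events into at most one alert per source address.

    An alert fires when a source produces `threshold` or more failures inside
    `window`. It is rated 'high' when the burst spans several accounts (a
    spraying pattern) or is followed by a successful login from the same source.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        if ip in KNOWN_SCANNERS:
            continue
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]
        # Sliding window over failure timestamps: keep the densest burst seen.
        best, start = [], 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = failures[start:end + 1]
        if len(best) < threshold:
            continue
        burst_end = best[-1]["ts"]
        users = sorted({e["user"] for e in best})
        success_after = any(e["outcome"] == "Accepted" and e["ts"] >= burst_end for e in evs)
        severity = "high" if (len(users) >= 3 or success_after) else "medium"
        alerts.append({
            "ip": ip,
            "failures": len(best),
            "users": users,
            "success_after_burst": success_after,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Twelve raw events become a single high-severity alert for 203.0.113.7; the two failures from 198.51.100.4 are half an hour apart and never reach the threshold, and the vetted scanner is suppressed entirely. That is the difference between an analyst seeing twelve lines and seeing one prioritized item.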
Threat Intelligence
Rather than simply reacting to security incidents as they occur, organizations can leverage threat intelligence to anticipate and prevent attacks by understanding the specific tactics, techniques, and procedures that threat actors commonly employ. Organizations leverage threat intelligence as a critical tool in their cybersecurity arsenal, much like having an early warning system for potential threats. I’ve written about "The more you know" in a previous release which highlighted how knowledge sharing plays a vital role in helping organizations face common adversaries.
Threat intelligence comes in three distinct flavors that serve different purposes within an organization. Strategic threat intelligence helps executives understand broader trends and make informed decisions about security investments. Tactical intelligence focuses on the specific techniques attackers use, helping security teams strengthen their defenses against known attack patterns. Operational intelligence provides real-time information that security teams can act on immediately to detect and respond to active threats.
The real power of threat intelligence emerges through collaboration. Organizations can participate in Information Sharing and Analysis Centers (ISACs) specific to their industry or broader Information Sharing and Analysis Organizations (ISAOs) that span multiple sectors. This collaborative approach means that when one organization encounters a new threat, others can learn from that experience and better prepare their defenses. This sharing ecosystem includes valuable resources like CISA's Known Exploited Vulnerabilities (KEV) catalog, which helps organizations prioritize which vulnerabilities need immediate attention among the thousands that emerge each year.
With threat intelligence in hand, security teams can better understand not just what attacks might occur, but why they might be targeted and who might be behind them. This contextual understanding helps organizations make smarter decisions about where to focus their security efforts, ensuring that limited resources are deployed where they'll have the greatest impact. This is felt most acutely in vulnerability management, where having the right context regarding possible attacks can reduce the churn and wasted effort spent on inconsequential vulnerabilities. By analyzing indicators of compromise (IOCs) and other threat data, organizations can spot potential attacks in their early stages, significantly reducing the time and resources needed for incident response.
One of the most practical applications of threat intelligence is in vulnerability management. Rather than trying to address every possible security weakness, organizations can prioritize fixing vulnerabilities that are actively being exploited "in the wild." This targeted approach extends beyond an organization's own systems to include monitoring risks associated with third-party vendors and supply chain partners, an increasingly crucial consideration as many modern attacks exploit these relationships.
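The prioritization described in the last two paragraphs can be expressed as a small scoring routine. The example below is added here and is not code from the original post: it folds a KEV-shaped catalog, asset exposure and third-party origin into a single ranking so that a moderately scored but actively exploited flaw outranks a critical-looking one that nobody is exploiting. The catalog excerpt uses the field names of CISA's KEV JSON feed as an assumption about its shape; the entries, the CVE identifiers (placeholders, not real CVEs), the findings and the weights are all constructed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. The field names
# follow the real feed; the entries and CVE IDs are placeholders, not real CVEs.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
   "dateAdded": "2024-04-10", "dueDate": "2024-05-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Agent",
   "dateAdded": "2024-04-20", "dueDate": "2024-05-11", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner findings for the organization's own and third-party assets.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "vpn-gw-01", "cvss": 7.2, "internet_facing": True, "third_party": False},
    {"cve": "CVE-0000-0002", "asset": "db-02", "cvss": 9.8, "internet_facing": False, "third_party": False},
    {"cve": "CVE-0000-0003", "asset": "vendor-agent", "cvss": 6.5, "internet_facing": False, "third_party": True},
    {"cve": "CVE-0000-0004", "asset": "intranet-wiki", "cvss": 5.3, "internet_facing": False, "third_party": False},
]

# Hypothetical weights; a real program would tune these to its own risk appetite.
W_KEV, W_RANSOMWARE, W_OVERDUE, W_EXPOSED, W_THIRD_PARTY = 5.0, 2.0, 1.0, 2.0, 1.0


def load_kev(feed):
    """Index the feed by CVE ID for constant-time lookups."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def score_finding(finding, kev, today):
    """Start from CVSS and add context: exploitation in the wild, ransomware use,
    a missed KEV due date, internet exposure and supply-chain origin."""
    score, reasons = finding["cvss"], []
    entry = kev.get(finding["cve"])
    if entry:
        score += W_KEV
        reasons.append("listed in KEV (exploited in the wild)")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += W_RANSOMWARE
            reasons.append("used in ransomware campaigns")
        if date.fromisoformat(entry["dueDate"]) < today:
            score += W_OVERDUE
            reasons.append("past KEV due date")
    if finding["internet_facing"]:
        score += W_EXPOSED
        reasons.append("internet-facing asset")
    if finding["third_party"]:
        score += W_THIRD_PARTY
        reasons.append("third-party / supply-chain component")
    return round(score, 1), reasons


def prioritize(findings, feed, today):
    """Return findings ordered from most to least urgent, with the reasons attached."""
    kev = load_kev(feed)
    ranked = []
    for f in findings:
        score, reasons = score_finding(f, kev, today)
        ranked.append({"cve": f["cve"], "asset": f["asset"], "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, KEV_FEED, date(2024, 5, 15)):
        print(f'{row["score"]:5.1f}  {row["cve"]}  {row["asset"]}  {"; ".join(row["reasons"])}')
```

Run against the constructed data, the CVSS 9.8 database finding drops to third place behind two lower-scored but actively exploited issues, one of them on a third-party component. The point is not the particular weights but that intelligence, not raw severity, drives the queue.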
Incident Response Planning
Incident response planning serves as an organization's playbook for managing cybersecurity crises, providing structure and clarity during moments of chaos. You’ll want these plans well described and vetted long before you need them; the worst time to test your plan is during an incident. Think of it like a fire evacuation plan. You hope you'll never need it, but when smoke appears, you'll be ready to act. A well-crafted incident response plan should outline the actionable steps needed to respond to, contain, and recover from an incident.
As I mentioned, having a plan is just the first step. Regularly testing the plan is the key to effective incident response. The plan can be tested through drills and simulations, and these practice sessions help teams identify gaps in their response procedures and build muscle memory for making critical decisions.
Some common methods of testing a plan are:
Tabletop Exercises: These are discussion-based sessions where team members walk through various incident scenarios to understand their roles and responsibilities and practice their responses.
Simulated Attacks: Realistic simulations of cyberattacks can be conducted to test the team's response capabilities and identify areas for improvement.
Drills: Regular drills can be performed to ensure that all team members are familiar with the incident response plan and can execute it effectively under pressure.
After-Action Reviews: Following an exercise or a real incident, teams review what went well and what didn’t and update the incident response plan accordingly.
Training Programs: Continuous training programs are conducted to keep the team updated on the latest threats and response techniques.
Like athletes who practice game scenarios, security teams that regularly rehearse their incident response plans can act decisively even when facing never-before-seen threats or working with incomplete information.
Regular testing also helps break down silos between different departments, fostering collaboration between technical teams, communications staff, legal counsel, and executive leadership. When a real incident occurs, these teams need to work together seamlessly, and practice sessions create the shared understanding and trust necessary for effective crisis management. Of course, this assumes that your testing includes all the relevant departments. The best incident response plans mature based on lessons learned during these exercises and changes in the threat surface of the organization. Maturity allows for continuous improvement of the organization's ability to handle whatever security challenges may arise.
Anomaly Detection with Machine Learning
ML (machine learning) is not new. In fact, it has been used in security for many years, as a force multiplier for anomaly detection that enables organizations to identify and respond to threats more quickly and accurately. These ML tools analyze vast amounts of data in real time and use algorithms to spot subtle deviations from normal behavior patterns that might indicate a security incident, often much faster than a human can and at larger scale. And scale is needed when data is coming from thousands of endpoints.
ML can also be integrated into incident response in several ways. First, it can dramatically improve the signal-to-noise ratio by reducing false positives through contextual analysis and pattern recognition. Where traditional monitoring tools might flood the SOC with alerts, ML systems can consider multiple data points to determine which anomalies truly warrant attention. This more nuanced approach to threat detection helps prevent alert fatigue and ensures that security teams can focus their energy on genuine threats.
Within incident response, ML-powered anomaly detection plays several crucial roles:
Automated Triage: ML systems can automatically categorize and prioritize potential incidents based on their severity and likelihood, helping security teams focus their attention on the most critical threats. For example, the system might flag unusual login patterns that suggest credential stuffing or identify data exfiltration attempts hidden within normal traffic.
Pattern Recognition: ML algorithms can discover correlations across multiple data sources, potentially linking seemingly unrelated events into a coherent picture of an ongoing attack. This capability is particularly valuable in detecting sophisticated attacks that unfold across different systems and timeframes.
Response Automation: When integrated with security orchestration tools, ML-based anomaly detection can trigger automated response actions, based on established runbooks, for well-understood threats while escalating unusual or high-risk situations to a SOC analyst. This allows for rapid and automated responses to low-risk items, while ensuring the higher risk scenarios receive appropriate human attention.
ML systems also bring predictive capabilities to incident response. By analyzing historical data and identifying trends, these systems can potentially anticipate security issues before they occur. This proactive capability, combined with dynamic response mechanisms that adapt to evolving attack patterns, creates a stronger security posture. Lastly, after an incident occurs, ML tools provide valuable support for post-incident analysis, helping teams understand root causes and implement preventive measures for the future.
It's important to note that while ML-powered anomaly detection is a powerful tool, it’s not a replacement for hands-on-keyboard human analysts. It works best as part of an overall incident response strategy that includes human expertise, well-defined processes, and regular testing and refinement of detection models.
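Two ideas from this section, learning what is "normal" for each host and then triaging deviations into automated versus analyst-handled paths, are illustrated in the added example below. It is not code from the original post and uses no ML library: a per-host baseline built from the median and median absolute deviation (MAD) of outbound volume stands in for the learned model, and a robust z-score drives the triage decision. The history is generated deterministically in place, and the host names, criticality map and thresholds are constructed for the example.

```python
import random
import statistics

# Constructed training data: 14 days of hourly outbound megabytes per host,
# generated deterministically so the example runs offline. In practice these
# values would be pulled from a SIEM or flow-telemetry store.
def make_history(seed, mean, spread, n=14 * 24):
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(mean, spread)) for _ in range(n)]

HISTORY = {
    "ws-alice": make_history(1, mean=40.0, spread=8.0),      # ordinary workstation
    "backup-01": make_history(2, mean=2000.0, spread=300.0), # nightly backup host
    "web-03": make_history(3, mean=400.0, spread=60.0),      # public web server
}

# Hypothetical asset criticality, the context that turns a score into a decision.
CRITICALITY = {"ws-alice": "low", "backup-01": "high", "web-03": "high"}


class RobustBaseline:
    """Per-host model of 'normal' outbound volume. Median and MAD are used instead
    of mean and standard deviation because a few past spikes in the training
    window would otherwise inflate the baseline and hide the next one."""

    def __init__(self, history):
        self.params = {}
        for host, values in history.items():
            med = statistics.median(values)
            mad = statistics.median(abs(v - med) for v in values)
            # A perfectly flat history would give MAD = 0; floor it so scoring
            # never divides by zero and any change is still flagged.
            self.params[host] = (med, max(mad, 1e-6))

    def score(self, host, value):
        """Robust z-score. The 0.6745 factor rescales MAD so the score is
        comparable to a classic standard-deviation z-score."""
        med, mad = self.params[host]
        return 0.6745 * (value - med) / mad


def triage(model, host, value, warn=3.5, severe=8.0):
    """Map an observation to a triage decision:
    below `warn`            -> nothing to do;
    moderate, low-crit host -> run the established runbook automatically;
    severe or high-crit host -> escalate to a SOC analyst."""
    z = model.score(host, value)
    result = {"host": host, "value": value, "z": round(z, 2)}
    if z < warn:
        result.update(severity="none", action="no_action")
    elif z >= severe or CRITICALITY.get(host) == "high":
        result.update(severity="high", action="escalate_to_analyst")
    else:
        result.update(severity="medium", action="auto_runbook")
    return result


if __name__ == "__main__":
    model = RobustBaseline(HISTORY)
    # Constructed "current hour" observations to score against the baseline.
    for host, mb in [("ws-alice", 45.0), ("ws-alice", 80.0), ("ws-alice", 600.0),
                     ("backup-01", 2400.0), ("web-03", 700.0)]:
        print(triage(model, host, mb))
```

The backup host pushing 2,400 MB is unremarkable because its own baseline is large, while a workstation at 600 MB is an outlier by a wide margin and goes straight to an analyst. The same moderate deviation produces an automated runbook on a low-criticality workstation but an escalation on the high-criticality web server, which is the split between automated and human-handled responses the section describes.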
Cutting Through the Fog
Just as military commanders contend with the fog of war, cybersecurity professionals face their own version of a cloudy environment while defending organizations. However, by implementing an approach that combines situational awareness, threat intelligence, incident response planning, and machine learning-powered anomaly detection, organizations can have a better vision through the uncertainty.
Although we can never completely remove uncertainty, much like we can never remove risk, the key to success is in building resilient systems and teams that can function effectively despite it. Modern security operations centers, with advanced tools and well-practiced response plans, can continue to secure their organization while still adapting to new threats as they emerge.
In cybersecurity as in warfare, the goal isn't perfect clarity. It's building the capability to make informed decisions and take effective action even when facing uncertainty. Through proper preparation, continuous learning, and the right combination of human expertise and technological tools, organizations can be ready with confidence and resilience.