Reading is one of my passions – thrillers and military history books are among my favorite genres. One term that frequently comes up in both of these types of books is “the fog of war.” The term originates from the 19th century Prussian general and military analyst Carl von Clausewitz in his book Vom Kriege (“On War” in English). This phrase typically refers to the challenges that commanders face before and during battle; namely how to achieve one’s goals when certainty is not possible. So, what happens when the fog of war occurs in cybersecurity incidents?
How does the fog of war apply to cybersecurity incidents?
In cybersecurity, we regularly see situations where complete information is not available initially. It may take hours, days, weeks, months or years to reveal the full information – in some cases it’s NEVER available. Sometimes, information changes so frequently there’s not enough time to catch up. We have to make decisions based on the potentially limited information that we have, combined with the historical knowledge (and sometimes gut instinct) that we have developed along the way.
When ADNET hears about a new threat, we examine it as a team – asking ourselves the following questions (among others):
- How significant is the cybersecurity incident?
- Is this critical, medium or low risk?
- Who is affected?
- Which systems/software/organizations have been compromised?
- If the threat is exploited, what could happen?
- What does the threat do when exploited, and what does that mean for anyone who is affected?
- What does ADNET recommend?
- How can we provide guidance to people who are either looking to remediate the threat on their own or looking to an IT partner for help?
Once we have evaluated the information we have on the threat and its potential impact, it’s time to make decisions.
Making tough cybersecurity decisions
ADNET’s security team recently faced a situation that put the “fog of war” concept to the test. We received intelligence regarding a possible threat against a commonly used platform. The warning was written in a way that was alarming, yet very vague. It left a lot of room for interpretation and worry.
ADNET gathered our team and started doing additional research as soon as we heard about the threat. Through different contacts in our MSP and security communities we sought clarifying information. Unfortunately, there wasn’t any at the time and we knew the most important thing was to act to protect our clients.
What do we do now? In the absence of information confirming that these systems were safe, we assumed the worst-case scenario. We decided to take action. Over the next several hours, our service operations, security and engagement teams (a quarter of the entire company) worked tirelessly to make sure these systems were secure, and our clients were aware of the threat and the actions we were taking.
In the end, clarifying information came out 24 hours later. This new information provided more guidance and allowed us to ease up on some of the restrictions we had implemented to protect our clients. Security vulnerabilities are always evolving situations, and they require flexibility and frequent review.
Cybersecurity can’t wait
I’ll be the first to admit, cybersecurity isn’t always convenient. Decisions like turning off certain programs, systems or access for organizations – especially when so many people are working remotely – have impact. That’s why we don’t make these decisions lightly. However, ADNET believes that taking proactive action is often the right approach to prevent cybersecurity incidents.
As in combat, with cybersecurity you can’t stand still. While sometimes waiting for additional information is possible, that’s not always the case. You have to be willing to make decisions based on partial information and accept what comes of that. Because as a great Canadian philosopher once said, “if you choose not to decide, you still have made a choice”.
If you have questions or concerns about cybersecurity, reach out to us – we’re here to help.