Black Swans and Unknown Unknowns: Preparing for Unrecognizable Threats
A Black Swan Event:
Definition: A very unlikely occurrence that meets the following criteria:
- Cannot be predicted
- Brings with it a large organizational impact
- Once it has occurred, people try to rationalize it in hindsight
Not to be confused with a swanky black tie affair or a session at the famed Black Hat annual security conference, a black swan event is something for which there is no precedent, making planning for it nearly impossible. The September 11th attacks, the 2008 housing market crisis, and the 2011 earthquake-tsunami-Fukushima nuclear plant disaster in Japan are all examples of recent black swan events that hit everyone, from organizations to individuals, like a ton of bricks. No one was prepared to deal with the events or their fallout, figurative or actual.
Most critical, formative, world-shaking events can be seen as black swans. Nassim Nicholas Taleb, author of The Black Swan, asserts that “A small number of Black Swans explains almost everything in our world, from the success of ideas and religions, to the dynamics of historical events, to elements of our own personal lives.... Almost everything in social life is produced by rare but consequential shocks and jumps.” According to Taleb, the “normal” is very often irrelevant. It is where organizations tend to focus their energies, because it is what they have the tools to prepare for. They fail to prepare for the outliers, mainly because those scenarios cannot be predicted or planned for.
In security – both military and cyber – we have a similar concept, that of “unknown unknowns”. Although there are minor differences in meaning, the idea behind both is that these are life- or situation-altering events that the “victim” did not anticipate, and could not have. When it comes to unknown unknowns, we are in the proverbial dark: we know nothing about how to prepare for these events or when they might happen, leaving us at the mercy of our adversaries.
Cryptojacking is a prime example. Before it became a common attack, it would have been hard to posit that some day in the future, attackers might try to steal your CPU power over the Internet to mine bitcoin. Thus, victims were left defenseless against CPU theft when the attacks began. Yet, just as the housing crisis seemed inevitable in hindsight, cryptomining now seems like the logical outcome of soaring virtual currency values.
Protecting against the “normal”
Instead of focusing on unknown unknowns, we typically protect networks against more common, “normal” threats – the “known knowns” and “known unknowns”.
“Known knowns”, as they are called, are the most basic of threats. When networking was in its infancy, threats such as worms and viruses plagued organizations. Firewalls were designed to filter elements known to be malicious and became an indispensable tool for protecting data. Complemented by anti-virus (AV) solutions, they formed a strong basic layer of perimeter protection against known malware. With known knowns, analysts knew just what to look for and how to defend against it.
But as technology progressed, the complexity and number of threats grew apace. Seeing that firewalls were able to catch the less complex threats, malware developers began to build sophisticated new threats that are harder to detect. Analysts began to incorporate more advanced tools such as sandboxes and URL filters to root them out. These tools are familiar with this kind of “known, yet unknown” threat: they might not fully recognize a given sample, but they know enough to be wary of its general profile and can provide some level of protection against it.
Black swans and unrecognizable threats
Today, we are up against far more sophisticated, elusive variants. These are the black swans of cyber threats: the unknown unknowns that organizations cannot predict and, seemingly, cannot arm themselves against. The Internet is rampant with fast-evolving threats that have never been seen before and are unrecognizable. Traditional heuristic and signature-based approaches, which, as mentioned above, depend on recognizing the threat pattern, are powerless to defeat these highly complex variants. Such unknown threats can slip past AV, intrusion detection/prevention systems, network filters and, of course, firewalls.
Preventing the next event with Remote Browser Isolation
If unknown unknown threats are impossible to prevent or detect, what can be done to keep them from getting onto networks and doing their worst?
The truth is that there is nothing any individual or organization can do to prevent unknown unknowns from happening. What’s more, the focus should not be on trying to account for every black swan event or unknown unknown that might occur: it is neither time- nor cost-effective, and, due to their very nature, it won’t work anyway.
Instead, organizations need an approach that is proactive and does not depend on recognizing threats. With remote browser isolation, no browser-borne executable code ever reaches your networks or your employees’ devices, so your organization is protected against all browser-borne threats: known knowns, known unknowns and even unknown unknowns.
Remote browser isolation does this by rendering all executable web code remotely, in the cloud or in the DMZ, inside a disposable isolated container, far away from all endpoints and networks. A clean data stream lets the user interact with any website they need, without exposure to unknown malware variants. When the session is over or the user stops browsing, the container is disposed of along with all its contents. Anything malicious, even a zero-day exploit, that made its way into that browsing session is destroyed with it.
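The following is an added example, not code from the original post or from any browser-isolation product, that models the three threat classes discussed in this post against two defensive strategies: a toy detect-and-block layer (a signature list for known knowns plus one heuristic for known unknowns) and a stand-in for a disposable remote rendering container that hands the endpoint only a non-executable stream and discards its own state at the end of the session. It goes slightly beyond the text by including a sample for each class rather than one. Every signature, heuristic, sample page and URL in it is constructed for the demo.

```python
"""Toy model of detect-and-block layers versus remote browser isolation.

Added example; all signatures, heuristics, pages and URLs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Known knowns": constructed byte patterns a signature engine would match.
KNOWN_SIGNATURES = {
    "eval(unescape(": "obfuscated-js-loader",
    "ActiveXObject(": "legacy-activex-dropper",
}

# "Known unknowns": a constructed heuristic for a suspicious general profile
# (a long run of char codes) that a sandbox or filter might flag without
# recognising the exact threat.
LONG_CHARCODE_RUN = re.compile(r"String\.fromCharCode\((?:\d+,\s*){20,}")


def detect_and_block(html: str) -> Optional[str]:
    """Return why a response would be blocked, or None if it passes.

    Whatever matches neither a signature nor the heuristic (the unknown
    unknowns) is passed through to the endpoint unchanged.
    """
    for needle, name in KNOWN_SIGNATURES.items():
        if needle in html:
            return f"signature:{name}"
    if LONG_CHARCODE_RUN.search(html):
        return "heuristic:long-charcode-run"
    return None


@dataclass
class CleanStream:
    """What the endpoint receives from the remote renderer: visible text and
    image references only, never markup or script."""
    text: str
    image_refs: List[str] = field(default_factory=list)


_SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)
_IMG_RE = re.compile(r'<img\b[^>]*\bsrc="([^"]+)"', re.I)
_TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class IsolatedSession:
    """Stand-in for a disposable container that executes the page remotely."""
    executed_scripts: List[str] = field(default_factory=list)
    alive: bool = True

    def render(self, html: str) -> CleanStream:
        """'Run' the page inside the container and emit a non-executable stream.

        Scripts execute (here: are merely recorded) only inside the container;
        the stream handed to the user carries no code at all.
        """
        if not self.alive:
            raise RuntimeError("container already disposed")
        self.executed_scripts.extend(m.group(0) for m in _SCRIPT_RE.finditer(html))
        without_scripts = _SCRIPT_RE.sub("", html)
        images = _IMG_RE.findall(without_scripts)
        text = " ".join(_TAG_RE.sub(" ", without_scripts).split())
        return CleanStream(text=text, image_refs=images)

    def dispose(self) -> None:
        """End of session: whatever ran in the container is thrown away."""
        self.executed_scripts.clear()
        self.alive = False


def browse_isolated(html: str) -> CleanStream:
    """One full session: fresh container, render, hand over the stream, dispose."""
    session = IsolatedSession()
    stream = session.render(html)
    session.dispose()
    return stream


def stream_is_clean(stream: CleanStream) -> bool:
    """True when nothing resembling markup survives in the delivered stream."""
    return "<" not in stream.text and not any("<" in ref for ref in stream.image_refs)


# Constructed sample responses, one per threat class.
KNOWN_KNOWN = '<html><body>Hi<script>eval(unescape("%61"))</script></body></html>'
KNOWN_UNKNOWN = (
    "<html><body>Hi<script>x=String.fromCharCode("
    + ",".join(["104"] * 25) + ")</script></body></html>"
)
UNKNOWN_UNKNOWN = (
    '<html><body><h1>Quarterly report</h1>'
    '<img src="https://example.invalid/chart.png">'
    '<script>/* novel technique: matches no signature or heuristic */'
    'document.title = somethingNobodyHasSeenBefore();</script>'
    '</body></html>'
)

if __name__ == "__main__":
    for label, page in [("known known", KNOWN_KNOWN),
                        ("known unknown", KNOWN_UNKNOWN),
                        ("unknown unknown", UNKNOWN_UNKNOWN)]:
        verdict = detect_and_block(page) or "passed through to endpoint"
        stream = browse_isolated(page)
        print(f"{label:16} detect-and-block: {verdict:30} "
              f"isolated stream: {stream.text!r} {stream.image_refs}")
```

Running it shows the point of the post in miniature: the detect-and-block path stops the first two pages and lets the third straight through, because it has nothing to recognize, while the isolated path never asks what the script is; the script only ever runs inside `IsolatedSession`, the endpoint gets `"Quarterly report"` plus an image reference, and `dispose()` empties the container regardless of what it executed.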
There are always going to be browser-based threats that simply cannot be anticipated ahead of time. Attackers have already learned that these unknown unknowns are the most powerful tools in their arsenal, and chances are that unrecognizable threats will only become less predictable as time goes on. That is why the best form of protection is one that does not need to “know” anything about an exploit to keep it from harming your networks.
Classic detect-and-block security offerings, such as anti-virus and URL filtering, are simply unable to cope with the rapid evolution and proliferation of attack signatures and patterns to which the average web browser is exposed on a daily basis.