Understanding Cybersecurity Threats Through the Known-Unknown Matrix
In today’s digital landscape, organizations face a myriad of cybersecurity threats that range from commodity malware to sophisticated, targeted attacks. As cybercriminals evolve their tactics, it becomes imperative for businesses to reduce their exposure to these threats. The risks can vary significantly, from well-known vulnerabilities that linger on networks to novel attacks aimed at critical control systems, potentially causing real-world harm. A valuable tool for understanding and detecting these threats, particularly in Operational Technology (OT) environments, is the Known-Unknown Matrix.
What Is the Known-Unknown Matrix?
The Known-Unknown Matrix, also referred to as the Uncertainty Matrix, is a strategic risk assessment tool commonly used in corporate planning. This matrix categorizes challenges based on what is known and unknown about them, thereby aiding decision-making processes. It provides a structured approach to understanding the landscape of cybersecurity threats, allowing organizations to prioritize their defenses effectively.
The Four Quadrants of the Known-Unknown Matrix
The matrix consists of four quadrants that help categorize different types of cybersecurity threats, particularly in OT and Internet of Things (IoT) environments. This categorization is crucial for ensuring that the right detection techniques are employed to minimize risks early on. The two primary detection techniques are:
- Rule-Based Detection: This method is effective for threats with easily observable indicators. It relies on predefined patterns, known as signatures, such as file hashes, IP addresses, domain names and byte sequences, and compares observed attributes against a database of known threats so that matches can be identified and mitigated quickly. The trade-off is that a signature matches only what it was written for: a recompiled sample, a new command-and-control address or a novel technique produces no match.
- Behavior-Based Detection: This more sophisticated approach analyzes how hosts and threats behave and interact with the network. It uses heuristic rules or machine learning models to flag deviations from an established baseline, such as unauthorized access, unexpected file modifications, or a workstation that has never written to a controller suddenly doing so. It can catch novel threats that have no signature, but it requires a learning period, and legitimate changes (maintenance, new equipment, recipe changes) will raise alerts until the baseline is updated.
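To make the two techniques concrete, here is an added example (not code from the article or from any vendor's product): a toy engine that applies indicator matching and a behavior rule to constructed OT network events. The indicator values, IP addresses, host names and the sample events are all placeholders invented for the illustration; the behavior rule assumes a baseline window during which every host that legitimately writes to the PLC is seen doing so.

```python
# Added illustration (not code from the article): a toy engine that applies
# rule-based indicator matching and a behavior-based rule to constructed OT
# network events. Indicators, addresses and hashes below are placeholders.
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed "threat feed": hypothetical indicators, not real IoCs.
IOC_HASHES: Set[str] = {"0123456789abcdef" * 4}     # placeholder SHA-256
IOC_IPS: Set[str] = {"203.0.113.7"}                  # TEST-NET-3 documentation range
IOC_DOMAINS: Set[str] = {"update.example.net"}

# Modbus/TCP function codes that change controller state (writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16}


@dataclass
class Event:
    """One observed network event (constructed for the example)."""
    src_ip: str
    dst_ip: str
    protocol: str            # "modbus", "dns", "smb", ...
    file_hash: str = ""      # set for file transfers
    domain: str = ""         # set for DNS lookups
    function_code: int = -1  # set for Modbus requests


@dataclass
class Alert:
    technique: str   # "rule" or "behavior"
    reason: str
    event: Event


def rule_based(ev: Event) -> List[Alert]:
    """Signature matching: exact comparison against known-bad indicators.
    Anything not in the feed (a re-hashed sample, a fresh C2 host) passes."""
    alerts: List[Alert] = []
    if ev.file_hash and ev.file_hash in IOC_HASHES:
        alerts.append(Alert("rule", f"known-bad file hash {ev.file_hash}", ev))
    for ip in (ev.src_ip, ev.dst_ip):
        if ip in IOC_IPS:
            alerts.append(Alert("rule", f"known-bad IP {ip}", ev))
    if ev.domain and ev.domain in IOC_DOMAINS:
        alerts.append(Alert("rule", f"known-bad domain {ev.domain}", ev))
    return alerts


class BehaviorDetector:
    """Learns which (source, destination) pairs issue Modbus writes during a
    baseline window and flags writes from any pair never seen writing before.
    No signature is needed: the write itself is the observable behavior."""

    def __init__(self) -> None:
        self.known_writers: Set[Tuple[str, str]] = set()

    @staticmethod
    def is_write(ev: Event) -> bool:
        return ev.protocol == "modbus" and ev.function_code in MODBUS_WRITE_CODES

    def learn(self, baseline: List[Event]) -> None:
        for ev in baseline:
            if self.is_write(ev):
                self.known_writers.add((ev.src_ip, ev.dst_ip))

    def check(self, ev: Event) -> List[Alert]:
        if self.is_write(ev) and (ev.src_ip, ev.dst_ip) not in self.known_writers:
            return [Alert("behavior",
                          f"first-seen Modbus write fc={ev.function_code} "
                          f"from {ev.src_ip} to {ev.dst_ip}", ev)]
        return []


def run_engine(baseline: List[Event], live: List[Event]) -> List[Alert]:
    """Apply both techniques to every live event and collect the alerts."""
    detector = BehaviorDetector()
    detector.learn(baseline)
    alerts: List[Alert] = []
    for ev in live:
        alerts.extend(rule_based(ev))
        alerts.extend(detector.check(ev))
    return alerts


# Constructed traffic: the HMI (10.0.1.10) normally reads and writes the PLC (10.0.2.20).
BASELINE = [
    Event("10.0.1.10", "10.0.2.20", "modbus", function_code=16),  # write multiple registers
    Event("10.0.1.10", "10.0.2.20", "modbus", function_code=3),   # read holding registers
]
LIVE = [
    Event("10.0.1.10", "10.0.2.20", "modbus", function_code=6),   # HMI write: expected
    Event("10.0.1.55", "10.0.2.20", "modbus", function_code=5),   # unknown host writes a coil
    Event("10.0.1.55", "203.0.113.7", "dns", domain="update.example.net"),    # hits IP + domain IoCs
    Event("10.0.1.55", "10.0.2.20", "smb", file_hash="0123456789abcdef" * 4),  # known-bad file
]

if __name__ == "__main__":
    for alert in run_engine(BASELINE, LIVE):
        print(f"[{alert.technique}] {alert.reason}")
```

The second live event is the instructive one: the coil write from 10.0.1.55 matches no indicator and would pass a purely rule-based engine, but it is flagged because that host never wrote to the PLC during the baseline. Conversely, the DNS lookup and file transfer are caught only because their indicators happen to be in the feed; change the domain or re-hash the file and the rule-based path goes quiet.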
Known Known: Commodity Malware – Conficker
One of the most notorious examples of a known known threat is the Conficker worm, which spread primarily by exploiting MS08-067 (CVE-2008-4250), a vulnerability in the Windows Server service, and also via removable media and weak administrative passwords. Emerging in late 2008, Conficker quickly infected millions of Windows computers globally and still turns up on tens of thousands of legacy systems each year, typically unpatched machines on flat networks. Its exploit, propagation and domain-generation behavior are well documented, so signatures and patch checks detect and mitigate it reliably.
Organizations can use publicly available databases such as the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) list to track the vulnerabilities that threats like Conficker depend on, and threat intelligence feeds for the corresponding malware indicators. Cybersecurity vendors integrate these sources into their platforms, so a known vulnerability or a known-bad indicator on the network is flagged as soon as it is observed.
Known Unknown: Credential Access Exploitation – BlackEnergy
Known unknowns represent risks that organizations are aware of but do not fully understand. A prime example is the BlackEnergy attack on distribution utilities in western Ukraine in December 2015. The attackers obtained legitimate credentials, used them to enter the utilities' networks over VPN and reach the operator workstations, and opened breakers from there, leaving roughly 230,000 customers without power for several hours. The incident demonstrated how credential access, a technique every defender knows about, can translate into direct operational impact.
While credential access is a recognized threat, its specific impact depends on the targeted infrastructure and on what the stolen credentials can reach. To defend against it, organizations must gather threat intelligence about the tactics, techniques, and procedures (TTPs) adversaries use, for example mapped to a framework such as MITRE ATT&CK for ICS, and monitor for them: logins from unusual sources or at unusual times, remote sessions to HMIs, and commands issued from accounts that do not normally issue them. Static reference tools are insufficient; a live feed of aggregated threat research is needed for timely detection and response.
Unknown Known: Destructive Wipers – NotPetya
Destructive wipers like NotPetya exemplify unknown knowns: threats assembled from components the community already knew about, but whose combination and true purpose were not anticipated. In June 2017 NotPetya entered victims through a compromised update of the Ukrainian accounting package M.E.Doc and then spread inside networks using the EternalBlue exploit for MS17-010 (a vulnerability Microsoft had patched three months earlier), harvested credentials, and legitimate administration tools such as PsExec and WMI. It displayed a ransom note, but it was built so that encrypted data could not be recovered, and the damage to organizations worldwide has been estimated at over $10 billion.
To combat such threats, behavior-based detection informed by asset intelligence is crucial. Each step of an attack like NotPetya may look individually legitimate (an authenticated remote execution, a software update) or hit a vulnerability that is known but still unpatched on a long-lived OT asset, so signatures alone are not enough. Organizations need an accurate inventory of which hosts exist and what they are patched against, combined with behavior-based detection, including machine learning where appropriate, that flags anomalies such as one host suddenly authenticating to many others in real time.
Unknown Unknown: Hijacking Native Functionality – INCONTROLLER
The most challenging category of threats is the unknown unknowns, which present the highest level of uncertainty and risk. An example is INCONTROLLER (also tracked as PIPEDREAM), a set of attack tools disclosed in April 2022 that are built to interact with specific vendors' controllers and OPC UA servers through their native protocol functionality, so that reconnaissance, reprogramming and disruption look like ordinary engineering traffic rather than an exploit with a signature. At the time of disclosure it had not been observed deployed against a victim, but its existence underscores the growing sophistication of OT attackers.
The best defense against unknown unknowns is proactive monitoring and threat intelligence. By analyzing process variables (setpoints, measured values, their normal ranges and rates of change) and the communication patterns between stations and controllers, organizations can establish a baseline of normal behavior and alert on deviations from it, which makes misuse of legitimate functionality visible even when no signature exists. The baseline must be maintained: planned changes such as maintenance or new equipment shift normal behavior and should be relearned rather than left to generate alerts.
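As an added example of what a process-variable baseline looks like in its simplest form (this is illustration code, not the author's or any product's engine), the block below learns the mean, spread and largest sample-to-sample step of one variable from a window of normal readings and then flags live readings that leave the band or jump faster than the baseline ever did. The readings, the 3-sigma and 2x-step thresholds, and the min_band floor are assumptions chosen for the example; a production engine would use richer models and per-variable tuning.

```python
# Added illustration (not code from the article): learn a baseline for one
# process variable from a window of normal readings, then flag readings that
# leave the learned band or jump faster than the baseline ever did.
# Readings, thresholds and the min_band floor are assumptions for the example.
import statistics
from typing import List, Tuple

Baseline = Tuple[float, float, float]   # (mean, stdev, largest step seen)


def build_baseline(readings: List[float]) -> Baseline:
    """Summarize a window of known-good readings (e.g. a tank level in %)."""
    mean = statistics.fmean(readings)
    stdev = statistics.pstdev(readings)
    max_step = max((abs(b - a) for a, b in zip(readings, readings[1:])), default=0.0)
    return mean, stdev, max_step


def detect_anomalies(readings: List[float], baseline: Baseline,
                     k: float = 3.0, step_factor: float = 2.0,
                     min_band: float = 0.05) -> List[Tuple[int, str, float]]:
    """Return (index, kind, value) for each reading that violates the baseline.

    kind is "out_of_band" when |z-score| > k, and "step_change" when the jump
    from the previous reading exceeds step_factor times the largest baseline
    step. min_band stops a perfectly flat baseline from flagging every
    measurement-noise wobble (the stdev and max step would otherwise be zero)."""
    mean, stdev, max_step = baseline
    band = max(stdev, min_band)
    step_limit = step_factor * max(max_step, min_band)
    findings: List[Tuple[int, str, float]] = []
    prev = None
    for i, x in enumerate(readings):
        if abs((x - mean) / band) > k:
            findings.append((i, "out_of_band", x))
        if prev is not None and abs(x - prev) > step_limit:
            findings.append((i, "step_change", x))
        prev = x
    return findings


# Constructed data: a tank level that normally sits near 50 % ...
NORMAL_WINDOW = [50.0, 50.2, 49.9, 50.1, 50.0, 49.8, 50.3, 50.1, 49.9, 50.0]
# ... then jumps to 53 % for two samples and snaps back, as a forged
# setpoint write or a spoofed sensor value might look on the wire.
LIVE_WINDOW = [50.1, 49.9, 50.2, 50.0, 53.0, 53.1, 50.0, 49.9]

if __name__ == "__main__":
    base = build_baseline(NORMAL_WINDOW)
    print("baseline mean=%.2f stdev=%.3f max_step=%.2f" % base)
    for idx, kind, value in detect_anomalies(LIVE_WINDOW, base):
        print(f"sample {idx}: {kind} ({value})")
```

Two details matter in practice. The step check catches the return to 50 % at sample 6 as well as the excursion, which is what you want: a value snapping back instantly is itself abnormal for a physical process. And the min_band floor is the guard against a flat baseline; without it a variable that never moved during learning would alert on the first bit of noise, which is exactly the alert-fatigue failure mode the text warns about.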
Accurately Detecting Known and Unknown Threats in Your Environment
Utilizing the Known-Unknown Matrix as a framework for understanding cybersecurity threats is a strategic approach that can enhance an organization’s defense posture. Regardless of their classification, all anomalies—whether security-related or operational—must be continuously monitored and prioritized.
To achieve this, organizations should implement a live intelligence feed that encompasses both OT and IoT threats, coupled with an AI-powered detection engine. This engine should utilize a combination of rule-based and behavior-based techniques, specifically tailored to understand OT/ICS protocols. By doing so, organizations can accurately detect threats across the spectrum, from known knowns to unknown unknowns, without overwhelming their security teams.
In conclusion, as cyber threats continue to evolve, employing tools like the Known-Unknown Matrix can provide organizations with a structured approach to understanding and mitigating risks. By prioritizing threat detection and response, businesses can better protect their critical infrastructure and maintain operational integrity in an increasingly complex digital landscape.
About the Author
Sandeep Lota is a Network Security Expert with over two decades of experience in designing and architecting system breakthroughs. He has supported national and global projects for some of the world’s largest companies and is recognized as an industry thought leader. Sandeep holds advanced certifications from leading security and networking vendors and has served as an instructor for various advanced networking and security courses.