The Fog of War is a military concept, but it has its place in non-military analysis as well, particularly in threat intelligence. It is about uncertainty in situational awareness, and it is relevant whether you are performing business forecasting or trying to figure out if the latest phishing email you received is a threat.
In 2002, Secretary of Defense Donald Rumsfeld gave a speech referencing the fog of war.
“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.”
Socrates more formally indicated a similar line of thinking much earlier when he said,
“I know that I know nothing.”
Both Socrates and Rumsfeld are referencing uncertainty and its effects on their analysis of the world. The impact of each statement is different, however. Mr. Rumsfeld is acknowledging that the amount of things one doesn’t know is indeterminate, i.e., it is bigger than anyone can measure. Socrates’ dictum may be wise, but it differs greatly: Socrates asserts that, for him, everything falls into that category, i.e., everything is indeterminate.
These are two different ways of looking at the concept of uncertainty. Returning to phishing as an example, you could say, “If only we had known that the phishing email we had prioritized last due to our risk matrix would cause the incident that happened overnight.” Equally you could say, “Any phishing email could lead to a compromise, if not mitigated. The phishing that led to the incident last night could not have been predicted.”
Both are examples of life not coming installed with a crystal ball foretelling the future. Life is uncertain — there’s no way of knowing what the future holds, or of being cognizant of something we are unaware of in the present.
Here is where Fog of War and your analysis methodology enter the conversation. If you don’t include uncertainty — or enough uncertainty — in your analytical process, you are failing to observe the fog of war. A common task, and frankly a great example of this concept for Threat Intelligence, is the ubiquitous question all leaders ask: “who is targeting us?” The answer is never simple or the output of a math equation. You can’t buy this answer with hardware or software. AI won’t give you the answer to this question — at least, not until it learns to incorporate Friston’s Free Energy Principle and then, only maybe at that point.
Determining an adversary’s mental model, their decision-making process, capability and intent, and then balancing that against your (the defender’s) own equivalents is a bit more than reading a couple of reports about them from security companies and being proud of your own “good security.” It requires layers of analysis on each of those concepts that are then interwoven and stacked to reach a conclusion, which in turn is subject to expert judgement as a measurement of the likelihood of targeting, i.e., an answer with uncertainty incorporated.
For the raconteurs who like to say, “the enemy you know is the one that has attacked you,” my response is, “the enemy you know today could be your friend tomorrow.” Both are fun and pithy to say as rejoinders, but irrelevant to the concepts of Fog of War and threat intelligence. The job of analysis and threat hunting, especially when it comes to prediction, is to define a measure of certainty out of the unknown future. The past is an indicator of the future, but not its sole determinant. Threats are not necessarily causal in nature, i.e., they attacked us in the past, so they will again in the future. Most are acausal instead: the past and present influence that possibility, but there are unknown variables at play that will influence that outcome. Any human threat is more than a collection of facts and data; instead, they are a collection of behaviors, and their high-frequency behaviors are the most accurate predictors of future outcomes.
The Fog of War means including uncertainty in your analysis. In particular, admitting that you haven’t observed enough to say yes or no, and answering maybe, with a sliding scale of percentages of possibility, is a wise move. The CISO who requests an answer to whether the threat they are reading about in the news is a problem for the company may want a definite answer — a straight yes or no. Having a defined risk evaluation matrix helps counter that ask with something realistic. Saying no and then suffering an attack from that threat could mean a quick trip to the unemployment line. Saying yes and eating up resources unnecessarily could lead to the same location. Having a process that can be debated and worked — even if dissension exists — leads to buy-in by participants and greatly reduces the possibility of negative reactions based solely on outcome. It is also just plain wise.