If you follow the world of Jocko Willink or listen to his podcast, especially the one with Andrew Huberman, then you will have heard about the Observe, Orient, Decide and Act (OODA) loop.
Willink used this model during his time in the Navy Seals to help him overcome challenges. This article explores how the OODA loop can be utilised in cyber response, especially in highly stressful situations, to enable you to see the woods from the trees.
What is the OODA loop?
The first step in the OODA loop is observation. In the context of cybersecurity, this involves actively monitoring our network, systems, and external threat intelligence sources. Key activities include:
Security Bulletins and Advisories: Regularly track security bulletins and advisories from trusted sources. Stay informed about vulnerabilities and emerging threats.
Threat Intelligence: Gather information on adversary tactics, techniques, and procedures (TTPs). Understand their modus operandi to anticipate their moves.
Incident Detection: Implement robust detection mechanisms, including network intrusion detection systems (NIDS), firewall logs, and user behaviour analytics.
Orientation is about making sense of the observed data. Here’s how it applies to cyber defence:
Assess Applicability: Evaluate how the observed threats align with your organisation’s assets and operations—Prioritise based on criticality.
Operational Issues: Consider operational constraints, resource availability, and potential impact. What can realistically be addressed?
Risk Assessment: Quantify the risk associated with each threat. Understand the potential consequences of inaction.
Decisiveness is crucial in the face of cyber threats. Make informed decisions:
Prioritise Remediation: Decide which vulnerabilities or incidents require immediate attention based on your risk assessment. Create a remediation strategy.
“Duelling” OODAs: Recognise that adversaries also operate within their own OODA loops. Act swiftly to disrupt their plans.
Execution is where the rubber meets the road:
Rollout and Monitor: Deploy patches, updates, and security controls. Continuously monitor for any “breakage” caused by changes.
Active Defences: Implement active defences such as honeypots, sinkholes, and application whitelisting. Deceive, degrade, and disrupt adversary actions.
Continuous Cyber Loop
Remember that the OODA loop is iterative. As you act, new observations emerge, leading to further orientation, decisions, and actions. Adaptability and agility are essential.
Organisations face an ongoing battle to protect their digital assets in the volatile landscape of cyber threats. Initially developed by military strategist Colonel John Boyd, the OODA loop provides a robust framework for decision-making and response. Let’s explore how this loop can be applied to enhance our defences against cyber-attacks.
In an outbreak or live cyber-attack, it can be challenging to remain calm whilst taking the first steps to deal with the situation and do the right thing. We recommend taking time to run an OODA loop model in your mind. In doing so, you can find a better, more effective way to tackle the challenges.
Those of us who are often in a position where a decision needs to be made fast, risk missing alternative more effective ways due to time pressure. However, this model will give you the best chance to see a clearer picture, so you can make more informed decisions.
Application Of the Loop in Cyber Security
The first step is to observe the incident and analyse your data:
- What has happened?
- Calmly analyse the facts and the unknown.
- Assess the worst possible scenario and the potential impact on your business.
- Think of your next steps.
Once facts have been established, decide on the action and how you will proceed with the informed decision. Hopefully, the decision stemmed from the Observe and Orient model.
The Act is the last step which puts the plan into action. At this point, you should also be planning to perform another OODA loop to cover the previous loop; sometimes, you may even be running multiple loops at once. The ability to place a cognitive weight on having time to make the right decision is key in a high-pressure scenario.
If you are looking for further reading, then you can also look at the following:
Mandiant APT1 Model: Map control implementations to the adversary model. Identify opportunities to detect, deny, and disrupt attacks.
MITRE ATT&CK Matrix: Align techniques with tactics. Understand where defences are effective and where gaps exist.
By embracing the Cyber OODA loop, organisations can transform reactive responses into proactive defences. Rapid decision-making, continuous adaptation, and a deep understanding of the threat landscape empower us to stay ahead of cyber adversaries. Remember: in cyberspace, surprise favours the prepared mind.
If you want to talk to Planet IT experts about how we can help you with your cyber security, planning and innovation, then please call 01235 433900, or you can email [email protected], or if you would like to speak to me directly, you can reach out to me via DM or at [email protected].