OODA and Cybersecurity
The OODA Loop
U.S. Air Force Colonel John Boyd created the concept of the OODA loop to aid in the development of military strategy. By rapidly observing and analyzing an adversary’s behaviors, Col. Boyd believed that a strategist using the OODA decision-making process could gain an advantage. Accepting the chaos associated with rapid analysis and working more rapidly than the opponent allows a decision-maker to appear unpredictable and cause chaos in the adversary’s decision-making.
The OODA loop is a four-stage process for decision-making: observe, orient, decide and act. A strategist should cycle through these phases often and rapidly as part of their analysis and decision-making process.
Observe
The first stage of the OODA loop is focused on gathering information about the environment, the adversary and the decision-maker.
The goal of OODA is to allow the decision-maker to make and act upon rapid decisions and create chaos in the mind of their adversary by hiding their intentions and appearing to be unpredictable. The need for speed in decision-making means that the analyst does not have the time to collect and analyze all possible information about the situation, their adversary and their possible actions and outcomes. To effectively operate within the context of an OODA loop, an analyst needs to learn to identify the most important pieces of information to collect, do so rapidly and move on to the next stage.
Orient
In a presentation about the OODA loop, John Boyd stated that Orientation was the most important part of the process:
The second O, orientation—as the repository of our genetic heritage, cultural tradition, and previous experiences—is the most important part of the O-O-D-A loop since it shapes the way we observe, the way we decide, the way we act.
In the Orientation phase of the OODA loop, an analyst uses cultural context to extract useful information about their adversary’s worldview and their own. The rapid pace of analysis in the OODA loop means that acting without taking the time to build a partial worldview increases the probability of taking the wrong action. However, an analyst using the OODA methodology does not have the time to exhaustively analyze the collected data and must accept some chaos in their analysis and proceed anyway. As the analyst cycles through multiple iterations of the OODA loop, the analysis will be refined based on additional observations of the environment and the adversary’s response to actions taken.
Decide
The purpose of the first two stages of the OODA loop is to place the analyst in the right position to complete this stage of the process: deciding on a course of action to pursue. Making a decision within the OODA loop involves balancing the need to make rapid decisions with the need to make choices informed by the information gleaned in the Observe and Orient phases. The goal of the OODA loop analysis methodology is to build up a plan of action from many quick decisions rather than a single over-analyzed scheme of attack.
Act
Once a decision is made, it’s vital to act on it. The goal of an OODA-driven analysis is rapid decision-making and causing confusion to the adversary. Taking the time to exhaustively analyze a decision before acting on it increases the probability that the adversary will act more quickly and render the decision meaningless. Acting and rapidly returning to the Observation stage allows the analyst to learn about their adversary based on the reactions to past actions.
Applying OODA to Cybersecurity
During a cybersecurity incident, acting quickly is crucial. Over half of phishing emails are clicked within an hour and 11% of phishing emails are clicked within a minute of being sent. The OODA loop is designed to help people make decisions and take action rather than freezing up and doing nothing. In a world where network defenders or CISOs can be fired for failing to prevent or mitigate an attack, the risks of taking the wrong action may seem greater than the risks associated with doing nothing at all. During a cyberincident, doing something — even if it isn’t the best thing — is better than doing nothing.
At its core, the OODA loop is a process for identifying and analyzing how a person thinks, acts and responds to stimuli. This process can be invaluable to an information security practitioner and has numerous applications, both offensive and defensive.
When a hacker is testing a network’s defenses, he is testing his knowledge and skills against those of the network defender. Anything that the defender can do to sow confusion or uncertainty in the mind of the attacker pays huge dividends. Observing the hacker’s attack methodologies and orienting oneself in the hacker’s worldview (learning why they’re attacking, what they know about the network and what they’re likely to do next) allows a defender to decide on a course of action and act upon it before it’s too late. Many cyberattacks are won in minutes or seconds, not hours or days. The more quickly a defender can respond to an attack, the less it costs the enterprise.
OODA loops are applicable in non-adversarial contexts as well. Our experiences shape how we act, down to the smallest detail. Understanding someone’s thought processes (even our own) can be extremely valuable in quality assurance and vulnerability assessment exercises. The knowledge of how the developer thinks a system works helps highlight the differences from how it really works. Identifying these gaps and rapidly acting upon analysis of them allows an auditor to efficiently find the vulnerabilities that these differences create and decreases the probability that over-analysis will cause them to be overlooked.
Improving Decision-Making with OODA
The OODA loop is an analysis tool designed to aid with rapid decision-making in an adversarial situation. By accepting the chaos inherent in the situation and making decisions quickly with imperfect information, the analyst can create additional chaos in the mind of their adversary and gain an advantage. While originally designed for military strategic decision-making, an information security professional can, with sufficient practice, use this method to improve their decision-making when dealing with situations requiring rapid decisions like a suspected cyberattack.
FREE role-guided training plans
Sources
- Boyd, John R., A Discourse on Winning and Losing, Air University Press, 2018
- 52% of phishing victims click within one hour, IT Governance USA
- When a Cyber Crisis Hits, Know Your OODA Loops, SecurityIntelligence
In this Series
- OODA and Cybersecurity
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security