OODA and Cybersecurity
The OODA Loop
U.S. Air Force Colonel John Boyd created the concept of the OODA loop to aid in the development of military strategy. By rapidly observing and analyzing an adversary’s behaviors, Col. Boyd believed that a strategist using the OODA decision-making process could gain an advantage. Accepting the chaos associated with rapid analysis and working more rapidly than the opponent allows a decision-maker to appear unpredictable and cause chaos in the adversary’s decision-making.
The OODA loop is a four-stage process for decision-making: observe, orient, decide and act. A strategist should cycle through these phases often and rapidly as part of their analysis and decision-making process.
Observe
The first stage of the OODA loop, Observe, is focused on gathering information about the environment, the adversary and the decision-maker.
The goal of OODA is to allow the decision-maker to make and act upon rapid decisions and create chaos in the mind of their adversary by hiding their intentions and appearing to be unpredictable. The need for speed in decision-making means that the analyst does not have the time to collect and analyze all possible information about the situation, their adversary and their possible actions and outcomes. To effectively operate within the context of an OODA loop, an analyst needs to learn to identify the most important pieces of information to collect, do so rapidly and move on to the next stage.
Orient
In a presentation about the OODA loop, John Boyd stated that Orientation was the most important part of the process:
"The second O, orientation—as the repository of our genetic heritage, cultural tradition, and previous experiences—is the most important part of the O-O-D-A loop since it shapes the way we observe, the way we decide, the way we act."
In the Orientation phase of the OODA loop, an analyst uses cultural context to extract useful information about their adversary’s worldview and their own. The rapid pace of analysis in the OODA loop means that acting without taking the time to build a partial worldview increases the probability of taking the wrong action. However, an analyst using the OODA methodology does not have the time to exhaustively analyze the collected data and must accept some chaos in their analysis and proceed anyway. As the analyst cycles through multiple iterations of the OODA loop, the analysis will be refined based on additional observations of the environment and the adversary’s response to actions taken.
Decide
The purpose of the first two stages of the OODA loop is to place the analyst in the right position to complete this stage of the process: deciding on a course of action to pursue. Making a decision within the OODA loop involves balancing the need to make rapid decisions with the need to make choices informed by the information gleaned in the Observe and Orient phases. The goal of the OODA loop analysis methodology is to build up a plan of action from many quick decisions rather than a single over-analyzed scheme of attack.
Act
Once a decision is made, it’s vital to act on it. The goal of an OODA-driven analysis is rapid decision-making and causing confusion to the adversary. Taking the time to exhaustively analyze a decision before acting on it increases the probability that the adversary will act more quickly and render the decision meaningless. Acting and rapidly returning to the Observation stage allows the analyst to learn about their adversary based on the reactions to past actions.
Applying OODA to Cybersecurity
During a cybersecurity incident, acting quickly is crucial. Over half of phishing emails are clicked within an hour and 11% of phishing emails are clicked within a minute of being sent. The OODA loop is designed to help people make decisions and take action rather than freezing up and doing nothing. In a world where network defenders or CISOs can be fired for failing to prevent or mitigate an attack, the risks of taking the wrong action may seem greater than the risks associated with doing nothing at all. During a cyber incident, doing something — even if it isn’t the best thing — is better than doing nothing.
At its core, the OODA loop is a process for identifying and analyzing how a person thinks, acts and responds to stimuli. This process can be invaluable to an information security practitioner and has numerous applications, both offensive and defensive.
When a hacker is testing a network’s defenses, they are testing their knowledge and skills against those of the network defender. Anything that the defender can do to sow confusion or uncertainty in the mind of the attacker pays huge dividends. Observing the hacker’s attack methodologies and orienting oneself in the hacker’s worldview (learning why they’re attacking, what they know about the network and what they’re likely to do next) allows a defender to decide on a course of action and act upon it before it’s too late. Many cyberattacks are won in minutes or seconds, not hours or days. The more quickly a defender can respond to an attack, the less it costs the enterprise.
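The defensive application described above, and the refinement across iterations described in the Orient section, can be made concrete as a small decision loop over authentication telemetry. The following is an added example written for this article, not code from the original or from any product; the sample events, the thresholds, the hypothesis names and the action names are all illustrative assumptions. Each cycle observes one time window, orients by forming a hypothesis about the adversary, decides on an action from a fixed playbook, acts, and then lets the next Observe see how the adversary reacted to that action.

```python
# Added example (not from the original article): a defender-side OODA loop
# run over constructed authentication events. Everything here, including the
# sample telemetry, the thresholds and the action names, is an assumption
# made for illustration.
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed telemetry: three consecutive windows of (source_ip, user, result).
# Window 0: one source hammers one account and finally succeeds.
# Window 1: that source keeps probing after being blocked, while a second source
#           tries many accounts once each (a spray) and gets into one of them.
# Window 2: both sources have gone quiet; one ordinary login remains.
WINDOWS = [
    [("10.0.0.5", "alice", "fail")] * 12 + [("10.0.0.5", "alice", "success")],
    [("10.0.0.5", "alice", "fail")] * 3
    + [("198.51.100.7", u, "fail") for u in ("bob", "carol", "dave", "erin", "frank")]
    + [("198.51.100.7", "grace", "success")],
    [("192.0.2.9", "alice", "success")],
]


@dataclass
class State:
    """What the defender carries from one cycle to the next."""
    blocked: set = field(default_factory=set)
    reset_users: set = field(default_factory=set)


def observe(window, state):
    """Observe: collect only the few facts needed to orient -- failures per source,
    which accounts each source touched, successes, and how hard already-blocked
    sources are still pushing (the adversary's reaction to the last action)."""
    obs = {"fails": Counter(), "users": defaultdict(set),
           "successes": [], "blocked_hits": Counter()}
    for ip, user, result in window:
        if ip in state.blocked:
            obs["blocked_hits"][ip] += 1
            continue
        obs["users"][ip].add(user)
        if result == "fail":
            obs["fails"][ip] += 1
        else:
            obs["successes"].append((ip, user))
    return obs


def orient(obs, state):
    """Orient: turn raw counts into hypotheses about what the adversary is doing.
    Thresholds are illustrative assumptions, not tuned values."""
    hypotheses, suspects = [], set()
    for ip, fails in obs["fails"].items():
        targets = len(obs["users"][ip])
        if fails >= 10 and targets <= 2:              # many attempts, few accounts
            hypotheses.append(("brute_force", ip))
            suspects.add(ip)
        elif targets >= 5 and fails / targets <= 2:   # few attempts, many accounts
            hypotheses.append(("password_spray", ip))
            suspects.add(ip)
    for ip, user in obs["successes"]:
        if ip in suspects and user not in state.reset_users:
            hypotheses.append(("account_compromise", user))
    # A blocked source still knocking while a new suspect appears suggests the
    # adversary is reacting to our last action by rotating infrastructure.
    if obs["blocked_hits"] and suspects:
        for ip in sorted(suspects):
            hypotheses.append(("adversary_adapting", ip))
    return hypotheses


def decide(hypotheses):
    """Decide: map each hypothesis to one concrete action, without re-analysing."""
    playbook = {
        "brute_force": lambda x: ("block", x),
        "password_spray": lambda x: ("block", x),
        "account_compromise": lambda x: ("reset_password", x),
        "adversary_adapting": lambda x: ("escalate", x),
    }
    decisions = []
    for kind, subject in hypotheses:
        action = playbook[kind](subject)
        if action not in decisions:
            decisions.append(action)
    return decisions


def act(decisions, state):
    """Act: apply the decisions so the next Observe sees their effect."""
    for verb, subject in decisions:
        if verb == "block":
            state.blocked.add(subject)
        elif verb == "reset_password":
            state.reset_users.add(subject)
    return decisions


def run_ooda(windows):
    """Cycle through all four stages once per window; return the actions per cycle."""
    state, cycles = State(), []
    for window in windows:
        cycles.append(act(decide(orient(observe(window, state), state)), state))
    return cycles


if __name__ == "__main__":
    for i, actions in enumerate(run_ooda(WINDOWS)):
        print(f"cycle {i}: {actions}")
```

The point of the design is the feedback path: `observe` deliberately counts attempts from sources that were blocked in an earlier cycle, so the second cycle can orient on the fact that the adversary kept pushing and switched to a new source, and escalate rather than treat the spray as an unrelated event. Each stage does the minimum needed to hand off to the next, which is what keeps the cycle fast.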
OODA loops are applicable in non-adversarial contexts as well. Our experiences shape how we act, down to the smallest detail. Understanding someone’s thought processes (even our own) can be extremely valuable in quality assurance and vulnerability assessment exercises. The knowledge of how the developer thinks a system works helps highlight the differences from how it really works. Identifying these gaps and rapidly acting upon analysis of them allows an auditor to efficiently find the vulnerabilities that these differences create and decreases the probability that over-analysis will cause them to be overlooked.
Improving Decision-Making with OODA
The OODA loop is an analysis tool designed to aid with rapid decision-making in an adversarial situation. By accepting the chaos inherent in the situation and making decisions quickly with imperfect information, the analyst can create additional chaos in the mind of their adversary and gain an advantage. While originally designed for military strategic decision-making, an information security professional can, with sufficient practice, use this method to improve their decision-making when dealing with situations requiring rapid decisions like a suspected cyberattack.