Hit enter to search

What is OODA in Cyber Security?

On January 19, 2021

In this Digital Warfare , Infopercept as an Ally to our clients , has developed unique “Invinsense Strategies” to combat the battle of cyber security.

The word has been derived from the Latin word invincibilis, which means, "unconquerable", a thing that cannot be conquered.

Over the years, as the Infopercept team has gained insightful experience in the field of cyber security, they are now in a position to anticipate in advance the types of attacks and also identify vulnerable areas in the network. They have developed unique “senses” in targeting the hacks and rectifying them before it causes grievous damage. Combining this developed “Sense” along with the term invincible, comes the term "Invinsense".

Infopercept has developed a series of "Invinsense" strategies to counter the attacks. These strategies are detailed below.

The first strategy to counter the attacks or threats is the OODA strategy.

OODA is a very popular strategy used in war and battles by the military.

John Boyd is described by some as the greatest military strategist in history that no one knows. He began his military career as a fighter pilot in the Korean War, but he slowly transformed himself into one of the greatest philosopher-warriors to ever live.

The idea centers on an incredible strategic tool: the OODA Loop — Observe, Orient, Decide, Act. Nation-states around the world organizations use the OODA Loop as part of their military strategy. It has also been adopted by businesses to help them thrive in a volatile and highly competitive economy.

"Under the OODA loop theory every combatant observes the situation, orients himself…decides what to do and then does it. If his opponent can do this faster, his own actions become outdated and disconnected to the true situation, and his opponent’s advantage increases geometrically." -John Boyd

Using similar analogy, we have designed a strategy called Security Data Lakes- "Invinsense OODA Strategy", to combat the digital warfare.

  • Observe:


    "If we don’t communicate with the outside world–to gain information for knowledge and understanding–we die out to become a non-discerning and uninteresting part of that world." –John Boyd

    The first step in the "Invinsense OODA" strategy, is to observe. By observing and taking into account new information about our changing environment, our minds become an open system rather than a closed one, and we are able to gain the knowledge and understanding that’s crucial in forming new mental models. As an open system, we’re positioned to overcome confusion-inducing mental entropy.

    The above narration goes well with any situation, let’s see how we can deploy the "INVINSENSE OODA strategy" in the context of Digital Warfare.

    We can say that in OBSERVE, we use the tool "SIEM-OBSERVE".

    By using SIEM deployed tools we can observe and analyze the reports, dash boards, links and alerts. Furthermore we can observe how Vulnerability Management is being done, analyze Cyber Threat Intelligence, understand the Network Model/ Hierarchy, Behavioral Analytics etc.

    To get the optimum results , the best SIEM tool would be WAZUH, which has the power of the ammunition to fight digital warfare; and the ammunition used by WAZUH will give a quick view of vulnerability management, suggesting the behavior of adversaries.

    Further the attributes of WAZUH will help in the observation of

    1. Signature-based log analysis.
    2. File integrity monitoring.
    3. Rootkits detection.
    4. Active Response.
    5. Security Configuration assessment
    6. System inventory.
    7. Vulnerability detection.
    8. Cloud security monitoring.
    9. Containers security monitoring.

    In short Wazuh is distributed with a set of policies, most of

    them based on the CIS benchmarks, a well- established standard for host hardening.

  • Orient:


    The next most important step in the INVINSENSE OODA strategy is Orient:

    Boyd called this step the schwerpunkt (a word he borrowed from the German Blitzkrieg), or focal point of the loop.

    "Orientation shapes the way we interact with the environment…it shapes the way we observe, the way we decide, the way we act. In this sense, orientation shapes the character of present OODA loops, while the present loop shapes the character of future orientation."

    Once we receive the SIEM-ALERTS it’s time for SOAR orientation. We then instantly deploy the Automated Play Books either fully automated or semi automated.

    These are deployed to give immediate responses to the cyber security alerts, which will automatically detect the threats and respond to it.

    The best solutions we suggest would be "The Hive", "Cortex" and "MISP".

    In the above solutions, incident responses shall spearhead the frameworks as under:

    "The Hive" will work as the central Case Management platform, it shall receive the alerts from the SIEM tools, IDS, email etc.

    "Cortex" will provide Analyzers & Responders for automation and shall work as an analysis engine, which will go hand in glove with the Hive & the MISP.

    MISP can be used to centrally store & use threat intelligence. MISP will work as a search Analyzer, when the observation is sighted in the event, and the Cortex shall return the number of observables found and act accordingly.

    The above three put together fits very well. It will definitely take care of Defensive Enrichment Automation, Forensic Enrichment Automation, Defensive Mitigation Automation, and Automation Forensic Analysis Automation as well as cornering the threats from all the corners.

    Now we come to the next stage of DECIDE, in the "Invinsense OODA Strategy". It’s interesting to note that in his final sketch of OODA Loop, Boyd put "Hypothesis" in parentheses next to "Decide", suggesting the uncertain nature of our decisions.

  • DECIDE:


    When we decide, we’re essentially moving forward with our best hypothesis — our best "educated guess" - about which mental model will work , means which best EDR solutions will work.

    Hence to take the best decision, we suggest the deployment of Endpoint Detection and Response solution. For this purpose Infopercept suggests the use of "SentinelOne".

    The great attributes that SentilOne has to offer are as under:

    1. Prevention: Static AI on the endpoint prevents attacks in-line in real time. Consistently ranked for highest efficacy and lowest false-positives, Sentinel One static AI model replaces legacy antivirus.
    2. Detection: Patented Behavioral AI recognizes malicious actions regardless of vector. Sentinel One is the only endpoint security vendor to detect file less, zero-day, and nation-grade attacks in real-time.
    3. Response: Sentinel One’s patented Behavioral AI fuels Active EDR, surgically reversing and removing any malicious activity. Now, every device heals itself in real-time. Never reimage the system again.
    4. Threat Hunting: It’s the industry’s fastest query times and longest data retention. Advanced actions such as full native remote shell, memory dumps, and pre-indexed forensic context. Hunt more, pivot less.

    Now once decision has been taken in the parameter of DECIDE and to find out if our hypothesis is correct; we have to test it, which takes us to our next step of "Invinsense OODA Strategy" Action.

  • ACTION:


    Once you’ve decided on a mental concept to implement, you must act. In his final sketch of the OODA Loop, Boyd has "Test" next to "Act," again indicating that the OODA Loop is not only a decision process, but a learning system; we are all like scientists perpetually testing our new hypotheses in the real world.

    Finally as we begin to get positive results with the use of the "Invinsense OODA Strategy", what remains for us is to "Adapt" it.

CONCLUSION

For us it’s not conclusion per say it is the beginning of the "INVINSENSE OODA STRATEGY".

We should all be constantly "experimenting," and gaining new "data" that helps us improve how we operate in every facet of our lives. As Osinga notes, "In Science, Strategy, and War; actions feed back into the systems as validity checks on the correctness and adequacy of the existing orientation patterns."

But the tool can also be used in situations of conflict and competition, where it’s your INVINSENSE OODA STRATEGY going head-to-head against someone else’s. Indeed, this is what the INVINSENSE OODA STRATEGY is most intellectually employed for. Each individual or group is trying to work its way through the Loop more quickly and effectively than their competitors.

So fast cycling of your INVINSENSE OODA STRATEGY can allow you to get inside cyber security threats, or reset, your opponent’s, which allows you to complete your Loop first and win the fight. Speed is relative in the INVINSENSE OODA STRATEGY. You just have to be faster than the threats you’re competing against.

In addition to using a Solution Architecture to vanquish your foe, the INVINSENSE OODA STRATEGY is a learning engine that allows an individual or organization to thrive in a changing environment.

Hail INVINSENSE OODA STRATEGY!