The concept of the OODA loop was developed to aid military strategy. It is similar to the combat operations process often found at the operational level during military campaigns, and it is now widely applied to understand commercial operations and learning processes. By rapidly observing and analyzing the behavior of adversaries, strategists such as Infopercept can use the OODA decision-making process to gain a significant advantage.
The OODA loop is a four-stage decision-making process: Observe, Orient, Decide and Act. Infopercept cycles through the phases strategically and rapidly as part of its analysis and decision-making process. During a cybersecurity incident, acting quickly is crucial, and the OODA loop is designed to help people make decisions and take action rather than freezing up and doing nothing. At its core, the OODA loop is a process for identifying and analyzing how a person thinks, acts, responds, and adapts to stimuli. This process can be invaluable to an information security practitioner and has numerous applications, both offensive and defensive.
The first stage of the OODA loop is focused on gathering information about the environment, the adversary, and the decision-maker.
Observation is done with security monitoring tools that identify anomalous behavior which may require investigation. Using tools such as log analysis, SIEM alerts, IDS alerts, traffic analysis, NetFlow tools, vulnerability analysis, application performance monitoring and many more, Infopercept documents observations about the client's network and business operations, so that defense and response are more effective.
Orientation is the most important part of the process.
Orient evaluates what is going on in the cyber threat landscape and inside the client's company. In this phase Infopercept makes logical connections and establishes the real-time context to focus on. Using incident triage, situational awareness, threat intelligence and security research, Infopercept gets inside the mind of the attacker so that defense strategies can be oriented against the latest attack tools and tactics. Since these are constantly changing, Infopercept ensures that the latest threat intelligence feeds the security monitoring tools, which helps guarantee that the right information is captured and the necessary context is provided.
The purpose of the first two stages of the OODA loop is to place the analyst in the right position to complete the third stage: deciding on a course of action to pursue. Making a decision within the OODA loop means balancing the need for speed against the need to base choices on the information gleaned in the Observe and Orient phases.
The "Decide" phase is governed by the observations and their context. Infopercept security experts choose the tactics that minimize damage and speed recovery. All aspects of the incident response process are documented, and special attention is given to communications regarding data collection and the decision-making process. Infopercept uses incident response checklists for its response and recovery procedures.
Once a decision is made, it is vital to act on it. The goal of an OODA-driven analysis is rapid decision-making that causes confusion for the adversary. Taking the time to exhaustively analyze a decision before acting on it increases the probability that the adversary will act first and render the decision meaningless. Acting quickly and immediately returning to the Observe stage lets the analyst learn about the adversary from its reactions to past actions.
The Act phase remediates and recovers, and it improves the incident response procedures based on lessons learned. Using data capture and forensic analysis tools, system backup and recovery tools, patch management and other systems management tools, Infopercept ensures continual improvement in acting effectively during incidents, since effective action is the key to success.
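As an added illustration of the four stages described above (not Infopercept's own tooling), the following Python sketch runs a triage loop over constructed SIEM-style alerts: Observe counts activity per source, Orient scores each alert against asset criticality, a threat-intelligence list and the results of earlier cycles, Decide maps the score to a checklist action, and Act records the action so the next Observe pass can use it. The alert batches, intel entries, criticality ratings and scoring weights are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample data: two alert batches (one per OODA cycle), a small
# threat-intel list, asset criticality ratings and a decision checklist.
BATCHES = [
    [{"id": 1, "src": "203.0.113.7", "host": "db-01", "sig": "ssh-bruteforce"},
     {"id": 2, "src": "198.51.100.9", "host": "web-02", "sig": "port-scan"},
     {"id": 3, "src": "203.0.113.7", "host": "db-01", "sig": "ssh-login-success"},
     {"id": 4, "src": "192.0.2.44", "host": "wks-17", "sig": "port-scan"}],
    # Second cycle: a neighbouring address of the blocked actor hits another host.
    [{"id": 5, "src": "203.0.113.8", "host": "db-02", "sig": "ssh-bruteforce"}],
]
THREAT_INTEL = {"203.0.113.7": "bruteforce-actor", "198.51.100.9": "scanner"}
ASSET_CRITICALITY = {"db-01": 3, "db-02": 3, "web-02": 2, "wks-17": 1}
PLAYBOOK = {"high": "isolate host, block source",
            "medium": "block source, open investigation",
            "low": "log and monitor"}

def observe(batch):
    """Observe: count alerts per source so repeated activity becomes visible."""
    return Counter(a["src"] for a in batch)

def orient(alert, src_counts, state):
    """Orient: score the alert with asset, intel, frequency and feedback context."""
    score = ASSET_CRITICALITY.get(alert["host"], 1)
    if alert["src"] in THREAT_INTEL:
        score += 3
    if src_counts[alert["src"]] > 1:
        score += 1
    if alert["sig"] == "ssh-login-success":  # success following brute force
        score += 2
    # Feedback from earlier cycles: a source in the same /24 as one we already
    # blocked is treated as the adversary reacting to our action.
    net = ipaddress.ip_network(alert["src"] + "/24", strict=False)
    if any(ipaddress.ip_address(b) in net for b in state["blocked"]):
        score += 3
    return score

def decide(score):
    """Decide: map the orientation score to a checklist band."""
    return "high" if score >= 6 else "medium" if score >= 4 else "low"

def act(alert, band, state):
    """Act: apply the playbook entry and record what was blocked for the next cycle."""
    if band != "low":
        state["blocked"].add(alert["src"])
    return PLAYBOOK[band]

def run_ooda(batches):
    """Run one Observe-Orient-Decide-Act cycle per batch, carrying state forward."""
    state, log = {"blocked": set()}, {}
    for batch in batches:
        counts = observe(batch)
        for a in batch:
            band = decide(orient(a, counts, state))
            log[a["id"]] = (band, act(a, band, state))
    return log, state
```

Alert 5 would score "low" on its own; it is escalated to "high" only because the loop carried the first cycle's action forward, which is the feedback the Act-to-Observe return is meant to provide.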
With the lessons from the above, the client's team members and Infopercept learn to adapt. Team members should know what is expected of them, which can be achieved through in-depth training, detailed run-throughs and more.