The concept of the OODA loop was developed to aid military strategy. It is similar to the combat operations process often found at the operational level during military campaigns, and it is now often applied to understanding commercial operations and learning processes. By rapidly observing and analyzing the behavior of adversaries, strategists such as Infopercept can use the OODA decision-making process to gain a significant advantage.
The OODA loop is a four-stage decision-making process: Observe, Orient, Decide and Act. Infopercept cycles through the phases strategically and rapidly as part of its analysis and decision-making process. During a cybersecurity incident, acting quickly is crucial; the OODA loop is designed to help people make decisions and take action rather than freezing up and doing nothing. At its core, the OODA loop is a process for identifying and analyzing how a person thinks, acts, responds, and adapts to stimuli. This process can be invaluable to an information security practitioner and has numerous applications, both offensive and defensive.
The first stage of the OODA loop, Observe, is focused on gathering information about the environment, the adversary, and the decision-maker.
Observation is done with security monitoring tools that identify anomalous behavior which may require investigation. Using tools such as log analysis, SIEM alerts, IDS alerts, traffic analysis, NetFlow tools, vulnerability analysis, application performance monitoring and many more, Infopercept documents observations about the client's network and business operations, so that defense and response are more successful.
Orientation is the most important part of the process.
Orient evaluates what is going on in the cyber threat landscape and inside the client's company. In this phase Infopercept makes logical connections and establishes the real-time context to focus on. Using tools such as incident triage, situational awareness, threat intelligence, and security research, Infopercept gets inside the mind of the attacker so that defense strategies can be oriented against the latest attack tools and tactics. Since these are constantly changing, Infopercept ensures that the latest threat intelligence feeds the security monitoring tools. This further ensures that the right information is being captured and the necessary context is provided.
The purpose of the first two stages of the OODA loop is to place the analyst in the right position to complete the third stage: deciding on a course of action to pursue. Making a decision within the OODA loop involves balancing the need for rapid decisions against the need to make choices using the information gleaned in the Observe and Orient phases.
The Decide phase is governed by the observations and the context. Infopercept security experts choose the tactics that minimize damage and speed recovery. All aspects of the incident response process are documented, and special attention is given to communications regarding data collection and the decision-making process. Infopercept uses incident response checklists for multiple response and recovery procedures.
Once a decision is made, it is vital to act on it. The goal of an OODA-driven analysis is rapid decision-making that confuses the adversary. Taking the time to exhaustively analyze a decision before acting on it increases the probability that the adversary will act first and render the decision meaningless. Acting quickly and immediately returning to the Observe stage allows the analyst to learn about the adversary from its reactions to past actions.
Act remediates and recovers, and improves the incident response procedures based on lessons learned. With data capture and forensic analysis tools, system backup and recovery tools, patch management and other systems management tools, Infopercept ensures continual improvement in acting effectively during incidents, since these are the keys to success.
With the learning from the above, the client's team members and Infopercept learn to adapt. Team members should be aware of what is expected of them, which can be achieved through in-depth training, detailed run-throughs and more.