Implementing The OODA Loop in Cyber Warfare

Synergy is defined as the interaction or cooperation of two or more organizations, substances or other agents to produce a combined effort greater than the sum of their separate effects. Combined arms is the integration of complementary weapons in a manner that creates a synergistic effect and places an opponent in an inescapable, hopeless situation, otherwise known as the horns of a dilemma.1 In this paper, we will briefly examine how the synergy between the strategic initiative of Zero Trust and the OODA Loop creates such an effect.

Action Absent Strategy

The cyber warfare environment is like no other competitive environment confronting corporate America today. The competitive mindset necessary for winning the battle to protect data and critical digital assets, threatened by the evolving cyber threat environment, requires an entirely different mindset than that found in most organizations today. Yes, there is acceptance that the threat is real and there is agreement that the risk must be mitigated, but taking action has been slow and, in too many instances, absent a sound strategy.

The competitive environment in cyberwarfare is the internet. It is a guerrilla war environment that favors the cybercriminal. This operational battlefield continues to evolve as the use of IoT and IIoT results in a continuously broadening attack surface, increased vulnerability and questionable confidence in a remote workforce that often cannot be properly authenticated. The remote workforce, combined with the growing cybersecurity skills gap, demands improved situational awareness across the enterprise if the increased risk is to be offset and mitigated.

Defending against attacks in this environment is synonymous with boiling the ocean. Failure in this effort can lead to long-lasting brand damage, lost revenue and, in a worst-case scenario, can result in going out of business.  

This asymmetric threat environment requires an organization to prepare for an attack from any vector and be flexible and adaptable in the response. The Zero Trust architecture security model and the OODA Loop, a learning and decision-making strategy model, can work synergistically in aiding an organization in their efforts to mature the cyber model of the organization’s culture and, as a result, change the mindset and perspective regarding how to best defend data and critical assets.

The multiple discipline inclusion of this approach encourages the creativity and innovation in strategy development necessary to successfully compete with and defeat the cybercriminal.

Our Mental Models Make Decisions

The OODA Loop has been adopted by businesses to improve the Tempo2 in decision-making regarding an external problem on the horizon and positioning the organization’s solution to improve market competitiveness.

In regards to cybersecurity, it can be a learning and strategy model used to improve decision-making based on the data and information gained through the observation of external factors that may not be considered in Zero Trust. The result is a more informed mindset and improved situational awareness.

In general, humans lack situational awareness and our cognitive limitations cause us to lose a sense of our surroundings. One of the four skills of a leader is knowledge. Leaders today must seek information in their operating environment, their industry, what is happening in the broader economy, the business world and the larger world. While it is human nature to develop tunnel vision, this oftentimes leads to our forging ahead using what has worked in the past without considering different and opposing points of view.

The leader must understand and improve their knowledge in multiple disciplines in order to build mental models to add to the latticework of their and the organization’s mindset if it is to be changed as advocated. The product of this effort is the ability to create a vision of the future. This enhanced perspective is key to the evaluation of possible decisions that determine and guide action going forward.

The OODA Loop forces the organization out of the thinking mind and directly into action. The actions of the loop constitute a continuous behavior aimed at better positioning against a situation created by the previous loop.

The Four Phases Of The OODA Loop

1. Observe

The continuous gathering of information and data in the Observe phase provides intelligence, based on observation of the external world and internal environment, to gain an overall understanding of the condition and the organization’s situation relative to that condition over which you have no control.  

2. Orient

If, as repeatedly stated as a requirement to a successful Zero Trust journey, the mindset must be changed, the organization must be able to set aside the biases created from the current perspective on cyber defense. The Orient phase has become known as “the main emphasis phase” for decision-making.

This is the most important part of the OODA Loop. The goal in this phase is to find mismatches – errors in your previous judgment or in the judgment of others. The sooner you identify a mismatch that creates a vulnerability, the sooner you can reorient the protect surface to strengthen its security relative to a DAAS element of Zero Trust.

Creativity and innovation are the key products of this phase and are based on all the data gathered in the Observe phase, breaking it down into its constituent parts (i.e., elements of the existing Defense-in-Depth as an example), and recombining these parts through creative synthesis to form a new model to consider in the Decide phase.

Decisions on actions to be taken are shaped for the rest of the OODA Loop which subsequently shapes future loops. Done correctly, orientation compounds positively, but done poorly, it compounds negatively.

3. Decide

The best decision-makers are confident in the choice made but are flexible and adaptive to change based on the new mental models developed through the added knowledge, experience gained from executing the action of a previous loop and the change in situation relative to the condition over which you have no control.

In this phase, a series of meetings may be required to discuss options presented in the orient phase and adjust the strategy and action chosen as a product of the new orientation.

4. Act

The success or failure of a given decision will depend on the quality of the decision itself, but equally important is the mental toughness of the team members responsible for bringing the decision to life and their decision to remain committed.

Tying Zero Trust and OODA Together

Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating digital trust from your organization and, through the design of “protect surfaces,” reduces the attack surface of an organization in a way that favors the defender.

Defense-in-Depth is not a strategy but is a deployment of a number of tactics that, far too often, were deployed rapidly for the purpose of defending against a specific attack vector. The primary focus of Defense-in-Depth was perimeter security and it is proving to present a myriad of vulnerabilities and risks in the asymmetric threat environment in which the cybercriminal operates.

A borderless security strategy, such as the strategy in developing and deploying a Zero Trust architecture is vital for any organization with a global workforce or that offers employees the ability to work remotely. Many of the tactics and technologies deployed in Defense-in-Depth can and will be used in support of the deployment of a Zero Trust strategy.

Zero Trust will not stop all future cyberattacks, but it will make it much more difficult for the malicious attacker to mount a successful attack and, as a result, presents a defense more capable of breaking their will to continue.

Zero Trust is an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources. The OODA Loop is a model developed to assist an individual or organization in being proactive by increasing the Tempo of decision-making causing the adversary to be forced to respond to their actions. This tempo is not a frenetic movement but is varying in what has been referred to as “Fast Transient.” This transient is the change between maneuvers with the ideal transient being an abrupt, unexpected, disorientating change (such as denying access when it would otherwise be implicitly expected) resulting in confusion on the part of the adversary.

One of the major factors challenging an enterprise’s implementation of Zero Trust networks is visibility and control. At each step of the five-step design process of Zero Trust, the OODA Loop can contribute to improving visibility through the Observe and Orient phases of the loop. In doing so, understanding of the current situation is improved, positioning to improve the situation is enhanced and alternatives are provided for consideration in the Decide phase prior to taking action.

In Zero Trust, the OODA Loop concepts function primarily within Step 5 – Monitor and Maintain: identify ways to make policies more secure, determine what should be included in a protect surface and what are the interdependencies of the DAAS.

As a learning strategy model, The OODA Loop concepts integrate well with this process to better inform and provide invaluable insight to the data and information gathering effort.

Observe

Observe can be succinctly defined as the event collection process. This is an iterative process of inspecting and logging all of the telemetry an organization is able to collect into a big data lake for the purpose of using a learning system to gain insights into how to improve over time.

Orient

Collected data must be contextualized in order to extract insights that can be acted upon. For example, what is the protect surface that the packet is accessed, what DAAS element is in the protect surface.

Every resource request should trigger a security posture evaluation. This includes continuously monitoring the state of enterprise assets that have access to the environment, whether they are owned by the organization or another entity, if they have access to internal resources. This includes quickly applying patches and vulnerability remediations based on insight gained from the ongoing monitoring and reporting.

Decide

The Decide phase uses automation to determine what needs to happen to a packet. The weight of importance for each data source may be a proprietary algorithm or may be configured by the enterprise. These weight values can be used to reflect the importance of the data source to an enterprise.

The creation and innovation of potential decision models, based on a more informed understanding of what controls should be included in the protect surface, provide decision models for improved policy and procedure creation. Computational systems are very good at quickly analyzing the data points so that the Act phase can begin.

Act

Act is for Action. Insight gained from the system needs to automatically take an automated action, if possible. The OODA is about reducing the time from observation to action. This means that automation must happen. To send this back to a human for a decision obviates the value of the OODA loop. Luckily advances in technology have made cybersecurity automation not only possible, but preferable to human interaction because of the time to action reduction and the fidelity of the response.

The completion of this loop initiates a new loop and the process continues in order to stay current and address changes that occurred in the prior loop.

A Holistic View of Security

The combination of the OODA Loop and Zero Trust models provides a holistic view of the operating environment for a protect surface and the enterprise.

All cybersecurity plans are inherently limited. Problems and failure are inevitable in any plan and there are always events that no one foresees. The ability to put aside the plan, adapt to the unexpected and proceed is the product of training, preparation and continuous testing of a strategy. Zero Trust, integrated with the OODA Loop, improves an organization’s ability to be flexible when the unexpected is encountered.

The strategy for executing a plan should be developed around insights that enable the creation of a competitive advantage. Information from all channels will impact observations and the orientation regarding decisions. This updated information and subsequent action are the keys to seizing control of a situation and causing the opponent to respond to your actions.

Integrating the OODA Loop with the Zero Trust strategy model will ensure information from all channels is considered in the orientation phase where creativity and innovation regarding decisions and action are formed. It is the foundation for setting the vision to achieve the major change necessary to secure the operational environment of digital transformation and the remote workforce.

The mindset and perspective regarding decision-making that leads to improved and focused action regarding systems, processes and policies of the Zero Trust strategy are paramount, but a strategy developed by the OODA Loop will enable action before the conscious mind pulls the emergency brake. That transient response is critical in a rapidly evolving situation such as that found in the cyber threat environment.


[1] Santamaria, Jason, et al., The Marine Corps Way: Using Maneuver Warfare to Lead a Winning Organization, McGraw Hill Books (2004), p. 123

[2] Tempo is relative speed in time. Any competition is a series of moves and countermoves in which the tempo of execution is important.

By Cliff Kittle and John Kindervag.

Previous Post
Zeroing In On The Zero Trust Model Via Simulation Platforms
Next Post
The Zero Trust Dictionary
Menu