This week, we are proud to present Part I of a two-part thought leadership paper on the OODA Loop and how it may be successfully applied to cybersecurity. Cliff Kittle, a retired Marine Corps Captain who knows a thing or two about wartime decision making, does a great job of simplifying the ideas behind OODA and explaining why each component is important and must work with the others to be effective.
A brief excerpt:
“Perhaps the greatest value in executing the Observe phase of the OODA Loop can be found in the ability to perform “danger management.” Based on observation of the external operating environment and adversary Tactics, Techniques and Procedures (TTPs), a determination of the attack surface (i.e., data, applications, assets, services) where the greatest current danger might exist can be made. With this knowledge, the organization would be better prepared to orient the focus of its defensive effort. The current defense-in-depth philosophy often does not achieve such focus and, as a result, falls victim to the organizational situation, “Preparedness everywhere means lack everywhere.” In other words, a strategy of preparing and reacting, no matter how comforting it may seem to the organization, contains inherent vulnerabilities.”
*Danger Management is a phrase John Kindervag coined for the moment, before the risk materializes, when an adversary is harvesting the data elements that will assure a successful attack; Risk Management is the act of dealing with the probability of such an event.
Part 1
“War will be reborn in another form and in another arena, becoming an instrument of enormous power in the hands of all those who harbor intentions of controlling other countries or regions.”[1]
In this rebirth, data weaponization has become a tactic of attackers seeking to establish control of a conflict. It may be used in political conflict, in the economic war we have been engaged in for years, or as a complement to traditional kinetic war tactics, as recently witnessed in Ukraine.
Regardless of the situation, time is not on the side of the defender. Any conflict is a series of moves and counter-moves in which decisions must be executed at a Tempo[2] that enables the organization to control the event and force the adversary to respond to its tactics. A strategy model that capitalizes on innovation, maneuverability and creativity is a must if such a tempo is to be achieved.
The competitor who is able to act faster than the opponent will identify opportunities and make decisions that force the opponent into a constant state of reaction. Today the cyber adversary you are competing with is frequently more practiced in strategy and tactics than the defender and is setting the tempo.
A perfect decision, which is often the goal of analytical decision-making models, is not possible in cybersecurity. The continuous evolution of the threat environment produces multiple variants of the original problem, each requiring a decision on the action necessary to remediate the risk it presents to critical assets.
Bruce T. Blythe, Chairman of R3 Continuum, once said that decision making in a crisis is “located somewhere between analysis and intuition.” It is, therefore, a combination of science and art. The science is the information available at a given time. The art is determining whether that information falls within an acceptable percentage of the information required to decide on an action with an acceptable probability of success.
Colonel John Boyd, U.S. Air Force, designed a decision-making model to improve the art and increase the tempo of decision making, in order to improve the probability of success and force the opponent to respond to your actions.
The model, known as the “OODA Loop,” has four steps: Observe, Orient, Decide and Act. Over the years, this mental process has been adopted by businesses to help them thrive in a volatile and highly competitive economic environment and, more recently, in the asymmetric cyber threat landscape. It encourages decision makers to think quickly, anticipate threats and neutralize them before they become critical.
Observe
The first O in OODA is Observe. Observe means more than just “see.” It is closer to “actively absorbing the entire situation,” both internally and externally. To absorb the entire situation, information channels covering your own situation, your opponent’s situation and all dimensions of the operating environment (i.e., physical, mental and moral) must be mined to gain overall awareness of the Condition[3]. The data gathered in this mining effort is not only numbers on a screen; it includes observation of the emotional context, industry trends and the moves of cybercriminals.
The objective in this step, as a decision maker, is to ingest all the information possible and use the increased awareness to build as complete an understanding of the vulnerabilities and related risks as possible.
To be done properly, the pursuit of this knowledge includes the mindsets (perspectives) of multiple disciplines (i.e., academics, other industries, intellectuals, peers and trusted partners). In this information collection phase, observing through these differing mindsets, across both the internal and external environments, allows the character or nature of the abstract, complex operating environment to be determined with greater consistency.
When used properly, the Observe step allows an organization to avoid the entropy that results when a closed system is the source of all information considered in the development of a security plan. Entropy is a concept that represents the potential for doing work, the capacity for taking action, or the degree of confusion and disorder associated with any physical or information activity; high entropy implies a low potential for doing work, a low capacity for taking action, or a high degree of confusion and disorder. Viewed in the context of the 2nd Law of Thermodynamics, all observed natural processes generate entropy, so the potential for taking action falls and confusion and disorder rise as the level of entropy increases.
Entropy, as it concerns the capacity for taking action or the growth of confusion and disorder, is relevant to cybersecurity defense because organizations remain predominantly mired in a closed system of defense-in-depth perimeter security. Steady-state, continuous analysis within a closed perimeter defense is a weakness of any system that cannot communicate in an ordered fashion with systems or environments external to itself. In such an environment we should expect entropy to increase, and with it confusion and disorder, whenever there is an attempt to do work or take action, such as matching a concept to the reality of a situation. As the system moves toward a higher, yet unknown, state of confusion and disorder brought about by the continuously increasing complexity of the operating environment, the character or nature of the abstract system can no longer be determined with consistency.
If the organization is to counter the rapid changes in both the digital transformation of the business operating environment and the evolving threat environment, it needs a holistic view that draws on multiple sources of knowledge. Such a view enables the organization to remain in a “relaxed” but constantly alert security status with respect to any anomalous activity within the operational environment.
In the Observe step, the organization is closely monitoring:
- Unfolding circumstances;
- Outside information, such as up-to-date threat intelligence;
- The unfolding interaction with the environment with respect to laws and regulations;
- Potential new or increased exposure to risk brought to light by the most current risk analysis.
There are two problems frequently encountered in the Observe phase:
- The organization observes imperfect or incomplete information. This is common in any environment that involves data; there will always be a limit to the precision with which values can be known. It can cause hesitation during the Decide step of the Loop.
- The organization can be inundated with so much information that separating the signal from the noise becomes difficult. In cybersecurity this is an even larger issue because of the shortage of skilled security personnel, and it is frequently cited as a major factor in the volume of successful breaches that continue to occur across all industries.
Perhaps the greatest value in executing the Observe phase of the OODA Loop can be found in the ability to perform danger management. Based on observation of the external operating environment and adversary Tactics, Techniques and Procedures (TTPs), a determination of the attack surface (i.e., data, applications, assets, services) where the greatest current danger might exist can be made. With this knowledge, the organization would be better prepared to orient the focus of its defensive effort. The current defense-in-depth philosophy often does not achieve such focus and, as a result, falls victim to the organizational situation, “Preparedness everywhere means lack everywhere.”[4] In other words, a strategy of preparing and reacting, no matter how comforting it may seem to the organization, contains inherent vulnerabilities.
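As an added illustration, not part of the original paper, the following Python sketch shows what danger management in the Observe phase can look like when written down: sightings of adversary TTPs from a threat-intelligence feed are aggregated into pressure on each class of attack surface, and the organization’s assets are then ranked by that pressure, their exposure and their criticality, so that defensive effort is focused where the observed danger is rather than spread everywhere. The TTP sightings, the asset inventory, the category names, the weights and the function names are all constructed assumptions, not data or a method from the paper.

```python
"""Added example (not from the original paper): rank attack-surface elements by
the danger indicated by currently observed adversary TTPs.

All data below is constructed for illustration; the categories, weights and
scoring rule are assumptions, not a published method."""
from collections import defaultdict

# Constructed threat-intelligence observations. Each sighting names a TTP, the
# class of attack surface it targets (identity, application, service or data),
# and a recency weight in (0, 1]: 1.0 = seen this week, lower = older sighting.
OBSERVED_TTPS = [
    {"ttp": "phishing for credentials",      "targets": "identity",    "recency": 1.0},
    {"ttp": "credential stuffing",           "targets": "identity",    "recency": 0.8},
    {"ttp": "exploit public-facing web app", "targets": "application", "recency": 0.7},
    {"ttp": "compromised build dependency",  "targets": "service",     "recency": 0.3},
]

# Constructed asset inventory: class of attack surface, whether the asset is
# reachable from the internet, and business criticality on a 1-5 scale.
ATTACK_SURFACE = [
    {"asset": "sso-idp",          "category": "identity",    "exposed": True,  "criticality": 5},
    {"asset": "customer-portal",  "category": "application", "exposed": True,  "criticality": 4},
    {"asset": "internal-wiki",    "category": "application", "exposed": False, "criticality": 2},
    {"asset": "ci-build-service", "category": "service",     "exposed": False, "criticality": 4},
    {"asset": "hr-database",      "category": "data",        "exposed": False, "criticality": 5},
]

# Assumed discount for assets the adversary cannot reach directly.
INTERNAL_EXPOSURE_FACTOR = 0.3


def ttp_pressure(observations):
    """Sum recency-weighted sightings per attack-surface category.

    The result is the observed danger on each category: how much current
    adversary activity is pointed at it."""
    pressure = defaultdict(float)
    for sighting in observations:
        pressure[sighting["targets"]] += sighting["recency"]
    return dict(pressure)


def danger_score(asset, pressure):
    """Current danger to one asset: category pressure x exposure x criticality.

    A category no adversary is currently working against scores zero. That is
    the point of danger management: effort concentrates where the observed
    threat actually is, not uniformly across the estate."""
    exposure = 1.0 if asset["exposed"] else INTERNAL_EXPOSURE_FACTOR
    return pressure.get(asset["category"], 0.0) * exposure * asset["criticality"]


def rank_attack_surface(assets, observations):
    """Return (asset, score) pairs, highest danger first."""
    pressure = ttp_pressure(observations)
    scored = [(a["asset"], round(danger_score(a, pressure), 2)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def defensive_focus(assets, observations, top_n=2):
    """Names of the top_n assets that should receive the focused effort."""
    return [name for name, _ in rank_attack_surface(assets, observations)[:top_n]]


if __name__ == "__main__":
    for name, score in rank_attack_surface(ATTACK_SURFACE, OBSERVED_TTPS):
        print(f"{name:18s} danger={score}")
    print("focus on:", defensive_focus(ATTACK_SURFACE, OBSERVED_TTPS))
```

With the constructed data the identity provider ranks first (two recent identity-targeting TTPs against an exposed, critical asset) and the HR database last, despite its criticality, because nothing observed is currently aimed at the data category. The score is deliberately simple; what matters is that the ranking is driven by observed adversary behaviour and has to be recomputed every time the Observe step brings in new sightings, which is what keeps the loop turning.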
Orient
The second O in OODA stands for Orient, and this phase has become known as “the main emphasis phase.” It is the most important step in the learning/strategy model because orientation shapes the way the security team positions its security resources within its operational environment, provides the alternatives to be considered in the Decide phase and subsequently determines the way the organization acts.
The goal you are striving to achieve in this phase is to prove your previous beliefs (perspective[5]) wrong by finding mismatches. The greater your understanding of the mismatches and the vulnerabilities they create, the sooner you are able to re-orient controls in order to strengthen the organization’s security posture. Orienting can provide the security team with an edge over the adversary and can help overcome a disadvantage in terms of fewer resources and less information than the adversary may have. The creation of a more accurate model of the reality of the condition enables better decision making regarding actions necessary to mitigate the risk of a breach and be better prepared to respond should an event occur.
The asymmetric operational threat environment of the cybercriminal requires the defender to employ a maneuver warfare strategy supported by the insights of the orientation phase of the OODA Loop. It should be noted that the cybercriminal is also using the Observe stage in this asymmetric environment, gaining information through IoT devices that commonly ship with some level of vulnerability from the day they roll off the manufacturing floor. Many of these devices are designed and built in nations with known ties to state-sponsored hacking organizations. From these observations, the cybercriminal orients attack vector(s) against the devices, applications, services and data.
The information collected in the Observe step is used in the Orient step to create mental models for consideration. These models serve as tactics in support of the strategies for achieving the objectives of the Cybersecurity Action Plan, and they shape how everything in the OODA Loop works.
Orientation shapes the character of the current loops, and the current loops shape the character of future orientation efforts. These “stored” mental models[6] can be broken apart and their elements used to create a new mental model for a new situation produced by the continuously evolving threat environment. The security team must have at its disposal as many potential mental models in the latticework of its collective mindset as possible. To expand the latticework, the process Boyd called “Destruction and Creation” must be applied: current models are examined and broken down into components that can be used to create new models for consideration in the Decide phase of the OODA Loop.
The ability to destroy previous patterns, break them into components and create new patterns that permit the organization to both shape and be shaped by the changing environment is critical to surviving on your terms and not the adversary’s terms.
The Destruction and Creation activity is dialectic in nature,[7] generating both disorder in what is currently being done and the order that emerges as a changing and expanding universe of mental concepts is matched to the changing and expanding universe of observed reality. It is a reality that our biases have failed to accept.
Through dialectic mental operations we must first shatter the rigid conceptual pattern or patterns of the existing mindset. We then gather common qualities, perceptions, ideas, impressions, interactions and observations together as possible concepts to represent the situation created by the condition we are facing. A new concept is forged by applying the mental operations of destructive deduction and creative induction.
Human behavior is the product of a mindset whose patterns have been set by education, experience and the environment in which the individual is currently operating. That mindset is frequently the source of the “We have always done it this way!” response to a suggested change, and it is exactly what the Destruction and Creation process must break apart if individuals and organizations are to shape, and be shaped by, the changing environment on their own terms.
To Be Continued…
In order to develop a strategy for the current threat event, the strategist must be familiar with numerous disciplines and use them as sources of the knowledge needed to form a winning cybersecurity defense strategy. The disciplines from which to draw knowledge for the creation of mental models are many. For creativity and innovation to occur as a purposeful process that maximizes the benefits gained, the perspectives of the highly creative and innovative people involved in the situation, from multiple disciplines, must be included in the orientation phase. By drawing on multiple disciplines, the security team’s mindset is broadened and opened by the addition of new mental models that support both the business objectives and the strategies being implemented in the cybersecurity action plan. The cognitive biases that cause a person to make bad decisions must also be considered. All conflict distills to a battle of wills. In information security that battle of wills will most often exist between the security team and the business units; it can create friction that leads to a state of indecision about the operational procedure needed to effect the necessary orientation change.