OODA Loop in Cyber Threat Intelligence

Chad Warner
Jan 18, 2022 · 2 min read

The OODA Loop is a decision-making cycle for use in situations where one has limited time for gathering and analyzing info. OODA is an acronym for “observe, orient, decide, and act,” the steps of the OODA Loop. It was developed by John Boyd, a military strategist and US Air Force colonel.

Although CTI analysts would prefer to have ample info and time for analysis, there are situations where info and time are limited, yet a decision must be made quickly. Analysts will find the OODA Loop useful in such cases.


OODA Loop Steps

Observe

Gather info about the situation, including about yourself, your environment, and your adversaries. Take advantage of technology that monitors your network and systems, as well as available threat intel. Note anything unusual that requires investigation.

Orient

Consider the context of your observations and draw on your experience to make sense of them and gain situational awareness. Evaluate what’s happening inside and outside your organization that may be relevant. Form hypotheses about the situation, and predict what may happen next.

Decide

Choose how to respond to the situation, based on what you learned in the Observe and Orient steps. Balance the need to act quickly with the desire to minimize risk. Recognize that there is also a risk in not acting, or in not acting quickly enough. Communicate the decision to those who need to know.

Act

Quickly implement the decision.

After you act, repeat the loop by observing how your action has changed the situation, and proceeding with the remaining steps.

Battle of the OODA Loops

Defenders use the OODA Loop to detect and respond to attacks, but threat actors use the OODA Loop to attack. They observe a situation to exploit, orient themselves to it, decide how to exploit it, then act on that decision.

When defenders observe indicators of compromise, they begin their OODA Loop. As they cycle through their loop, the attackers also cycle through their loop. Each side attempts to cycle faster in hopes of reaching their objective before the other does.

By understanding and using the OODA Loop, you can help your organization defend itself more effectively.
