OODA Loop in Cyber Threat Intelligence
The OODA Loop is a decision-making cycle for use in situations where one has limited time for gathering and analyzing info. OODA is an acronym for “observe, orient, decide, and act,” the steps of the OODA Loop. It was developed by John Boyd, a military strategist and US Air Force colonel.
Although CTI analysts would prefer to have ample info and time for analysis, there are situations where info and time are limited, yet a decision must be made quickly. Analysts will find the OODA Loop useful in such cases.
OODA Loop Steps
Observe
Gather info about the situation, including about yourself, your environment, and your adversaries. Take advantage of technology that monitors your network and systems, as well as available threat intel. Note anything unusual that requires investigation.
Orient
Consider the context of your observations and draw on your experience to make sense of them and gain situational awareness. Evaluate what’s happening inside and outside your organization that may be relevant. Hypothesize about the situation, and predict what may happen next.
Decide
Choose how to respond to the situation, based on what you learned in the Observe and Orient steps. Balance the need to act quickly with the desire to minimize risk. Realize that there’s a danger in not acting, and in not acting quickly enough. Communicate the decision to those who need to know.
Act
Quickly implement the decision.
After you act, repeat the loop by observing how your action has changed the situation, and proceeding with the remaining steps.
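The following is an added worked example, not code from the original article: it models one defender-side OODA cycle over a constructed authentication log and a constructed threat-intel list (the log lines, addresses, thresholds and function names are all assumptions made for the illustration). The point it shows is the feedback described above: after Act blocks a source, the next Observe no longer sees that source, so the second cycle works on a changed situation.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample authentication log (not from the page): "<timestamp> <source-ip> <result>".
SAMPLE_LOG = [
    "2024-01-01T10:00:01 198.51.100.7 FAIL",
    "2024-01-01T10:00:02 198.51.100.7 FAIL",
    "2024-01-01T10:00:03 198.51.100.7 FAIL",
    "2024-01-01T10:00:04 198.51.100.7 FAIL",
    "2024-01-01T10:00:05 203.0.113.9 FAIL",
    "2024-01-01T10:00:06 203.0.113.9 OK",
    "2024-01-01T10:00:07 192.0.2.33 FAIL",
    "2024-01-01T10:00:08 192.0.2.33 FAIL",
    "2024-01-01T10:00:09 198.51.100.21 FAIL",
    "2024-01-01T10:00:10 198.51.100.21 FAIL",
]

# Constructed threat-intel feed (assumption): sources reported by a hypothetical external feed.
KNOWN_BAD = {"192.0.2.33"}

BLOCK_THRESHOLD = 3   # failed logins that alone justify blocking (assumed policy value)
WATCH_THRESHOLD = 2   # failed logins that justify closer monitoring (assumed policy value)

@dataclass
class Decision:
    source: str
    action: str      # "block", "watch" or "none"
    rationale: str   # what gets communicated to those who need to know

@dataclass
class State:
    blocked: set = field(default_factory=set)
    watchlist: set = field(default_factory=set)

def observe(log_lines, state):
    """Observe: count failed logins per source, skipping hosts already blocked
    (the previous Act changed what the defender can now see)."""
    fails = Counter()
    for line in log_lines:
        _ts, src, result = line.split()
        if src not in state.blocked and result == "FAIL":
            fails[src] += 1
    return fails

def orient(fails):
    """Orient: put each raw count in context (intel list, rate) and form a hypothesis."""
    hypotheses = {}
    for src, n in fails.items():
        if src in KNOWN_BAD:
            hypotheses[src] = ("known-bad", n)
        elif n >= BLOCK_THRESHOLD:
            hypotheses[src] = ("brute-force-suspected", n)
        elif n >= WATCH_THRESHOLD:
            hypotheses[src] = ("possible-probe", n)
        else:
            hypotheses[src] = ("benign-noise", n)
    return hypotheses

def decide(hypotheses):
    """Decide: map each hypothesis to an action and record the rationale."""
    actions = {"known-bad": "block", "brute-force-suspected": "block",
               "possible-probe": "watch", "benign-noise": "none"}
    return [Decision(src, actions[hyp], f"{hyp} ({n} failed logins)")
            for src, (hyp, n) in hypotheses.items()]

def act(decisions, state):
    """Act: apply the decisions to the defender's state (blocklist and watchlist)."""
    for d in decisions:
        if d.action == "block":
            state.blocked.add(d.source)
            state.watchlist.discard(d.source)
        elif d.action == "watch":
            state.watchlist.add(d.source)
    return state

def run_ooda(log_lines, cycles=2):
    """Run the loop for a fixed number of cycles; returns per-cycle actions and the final state."""
    state = State()
    rounds = []
    for _ in range(cycles):
        fails = observe(log_lines, state)
        decisions = decide(orient(fails))
        act(decisions, state)
        rounds.append({d.source: d.action for d in decisions})
    return rounds, state

if __name__ == "__main__":
    rounds, state = run_ooda(SAMPLE_LOG)
    for i, r in enumerate(rounds, 1):
        print(f"cycle {i}: {r}")
    print("blocked:", sorted(state.blocked), "watching:", sorted(state.watchlist))
```

In the first cycle the loop blocks the high-rate source and the intel-listed source, puts the two-failure source on the watchlist and leaves the single-failure source alone; in the second cycle the blocked sources no longer appear in Observe, so only the remaining two are re-evaluated. Real deployments would replace the static log with a live feed and add a time budget per cycle, which is where the trade-off between speed and risk in the Decide step shows up.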
Battle of the OODA Loops
Defenders use the OODA Loop to detect and respond to attacks, but threat actors also use it to attack. They observe a situation to exploit, orient themselves to it, decide how to exploit it, then act on that decision.
When defenders observe indicators of compromise, they begin their OODA Loop. As they cycle through their loop, the attackers also cycle through their loop. Each side attempts to cycle faster in hopes of reaching their objective before the other does.
By understanding and using the OODA Loop, you can help your organization defend itself more effectively.