Any organization that conducts business on the internet is at risk of a cyberattack. The constant barrage of threats can be as minor as phishing emails or dangerous as an advanced persistent threat (APT). These threats can make working in cybersecurity feel a lot like fighting on a battlefield. That’s why the OODA loop process (originally conceptualized as a way for fighter pilots to deal with high-risk combat scenarios) has gained popularity in the information security industry.
What is the OODA Loop Process?
The OODA loop process consists of four steps: Observe, Orient, Decide, and Act. It helps organizations respond to high-risk situations faster and more intelligently. Like any good combat plan, the OODA loop process out-maneuvers your attackers by anticipating their next moves and decisively taking action to thwart them.
The first step in the OODA loop is to gather data about the threat incident. You need an understanding of the problem, the environment, and other related factors. The key is to conduct this observation as quickly as possible by filtering out the irrelevant information from the relevant information so you can react before too much damage is done.
In a network security incident, observation involves collecting and sorting logs from your SIEM (Security Information and Event Management) or monitoring tools. Often, these tools generate a lot of irrelevant data that must be filtered out to identify the problem. Luckily, AI and machine learning analytics tools can weed out this irrelevant info much faster than humans. Still, verifying that your logs provide as much coverage as possible and that your log collection is working correctly before an incident occurs is important. This will ensure you have complete and accurate information to orient yourself during an attack.
In the second step, you must analyze the data collected during observation to make sense of what’s happening. The goal is to conduct this analysis with as little bias as possible to ensure you have an objective view of the threat and your options.
In network security, orientation is much easier when you have a baseline for comparison. You should have baselines for account behavior, system state, and application performance to tell when something unusual is happening and understand what caused the change.
Next, it’s time to decide based on a swift but thorough analysis of your observations. You need to devise a flexible plan for responding to a breach that allows you to adapt quickly to unpredicted actions by the attackers. This plan also needs to be documented to use what you’ve learned to improve future decision-making.
When responding to a cybersecurity incident, your plan should include all the workflows needed to repel the invaders, repair the damage they’ve done, patch the vulnerability they exploited, and thoroughly document the incident. This plan should be testable (for example, with A/B testing) to ensure that your actions will not cause any additional issues. It should also allow digital forensics to investigate the attack's source, cause, and effects, which means fixing the problem without wiping all traces of what has happened. This can be very valuable for your future cybersecurity strategy and might even be legally required in some cases.
The fourth step is to act upon the decision you’ve made. Your goal is to reach this step as quickly as possible to limit the damage done by the attack. Again, a series of actions and workflows will likely occur at this stage. Thoroughly document each of these workflows and their results, as this will help build out cybersecurity incident playbooks you can use to respond to similar events in the future.
If your plan effectively neutralizes the attack, then the results of this OODA loop will help you deal with future cybersecurity incidents. If your proposed plan fails, you’ll still utilize the results to form new observations, make a more informed analysis, change your decisions, and implement a new plan.
How the OODA Loop Process Can Improve Decision-Making and Network Security
The OODA loop process can help your organization respond to threats much quicker. It trains the individuals on your security team to react to attack indicators faster and more intelligently. It also creates a flexible decision-making process that adapts to an attacker’s strategy as it unfolds. This process enables you to anticipate how an attacker will behave, thereby turning the tables on them and forcing them to respond to your actions on your terms, with minimal damage to your network.