A military combat offensive demands quick decision-making, and those decisions can mean life or death at any moment. This speed of thinking and deciding is critical to gaining an advantage on the battlefield and can even determine who ultimately wins. According to The Art of War by Sun Tzu, “Victorious warriors win first, and then go to war, while defeated warriors go to war first, and then seek to win”. It is important to remember that success is typically the result of meticulous planning and effective implementation. Simply put, whether on the battlefield or in the marketplace, success depends on well-defined insights and strategies prior to taking action. As a result, we must begin to make better decisions in our lives. Allow me to introduce you to the OODA loop, a method for making better decisions in 4 steps.
History of OODA Loop
The OODA (Observe, Orient, Decide, Act) loop was developed by military strategist and US Air Force Colonel John Boyd in the mid-20th century. Its purpose was to provide a model for rational decision making so that the best decisions could be made in the smallest amount of time. The method can be used on a personal as well as a corporate level. It is especially valuable in highly competitive situations, where being able to react to changing conditions faster than your opponent gives you an edge. Most organizations struggle to improve the quality of their decision-making. If a corporation keeps making decisions that do not yield a beneficial result, for example, it is failing to learn from its mistakes. The OODA loop recognizes this pattern and offers a method for addressing it.
OODA Loop in SOC
The OODA Loop is an agile, iterative learning and operations cycle that is used in the military as well as in the cyber security domain. The OODA loop has been adapted to the general operations involved in establishing and running a SOC (Security Operations Center). The diagram of the OODA loop is given below.
OODA Loop Patching
The patching OODA loop can also be applied to incident response methodology, which is a set of methods for identifying, investigating, and responding to possible security issues in a way that minimizes damage and allows for quick recovery. The different steps of the OODA loop are given below.
- Observe: The first stage is to identify the problem or threat and get a general sense of the internal and external environments. The more observations you can make and document about your business activities and network during this phase of the incident response technique, the more successful your response and defense will be. Tools and techniques used in this stage are vulnerability analysis; SIEM alerts; application performance monitoring; IDS alerts; NetFlow tools; traffic analysis; log analysis.
- Orient: This stage of the incident response methodology focuses mainly on data analysis (correlation, dashboarding and reporting). It is critical to think like an attacker in order to tailor your defense strategies to the latest attack tools and tactics. These are constantly evolving, so make sure your security monitoring solutions have the most up-to-date threat intelligence. This ensures that your tools are collecting the correct data and delivering proper context. Tools and techniques used in this stage are security research; incident triage; situational awareness.
- Decide: In this phase of the incident response methodology, catalog all areas of the incident response process. Communication around data collection and the decision-making process is perhaps the most crucial topic to describe here. Tools and techniques used in this stage are hard-copy documentation (pen, notebook and clock) and the company’s corporate security policy.
- Act: In this phase of the incident response methodology, the importance of training, communication, and continuous development in responding successfully during an incident cannot be overstated. Everyone on the team should be aware of their responsibilities and expectations. It is also a good idea to stay up to date on security best practices and to empower team members to speak out when they see places where your incident response technique might be improved. Tools and techniques used in this stage are system backup and recovery tools; data capture and forensic analysis tools; patch management and other systems management tools; security awareness training tools and programs.
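To make the four stages concrete, here is an added example (not part of the original post) that runs one pass of the loop as a small SOC detection pipeline over constructed SSH log lines: Observe parses the raw log, Orient correlates failures per source and enriches them with a threat-intelligence list, Decide applies a documented policy threshold, and Act turns the decision into response tasks. The log lines, the threat-intel set and the policy threshold are all constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample SSH auth log lines (not real data).
LOG_LINES = [
    "Jan 10 08:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 5022 ssh2",
    "Jan 10 08:01:04 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 5023 ssh2",
    "Jan 10 08:01:06 web1 sshd[1201]: Failed password for admin from 203.0.113.7 port 5024 ssh2",
    "Jan 10 08:02:10 web1 sshd[1202]: Accepted password for alice from 198.51.100.4 port 6000 ssh2",
    "Jan 10 08:03:00 web1 sshd[1203]: Failed password for bob from 198.51.100.4 port 6001 ssh2",
]
# Constructed threat-intel feed: sources already reported as hostile (assumption).
THREAT_INTEL = {"203.0.113.7"}
# Constructed corporate policy: failed logins per source before escalation (assumption).
POLICY = {"failed_login_threshold": 3}
LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def observe(lines):
    """Observe: extract structured events from raw log lines (log analysis)."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append({"result": m.group(1), "user": m.group(2), "src": m.group(3)})
    return events

def orient(events, intel):
    """Orient: correlate failures per source and enrich with threat intelligence."""
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    return {src: {"failures": n, "known_bad": src in intel} for src, n in failures.items()}

def decide(context, policy):
    """Decide: apply the documented policy to each correlated source."""
    decisions = {}
    for src, c in context.items():
        if c["known_bad"] or c["failures"] >= policy["failed_login_threshold"]:
            decisions[src] = "escalate"
        else:
            decisions[src] = "monitor"
    return decisions

def act(decisions):
    """Act: turn decisions into response tasks for the team (ticket, block request)."""
    return [f"open incident ticket and request firewall block for {src}"
            for src, d in decisions.items() if d == "escalate"]

def run_ooda(lines=LOG_LINES, intel=THREAT_INTEL, policy=POLICY):
    """One pass of the loop; in a SOC the outcome feeds the next Observe stage."""
    return act(decide(orient(observe(lines), intel), policy))
```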
In the next blog, I will focus on the practical implications of the OODA loop in a SOC.