OODA LOOP: The Security Operation Framework
The OODA loop, also known as Boyd’s Cycle, is a decision-making model created by military strategist and US Air Force Colonel John Boyd to describe how people and organizations can prevail in an unpredictable and chaotic environment. Col. Boyd held that a strategist using the OODA decision-making process can gain an edge by swiftly observing and understanding an adversary’s behavior. Accepting the chaos that comes with analyzing and learning faster than the opponent lets a decision-maker appear unpredictable and induce chaos in the adversary’s own decision-making.
The OODA loop is a four-stage process for decision-making: observe, orient, decide and act. A strategist should cycle through these phases often and rapidly as part of their analysis and decision-making process.

Observe
This stage is all about collecting information from the environment. For a SOC, this translates to the collection function: the ability to see the network and endpoint data required to spot an attack.
Orient
Of all the phases, the orient phase has one of the largest impacts, as it is where we try to interpret the situation given the data presented to us. For security operations, this means taking the available network and endpoint data and using it to form a hypothesis about what might be occurring. Without a team trained to understand attacks and the available information, this stage may lead to an incorrect interpretation of the data or a slower-than-necessary response.
Decide
In this stage it is time to decide, given your interpretation of events from the orient stage, the next best move to take against your opponent. For security operations, this means deciding how best to disrupt attackers so that we hold an advantage over them in the coming loop iterations. For a SOC, effectiveness in this stage often comes down to experience and training in how best to respond to any given situation. Playbooks and incident response procedures can be of great assistance here.
Act
The act stage is all about following through on the course of action chosen in the decide stage. In the SOC, this translates to your ability to respond quickly to an attack: do you have the permissions, tools and procedures in place to act fast and minimize damage? The impact of your action then feeds back into the next iteration’s observe stage, where the SOC needs to verify that the action taken had the desired effect.
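The four stages above, including the feedback from act back into observe, as an added example that is not part of the original article. It runs a minimal SOC loop over constructed SSH authentication events: observe parses the sensor lines, orient forms a brute-force hypothesis (a source exceeding a failure threshold) and checks whether an earlier block actually stopped the source, decide picks a playbook step (block a new suspect, escalate one that is still active after a block), and act records the step for the next iteration. The hostnames, addresses, users, log format and the threshold of five failures per window are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample telemetry (not real logs): three consecutive collection
# windows of SSH authentication events, one line per attempt. Hosts, users
# and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
WINDOWS = [
    # Window 1: a burst of failed root logins from one source.
    ["auth host=web01 user=root src=203.0.113.7 result=FAIL"] * 6
    + ["auth host=web01 user=alice src=198.51.100.4 result=OK"],
    # Window 2: the same source is still failing (the block has not taken effect).
    ["auth host=web01 user=root src=203.0.113.7 result=FAIL"] * 5
    + ["auth host=web01 user=alice src=198.51.100.4 result=OK"],
    # Window 3: the source is gone; one ordinary typo from a known user.
    ["auth host=web01 user=alice src=198.51.100.4 result=FAIL",
     "auth host=web01 user=alice src=198.51.100.4 result=OK"],
]

FAIL_THRESHOLD = 5  # assumed detection threshold: failures per source per window


@dataclass
class SocState:
    """What the SOC carries from one loop iteration to the next."""
    blocked: set = field(default_factory=set)
    history: list = field(default_factory=list)


def observe(raw_lines):
    """Observe: turn raw sensor lines into structured events (the collection function)."""
    return [dict(kv.split("=", 1) for kv in line.split()[1:]) for line in raw_lines]


def orient(events, state):
    """Orient: interpret the events. Returns the brute-force hypothesis
    (sources at or over the failure threshold) and feedback on earlier
    actions (did a previously blocked source stop producing failures?)."""
    failures = Counter(e["src"] for e in events if e["result"] == "FAIL")
    suspects = {src for src, n in failures.items() if n >= FAIL_THRESHOLD}
    feedback = {src: failures[src] == 0 for src in state.blocked}
    return suspects, feedback


def decide(suspects, feedback, state):
    """Decide: pick a playbook step per suspect. A new suspect gets blocked;
    one still active after a block is escalated, because the previous
    action evidently did not disrupt the attacker."""
    actions = []
    for src in sorted(suspects):
        if src in state.blocked and not feedback.get(src, True):
            actions.append(("escalate", src))
        elif src not in state.blocked:
            actions.append(("block", src))
    return actions


def act(actions, state):
    """Act: carry out the decisions and record them for the next iteration.
    The 'block' here is bookkeeping only; a real SOC would call its firewall
    or EDR API at this point."""
    for action, src in actions:
        if action == "block":
            state.blocked.add(src)
        state.history.append((action, src))
    return actions


def run_ooda(windows, state=None):
    """Run one OODA iteration per collection window. Returns the actions taken
    and the feedback produced in each iteration, plus the final state."""
    state = state or SocState()
    trace = []
    for raw in windows:
        events = observe(raw)
        suspects, feedback = orient(events, state)
        actions = act(decide(suspects, feedback, state), state)
        trace.append({"actions": actions, "feedback": feedback})
    return trace, state


if __name__ == "__main__":
    for i, step in enumerate(run_ooda(WINDOWS)[0], 1):
        print(f"iteration {i}: actions={step['actions']} feedback={step['feedback']}")
```

The second window is the case the act stage warns about: the decision was right, but the action did not land in time, and only the next observe/orient pass reveals it. Keeping that verification inside orient rather than assuming the block worked is what makes the loop a loop.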