How Security Teams Can Learn to Stop Worrying and Love the OODA Loop

A well-loved military operational strategy is the OODA loop, a learning cycle that helps the operator gain an advantage against their opponent by responding with greater agility to unfolding events. While initially outlined by Colonel John Boyd with the fighter pilot user persona in mind, it is not only applicable to cyberwarfare but also remarkably pertinent for enterprise security programs.

In this post, we’ll delve into the OODA loop and its components — Observe, Orient, Decide, Act — and how they relate to infosec programs. After this neutral exploration, we’ll then show how Capsule8’s product can help security teams adopt this learning cycle in the realm of Linux production security.

So, what is the OODA Loop?

The OODA loop consists of the continuous cycle of Observe — Orient — Decide — Act. The story of why Boyd conceived it may sound familiar to those within information security. Boyd identified that the response to recent military failures was “more and better sensors, more communication, more and better computers” and that “this way of thinking emphasizes hardware as the solution.” Switch out technology for hardware, and it could be describing the coping mechanisms of security operations in many organizations today.

Boyd’s proposed alternative was a way that “emphasizes the implicit nature of human beings” — the OODA loop. Variety and rapidity are needed to embrace the natural chaos of the surrounding environment, but they must be tempered with unity and initiative towards a goal — that way operators do not drift towards the extremes of disarray and rigidity. 

The idea behind this approach is that you can channel the chaos of the operating environment (originally the battlefield) to confuse and disorient your enemy. If you operate at a sufficiently quick tempo, your opponent won’t have the chance to catch up and respond accordingly before you’ve moved on to your next activity — which means they’re likely to play their hand (and reveal their intended behavior) with minimal consequence to you.

Let’s go through each of the loop’s components individually to understand more — first on what OODA loops mean generally so we can dig into what they mean for information security in the next section.

Observe is how one gains insight and vision, which is necessary for orientation. Operators need to paint a picture in the spirit of the Realism movement, capturing the truth and accuracy of a situation. This stage is not simply about collecting information, either — the right information must be collected, and the chaff discarded.

Orientation informs how we interact with our environment, shaping “the way we observe, the way we decide, the way we act” — making it the most important part of the loop according to Boyd. As part of orientation, we must decipher and distill the world around us to fully embrace reality and bask in acute awareness of the situation. Important in this step is removing biases as much as possible — the goal is to disinfect our analysis of subjectivity and polish it into a gleaming pearl of truth.

Decide is, perhaps obviously, when you decide to do something based on your orientation. But, you shouldn’t necessarily be making the same decision over and over — a playbook from 2010 is unlikely to work today. Your decision-making process needs to be flexible, testable, and recorded, rendering it more akin to a hypothesis than how people traditionally think of a decision.

Act is about the ability to actually act upon the hypothesis — and where you’ll receive enormously valuable feedback about how well your hypothesis fared in your environment. This feedback directly feeds into the “Observe” stage for the next OODA loop. Like an Ouroboros, you are digesting the data you produce continuously into infinity (or when you retire, die, or switch jobs).

How does the OODA loop apply to enterprise infosec?

Defenders frequently bemoan their inability to keep up with attackers, and an OODA loop approach can help rectify this grievance. Ideally, commercial information security products should help defenders adopt and rapidly complete OODA cycles so they can be strategic rather than reactive. So, how does each component of the loop manifest within information security?

Observe in the context of infosec involves collecting data from sensors, including netflow, host telemetry, instrumentation of processes, and basically any other accessible system data. While information about specific attack groups may be useful in a cyberwarfare context, it is primarily a distraction for all but the largest and most advanced enterprise security teams. As in any context, the right data must be used and any irrelevant data discarded — and this is where most security products fail out of the gate.

Orient derives meaning from the collected data and makes sense of it in context — ideally fostering deep situational awareness without magnification of existing biases. This is where analytics and fancy math often join the fray (with varying degrees of efficacy). For instance, it’s incredibly useful to correlate multiple malicious events to paint a compendious narrative of an active attack. However, anomaly detection generating numerous false positives will serve to disorient more than orient. Given Orientation is the most critical stage of the OODA loop, ensuring analytic precision is perhaps the most challenging and important task of the security team.

Decide involves formulating and documenting hypotheses about how to respond to security events that arise. This often involves not just one action, but a chain of actions — that is, a workflow — that can ameliorate an incident, from investigation to remediation. While some security teams already possess orchestration tools or even automated workflow engines, less frequently seen are revisions to workflows based on feedback about how well the workflow performed in actual scenarios. That is, the “proof in the pudding” is not subsequently digested into a new OODA loop, because the hypothesis wasn’t documented.

Act doesn’t mean take action on the decision one winsome day when all the fires die down, it means prompt execution of a decision (hypothesis). The most common actions within a security context are to block, quarantine, delete, restart, start, stop — whether connections, processes, programs, nodes, instances, etc. Crucially, when action is taken, the outcome must be ingested as relevant data to inform the Observe stage in your next OODA loop. Refinement of strategy simply can’t happen if you aren’t collecting the results of your hypothesis testing — and any results will be irrelevant if you wait too long to act.

Capsule8 & the OODA loop

Here’s where our pitch begins, because we think it’s pretty awesome that Capsule8 can perform a full OODA loop for security teams in the context of Linux production environments.

Capsule8’s open source sensor provides the data needed in the Observe phase, plus a bit of the Orient phase as well. The sensor provides safe visibility into system behaviors, specifically looking at particular spots known to be typical “chokepoints” for attackers, drastically reducing noise relative to a system collecting every datapoint possible without regard to relevancy. We also prejoin metadata to give as much context as possible around an event — answering the question of who, what, where, and how (we don’t pretend we can fully answer the “why”).

Capsule8 Protect, the enterprise edition of our product, enhances the Orient phase and also covers the Decide phase. The ability to create policies allows defenders to formulate hypotheses about unwanted activity in their environment and test efficacy. For instance, from the Orientation phase, a security team may realize that wget can only lead to a path of darkness within their organization’s environment. Thus, defenders can create a policy that blacklists wget, deploy it (the Act phase), and then collect relevant information and context when there is a policy violation (Observe) to refine the policy continuously.

Further, Capsule8’s ability to capture incidents — correlated events that map to a broader attack — and metadata around resources and users involved in them assists in the Decide phase, too. We let users add their own metadata key value pairs (what we call “labels”), which, in essence, lets you create your own context around events. Security teams can formulate hypotheses about which resources, such as specific clusters, services, or containers, might be most prone to specific types of attack, and use Capsule8 to detect whether their suspicions are correct. 

Our Response capability combined with our alert integrations extends defenders’ ability to execute on their decisions in the Act phase. Using Capsule8’s native response capabilities, you can automatically kill or quarantine processes and workloads involved in unwanted activity — no manual effort required. Capsule8 will give you feedback on whether or not the response was successful, allowing you to refine your strategy in the face of similar attacks going forward. 

If you’re already using a tool like AWS Lambda, you can create runbooks by linking up Capsule8 to Lambda via a webhook and performing fancy moves like moving infected VMs out of production and into an investigatory environment, while restarting an uninfected instance in production. These sorts of advanced moves truly embrace Boyd’s ideal of harnessing the chaos of the situation and directing it at your opponent — thereby letting you better understand their behaviors and intentions.

Conclusion

Regardless of what you call it, having a tight, agile feedback loop to ingest data, gain situational awareness, formulate a hypothesis, and test that hypothesis is essential in any sphere with evolving context — including enterprise information security. As Agile methodologies become ubiquitous in enterprises, security needs to keep up and not get stuck in analysis paralysis. By embracing an OODA loop model, security teams can ensure they’re constantly learning and polishing their strategies — meaning they’ll be more resilient in the face of incidents. 

We like to think Capsule8 can help you on your journey to operating within an OODA loop, at least for your Linux production environments, giving you a big boost in your resilience — and ensuring that the only surprise and scrambling happening is on the attacker’s side when they’re sent back to square one after attempting their moves.