Finally... we've Observed, Oriented, Decided and now it's time to Act - the final chapter in the Information Security OODA Loop.
So far we've gained insight into the 3 other parts of the OODA Loop which are critical and build us up to the final step. To be truthful, there is rarely a sequence to these steps that follow so closely all the way through.
We often find ourselves acting and observing at the same time, while orienting the findings and deciding what to do next. These steps are not prescriptive for a rigid execution path, only for a way to bring these 4 critical pieces of tactical response to hostility together cohesively.
The action is simply a culmination of everything we've done so far, but let's be honest with ourselves, how many times have you performed actions without even taking the time to observe, orient or even decide? We call those reflect reaction, because it's things you've either learned to do (trained yourself) or been taught to do (been trained by someone else) in a given situation.
Let me give you a concrete example - we teach children to do what when a stranger approaches them? What about if you ever find yourself on fire? You most certainly recall the famous "stop, drop and roll" right? Well this same mentality applies to Information Security and incident response - which is really what this is all about. If A then B, else C.
That's just how we are wired, those of us who have been in the job for more than a week, anyway. Much like your reaction if you find yourself aflame, your reaction to an exfiltration of data is to shut down the data steam, block source. It's what we've trained ourselves to do.
The question of these trained responses isn't whether we want to eliminate them or not - but rather - how do we harness them to make better decisions when on the fly. Keeping yourself from going into auto-pilot when seas get rough is difficult, so sticking to the OODA Loop methodology is critical.
Look, I'll be honest, I can say I'll stick to something all day long but unless I actively practice it I'm bound to stumble or simply forget. So actions are your chance to pause - if even for a millisecond - to reflect on the other 3 components of what you are about to do and ask yourself if it's the right tactical and strategic move.
Practice makes perfect. OK, maybe not perfect but practice makes darn near good enough. If you're going to dive into the OODA Loop for Information Security incident handling, you're going ot need to practice... a lot.
Just like the backup that runs for years only to find out it's been failing to capture a critical file when things finally end up corrupt, practicing the OODA Loop for incident response is critical to making sure you avoid panic-induced decisions which could be catastrophic when things actually hit the fanblades. If you're already formulating excuses in your head as to why you won't be able to practice - just forget this altogether.
Assuming you're going to practice to avoid those reflex actions, you should start thinking about what to do "next". As you can probably guess, taking action isn't the end of any OODA Loop, in fact quite the opposite is true. Once you've performed an action it's time to once again observe and orient then decide on the next action.
Sometimes it's a corrective action, sometimes the decision is to stay the course and perform no action, but you must continuously re-evaluate your position post-action. Just like in a real physical kinetic engagement, the cyber world demands this. If you're actively being engaged by an unknown 3rd party you'll be doig the action/counter-action dance a lot with your attacker.
Sometimes an incursion goes on for a few packets, sometimes it goes on for days - or months. The bottom line is that this isn't a one-and-done process. Conditions constantly change both on the field of (virtual) engagement and in business. Budgets change, technology changes, key risks change and business drivers change.
Often times an asset we spend lots of time defending becomes abandoned by the business and we must make our move to abondon and decommission the asset, while disengaging with the attackers.
The problem with actions and attackers is there aren't always clear cause-effect relationships, and attackers don't wear name tags or tag their specific packets or payloads. Often times one 'attacker' is made up of dozens of people, behind millions of possible systems and attack patterns.
It's in understanding what is going on (the Observe, Orient components) that we can unmask the attackers through intent and collective action, targeting, etc - and then decide on what steps to take (if any) to engage and defend.
The Information Security applications of the OODA Loop are absolutely critical to strong incident response capability, and while it doesn't solve every problem the OODA Loop principles provide us with a framework to take more intelligent, more strategic actions.
After all... aren't we all about making IT Security perform better?
Thanks for following along, and if you have any other questions, comments or suggestions on this topic you know how to find me, or simply leave a comment on any one of the first 4 posts!
Cross-posted from Following the White Rabbit