Cyber OODA
The OODA (Observe, Orient, Decide, Act) loop is a popular way to describe the benefits of using AI in cyber defense. The OODA loop was originally developed by Colonel John Boyd. Its popularized interpretation is that success in battle depends on the ability to out-pace and out-think the opponent, or, put differently, on the ability to go through the OODA cycle more rapidly than your opponent. This description focuses on an introspective process in which faster completion of the loop is the key to victory. The thinking goes that since AI increases the ability to quickly detect and respond to cyber attacks, it thereby increases security – maybe even to the point that detect+respond can take the place of identify+protect. So maybe AI is the long-sought-after silver bullet of cyber defense?
The problem is that OODA is not about the type of introspection provided by AI; it is about using knowledge of the environment to manipulate it and disrupt an adversary’s OODA loop. Success depends on generating friction in the attacker’s OODA loop and increasing the speed of your own OODA feedback loop. So cyber defense must first focus on increasing adversary friction and only then focus on speeding up response.
Appropriately, most independent cyber defense recommendations focus first on increasing adversary friction. The NSA “Methodology for Adversary Obstruction” provides 4 technology principles to increase adversary friction:
- Reduce the attack surface to reduce external attack vectors into the network
- Harden devices to reduce internal and external attack vectors into the network
- Implement credential protections to degrade the adversaries’ ability to maneuver on the network
- Segregate networks and functions to contain damage when an intrusion occurs
Similarly, 4 out of the 5 CIS (Center for Internet Security) Controls also focus on increasing adversary friction:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software
- CSC 5: Controlled Use of Administrative Privileges
Friction makes it harder for cyber attackers to succeed, causing them to try their luck somewhere else. A valuable byproduct of increased friction is that it generates “heat” which can be sensed and used by a cyber defense platform to dynamically increase protection.