Insight by Carbon Black

Defense-tested process enables rapid decision making during cyberattacks

This content is provided by Carbon Black.

Cyberattacks are a protracted exercise – they can take weeks, months or even longer to evolve before finally coming to the attention of cybersecurity personnel. Defending against them, on the other hand, is a rapidly evolving event that requires quick situational assessments and decision-making. Toward that end, a concept already popular within Defense spaces is beginning to make its way into the private sector cybersecurity community.

“Within cybersecurity there are a lot of frameworks out there that can be fairly prescriptive, or at least give you a general framework, what to do on the technical side. But thinking about how folks make decisions, I think is often less clear,” said Alec Peiffer, senior federal operations manager at Carbon Black. “If you have a network that’s under attack, if you’re hemorrhaging customer data, you have to quickly act, even if it’s not the perfect action. The saying from the military that was ingrained in me was an 80% solution now is better than 100% solution later. And I think that’s where the OODA Loop can help.”

The OODA Loop was developed by Air Force Col. John Boyd as a model for good, rapid decision-making. It’s a cycle consisting of four stages: Observe, Orient, Decide, and Act. The “loop” comes into play after the decision is acted upon, at which point the decision maker completes the loop by observing the effects of his or her actions, restarting the cycle. In that way, it’s an iterative, evolving process oriented not toward a perfect result, but consistently better results through continuously improving processes.

“It’s not a linear process that I say you start at A and then you go to D, and you have a great decision,” Peiffer said. “It may not be the best decision in the world; it may be a harmful decision. But through these iterations of going through the loop, you’ll ultimately end up in a better situation than you otherwise would, especially if the situation is changing, like security situations.”

So how exactly does it work? Take a hypothetical phishing scenario, for example. In the first stage, “observe,” a cyber professional might receive reports of suspicious emails, and notice an increase in the number that are marked as malicious or anomalous. It’s all about developing a comprehensive awareness and understanding of a situation based on current events, and contextualized by previous experiences.

Once those emails are pulled into the analysis software, the “orient” phase begins. This involves analyzing and evaluating the organization’s digital threat landscape developed in the observe stage with an awareness of biases and informed by the adversary’s perspective. Threat intelligence and security research are key in this stage.

“You have your analysts look through the emails, and they find that there are certain characteristics that are drawn out, like they’re mostly based around the idea of promotions,” Peiffer said, fleshing out the hypothetical scenario. “We know that the promotion list is going to come out at the beginning of Q3. So they’ve timed it accurately to send out around that time.”

At this point, it’s time to decide. Decisions should stem from details observed and oriented upon in the first two stages, and be tested in subsequent loop iterations to identify possible flaws and improve future decision making. In our hypothetical phishing scenario, cyber personnel could decide to institute increased user security training, blacklist certain IPs, update web and email filters, or any number of other responses as appropriate.

Finally, act on the decision.

“Then, once we act, we look back into the observation phase to say, okay, has this had the desired effect?” Peiffer said. “Are we still receiving spear phishing emails or not? If we are, okay, what’s different this time? Take that into consideration, observe what’s different, assess how that’s affecting your environment and in a way that you haven’t already acted on or haven’t yet acted effectively on, decide what the action is going to be, act on it and then just loop it back again. Continue through those iterations until you’re blocking whatever the preponderance of the malicious emails that are coming in.”

And these iterations should be rapid; one of the benefits of the OODA Loop is speed to decision making. That speed allows for adaptation during rapidly evolving situations, so organizations can better handle the unpredictable. And because testability is built into the process as a sort of feedback loop, future actions should account for previous actions and build on them, replicating successes and learning from mistakes.

But the secret to the whole process is its simplicity, which enables the rapid iterations and a broad swath of applications.

“If you’re going to move fast, you need to have some sort of simple decision making cycle to use,” Peiffer said. “If it’s overly complex, if it’s overly difficult to translate, you’re just going to get bogged down in the process instead of acting on it and executing it. Simplicity is key to success here.”
