The Information Security OODA Loop Part Three - Orient

Tuesday, April 03, 2012

Rafal Los


Here we go on part 3 of the OODA Loop series (part one)(part two), this time tackling the second O - Orient.

We'll be covering how our ability to act or react is influenced by outside factors coming at us from the Information Security profession, and where we can provide good orientation and what negative influences exist already. 

Given how critical orientation is to correct decision making in a timely manner, it's imperative to understand how orientation applies in information security, first and foremost.

In traditional application of the OODA Loop principles, orient deals with orientation through genetics, culture, capability and previous experience but this doesn't completely apply to our application of the OODA Loop. 

While the human performing analysis on a situation using the OODA Loop is likely to be influenced by previous experience, culture, capability and maybe even genetics - the automated scripts and technologies will likely not be... at least not directly. 

While we can agree that automation will always be influenced by those who write the code, and that those who write the code are influenced by those things mentioned previously - directly, automation is only oriented by the facts presented to it.  So let's look at this from both a human and automation perspective.

On the human side, we can probably quickly agree that humans are influenced heavily by past experience, their own capabilities, their genetics, and even the culture they've been living and working in to a great extent. 

As an example - a person who grew up here in the United States is probably less likely to be suspicious of a 'backfire' of a car which sounds like gun fire than someone who grew up in a war-torn region of the middle east... agreed? 

Such as in information security, if you've worked a long time in companies who are constantly doing security poorly and getting ravaged by hackers the first inclination you may have is desperation and despair when it looks like your digital assets are under attack.  It's really hard to walk into any situation and completely wipe the slate clean from previous experience, employers and personal pre-dispositions. 

It's darn near impossible to walk into any corporate role without carrying the baggage from your previous, or things you've heard, learned, or read.  Given all that, how can we possibly use orientation in our favor to make good, intelligent decisions... this is a tough question.

On the automation side, technology tends to be poor at making decisions on its own based purely on fact (hence, lacking context) but when human influences are added the effect is exacerbated because the humans bring their own prejudices and pre-conceived notions into the situation. 

I will argue that technology has a much better chance of being objective on any given issue than a human, but if you're looking for someone to make a 'gut call' I'm pulling for the human being.

Applying the orientation component of the OODA Loop to information security is as easy (or difficult) as translating orientation to the principles that guide the digital world and criminal/attacker mindset. 

Based on what I've learned from the information security incident response exercises I've been a part of over the last two decades here are some things that I think belong in the orient component of the OODA Loop for Information Security:

  • External-Environmental: What is the climate of the environment the organization in question (presumably the one you're a part of, or defending) belongs to.  To be more specific, if you're working for a defense contractor which manufactures tear gas, just as an example, you know that you've got "hacktivists" likely targeting you, as well as state-sponsored attacks because you're part of the defense department network, and of course the standard barrage of nastiness because of all of your Internet-connected assets.  This we all know from reading news, sentiment analysis of your sector, and current published and unpublished threats and incidents.  Don't forget to factor in things like geo-political sentiment, global economics, etc.
  • Internal-Environmental: Every company has a complex internal environment.  No organization is free of politics, technical and organizational complexity, as well as evolutionary (strategy) complexity.  All of these things together provide a glimpse into the items provide context to internal environmental orientation component and must be considered. 
  • Organization-Historical: The history of the organization in terms of security and risk, defensive posture is critical.  One must be aware of what issues have transpired in the past in order to understand what the current situation is.  Has the organization been breached before?  If so, how and why?  Root cause analyses from past events are extremely critical in this respect.  It is not out of the realm of possibility that an attacker would go back to an old avenue of exploitation that worked well in the past - especially if discovery and response was less than stellar.
  • Personal-Historical: Keep in mind that your personal history and pre-dispositions will creep into any situation and decision you try to make.  When you're on a network suspected of being under attack, your natural inclination is to recall a past experience and draw upon it to make conclusions about what can possibly be the events of right now.  This is natural, but it can be detrimental to the overall OODA Loop process as it can lock you into processing current events through the lenses of past experiences.
  • Organization-Technical: Knowing the technical layout and limitations of the current organization is critical to having a strong orientation.  Knowing technical processes, tools, vendors, applications, systems, networks and other details of the organization enable you to quickly process details you've observed into context that allows for a smart and proper decision.  Technical components of the orient piece of the OODA Loop are easy to make front-and-center, and only focus on those bits, but be aware that there are other pieces, as described here, beyond the technical.
  • Organization-Situational: In addition to having a strong understanding of your organization's history, one must also understand the current situation.  Are there layoffs planned, or unhappy employees?  What is the general sentiment internally?  Are there major changes both operational or technical, or even dealing with personnel that are taking place or have just taken place?  Is the organization going through an acquisition, divestiture or other behavior-modifying change right now?  Knowing the current situation of the organization is critical to decision-making and contextualizing events for processing.

There you have it... a deep dive into the orient component of the OODA Loop as it applies to information security.  There are many sub-components to being oriented well, and these above are just some that I recommend from an experience and historical perspective. 

Many of these things can't be easily found in reports, tools, or other easily digestible bits - but rather require trained intelligence analysts inside your organization (or your security provider) to be able to gleam and decode.

Next we will tackle perhaps the most complex component of the OODA Loop - decide.  Stay tuned!

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
Security Strategies Methodologies Incident Response Attacks Network Security hackers Information Security IT Security OODA Loop
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.