Explanation of John Boyd's OODA Loop for better decision making in life and how we can first take action to gain better visibility with cyber intelligence that will help us make risk decisions. http://www.cactuscon.com/not-your-grandmas-cti-ooda-loop

1. OODA Loop for Life and CTI
(originally slated as “Not Your Grandma's CTI OODA Loop”
Dave Eilken - CactusCon 2017

2. Intro / Agenda
- About Me
- OODA in Detail
- Cyber Intelligence Processes
- A Different Perspective
Presentation Scope
➔ 30,000 ft. View
(Across Disciplines)
➔ Top of Mind
(Day-to-Day)
➔ Academic
(Deep Dive)

3. Mental Models
Multi-Disciplinary / Multi-Cultural - jack of
all trades master of none or renaissance man?
➔ Designer & Builder
Architect, Project Manager
➔ Old-China Hand
10 years over the span of 20 in Shanghai
➔ Technologist
Childhood hobby turned profession
➔ Arm-Chair Economist
Go-to-Market Business Strategist

4. The Original Revised OODA Loop

5. OODA
Observe
Through Sensory Inputs
Orient
Understand via Mental Models
Decide
Guess at Best Approach
Act
Test the Hypothesis
John Richard Boyd - distinguished fighter
pilot, developed military theories in the ‘60s

6. Observe Orient Decide Act
Unfolding
Circumstances
Outside
Information
Unfolding
Interaction With
Environment
Implicit
Guidance &
Control
Implicit Guidance
& Control
Feedback Loops
Unfolding
Interaction With
Environment
Simple OODA (maybe)

7. Your Sensory Inputs
We have five senses but we should be
open to other options that provide
additional context
CTI Note
Intelligence sources can
be both internal and
external.
Know what you’re
processing and limit
black box sources.
OBSERVE

8. ISACs & ISAOs
ISACs - Information Sharing and Analysis Centers.
Nonprofit organizations that act as a central
resource for gathering information on cyber threats
to critical infrastructure and providing two-way
sharing of information between the private and
public sector
ISAOs - Broader designation encompassing all
industries
➔ Build Trust
➔ Gather & Analyze
➔ Communicate

9. Understanding Us
How we understand the world based
on mental models
● Cultural Traditions
● Genetic Heritage
● Previous Experience
● Analysis & Synthesis
● New Information
CTI Note
Personal and procedural
biases can distort
orientation
ORIENT

10. Schwerpunkt Focus
Gödel - information is always incomplete
Heisenberg - the physical world is always uncertain
2nd Law of Thermodynamics - closed system entropy

11. You’ve got to have models in your
head and you’ve got to array your
experience - both vicarious and
direct - onto this latticework of
mental models.
- Charlie Munger

12. Mental Models
“All the wisdom of the world is not to be
found in one little academic department.”
“When we try to pick out anything by itself,
we find it hitched to everything else in the
universe.”
Build a Toolkit Across Disciplines
● Math & Logic
● Physics
● Thermodynamics
● Biology
● Psychology
● Anthropology
● Conflict (Game Theory)
● Engineering
● Economics
● Statistics
● History

13. Destroy & Create
Rebuild, Retire, Reposition
Skis, Bicycle, Motorboat, Tank
=
ABO
Always Be Orienting
Validate Mental Models
Practice, Practice, Practice until you have
Fingertip Feel

14. doubt, mistrust, confusion, disorder, fear, panic, and chaos
Tempo (be unpredictable)
● Fast alone is not good enough - changes in rhythm
put the opponent off balance. Sends them back to
square one.
● Great for 1 on 1 competition, not so good when
multiple parties / external partners are involved
Get inside your opponent's OODA Loop

15. What are your mental models for…?
Are you continually (re)orienting?
Hackivists
Political issue
agenda
Nation
States
IP, technology,
political, military
Cyber
Criminals
$$$ for PII, direct
attacks to financial
Insiders
Revenge, $$$ in
coordination with
criminals
Decide - Act ➤ Observe - Orient

16. Too Slow = More Risk
Choose the best mental model and go
with your best guess.
CTI Note
Analyzing intelligence
data can cause decision
paralysis.
DECIDE

17. Fingerspitzengefuhl
Fingertip Feel
Robert Greene - expands in book, Mastery
Decisions can be made instantaneously, moving from
Orientation to Action immediately
TRY AND SKIP DECIDE

18. Just Do It
Trust your mental models and put fear
of failure aside
CTI Note
Action is required to
reduce risk and
feedback from the
ongoing environmental
response is critical
ACT

19. Take Jabs
Make a lot of small quick
moves that test out ideas and
see what happens in response
- Position for the big blow
- Take baby-steps in the form of minimal viable
products / projects (MVPs) to optimize test -
response feedback
CTI Note
Balance small (less risky
initiatives with larger
(riskier ones)...but
remember there are
large projects that have
less risk

20. Traditional CTI Lifecycle
PHASE 1
Plan & Direction
PHASE 5
Dissemination & Integration
PHASE 2
Collect / Aggregate Sources
PHASE 4
Analysis & Production
PHASE 3
Process & Exploitation

21. Challenges
Mostly linear process, one-way external interface
➔ Relatively Slow
Intelligence must be vetted prior to action.
No velocity to repeat OODA loop.
➔ High Entropy
Limited external communication causes
stale information
➔ Disjointed Decision-Makers
CTI products delivered to SecOPS may
have additional rounds of review and
reorientation.

22. A New Approach
Information
Sharing (ISACs)
Continuous
Monitoring
PHASE 1
Collect / Aggregate Sources
(Automated)
PHASE 5
Remediate / Mitigate
PHASE 2
Correlate External Against Internal Data
(Automated Action)
PHASE 4
Triage Events
PHASE 3
Review Events

23. Advantages
Skip data analysis - Act to gain ability to Observe
➔ Much Faster Observations
Intelligence is utilized instantly to “see”
potential risks. Automation is highly leveraged
➔ Open & Integrated
Internal SecOPS & External Communities are
holistically intertwined
➔ Better Context
Internal & external monitoring and feedback
➔ Scaling Potential
Involves entire communities crowdsourcing
Orientation

24. Requirements
Although better for many, some will resist
➔ Openness & Trust
Sharing intelligence with a community.
Works best if everyone sees events on
everyone’s network in real-time
➔ Integrated Intelligence Team
CTI can’t operate outside of SOC.
(Isolated CTI has shown little value)
➔ Capabilities
Build automation and managed SOC or
buy a platform and outsource to MSSP

25. Sensors
Understand
Models Decide Act
Internal Data
Network, Logs,
Hosts, etc.
External
Intelligence
ISACs, ISAOs,
Professional &
OSINT Feeds
Unfolding
Interaction With
Environment
Implicit
Guidance &
Control
Implicit Guidance
& Control
Feedback Loops
Unfolding
Interaction With
Environment
CTI OODA
External / Internal Correlation ➤ Events Triage Remediate / Mitigate
Tools to See & Organize Algorithms, Human Mental Models Tools to Block, Rebuild, Etc.

26. Structured Threat Information Expression (STIX™) is a language
and serialization format used to exchange cyber threat
intelligence (CTI) - Graph based
● XML can still be used but JSON is mandatory
● SROs - Relationship & Sightings
Trusted Automated Exchange of Intelligence Information
(TAXII™) is an application layer protocol for the communication
of cyber threat information in a simple and scalable manner
● Works over HTTPS
● Collections & Channels
Note about STIX and TAXII 2.0
STIX Domain Objects (SDOs)
Attack Pattern
Campaign
Course of
Action
Identity
Indicator
Intrusion Set
Malware
Observed Data
Report
Threat Actor
Tool
Vulnerability
www.oasis-open.org/committees/cti/
www.us-cert.gov/ais

27. Lessons
● Traditional CTI Lifecycle is too slow and creates more risk
● Practice, test & revise mental models often
● Don’t allow fear to get in the way of action
David Eilken
eilken@gmail.com
“Don't be too timid and squeamish about your actions. All life is an
experiment. The more experiments you make the better.”
― Ralph Waldo Emerson