Beijing, a corner of the park. Nov. 4, 2017.
The OODA loop was first used in the field of information warfare: when two sides in an air-to-air engagement fought each other, the question was who could complete the "Observe-Orient-Decide-Act" cycle faster and better.
Both sides start by observing: themselves, their environment and their enemy. From those observations they obtain the relevant external information, and based on the threats they perceive they adjust (orient) in time, make response decisions and take action.
I. Assumed scenario for applying the OODA loop to cybersecurity
The definition of the OODA loop shows that it also applies to cybersecurity, which is "adversarial" by nature, and that it deserves particular attention from organizations entering the proactive (active) defense phase. This is because the active defense phase is itself centered on real-time security analysis, driven by continuous rapid response, with decisions and actions driven by internal and external intelligence to counter threats, and with security policies dynamically adjusted as the situation changes.
Assume the scenario has three elements: an aircraft carrier, a fighter and a pilot, and that the pilot is flying the fighter on a cruise that turns into combat. Isn't that exciting to imagine? And the goal of the operation? To win the battle, of course, and to win it cleanly, on merit.
On a battlefield where you either live or die, everyone wants to take out the other side and win, but wanting it is not what matters; how you do it is. The key to winning a rapidly changing air war is being able to spot the enemy, spot them quickly, quickly read their behavior and intentions, understand yourself, the enemy and the environment at the same time, adjust in your own favor, make fast and accurate decisions, and take targeted action that finishes the enemy in one move.
II. Applying the OODA loop to building a cybersecurity operations platform
The OODA loop has four phases, Observe, Orient (adjust), Decide and Act, and we describe its concrete application to building a cybersecurity operations platform phase by phase.
2.1 Observe phase
Observation has three parts: observing oneself, observing the enemy and observing the environment. In cybersecurity, observing oneself covers asset management and vulnerability management, observing the enemy covers the application of the various threat analysis and detection technologies, and observing the environment covers overall cybersecurity situational awareness and visualization.
Observing yourself is like the instrument panel of an aircraft: it lets you see your altitude, airspeed, remaining fuel and the other flight states. In cybersecurity this is, on the one hand, the management of information assets, including asset identification and inventory, asset importance assignment, asset management baselines and change tracking, and asset and network topology display; on the other hand it is vulnerability management, including integrating vulnerability scanning tools with the operations platform, threat intelligence warnings, industry vulnerability notifications, and vulnerability risk assessment and display.
Observing the enemy is like an aircraft's onboard radar: it allows quick detection and location of the enemy's position and state of activity. In cybersecurity this corresponds to the various threat analysis and detection technologies, including network traffic analysis, user behavior analysis, sandboxes, honeypots and threat intelligence. Correlation analysis rules are used to improve detection effectiveness (depth, anomaly detection) and detection efficiency (speed), to address the false positives and false negatives of traditional devices, and to discover previously unknown threats.
Observing the environment is like an aircraft's electro-optical distributed aperture system, which provides high-resolution dynamic imaging of the aircraft's surroundings, giving high-resolution imaging warnings and improving battlefield situational awareness. In cybersecurity this corresponds to sensing and displaying the overall security posture, the external attack posture, the internal security posture and the asset and risk posture, and providing the various monitoring dashboards and automated reports.
2.2 Orient (adjustment) phase
The prerequisite and basis for the adjustment phase is the result of the observation phase: the deeper and more precise the observation, the more effective the adjustment activities will be. Conversely, if the observation phase has deviations and problems, the adjustment activities will likely have problems too. Adjustment during combat includes adjusting the combat strategy, which is mainly done by the pilot (frontline personnel) to suit the situation. In addition, there are two rear-area adjustment activities: adjustment by the rear intelligence center and adjustment by the rear command center.
In cybersecurity, adjusting the combat strategy corresponds to the pre-emptive defensive measures, including regular vulnerability scanning, patching, security configuration baselines and blacklist/whitelist adjustment; the rear intelligence center is equivalent to the threat intelligence platform (TIP), including aggregating multi-source threat intelligence data, sharing threat intelligence across systems, updating threat intelligence data and issuing threat intelligence warnings; the rear command center is equivalent to optimizing the real-time security analysis engine (the radar), including adding new security analysis scenarios and adjusting security rules and machine learning algorithms.
2.3 Decide phase
The decision phase places special emphasis on human interaction, because a decision may be a split-second matter, and a decision may also be linked directly to the action in the next phase.
In combat, decision-making consists of identifying the enemy and making intelligent decisions; in cybersecurity these correspond to security investigation and analysis, and to security disposal (response) recommendations. Security investigation and analysis includes event analysis and retracing, attack chain reconstruction and attack tracing scenarios; security disposal recommendations include alert/risk prioritization, attack behavior prediction and solution recommendations.
2.4 Act phase
The action phase consists of three types of activity: combat, communications and cooperative combat, corresponding to the aircraft's fire control system, information and communications system and cooperative combat system. Combat operations are activities between the enemy and us; information communications and cooperative operations are activities between combat units, and between combat units and command.
In cybersecurity, the fire control system corresponds to security device linkage, such as the SIEM acting through the firewall and IPS; the information communications system corresponds to the security warning and notification system, including warning notifications (SMS, email, etc.) and the integration of the security operations platform with the work order system; cooperative operations correspond to security emergency response, including incident response and system recovery.
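To make the four phases concrete end to end, here is an added example (written for this edit, not code from the original article) that runs a miniature OODA loop over constructed IDS log lines: Observe parses the lines and consults an asset inventory, Orient enriches each event with asset criticality, exposure and a threat intelligence feed, Decide scores and prioritizes it, and Act maps the priority to a device-linkage, ticketing or log-only action. The hosts, the RFC 5737 documentation addresses, the signature names, the weights and the score thresholds are all constructed assumptions, and the "block" action is returned as a record rather than sent to a real firewall.

```python
"""Miniature OODA loop over constructed IDS events (illustrative, not production code)."""
import re
from dataclasses import dataclass

# Observe (self): constructed asset inventory. criticality 1..5; exposures = known unpatched weaknesses.
ASSETS = {
    "10.0.1.10": {"name": "db-prod-01", "criticality": 5, "exposures": {"ssh"}},
    "10.0.2.20": {"name": "dev-box-07", "criticality": 1, "exposures": set()},
}

# Orient (rear intelligence center): constructed threat-intel feed, RFC 5737 test addresses only.
THREAT_INTEL = {"203.0.113.5": "known-bruteforce-source"}

# Orient (rear command center): tunable signature weights; "target" is the exposure a signature abuses.
SIGNATURES = {
    "ssh-bruteforce": {"weight": 3, "target": "ssh"},
    "port-scan": {"weight": 1, "target": None},
    "sql-anomaly": {"weight": 2, "target": "sql"},
}

# Constructed sensor lines in a simple key=value syslog style; the last line is deliberately malformed.
SAMPLE_LINES = [
    "2017-11-04T10:00:01 ids src=203.0.113.5 dst=10.0.1.10 sig=ssh-bruteforce count=120",
    "2017-11-04T10:00:05 ids src=198.51.100.7 dst=10.0.2.20 sig=port-scan count=3",
    "2017-11-04T10:00:09 ids src=192.0.2.9 dst=10.0.1.10 sig=sql-anomaly count=1",
    "this line is not a sensor record",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ids src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+) count=(?P<count>\d+)$"
)


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    sig: str
    count: int


def observe(lines):
    """Observe (enemy): parse raw sensor lines into events; malformed lines are dropped, never guessed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["src"], m["dst"], m["sig"], int(m["count"])))
    return events


def orient(ev):
    """Orient: enrich the event with asset context, threat intelligence and signature knowledge."""
    # An unknown destination is a gap in self-observation, so it gets a middle criticality, not zero.
    asset = ASSETS.get(ev.dst, {"name": "unknown-asset", "criticality": 3, "exposures": set()})
    sig = SIGNATURES.get(ev.sig, {"weight": 2, "target": None})
    return {
        "event": ev,
        "asset": asset,
        "intel": THREAT_INTEL.get(ev.src),
        "exposed": sig["target"] is not None and sig["target"] in asset["exposures"],
        "weight": sig["weight"],
    }


def decide(ctx):
    """Decide: score = criticality * signature weight, +5 for a TI hit, +5 if the asset is exposed
    to that technique, +2 for sustained activity (count >= 50); thresholds set the priority."""
    score = ctx["asset"]["criticality"] * ctx["weight"]
    if ctx["intel"]:
        score += 5
    if ctx["exposed"]:
        score += 5
    if ctx["event"].count >= 50:
        score += 2
    priority = "high" if score >= 15 else "medium" if score >= 6 else "low"
    return {"score": score, "priority": priority, **ctx}


def act(decision):
    """Act: map priority to device linkage, ticketing or logging, and return the action record.
    A real platform would call the firewall/IPS and work-order APIs here; this only builds the record."""
    ev = decision["event"]
    reason = f"{ev.sig} from {ev.src} against {decision['asset']['name']} (score {decision['score']})"
    if decision["priority"] == "high":
        return {"type": "block", "target": ev.src, "notify": "sms+email", "reason": reason}
    if decision["priority"] == "medium":
        return {"type": "ticket", "target": ev.src, "notify": "email", "reason": reason}
    return {"type": "log", "target": ev.src, "notify": None, "reason": reason}


def run_loop(lines):
    """Run one pass of Observe -> Orient -> Decide -> Act over raw sensor lines."""
    return [act(decide(orient(ev))) for ev in observe(lines)]


if __name__ == "__main__":
    for action in run_loop(SAMPLE_LINES):
        print(action)
```

The scoring is deliberately simple so that every input to the decision is visible: the brute-force event lands on a critical, SSH-exposed host from a known-bad source and is blocked, the port scan against a low-value dev box is only logged, and the SQL anomaly on the database host becomes a ticket because the asset is critical but not known to be exposed to that technique. In a real platform each table above would be fed by the observation and orientation components the article describes (asset inventory, vulnerability scanner, TIP, analysis-engine tuning) rather than hard-coded.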
III. Summary of the key points of the OODA loop and the cybersecurity operations platform
The OODA loop is characterized by a long observation phase with later phases that are short or even overlap; the more fundamental the earlier phase, the more critical it is as input to the later one; and it requires human-computer interaction, with a focus on dynamics, linkage and closing the loop to improve overall capability.
The corresponding keywords for the cybersecurity operations platform are: fast (a big data platform), accurate (in-depth analysis and detection), and complete (comprehensive reports and combinations of elements).