During the Korean War, John Boyd, an Air Force pilot and military strategist, studied why the F-86 Sabre was so successful in shooting down the Russian MiG-15 of that generation. Boyd discovered that the U.S. planes, while inferior to the Russian MiG in terms of speed, range, and altitude, were more maneuverable and therefore able to act faster than the MiG could react.
Boyd characterized the Sabre’s ability to turn in rapid response to the more cumbersome MiG as thinking and reacting ahead of the enemy. His system was to gather all the facts, observe the way the target reacted, process all the information, and then make lightning decisions. He called this an OODA loop – Observation, Orientation, Decision, and then Action. The strategy? The decision maker that moves fastest through the OODA loop beats their opponent by acting first and thereby changing the situation for an adversary.
John Boyd’s strategy resonates when thinking about cybersecurity. I’ve often compared cybersecurity professionals to spy hunters that deploy effective counterintelligence to beat rival attackers. For some time now, I’ve preached that we must hunt the threats before they hunt us. These ideas mirror Boyd’s strategy for modern times. A cyberattack places the target in an OODA loop that requires a lightning fast response. Reacting to a cyberattack will always be too late.
In order to win the OODA loop paradigm, security teams must make a superior, faster decision than the attacker using only the information directly at hand. Boyd’s theory centered on how we view the world around us as we insist it should be rather than shifting our perceptive to incorporate circumstances as they change. In the world of cyberattacks, circumstances, attack vectors, different malware and new exploits change on every day that ends in a Y. If we are not able to think with flexibility, adapt quickly to changing circumstances and make a decision that beats our attacker to the punch, a catastrophic breach may occur.
Effective cybersecurity will orient faster to an actionable decision than an attacker. Such cybersecurity will focus on a few critical areas to always win the OODA loop:
Security will focus on the endpoint. This moves security and response closest to the most common point of attack – the human that makes a mistake.
Decisions will be made with the best available information. During an attack there is no time to conduct research or ask for help. Security will leverage big data and analytics, instantly updated from the cloud to make the best decisions.
Security will move to a collaborative approach. When threats and exploits are shared among many people, the potential attack surface is mitigated. If one member on an ecosystem is attacked, all other members will know about the attack and immediately orient to act to prevent future attacks. This will make the cost of designing an attack higher than the gains from successfully attacking many consumers.
Security operations will be simplified. Recall that the first party to effectively orient to a situation, decide and act wins. By simplifying operations, security can move protection through the process faster than the attacker.