Breaking the OODA Loop!

The OODA loop is a well established concept often used in security which originated in the military. OODA stands for Observe, Orient, Decide, Act.

OODA is an iterative process: after each action you must observe its results and whatever new counter-move the opponent makes. The idea is that if you can consistently get to the action faster than your opponent, you win. It is usually explained with a dogfight analogy, in which each pilot tries to turn more quickly and sharply than the other to get off a shot. But as you turn faster and faster the g-forces build, and at that point an ever faster OODA loop feels less like a tactic and more like a centrifuge crushing us. We need to break out of the loop and find a new way to play the security game.

Lately, every time I hear about the OODA loop I think of the Ouroboros, the snake eating its own tail. Defenders react faster, so attackers get faster and sneakier, and so on. Like most arms races of this kind, it is hard to gain more than an incremental and temporary advantage. Even the smallest improvement seems to take an enormous amount of effort and money, and even the largest and best-prepared companies still fall victim to cyber attacks regularly. Only revolutionary improvements substantially shift the balance between attackers and defenders.

Consider a typical OODA loop scenario. An attacker sends a phishing email, someone clicks a link to a malicious website, and the user's computer is infected. At some point the attack is detected (observed), often well after the attacker has had time to move laterally through the organization and establish persistence. The victimized enterprise then turns to gathering more data about what happened and which systems were compromised (orient), and quickly settles on a plan of action (decide). Finally it starts cleaning up infected systems and preventing further compromise (act). Of course, the attacker may notice they have been observed and start taking countermeasures at the same time.

How much better would it be if many of these attacks could be stopped or remediated without ever being detected? Could we skip the "OOD" in most cases and move directly to acting, frequently and repeatedly? That only works if the cost of remediating a potentially infected system drops by several orders of magnitude. Conventionally it might take an IT person an hour or more to clean up a single desktop. If we want to do that every day on every machine, or more often, the cost has to be close to zero.

Virtualization and containerization make it possible to automate this process very effectively. An image of the system, component, or application is captured in a known-good, clean state. The VM or container can then be quickly, easily, and cheaply destroyed and re-created from that image. That efficiency makes it practical to take the remediation action very frequently: it is common for such systems to rebuild from the image daily, and some do so every few minutes.

Another advantage of bypassing the observe/detect phase is resilience against malware that cannot be detected. Current-generation security tools have a dismal track record against sophisticated attacks, and web traffic requires scanners to allow or deny content within milliseconds, which makes detection particularly difficult. With automated rebuilds from the image, whatever ran inside the instance is discarded, including the code that evaded every scanner. The caveat is that the rebuild only removes what lived in the instance: the golden image itself, any persistent volumes mounted into it, and any credentials or tokens the attacker captured while inside must be protected separately, or each rebuild will simply hand the attacker a fresh, clean foothold.
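The two paragraphs above describe a rotation loop with no detection step in it. The following is an added illustration written for this column, not the author's code or any product's. It models a "VM or container image" as a directory tree so it runs anywhere: a golden template is hashed once at build time, a disposable instance is copied from it, and a scheduler tears the instance down and rebuilds it when its TTL expires, without ever looking for an infection. It also shows the caveat from the second paragraph: the loop refuses to rebuild from a template that no longer matches its build-time manifest. The file names, TTL, and the simulated implant are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_tree(root):
    """SHA-256 of every regular file under root, keyed by POSIX relative path."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


class GoldenImage:
    """Read-only template plus the manifest captured when it was built."""

    def __init__(self, template):
        self.template = Path(template)
        self.manifest = hash_tree(self.template)  # recorded once, at build time

    def verify(self):
        """Re-imaging from a poisoned template would reinstall the attacker on
        every cycle, so the template must still match its build-time manifest."""
        return hash_tree(self.template) == self.manifest


class Instance:
    """A disposable copy of the golden image with a fixed lifetime."""

    def __init__(self, image, expires_at):
        self.image = image
        self.root = Path(tempfile.mkdtemp(prefix="ephemeral-"))
        shutil.copytree(image.template, self.root, dirs_exist_ok=True)
        self.expires_at = expires_at

    def drift(self):
        """Paths whose content differs from the golden manifest. Shown for the
        reader's benefit only; the rotation loop never consults it."""
        current, golden = hash_tree(self.root), self.image.manifest
        changed = {}
        for rel in set(current) | set(golden):
            if current.get(rel) != golden.get(rel):
                changed[rel] = ("modified" if rel in golden and rel in current
                                else "added" if rel in current else "removed")
        return changed

    def destroy(self):
        shutil.rmtree(self.root, ignore_errors=True)


class Rotator:
    """Destroys and recreates the instance whenever its TTL elapses.
    Note what is absent: no scan, no signature, no alert anywhere in the loop."""

    def __init__(self, image, ttl_seconds):
        self.image, self.ttl = image, ttl_seconds
        self.current = None
        self.rotations = 0

    def tick(self, now):
        """Called by a scheduler with the current time; returns True on rebuild."""
        if self.current is not None and now < self.current.expires_at:
            return False
        if not self.image.verify():
            raise RuntimeError("golden image no longer matches its manifest; refusing to rebuild")
        if self.current is not None:
            self.current.destroy()
        self.current = Instance(self.image, now + self.ttl)
        self.rotations += 1
        return True


def build_demo_template():
    """Constructed sample image: a tiny two-file 'application'."""
    template = Path(tempfile.mkdtemp(prefix="golden-"))
    (template / "app.py").write_text("print('hello')\n")
    (template / "config.ini").write_text("[app]\nmode=prod\n")
    return template


def run_demo(ttl=300):
    """Compromise the running instance, let the TTL expire, observe the rebuild."""
    image = GoldenImage(build_demo_template())
    rot = Rotator(image, ttl)
    rot.tick(now=0)
    inst = rot.current
    # Simulated compromise (constructed): a dropped implant and a tampered config.
    (inst.root / "implant.so").write_bytes(b"\x7fELF...")
    (inst.root / "config.ini").write_text("[app]\nmode=prod\nbeacon=203.0.113.9\n")
    before = inst.drift()
    rot.tick(now=ttl - 1)  # TTL not yet reached: nothing happens, infection persists
    rot.tick(now=ttl)      # TTL reached: instance discarded and rebuilt, no detection involved
    after = rot.current.drift()
    # Caveat: once the attacker reaches the template, rotation must stop, not reinstall.
    (image.template / "implant.so").write_bytes(b"\x7fELF...")
    template_ok = image.verify()
    try:
        rot.tick(now=2 * ttl)
        refused = False
    except RuntimeError:
        refused = True
    rot.current.destroy()
    shutil.rmtree(image.template, ignore_errors=True)
    return {"drift_before": before, "drift_after": after, "rotations": rot.rotations,
            "template_ok": template_ok, "refused": refused}
```

In a real deployment the template is a VM or container image in a registry and the manifest is its content digest or signature; the `tick` scheduler is whatever already runs your jobs. The point the demo makes is structural: the only decision in the loop is "has the TTL elapsed", and the only check is "is the thing I am rebuilding from still the thing I built".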

Virtualizing or containerizing small individual applications has many advantages over virtualizing the whole system. Isolating each application limits the data and resources at risk between the time of any infection and the time it is remediated. Strictly isolating the application from the host file system, network, and hardware keeps an attack from reaching its objective of capturing information or inflicting damage, even while it is running.

Applications are too large, too complex, and evolving too quickly to be free of major vulnerabilities any time soon, and attackers keep developing new tools and techniques to evade immediate detection. The result is businesses spending untold sweat and treasure racing faster and faster around an ever-tightening OODA loop. If they continue, they will eat themselves alive like the mythical snake.

Isolating those vulnerable applications in highly restricted boxes that are frequently destroyed and rebuilt, whether or not anything has been detected, is an important approach to robust security and survivability in today's threat environment. It lets us break out of the OODA loop and cut straight to taking effective action.
