Written by Tony Cole, CTO – Last week, I spent some time with Matt Devost of OODAloop.com in a webinar on BrightTalk discussing deception and how it allows a defender to shrink their OODA loop. If you’re not familiar with the OODA loop concept and how it applies to cyber defense, let me elaborate.
The OODA loop stands for Observe-Orient-Decide-Act and is a cycle originally developed by US Air Force fighter pilot Colonel John Boyd. The idea is simple: ‘Observe’ everything applicable to the situation, ‘Orient’ yourself to that data while accounting for the background that shapes how you interpret it (biases, culture, etc.), then ‘Decide’ how you’re going to respond, and then ‘Act.’ The point is to complete this cycle faster each time you run it, and always faster than your adversary.
Figure 1: OODA loop, courtesy Wikipedia, https://en.wikipedia.org/wiki/OODA_loop
Obviously, this is a gross simplification of an important concept that has since been applied well beyond fighter pilot training. It has significant applicability to the cyber realm, though. Now, back to our conversation last week on how deception allows you to shrink your OODA loop.
Matt brought up several interesting points that were very applicable to the conversation. We talked about the challenge of dwell time today: the time from an adversary’s initial compromise of a system until the breach is discovered is still measured in weeks, not minutes. This means an adversary has significant time inside your environment before discovery, allowing for maximum impact, where they can steal, modify, leak, encrypt, or even destroy YOUR data. Insert deception here. Adversaries use deception against us in almost every successful attack. Defensive deception turns that around: it changes your enterprise environment so that the adversary can no longer tell what is real and what isn’t, giving the advantage back to the defenders. Let me explain.
Deception breadcrumbs, lures, and bait are layered across your production assets to draw attackers into a decoy environment that looks just like your real one. Why does it look like a valid environment to an attacker? Because it runs real operating systems and real applications, in fact the same ones running in your production environment. As Matt pointed out, this means an adversary who compromised your system with specific goals in mind is now operating in a decoy environment without realizing it. You are notified the moment the decoy environment is touched, because no legitimate user or process has any reason to touch it, and attacker activity inside the decoy has no impact on your real production enterprise. This means you have disrupted their actions on objectives and their decision cycle, and you have started gathering intelligence on their capabilities. You have, in essence, degraded their OODA loop and shrunk your own in the process.
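To make the “notified as soon as the decoy is touched” property concrete, here is an added example (not code from the original post or from any deception product) of the detection logic a defender would run over their own logs. It assumes a small, constructed inventory of decoy hosts, breadcrumb accounts and bait files, and a constructed key=value log format; every address, account and path is made up. Because nothing legitimate ever references a decoy, a single hit is a high-confidence alert, and grouping the hits by source is the start of the “gathering intelligence on their capabilities” step.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Decoy inventory (constructed for this example). These hosts, accounts and
# files exist only as bait: no legitimate user, job or script references them,
# so a single touch is enough to alert on.
DECOY_HOSTS = {"10.20.30.7", "10.20.30.8"}
DECOY_ACCOUNTS = {"svc_backup_old", "fin-share-admin"}
DECOY_FILES = {r"\\fs01\finance\Q3_payroll_bak.xlsx"}

# Constructed sample log lines. Lines 1-2 are ordinary activity; line 3-4 show
# a breadcrumb credential being used against a decoy host, and line 5 shows a
# bait file being opened on a real file share.
SAMPLE_LOG = [
    r"ts=2020-03-02T10:01:07Z src=10.20.1.55 user=jdoe action=logon dst=10.20.1.10",
    r"ts=2020-03-02T10:03:41Z src=10.20.1.55 user=jdoe action=smb_open dst=10.20.1.12 path=\\fs01\eng\roadmap.docx",
    r"ts=2020-03-02T10:09:12Z src=10.20.1.55 user=svc_backup_old action=logon dst=10.20.30.7",
    r"ts=2020-03-02T10:09:30Z src=10.20.1.55 user=svc_backup_old action=smb_open dst=10.20.30.7 path=\\decoy01\backups\keys.zip",
    r"ts=2020-03-02T10:15:02Z src=10.20.1.55 user=jdoe action=smb_open dst=10.20.1.12 path=\\fs01\finance\Q3_payroll_bak.xlsx",
]

KV = re.compile(r"(\w+)=(\S+)")  # tolerant key=value splitter for the sample format


@dataclass
class Alert:
    ts: str
    src: str
    user: str
    action: str
    indicators: List[str]  # which decoys this one event touched


def parse(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (values have no spaces here)."""
    return dict(KV.findall(line))


def classify(ev: Dict[str, str]) -> List[str]:
    """Return every decoy indicator an event matches; empty means benign."""
    hits = []
    if ev.get("dst") in DECOY_HOSTS:
        hits.append("decoy_host:" + ev["dst"])
    if ev.get("user") in DECOY_ACCOUNTS:
        hits.append("decoy_account:" + ev["user"])
    if ev.get("path") in DECOY_FILES:
        hits.append("decoy_file:" + ev["path"])
    return hits


def detect(lines) -> List[Alert]:
    """One alert per event that touches any decoy, in log order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        hits = classify(ev)
        if hits:
            alerts.append(Alert(ev.get("ts", ""), ev.get("src", ""),
                                ev.get("user", ""), ev.get("action", ""), hits))
    return alerts


def profile(alerts: List[Alert]) -> Dict[str, dict]:
    """Group alerts by source host: which bait the intruder took and where it led."""
    out: Dict[str, dict] = {}
    buckets = {"decoy_account": "accounts", "decoy_host": "hosts", "decoy_file": "files"}
    for a in alerts:
        p = out.setdefault(a.src, {"first_seen": a.ts, "events": 0, "actions": set(),
                                   "accounts": set(), "hosts": set(), "files": set()})
        p["events"] += 1
        p["actions"].add(a.action)
        for ind in a.indicators:
            kind, _, value = ind.partition(":")
            p[buckets[kind]].add(value)
    return out


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} ALERT src={a.src} user={a.user} action={a.action} {a.indicators}")
    print(profile(found))
```

Running it on the sample log produces three alerts, all from 10.20.1.55, and the profile shows the intruder used the planted svc_backup_old credential to reach the decoy host and then opened the bait payroll file. One practical caveat: vulnerability scanners and inventory agents will also touch decoy hosts, so allowlist those sources (or exclude their scan windows) before wiring this to paging, or the first scan cycle will look like an intrusion.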
Matt asked about lessons learned as well, and this is an important area. We’ve found that the more time an organization spends with deception, the better it understands how to negatively impact an adversary. In fact, feedback from our customers has inspired new capabilities for this very reason. We now have ADSecure, which lets a company give an attacker inside a compromised system deceptive Active Directory (AD) data, all without putting any agents on an AD server. Lessons learned from attacker activity not only allow our customers to improve their OODA loop, but also allow us to improve our capabilities and provide them back to customers, coming full circle!
I’d like to thank Matt Devost and the team at OODAloop.com for the great conversation last week. The video is available here.
If you haven’t checked out deception yet, well, you should. Listen to the team at OODAloop.com, or to Gartner’s Gorka Sadowski on why it’s “Simple, inexpensive, and works.” Or read why IDG says it’s the second most researched subject in cybersecurity this year. Check it out.