Introduction
Alert reviews are hard. Looking through alerts, not getting sucked into the gory details, and keeping in mind the why of the work you’re doing is hard to keep up with, especially for newer staff. This issue is exacerbated by experienced staff developing a solid “gut feel” for reviewing alerts / investigative leads, and leaving themselves unable to explain, in a repeatable fashion, how they do what they do. An approach I’ve had some success with in giving staff a thought process to keep them on-track is the OODA Loop.
The OODA Loop was created by Colonel John Boyd of the US Air Force, back in 1976. Given the dearth of military terminology in the Cyber Space, I thought this was worth investigation /s. Cyber isn’t the first space to pick up OODA loops outside of a military context: law enforcement, healthcare, legal and even political campaigners have implemented OODA loops to great effect. So what is the OODA loop?
OODA
OODA is an acronym for Observe, Orient, Decide, Act, one word for each phase of the OODA loop. Originally designed to be super snappy (as is required for fighter pilots doing fighter pilot things), the timeframe of use can be expanded out over days. For an example of the original use of the loop, see this video. Now let’s apply it to alert triage!
Observe
In the observe phase, I like to go a little deeper than just “oh, a new alert”. I like to bound my review phase to only the information in the alert itself. If I have to leave the alert, for example to look up a domain / user / whathaveyou, then I’m no longer observing. But if I look at an IP in the alert itself that is, say, 172.32.14.5, and I go “that’s an external IP address” (it really is), then that’s a valid observation.
Orient
Orientation is where we start gathering additional context to understand the environment and conditions in which the alert fired. I like to bound the entire orientation phase to 5 minutes - if I’m taking more than 5 minutes to look at an alert and make a decision, then I’m investigating without choosing to investigate - also known as falling down rabbit holes! This is what we’re trying to avoid. So maybe I look up the department the user account mentioned in the alert belongs to, because if the user is a developer, the activity alerted on might be allowed. Maybe I look up the IP address to see if it belongs to my organisation. Maybe I search across teams for a filename to see if it’s being discussed / used by design. Most importantly, all of these orientations must be completed in less than 5 minutes - TOTAL.
Decide
You have all of the information you can quickly gather (remember the 5 minutes rule!), so it’s time to decide what to do. While I’m generally against fixed-track outcomes, setting them for alert review has been quite productive, in my experience. In the case of alert review, I tend to encourage my staff to chase one of three outcomes:
- Close the alert. There’s no risk to our organisation, so no further action is required by our team. This might be supported by adding a detection review request, etc.
- Escalate the alert. This looks scary and beyond the scope of my team, so it’s time to get the more experienced folks in the next tier involved.
- Investigate further. There’s definitely something odd going on that may or may not be an incident, let’s use our discretion and investigate further.
Based on what you found in observe and orient, the decision should be pretty obvious once you get to this step. Note also that choosing to investigate is not simply repeating the observe and orient phases, because you’re no longer constrained to things that you can achieve in a single 5 minute window.
Act
I hope you’re ready for this, there’s so much going on in this step: You’ve decided the best course of action with the information available to you. Do it.
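To show the four phases as one concrete, time-boxed workflow, here is an added example that is not from the original post or any particular SOC tooling. The alert, the directory and network lookups, and the decision rules are all constructed for illustration (the department, network and filename data, the lookup names, and the mapping from context to close / escalate / investigate are assumptions, not a recommended policy). Observe only reads fields from the alert itself, Orient runs each context lookup against a total time budget and stops when the budget is spent, and Decide picks one of the three outcomes from the post. The clock is injectable so the budget can be exercised without actually waiting five minutes.

```python
# Added example (not the post's own code): a time-boxed OODA triage loop.
# All data below is constructed; lookups stand in for directory / asset /
# collaboration-tool queries a real Orient phase would make.
import ipaddress
import time

ORIENT_BUDGET_SECONDS = 5 * 60  # the post's 5-minute total bound on Orient

# Constructed alert, loosely shaped like a SIEM detection record
SAMPLE_ALERT = {
    "id": "alert-0001",
    "rule": "Outbound transfer of archive to uncommon destination",
    "user": "jdoe",
    "dest_ip": "172.32.14.5",
    "filename": "build-artifacts.zip",
}

# Constructed reference data (assumed, for the lookups only)
DIRECTORY = {"jdoe": "engineering"}
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_FILENAMES = {"build-artifacts.zip"}


def observe(alert):
    """Observe: facts derived only from the alert's own fields, no lookups."""
    ip = ipaddress.ip_address(alert["dest_ip"])
    return {
        "rule": alert["rule"],
        "user": alert["user"],
        "dest_ip": str(ip),
        # 172.32.x.x lies outside RFC 1918 172.16.0.0/12, so it is external
        "dest_is_external": not ip.is_private,
        "filename": alert["filename"],
    }


# Orient lookups: each takes the observations and returns one piece of context
def lookup_department(obs):
    return DIRECTORY.get(obs["user"], "unknown")


def lookup_ip_is_ours(obs):
    ip = ipaddress.ip_address(obs["dest_ip"])
    return any(ip in net for net in ORG_NETWORKS)


def lookup_filename_known(obs):
    return obs["filename"] in KNOWN_FILENAMES


DEFAULT_LOOKUPS = [
    ("department", lookup_department),
    ("ip_is_ours", lookup_ip_is_ours),
    ("filename_known", lookup_filename_known),
]


def orient(observations, lookups=DEFAULT_LOOKUPS,
           budget=ORIENT_BUDGET_SECONDS, clock=time.monotonic):
    """Orient: gather context, but stop once the TOTAL budget is spent.

    The deadline is checked before every lookup, so a slow lookup cannot be
    followed by another one once time is up; what was gathered is kept.
    """
    context = {"budget_exhausted": False, "completed": []}
    deadline = clock() + budget
    for name, fn in lookups:
        if clock() >= deadline:
            context["budget_exhausted"] = True
            break
        context[name] = fn(observations)
        context["completed"].append(name)
    return context


def decide(observations, context):
    """Decide: one of the post's three outcomes (rules are constructed)."""
    if context["budget_exhausted"]:
        # Budget gone with context incomplete: investigating is now a
        # deliberate choice rather than a rabbit hole.
        return "investigate", "orientation budget spent before context was complete"
    if context.get("ip_is_ours"):
        return "close", "destination belongs to the organisation"
    if context.get("filename_known") and context.get("department") == "engineering":
        return "close", "engineering moving a known build artifact"
    if observations["dest_is_external"] and context.get("department") == "unknown":
        return "escalate", "unknown user sending data to an external address"
    return "investigate", "something odd that may or may not be an incident"


def triage(alert, lookups=DEFAULT_LOOKUPS,
           budget=ORIENT_BUDGET_SECONDS, clock=time.monotonic):
    """Run Observe -> Orient -> Decide and return the decision record."""
    obs = observe(alert)
    ctx = orient(obs, lookups, budget, clock)
    outcome, reason = decide(obs, ctx)
    return {"alert": alert["id"], "outcome": outcome,
            "reason": reason, "context": ctx}


if __name__ == "__main__":
    # Act: carry out whatever was decided; here that is just reporting it
    result = triage(SAMPLE_ALERT)
    print(f"{result['alert']}: {result['outcome']} ({result['reason']})")
```

Swapping `clock` for a counter that jumps hundreds of seconds per call shows the budget in action: only the first lookup completes, `budget_exhausted` is set, and the decision becomes an explicit choice to investigate rather than an unbounded Orient.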
Conclusion
I’ve taught this concept to a few different customers, and spoken about it at the mighty CHCon. When the video goes live, I’ll include a link to my talk, as well as the presentation slides, here for you to do whatever you like with. If they’re of value to you or someone you know, please do go forth and spread the good word. I appreciate it!