Tag Archives: John Richard Boyd

Threat Intelligence – What is it good for?

31 August 2019

I attended a virtual summit on threat intelligence this week. I watched two interesting presentations and found that I am still not convinced of the value of threat intelligence.

In vulnerability management for example threat intelligence speeds up decision making. But is speed in the decision-making phase of vulnerability management an issue?

OODA Loop

OODA Loop

When we deal with critical vulnerabilities, e.g. vulnerabilities of the WannyCry Class, speed is crucial. The OODA procedural model is perfectly suited as execution procedure for environments where speed is crucial for survival.

OODA, an acronym for Observe, Orient, Decide, Act, was developed by John Richard Boyd in the 1950’s as survival strategy in aerial combat. Colonel Boyd, one of the most influential military strategists ever, transferred OODA to other domains after he retired from the US Air Force.

The picture below shows the OODA procedural model adapted for vulnerability management.

OODA for Vulnerability Management

OODA for Vulnerability Management

We must decide whether urgent action is required if a new critical vulnerability is published. Data collected from OSINT sources, asset details, and experience in the evaluation of vulnerabilities are required for creating a well-founded decision.

Threat intelligence speeds up the Observe and Orient phase by e.g. providing data on exploits seen in the wild. But threat intelligence will neither replace current asset data, which are crucial for the Orient phase, nor speed up the Act phase, where the affected assets are patched, and their correct operations is verified.

So, if you decide on investing in threat intelligence ask yourself the question: What benefits do I expect to gain from threat intelligence in what use cases? Otherwise, it is very likely that you get disappointed.

Have a good weekend.

Senators accuse Yahoo of ‘unacceptable’ delay in hack discovery

4 October 2016

Six Senators demanded that Yahoo should explain why it took about 2 years before the massive data leak came to light.

In Reuters Technology News of 27 September 2016 Dustin Volz and Lisa Lambert wrote:

The lawmakers, all Democrats, said they were “disturbed” that the 2014 intrusion, which was disclosed by the company on Thursday, was detected so long after it occurred.

“That means millions of Americans’ data may have been compromised for two years,” the senators wrote in a letter to Yahoo Chief Executive Marissa Mayer. “This is unacceptable.”

This is a very interesting turn on events, but entirely justified.

In report ‘Yahoo breach calls into question detection and remediation practices’ published on SearchSecurity on 28 Sep 2016, Michael Heller discussed the question about Yahoo’s detection and response practices. I haven’t seen any discussions about missing preventive controls, although these are the foundation for the rapid detection of cyber-attacks.

The goal of prevention is to force the attacker to make errors by isolating him from his and our environment. A well-tuned SIEM system should then rapidly detect such anomalies and create incidents from them. A good mixture of detection and prevention is required for the rapid detection of cyber attacks.

For a comprehensive discussion on prevention and detection see post Cyber Security Investments: Experts Discuss Detection vs. Prevention published in the Digital Guardian blog.

In briefing document ‘The Strategic Game of ? and ?’ John Richard Boyd shows the direction to cyber security:

The Strategic Game is one of Interaction and Isolation. A game in which we must be able to diminish adversary’s ability to communicate or interact with his environment while sustaining or improving ours.

Have a good week.

Lessons learned from Tom Clancy’s ‘Novel Red Strom Rising’

14 December 2015

In the past weeks I listened to Tom Clancy’s ‘Novel Red Strom Rising’ during my ride to the office. Red Storm Rising is about a Third World War in Europe around the mid-1980s. From a IT security point of view one of the most impressive scenes is about a missile attack against the carrier Nimitz.

Nimitz has a layered defense system which successfully destroys all missiles except of two which cause severe damage. However, the continual emergency drill was successful, the carrier achieves the dry dock under its own steam and is soon back in combat.

In the IT world we are facing similar problems when a cyber attacker manages to get across first line of defense, i.e. the firewall which separates the company network from the internet. In the best case, if a Information Security Management System (ISMS) is in place, everyone reacts the right way and serious damage is prevented.

But reacting the right way requires some practice, and the lack of practice is the crux of the matter. Is all software available to rebuild a system from scratch? Have you ever performed a restore test to make sure your backup concept works and your business critical systems could be restored to the required point in time, and in the defined time frame?

Practicing of security procedures is often avoided because of the risk for the systems and the costs. But without practicing you cannot ensure the effectiveness of your ISMS. It is all a question of finding the proper balance.

I digged somewhat deeper into military strategy in the past weeks. In publication ‘The Strategic Game of ? And ?‘ John Richard Boyd shows the direction to a strategic approach to defense in cyber war:

The Strategic Game is one of Interaction and Isolation. A game in which we must be able to diminish adversary’s ability to communicate or interact with his environment while sustaining or improving ours.

Seems to be a good motto for 2016.

That’s it for today, and for this year. I will take a Christmas break.

A merry Christmas to you all and the best wishes for health, happiness and prosperity in the New Year.

Christmas Trees