Why Every Business Should Use Cyber Threat Intelligence - Introducing the OODA Loop and CROSSCAT Intelligence Principles
Image Source: https://www.crest-approved.org/wp-content/uploads/CREST-Cyber-Threat-Intelligence.pdf


Imagine you have been flung back in time to the days of Sparta. You are in a period where threats are constant, information is scarce and the ability to anticipate and react more quickly than your opponents is literally the difference between survival and extinction. You have recently been promoted after the previous holder of your position was caught in a surprise attack, and you now oversee the entire security and safety of your faction. What do you do to achieve this, you find yourself asking? You have resources at your disposal: people, money and situational knowledge sown throughout the population. You also know there are threats all around you, both external and internal. Do you just sit tight, set out your defences and hope that any threats to the village pass by and don’t spot you? Or do you send people out to find out what is coming, who is taking an interest in you, and what their methods are, so you can better prepare your defences?


When you strip it all back and use examples from history, you can see that the principles of security hold true across the ages. In the above scenario, the Spartans knew you couldn’t simply remain passive and react to attacks. You had to be proactive, gain the upper hand and complete the OODA loop (more on that later) faster than the enemy. To be proactive, however, you need an understanding of the situation. They realised you need situational awareness so that informed decisions can be made. That, in essence, is threat intelligence. The Spartans therefore created a specialised type of scout to achieve it. Known as the Sciritae, they were deployed to gain this situational awareness and held a privileged position in the Spartan order of battle. The Spartans were so aware of the advantage their scouting operations gave them that they went to great lengths to keep them secret from their enemies. This practice is not unique to the Spartans: every military force the world has ever seen has had some form of intelligence gathering operation. So why do we not do it for business? The threats are there, admittedly not in the same bloodthirsty form the Spartans faced, but they are there nonetheless, and their aims include causing harm, instigating destruction and seeking advantage over others. If you do not employ some sort of intelligence gathering capability for your business, you are essentially the Spartan village that decided to sit there, wait for the attack to hit and hope it wasn’t too bad.

So, after that introduction and to give context to this article: this is my second piece on Cyber Threat Intelligence. It focuses on some of the pertinent benefits CTI has for businesses and introduces the principles of intelligence in the form of CROSSCAT. Please use it as a springboard to look deeper into the concepts and frameworks I raise, as I do not want to overload you with pages and pages of theory. It is designed to be read quickly over a break, to inspire some thinking about your current situation, and if you would like more information please do not hesitate to contact me.

John Boyd

So back to it. I mentioned earlier something called the OODA loop. The OODA loop is a military concept developed by John Boyd, a USAF fighter pilot, in the 1970s to emphasise the importance of fast, correct decision making. OODA stands for Observe, Orient (often written Orientate), Decide, Act. It is a model you already follow every day. You observe, for example, that you are hungry. You orient using your situational awareness (Subway can provide food but is too far away, whereas Waitrose is just down the road and I can get there and back during the lunch hour for a sandwich). You decide to go to Waitrose, and you act by walking down, buying the sandwich and alleviating the hunger.


It seems simple, but Boyd’s concept changed how people think about winning. It emphasised that greater situational awareness allows quicker decision making, which most importantly means you can react faster and outmanoeuvre your enemies before they have time to react. The same capability has been highlighted throughout history, from the revolutionary tactics of Genghis Khan and Napoleon to the Vietnam War and, most recently, Iraq, Afghanistan and Syria.


In business terms, if threat intelligence lets you understand your environment, understand your threats and make decisions faster than your adversary (i.e. put defences in place before they even attack you), you will remain resilient and operational despite their best efforts to harm you. Preventing an attack is far easier than recovering from one. The flip side of the coin is that if you do nothing, you give your threats the freedom to observe you, orient themselves to your weaknesses and decide on the course of action that suits them best, and then you feel the brunt of their action, whether that is a denial of service attack, data being extracted from your business or ransomware dropped on your devices via a phishing email.

So I think we can all agree that is not the smartest way to handle your security posture, and that some form of intelligence gathering is required to stay ahead of the mounting threats we face in the digital era we are now firmly in. As I said in my previous article, it can seem daunting, even impossible, to know where to start in developing an intelligence capability. Over the course of the next few articles I am going to show that this is not the case. First, though, we will start by understanding the principles of intelligence alongside the OODA loop. Understanding these and adhering to them as best you can will ensure that any capability you do develop is successful. The model we will use is CROSSCAT, taken from the CREST paper "What is Cyber Threat Intelligence and how is it used?" (https://www.crest-approved.org/wp-content/uploads/CREST-Cyber-Threat-Intelligence.pdf).

Source: https://www.crest-approved.org/wp-content/uploads/CREST-Cyber-Threat-Intelligence.pdf

Centralised – Centralised control of your intelligence allows efficient allocation to the right people and departments, a standardised approach, and a single point of contact for any questions or issues that arise.

Responsive – Intelligence needs to be responsive to its consumers. It must be the right intelligence, adapt to their changing needs, and be delivered through a clearly defined method of reporting.

Objective – Analysts need to remain as objective as possible in their assessments, with procedures in place to remove cognitive biases from reports. This is very difficult, but achievable if done correctly.

Systematic – The data and information that is turned into intelligence needs to be methodically exploited in a coherent and coordinated fashion so that, when questioned, it stands up to scrutiny and remains reliable.

Sharing – If you have the greatest intelligence but cannot share it, it is worthless. Correct protective procedures and sharing initiatives need to be in place to ensure the effective dissemination of intelligence.

Continuous Review – Intelligence has a shelf-life and will expire after a certain time. Assessments need to be continually challenged as new information is revealed, with feedback taken on board at every stage.

Accessible – If your intelligence cannot be accessed, both physically and conceptually, it is again worthless. The audience consuming your intelligence must be considered and different formats made available.

Timely – An 80% solution on time is better than a 100% solution that is late. Intelligence is time sensitive and is only useful when delivered within the effective timeframe.

If you start here, building an understanding of the OODA loop and the principles of intelligence, your next steps in developing a capability will be a lot easier and fewer mistakes will be made. Remember, you wouldn’t go into battle without first trying to discover everything you could about what you were up against, would you? So why would you do so with your business?

Tony Stoker, MBA , BBus, EFM

Head of Partnerships ANZ Unilever International

5y
Dean Thompson

Tech Area Lead / Head of Department, Cyber Defence at ANZ

5y

Great article, I would definitely recommend it. Love the incorporation of OODA and CROSSCAT.

Andrew K.

Cyber Assurance Principal Consultant at Accenture

5y

Tom, you touch on understanding the environment. Is this teeing up environmental scanning (STEMPLES, PESTLE, PESTLIED, etc) as the next chapter? CROSSCAT takes me back the better part of 20 years to Intelligence Fundamentals on the JAIC! Happy days. Looking forward to chapter 3!
