
FOR YOUR EYES ONLY

Bruce Williams (see Researchgate)

This is the first of three articles: this one is the theory and the second is the practical. For many
years I wanted to test a concept regarding cybersecurity. This concept is duelling loops. It
uses a strategy which emerged from the aerial dogfights in the Korean War. A pilot named
John Boyd developed a way of beating the enemy. He developed the OODA Loop: Observe,
Orient, Decide and Act. It is the D that needs improving. Quick decisions are needed. A
famous Defence pen test succeeded because the systems admins failed to act. Boyd taught this
strategy. Let me tell you a short history:
In the '50s, during the Korean War, American pilots were flying aircraft that were less
maneuverable than their opponents'. However, he observed that despite the advantages of
the Russian-made MIG-15s, the American F-86s won a majority of dogfights because they
provided a better field of vision and hydraulic controls that were faster and easier to use.
American pilots had clear advantages in Observing and Acting, the first and last stages of
the OODA Loop.[2]
So how is cybersecurity related to aircraft in a dogfight? Boyd's theory, in simple terms, is that
the side that completes its OODA loop the quickest wins. Let me repeat that: if you can get
through the loop faster than your opponent, then you win. So how do you train students to see
and decide, and then improve their loop speed?
The real world might not be a good idea. To build better response times in students, we
create a testbed in which the red and blue teams compete against each other. An interesting
point I read on the internet was that the USA has red as hostiles and blue as friendlies, but in
Russia, because red and beautiful were the same word (that would make Red Square make
sense), the reds are friendlies and blue are hostiles.

[1] http://www.richgibson.com/blog/wp-content/uploads/2012/08/spy-eye-code.jpg
[2] https://www.forbes.com/sites/davidkwilliams/2013/02/19/what-a-fighter-pilot-knows-about-business-the-ooda-loop/#56b93eaf63eb
The diagram below is a cybersecurity testbed, with an attacker and a defender.

[Figure: Design of Cybersecurity Testbed, attacker side and defender side][1]

This is fairly standard, and the Cyber Warfare quadrant (Doctrine, Strategy and Tactics) is
where I come in with the OODA approach. Each side is already doing a loop, shown below.
The testbed with the OODA concept looks like this:

[Figure: the testbed with an OODA loop on each side (image not reproduced)]

[1] Design of Cyber warfare testbed, Yogesh Chandra, Conference Paper, December 2015, page 3
So as soon as the dogfight begins, each side starts its loop. The first question is: is this
strategy suitable for cybersecurity training?
Given that this OODA technique has been around since the 1950s, did anyone else have
this idea?
Well, the best explanation is here: The Cyber OODA Loop: How Your Attacker Should Help
You Design Your Defense, by Tony Sager.[2]

[2] http://csrc.nist.gov/news_events/cif_2015/security-automation/day3_securityautomation_930-1020.pdf
I have been in contact with Tony (his bio is here:
http://www.healthprivacyforum.com/boston/2016/tony-sager) to see how this idea has
progressed. Well, it has different names.
You would also have noticed that Tony has made the loops more familiar to pen testers by
using the common terms.

Let us start with the US government to see what their approach is.


Unfortunately, in the cyber security world, our adversaries are oftentimes completing the
OODA loop quicker than an enterprise’s defenders. It’s not uncommon for our adversaries to
have more accurate and timely information about our networks and assets than we do. In
fact, one of the U.S. federal government’s largest cyber initiatives, known as the Continuous
Diagnostics and Mitigation Program, is focused on closing this gap by increasing the speed
at which our information security professionals progress through the OODA loop
(http://www.dhs.gov/cdm).[3]
The main benefit of thinking in OODA loops for both attack and defence is to train the
protectors of the system (the attackers are usually already faster). If this training works as
well as the dogfight training in the 1950s, then it is good training.
So the next step was to set up the testbed for students. This required online training, so I
approached a web host service which offered pen testing tools as instances. Having a website
waiting to be attacked ruled out many web hosting providers.
Kali or BackBox? A comparison is here: https://www.upguard.com/articles/kali-linux-vs-backbox-pen-testing-ethical-hacking-linux-distros
I chose BackBox. Before I talk about the setup (this will be described in the next article), back
to Boyd.

[3] http://informationassurance.regis.edu/ia-programs/resources/blog/cyber-security-ooda-decision-loop
For your eyes only - Defence OODA Loop
Fatigue
Colonel Boyd also knew that other factors could affect your O.O.D.A. Loop. During his
research he found that Fatigue was also a factor. He and his pilots were flying F-86’s and
although they were slower and less maneuverable than the Mig 15’s they were flying
against, the F-86 was fully hydraulically controlled and the Mig 15 was only hydraulically
assisted. This meant that Boyd’s pilots could operate their aircraft with easy and gentle
manipulation of the controls, while the Mig pilots had to work harder to maneuver their
aircraft. Boyd found that the more his pilots maneuvered and the longer a dogfight persisted
the more fatigued the Mig pilots became and the slower their reaction time became until the
F-86 pilots were able to maneuver their aircraft into a position of
dominance.[4]
So how long will an attacker keep up an attack? First, understand the mindset of the attacker.
Is your attacker a schoolkid or an enterprise state? Will they stay around for a week or a
month?
The really great thing about understanding the O.O.D.A. Loop is the realization that
everybody has one and their O.O.D.A. Loop is affected by the same factors that yours is.
This is one of the reasons why nearly every drill we teach incorporates moving. This has
the effect of resetting your opponent’s O.O.D.A. Loop and giving you still another advantage.
Learning how your opponent’s mind works and using tactics that allow you to take
advantage of that knowledge is what we should strive to do. Colonel Boyd had it right, know
your opponent’s mind and then attack it.
Defence team - I would suggest the use of honeypots (a real-looking but fake server full of
fake credit cards etc. to be the Deceive step in the Defender's loop). This is in the mind of the
attacker, filed under Motive: greed, revenge etc. Greed for power could also cover admin
password escalation. So how many times would they fall for it? Let’s tire them out and see
what they do. Let us call the use case the greed hacker.

[4] https://tacticalresponse.com/blogs/library/18649427-boyd-s-o-o-d-a-loop-and-how-we-use-it
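To put numbers on the "how many times would they fall for it" and "a week or a month" questions above, here is an added example (not code from the article) that scores each source's contacts with a decoy: hit count and first-to-last dwell. The log format, the decoy addresses and the source addresses are constructed for illustration.

```python
"""Honeypot 'Deceive' step scoring (added example; log format, decoy and
source addresses are constructed for illustration)."""
from collections import defaultdict
from datetime import datetime

# Assumption: the decoy servers (the fake credit-card store) sit at these addresses.
HONEYPOTS = {"10.0.5.20", "10.0.5.21"}

# Constructed connection log: "<ISO time> <src ip> -> <dst ip>:<port>"
LOG = """\
2024-03-01T09:00:00 203.0.113.5 -> 10.0.5.20:443
2024-03-01T09:01:30 203.0.113.5 -> 10.0.5.20:443
2024-03-01T09:02:00 10.0.1.7 -> 10.0.9.1:53
2024-03-03T22:15:00 203.0.113.5 -> 10.0.5.21:22
2024-03-09T07:40:00 203.0.113.5 -> 10.0.5.20:443
2024-03-01T10:00:00 198.51.100.9 -> 10.0.5.21:3389
"""

def parse(line):
    ts, src, _, dst = line.split()
    return datetime.fromisoformat(ts), src, dst.split(":")[0]

def honeypot_hits(log=LOG):
    """Nothing legitimate should talk to a decoy, so every contact counts.
    Returns {src: {"hits": n, "dwell_days": d}}: hits is how many times the
    source fell for the decoy, dwell is first-to-last contact in days."""
    first, last, hits = {}, {}, defaultdict(int)
    for line in log.splitlines():
        ts, src, dst = parse(line)
        if dst not in HONEYPOTS:
            continue  # real-to-real traffic is out of scope here
        hits[src] += 1
        first[src] = min(first.get(src, ts), ts)
        last[src] = max(last.get(src, ts), ts)
    return {s: {"hits": hits[s], "dwell_days": (last[s] - first[s]).days}
            for s in hits}

def classify(dwell_days):
    """Persistence bucket for the article's 'a week or a month' question."""
    if dwell_days >= 30:
        return "month-scale"
    if dwell_days >= 7:
        return "week-scale"
    return "opportunistic"

if __name__ == "__main__":
    for src, stats in honeypot_hits().items():
        print(src, stats, classify(stats["dwell_days"]))
```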
A great discussion on the history of honeypots is here:
Although full operating system (“high interaction”) honeypots would always provide the highest quality data, and were still essential for observing skilled human attackers, low interaction honeypots definitely turned out to be useful in some deployment scenarios: being particularly well suited for easy, low cost roll outs on a large scale; for minimizing management effort and reducing the potential attack surface, operating risk and liability; detecting mass network scanning or compromised internal hosts; tracking network based malware propagation (worms); studying internet wide threats at the macro level or providing real time alerting for highly automated attacks with little initial human input (brute force, scanners, etc).[5]

Some modern-day honeypots are Artillery (https://www.trustedsec.com/artillery/) and Nova (http://www.novanetworksecurity.com).

Project Nova is another newer honeypot project that took the very popular, but no longer
developed, honeyd, and updated and enhanced it, created a dashboard and wrapper around
honeyd, and made it easy to deploy many honeypots at one time -- all from the same host.
Those honeypots can be made to look similar to existing systems on the network and act as
decoys to the real systems. A machine learning algorithm helps determine whether systems
are hostile or benign, and alert appropriately.

Still not sure where to start? Take a look at the Active Defense Harbinger Distribution
(ADHD) project, which is part of the Samurai family of Linux-based LiveCD distributions.
ADHD provides a bootable ISO that contains the two previously mentioned tools and many
others that are specifically focused on providing early warning detection of attacker activity.
Some of those are more geared toward alerting, because, technically, no computers should
be communicating with the honeypot so all traffic has the potential to be considered
malicious.

In addition to the traditional honeypot solutions that are simply designed to be attacked,
ADHD includes active defense tools that intend to slow down attackers and allow for
detection, or to annoy them to where they're more likely to make a mistake and get caught.
Just be sure you've considered the consequences of what annoying an attacker could lead
to; an angry attacker may quickly become a maliciously destructive attacker causing
massive system failures and data loss.[6]

A great booklet on the use of honeypots is here:
https://www.enisa.europa.eu/publications/proactive-detection-of-security-incidents-II-honeypots

[5] https://www.honeynet.org/node/1267
[6] http://www.darkreading.com/vulnerabilities---threats/tech-insight-time-to-set-up-that-honeypot/d/d-id/1139633?itc=edit_in_body_cross
For your eyes only – Attack OODA Loop
Speed
Well, you know the drill, but why not ask yourself whether a backdoor has already been set up? A
web shell such as C99, planted through a Remote File Inclusion, might already be there. Look
for their weakest link, which may include weak links created by others.

Firewalls – you might like to read about a talk from Def Con 22. Zoltan Balazs, aka @zh4ck and CTO
at MRG Effitas, presented “Bypass firewalls, application whitelists, secure remote desktops
under 20 seconds” at Def Con 22.

For the red team attackers, he released two tools for post exploitation; one drops malware
into the remote desktop. If you have admin privileges on a Windows server, you can
bypass/fool hardware firewalls using his driver. Balazs also noted, “If there is a network
address translation (NAT) between the attacker and the server, the tool won’t work.”[7]

Observations

The training of pen testers is very interesting. Some students are better at attack than at defence.
This approach, like most pen testing training, is meant to build ability. The difference is measuring
OODA improvements to see the percentage increase in speed.
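As an added example (not from the article), here is one way to measure the OODA improvements mentioned above: per-stage timings for each team's loop, Boyd's rule that the fastest loop wins, and the percentage speed-up of the blue team between two sessions. The event format, team names and timestamps are constructed.

```python
"""OODA loop timing for the red/blue testbed (added example; constructed data)."""
from datetime import datetime

STAGES = ("observe", "orient", "decide", "act")
# Constructed exercise log, "<ISO time> <team> <stage>", one line per stage start.
SESSION_1 = """\
2024-03-01T10:00:00 blue observe
2024-03-01T10:00:00 red observe
2024-03-01T10:01:00 red orient
2024-03-01T10:02:00 blue orient
2024-03-01T10:02:30 red decide
2024-03-01T10:03:00 red act
2024-03-01T10:04:00 blue decide
2024-03-01T10:09:00 blue act
"""
SESSION_2 = """\
2024-03-08T10:00:00 blue observe
2024-03-08T10:01:30 blue orient
2024-03-08T10:02:30 blue decide
2024-03-08T10:04:00 blue act
"""

def stage_times(log, team):
    """Seconds a team spent in observe, orient and decide during its first
    loop (act closes the loop). Returns ({stage: seconds}, total_seconds)."""
    marks = {}
    for line in log.splitlines():
        ts, who, stage = line.split()
        if who == team and stage not in marks:
            marks[stage] = datetime.fromisoformat(ts)
    if any(s not in marks for s in STAGES):
        raise ValueError(f"{team}: incomplete loop, stages seen {sorted(marks)}")
    durations = {a: (marks[b] - marks[a]).total_seconds()
                 for a, b in zip(STAGES, STAGES[1:])}
    return durations, sum(durations.values())

def who_wins(log):
    """Boyd's rule: the side that completes its loop first wins the exchange."""
    totals = {t: stage_times(log, t)[1] for t in ("red", "blue")}
    return min(totals, key=totals.get), totals

def improvement_pct(before_total, after_total):
    """Percentage speed-up of a team's loop between two sessions."""
    return round((before_total - after_total) / before_total * 100, 1)

if __name__ == "__main__":
    durations, total1 = stage_times(SESSION_1, "blue")
    print("session 1:", who_wins(SESSION_1))
    print("blue's slowest stage:", max(durations, key=durations.get))
    print("blue speed-up:", improvement_pct(total1, stage_times(SESSION_2, "blue")[1]), "%")
```

In the constructed data the blue team's bottleneck is the Decide stage, the point the article says needs improving.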

[7] http://www.networkworld.com/article/2601300/microsoft-subnet/bypassing-hardware-firewalls-in-20-seconds.html
John Boyd[8]

[8] https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)
