Incident Response Methodology: The OODA Loop Explained

January 24, 2019  |  James Fritz

An incident response methodology can be explained as a collection of procedures aimed at identifying, investigating and responding to potential security incidents in a way that minimizes impact and supports rapid recovery.

In this blog, we'll explain how to use the OODA Loop, developed by US Air Force military strategist John Boyd, to create your own incident response methodology. The OODA loop stands for Observe, Orient, Decide and Act.

OODA Loop in your incident response methodology

The OODA Loop in Your Incident Response Methodology

Understand the observe phase of incident response methodology.

Tools and Tactics – Vulnerability Analysis; SIEM Alerts; Application Performance Monitoring; IDS Alerts; Netflow Tools; Traffic Analysis; Log Analysis

Questions to Ask – What does normal activity look like on my network? How can I find and categorize events or user activity that aren’t normal? And which require my attention now? Finally, how can I fine-tune my security monitoring infrastructure?

Key Takeaways – In this phase of incident response methodology, the more observations you can make, and document, around your business operations and network, the more successful you’ll be at response and defense

Understand the orient phase of incident response methodology.

Tools and Tactics – Security Research; Incident Triage; Situational Awareness; Security Research

Questions to Ask – Is your company preparing for a new software package or planning layoffs? Have you or anyone else in the wild seen attacks from this particular IP address before? Do you know what the root cause is? How large is the scope and impact?

Key Takeaways – In this phase of incident response methodology, it’s important to try and think like the attacker so that you can orient your defense strategies against the latest attack tools and tactics. These are always changing so make sure you have the latest threat intelligence for your security monitoring tools. This will ensure that your tools are capturing the right information and providing accurate context.

Understand the decide phase of incident response methodology.

Tools and Tactics – Hard copy documentation (pen, notebook and clock), your company’s corporate security policy

Questions to Ask – Once you have all the facts, then it’s time to ask yourself and your team how to act.

Key Takeaways – In this phase of incident response methodology, catalog all areas of your incident response process. Perhaps one of the most important areas to document here are communications around data collection and the decision-making process.

Understand the act phase of incident response methodology.

Tools and Tactics – System backup and recovery tools; data capture and forensics analysis tools; patch management and other systems management, security awareness training tools and programs

Questions to Ask – How can I quickly remedy the affected systems and get them back online? How can this be prevented in the future? What are ways that we can educate users so these things don’t happen again? Should we fine-tune our business process based on these lessons?

Key Takeaways – In this phase of incident response methodology, training, communication, and frequent improvement are important to success in reacting effectively during an incident. Everyone on your team should know their roles and what is expected of them Also, it’s recommended to keep up to date on security best practices and empower team members to speak up when they identify areas for improvement in your incident response methodology.

Note:

This blog was created from a section of the AlienVault Insider’s Guide to Incident Response eBook. To read or download the full eBook, visit:

AlienVault IR Guide Processes and Procedures

AlienVault IR Guide Intro

Share this with others

Get price Free trial