“Security breaches are inevitable… the rise of the OODA!”

In a previous blog I discussed how businesses need a simple and cost effective way of building an incident response plan. However, before looking at how such a plan can be implemented, let’s take some time to consider the notion of cyber situational awareness. Situational awareness is a term with its origins in military doctrine but is especially applicable in the context of developing an incident response plan.

What do we mean by situational awareness? Well, a common definition of situational awareness goes as follows:

the perception of elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future

However, what does that mean?

Situational awareness is an element of understanding the state of a particular scope, combined with using that understanding to make decisions about how to proceed and respond to events. There are different models and frameworks for situational awareness in the computer networks field, but there is general agreement that its core consists of three levels: [i] Perception: becoming aware of situational events; [ii] Comprehension: interpreting what is happening to form a situational understanding of the events; [iii] Projection [i.e., prediction]: using that understanding to inform what actions [if any] should be taken to control the network.

So in essence situational awareness is a process, consisting of [i] becoming conscious of the immediate environment, and [ii] understanding how temporal/spatial events [which you may or may not control] will impact on that environment. It is generally understood that inadequate situational awareness contributes to poor decision-making, especially in situations with a high flow of information; a typical incident response scenario, in which responding successfully to malicious activity requires detailed and well-informed situational awareness, is exactly such a situation. In handling a cyber incident, situational awareness represents a way of perceiving the threat activity directed at a business’s information infrastructure.

So far we have looked at the theoretical aspects of situational awareness; a practical perspective comes from John Boyd. Whilst the above is useful for understanding the levels of situational awareness, an example will illustrate how it adds value in a practical context. So let’s take a brief side step into kinetic military doctrine: if we view the computer incident response process in the context of Boyd’s OODA loop theory, we find a useful model for reviewing the practical relevance of situational awareness in a cyber incident response situation.

John Boyd was commissioned by the US Department of Defense in 1976 to analyze why US pilots in Korea were so successful despite the fact that the opposing Chinese MiG15 aircraft were technically superior in many respects. His simple theory, which postulated that certain aspects of the US aircraft design enabled the pilots to react more quickly to the changing battle, has gained much traction since.

Boyd theorized that combat pilots made decisions using a cycle comprising four steps: Observe, Orient, Decide, and Act [OODA]. In a contest between two opposing pilots, the individual who could complete this cycle quickest would have the advantage. Boyd suggested that the increased speed at which the US pilots could react and reorient themselves outweighed the technical superiority of the MiG15.

Refinements have since been made to Boyd’s OODA model and it is now particularly pertinent in the context of cyber security, especially when responding to an incident.
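To make the mapping concrete, here is an added example, not code from the original post or from any project it mentions, that runs the three levels of situational awareness described earlier [perception, comprehension, projection] and the four OODA steps over a handful of authentication log lines. The sshd-style log lines, the host names, the IP addresses (from documentation ranges), the asset criticality table and the threshold of three failures are all constructed for illustration. The Act step returns the response tasks it would raise rather than executing anything, which is where a real incident response plan would plug in its own playbook.

```python
"""OODA loop applied to a small, constructed incident-response scenario.

Observe  = perception:    parse raw log lines into structured events
Orient   = comprehension: aggregate per source/host and add asset context
Decide   = projection:    pick a response for each (source, host) pair
Act      = action:        emit the response tasks (returned, not executed)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log lines (syslog-style sshd messages, not real data).
SAMPLE_LOG = """\
Dec 19 11:54:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec 19 11:54:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51123 ssh2
Dec 19 11:54:05 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Dec 19 11:54:06 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Dec 19 11:54:09 web01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51126 ssh2
Dec 19 11:55:10 db01 sshd[3310]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Dec 19 11:55:40 db01 sshd[3310]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
"""

# Constructed context consulted in the Orient step: how much each host matters.
ASSET_CRITICALITY = {"web01": "high", "db01": "high", "dev03": "low"}

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

Key = Tuple[str, str]  # (source address, host)


@dataclass
class Observation:
    host: str
    outcome: str
    user: str
    src: str


def observe(raw_log: str) -> List[Observation]:
    """Perception: turn raw log lines into structured events; skip unparseable lines."""
    events = []
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Observation(**m.groupdict()))
    return events


def orient(events: List[Observation]) -> Dict[Key, dict]:
    """Comprehension: build a picture per (source, host), enriched with asset criticality."""
    picture: Dict[Key, dict] = {}
    for ev in events:
        entry = picture.setdefault(
            (ev.src, ev.host),
            {"failed": 0, "accepted_after_failures": False,
             "criticality": ASSET_CRITICALITY.get(ev.host, "unknown")},
        )
        if ev.outcome == "Failed":
            entry["failed"] += 1
        elif entry["failed"] > 0:
            # A success following failures from the same source is the pattern
            # that matters: a guessed or brute-forced credential.
            entry["accepted_after_failures"] = True
    return picture


def decide(picture: Dict[Key, dict], fail_threshold: int = 3) -> Dict[Key, str]:
    """Projection: choose the response action for each (source, host) pair."""
    decisions = {}
    for key, s in picture.items():
        if s["failed"] >= fail_threshold and s["accepted_after_failures"]:
            # Probable account compromise; criticality from Orient steers the response.
            decisions[key] = ("isolate_host_and_escalate" if s["criticality"] == "high"
                              else "reset_credentials_and_investigate")
        elif s["failed"] >= fail_threshold:
            decisions[key] = "block_source"
        else:
            decisions[key] = "monitor"
    return decisions


def act(decisions: Dict[Key, str]) -> List[str]:
    """Action: produce the response tasks; a real plan would hand these to its playbook."""
    return [f"{action}: src={src} host={host}"
            for (src, host), action in sorted(decisions.items())]


def ooda_cycle(raw_log: str) -> List[str]:
    """One pass through Observe -> Orient -> Decide -> Act."""
    return act(decide(orient(observe(raw_log))))


if __name__ == "__main__":
    for task in ooda_cycle(SAMPLE_LOG):
        print(task)
```

The point of the structure is that each step has one job: the faster the cycle completes on fresh input, the sooner the orientation (and therefore the decision) reflects what the adversary is actually doing, which is exactly the advantage Boyd attributed to the quicker pilot.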

In the next blog I will demonstrate how the OODA loop can be incorporated into an incident response plan.