1. Col. Boyd’s OODA Loops
“Speed is the essence of war. Take advantage of the enemy’s un-preparedness; travel by unexpected routes and strike him where he has taken no precautions.” Sun Tzu
An Air Force Colonel named John Boyd achieved a reputation as a talented fighter pilot and then went on to become one of the best pilot instructors at the Fighter Weapons School at Nellis Air Force Base. Col. Boyd earned the nickname, “forty second Boyd” by making a standing offer of $40 for anybody who could survive for forty seconds against him in an aerial dogfight, starting out from a position on Boyd’s tail. He never lost that bet. Boyd went on to become a key figure in the design of both the F-15 Eagle and F-16 Fighting Falcon fighter planes and after he retired, gave briefings and lectured about combat maneuvers to many military groups and training organizations.
What Boyd became most known for was developing a theory of the timing involved in combat maneuvers. He called it “OODA” for; Observe, Orient, Decide, Act. Boyd’s theory says that every combat maneuver has to constantly loop through these actions and whoever can perform the cycle fastest gains a distinct advantage. It’s easy to understand how valuable this theory is when it pertains to aerial combat. Pilots engaged in a dogfight must be able to very quickly transition from seeing an action to making some kind of sense of the action, to making a combat decision, to taking the action necessary to evade an opponent, to reverse positions, or to kill their opponent. But this theory can also be applied to almost any other form of combat, whether on land or sea, whether it deals with single opponents or large groups. In this case, it can also be applied to information warfare.
Although speed was clearly at the core of OODA loop theory, Boyd went beyond that to also focus on variety, harmony and initiative as opponents continuously cycled through their combat loops. Variety in your techniques makes it difficult for your opponent to orient and slower to decide. Harmony across your techniques increases your speed of response. Initiative can put you in the aggressive lead of the loop and force your opponent to a defensive position where a mistake can become fatal.
While most military training focuses on a two dimensional landscape, Boyd’s experience as a fighter pilot required that he think in three dimensions. It is logical to extend this to include time. In other words, you must learn to maneuver in time as well as in space. In fighter pilot terms, this means that instead of following the ever curving path of an enemy fighter trying to evade your guns, you have to get “inside” his loop, or anticipate where he will be at a future point and take a shorter path to arrive there in time to destroy him. Boyd’s theory was that all combat maneuvers must be designed to “get inside” the opponents OODA loop, whether in space, time, information, psychology, or combinations of these factors. Boyd once said, “Machines don’t fight wars. Terrain doesn’t fight wars. Humans fight wars. You must get into the minds of humans. That’s where the battles are won.”
In order to create faster speed (as well as increased variety, harmony and initiative), it is necessary to train combatants to high levels of proficiency in each of the phases of the OODA loop. Observation and Orientation come first and enable the Decision and Action phases. Being able to correctly frame and understand what you are “seeing” is also known as Situational Awareness (SA). Having good SA opens up opportunities to maintain harmony within your own actions and introduce variety and initiative that can confuse your opponent and actually slow down their ability to cycle through their own OODA loop process.
2. Situational Awareness Matrix
“So it is said that if you know your enemies and know yourself, you will win hundred times in hundred battles. If you only know yourself, but not your opponent, you win one and lose the next. If you do not know yourself or your enemy, you will always lose.” Sun Tzu
In any combative scenario, situational awareness is a key to the outcome. It’s not just knowing where you are and where your opponent is, but also what condition and state each of you are in and details about the environment and obstacles you both face.
Applied to network cyber attacks, a situational awareness matrix can be developed and filled in as the attack progresses. A simplified version of the matrix might look like this:
The attack begins with external reconnaissance and progresses inward, to intruding across the network with the intention of eventually compromising interior host systems and then beginning a “PIVOT” attack to use the compromised host as a base to attack other systems inside the network. At the same time as the attack penetrates from the exterior to the interior, it also progresses in tactics from reconnaissance to intruding and once they have gained a foothold on a compromised system, they take action to entrench this position and make sure they can regain access to the system at a later time.
Each individual attack would not visit all parts of this matrix, but would follow its’ own unique pathway through the matrix. We can further expand the matrix by adding in tools to be used with each tactic.
[for instance: the scan tactic might use nmap as a tool, the vulnerability scan tactic might use Nessus as a tool, the sniff tactic might use wireshark, while another sniff tactic focused against a wireless target might use kismet instead]
We can also add defensive tactics and tools that are anticipated and the appropriate counter measures. An attack “war-board” based on the situation matrix could be set up in a command and control facility to track the progress of an attack and collect information regarding the target and defenses as it is learned. In a team situation, being able to quickly relay such information from one unit to another in a live attack is critical.
Members of the attacking units need to be trained to constantly think about the situational awareness matrix and ask themselves the questions:
• Where are you? In a cyber sense, where on the network are you, what system are you on, what kind of system is it?
• What do you know? What can you “see”, what network protocols are being used, what services are running, what ports are open?
• What can you access? Where can you reach from where you are, what limitations are there on what you can access?
• What can you control? What can you take control of, what can you not take control of?
• What do the defenders know about you? Do they have any information that might indicate that you are on their network, what tools are at their disposal that might disclose your activity?
• How will the defenders react if they discover your activity? What do you expect the scaling of their reactions to be and what actions will they take at each level?
The state of situational awareness (SA) will have a great impact on the ability of the team to quickly cycle through Boyd’s OODA loops. This speed advantage creates a competitive edge that allows the attackers to elude detection or eradication and create confusion among the defenders. Tailoring the attack tactics and strategy to facilitate SA and OODA loop theory might mean making email servers a priority target for the purpose of intercepting email that describes defensive activity. Incident response methodology stresses using “out of band” communications mediums for exactly this reason.
3. SCENARIO – “The Academy”
The Chinese Hacking Academy was designed to teach advanced cyber attack and penetration techniques to qualified students. Students were selected based on a mix of fundamental computing and networking skills, an interest in penetration techniques and a unique psychological profile that included a creative element and a viewpoint that saw obstacles as a challenge. This can often manifest itself as an anti-authoritarian attitude and may result in the student being labeled as a trouble-maker. These types of students were sought out and examined carefully for suitability to the program.
The “Master” of the academy was well versed in Sun Tzu, the theory of maneuver warfare by Clausewitz, Boyd’s OODA loop theory, and the U.S. Marine Corp manual called, “FMFM1 Warfighting”. He taught the philosophy of cyber attacks as much as tactics and technique and oversaw the other instructors in the school.
- Network protocols refresher
- Beginning packet analysis
- Basics of intrusion detection signatures
- Anti virus signatures
- Intro to reverse engineering
- Fundamental reconnaissance
- How email servers work
- IIS versus Apache – web server basics
- Incident handling methodology
- Datagram fields
- Advanced IDS analysis
- Port scanning and assessing vulnerabilities
- Passive fingerprinting
- Wireless security assessment
- Buffer overflows and format strings
- Penetration tools (metasploit, canvas and core impact)
- Web and SQL attacks
- Botnet command and control and DDOS attacks
- VPN technology
- Sessions: Man In The Middle attacks and hijacking
- Password cracking
- Using fragmentation to elude IDS
- Counter forensic measures
- Root kits: from user mode to kernel mode
- Covert channel communication
- Stealth using polymorphic techniques
- Steganography techniques
In addition to the lectures on cyber attack philosophy and situational awareness, the students were trained in attack techniques and all the commonly available tools plus some custom made versions. They were well schooled on both the attack and defense sides of each phase of cyber conflict. For instance, a student would be taught how to use an exploit to compromise a system, then an intrusion detection system would be introduced that could notice the compromise, then the exploit code was obscured using polymorphic techniques, then IDS techniques were used that can detect payload anomalies statistically. Then the payload was further obscured and the entire exploit was packaged in a wrapper designed to deliberately trigger an old exploit signature such as Code Red from 2001. The assumption was that the defenders were not capable of reacting in real time, giving the attackers time to “dig in” with a stealthy root kit. The defenders would not be likely to investigate very thoroughly, thinking that since Code Red was such an old exploit, and the system was patched against that many years ago, there was no real danger. At each stage in the training, cyber gaming exercises were used to sharpen skills and evaluate progress.
An excerpt from a U.S. Marine Corps manual of military philosophy, “FMFM1 Warfighting” best describes the teaching philosophy of the Academy:
“Maneuver warfare is a warfighting philosophy that seeks to shatter the enemy’s cohesion through a series of rapid, violent, and unexpected actions which create a turbulent and rapidly deteriorating situation with which he cannot cope.
From this definition we see that the aim in maneuver warfare is to render the enemy incapable of resisting by shattering his moral and physical cohesion–his ability to fight as an effective, coordinated whole–rather than to destroy him physically through incremental attrition, which is generally more costly and time-consuming. Ideally, the components of his physical strength that remain are irrelevant because we have paralyzed his ability to use them effectively. Even if an outmaneuvered enemy continues to fight as individuals or small units, we can destroy the remnants with relative ease because we have eliminated his ability to fight effectively as a force.”