
The research and reporting on cybersecurity topics at OODA is informed by decades of real world leadership level experience in mitigating risks and improving the functionality of technology. OODA principles Bob Gourley and Matt Devost are both recognized expert leaders and accomplished entrepreneurs in the domain and bring their experience into every research report we publish. The result is research that can drive informed decisions.

What is the value of an informed decision? At OODA Loop, we seek to surface decision intelligence that provides meaningful perspective for leaders and analysts looking to make the most informed decisions possible. Subscribing will give you access to research reports designed to improve your competitiveness and help you operate in a VUCA world, identify and respond to Gray Rhino risks, and find opportunities from advancements in emerging technology domains. Subscribers also receive access to our special continuously updated OODA C-Suite Report which is designed to provide busy decision-makers with a quick overview of the most critical topics for informed strategic planning.

OODA members can find existing research and reporting in a number of ways, including by visiting our OODA Member Resources Page, our Sensemaking Series, or using the search function on our site.

As an OODA Network Member you help support our continued research into topics designed to optimize decision-making and inform your strategy. In return you receive full access to all specialized reports on the site, including insights into Cybersecurity, Artificial Intelligence, COVID-19, Space, Quantum Computing, Global Supply Chains, Global Risk and Geopolitics, Advanced Technology, Corporate Governance, Due Diligence, and Federal Markets.

The list of cybersecurity related research below is broken into two major parts: Research and Analysis on Threats, and Research and Analysis on Defensive Strategies.

Research and Analysis on Threats


Google Cybersecurity Action Team Releases First Cloud Threat Intel Report

Google’s Cybersecurity Action Team was launched in early October of this year, as part of the company’s $10 billion pledge to strengthen cybersecurity, all of which grew out of the launch in August, by CISA Director Jen Easterly, of the CISA JCDC (Joint Cyber Defense Collaborative). Google is a partner company with CISA in the JCDC. The Cybersecurity Action Team’s efforts begin with Google Cloud. They recently released their first publicly available intelligence offering – Threat Horizons, Cloud Threat Intelligence, November 2021, Issue 1.


Cybersecurity, like Espionage, Is an Infinite Game

Game theory, the study of competition and conflict, tells us there are two types of games: Finite Games and Infinite Games. Knowing which one you are playing is key to making optimal decisions. Finite games are those that have a beginning and an end. The objective of a finite game is to win. The game ends when all sides know who the winner is. Examples of finite games include most battles in a traditional war; they end when there is a decisive victory. Sporting events are examples of more peaceable finite games. For more see: Cybersecurity, like Espionage, Is an Infinite Game


Ransomware: An update on the nature of the threat

The technology of ransomware has evolved in sophistication and the business models of the criminal groups behind it have as well. The result: The threat from ransomware has reached pandemic proportions.

This post provides an executive level overview of the nature of this threat. It is designed to be read as an introduction to our accompanying post on how to mitigate the threat of ransomware to your organization. See: Ransomware, an update on the nature of the threat


China’s Plan for Countering Weaponized Interdependence

In an article entitled “The international environment and countermeasures of network governance during the “14th Five-Year Plan” period” by Xu Xiujun (徐秀军) in the February 27, 2021 edition of China Information Security, we see the continuation of China’s concerns over Weaponized Interdependence and China’s desire to shape a global technology and economic environment that is less influenced by Western power. Xiujun identifies concerns in several interconnected areas including cybersecurity, economic centralization, and advancement in technologies like AI, Quantum, and 5G. See: China’s Plan for Countering Weaponized Interdependence


If SolarWinds Is a Wake-Up Call, Who’s Really Listening?

As the U.S. government parses through the SolarWinds software supply chain breach, many questions still remain as to the motive, the entities targeted, and the length of time suspected nation state attackers remained entrenched, unseen by the victims. The attack stands at the apex of similar breaches not only in the breadth of organizations compromised (~18,000) but in how the attack was executed.

See: If SolarWinds Is a Wake-Up Call, Who’s Really Listening?


From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: Solar Sunrise to Solar Winds


Russian Espionage Campaign: SolarWinds

The SolarWinds hacks have been described in every media outlet and news source, making this incident perhaps the most widely reported cyber incident to date. This report provides context on this incident, including the “so-what” of the incident and actionable insights into what likely comes next.

See: Russian Espionage Campaign: SolarWinds


The Cyber Threat to NASA Artemis Program:

NASA is enabling another giant leap for humanity. With the Artemis program, humans will return to the Moon in a way that will enable establishment of gateways to further exploration of not just the Moon but eventually the entire solar system. The initial expenses of the program will return significant advances for scientific understanding and tangible economic returns. As Artemis continues, the project will eventually deliver improvements for humanity that as of yet have only been dreamed of. But there are huge threats. For more see: The Cyber Threat To Artemis


Security In Space and Security of Space:

The last decade has seen an incredible increase in the commercial use of space. Businesses and individual consumers now leverage space solutions that are so integrated into our systems that they seem invisible. Some of these services include communications, including very high-speed, low-latency communications to distant and mobile users. Learn more at: OODA Research Report: What Business Needs To Know About Security In Space. Also see: Is Space Critical Infrastructure, the special report on Cyber Threats to Project Artemis, and Mitigating Threats To Commercial Space Satellites.


Mitigating Cyber Risks: Four real world practitioners exchange views at OODAcon

This panel at OODAcon brought together pioneering experts with ideas we believe hold the potential to cause order of magnitude improvements in cybersecurity posture. We believe the ensuing discussion resulted in actionable insights you can put in place in your organization immediately to kickstart your journey in mitigating cyber risk.


Additional Insights:

Quick Hits from the 2020 Verizon Data Breach Report – We track yearly.

Is Organized Crime Using Ransomware To Take Real World Competitors Offline? – Sure looks like it. Examine why and how here.

Observations From America’s Most Public Cyber Attacks: Lessons for all of us

Here’s What the New U.S. Intelligence Strategy Says About Cyber Threats



Research and Analysis on Defensive Strategies


The New Enterprise Architecture Is Zero Trust

Enterprise technologists use the term “Zero Trust” to describe an evolving set of cybersecurity approaches that move defenses from static attempts to block adversaries to more comprehensive measures that improve enterprise performance while improving security. When the approaches of Zero Trust are applied to an enterprise infrastructure and workflows, the cost of security can be better managed and the delivery of functionality to end users increased. Security resources are matched to risk. Functionality, security and productivity all go up.


Zero Trust Will Yield Zero Results Without A Risk Analysis

Over the past four years there has been an avalanche of new Zero Trust products. However, during the same period there has been no measurable reduction in cyber breaches. Zero Trust is a concept where an organization has Zero Trust in a specific individual, supplier or technology that is the source of their cyber risk. One needs to have Zero Trust in something and then act to neutralize that risk. Thus buying a Zero Trust product makes no sense unless it is deployed as a countermeasure to a specific cyber risk. Buying products should be the last step taken, not the first. To help enterprises benefit from Zero Trust concepts, here is a modified OODA loop type process to guide your strategy development and execution.


The False Pundits of Cyber Will Lead Us Astray If We Let Them

They’re not cybersecurity experts, but they did stay at a Holiday Inn Express last night. Because we have no common body of knowledge from which to explore and learn from prior art, you can predict like the seasons when another cohort of professionals from other disciplines will attempt to tell


Want To Reduce Risk? It Is Time To End Cybersecurity Awareness Month

Management guru Peter Drucker said, “what gets measured gets managed.” Which helps to explain why Cybersecurity Awareness Month is such a bad idea.


NIST Cybersecurity Framework Gains Private Sector Traction and Other Noteworthy Cyber Efforts from the Institute

In our recent OODA Loop Stratigame – Scenario Planning for Global Computer Chip Supply Chain Disruption – in all four scenarios we determined that public-private partnership in the cybersecurity marketplace, including the establishment of industry-wide frameworks and standards, will be crucial. Organizations like the National Institute of Standards and Technology (NIST) will figure prominently in such efforts – and that means scanning the horizon for worthwhile government cybersecurity efforts which make sense for your company’s design innovation process, business models, and ideas around value creation and capture. To start, there is plenty of activity over at NIST related to cybersecurity worth a review.


Mitigating Cyber Risk In An Age of Continuous Crisis

In early May we began a discussion with our OODA Network members that started with an observation. About six months prior we had been through the SolarWinds attack, which from our perspective was clearly one of the most damaging attacks/espionage operations in history. Soon after that, the attack series named Hafnium by Microsoft was revealed. Hafnium had started as espionage but then turned into a Gold Rush of criminal activity, one of the worst attacks in history. Then the Codecov attack hit. This is a widely used tool that software developers use for managing continuous integration and continuous deployment of code. It turns out some nation state level actor modified this tool so that all code that was used by it was also copied off and sent to the bad actor. It was brilliant and absolutely one of the worst in history.


The Executive’s Guide To Mitigating The Ransomware Threat

This is the second part of our special series on Ransomware. The first provided an update on the nature of the threat, including an anatomy of a modern attack. This post, produced with inputs from real world cybersecurity practitioners Matt Devost, Bob Flores, Junaid Islam and Bob Gourley, provides information for Corporate Board of Directors and the CEO. In our experience, the guidance provided here can mitigate the existential risks of a ransomware infection to a low level.


Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities

This post provides executive level context and some recommendations regarding a large attack exploiting Microsoft Exchange, a system many enterprises use for mail, contact management, calendar/scheduling and some basic identity management functions. This attack is so large and damaging it is almost pushing the recent SolarWinds attacks off the headlines. Keep in mind that until this point, the SolarWinds attack was being called the biggest hack in history. So this is a signal that the damage from this one will also be huge. See:

Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities


Cybersecurity and Cyber Incidents: Innovation and Design Lessons from Aviation Safety Models and a Call for a “Cyber NTSB”

In a recent 4-month long workshop, over 70 experts explored the concept of creating a “Cyber NTSB”. This workshop topic is consistent with themes like innovation and design processes for innovation, which cut across much of our recent OODA Loop research and analysis. It all starts with a design metaphor. This recent workshop used the National Transportation Safety Board as a design analogy/metaphor for a National Cyber Safety Board/National Cyber Security Board (NCSB). Specifically, innovation in “lesson-learning systems” for cybersecurity and cyber incidents – taking design process inspiration from the aviation safety models of the NTSB – was the goal of this “Cyber NTSB” workshop.


National Cyber Ranges: Virtual environments that enable government organizations to test their cyber capability

National cyber ranges are virtual environments that enable government organizations to test their cyber capability. It’s important to rehearse military operational plans and develop new tactics, techniques, and procedures (TTPs) that can work in a contested cyber landscape. These ranges are distributed computing environments with technical experts that can support exercises and operational planning. See: National Cyber Ranges: Virtual environments that enable government organizations to test their cyber capability


From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice and At Black Hat Conference 2021, CISA Director Jen Easterly launches CISA JCDC


The OODA Almanac – 2021 Edition

The OODA Almanac proposes to identify those topics and patterns we see having significance in 2021 to guide your short and long-term decision making. Over the course of 2021, we will continue to inject additional observations on these topics into our analysis or as stand-alone tidbits of observed intelligence (OODINT). See: The OODA Almanac – 2021 Edition


Meet the New Boss: Context on Cybersecurity and US Federal Leadership

Noted cybersecurity expert Mike Tanji provides context on what to expect from the cybersecurity actions and policies of the Biden Administration. His insights are based on thirty years in the field. He cautions us all to maintain a level of hope, but to not get too worked up about transitions and talk of change. Everyone is all talk until they sit down in the chair and begin to understand exactly what it takes to govern. That said, there are changes that can be expected. Here are a few signals to watch for to see if they will stick.

See: Meet the New Boss: Context on Cybersecurity and US Federal Leadership


Expert Practitioner and QuintessenceLabs CEO Vikram Sharma on Quantum Effects and Quantum Security

Vikram Sharma is the CEO of QuintessenceLabs, a company he founded to leverage an understanding of how physics works at the quantum level to address some of the biggest issues in cybersecurity. In this discussion at OODAcon, Vikram provided a high level overview of what years of quantum theory and thousands of experiments tell us about the nature of reality, especially reality when measured at the smallest scale.

See: Expert Practitioner and QuintessenceLabs CEO Vikram Sharma on Quantum Effects and Quantum Security


Junaid Islam Discusses 5G Security and Functionality at OODAcon

Junaid Islam has 30 years of experience in secure communications. His protocols, algorithms and architectures have been incorporated into a broad range of commercial and national security systems. In the 90s he developed the first implementation of Multi-Level Precedence and Preemption (MLPP) for US Department of Defense C2 applications. He developed the first working Mobile IPv6 client to enable fast hand-off as well as IPv6 address scrambling for high side networks for the DoD’s Netcentric Warfare program. He developed the first network-based Zero Trust Architecture using Software Defined Perimeter (SDP) which was adopted by NIST for their Zero Trust specification 800-207. See: Junaid Islam Discusses 5G Security and Functionality at OODAcon


Mitigating Cyber Risks: Four real world practitioners exchange views at OODAcon

OODAcon brought together pioneering experts with ideas we believe hold the potential to cause order of magnitude improvements in cybersecurity posture. We believe the ensuing discussion resulted in actionable insights you can put in place in your organization immediately to kickstart your journey in mitigating cyber risk. This captures:

– Insights from behavioral science and human nature relevant to organizational leadership, career development and training for mitigating risks
– Why modern red teaming provides the only useful security metric today
– Ways to make cyber threat intelligence actionable
– How to automate actions in the network

See: Mitigating Cyber Risks: Four real world practitioners exchange views at OODAcon


Seeking Security Alpha

In cybersecurity, it has long been assumed that the attacker has the advantage and that defenders must deploy a disproportionate amount of resources (time, money, etc.) to even try and maintain some parity. In this piece, we’ve conducted interviews with two successful CISOs to provide insight into how they view security alpha issues. Mark Weatherford is a highly experienced and successful CISO who has worked in the public sector at both the state and federal level and also as a CISO for multi-billion dollar commercial organizations. Our Global FS CISO currently works as the Global CISO at one of the largest financial services firms in the world and has 25 years of experience working on cybersecurity and risk management issues.

See: Seeking Security Alpha


Cyber: The Art Of War

Foreign bad actors are conducting a covert cyber war. The pace, frequency, and intensity of cyberattacks are now greater than ever. As the physical realm inevitably merges with the cyber one, forming a new kind of infrastructure, cyberattacks on this infrastructure can have a catastrophic impact on our energy, waste, water, transportation, and telecommunications facilities. Examples include potential attacks on infrastructure like distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems that monitor and control processes and plants with many control loops. Additionally, exploitation of supply chain vulnerabilities can substantially disrupt the way we live, work, and play.

See: Cyber: The Art Of War


What Executives Need To Know About The Report of the Cyberspace Solarium Commission

In 2019 Congress passed legislation, signed into law by the President, establishing the U.S. Cyberspace Solarium Commission, chartered to develop a consensus on a strategic approach to defending the US against cyber attacks of significant consequence. The commission was established to be bipartisan and also staffed and chartered to be as informed as possible by experts who really know the state of technology and cyber defense today. The commission executed its charter through extensive outreach and dialog with leaders in industry, academia, non-profits and government and produced deliverables that will make a positive change in our nation’s defense.

See: What Executives Need To Know About The Report of the Cyberspace Solarium Commission


Cyberwar Was Coming: A Reflection on the 25 Year Old Thesis that Predicted a Generation of Cyberconflict

“You’ve got to read what this kid is writing out of his basement at the University of Vermont…” – recently retired CIA officer to intelligence and military colleagues in 1994. A candid 25 year retrospective on a thesis that launched a tremendous amount of dialogue and action on the issues of information warfare, cyberterrorism, and cybersecurity. See:

Cyberwar Was Coming: A Reflection on the 25 Year Old Thesis that Predicted a Generation of Cyberconflict


Deception Needs to be an Essential Element of Your Cyber Defense Strategy

In the cyber defense community, we talk about a wide range of risk mitigating technologies, strategies, and activities. We talk about attacker deterrence and increasing costs for the attacker. We invest in endpoint agents, threat intelligence, DLM, and other mitigating technologies on a daily basis. Here’s why one of the most compelling emerging use cases for increasing attacker costs is through the use of deception. For more see: Deception Needs to be an Essential Element of Your Cyber Defense Strategy


The Executive’s Guide to Cyber Insurance

This special report provides an overview of the dynamic trends underway in the cyber insurance market, including actionable information that executives can put to use right now in determining the right approach to using cyber insurance to transfer risk. The report also provides insights which can be of use to any tech firm seeking to partner with insurance companies to enhance services to the market. For more see: The Executive’s Guide to Cyber Insurance


What You Really Need To Know About the California Consumer Privacy Act (CCPA)

There is something you really need to know about the State of California. They have optimized around a key function that they do very, very well. They know how to collect money from corporations. They know how to collect taxes, and know how to levy large fines and collect on them. The business that owes California money will pay, and the State will likely do everything in their power to make sure they pay as much as the law allows. Keep this in mind as you read our guidance on the CCPA. For more see: What You Really Need To Know About the California Consumer Privacy Act (CCPA)


Traveling Executive’s Guide to Cybersecurity:

Traveling executives are frequent targets for cyber espionage. This report provides guidance for executives and their security teams on how to protect their information and technology while on the go. Produced by OODA co-founders Matt Devost and Bob Gourley, the report provides best practices, awareness of threats, and a deep understanding of the state of technology. A tiered threat model is provided enabling a better tailoring of actions to meet the threat. For more see: OODA Releases a Traveling Executive’s Guide to Cybersecurity


For Executive Protection, Physical and Cyber Security Have Fully Converged

Managing the nexus between physical and cyber security is possible with a deliberate mindset and full cooperation and integration between the two teams. Physical security practitioners should view cyber defense experts as a vital component of their risk management strategy. For more see: For Executive Protection, Physical and Cyber Security Have Fully Converged


OODA Best Practices for Agile Cybersecurity:

Members of the OODA expert network continuously track best practices for policy, procedures, technology and governance related to cyber defense. We work directly on defending enterprises and maintain an always up to date list of actions in a form designed to help any organization stay as agile as possible in the face of dynamic adversaries. Read more at the OODA Special Report on Best Practices for Agile Cybersecurity


USG Cybersecurity Initiatives and Updates | OODA Loop

Updated quarterly. For more see: USG Cybersecurity Initiatives and Updates | OODA Loop


Additional Cyber Security Reporting and Analysis:

Mitigating Risks To America’s Cognitive Infrastructure: Our most important infrastructure is also our most neglected.

11 Habits of Highly Effective CISOs: What does it take to be a highly effective CISO?

Making Sense of Cyber Lessons : Lessons for enhanced cybersecurity across multiple domains including government, corporate, think tank and academic.

The CMMC: What business needs to know about how DoD will measure your security posture

Essential Management Strategies for Cybersecurity: Management lessons learned and essential actions to mitigate risks

10 Red Teaming Lessons Learned Over 20 Years – Red teaming is one of the most valuable things you can do within your organization.  OODA CEO and Co-Founder Matt Devost offers up his top ten red teaming lessons learned from over two decades of red teaming across hundreds of engagements.

The Five Modes of HACKthink – Explores how to use a hacker mindset to solve complex problems and unlock opportunity.

Email – The Often Overlooked Cybersecurity Risk – Are silly email mistakes putting your sensitive data and customer PII at risk or in violation of GDPR? Matt Devost breaks down four real life examples that highlight inadvertent email risks.

Def Con – The highest yield cyber security event of the year.

The 5G Supply Chain Blindspot – This is the place few are looking regarding 5G security

Flaws In The U.S. Vulnerabilities Equities Process: Deep insights from our own expert Cindy Martinez.

Vulnerabilities, the Search for Buried Treasure, and the US Government: Analysis from noted expert and cybersecurity thought leader (and OODA network member) Jason Healey.

Here is How the FBI Wants You To Protect Your Audio/Visual Devices: From an FBI bulletin

CISA Outlines Agency’s Strategic Intent: Vision of the Cybersecurity and Infrastructure Security Agency

The Key To A Defensible Cyberspace: A look at the work of Jason Healey and the NY Cyber Task Force

How a Presidential Commission Was Tracking Hackers in 1996: New insights into the President’s Commission on Critical Infrastructure Protection

Maturing The Cyber Threat Intelligence Field into a Discipline: based on a career in operational intelligence

Cybersecurity and Technology Due Diligence: Resources that will keep you informed before and during due diligence
