The collection on this page includes content produced exclusively for OODA members (if you are not a member yet, review the benefits of this network and sign up here). Our research team is led by OODA founders Bob Gourley and Matt Devost, and they leverage their extensive past performance in operational cybersecurity in the reports presented here. We also provide pointers to the most recent cybersecurity reporting from our Daily Pulse Report, as well as a list of other resources we see as credible on the topic of cybersecurity.
If you would like to recommend a resource for this page, please email us at email@example.com
The list below is broken into two major parts: Research and Analysis on Threats, and Research and Analysis on Defensive Strategies.
Research and Analysis on Threats
Updated quarterly. For more see: USG Cybersecurity Initiatives and Updates | OODA Loop
Game theory, the study of competition and conflict, tells us there are two types of games: Finite Games and Infinite Games. Knowing which one you are playing is key to making optimal decisions. Finite games are those that have a beginning and an end. The objective of a finite game is to win. The game ends when all sides know who the winner is. Examples of finite games include most battles in a traditional war; they end when there is a decisive victory. Sporting events are examples of more peaceable finite games. For more see: Cybersecurity, like Espionage, Is an Infinite Game
Ransomware: An update on the nature of the threat
The technology of ransomware has evolved in sophistication and the business models of the criminal groups behind it have as well. The result: The threat from ransomware has reached pandemic proportions.
This post provides an executive level overview of the nature of this threat. It is designed to be read as an introduction to our accompanying post on how to mitigate the threat of ransomware to your organization. See: Ransomware, an update on the nature of the threat
China’s Plan for Countering Weaponized Interdependence
In an article entitled “The international environment and countermeasures of network governance during the “14th Five-Year Plan” period” by Xu Xiujun (徐秀军) in the February 27, 2021 edition of China Information Security, we see the continuation of China’s concerns over Weaponized Interdependence and China’s desire to shape a global technology and economic environment that is less influenced by Western power. Xiujun identifies concerns in several interconnected areas including cybersecurity, economic centralization, and advancement in technologies like AI, Quantum, and 5G. See: China’s Plan for Countering Weaponized Interdependence
If SolarWinds Is a Wake-Up Call, Who’s Really Listening?
As the U.S. government parses through the SolarWinds software supply chain breach, many questions remain as to the motive, the entities targeted, and the length of time suspected nation state attackers remained entrenched, unseen by the victims. The attack stands at the apex of similar breaches in not only the breadth of organizations compromised (~18,000), but how the attack was executed.
Russian Espionage Campaign: SolarWinds
The SolarWinds hacks have been described in every media outlet and news source, making this incident perhaps the most widely reported cyber incident to date. This report provides context on this incident, including the “so-what” of the incident and actionable insights into what likely comes next.
The Cyber Threat to NASA Artemis Program:
NASA is enabling another giant leap for humanity. With the Artemis program, humans will return to the Moon in a way that will enable establishment of gateways to further exploration of not just the Moon but eventually the entire solar system. The initial expenses of the program will return significant advances for scientific understanding and tangible economic returns. As Artemis continues, the project will eventually deliver improvements for humanity that as of yet have only been dreamed of. But there are huge threats. For more see: The Cyber Threat To Artemis
Security In Space and Security of Space:
The last decade has seen an incredible increase in the commercial use of space. Businesses and individual consumers now leverage space solutions that are so integrated into our systems that they seem invisible. Some of these services include: Communications, including very high-speed low latency communications to distant and mobile users. Learn more at: OODA Research Report: What Business Needs To Know About Security In Space. Also see: Is Space Critical Infrastructure, the special report on Cyber Threats to Project Artemis, and Mitigating Threats To Commercial Space Satellites
Quick Hits from the 2020 Verizon Data Breach Report – We track yearly.
Is Organized Crime Using Ransomware To Take Real World Competitors Offline? – Sure looks like it. Examine why and how here.
Observations From America’s Most Public Cyber Attacks: Lessons for all of us
Research and Analysis on Defensive Strategies
Enterprise technologists use the term “Zero Trust” to describe an evolving set of cybersecurity approaches that move defenses from static attempts to block adversaries to more comprehensive measures that improve enterprise performance while improving security. When the approaches of Zero Trust are applied to an enterprise infrastructure and workflows, the cost of security can be better managed and the delivery of functionality to end users increased. Security resources are matched to risk. Functionality, security and productivity all go up.
In early May we began a discussion with our OODA Network members that started with an observation. About six months prior we had been through the Solar Winds attack, which from our perspective was clearly one of the most damaging attacks/espionage operations in history. Soon after that, the attack series named Hafnium by Microsoft was revealed. Hafnium had started as espionage but then turned into a Gold Rush of criminal activity, one of the worst attacks in history. Then the Codecov attack hit. This is a widely used tool for software developers that is used for managing continuous integration and continuous deployment of code. Turns out some nation state level actor modified this tool so that all code that was used by it was also copied off and sent to the bad actor. It was brilliant and absolutely one of the worst in history.
This is the second part of our special series on Ransomware. The first provided an update on the nature of the threat, including an anatomy of a modern attack. This post, produced with inputs from real world cybersecurity practitioners Matt Devost, Bob Flores, Junaid Islam and Bob Gourley, provides information for Corporate Boards of Directors and CEOs. In our experience, the guidance provided here can mitigate the existential risks of a ransomware infection to a low level.
Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities
This post provides executive level context and some recommendations regarding a large attack exploiting Microsoft Exchange, a system many enterprises use for mail, contact management, calendar/scheduling and some basic identity management functions. This attack is so large and damaging it is almost pushing the recent SolarWinds attacks off the headlines. Keep in mind that until this point, the SolarWinds attack was being called the biggest hack in history. So this is a signal that the damage from this one will also be huge. See:
National Cyber Ranges: Virtual environments that enable government organizations to test their cyber capability
National cyber ranges are virtual environments that enable government organizations to test their cyber capability. It’s important to rehearse military operational plans and develop new tactics, techniques, and procedures (TTPs) that can work in a contested cyber landscape. These ranges are distributed computing environments with technical experts that can support exercises and operational planning. See: National Cyber Ranges: Virtual environments that enable government organizations to test their cyber capability
From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice
While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice and At Black Hat Conference 2021, CISA Director Jen Easterly launches CISA JCDC
The OODA Almanac – 2021 Edition
The OODA Almanac proposes to identify those topics and patterns we see having significance in 2021 to guide your short and long-term decision making. Over the course of 2021, we will continue to inject additional observations on these topics into our analysis or as stand-alone tidbits of observed intelligence (OODINT). See: The OODA Almanac – 2021 Edition
Meet the New Boss: Context on Cybersecurity and US Federal Leadership
Noted cybersecurity expert Mike Tanji provides context on what to expect from the cybersecurity actions and policies of the Biden Administration. His insights are based on thirty years in the field. He cautions us all to maintain a level of hope, but to not get too worked up about transitions and talk of change. Everyone is all talk until they sit down in the chair and begin to understand exactly what it takes to govern. That said, there are changes that can be expected. Here are a few signals to watch for to see if they will stick.
Expert Practitioner and QuintessenceLabs CEO Vikram Sharma on Quantum Effects and Quantum Security
Vikram Sharma is the CEO of QuintessenceLabs, a company he founded to leverage an understanding of how physics works at the quantum level to address some of the biggest issues in cybersecurity. In this discussion at OODAcon, Vikram provided a high level overview of what years of quantum theory and thousands of experiments tell us about the nature of reality, especially reality when measured at the smallest scale.
Junaid Islam Discusses 5G Security and Functionality at OODAcon
Junaid Islam has 30 years of experience in secure communications. His protocols, algorithms and architectures have been incorporated into a broad range of commercial and national security systems. In the 90s he developed the first implementation of Multi-Level Precedence and Preemption (MLPP) for US Department of Defense C2 applications. He developed the first working Mobile IPv6 client to enable fast hand-off as well as IPv6 address scrambling for high side networks for the DoD’s Netcentric Warfare program. He developed the first network-based Zero Trust Architecture using Software Defined Perimeter (SDP) which was adopted by NIST for their Zero Trust specification 800-207. See: Junaid Islam Discusses 5G Security and Functionality at OODAcon
Mitigating Cyber Risks: Four real world practitioners exchange views at OODAcon
OODAcon brought together pioneering experts with ideas we believe hold the potential to cause order of magnitude improvements in cybersecurity posture. We believe the ensuing discussion resulted in actionable insights you can put in place in your organization immediately to kickstart your journey in mitigating cyber risk. This captures:
– Insights from behavioral science and human nature relevant to organizational leadership, career development and training for mitigating risks
– Why modern red teaming provides the only useful security metric today
– Ways to make cyber threat intelligence actionable
– How to automate actions in the network
Seeking Security Alpha
In cybersecurity, it has long been assumed that the attacker has the advantage and that defenders must deploy a disproportionate amount of resources (time, money, etc.) to even try and maintain some parity. In this piece, we’ve conducted interviews with two successful CISOs to provide insight into how they view security alpha issues. Mark Weatherford is a highly experienced and successful CISO who has worked in the public sector at both the state and federal level and also as a CISO for multi-billion dollar commercial organizations. Our Global FS CISO currently works as the Global CISO at one of the largest financial services firms in the world and has 25 years of experience working on cybersecurity and risk management issues.
Cyber: The Art Of War
Foreign bad actors are conducting a covert cyber war. The pace, frequency, and intensity of cyberattacks are now greater than ever. As the physical realm inevitably merges with the cyber one, forming a new kind of infrastructure, cyberattacks on this infrastructure can have a catastrophic impact on our energy, waste, water, transportation, and telecommunications facilities. Examples include potential attacks on infrastructures like distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems that monitor and control processes and plants with many control loops. Additionally, exploitation of supply chain vulnerabilities can substantially disrupt the way we live, work, and play.
What Executives Need To Know About The Report of the Cyberspace Solarium Commission
In 2019 Congress passed legislation signed into law by the President establishing the U.S. Cyberspace Solarium Commission, chartered to develop a consensus on a strategic approach to defending the US against cyber attacks of significant consequences. The commission was established to be bi-partisan and also staffed and chartered to be as informed as possible by experts who really know the state of technology and cyber defense today. The commission executed its charter through extensive outreach and dialog with leaders in industry, academia, non-profits and government and produced deliverables that will make a positive change in our nation’s defense.
Cyberwar Was Coming: A Reflection on the 25 Year Old Thesis that Predicted a Generation of Cyberconflict
“You’ve got to read what this kid is writing out of his basement at the University of Vermont…” – recently retired CIA officer to intelligence and military colleagues in 1994. A candid 25 year retrospective on a thesis that launched a tremendous amount of dialogue and action on the issues of information warfare, cyberterrorism, and cybersecurity. See:
Deception Needs to be an Essential Element of Your Cyber Defense Strategy
In the cyber defense community, we talk about a wide range of risk mitigating technologies, strategies, and activities. We talk about attacker deterrence and increasing costs for the attacker. We invest in endpoint agents, threat intelligence, DLM, and other mitigating technologies on a daily basis. Here’s why one of the most compelling emerging use cases for increasing attacker costs is the use of deception. For more see: Deception Needs to be an Essential Element of Your Cyber Defense Strategy
The Executive’s Guide to Cyber Insurance
This special report provides an overview of the dynamic trends underway in the cyber insurance market, including actionable information that executives can put to use right now in determining the right approach to using cyber insurance to transfer risk. The report also provides insights which can be of use to any tech firm seeking to partner with insurance companies to enhance services to the market. For more see: The Executive’s Guide to Cyber Insurance
What You Really Need To Know About the California Consumer Privacy Act (CCPA)
There is something you really need to know about the State of California. They have optimized around a key function that they do very very well. They know how to collect money from corporations. They know how to collect taxes, and know how to levy large fines and collect on them. The business that owes California money will pay, and the State will likely do everything in their power to make sure they pay as much as the law allows. Keep this in mind as you read our guidance on the CCPA. For more see: What You Really Need To Know About the California Consumer Privacy Act (CCPA)
Traveling Executive’s Guide to Cybersecurity:
Traveling executives are frequent targets for cyber espionage. This report provides guidance for executives and their security teams on how to protect their information and technology while on the go. Produced by OODA co-founders Matt Devost and Bob Gourley, the report provides best practices, awareness of threats, and a deep understanding of the state of technology. A tiered threat model is provided enabling a better tailoring of actions to meet the threat. For more see: OODA Releases a Traveling Executive’s Guide to Cybersecurity
For Executive Protection, Physical and Cyber Security Have Fully Converged
Managing the nexus between physical and cyber security is possible with a deliberate mindset and full cooperation and integration between the two teams. Physical security practitioners should view cyber defense experts as a vital component of their risk management strategy. For more see: For Executive Protection, Physical and Cyber Security Have Fully Converged
OODA Best Practices for Agile Cybersecurity:
Members of the OODA expert network continuously track best practices for policy, procedures, technology and governance related to cyber defense. We work directly in defending enterprises and maintain an always up to date list of actions in a form designed to help any organization stay as agile as possible in the face of dynamic adversaries. Read more at the OODA Special Report on Best Practices for Agile Cybersecurity.
Additional Cyber Security Reporting and Analysis:
Mitigating Risks To America’s Cognitive Infrastructure: Our most important infrastructure is also our most neglected.
11 Habits of Highly Effective CISOs: What does it take to be a highly effective CISO?
Making Sense of Cyber Lessons: Lessons for enhanced cybersecurity across multiple domains including government, corporate, think tank and academic.
The CMMC: What business needs to know about how DoD will measure your security posture
Essential Management Strategies for Cybersecurity: Management lessons learned and essential actions to mitigate risks
10 Red Teaming Lessons Learned Over 20 Years – Red teaming is one of the most valuable things you can do within your organization. OODA CEO and Co-Founder Matt Devost offers up his top ten red teaming lessons learned from over two decades of red teaming across hundreds of engagements.
The Five Modes of HACKthink – Explores how to use a hacker mindset to solve complex problems and unlock opportunity.
Email – The Often Overlooked Cybersecurity Risk – Are silly email mistakes putting your sensitive data and customer PII at risk or in violation of GDPR? Matt Devost breaks down four real life examples that highlight inadvertent email risks.
Def Con – The highest yield cyber security event of the year.
The 5G Supply Chain Blindspot – This is the place few are looking regarding 5G security
Flaws In The U.S. Vulnerabilities Equities Process: Deep insights from our own expert Cindy Martinez.
Vulnerabilities, the Search for Buried Treasure, and the US Government: Analysis from noted expert and cybersecurity thought leader (and OODA network member) Jason Healey.
Here is How the FBI Wants You To Protect Your Audio/Visual Devices: From an FBI bulletin
CISA Outlines Agency’s Strategic Intent: Vision of the Cybersecurity and Infrastructure Security Agency
The Key To A Defensible Cyberspace: A look at the work of Jason Healey and the NY Cyber Task Force
How a Presidential Commission Was Tracking Hackers in 1996: New insights into the President’s Commission on Critical Infrastructure Protection
Maturing The Cyber Threat Intelligence Field into a Discipline: Based on a career in operational intelligence
Cybersecurity and Technology Due Diligence: Resources that will keep you informed before and during due diligence