Picture this, you are an analyst working in a large security operations center (SOC) responding to an overwhelming amount of alerts each day. A large portion of the alerts are false positives, but you have to be sure so each one requires your attention. After a while, complacency sets in, and impactful alerts are missed. This is known as alert fatigue. If not addressed, alert fatigue can lead to mental exhaustion and decreased motivation. Burnout affects performance and productivity which can impact the entire organization. 

SOC analysts are not the only ones that experience alert fatigue. System administrators or those responsible for vulnerability and patch management can experience it as well. Keeping up with vulnerabilities can feel like an uphill battle. It also seems like there is always a zero-day vulnerability that is announced before every major holiday which also does not help prevent burnout. 

There are several steps an organization usually takes before rolling a patch into production. Patches can break existing tools or business-critical functionalities. Vulnerabilities need to be assessed and prioritized. This blog will review how leveraging the OODA Loop decision-making framework for vulnerability management can be beneficial and potentially prevent vulnerability fatigue.  

Digital Shadows (now ReliaQuest)’ Vulnerability Intelligence solution provides immediate alerting of newly discovered vulnerabilities with rich context that allows users to prioritize patching. This blog is a monthly vulnerability intelligence roundup. If you haven’t already, check out our roundup from May, The Good, the Bad, and the Risky.  

OODA Loop Overview

US Air Force Colonel John Boyd created the decision-making framework known as the OODA Loop after serving as a pilot during the Korean War. Boyd was inspired to create the mental model after experiencing several dogfights, or aerial battles, during the war. The framework is broken down into four steps: Observe, Orient, Decide, and Act (OODA). You observe what is happening, then orient yourself based on your observations and personal experiences, before making a decision and acting. The original framework which was used for training pilots in air-to-air combat had regular feedback embedded within each step. (See Figure 1)

Figure 1: The original OODA Loop model. Source: John Boyd’s OODA Loop

Eventually, a simpler version of the framework leaked into the corporate world and became one of the most popular decision-making processes in the world. (See Figure 2) The less detailed version can be applied by a wide range of professions across several industries including healthcare, law enforcement, and technology. 

Figure 2: The OODA Loop decision making process.

OODA Loop for Vulnerability Management

Observe:

The first step in the vulnerability management process is similar to the first step in OODA Loop, which is observing, or identifying, relevant vulnerabilities. Vulnerabilities can be disclosed in security bulletins, vendor email notifications, news articles, or general chatter in the tech community. There is typically a lot of noise when a high-risk vulnerability is announced, such as the recent zero day dubbed “Follina”. 

Follina is a remote code execution (RCE) vulnerability, tracked as CVE-2021-30190, that impacts Microsoft Support Diagnostic Tool (MSDT). Unless you have been living under a rock, you have probably seen Follina all over headlines since it was being actively exploited before the patch was ultimately released by Microsoft on 14 Jun 2022. 

When high-risk vulnerabilities are announced, it can quickly become chaotic when you try to collect information from multiple sources to get a holistic view of what the vulnerability impacts and if it’s relevant to your organization. Vulnerability intelligence exists to provide actionable insights for vulnerability management. Learn more about the differences between vulnerability intelligence and vulnerability management in our blog Vulnerability Intelligence: A Best Practice Guide

Digital Shadows (now ReliaQuest)’ SearchLight platform has a vulnerability library that is a “one-stop shop” for all the information you need to know about any given CVE. (See Figure 3) There are several helpful filters that help you in your journey traversing the library such as product family, risk level, and exploit availability. 

Figure 3: Two very high-risk vulnerabilities as seen in the vulnerability library in SearchLight.

Orient:

The second step in the OODA Loop is orient, which is essentially the analysis stage. Within this step, you will analyze the information observed within the first step to help you make an informed decision in the next step. During the analysis stage, it is a good idea to draw on your existing knowledge gained from previous experience.

In terms of vulnerability management, once a vulnerability is identified a risk assessment should be performed to determine the potential impact on the organization. This will help make the business decision to apply a patch. If a patch is not yet released for a vulnerability, a similar risk assessment can be performed for workarounds. A workaround is typically a manual configuration provided to mitigate the vulnerability temporarily until an official patch is released. 

Here are some key questions that should be considered during the orient stage to be able to make an informed business decision:

  • Is the vulnerability exploitable?
    • Are there any exploits available?
  • How many devices will this impact in the organization?
  • Given available resources, how long is it going to take to patch?
  • Was there any breakage during the testing process? (i.e. did any applications or business functionalities stop working as expected) 

Not all vulnerabilities are exploitable. There are also vulnerabilities that, if exploited, an attacker couldn’t do much given the overall attack surface. So it’s important to determine the potential blast radius of exploitation. Once an exploit is available in the threat landscape, it is typically not long before attackers take advantage and perform opportunistic attacks. Using the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) platform, you will be able to identify when exploits become available and which threat actors or groups have been attributed to exploitation attempts. (See Figure 4)

Figure 4: Associations with CVE-2022-30190 as seen in our SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) portal.

Asset management plays a part in determining how many devices are impacted. It is impossible to protect what you can’t see. There is nothing worse than thinking you have mitigated an issue only to find out an attacker exploited an unknown asset to gain initial access. Identifying the total number of devices impacted will help calculate how long the patching process will take. 

Ideally, patches should be tested in a development environment to identify if any core business applications or functionalities break or malfunction. Breakage can disrupt business operations and lead to significant financial loss. Depending on the industry, downtime can impact customer relationships and the reputation of the organization.

Decide:

The time has come to make an informed business decision now that you have observed a vulnerability and reflected on the key findings during your risk assessment. Have a meeting to discuss the risk factors and potential outcomes to reveal the overall business impact. Additional analysis may be required if information gaps are identified. The Vulnerability Intelligence solution in the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) platform summarizes all of the risk factors associated with each CVE to help organizations make a threat-informed business decision on whether to apply a patch and when. (See Figure 5) 

Figure 5: Some risk factors associated with CVE-2022-30190 as seen in our SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) portal. 

Act:

Patch management teams can now take action. This can include applying a patch in production or accepting the risk associated with withholding the patch. Even if a patch is tested, it is still realistically possible there will still be breakage when pushed to production. This is due to several reasons, such as the development environment is not identical to the production environment. If breakage does occur, you can start a new OODA Loop. 

  • Observe
    • How many devices are impacted?
    • What are the dependencies?
  • Orient
    • How long is it going to take to fix?
    • Does the patch need to be rolled back to ensure business continuity?
    • Could the issues potentially be fixed after hours?
  • Decide
    • Discuss findings and make an informed decision.
  • Act
    • Carry out the appropriate actions

The OODA Loop can be a valuable tool for several aspects of business operations. Stay calm and assess your surroundings. Leaping into action before analyzing a situation in depth can lead to costly errors and poor outcomes. 

Final Thoughts

One of the potential causes of vulnerability fatigue is decision fatigue. Having to make complex decisions over and over can be exhausting. At the end of the day, determining whether or not to apply a patch is a business decision that should not land on a single individual’s shoulders. The mental workload should be shared with a team or at least with management. Collaboration provides insight from different perspectives and can potentially reduce burnout.

The OODA Loop framework allows decision-makers to take a step back and get a holistic view of complex problems. Even if you are faced with a high-risk vulnerability, such as Follina, there is always time to assess the situation and make an informed decision.   

Digital Shadows (now ReliaQuest)’ Vulnerability Intelligence capability can help organizations make timely, threat-informed decisions during the vulnerability management process. You can test drive SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) and see the rich context available for each CVE, including risk factors, threat actor and malware associations, exploits, news, and much more. 

The traditional, sometimes chaotic approach to vulnerability patching is not sustainable anymore. Look here to read our Vulnerability Intelligence report on common challenges and mitigation strategies.