FBI’s Latest Cyber Advisory and the Growing Mandate for Out-of-Band Communications
Attackers Are Eavesdropping on Your Incident Response
A new FBI Cyber Division alert warns that during a cyber incident, the attackers might be listening in on your organization’s every move. In a July 29, 2025 joint advisory, the FBI and international partners reported on the ongoing activities of the “Scattered Spider” threat actor. The report made it evident that day-to-day enterprise communications tools should not be trusted during a breach, noting that Scattered Spider “…targeted organization’s Slack, Microsoft Teams, and Microsoft Exchange Online for emails [T1114] or conversations regarding the threat actors’ intrusion and any security response.” They also mentioned tools like Zoom and Webex, stating that the hackers “…frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion.”
The FBI’s update urges organizations to prepare out-of-band communication channels for use when normal networks are compromised. The rationale is clear: if hackers gain access to a corporate network, in-network email or messaging cannot be trusted to coordinate a response. Any sensitive discussion about containment or recovery – even SOC alerts and telemetry – must take place where the attacker cannot intercept, overhear or observe. Treating communications as potentially compromised is quickly becoming a best practice in incident response planning.

Rising Regulatory Pressure to Preserve Incident Communications
But when looking for a secondary out-of-band communications tool, too many confuse privacy with security and assume they can use consumer privacy apps like Signal or WhatsApp. Using consumer apps for official communications, in fact, creates a new set of risks, as regulations increasingly require companies to properly manage and record incident communications. Regulators worldwide, such as U.S. financial authorities, are now penalizing firms for failing to keep official records.
More broadly, regulators are incorporating incident response governance into their rules. The U.S. National Credit Union Administration now instructs credit unions to “document all cyber incidents… and maintain records” as part of standard incident response practice. EU laws like NIS2 and DORA require organizations to quickly report cyber incidents and keep evidence for review, including communication logs and decision records, especially for cross-border events. Similarly, regulators in the Middle East and Asia-Pacific are adopting frameworks that stress incident response oversight and audit trails. Companies must be able to show regulators clear records of who knew what, and when, during major incidents.
Organizations need incident communications that are secure from attackers but still accessible for audits. Personal devices or consumer apps may offer end-to-end encryption for privacy, but they lack proper record-keeping for compliance. Regulated industries are moving to enterprise platforms with end-to-end encryption and archiving to meet these needs. The challenge is balancing invisibility from attackers with thorough internal logging, as boards must ensure regulatory requirements are met during cyber crises.
Out-of-Band Communication: The New Incident Response Imperative
Leading security authorities echo the FBI’s guidance. Establishing secure out-of-band communications at the outset of an incident is now critical. CISA’s best-practice guides warn against using the compromised network for coordination and insist that “all communications are held out-of-band” during incident response. That can mean using alternate devices such as personal or burner phones, encrypted collaboration tools outside corporate IT, or even face-to-face meetings.
What does this mean for your organization? Evaluate your organization and decide which roles, conversation topics, documentation, security alerts, data feeds – anything that hackers would actively seek out to help them – require that higher level of security of an out-of-band tool. Select a tool that meets both that higher level of security and also your governance and audit requirements. Build out-of-band communication plans directly into incident response playbooks. Run drills that assume email is unavailable so responders can practice switching to alternative channels under pressure. Give key teams, including executives, IT, SOC analysts, and legal, direct access to the out-of-band channel. Pre-install secure chat applications or set up emergency conference lines so they are ready to go. The FBI alert stresses that speed is crucial during a breach, so having ready-to-use communication saves valuable time.
The “Cyber Trifecta”: Three Essentials for Incident Response Communication
In light of the FBI’s alert and these broader trends, every CISO and incident responder should focus on a “cyber trifecta” of communication capabilities when preparing for the next incident:
- Requirement #1: It Must Be Out of Band. Part of any incident response playbook is to assume the network you use every day is no longer trustworthy, so in order to truly be out of band, your communications tool should have no dependencies on that network. It should have no hosting or backups to network hardware and no software dependencies that create cascading failures, nor should it be a copy of the same tool that you’re assuming will be compromised when your network is.
- Requirement #2: It Must Be More Secure. Your most business critical communications require stronger security, but anything less than end-to-end encryption is just another set of credentials that can be compromised. End-to-end encryption is the only way to truly up-level security and access to something stronger than a password. And if implemented correctly, end-to-end encryption can also protect against common attack vectors such as insider threats and 3rd-party risk.
- Requirement #3: It Can’t Sacrifice Controls. Security is also about control. End-to-end encryption is only an asset if it doesn’t force you to abandon your security policies, user controls or retained records. And if, in order to maintain those controls, your out-of-band communications tool relies on your network (the one you’re assuming is compromised) for hosting or records exporting, then it’s not really an out-of-band solution to begin with (see Requirement #1).
By focusing on this trifecta, organizations can dramatically strengthen their incident response posture. With this foundation in place, the communication backbone of the response remains reliable and is less likely to be compromised or called into question during a cyber emergency.
Ready to Evaluate Secure Communications Options? Forrester Recognized ArmorText as a Leader
Forrester’s comprehensive evaluation of secure communications solutions positioned ArmorText as a Leader. The Forrester Wave™: Secure Communications Solutions, Q3 2024 report cites how ArmorText “outclasses for SecOps, incident response, and threat-intel-sharing use cases.”
Further, the report states “ArmorText’s platform is purpose-built for out-of-band collaboration to meet the unique needs of security operations teams.”
So, if you’re thinking that reviewing any number of technologies that meet these requirements requires significant effort, you don’t need to start with a blank slate. Get your copy of The Forrester Wave™: Secure Communications Solutions, Q3 2024 report here.
Strengthen Your Incident Communications Now
The FBI warns that communication can make or break your cyber incident response. Secure your communication now: update IR plans with out-of-band procedures, train teams on using them, and assess solutions for secure crisis collaboration. Anyone looking for a best-of-breed out-of-band communications tool would do well to take into account what Forrester had to say:
“Organizations requiring out-of-band communications for incident response, security operations, or threat intel sharing should consider ArmorText.”
Why ArmorText
ArmorText has been recognized as a Leader in The Forrester Wave™: Secure Communications Solutions, Q3 2024 report, which says:

“ArmorText outclasses for SecOps, incident response, and threat-intel-sharing use cases.”

Disclaimer: Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.