Out-of-Band Communications [out-əv-band kə-myo͞o-ni-kā-shəns]
noun
- Any alternative channel for communications operating outside the standard, primary network or systems used by an organization for everyday operations.
- Channels providing an alternative pathway for data transmission, especially crucial during times when the main channels are compromised, unavailable, or unsuitable due to security concerns.
- While these provide a crucial alternative, their inherent security is not guaranteed.
Communications lie at the heart of all operations within modern enterprises, affecting everyone from the factory floor to the C-suite. A breakdown in communication can severely disrupt an organization’s functionality. This was true when email was the primary form of enterprise communication, and even more so today with the proliferation of Microsoft SharePoint, Microsoft Teams, Zoom, Slack, and Google Meet.
Modern enterprises depend on communications technologies to function. While disruptions to any part of a business can impact the bottom line, an inability to communicate is especially detrimental when it hinders key personnel responsible for restoring operations during a crisis. Until those tasked with incident response and remediation are able to communicate, collaborate, and coordinate their efforts — whether the underlying cause is a simple network outage or a more nefarious ransomware attack — teams will be unable to implement plans to bring businesses back online.
It should come as no surprise, then, that thought leaders from the US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) recommend organizations reassess their communication plans for times of need, especially when core communications are disrupted or compromised.
In its assessment of attacks levied by Lapsus$ and related threat groups, CISA’s Cyber Safety Review Board (CSRB) states: “Highly effective organizations employed mechanisms such as out-of-band communications that allowed incident response professionals to coordinate response efforts without being monitored by the threat actors.”
They’re not alone. Thought leaders from Microsoft, MIT, Accenture, DXC, TrustedSec and many others have come to similar conclusions and have shared their insights, as evidenced on ArmorText’s Look Who’s Talking About Out of Band Communications page.
So, just what are out-of-band communications?
Out-of-band communications are alternative technologies that differ from normally utilized communications platforms.
For a team that usually relies on Teams, email, and SharePoint, even unconventional methods such as smoke signals, telegraphs, and tin cans connected by string would qualify as out-of-band communications. While absurd, they fit the technical definition: they are not used daily and are not connected to routine communications platforms or infrastructure.
Herein lies the challenge. Just about anything that allows you to communicate outside your normal go-to solutions could be considered out of band, and, in a pinch, may be okay. But, enterprises have a responsibility to think through this issue, especially as it pertains to the communications their security and incident response teams will use during attacks.
How should organizations think about out-of-band communications for incident response?
Secure Out of Band Collaboration™ is a specific implementation of out-of-band communications, tailored for sensitive enterprise scenarios like incident response. It surpasses even broader secure communications technologies, let alone basic, less secure alternatives.
While we cover nuances of this specific implementation in much more detail in Out-of-Band Communications vs. Secure Out of Band Collaboration, the analysis can be summarized as:
- Consumer Privacy Technologies (e.g. Signal or WhatsApp) lack user management, policy enforcement, governance, and native business records retention capabilities.
- General Enterprise Communications Solutions (e.g. Teams if you are normally on Slack, and vice versa) are no more secure than the potentially compromised systems they replace.
- Secure Out of Band Collaboration™ (e.g. ArmorText) stands apart as a standalone solution. It offers more security (i.e. end-to-end encryption) than standard communications platforms but still provides controls like user management, policy enforcement, and governance without reintroducing on-premise/self-hosted dependencies or sacrificing the security of retained records.
More specifically to incident response, reasons for adopting out-of-band communications — and, even more so, secure out-of-band collaboration — have evolved with the changing threat landscape. In 2017, NotPetya ransomware attacks brought down entire corporate networks, immediately emphasizing the need for redundancy. But during more recent attacks by the likes of Ragnar Locker, Lapsus$, and Scattered Spider, the proliferation of multiple communications technologies across the enterprise, seemingly solving for redundancy, has paradoxically introduced tremendous vulnerability. We examine this evolving threat landscape in Understanding Secure Out-of-Band Collaboration in Incident Response.
Evaluating your options
Working alongside industry experts and thought leaders from across critical infrastructure, we helped develop a method for Evaluating Secure Out-of-Band Options: A 3-Point Checklist as a vendor-agnostic approach to understand potential suitability or shortcomings. At a high level, the checklist distills down to:
- Requirement #1: It must be standalone
- Requirement #2: It must be more secure
- Requirement #3: It can’t sacrifice controls
For each of these three requirements, we provide three criteria to help determine whether it has been met. This framework is highly adaptable and can easily be abstracted to help consider other technologies that may also be required when operating out of band.
But, for those who either a) believe the end-to-end encryption offered by Signal or WhatsApp is enough or b) are being forced because of cost concerns to use Signal, WhatsApp, or similar offerings, we’ve also developed a Checklist of 16 Compliance and Security Considerations that should be addressed before adopting consumer privacy solutions in the enterprise. Broadly, the compensating controls to be addressed fall under the following categories:
- Onboarding/Offboarding
- Collection/Reconstruction of Audit Trails
- Remediation/Risk Reduction
- Policy Enforcement
- Federation Governance/Participant Management
When else are Out-of-Band Communications (or Secure Out-of-Band Collaboration) necessary?
If out-of-band communications, particularly the Secure Out of Band Collaboration variant, come with so many benefits over traditional communications platforms, are there other use cases within an enterprise that warrant exploration of out-of-band options in lieu of normal day-to-day channels?
Enterprise Use Cases for Secure Out-of-Band Collaboration exist across the enterprise, including:
- Incident Response
- Security Operations
- Vulnerability Management
- Boards, C-Suite, and Senior Leadership Communications
- Threat Intelligence Sharing
- Managed Services
- Internal Investigations
- Mergers & Acquisitions
- Finance (i.e. validation of high value transactions)
In each of these use cases, there’s a need for a parallel communications platform that operates outside traditional systems and delivers heightened security while still enabling organizations to meet governance requirements driven by regulatory, statutory, and legal concerns.
The ArmorText Advantage
From smoke signals and tin cans to WhatsApp, there are plenty of out-of-band communications options, but when heightened security without sacrificing enterprise controls and governance is warranted, ArmorText’s Secure Out of Band Collaboration™ fills the critical gaps left by other communication solutions.
ArmorText provides the only end-to-end encrypted, 100% cloud-based platform for messaging, file sharing, voice, video, and screen sharing with end-to-end encrypted governance. Our unique offerings extend beyond out-of-band communications to include a Business Continuity and Disaster Recovery (BCDR) solution in Crisis Response Reserve Capacity and an out-of-band management and integration pathway via our Secure Gateway.
ArmorText was built from the ground up as a secure out-of-band collaboration solution, not a general secure messaging solution shoehorned to fit a new market need. To understand the distinction, it’s crucial to examine Why ArmorText’s User+Device Specific End-to-End Encryption Beats Other Options. In this analysis, benefits stemming from ArmorText’s patented user+device specific / scope-of-review specific end-to-end encryption are discussed in comparison to solutions leveraging:
- End-to-end encrypted (E2EE) communications, but relying on on-premise hosting of exported audit trails
- Enterprise key management
- Shared seeds, keys or recovery codes
- The check-in and check-out system for keys from key escrow
- Sole reliance on encryption-in-transit and encryption-at-rest
Conclusion
The evolution of cyber threats and increasing regulatory compliance demands make it clear that out-of-band communications are an indispensable facet of enterprise security strategy. However, it’s secure out-of-band communications that truly empower organizations to withstand and respond to cyber adversities effectively. Through Secure Out of Band Collaboration™, ArmorText not only defines but exemplifies the standard for secure, compliant, and efficient organizational communication, ensuring that enterprises are not just connected but protected.