Search

Look Who's Talking About
Out of Band Communications

CISA, Review Of The Attacks Associated with Lapsus$
Effective Incident Mitigation
"Highly effective organizations employed mechanisms such as out-of-band communications that allowed incident response professionals to coordinate response efforts without being monitored by the threat actors."
CISA, Review Of The Attacks Associated with Lapsus$
MIT Sloan Management Review, An Action Plan for Cyber Resilience
Continuity of Operations
"Typically, either email is no longer functional or, if it is, the adversary is reading emails and thereby staying steps ahead of the defense. Diverse and secure communication methods across various stakeholder groups — employees, suppliers, customers, shareholders, law enforcement, and regulators — are critical for the organization to be able to absorb the attack and continue business operations."
MIT Sloan Management Review, An Action Plan for Cyber Resilience
Microsoft, DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction
Compromised Crisis Comms
“[Lapsus$] has been observed then joining the organization’s crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response.”

Accordingly, Microsoft went on to recommend that “organizations should develop an out-of-band communication plan for incident responders.”
Microsoft, DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction
The Forrester Wave™: Secure Communications, Q3 2022
Industry Analysts
ArmorText excels at enabling out-of-band communications… [and] is a great fit for security operations, incident response communications and collaboration, as well as multi-organization threat intelligence sharing.”
The Forrester Wave™: Secure Communications, Q3 2022
Tyler Hudak, To OOB, or not to OOB?
Unavailable Comms
"If you cannot coordinate, collaborate, and inform actions and information about an incident, the incident response will eventually fail. Normally, this isn’t an issue, as organizations have resources like Microsoft 365 email, SharePoint, Slack, and Teams to use to communicate with each other. However, what happens when those technologies are unavailable? That is where OOB communications come in."
Tyler Hudak, To OOB, or not to OOB?
CISA, Review Of The Attacks Associated with Lapsus$
Resiliency
"In instances where the threat actors took over internal communications used by the response teams, organizations that had previously setup out-of-band communications were able to avoid having their activities monitored or interrupted."
CISA, Review Of The Attacks Associated with Lapsus$
InfoSec Twitter
Expert Dialogues
@briankrebs: LAPSUS$ didn't publicize all of its successful intrusions. E.g., it stole gobs of source from SASCAR, a vehicle/fleet tracking company owned by Michelin. The LAPSUS$ leader spent days on the company's incident response bridge, taunting IT pros as they tried to evict the group.

@CommieGIR: The fact that their incident team was not working out of band....You know they are in the network, you know your ops systems are likely compromised. Why would you use those?
InfoSec Twitter
CISA, Review Of The Attacks Associated with Lapsus$
Planning for Disruptions
"Develop an internal communication plan that includes how to contact personnel, how to proceed if they are unreachable, and backup, out-of-band communication mechanisms personnel can use if routine lines of communication are disrupted or if their integrity is compromised by the attackers."
CISA, Review Of The Attacks Associated with Lapsus$
InfoSec Twitter
Expert Dialogues
@NicoleBeckwith: Follow on to last tweet: What is something that you have seen included in an incident response plan that you really liked?

@dwmetz: Pre-established out of band communications plan, and off network digital copies of the critical playbook(s).
InfoSec Twitter
CISA, Review Of The Attacks Associated with Lapsus$
Operational Security
"Some organizations also made use of 'out-of-band communications'...an incident response procedure best established ahead of attacks, to improve response operations by prohibiting threat actors from observing incident response communications and activities or taunting response teams."
CISA, Review Of The Attacks Associated with Lapsus$
Microsoft, 6 Ways to Protect Your Organization Against LAPSUS$
Operational Security Processes for Response
"One hallmark tactic of DEV-0537 is to monitor and eavesdrop on incident response communications in the event of a cybersecurity breach... [companies should] develop an out-of-band communication plan for incident responders that can be used for multiple days while an investigation occurs, and ensure response plan documentation is closely guarded and not easily accessible."
Microsoft, 6 Ways to Protect Your Organization Against LAPSUS$
InfoSec Twitter
Rough Times
@vxunderground: Ragnar Locker ransomware group took screenshots of their targets Cybersecurity Incident Response meeting mid-breach.

(screenshot redacted)

@BushidoToken: Lesson 1. always secure comms channels at the beginning of an IR
InfoSec Twitter

ArmorText gives you confidence that your most sensitive information is secure.

Search