Understanding Secure Out-of-Band Collaboration in Incident Response

In Out-of-Band Communications vs. Secure Out of Band Collaboration we examined how Secure Out of Band Collaboration™ addresses security, transparency, and independence to deliver a variant of out-of-band communications better suited for enterprise use cases like incident response.

It is also helpful to look at this topic through the lens of real-life attacks, which show how conditions in the threat landscape have changed over time.

Private sector organizations intuitively moved out-of-band during the 2017 NotPetya attacks

In 2017, the NotPetya attacks served as a grim reminder of our increasing dependency on interconnected digital systems. NotPetya presented itself as ransomware but functioned as a destructive wiper: entire corporate networks were brought to their knees, illustrating the need not just for robust cybersecurity measures but also for effective redundancy in communications. Its effect was outright disruption of its victims' operations, which, for many of them, included complete communication outages.

Companies such as Mondelez, Maersk, and Merck were among those severely impacted (Norsk Hydro faced the same problem two years later, when LockerGoga ransomware hit it in 2019). These organizations faced a common critical challenge: the loss of internal communications systems. This disruption severely hampered executive communications, incident response efforts, and general operations, underlining the importance of having a resilient out-of-band communication strategy.

Mondelez, a global leader in the food and agriculture sector, experienced particularly devastating losses. The company reported the loss of 1,700 servers and 24,000 laptops, effectively losing access to all internal communication channels. The severity of the situation forced the organization to adopt unconventional methods to maintain operations and incident response:

  • WhatsApp Phone Trees: Mondelez resorted to building WhatsApp phone trees, which carried operational communications and served as an out-of-band channel for incident response, showing the improvisation such crises demand.
  • Yammer for Executive Communication: To ensure the broad dissemination of executive and senior leadership messages, Mondelez stood up Yammer as an emergency communication platform. This served as a critical tool for maintaining leadership directives and company morale during the recovery process.
  • Financial Impact: The financial toll on Mondelez was staggering, with losses exceeding $100 million. Recovering a portion of these losses took years of litigation with its insurer, which was only settled in 2022, highlighting the long-term financial ramifications of such attacks.
  • Operational Disruptions: While the direct loss of systems critical for production was a significant issue, the unavailability of communication channels to coordinate recovery efforts posed an equally daunting challenge. Without normal communication channels, it was harder both to bring production facilities back online and to make use of them while other core systems remained compromised.

The NotPetya attacks of 2017 demonstrated the practical necessity of out-of-band communications. Had this been addressed as part of incident response preparedness, these companies would have saved the considerable time they spent re-establishing communications.

But today's attackers are all about reconnaissance

In our previous discussion on Guarding The Guardians: How Secure Comms Outwit Cyber Spies, we highlighted the strategic importance of safeguarding pre-incident communications. Recent cyber incidents involving threat actors like Ragnar Locker, Lapsus$, and Scattered Spider have demonstrated that the most popular enterprise communication suites can all be compromised in the same way: they are typically federated to the same corporate identity provider, so a single stolen account or single sign-on session opens email, chat, and conferencing alike. The broad adoption of multiple enterprise communication tools for redundancy has therefore, paradoxically, widened the attack surface rather than reduced it.

The misconception harbored by many organizations is that diversifying communication platforms across similar cloud-based services such as email, Slack, Teams, Zoom, and WebEx inherently strengthens their cyber defense. On the contrary, the very features that make these platforms user-friendly and integral to everyday operations become their weak points. Adversaries exploit these platforms to perform detailed reconnaissance, aiming to uncover and monitor critical communications related to incident response, security operations, and executive decisions.

In scenarios devoid of secure out-of-band communications, adversaries not only gain substantial advantages through observing incident response communications, but also leverage this access to taunt and demoralize their victims. By infiltrating remediation and response coordination channels, attackers can assert their presence, disrupt the response process, and gain insights into sensitive areas of operation, including ransomware negotiation strategies.

The US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and Microsoft have both recommended out-of-band communications as a necessary response to modern attacks, underscoring that a mere diversity of communication options is insufficient to counteract the evolving threat landscape.

CISA recommends government and private sector entities adopt out-of-band communications

In December 2020, the US Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) publicly recommended the adoption of out-of-band communications. In an alert directed at federal, state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations, CISA stated it had "observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel."

The alert went on to clarify that “discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures,” which were to include, among other things, “out-of-band communications guidance for staff and leadership.”

Since then, this recommendation has been repeated in the wake of Ragnar Locker, LAPSUS$, and Scattered Spider.

In its July 2023 publication Review of the Attacks Associated with LAPSUS$ and Related Threat Groups, the DHS Cyber Safety Review Board (CSRB) stated that "highly effective organizations employed mechanisms such as out-of-band communications that allowed incident response professionals to coordinate response efforts without being monitored by the threat actors."

Wakeup call: Ragnar Locker’s breach of a French retail company

Ragnar Locker's breach of a French retail company's internal Microsoft Teams-based incident response chatroom stands as a stark wakeup call to organizations worldwide. The attackers not only infiltrated the company's defenses but also read its incident response communications, and used that access to demonstrate control over the situation. They made it clear that any attempt to negotiate or reduce the ransom demand was futile, since they were privy to the company's entire incident response strategy.

The breach’s impact was magnified when Ragnar Locker went further, publicly embarrassing the company by posting live screenshots from inside their incident response chat. This act of psychological warfare highlighted the severe consequences of inadequate secure communications and showcased both a loss of control over the situation and a significant compromise of the company’s negotiation position and strategy.

This incident, echoed by similar actions against Western Digital’s incident response team, serves as a compelling reminder that reliance on common communication platforms without adequate security measures can lead to disastrous outcomes, including public embarrassment and compromised incident response efforts.

After becoming a victim of Lapsus$, Microsoft made the same recommendation

In its 2022 briefing in the wake of being attacked by Lapsus$, Microsoft’s Threat Intelligence Center stated, “the actor has been observed then joining the organization’s crisis communication calls and internal discussion boards (Slack, Teams, conference calls and others) to understand the incident response workflow and their corresponding response.”

Microsoft also made clear that Lapsus$ was after "the victim's state of mind, their knowledge of the intrusion and a venue to initiate extortion demands."

Microsoft ultimately recommended: "organizations should develop an out-of-band communication plan for incident responders that is usable for multiple days while an investigation occurs. Documentation of this response plan should be closely held and not easily accessible." They later repeated this recommendation in their end-of-year review post, 6 Ways to Protect Your Organization Against LAPSUS$, published in Dark Reading.

Today, Scattered Spider has Microsoft doubling down on its OOB recommendation

In the fall of 2023, in the wake of Scattered Spider's crippling attacks on MGM, reporting by SC Magazine confirmed Microsoft's assessment that the threat actor had infiltrated its victims' communications: "Microsoft warned network defenders that Scattered Spider's use of social engineering and living-off-the-land techniques, together with its strong capabilities across a wide range of toolsets, could necessitate a 'slightly unorthodox' approach to hunting the group." The report continued: "They also warned the group had been observed joining, recording and transcribing calls, and sending messages, on its victims' corporate communications platforms. This activity was used to taunt and threaten staff, and to gain insights into incident response operations and planning."

Embracing secure out of band collaboration for resilient incident response

The imperative for secure, resilient communication channels in incident response cannot be overstated. Lessons learned from the Mondelez incident during the NotPetya attacks and the sophisticated reconnaissance and psychological warfare tactics employed by Ragnar Locker, Lapsus$, and Scattered Spider underscore two critical realities. First, that the loss of core communications can severely hamper incident response efforts, and second, that redundancy in communication options, including cloud-based platforms, is insufficient in the face of adversaries poised to exploit these same channels against us.

These real-world examples highlight a pivotal gap in our current cybersecurity defenses—one that Secure Out of Band Collaboration™ is uniquely designed to fill.

As detailed in our piece Out-of-Band Communications vs. Secure Out of Band Collaboration, Secure Out of Band Collaboration™ offers a purpose-built solution that not only ensures continuity of communication when traditional channels fail but does so with the security and governance needed during incident response.

The time to reinforce your incident response communications with Secure Out of Band Collaboration™ is now.

Ready to learn more? Check out our other posts in this series...

What are Out-of-Band Communications?
Out-of-Band Communications vs. Secure Out of Band Collaboration
Understanding Secure Out-of-Band Collaboration in Incident Response
Evaluating Secure Out-of-Band Options: A 3-Point Checklist
Enterprise Use Cases for Secure Out-of-Band Collaboration
Why ArmorText’s User+Device Specific End-to-End Encryption Beats Other Options


Let's see what ArmorText can provide for your company.