In March of 2022, Microsoft confirmed it had been tracking a threat group known as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. While their initial targets were in the UK and South America, they expanded globally. The threat actors behind DEV-0537 focused their social engineering efforts around intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships.
DEV-0537 / LAPSUS$: Brazen in All Phases of an Attack
What stands out about DEV-0537 / LAPSUS$ is how brazen they are before, during, and after attacks. Before attacks, DEV-0537 / LAPSUS$ will go so far as to announce their intentions on social media or advertise their intent to buy credentials from employees of target organizations. During attacks, DEV-0537 / LAPSUS$ will intrude on ongoing crisis-communication calls of their targets, impeding remediation efforts and spying on incident responders as they discuss matters such as ransom payment negotiation strategies.
Regardless of how the threat actor gains initial access, reconnaissance and privilege escalation follow, and ultimately exfiltration, destruction, and extortion are their aim. As part of this, if they successfully gain privileged access, they will attempt to modify Office 365 tenant-level mail transport rules to send all mail in and out of the organization to a newly created account, and then remove all other global admin accounts, so that only the actor has control of the cloud resources, effectively locking the organization out of all access.
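A defender-side check for the pattern described above, as an added example that is not from Microsoft or the original article: it scans audit records for a transport rule that copies or redirects mail and correlates it with Global Administrator removals by the same actor. The record layout (including the `Role` and `Target` fields) is a simplified assumption, and the sample log is constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records, simplified from the shape of Microsoft 365
# unified audit log entries; the Role/Target fields are assumptions.
SAMPLE_LOG = """\
{"CreationTime":"2022-03-01T09:02:11","UserId":"svc-new@example.com","Operation":"New-TransportRule","Parameters":[{"Name":"Name","Value":"archive"},{"Name":"BlindCopyTo","Value":"svc-new@example.com"}]}
{"CreationTime":"2022-03-01T09:05:40","UserId":"svc-new@example.com","Operation":"Remove member from role.","Role":"Global Administrator","Target":"alice@example.com"}
{"CreationTime":"2022-03-01T09:05:58","UserId":"svc-new@example.com","Operation":"Remove member from role.","Role":"Global Administrator","Target":"bob@example.com"}
{"CreationTime":"2022-03-01T11:30:00","UserId":"carol@example.com","Operation":"Set-TransportRule","Parameters":[{"Name":"Name","Value":"disclaimer"},{"Name":"ApplyHtmlDisclaimerText","Value":"Confidential"}]}
{"CreationTime":"2022-03-02T08:00:00","UserId":"carol@example.com","Operation":"Remove member from role.","Role":"Helpdesk Administrator","Target":"dave@example.com"}
"""

RULE_OPS = {"New-TransportRule", "Set-TransportRule"}
REDIRECT_PARAMS = {"BlindCopyTo", "CopyTo", "RedirectMessageTo"}
WINDOW = timedelta(hours=24)  # correlation window around the rule change

def parse(log_text):
    """Parse one JSON record per line and sort by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["CreationTime"])
    return sorted(events, key=lambda e: e["ts"])

def mail_redirect(event):
    """Return the recipient if a transport rule copies or redirects mail."""
    if event["Operation"] not in RULE_OPS:
        return None
    for p in event.get("Parameters", []):
        if p["Name"] in REDIRECT_PARAMS:
            return p["Value"]
    return None

def detect(log_text):
    """Alert on mail-redirecting rules; escalate if the actor also removed admins."""
    events = parse(log_text)
    alerts = []
    for e in events:
        dest = mail_redirect(e)
        if dest is None:
            continue
        removed = [x["Target"] for x in events
                   if x["Operation"] == "Remove member from role."
                   and x.get("Role") == "Global Administrator"
                   and x["UserId"] == e["UserId"]
                   and abs(x["ts"] - e["ts"]) <= WINDOW]
        alerts.append({"actor": e["UserId"], "redirect_to": dest,
                       "admins_removed": removed,
                       "severity": "critical" if removed else "review"})
    return alerts
```

A mail-redirecting rule on its own is raised for review; the same actor stripping Global Administrator members within the window is what marks the lockout pattern as critical.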
Spying on Incident Response Workflows
To make matters worse, DEV-0537 / LAPSUS$ joins its victims’ crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response. This provides DEV-0537 insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands.
Microsoft’s Recommendation for Improved Operational Security
In light of this, even Microsoft has advised organizations to adopt improved operational security practices when responding to intrusions, including out-of-band communications. The implication is that Slack, Teams, conference calls, and other channels in normal use cannot play this role.
Out-of-Band Communication for Incident Response: Not a New Idea
But, these recommendations aren’t novel or new. Recommendations to adopt out-of-band comms channels for incident response go back years. CISA, an agency of the United States Department of Homeland Security (DHS) responsible for strengthening cybersecurity and infrastructure protection across all levels of government, has been recommending organizations “establish communication channels (chat rooms, phone bridges) and method for out-of-band coordination” since November 2021.
CISA’s other recommendations on this matter include:
- Segmenting and managing SOC systems separately from the broader enterprise IT systems
- Preparing for managing sensors and security devices via out-of-band means
These recommendations are part of CISA’s Cybersecurity Incident & Vulnerability Response Playbooks, covering areas like communications & logistics and OPSEC.
Microsoft Repeats its Recommendations for LAPSUS$ Protection
As we rolled into 2023, Microsoft repeated its recommendation on December 29th, 2022 when it recapped 6 Ways organizations can help protect against LAPSUS$. In its repeated recommendation, Microsoft acknowledged that incidents will occur, and that out of band preparedness is a must. Out of band communication solutions provide an alternative way for organizations to communicate during incidents.
Moving Left of Bang
But, this recommendation lacks specifics and falls short. So, what’s missing? A clear statement on how out of band solutions should differ from day-to-day communication platforms and acknowledgement that use of these platforms needs to move left of bang!
Adversaries in Enterprise Collaboration Environments
Adversaries or hackers can often go undetected for long periods of time within enterprise collaboration environments, using this time to perform reconnaissance and gather information on security operations and decision making processes. Your out of band collaboration solution should therefore provide more security than your already breached in-band solutions, not just for incident response but also for day-to-day security operations and executive communications.
DEV-0537 / LAPSUS$ aren’t the only threat actors infiltrating communications. Ragnar Locker infiltrated a French retail company’s Microsoft Teams incident response chat and posted screenshots for the world to see, making it clear who was in charge and revealing their victim’s ransom negotiation strategy. During the SolarWinds incident, attackers performed reconnaissance on the communications of their target’s security, incident response, and executive personnel before, during, and after the breach, leading CISA to recommend that all remediation efforts be moved out of band.
The Limitations of Signal and WhatsApp
While apps like Signal and WhatsApp may offer end-to-end encryption, they are often shortsighted solutions for enterprise out of band communication needs. These apps lack important features like user management, policy enforcement, and governance, which are critical components of enterprise-level security. Without these features, organizations may be at risk of further security lapses and non-compliance with industry regulations.
What Makes an Ideal Secure Out of Band Solution?
So, what makes an ideal secure out of band solution?
- E2EE collaboration (messaging, file sharing, voice, video, and screen sharing)
- E2EE data sovereignty and E2EE retention and review
- Trust relationships enabling connections with your ecosystem
- The ability to work alongside existing collaboration investments rather than replace them
- A secure out of band channel for sensitive communications (SOC, IR, Threat…)
ArmorText Secure Out of Band Collaboration™ offers all of these features and more, which is why Forrester Research says “ArmorText excels at enabling out-of-band communications… [and] is a great fit for security operations and incident response communications and collaboration, as well as multi-organization threat intelligence sharing.”