• Solutions
    get-secured-now-icon
    ArmorText Suite

    Designed to protect your most critical roles and operations without compromising security or compliance.

    Schedule A Demo
    Products Menu Icon
    Products
    Services Menu Icon
    Services
    Competition Menu Icon
    Competition
  • Use Cases
    Use Cases Menu Icon
    Tier & Protect Strategy™

    Government and defense utilize distinct channels for secret and top secret comms. Your SOC, IR, and Theat communications deserve that same treatment. Deploying an Out of Band comms tool is easy as it runs alongside your day-to-day comms and is only used by a select group of critical roles in your org.

    Schedule A Demo
    Use Case Menu Icon
    Use Cases
    solutions-icon
    Business Case
  • Company
    armortext-footer-logo
    Who We Are
    When a crisis hits, there’s no room for error. You need a partner with proven information security knowledge and real-world problem-solving expertise. ArmorText is here for you.
    About Us
    Company Menu Icon
    Company
  • Resources
    resources-icon
    Resources to
    Keep You Secured
    Keeping your communications safe from the bad guys is an always-moving target. Check out these resources for the latest news, views, and tips on staying safe.
    Learn More
    Resources Menu Icon
    Resources
    Start Here Menu Icon
    Start Here
  • Get Secure Now
    download-icon
    Get Secure Now
    Don’t wait for a cyberattack to put a secure communications plan in place. Get in touch with us today to schedule a personalized ArmorText demo.
    Learn More
    laptop-icon
    Pricing & Downloads
Search
Schedule a Demo

What Makes DEV-0537 / LAPSUS$ So Dangerous?

In March of 2022, Microsoft confirmed it had been tracking a threat group known as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. While their initial targets were in the UK and South America, they globally. The threat actors behind DEV-0537 focused their social engineering efforts around intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships.

DEV-0537 / LAPSUS$: Brazen in All Phases of an Attack

What stands out about DEV-0537 / LAPSUS$ is how brazen they are both before, during, and after attacks. Before attacks DEV-0537 / LAPSUS$ will go so far as to announce their intentions on social media or advertise their intent to buy credentials from employees of target organizations. During attacks, DEV-0537 / LAPSUS$ will intrude on ongoing crisis-communication calls of their targets, impeding remediation efforts as well as spying on incident responders as they discuss ransom payment negotiation strategies, etc.

Regardless of how the threat actor gains initial access, reconnaissance & privilege escalation and ultimately, Exfiltration, destruction, and extortion are their aim. As a part of this, if they successfully gain privileged access they will attempt to modify Office 365 tenant level mail transport rules to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access.

Spying on Incident Response Workflows

To make matters worse, DEV-0537 / LAPSUS$ joins its victims’ crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response. This provides DEV-0537 insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands.

Microsoft’s Recommendation for Improved Operational Security

In light of this, even Microsoft has advised organizations adopt improved operational security practices when responding to intrusions that include out of band communications. The implication being, that Slack, Teams, conference calls, and other channels used normally, cannot play this role.

Out-of-Band Communication for Incident Response: Not a New Idea

But, these recommendations aren’t novel or new. Recommendations to adopt out-of-band comms channels for incident response go back years. CISA, an agency of the United States Department of Homeland Security (DHS) responsible for strengthening cybersecurity and infrastructure protection across all levels of government, has been recommending organizations “establish communication channels (chat rooms, phone bridges) and method for out-of-band coordination” since November 2021.

CISA’s Recommendations

CISA’s other recommendations on this matter include:

  • Segmenting and managing SOC systems separately from the broader enterprise IT systems
  • Preparing for managing sensors and security devices via out-of-band means

These recommendations are part of CISA’s Cybersecurity Incident & Vulnerability Response Playbooks, covering areas like communications & logistics and OPSEC.

Microsoft Repeats its Recommendations for LAPSUS$ Protection

As we rolled into 2023, Microsoft repeated its recommendation on December 29th, 2022 when it recapped 6 Ways organizations can help protect against LAPSUS$. In its repeated recommendation, Microsoft acknowledged that incidents will occur, and that out of band preparedness is a must. Out of band communication solutions provide an alternative way for organizations to communicate during incidents.

Moving Left of Bang

But, this recommendation lacks specifics and falls short. So, what’s missing? A clear statement on how out of band solutions should differ from day-to-day communication platforms and acknowledgement that use of these platforms needs to move left of bang!

Adversaries in Enterprise Collaboration Environments

Adversaries or hackers can often go undetected for long periods of time within enterprise collaboration environments, using this time to perform reconnaissance and gather information on security operations and decision making processes. Your out of band collaboration solution should therefore provide more security than your already breached in-band solutions, not just for incident response but also for day-to-day security operations and executive communications.

The Rub

DEV-0537 / LAPSUS$ aren’t the only threat actors infiltrating communications. Ragnar Locker infiltrated a French retail company’s Microsoft Teams incident response chat and posted screen shots for the world to see, making it clear who was in charge and revealing their victim’s ransom negotiation strategy. During the Solarwinds incident, attackers performed reconnaissance on the communications of their target’s security, incident response, and executive personnel before, during, and after the breach, leading CISA to recommend that all remediation efforts be moved out of band.

The Limitations of Signal and WhatsApp

While apps like Signal and WhatsApp may offer end-to-end encryption, they are often short sighted solutions for enterprise out of band communication needs. These apps lack important features like user management, policy enforcement, and governance, which are critical components of enterprise-level security. Without these features, organizations may be at risk of further security lapses and non-compliance with industry regulations.

What Makes an Ideal Secure Out of Band Solution?

So, what makes an ideal secure out of band solution?

  • E2EE collaboration (messaging, file sharing, voice, video, and screen sharing)
  • E2EE data sovereignty and E2EE retention and review
  • Trust relationships enabling connections with your ecosystem
  • The ability to work alongside existing collaboration investments rather than replace them
  • A secure out of band channel for sensitive communications (SOC, IR, Threat…)

ArmorText Secure Out of Band Collaboration™ offers all of these features and more which is why Forrester Research says ArmorText excels at enabling out-of-band communications… [and] is a great fit for security operations and incident response communications and collaboration, as well as multi-organization threat intelligence sharing.

Share on social

Let’s see what Armortext can provide for your company.

Schedule a Demo
Speak to An Expert

Other blog posts

armortext-footer-logo

A Secure Out of Band Collaboration Platform for Critical Communications

Navigation

Download

Get In Touch

Schedule a Demo With Our Team Now

Copyright 2022 ArmorText | All Rights Reserved

Schedule a Demo
Search