Imagine these scenarios:
- You follow your incident response plan to a tee, but during your first IR team meeting you find the attack has escalated sharply. How could this happen? Chances are the attackers are several steps ahead: they could be listening in on your team call, reading your email discussions about the investigation, or taking advantage of your preoccupation to launch secondary attacks.
- You suffer a ransomware incident that completely disables all of your systems, including your VoIP phone system. Employees cannot access email accounts or boot up laptops and don’t have access to a company directory to contact one another. The company website is down, so posting a message there is not possible.
Quick communication is crucial during an incident response.
Companies have had to resort to posting signs outside their offices instructing employees to go home and not turn on any devices. Employees waste hours trying to find contact information for their colleagues and customers by searching social media.
Out of band communication, also called off band communication, offers a critical solution in these situations.
By using non-standard communication methods, and following protocols that only a select few team members know about, you stand a better chance of staying ahead of the game: you thwart attackers’ attempts to learn your response strategy, and you can still reach colleagues quickly when the usual channels are down.
In this article, we'll delve deeper into what out of band communication is, why it’s an important part of the incident response communication plan, and best practices for implementing it during your next incident response.
If you’re unsure of any of the terms used in this article, visit our Cyber Law Glossary.
What is Out Of Band Communication?
Out of band communication is communication that takes place outside an organization's primary channels and does not depend on the infrastructure behind them. Depending on what your primary channels are, it may include face-to-face conversation, phone calls, text messages, email, Slack channels and more.
The purpose of out of band communication is to provide an alternate means of communication in cases where your company has zero access to devices or where adversaries might be listening in or reading your primary channels.
While out of band communication can be useful in certain situations, it's important to note that it can also create challenges. For example, if alternative methods are used too frequently, it’s more likely attackers will become privy to their use, and implement measures to monitor them.
Another factor to bear in mind when using off band communication methods is the legal requirements that still apply. These channels will normally be subject to the same litigation hold requirements as normal communication channels, so potential evidence cannot be destroyed. Consult legal counsel to find out which protocols should be followed.
Additionally, out of band communication can be abused by those in positions of power, who may use it to circumvent rules or avoid accountability. As a result, it's important to use out of band communication wisely and only in situations where it truly is the best option.
Why Is Out Of Band Communication Critical During A Cyber Incident?
During a cyber incident, there are various scenarios in which using out of band communication methods can be beneficial.
As mentioned above, during a severe ransomware incident, email, phone and other forms of communication may be completely unavailable for hours, days or even weeks.
With modern tactics, if attackers own your network or your email administrator’s account, it is entirely plausible that they are monitoring company email, including messages sent among incident response team members. They may even have access to the IR team’s meeting invites and the corresponding passcodes, and could be listening in on meetings. This can expose a treasure trove of valuable information: the company’s tactical response plans, how the investigation is progressing, and what efforts are being made to halt the attack.
Threat actors could also learn these details if they manage to obtain a copy of your IR playbook through some means. They will then know where you are most likely to look and can deduce which areas you might miss. If attackers know that an incident response meeting is taking place, they can assume that key players are distracted, and they frequently use that window to launch additional attacks. In some instances, the first attack is intended solely as a distraction to set up a secondary, larger scale attack. Attackers may also use the meetings as an opportunity to impersonate incident response team members via email.
Incident response correspondence problems can be avoided by using off band communication techniques that operate outside the company’s usual methods. These can include alternative internet service provider connections, separate email accounts not through company email, prepaid mobile devices and more.
While off band methods can be vital tools in your incident response communication plan, it’s important to follow a couple of best practices. The out of band protocol and associated information such as phone numbers and email addresses should not be published in the IR playbook. If attackers gain access to a playbook that includes these details, the concept of off band communication becomes moot.
It’s also worth bearing in mind that the more people who know about the off band communication methods, the less effective the tactics become. In most cases, it’s inappropriate to communicate out of band communication details to the entire IR team; only a small subset of key individuals should have access to this information.
Out Of Band Communication Examples
Out of band communications are an important part of any incident response plan. They provide a way for responders to stay in touch with each other and with key stakeholders in the event of an emergency. There are many different out of band communication methods available, and choosing the right ones can be critical to the success of an incident response.
- First, consider the needs of your organization. What type of information do you need to communicate, and who needs to receive it?
- Next, think about the infrastructure that you have in place. Is there a way to use existing communications systems, or will you need to set up new ones?
- Finally, consider the environment in which you will be operating. Will you be able to rely on landline phones, or will you need to use satellite phones? Is your VoIP phone system vulnerable in a ransomware attack that hijacks your systems? How difficult will it be to implement each system? While the security of the system is important, it also needs to be relatively simple to set up and use.
Below is a list of some potential options, but it’s a good idea to consult with a technical security expert to determine the ideal methods for your unique situation.
Email and Messaging
If you are lucky enough to have access to email during an incident, other problems can arise. There are a number of ways in which attackers can access regular email accounts including learning credentials through brute force attacks, phishing schemes or spyware. They might even have control over devices employees use to access their email.
Multi-factor authentication significantly reduces the likelihood of an email account being compromised, although not all factors are equal: one-time codes and push approvals can still be phished or worn down by repeated prompts, phishing-resistant factors such as FIDO2 security keys cannot, and a stolen session token bypasses MFA entirely.
If your information security and privacy program is designed to make risk-based decisions, you would weigh the likelihood and feasibility of the attack, the potential harm it could cause, and the cost and effort of a solution. With multi-factor authentication required on all users’ email accounts, the likelihood and feasibility of this attack are low, the potential harm is relatively high, and the cost and effort of the control are relatively low, which makes it an easy decision.
Off band communication could include alternative non-company email addresses for select IR team members, used exclusively in incident response situations. These should have two-factor authentication activated as an extra layer of security.
Email addresses should be shared with and stored by the required parties via secure methods, for example hard copy printouts kept at home or on a wallet-sized card. They should not be shared using regular company email, and new secondary addresses should be issued after a major security incident.
It’s a similar situation for text messaging and other forms of instant messaging: use different channels and accounts, not your usual ones. Don’t forget to ask legal counsel about any protocols you should follow.
Note that there’s still a possibility that out of band communication could be compromised, so users should be careful about what they write in emails. You can ask a technical security expert about communication encryption methods to help reduce attackers’ opportunities, but users should still assume that an untrusted party will read messages.
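The two risks just described, an attacker reading the out of band channel and an attacker impersonating an IR team member on it, can be narrowed by authenticating every out of band message with a key that was handed out offline. The following Python example is added here for illustration and is not code from the original article. It assumes a 32-byte key generated once with make_card_key() and printed on each responder’s wallet-sized card (an assumption, not something the article prescribes), and it gives authenticity and replay protection only, not confidentiality; the message encryption the article leaves to a technical expert would be layered on top.

```python
"""Authenticate out of band (OOB) messages with a pre-shared key.

Added example, not code from the original article. Assumes a 32-byte
key generated once with make_card_key() and handed to each responder
offline (e.g., printed on the wallet-sized card mentioned above); the
key is never sent over company email or chat.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Messages older than this (or more than 60 s in the future) are rejected.
MAX_AGE_SECONDS = 5 * 60


def make_card_key() -> str:
    """Generate the key printed on the card: 32 random bytes as 64 hex chars."""
    return secrets.token_hex(32)


def _canonical(sender: str, ts: int, body: str) -> bytes:
    """Length-prefix each field so 'a|b' can't be confused with 'a' + '|b'."""
    parts = [sender.encode("utf-8"), str(ts).encode("ascii"), body.encode("utf-8")]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_message(card_key_hex: str, sender: str, body: str,
                 ts: Optional[int] = None) -> dict:
    """Attach an HMAC-SHA256 tag over (sender, timestamp, body)."""
    ts = int(time.time()) if ts is None else ts
    key = bytes.fromhex(card_key_hex)
    tag = hmac.new(key, _canonical(sender, ts, body), hashlib.sha256).hexdigest()
    return {"sender": sender, "ts": ts, "body": body, "tag": tag}


def verify_message(card_key_hex: str, msg: dict,
                   now: Optional[int] = None, seen: Optional[set] = None) -> bool:
    """Return True only if the tag matches, the timestamp is fresh and the
    tag has not been accepted before (when a `seen` set is supplied)."""
    now = int(time.time()) if now is None else now
    try:
        sender, ts, body, tag = msg["sender"], int(msg["ts"]), msg["body"], msg["tag"]
    except (KeyError, TypeError, ValueError):
        return False
    if not (now - MAX_AGE_SECONDS <= ts <= now + 60):
        return False  # stale or clock-skewed beyond tolerance: possible replay
    key = bytes.fromhex(card_key_hex)
    expected = hmac.new(key, _canonical(sender, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False
    if seen is not None:
        if tag in seen:
            return False  # exact replay inside the freshness window
        seen.add(tag)
    return True


def demo() -> dict:
    """Constructed scenario: one genuine message, four that must be rejected."""
    key = make_card_key()
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    seen: set = set()
    good = sign_message(key, "alice", "Move to bridge line B. Do not touch DC02.", ts=now)
    forged = dict(good, body="Move to bridge line B. Reboot DC02.")  # attacker edits body
    stale = sign_message(key, "alice", "old instruction", ts=now - 3600)
    return {
        "good": verify_message(key, good, now=now, seen=seen),
        "replay": verify_message(key, good, now=now, seen=seen),
        "forged": verify_message(key, forged, now=now, seen=seen),
        "stale": verify_message(key, stale, now=now, seen=seen),
        "wrong_key": verify_message(make_card_key(), good, now=now, seen=seen),
    }


if __name__ == "__main__":
    print(demo())
```

The receiving side keeps the `seen` set only for the freshness window, so it stays small; the constant-time compare and the length-prefixed canonical form are what keep a tag from being forged or reused against a different sender or body. If the card key is ever suspected to have leaked, it is rotated the same way the article rotates secondary addresses: a new card, distributed offline.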
Internet
General (unencrypted) internet traffic may be intercepted and viewed by attackers by a variety of means. Of note (considering the increase in remote work), without properly implemented and secured VPNs, home networks can pose security risks as can public WiFi networks such as those found in:
- coffee shops
- hotels
- airports
- libraries.
Off band communication methods should be accessed over alternate networks, for example cellular hotspots (MiFi-type devices) and VPNs that do not terminate inside the compromised environment. In a ransomware incident, even if certain components of your environment are not yet disabled, it may only be a matter of time before they are. Find out the most appropriate methods through consultation with a technical security expert.
Computers
During incident response, users should assume that attackers are monitoring their regular individual devices, including desktops and laptops. These may be compromised through spyware and other types of malware spread through phishing emails, physical devices such as USB keys, or some other means.
Ask your tech and/or forensic team whether—based on the specific incident at hand—critical staff including IR team members and select IS and IT staff should use alternative hardware that is solely reserved for incident response situations. These devices should be stored securely and decommissioned and replaced after an incident. While this sounds expensive, there are lots of simple hardware options that will suffice for this purpose and won’t break the bank.
Phones
Similarly, attackers might be monitoring employee mobile devices and company phone systems. As such, IR team members should use separate phones that are only used in incident response scenarios. One inexpensive option is to use a non-smartphone alongside a prepaid service, while another solution is the use of an encrypted calling app. A technical security expert who understands your company’s phone systems will be able to advise on the optimal system.
Not All Off Band Communication Methods Are Necessary During An Incident
Just because you have out of band communication methods in place doesn’t mean you have to use them all in every incident response situation. Each incident is different and may warrant the use of one or more methods of off band communication.
It’s also worth noting that you should continue to use normal methods of communication to send non-sensitive information during incident response. Failure to do so could raise flags for attackers that you are using off band communications and prompt them to make efforts to uncover those methods.
When implemented properly, out of band communication helps ensure sensitive discussions are carried out securely. It makes communication possible when systems are disabled, helps ensure incident response is efficient and effective, and helps avoid the worsening of an attack.
Before using out of band communication methods it’s important to consult a technical security expert. Without this valuable input you could waste time and resources investing in systems that fail to improve security measures.
Preparing for an incident is more than just developing a list of steps to take in response to general cyber threats. It is an ongoing, robust management process that seeks to reduce reputational harm and business downtime in the event of a cyberattack.
Take Your Incident Response Planning to the Next Level
Discover how a comprehensive approach to incident response planning can protect your organization and minimize business downtime in the wake of a cyberattack. Incident response planning is not just about having a checklist for when threats arise—it's about creating a dynamic, ongoing management process tailored to the unique needs of your business. Learn how to fortify your defenses and ensure a rapid, effective response. Explore our guide to incident response planning now.
Looking for more cyber law, privacy law or technical information? ZeroDay Law can help, take a look at our list of services and contact our team with any questions.