By Ben Kast   /   Jun 30th, 2021

5 Tips for Using Out-of-Band Communication to Bolster Your Incident Response Capabilities

encrypted systems imageIn follow up to my last blog post on Data Encryption Best Practices, I wanted to write about how secure out-of-band communication methods can bolster incident response capabilities. Reflecting on a ransomware themed tabletop exercise I recently facilitated reminded me how important encrypted communications capabilities and systems are – not only for incident response, but in general. Let’s look at the key issues around encrypted systems and what it means for incident response.

What Will Happen if Your Systems Are Encrypted with Ransomware?

Imagine this: all the critical systems on your network are encrypted with ransomware. Further, to the degree that any of your in-band communications systems are still working, since eradication of the ransomware has yet to occur, the perpetrators likely still have access to your network and may well be snooping on your communications. If you use encrypted email, the attackers may even have already exfiltrated encryption keys and be in a position to decrypt your encrypted email messages. Due to all this, you may have already cut your WAN uplink or are about to do so, further limiting network communications capabilities.

How is Your Incident Response Team (IRT) Going to Securely Communicate?

During an attack, your organization is in a state where downtime operational procedures need to kick in. If you have not planned appropriately, you may not have these procedures in place. In which case, not only is your response team having to come up with procedures on the fly, but your organization’s operations are effectively down, with no path to coming back up until systems are restored. As my colleague Dan Featherman pointed out in his recent blog To Pay Or Not To Pay Ransomware Demands, That is The Question this can take some time, even in best case scenarios.

The Importance of Secure Out-of-Band Communication Methods

Out-of-band communication tools can be a life saver. Especially if they have been identified and tested prior to an incident occurring. Operating during an incident like this will be challenging, even for organizations that have planned extensively. If you are flying by the seat of your pants, the level of challenge will be unsettling. Not only does your IRT need to communicate with each other to respond, they also need to communicate with staff members and third parties, as well as be prepared to communicate with partners, customers, media and the public at large.

Miscommunications during an event can make a difficult situation all the more dire. Any obstacles to authorized team members’ abilities to communicate will only increase the risk of miscommunications.

Here are five tips for using out-of-band communications tools to minimize miscommunications during an event and bolster overall incident response capabilities.

  • Establish, approve, and test out-of-band communication methods for use by the IRT once the Incident Response Plan (IRP) has been invoked. These should include:
    1. An encrypted messaging service (my favorite encrypted messaging service is Signal, which comes with smartphone and desktop applications)
    2. An email service where email addresses for IRT members have been established (services like Gmail may be sufficient, but for added security consider an encrypted email service)
    3. A secure file sharing platform for sharing information with the IRT and approved third parties (I am a fan of ShareFile, which also has secure email features), as well as a place to securely store your response plans off network
    4. A secure incident response event tracking log for tracking all response activities
  • Ensure that your IRP, Business Continuity Plan (BCP), and contact lists (for both internal and external entities) are securely stored. Remember, if attackers have already infiltrated your network and your response plans are stored on that network, they likely already have access to them. In which case, they may be at least one step ahead of each of your actions. Therefore, consider storing these in a secure online file sharing service that enables each IRT member to have unique credentials and is protected by MFA. Of course, the credentials should be stored in an encrypted password manager. Further, consider having up-to-date hard copies of the response plans securely stored in locations that are accessible to your IRT. Bottom line, anything stored on in-band systems must be assumed to already be compromised. Plan accordingly.
  • Establish alternative computer hardware (and network connections to the degree needed) for use by IRT members during downtime operations. Ideally, these systems will have hardened configurations, strong access controls, and be equipped with the agreed upon out-of-band communications systems outlined in your response plan (see tip number one). There are options on how this can be done – you can even leverage virtual desktops. Just be sure that whatever solution you go with, you have risk-rated the approach and approved the solution.
  • Factor in how you will communicate with team members outside of the IRT. During downtime operations, it is very important to maintain strong messaging with team members. Team members are often the source of leaks. To minimize the risk of these types of leaks, maintain strong and effective messaging with team members. In your emergency planning, factor in how the messaging will occur during downtime operations. Depending on the size of the organization this may be best handled in different ways. The key is making sure that the methods are established and tested and that team members are trained on the protocols prior to an incident. Any out-of-band communication methods that will be required for these purposes (i.e., cloud-based portal, etc.) should be identified and approved as part of the BCP.
  • Similar to tip four, factor in how you will communicate with partners, customers, media and the public at large. This may be more nuanced depending on which group, but having a plan and methods identified for how these communications will occur in advance, will reduce the time spent finding the solutions during the response, and allow incident responders to stay focused on the response and ultimately recovery.

Incident response is difficult. It presents obstacles for every part of an organization. This makes it inherently stressful. The more you can anticipate how your organization will operate during an incident the better you will be able to implement processes, policies and procedures that will be up to the task of meeting those obstacles. No one wants to dwell on worst case scenarios but having the right plans in place ahead of time is another way to use security to enable your business by further reducing risk. Leveraging secure out-of-band communication methods to facilitate those operations securely can reduce the risk of missteps during the response lifecycle, which is where victims frequently make already bad situations much worse.

If you need help creating an incident reponse plan or assistance with an active cybersecurity incident, please contact us. We can help.

About the Author

Ben Kast

Ben Kast is a Senior Security Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).