The Evolving Threat Landscape: Where Out-of-Band Communications Fit – Part Two
2024-01-23 22:00:00 Author: securityboulevard.com

The Cyber Safety Review Board (CSRB) and Microsoft reported on cyberattacks perpetrated by the advanced threat group Lapsus$, also known as DEV-0537 or Strawberry Tempest, emphasizing the growing need for out-of-band communication during cyber incidents. The problem is that out-of-band communication — any communication separate from the primary channel — needs to be used both after an attack (“right of bang”) and before (“left of bang”) to be most effective.

Staying Safe: Left of Bang and Right of Bang

Attackers are listening in well before they’re discovered. They’re surveilling executive communications and discussions between security and technical personnel, looking for information that helps them now while laying the foundation for future exploits. Later, they’re listening in on incident response and remediation communications, taunting and demoralizing those tasked with bringing organizations back online and gaining leverage for ransom negotiations.

When presented with a scenario where their enterprise email or chat tools can’t be trusted, many chief information security officers would be tempted to fire up end-to-end encrypted messaging applications like Signal and WhatsApp. End-to-end encryption ensures that only the right parties can read a message, blocking out even service providers. But, for an enterprise, the right parties can also include legal, compliance and e-discovery teams.

These apps, which CISOs use daily in their personal lives, play an indispensable role in personal privacy but were designed for consumers and not enterprise needs, so they lack centralized enterprise controls — crucial for regulatory, statutory and legal compliance — as well as best practices for organizational security and policy requirements.

While I firmly stand by my belief that organizations should adopt platforms specifically for left-of-bang and right-of-bang needs, I recognize this isn’t always feasible. Budgetary and political considerations are real, and not all organizations will be able to get past one or the other. With some (or a lot of) elbow grease, organizations can adapt consumer privacy-focused messaging apps for enterprise use. Here’s a link to a handy checklist of what you’ll likely want to address if your teams insist on using Signal, WhatsApp or similar applications for security operations, threat intelligence sharing or incident response.

The Makings of a Comprehensive Solution

For organizations that know going offline isn’t an option and recognize the value in improved incident response preparedness and prophylactic protection, it’s important to understand what constitutes a comprehensive solution for protecting communications both left of bang and right of bang.

Here’s a summary of a framework that can be helpful when assessing your options for out-of-band collaboration. In my opinion, the current, common definition of “out-of-band” needs to be expanded because of the enterprise and situational complexities of an adversary that can listen in. An enterprise out-of-band solution should meet the following three requirements:

1. It cannot rely upon self-hosted or in-network infrastructure.
2. It must be end-to-end encrypted and provide greater protection from adversaries than in-band solutions.
3. Audit trails — digital records that chronologically document communications for actions like post-incident investigations — must be present and better protected than communications on in-band platforms without relying on self-hosted or in-network infrastructure.

Those engaging in collective defense measures (e.g. threat intelligence sharing) should be able to maintain their unique governance controls while engaging without impacting others.

Take Immediate Action

1. Evaluate existing channels: Are they secure enough to withstand a sophisticated cyberattack?
2. Consult a framework or checklist: Ensure your current or prospective out-of-band communication platforms meet requirements or that you’ve solved for the right compensating controls.
3. Run drills: Simulate both left-of-bang and right-of-bang scenarios, such as with tabletop exercises, to test the effectiveness of your communication platforms and procedures.

CSRB and Microsoft’s message is clear: Out-of-band communication is vital for cyber threat response. But both of these reports missed the fundamental importance of having certain communications already established in your out-of-band platform before the attack (left of bang). As Lapsus$ has already proven, if it’s worth protecting after the attack, it’s worth protecting before it.

Source: https://securityboulevard.com/2024/01/the-evolving-threat-landscape-where-out-of-band-communications-fit-part-two/