The Evolving Threat Landscape: Where Out-of-Band Communications Fit – Part One
2024-1-16 22:0:28 Author: securityboulevard.com

On August 10, 2023, the Cyber Safety Review Board (CSRB) publicly released a critical report detailing cyberattacks perpetrated by Lapsus$ and related threat groups. The report came approximately a year and a half after Microsoft first warned about the advanced persistent threat group they initially dubbed DEV-0537 and later came to call Strawberry Tempest.

One of the most salient points for organizations? Both CSRB and Microsoft highlighted the increasing necessity of out-of-band communication during cybersecurity incidents — out-of-band communication means any alternative system or technology that allows communication separate from the primary channel, prohibiting outsiders from observing internal incident response activities or taunting response teams.

Taking a Step Back: Who Was Lapsus$?

Run by teenagers from their parents’ homes, Lapsus$ successfully targeted high-profile organizations worldwide from late 2021 to 2022. The group focused on extortion, exploiting systemic vulnerabilities in cybersecurity ecosystems to steal source code and disrupt operations. Their activities underline the fragility of global digital infrastructures, as they not only exploited existing weaknesses but essentially laid out a playbook for other cybercriminals to follow. Though they operated amid other criminal groups employing similar methods, Lapsus$ stood out for its effective use of social engineering and supply chain vulnerabilities to gain access to their targets, particularly for using their victims’ corporate communications like Microsoft Teams and Slack to harass and extort them.

The Ongoing Struggle With Communication During Attacks

When Microsoft first rang the alarm bells about Lapsus$, they detailed how the group infiltrated their targets’ communications on tools such as Slack, Teams and conference calls, monitoring an organization’s incident response strategy to gain an unprecedented advantage.

“The actor has been observed then joining the organization’s crisis communication calls and internal discussion boards (Slack, Teams, conference calls and others) to understand the incident response workflow and their corresponding response,” Microsoft stated.

According to Microsoft, Lapsus$ was after “the victim’s state of mind, their knowledge of the intrusion and a venue to initiate extortion demands.”

Microsoft’s advice: “Organizations should develop an out-of-band communication plan for incident responders that is usable for multiple days while an investigation occurs. Documentation of this response plan should be closely held and not easily accessible.”
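As an added example (not code from the article, Microsoft or the CSRB), the following Python sketches the kind of detection a team can run over collaboration-platform audit logs to notice the behaviour Microsoft describes: an account joining the incident-response channel that is not on the responder roster, or a known responder joining from a device outside their baseline. The channel name, roster, device baseline and log format are all constructed assumptions.

```python
"""Flag suspicious joins to a designated incident-response channel.

Added example, not from the article. Assumes a constructed audit-log
format with fields: ts, event, user, channel, device_id, ip.
Rules: (1) join by an account not on the responder roster;
       (2) join by a roster account from a device never seen for that
           user in the baseline (possible stolen session or token).
"""
import json

IR_CHANNEL = "ir-bridge-2023"           # hypothetical IR channel name
RESPONDERS = {"alice", "bob", "carol"}  # hypothetical IR roster

# Constructed baseline: devices each responder normally uses.
BASELINE_DEVICES = {
    "alice": {"dev-a1"},
    "bob": {"dev-b1", "dev-b2"},
    "carol": {"dev-c1"},
}

# Constructed audit-log lines (one JSON object per line), not real telemetry.
SAMPLE_LOG = """
{"ts": "2023-03-01T10:00:00Z", "event": "channel_join", "user": "alice", "channel": "ir-bridge-2023", "device_id": "dev-a1", "ip": "10.0.0.5"}
{"ts": "2023-03-01T10:02:00Z", "event": "channel_join", "user": "bob", "channel": "ir-bridge-2023", "device_id": "dev-b1", "ip": "10.0.0.9"}
{"ts": "2023-03-01T10:05:00Z", "event": "channel_join", "user": "dave", "channel": "ir-bridge-2023", "device_id": "dev-d1", "ip": "203.0.113.7"}
{"ts": "2023-03-01T10:07:00Z", "event": "channel_join", "user": "carol", "channel": "ir-bridge-2023", "device_id": "dev-zz9", "ip": "198.51.100.4"}
{"ts": "2023-03-01T10:08:00Z", "event": "channel_join", "user": "dave", "channel": "general", "device_id": "dev-d1", "ip": "203.0.113.7"}
{"ts": "2023-03-01T10:09:00Z", "event": "message", "user": "alice", "channel": "ir-bridge-2023", "device_id": "dev-a1", "ip": "10.0.0.5"}
"""

def find_suspicious_joins(log_text, ir_channel=IR_CHANNEL, roster=RESPONDERS,
                          baseline=BASELINE_DEVICES):
    """Return a list of (user, reason) for joins to the IR channel that
    violate the roster or the per-user device baseline."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        # Only channel_join events for the IR channel are of interest here.
        if ev.get("event") != "channel_join" or ev.get("channel") != ir_channel:
            continue
        user = ev["user"]
        if user not in roster:
            alerts.append((user, "not on responder roster"))
        elif ev["device_id"] not in baseline.get(user, set()):
            alerts.append((user, f"unseen device {ev['device_id']}"))
    return alerts

if __name__ == "__main__":
    for user, reason in find_suspicious_joins(SAMPLE_LOG):
        print(f"ALERT: {user}: {reason}")
```

Joins to other channels and non-join events are ignored, so the check stays focused on the channel whose membership the responders control.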

CSRB Report Brings Renewed Urgency to Out-of-Band Communications Recommendations

Fast forward a year and a half, and now the CSRB has released its comprehensive report on this elusive enemy, confirming and expanding upon Microsoft’s warnings. The CSRB report emphasized the necessity of out-of-band communication — four times, in fact:

● Effective Incident Mitigation: “Organizations that maintained and followed their established incident response procedures significantly mitigated impacts. Highly effective organizations employed mechanisms such as out-of-band communications that allowed incident response professionals to coordinate response efforts without being monitored by the threat actors.”

● Operational Security: “Some organizations also made use of ‘out-of-band communications’ (any alternative system or technology that allows communication separate from the primary channel), an incident response procedure best established ahead of attacks, to improve response operations by prohibiting threat actors from observing incident response communications and activities or taunting response teams.”

● Resiliency: “Having established and practiced response plans was the final important element of resiliency. For example, in instances where the threat actors took over internal communications used by the response teams, organizations that had previously set up out-of-band communications were able to avoid having their activities monitored or interrupted.”

● Planning for Disruptions: “Develop an internal communication plan that includes how to contact personnel, how to proceed if they are unreachable, and backup, out-of-band communication mechanisms personnel can use if routine lines of communication are disrupted or if their integrity is compromised by the attackers.”

What Both Sides Miss: A Comprehensive Strategy

The problem is that this puts organizations “right of bang.” The “bang” is when an organization learns of an attack. On a timeline, everything to the right of it is the response after an incident has occurred. As Lapsus$’s attacks have shown, out-of-band communications plans should extend to left-of-bang preparation, too — meaning, don’t just have a plan in place to ensure communications are protected once you’re responding to an attack (right of bang), but also consider which communications you wouldn’t want the attackers to see while they’re still surveilling your organization undetected (left of bang).

It Takes a Long Time to Discover a Breach

An IBM report in 2023 revealed that it takes over 200 days to identify a breach. During that substantial gap, whose communications might attackers go after, and what would they look for?

Since the advent of the cloud, enterprise software vendors have pushed clients to consolidate office functions under one vendor, but just because Microsoft says to use O365 for all communications doesn’t mean it’s to your advantage to do so. Keeping all communications in one place has real security implications once you consider what an attacker wants once on the inside: Credentials/passwords/API keys, internal procedures, vulnerability information and a whole lot more. Security operations, DevSecOps, and threat intel-sharing communications are potential gold mines for threat actors seeking to continue or perpetuate an attack.

Organizations need to assume the worst. In part two of this series, we will explore solutions to protect communications before and after an attack.


Article source: https://securityboulevard.com/2024/01/the-evolving-threat-landscape-where-out-of-band-communications-fit-part-one/