Introduction

MITRE ATT&CK, the industry-recognized knowledge base of adversary tactics and techniques, emphasizes the importance of out-of-band communication as a mitigation strategy under Mitigation M1060. This guideline helps security teams ensure reliable and secure communications during specific cyberattack scenarios.

In this article, we explore the attack techniques where out-of-band communication is crucial, the benefits of out-of-band channels, and actionable steps IT and cybersecurity professionals can take to implement them effectively.

‍

Why Out-of-Band Communication Matters in Incident Response

During a cyberattack, standard communication channels such as corporate email, collaboration tools, and internal messaging platforms may be compromised or unavailable. Attackers often target these tools to extract data, disrupt response coordination, and prolong their presence within the system – normally as part of larger, more sophisticated attack.

Out-of-band communication serves three key purposes:

1. Maintains security & control during a breach: it allows incident response (IR) teams to collaborate securely without adversaries eavesdropping or blocking communications.
2. Ensures operational continuity: IT, security, and business stakeholders can coordinate effectively even when core infrastructure is affected.
3. Speeds up response and recovery: clear communication prevents confusion, accelerates decision-making, and reduces downtime.

‍

MITRE ATT&CK Techniques Requiring Out-of-Band Communication

MITRE ATT&CK identifies three key adversary techniques that may necessitate the use of out-of-band communication. These techniques include multiple sub-techniques detailing when teams should switch to alternative communication channels.

Technique 1: Data from Information Repositories

Adversaries may exploit information repositories to gather valuable data. These repositories store a wide range of information, from credentials to internal documentation, which can be leveraged for further attacks, such as:

• Credential access
• Lateral movement
• Defense evasion
• Direct access to sensitive information

‍

Common types of compromised information include:

• Policies, procedures, and security standards
• Network and system architecture diagrams
• Testing and development credentials
• Source code snippets
• Internal resource links
• Personally identifiable information (PII) of employees or customers

‍

‍

Attackers can also abuse external sharing features to exfiltrate sensitive data. Common information repositories targeted include:

• Storage services (e.g., IaaS databases, CRM platforms)
• Collaboration platforms (e.g., SharePoint, Confluence, Git repositories)

‍

In August 2024, sub-technique .005 was introduced to address the growing risk of adversaries exploiting chat and messaging applications to extract sensitive information, such as:

• Microsoft Teams
• Google Chat
• Slack

‍

‍

Beyond data exfiltration, attackers can leverage insights from chat messages to refine their tactics. This includes gathering intelligence on an organization’s environment, identifying key personnel, and adapting their strategies to evade active incident response efforts.

‍

Technique 2: Email Collection

Adversaries may target email accounts to harvest sensitive data. Three sub-techniques observed:

• Collecting emails from compromise individual email clients
• Collecting emails remotely from mail servers
• Collecting emails by forward them covertly

‍

‍

Emails often contain trade secrets, personal information, and details of ongoing incident response efforts. Attackers can use this information to:

• Maintain persistence
• Evade detection
• Counteract security responses

‍

Technique 3: Service Stop

Adversaries may disable critical system services to disrupt operations. This tactic can:

• Hinder incident response efforts
• Prevent security tools from functioning
• Cause operational downtime

‍

By stopping essential security services, attackers create blind spots, making it difficult for security teams to detect and mitigate ongoing threats.

‍

‍

MITRE ATT&CK Mitigation M1060: Best Practices for Out-of-Band Communication

To mitigate the techniques listed above, here are key recommendations for organizations to establish secure alternative communication methods:

‍

1. Establish Pre-Defined Out-of-Band Channels

• Set up an out-of-band communication platform before an attack occurs.
• Options include secure messaging apps or external collaboration tools not tied to internal IT infrastructure.
• Store emergency contact lists outside corporate systems.

‍

2. Use Secure and Isolated Communication Platforms

• Choose cloud-based messaging solutions with end-to-end encryption for secure team collaboration.
• Ensure out-of-band communication tools operate independently from corporate networks.
• Implement multi-factor authentication (MFA) to prevent unauthorized access.

‍

3. Pre-Assign Communication Roles and Protocols

• Clearly define who has access to out-of-band channels and when they should be activated.
• Establish escalation procedures to ensure key stakeholders are informed promptly.
• Regularly update incident response playbooks to incorporate out-of-band communication strategies.

‍

4. Test and Train Teams on Out-of-Band Communication Procedures

• Conduct regular incident response drills incorporating out-of-band communication scenarios.
• Ensure key personnel know how to access and use alternative channels.
• Simulate cyberattack scenarios where primary communication systems are compromised.

‍

5. Continuously Monitor and Improve Out-of-Band Strategies

• Regularly assess the security and effectiveness of out-of-band communication tools.
• Update configurations, access controls, and security policies to address evolving threats.
• Gather feedback from incident response exercises to refine processes.

‍

Implementing Out-of-Band Communication in Your Organization

For IT and cybersecurity professionals looking to enhance incident response capabilities, adopting a structured approach to out-of-band communication is essential. Here’s how to apply MITRE ATT&CK’s M1060 recommendations:

‍

1. Assess Your Current Capabilities

• Identify gaps in your incident response plan where communication breakdowns may occur.
• Evaluate which out-of-band solutions best fit your organization’s size, infrastructure, and security needs.

‍

2. Select the Right Communication Tools

• Choose a secure platform with end-to-end encryption, multi-device access, and offline capabilities.
• Ensure the platform functions independently from corporate networks.
• Implement role-based access control to maintain security integrity.

‍

3. Develop an Out-of-Band Communication Policy

• Define when and how out-of-band channels should be used.
• Assign access privileges to key team members.
• Integrate out-of-band communication into business continuity and disaster recovery plans.

‍

4. Integrate Out-of-Band Communication with Incident Response Playbooks

• Ensure all playbooks include clear instructions on switching to out-of-band channels.
• Define alternative communication methods if the primary out-of-band channel is unavailable.

‍

5. Test and Validate Out-of-Band Communication Regularly

• Conduct tabletop exercises to ensure IR teams are comfortable using out-of-band channels.
• Simulate different attack scenarios to test communication effectiveness.
• Regularly audit and update out-of-band channels to reflect current threats.

‍

Conclusion

Out-of-band communication is not just a best practice - it’s an essential component of an effective incident response plan. MITRE ATT&CK’s Mitigation M1060 underscores the importance of ensuring alternative communication methods remain secure, functional, and readily available during an attack.

By proactively establishing secure, pre-configured out-of-band communication channels, IT and security teams can maintain coordination, reduce response times, and minimize the impact of cyber incidents. Organizations that take these measures today will be far better prepared for tomorrow’s cybersecurity threats.

Does your organization have an out-of-band communication strategy in place? If not, now is the time to implement one.