Microsoft's recent 8-K filing following an attack by Midnight Blizzard underscores a stark reality: Breaches are inevitable. It also proves that even incident response and crisis communications infrastructure are vulnerable—that adversaries may linger in your systems and monitor your recovery efforts. If incumbents like Microsoft aren’t able to secure their own comms, what does that mean for other, smaller organizations?
If you are in the midst of an incident or recovering from one, taking secure communications out-of-band on an enterprise-grade solution is indispensable, said Navroop Mitter, CEO of ArmorText, a company that provides such communications services.
While no one wants to be the victim of an attack, there is a silver lining here for MSPs and MSSPs—a secure, out-of-band communications solution can be a valuable add-on offering that helps customers in the event of an attack and keeps incident response and recovery communications safe from attackers. That, in turn, makes it easier to recover and restore operations after a ransomware attack and simplifies compliance with regulators.
Compliance issues are growing in importance for all businesses. For instance, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March 2022. Under the proposed rules, covered entities (the organizations subject to the regulation) must report major cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours. While CISA has said this regulation is unlikely to take effect until late 2025 at the earliest, and possibly not until 2026, compliance drives other business needs.
Even before CIRCIA takes effect, businesses are still bound by statutes around things like records retention and data breach notification procedures, said Mitter.
How Businesses Handle Secure Comms Now
In the event of a breach, many organizations shift to using secure, end-to-end encrypted messaging tools like Signal, Telegram or WhatsApp to coordinate secure incident response and recovery communications, but those can introduce their own set of challenges, Mitter explained.
“The typical go-to solution is, ‘We'll just jump over to Signal or WhatsApp—that’s out-of-band and end-to-end encrypted. We feel safer there.’ In theory, that makes sense, but you still have user management, policy enforcement, and also business records and retention requirements. At the end of 2021 into 2022, we started to get more clarity from DOJ and SEC, the FTC and others that these consumer-grade privacy apps create liabilities because the communications are ephemeral—they disappear. So that means you can’t maintain and retain any of those communications,” Mitter explained.
Governance: Incident Response and Recovery Comms
While incident response and cybersecurity professionals have understood for years that attackers can and do compromise incident response and recovery communications, it’s only been recently that the topic has been explored from a governance standpoint.
“For the longest time, leadership folks have taken the attitude of, ‘Let 'em do whatever they can to figure it out—just get us back online as quickly as possible,’” said J. Matthew Calligan, director, incident response and threat sharing markets, ArmorText.
That is all changing—and the stakes have never been higher for organizations to get out-of-band communications right. What’s changed, Calligan said, is the understanding that any business, of any size and in any industry, is vulnerable to an attack and could be a target.
Assume Breach Mindset
“The ‘assume a breach’ mindset has changed things. In the past, the assumption was that ‘We’re too small or insignificant; attackers don’t care about us.’ And that’s not the case anymore,” Calligan said. “And regulators are saying, ‘If you’re going to assume you’ll be attacked, you must have a plan and that plan must include adherence to these requirements. You don’t get a mulligan anymore,’” he said.
Regulators are increasingly saying that if organizations use consumer-grade products like WhatsApp, Signal, or Telegram, and it can be proven that they did so deliberately to avoid compliance, then additional penalties will be levied, Calligan said.
The commodification of cyberattack tools and the availability of ransomware-as-a-service (RaaS) are key factors driving the increase in cyberattacks worldwide, but AI in the hands of attackers is also giving them new opportunities to use deepfakes to impersonate executives and drive spear-phishing and BEC attacks.
Secure, enterprise-grade, out-of-band communications solutions can also play a role in independent identity verification to help prevent these attacks in the first place, Mitter said.
"It's easier, thanks to AI, to impersonate key personnel and executives. So, suddenly, now your common communications mediums are easily compromised and attackers can perfectly impersonate someone who would actually have access to that account legitimately. So you need an out-of-band channel through which to validate identity," he said.
Besides the compliance and cybersecurity use cases, Mitter added that, for MSPs and MSSPs that want to differentiate themselves, secure, out-of-band communications solutions can play a key role in facilitating information sharing within industry verticals.
Many critical infrastructure sectors have dedicated Information Sharing and Analysis Centers (ISACs), he explained, within which the goal is for organizations and vendors to share threat intelligence and coordinate collective defense. For the most part, these ISACs are effective, but there is more that can be done, he said.
"As an MSP or MSSP, you can actually take your clients of a particular sector type, like financial services or electricity or whatever, and actually create your own inter-sector information sharing networks. And if you're using the same MSP or MSSP, you have the ability to potentially participate in a threat intel sharing or collective defense or knowledge sharing community that is itself secure, and create those kinds of networks for your clients of a particular sector or a particular geography," Mitter said. From there, you can disseminate best practices, highlight collective defense efforts and more.
For security-focused MSPs, offering a secure, out-of-band communications solution can be an effective way to differentiate themselves and deliver increased value to their customers.