{
	"id": "6d6267ae-0f6f-46f5-92b5-c28fa6901cb5",
	"created_at": "2026-04-06T00:18:28.804832Z",
	"updated_at": "2026-04-10T03:20:02.124758Z",
	"deleted_at": null,
	"sha1_hash": "bd707c47db0777dec784fcb032927a976dd43c1d",
	"title": "To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59019,
	"plain_text": "To OOB, or Not to OOB?: Why Out-of-Band Communications are\r\nEssential…\r\nArchived: 2026-04-05 18:54:29 UTC\r\ntl;dr\r\nOut-of-band (OOB) communications are alternative systems or technologies that allow responders to\r\ncollaborate, coordinate, and inform during an incident.\r\nOOB should not use any existing, normal infrastructure.\r\nOOB should provide email, voice, and real-time communications capabilities; mass one-way\r\ncommunications to employees, clients, and the public; and file storage.\r\nEnsure that your OOB solution meets any internal legal requirements.\r\nSet up OOB before an incident occurs.\r\nTest your OOB platforms.\r\nCommunications are critical during an incident. If you cannot coordinate, collaborate, and inform actions and\r\ninformation about an incident, the incident response will eventually fail. Normally, this isn’t an issue, as\r\norganizations have resources like Microsoft 365 email, SharePoint, Slack, and Teams to use to communicate with\r\neach other. However, what happens when those technologies are unavailable? That is where OOB communications\r\ncome in.\r\nOOB communications are alternative technologies that are utilized outside of your normal, existing\r\ncommunications systems to allow response teams to collaborate during an incident. It is important to note that\r\nthese technologies are outsideof your existing infrastructure–they are systems that you do not use daily and are\r\nnot tied to your current communications systems or infrastructure. In other words, if you use M365 and Active\r\nDirectory, then Teams is not OOB and neither is anything that uses AD authentication. OOB needs to be\r\ncompletely separate.\r\nWhen is OOB needed?\r\nOOB communications are commonly used when existing communications are unavailable, or they either are, or\r\nare suspected to be, untrustworthy. 
Examples of situations that could make systems unavailable include a vendor\r\noutage, a severe storm, a ransomware event, or a DDOS attack. During these times, OOB provides a backup to the\r\nexisting systems’ functionality.\r\nCommunications are considered untrustworthy if you are no longer confident that their confidentiality or integrity\r\nis intact. This often occurs either during an incident where the threat actor has successfully compromised your\r\ncommunications systems (usually email or chat) or when the possibility exists that they may have. Since you\r\nshould keep your incident response actions confidential, organizations should automatically go OOB once an\r\nincident reaches a high severity level or if they have indicators that their communications systems have been\r\ncompromised.\r\nIt may sound unlikely that an attacker would use your communications systems against you during an incident,\r\nbut it happens more often than many realize. In 2016, Nick Carr described a case he worked in which the attacker\r\nwas targeting the external IR team, which the attacker knew about because they were monitoring the victim’s\r\nemail. In September 2022, an attacker who compromised Uber announced it by sending a message through the\r\ncompany’s Slack. These are not isolated incidents but serve to highlight why OOB is necessary during an incident.\r\nOOB may also be used when you need to reach many people at once. Some organizations have pager systems to\r\ncontact all employees in the event of a disaster or outage. They are usually used for weather events but can also be\r\nused to let employees know the status of a major IT outage or security event.\r\nWhat should OOB do?\r\nOOB requirements look different for every organization. 
To determine yours, look at how you would need to\r\ncommunicate during an incident to organize, inform, and respond effectively. This should include:\r\nEmail\r\nReal-time chat\r\nVoice\r\nEmergency one-way messages to all employees\r\nFile storage\r\nExternal websites to communicate with clients, the media, or the public\r\nUnderstand that you do not need to set up OOB for every employee, except for maybe having employees opt-in\r\nfor the emergency one-way system. OOB communications should be restricted to only those who need to help the\r\norganization respond and recover from the incident. OOB should be looked at as a temporary system that is used\r\nwhile you recover your normal communications systems and ensure that their integrity has not been compromised.\r\nOne note on OOB file storage–be sure that whatever you choose has sufficient space to store anything within an\r\nincident, such as evidence. Additionally, upload any policies and procedures, such as Incident Response plans or\r\nplaybooks, to the file storage before an incident occurs.\r\nOOB considerations\r\nFor whatever OOB solution you choose, make sure that you meet any requirements from your legal team. Legal\r\nteams may require that OOB can log, save, or back up all communications, or that data is stored for a specific\r\nlength of time. This could be required if a legal hold is put in place on the organization for the incident.\r\nAdditionally, examine the security and usage around the solution you use; don’t just find something that is\r\nconvenient. For example, many organizations I have talked to on Tabletop Exercises state that they use SMS\r\ntexting or a free application, like WhatsApp, on personal devices for OOB. 
That sounds great until they realize\r\nthat there may be little security around those applications and that using them on personal devices may also mean\r\nthat they could be compelled to turn those devices over during litigation. (It’s funny how often requirements\r\nchange once someone realizes that their personal device may be used in a work litigation.)\r\nWhen should you set up OOB?\r\nYesterday.\r\nOOB communications need to be set up before an incident occurs. Organizations that wait for an incident to find\r\nOOB solutions waste valuable time that could otherwise be spent investigating and recovering and may even find\r\ntheir OOB solution pulled away from them.\r\nA great example of this occurred when the city of Baltimore was responding to their 2019 ransomware attack.\r\nThey had instructed city employees to create Gmail accounts to continue operations. This not only violated\r\nGoogle’s policies for free accounts, but it also set off security alarms when many Gmail accounts were created\r\nfrom the same location. Google subsequently locked or deleted all the new accounts, and Baltimore’s OOB email\r\nsystem was no more.\r\nAdditionally, don’t set up your OOB and forget about it. Test your OOB on a yearly basis (at minimum) to ensure\r\nthat it works as expected and that everyone can connect. You may also consider having devices, such as tablets,\r\nthat are preconfigured to connect to OOB platforms. This will ensure that operators can open the tablets and\r\nconnect without having to remember how to use OOB.\r\nDon’t reinvent the wheel!\r\nThe good news is that organizations may already have OOB systems. Communications and business continuity\r\nteams frequently have OOB systems for disaster recovery or to communicate with employees during events, such\r\nas severe weather. 
Incident Response teams can often piggyback on these solutions to use during a cyber security\r\nincident, and if you already have the solution in-house, chances are the procedures to use them have already been\r\nwritten.\r\nOOB communication systems are a reality that organizations need to plan for. Taking the time now to set up OOB\r\nfor needed communications will save the organization many headaches–both technical and operational. In turn,\r\nthis allows responders to focus on what matters–getting the organization back up and running.\r\nSource: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response"
	],
	"report_names": [
		"to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd707c47db0777dec784fcb032927a976dd43c1d.pdf",
		"text": "https://archive.orkl.eu/bd707c47db0777dec784fcb032927a976dd43c1d.txt",
		"img": "https://archive.orkl.eu/bd707c47db0777dec784fcb032927a976dd43c1d.jpg"
	}
}