Cyber incident response teams have plenty of options when it comes to communication tools: Microsoft Teams, Slack, Zoom and many more. Some require a membership or commercial license; others are free. Some are niche tools designed specifically for incident response, while others are common business communication tools that IR teams have adapted for use during cyber security incidents.
Professionals working in incident response know that, during a live incident, the ideal communication channels may be unexpectedly unavailable for reasons outside their control. For example, if ransomware has brought your Exchange server down, good luck sending emergency emails to your team. If Slack is your main tool and the channel is flooded with malicious traffic, team communication may be compromised.
This potential for communication disruption means that the more tools and avenues team members can fall back on, the faster communication can be restored, and the less time is spent working out how to restore business in general. That can make a real difference. With this in mind, an unconventional option to consider adding to your team's toolbox is the collaboration tool Discord.
What is Discord and what does it do?
Discord was originally created with gaming in mind, but the platform has evolved a great deal. Just as streaming platforms such as Twitch have expanded to include content beyond gaming (performing arts, live music, news and educational content), Discord has broadened its horizons with features that extend well beyond gaming.
It is free and easy to use, and you can bring in new members in a few seconds.
Should Discord Be in Your Incident Response Toolbox?
It allows rapid sharing of files and other information, and works across device platforms (Windows, macOS and Linux as well as iOS and Android). Need to reach it quickly from another platform? There is a browser client that lets you do that.
It is easy to start using Discord: choose a username, supply your email address, and verify with a captcha.
Conversations within Discord are organized into "servers": groups that may be public or restricted by invitation (consider how you would use this in an incident response context).
After gaining access to the platform, users are free to search for existing servers or create their own. Team members can use a Discord bot that automatically notifies them or others when changes or updates occur on the server.
Using Discord in Your Program
Communication takes place inside a server, which can have multiple "channels". This approach is very flexible. For example, you can create a server for your security operations center, your IT department, or any group of users who may need to collaborate during an incident.
In fact, you can have multiple servers and switch between them to increase efficiency and scale, or to adapt to different environments. You can have a text channel for sending pictures or documents from your laptop, and a separate channel for voice communication from your mobile phone.
You probably already see the power of this. For example, after sharing artifacts such as code, packet captures, samples, or log data, team members can immediately join a voice channel to talk about them. They can set up private chat sessions within the platform to work individually. Switching between voice, text, and file-sharing channels can be significantly faster than with other tools.
Of course, the elephant in the room that you must address with the powers that be in your organization is the security of the platform. Can Discord be considered trustworthy for facilitating interactions of such importance?
Discord uses TLS 1.3 for user connections, so information is encrypted in transit. Images and links are proxied through the system to prevent DDoS attacks against individual users. When you click on a link, a pop-up warns you that you are leaving the site.
Discord has built-in IP location checking, so when you log in from a different IP address, you must confirm that it is still you.
One consideration is that, according to the terms of service, you cannot upload or transmit (or attempt to upload or transmit) viruses, Trojan horses, worms, time bombs, cancelbots, corrupted files or data, or similar harmful content.
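The two points above (automated notifications into a channel, and a terms-of-service ban on uploading malicious files) come together in how an IR team would actually push artifact updates into Discord. The following is an added example, not code from the article or from Discord: it describes an artifact by name, size and SHA-256 so that only the hash, never the sample itself, is posted, and it builds the JSON body that Discord's webhook endpoint accepts (the `content` and `embeds` keys, and the 2000-character limit on `content`, are Discord's documented webhook format; the webhook URL below is a placeholder, and `describe_bytes`, `build_incident_payload` and `post_to_webhook` are names chosen for this example).

```python
import hashlib
import json
import os
import urllib.request

# Placeholder only. A real URL is created per channel in the Discord server's
# integration settings and must be treated as a secret (anyone holding it can post).
WEBHOOK_URL = "https://discord.com/api/webhooks/<WEBHOOK_ID>/<WEBHOOK_TOKEN>"

# Discord rejects webhook messages whose `content` exceeds this many characters.
MAX_CONTENT_CHARS = 2000


def describe_bytes(name: str, data: bytes) -> dict:
    """Describe an artifact by metadata only: name, size and SHA-256.

    The sample bytes never become part of the message, which keeps the team
    on the right side of the terms of service while still letting everyone
    verify they are looking at the same file.
    """
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def describe_artifact(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as describe_bytes, but streams a file from disk so large
    captures do not have to fit in memory."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"name": os.path.basename(path), "size": size, "sha256": digest.hexdigest()}


def build_incident_payload(incident_id: str, summary: str, artifacts: list) -> dict:
    """Build the JSON body for a Discord webhook: a short `content` line plus one
    embed whose fields list each artifact's size and SHA-256."""
    content = f"Incident {incident_id} update"
    if len(content) > MAX_CONTENT_CHARS:
        raise ValueError("content exceeds Discord's 2000-character limit")
    fields = [
        {
            "name": art["name"],
            "value": f"{art['size']} bytes\nSHA-256: `{art['sha256']}`",
            "inline": False,
        }
        for art in artifacts
    ]
    return {"content": content, "embeds": [{"title": summary, "fields": fields}]}


def post_to_webhook(url: str, payload: dict, timeout: float = 10.0) -> int:
    """POST the payload as JSON and return the HTTP status code.
    Not called in the test; it needs network access and a real webhook URL."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample input standing in for a suspicious binary pulled from a host.
    artifact = describe_bytes("dropper.bin", b"abc")
    payload = build_incident_payload("IR-0001", "Suspicious binary found on WS-17", [artifact])
    print(json.dumps(payload, indent=2))
    # To actually notify the channel: post_to_webhook(WEBHOOK_URL, payload)
```

The hash-only design is the point: analysts pull the real sample from the team's controlled evidence store, and the Discord channel carries just enough (filename, size, SHA-256) for everyone to confirm they are discussing the same object.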