Should Discord Be in Your Incident Response Toolbox?

The Discord communication tool, popular with gamers, could be a good choice for incident response teams.

Cybersecurity incident response teams have choices when it comes to communication tools: Microsoft Teams, Slack, Zoom and numerous others. Some require a subscription or commercial license -- others are free. Some are niche tools specifically designed for incident response. Some are generic business communication tools that IR teams have adapted for use during a cybersecurity incident.

Professionals working in incident response know that sometimes, during a live event, normal communication channels may unexpectedly become unavailable for reasons you can't control. For example, if ransomware has brought down your Exchange server, good luck sending emergency emails to your team. If Slack is your main tool and its channels are clogged with malicious traffic, team communications can be compromised.

Because of this potential for disruption, giving team members multiple tools and pathways can mean the difference between rapidly restoring communications and costly time spent trying to figure out a way to get back to business as usual. With this in mind, one unorthodox choice to consider adding to your team's toolbox is the collaboration tool Discord.
Now I know what you're thinking: "Isn't Discord for gaming? Incident response is way too serious for fun and games."

It turns out, though, that Discord is not a toy. Instead, it's a full-featured communications platform with tons of features that incident response teams can make use of right away. At a bare minimum, it's another communication channel to have available should your preferred ones be unavailable -- but I suspect that after you've used it, you'll come to realize it has some advantages over other platforms.

What Is Discord and What Does It Do?

At its core, Discord is a system designed to allow real-time voice and text communication. Designed originally with gaming in mind, the platform has since evolved to be much more. Just as streaming platforms like Twitch have adapted to include content beyond gaming (performance art, live music, news and educational content), Discord has expanded its horizons with features that lend themselves to tasks beyond gaming.

For example, collaboration within Discord is fluid and seamless -- you can have synchronous voice communication happening at the same time as asynchronous text exchanges.

It's free and easy to use, and you can bring new members on in a matter of a few seconds.
It allows rapid file and other information sharing, and it works across device platforms (from Windows, macOS and Linux to iOS and Android). Need access quickly from some other platform? There's a browser client that will let you do that too.

It's easy to get started using Discord. You can download the Discord client or simply use it in your browser. Pick a user name, supply your email address, and verify with a CAPTCHA.
Conversations within Discord are organized into "servers" -- groups of users that can be public or invitation-only (the latter being how you would use it in an incident response context).

After gaining access to the platform, users are free to search for existing servers or start their own. Team members even have access to a Discord bot that will automatically notify them or others when there is a change or update on the server.

Using Discord in Your Program

Communications take place inside servers, which can contain multiple "channels." This approach is very flexible. For example, you might create a server for your security operations center, IT department, or any group of users who might need to collaborate during an incident.

In fact, you can have multiple servers and switch between them to increase efficiency and scale, or to adapt to different environments. You might have a text channel for sending pictures or documents from your laptop. You might use a separate channel for voice communications from your mobile phone. Or you could do both at the same time.

You probably see the power of this already. For example, after sharing artifacts like code, packet captures, samples or log data, team members can instantly join a voice channel to talk through those artifacts. They can establish private chat sessions in the tool to work individually. Switching among voice, text and file-sharing channels can be significantly faster than it is with other tools.

Of course, the elephant in the room that you'll need to address with the powers that be in your organization is the security of the platform. Can Discord be trusted to facilitate conversations of such importance?

It turns out that Discord takes security very seriously. It uses TLS 1.3 for user connections, so information is encrypted in transit. Images and links are proxied through the system to prevent DDoS attacks against individual users. When you click on a link, there is a pop-up that lets you know you're leaving the site.
Discord has built-in IP location tracking, so when you log in from a different IP address you must confirm it's still you. It has two-factor authentication capability and built-in virus scanning.

One potential consideration is that, according to the Discord Terms of Service, you cannot "upload or transmit (or attempt to upload or transmit) files that contain viruses, Trojan horses, worms, time bombs, cancelbots, corrupted files or data, or any other similar software or programs or engage in any other activity that may damage the operation of the Service or other users' computers."
This could constrain usage somewhat: to remain in strict adherence to the terms, you could not directly share malware or other samples. Should you adopt the tool for security use, you would need to inform engineers of this constraint clearly and in advance so that they do not violate the terms inadvertently.

My closing argument is that Discord provides robust communication and collaboration capabilities that can be incorporated directly into an incident response team's available resources. It has the advantage of being "youth friendly" -- meaning, new entrants to your team would have a much higher likelihood of already knowing how to use the tool right from the get-go.

In a pinch and when the chips are down, why stand on ceremony? Make use of a valuable tool that can help you do what you need to get done -- even if the tool in question originally was designed for gaming.