Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| SC-37 | Out-of-band Channels | Protects | T1071 | Application Layer Protocol |
| SC-37 | Out-of-band Channels | Protects | T1071.001 | Web Protocols |
| SC-37 | Out-of-band Channels | Protects | T1071.002 | File Transfer Protocols |
| SC-37 | Out-of-band Channels | Protects | T1071.003 | Mail Protocols |
| SC-37 | Out-of-band Channels | Protects | T1071.004 | DNS |