Brad Garnett

Brad Bits: March 4, 2025 (CyberLawCon)

Hello reader,

Welcome to another edition of Brad Bits. I am fresh off CyberLawCon, and I wanted to share my experience with you.

Executive Summary

This was the first edition of what will likely be an annual conference that brings experts together from law and cybersecurity to explore the rapid and evolving landscape of cyberlaw. Chris Krebs was the keynote speaker and addressed the following key points in his keynote as it relates to what's driving cyber risk:

  • Threat Landscape: from geopolitics to cyber regulation. The complex cyber threat landscape is what keeps us up at night as professionals and how prepared our organizations are to respond to a cyber incident.

  • Complexity in the Enterprise: no surprise here, and just as organizations are on a digital transformation that is in overdrive due to Gen AI, organizations’ cyber capabilities, technical debt, and business priorities are not aligned.

  • Product Quality: all you have to do is read about the impact of vulnerabilities in the enterprise and how organizations are not prepared for supply chain and third-party risk. This also starts with the Secure Development Lifecycle (SDL) into building great software and great products.

  • Business Priorities: IT and security teams not properly aligned with the business. For me, this was a theme throughout the conference and what we can do as practitioners to thread the needle and collaborate across the organization to ensure priorities are aligned. There was even one panel discussion from general counsel at a major technology company that discussed tips on building on those internal personal relationships in the enterprise to drive alignment.

My Key Takeaways

  • Collaboration: Business is about connecting with and adding value. Collaboration across stakeholders to drive alignment, influence decisions, and deliver value is intimately connected. Collaboration and communication were themes on all the panels and how lawyers and practitioners in cybersecurity can work together. Several of the lawyer panelists discussed how they focus on being catalysts for their clients and organizations vs blocking an initiative.

  • Regulatory and Enforcement Insights: From the SEC, DOJ, and CIRCIA, it was great to hear from the legal community on compliance, avoiding regulatory issues, but also some practical tips for responding to regulators.

  • Emerging Tech: Generative AI was the centerpoint for emerging tech. I won't belabor this topic, but the use of Generative AI within the organization and its workforce will present legal challenges.

  • Incident Response: My bread and butter. The topics ranged from attorney-client privilege, to pay or not to pay the ransom, and integrating eDiscovery capabilities for Incident Response. I have observed organizations and even the legal community cross the streams on Cyber Incident Response and eDiscovery. It was great to hear from long-time legal vets to remind attendees that these are not the same. I will say the debate over whether to complete a DFIR report, or to not complete a DFIR report or provide mitigation recommendations, continues no matter what side of the aisle you fall on. As an IR expert, I see both sides. In anticipation of litigation and depending on if a prior relationship existed, I can see why a verbal readout of any findings and recommendations may be required. On the flip side, I've had to testify in court on digital evidence before, and when I am deposed years down the road or required to testify in court, I want to refer to the forensic deliverable.

In Closing

I am grateful I was able to attend CyberLawCon last week to catch up with old colleagues and meet new folks. It's so refreshing to see the larger legal community really embed themselves in cyber and become a conduit to enable the business. Finally, I won't list all of my lawyer friends here, or colleagues I was able to catch up with last week in D.C., but a special shoutout to Eric P and John H for their support and putting on a great conference. Well done! Until next time...

Encore: I am considering a video blog (vlog) to go with my blog posts that would be exclusive for my followers/fans/subscribers. If you are interested, please consider joining my mailing list.

For more information on CyberLawCon, please visit CyberLawCon.com.

Brad Garnett

Brad Bits: January 15, 2025

Happy New Year everyone! I hope you enjoyed your holidays with loved ones and are re-energized for the new challenges in 2025. Welcome to my first blog post of 2025. Yes, I am back to blogging after a brief hiatus, but I assure you there’s a good reason. I have been working on my "IR" (not Incident Response) while I have been in career transition. I am happy to announce that I passed my FAA Checkride a couple of days ago and I am now an instrument-rated pilot! I had pure inner joy once my DPE (Designated Pilot Examiner) advised me that I had passed. For me, it was an excellent reminder of how hard I had worked (plus all the folks supporting me), while equally humbling because the more I learn as a pilot, the more I recognize what I do not know, but that keeps pilots alive and humble. I am already working on my next rating and endorsement. Always be learning.

Shoutout to David Cowen! In case you missed it, David is back with his Forensic Lunch and is blogging again as well. David posted on LinkedIn about a blogging challenge and it was the nudge that I needed to knock the dust off this blog.

David hosted Wyatt Roersma, who shared some of his research on training AI models. Check out David's full blog post for details: https://www.hecfblog.com/2025/01/daily-blog-714-forensic-lunch-11025.html

Over the holidays, I began testing EXO Labs' solution to start testing AI models on some old hardware that I have and wanted to put to use. I am wanting to build and maintain my own private model for research. You can learn more about exo here: https://github.com/exo-explore/exo

There's a lot of opportunity within DFIR to build models that can be leveraged for DF, IR, TI, and threat research.

Look for ways to truly connect with humans in 2025 and unique ways to combine your skill sets. I am looking for ways to weave and integrate my cybersecurity/DFIR background with aviation. In the age of AI, it's more critical now than ever to find unique ways to combine your skills across industries. That’s all for today. Off to fly!

Brad Garnett

Brad Bits: December 20, 2024 (1-800-ChatGPT and NCIRP)

1-800-ChatGPT and the National Cyber Incident Response Plan (NCIRP) update.

Hello reader,

It’s Friday, December 20th, and this will be my final blog post this week. Please check out my prior blog posts this week and let me know what you think. It’s good to be blogging again and sharing bits, bytes, and maybe even a video. 

1-800-ChatGPT

OpenAI has released 1-800-ChatGPT, which makes ChatGPT available via phone for voice calls and even text messaging. Effective yesterday, users in the U.S. can call 1-800-ChatGPT and have a free 15-minute conversation with ChatGPT. For global users, OpenAI has also integrated ChatGPT with WhatsApp, allowing people to send messages to the same number. OpenAI has confirmed that these phone calls will not be used to train LLMs. For more information, please visit https://www.youtube.com/watch?v=LWa6OHeNK3s

National Cyber Incident Response Plan (NCIRP)

According to the executive summary, "The 2023 National Cybersecurity Strategy called for an update of the 2016 National Cyber Incident Response Plan (NCIRP), a strategic national framework for how federal, private sector, state, local, tribal, and territorial (SLTT), and international partners collectively address cyber incidents under Presidential Policy Directive 41 (PPD-41)."

CISA has released the draft of the National Cyber Incident Response Plan (NCIRP), which is open for comment until January 15, 2025, allowing folks to provide feedback via the Federal Register. After my preliminary review of the document, I have a few thoughts...

First, with the incoming new administration, what changes will be made to CISA? CISA was formed under the prior Trump administration, and since its inception, CISA has laid a solid foundation and has fostered public-private sector relationships, which are critical to cyber resiliency. Stakeholder inclusion is key to any successful response to a cyber incident... let alone a major cyber incident impacting critical infrastructure. During tabletop exercises and drills that I have led at scale, stakeholder communication, cadence, and closing communication loops are so important to ensure all stakeholders are informed and leveraging the latest intrusion intelligence to support business continuity and disaster recovery efforts. In exercises that I have facilitated in the global large enterprise and even at the national level, crisis communication and escalation paths can be pain points, which validates the need for organizations to routinely test their incident response plans through regular exercises and ensure that all stakeholders (even trusted third parties that are providing services or expertise to the organization) are included in these tabletop exercises and cyber drills.

The NCIRP is not intended to be a step-by-step guide for a response effort, but a framework. This update is clear about that in the executive summary. "At a high level, the NCIRP sets out the structures that the United States government will use to coordinate the response to cyber incidents. It also provides a framework for the potential roles of federal agencies, SLTT government, the private sector, and civil society." This is a key point as CISA is not only encouraging public comment on the NCIRP update, but also for the private sector to use the NCIRP when creating their own IR planning efforts. From my perspective, consistent language and classification (see NCIRP Figure 2 below) of cyber incidents must be consistent across cyber so stakeholders (including civil society) can translate what specific language means in an advisory or report and how it may impact their lives or businesses. I have observed so many times where organizations are exchanging intrusion intelligence or other incident-related information but failing to connect the dots because they are describing the same thing but using different terminology.

There is a lot to unravel in this document, and I encourage those performing IR to take the time to read it. It will be key to see what CISA does under the new administration and what the priorities will be. If NCIRP keeps momentum under the next administration, CISA's ability to coordinate across the federal government will be foundational before branching out within industry. CISA and NCIRP are definitely something you should watch in 2025.

What are your thoughts? Does NCIRP simplify or add complexity?

Source: https://www.cisa.gov/news-events/news/cisa-publishes-draft-national-cyber-incident-response-plan-public-comment

Thank you

This will likely be my last blog post of 2024 as I shut down and spend time with family and friends over the holidays. I hope you are getting value out of my blog posts. I would like to wish you and yours Happy Holidays and Merry Christmas. I hope you find peace, prosperity, and get some downtime as we close out 2024 and look to a fresh start in 2025. Thank you for following along.


With Gratitude,

