Brad Bits: January 15, 2025
Happy New Year everyone! I hope you enjoyed your holidays with loved ones and are re-energized for the new challenges in 2025. Welcome to my first blog post of 2025. Yes, I am back to blogging after a brief hiatus, but I assure you there’s a good reason. I have been working on my "IR" (not Incident Response) while I have been in career transition. I am happy to announce that I passed my FAA Checkride a couple of days ago and I am now an instrument rated pilot! I had pure inner joy once my DPE (Designated Pilot Examiner) advised me that I had passed. For me, it was an excellent reminder of how hard I had worked (plus all the folks supporting me), while equally humbling: the more I learn as a pilot, the more I recognize what I do not know, and that is what keeps pilots alive and humble. I am already working on my next rating and endorsement. Always be learning.
Shoutout to David Cowen! In case you missed it, David is back with his Forensic Lunch and is blogging again as well. David posted on LinkedIn about a blogging challenge and it was the nudge that I needed to knock the dust off this blog.
David hosted Wyatt Roersma who shared some of his research on training AI models. Check out David's full blog post for details: https://www.hecfblog.com/2025/01/daily-blog-714-forensic-lunch-11025.html
Over the holidays, I began testing the EXO Labs solution to run AI models on some old hardware that I have and wanted to put to use. I want to build and maintain my own private model for research. You can learn more about exo here: https://github.com/exo-explore/exo
There's a lot of opportunity within DFIR to build models that can be leveraged for DF, IR, TI, and threat research.
Look for ways to truly connect with humans in 2025 and unique ways to combine your skill sets. I am looking for ways to weave and integrate my cybersecurity/DFIR background with aviation. In the age of AI, it's more critical now than ever to find unique ways to combine your skills across industries. That’s all for today. Off to fly!
Brad Bits: December 20, 2024 (1-800-ChatGPT and NCIRP)
1-800-ChatGPT and the National Cyber Incident Response Plan (NCIRP) update.
Hello reader,
It’s Friday, December 20th, and this will be my final blog post this week. Please check out my prior blog posts this week and let me know what you think. It’s good to be blogging again and sharing bits, bytes, and maybe even a video.
1-800-ChatGPT
OpenAI has released 1-800-ChatGPT, which makes ChatGPT available via phone for voice calls and even text messaging. Effective yesterday, users in the U.S. can call 1-800-ChatGPT and have a free 15-minute conversation with ChatGPT. For global users, OpenAI has also integrated ChatGPT with WhatsApp, allowing people to send messages to the same number. OpenAI has confirmed that these phone calls will not be used to train LLMs. For more information, please visit https://www.youtube.com/watch?v=LWa6OHeNK3s
National Cyber Incident Response Plan (NCIRP)
According to the executive summary, "The 2023 National Cybersecurity Strategy called for an update of the 2016 National Cyber Incident Response Plan (NCIRP), a strategic national framework for how federal, private sector, state, local, tribal, and territorial (SLTT), and international partners collectively address cyber incidents under Presidential Policy Directive 41 (PPD-41)."
CISA has released the draft of the National Cyber Incident Response Plan (NCIRP), which is open for comment until January 15, 2025, allowing folks to provide feedback via the Federal Register. After my preliminary review of the document, I have a few thoughts...
First, with the incoming new administration, what changes will be made to CISA? CISA was formed under the prior Trump administration, and since its inception, CISA has laid a solid foundation and has fostered public-private sector relationships, which are critical to cyber resiliency. Stakeholder inclusion is key to any successful response to a cyber incident... let alone a major cyber incident impacting critical infrastructure. During tabletop exercises and drills that I have led at scale, stakeholder communication, cadence, and closing communication loops are so important to ensure all stakeholders are informed and leveraging the latest intrusion intelligence to support business continuity and disaster recovery efforts. In exercises that I have facilitated in the global large enterprise and even at the national level, crisis communication and escalation paths can be pain points, which validates the need for organizations to routinely test their incident response plans through regular exercises and ensure that all stakeholders (even trusted third parties that are providing services or expertise to the organization) are included in these tabletop exercises and cyber drills.
The NCIRP is not intended to be a step-by-step guide for a response effort, but a framework. This update is clear about that in the executive summary. "At a high level, the NCIRP sets out the structures that the United States government will use to coordinate the response to cyber incidents. It also provides a framework for the potential roles of federal agencies, SLTT government, the private sector, and civil society." This is a key point as CISA is not only encouraging public comment on the NCIRP update, but also encouraging the private sector to use the NCIRP when creating their own IR planning efforts. From my perspective, the language and classification of cyber incidents (see NCIRP Figure 2 below) must be consistent across the cyber community so stakeholders (including civil society) can translate what specific language means in an advisory or report and how it may impact their lives or businesses. I have observed so many times where organizations are exchanging intrusion intelligence or other incident-related information but failing to connect the dots because they are describing the same thing using different terminology.
There is a lot to unravel in this document, and I encourage those performing IR to take the time to read it. It will be key to see what CISA does under the new administration and what the priorities will be. If NCIRP keeps momentum under the next administration, CISA's ability to coordinate across the federal government will be foundational before branching out within industry. CISA and NCIRP are definitely something you should watch in 2025.
What are your thoughts? Does NCIRP simplify or add complexity?
Source: https://www.cisa.gov/news-events/news/cisa-publishes-draft-national-cyber-incident-response-plan-public-comment
Thank you
This will likely be my last blog post of 2024 as I shut down and spend time with family and friends over the holidays. I hope you are getting value out of my blog posts. I would like to wish you and yours Happy Holidays and Merry Christmas. I hope you find peace, prosperity, and get some downtime as we close out 2024 and look to a fresh start in 2025. Thank you for following along.
With Gratitude,
Brad Bits: December 18, 2024
Hello reader,
I hope this blog post finds you well. I am dusting off the old blog. If you are in my network, you likely know that I am currently in career transition and now that I have some much-needed creative space, I thought I would start blogging again. While I will share this out on social via LinkedIn and X, the siloed social media scene in cyber these days has led me to keep my blog posts on my own platform. What would you like to see from me? I have a unique background and skill set across not only cyber, but also aviation, academia, and law enforcement. For today's blog, I thought I would focus on a cyber headline that hit my inbox this morning via WSJ: "Apple declined to help Harris campaign over suspected hack".
Yesterday, Forbes published the story and it highlights (yet) another example of privacy and security front and center. Apple.com/privacy is clear..."Privacy is a fundamental human right." In late October, the Harris campaign had reached out to Apple for assistance in extracting a "raw image" from two senior staff members' iPhones after iVerify's product had detected spyware on these iPhones.
From my perspective, Apple and other tech giants will continue to grapple with privacy and security. Apple has been consistent with their privacy stance and I am glad to see Forbes call out the 2016 Apple vs FBI case, which set a precedent for so many other privacy issues. So why does this all matter? Your smartphone is an extension of your identity. The smartphone is heavily used in the enterprise for multi-factor authentication solutions and is part of a robust zero trust strategy. Since the beginning of time, law enforcement has used novel tactics to catch adversaries. As tech companies continue to build privacy and security into their solutions, how do they responsibly work with governments to respond to these inquiries? That's the million-dollar privacy question. What say you? Let's see where recent innovations in quantum computing and generative AI take us as a civilization, and how we tackle espionage, which has been around for centuries.
So what else am I doing in my creative time? I am currently looking for the next career adventure and working on an FAA rating for my pilot’s certificate. I have also done some pro bono consulting and reconnected with folks. How do you start your day? For me, it's the gym, journaling, and reading with my favorite cup of coffee/tea. I have followed this routine since the early days of the pandemic, and it has really helped me elevate my days and how I show up for my family, the teams I have led, and key relationships with customers and clients I have served. In January, I will be attending the SANS CTI Summit. For my CTI nerds, it would be great to connect in person in D.C. next month. If you are hosting an event or looking for a speaker to support your event, hit me up.