Brad Garnett

Brad Bits: December 20, 2024 (1-800-ChatGPT and NCIRP)

1-800-ChatGPT and the National Cyber Incident Response Plan (NCIRP) update.

Hello reader,

It’s Friday, December 20th, and this will be my final blog post this week. Please check out my prior blog posts this week and let me know what you think. It’s good to be blogging again and sharing bits, bytes, and maybe even a video. 

1-800-ChatGPT

OpenAI has released 1-800-ChatGPT, which makes ChatGPT available via phone for voice calls and even text messaging. Effective yesterday, users in the U.S. can call 1-800-ChatGPT and have a free 15-minute conversation with ChatGPT. For global users, OpenAI has also integrated ChatGPT with WhatsApp, allowing people to send messages to the same number. OpenAI has confirmed that these phone calls will not be used to train LLMs. For more information, please visit https://www.youtube.com/watch?v=LWa6OHeNK3s

National Cyber Incident Response Plan (NCIRP)

According to the executive summary, "The 2023 National Cybersecurity Strategy called for an update of the 2016 National Cyber Incident Response Plan (NCIRP), a strategic national framework for how federal, private sector, state, local, tribal, and territorial (SLTT), and international partners collectively address cyber incidents under Presidential Policy Directive 41 (PPD-41)."

CISA has released the draft of the National Cyber Incident Response Plan (NCIRP), which is open for comment until January 15, 2025, allowing folks to provide feedback via the Federal Register. After my preliminary review of the document, I have a few thoughts...

First, with the incoming new administration, what changes will be made to CISA? CISA was formed under the prior Trump administration, and since its inception, CISA has laid a solid foundation and has fostered public-private sector relationships, which are critical to cyber resiliency. Stakeholder inclusion is key to any successful response to a cyber incident... let alone a major cyber incident impacting critical infrastructure. During tabletop exercises and drills that I have led at scale, stakeholder communication, cadence, and closing communication loops are so important to ensure all stakeholders are informed and leveraging the latest intrusion intelligence to support business continuity and disaster recovery efforts. In exercises that I have facilitated in the global large enterprise and even at the national level, crisis communication and escalation paths can be pain points, which validates the need for organizations to routinely test their incident response plans through regular exercises and ensure that all stakeholders (even trusted third parties that are providing services or expertise to the organization) are included in these tabletop exercises and cyber drills.

The NCIRP is not intended to be a step-by-step guide for a response effort, but a framework. This update is clear about that in the executive summary. "At a high level, the NCIRP sets out the structures that the United States government will use to coordinate the response to cyber incidents. It also provides a framework for the potential roles of federal agencies, SLTT government, the private sector, and civil society." This is a key point as CISA is not only encouraging public comment on the NCIRP update, but also for the private sector to use the NCIRP when creating their own IR planning efforts. From my perspective, the language and classification of cyber incidents (see NCIRP Figure 2 below) must be consistent across the cyber community so stakeholders (including civil society) can translate what specific language means in an advisory or report and how it may impact their lives or businesses. I have observed so many times where organizations are exchanging intrusion intelligence or other incident-related information but failing to connect the dots because they are describing the same thing but using different terminology.

There is a lot to unravel in this document, and I encourage those performing IR to take the time to read it. It will be key to see what CISA does under the new administration and what the priorities will be. If NCIRP keeps momentum under the next administration, CISA's ability to coordinate across the federal government will be foundational before branching out within industry. CISA and NCIRP are definitely something you should watch in 2025.

What are your thoughts? Does NCIRP simplify or add complexity?

Source: https://www.cisa.gov/news-events/news/cisa-publishes-draft-national-cyber-incident-response-plan-public-comment

Thank you

This will likely be my last blog post of 2024 as I shut down and spend time with family and friends over the holidays. I hope you are getting value out of my blog posts. I would like to wish you and yours Happy Holidays and Merry Christmas. I hope you find peace, prosperity, and get some downtime as we close out 2024 and look to a fresh start in 2025. Thank you for following along.


With Gratitude,



Brad Bits: December 19, 2024 (RTO Mandates and Salt Typhoon)

RTO Mandates with some Salt Typhoon.

Welcome reader! We've made it to Thursday, December 19th, 2024 (or Friday for any APJC readers out there!). Today, I am going to discuss return to office (RTO) mandates and Salt Typhoon. Both headlines have a telco nexus, so let's dive in...

RTO Mandates

AT&T joins Amazon and a growing list of companies with return to office (RTO) mandates.

This isn't a surprise, but it also requires further analysis and may have an adverse effect. From my perspective, are employees productive? What roles are better suited for in-person? Work isn't where you are, but what you get done to align with organizational goals. Productivity is about an obsession with quality over quantity, with the end work product in mind that meets organizational objectives. My experience spans leadership roles leading global, diverse, connected teams. It's how you communicate and the workplace norms that teams set. Connectedness is so important. As a co-worker, do you turn on your camera when you are meeting with coworkers? Are your communications intentional? Should your message be an email? Phone call? We’ve all been in meetings that should've been an email and exchanged Slack/Teams/WebEx messages that should've been an email. Teams consume, disseminate, and connect in different ways. Communication expectations are mission-critical for high-performing teams. For example, if I am sending an email to a colleague in Europe late afternoon U.S. time, I do not expect that colleague to impulsively respond. It should be on his/her time when they work best and during regular business hours. Email isn't urgent communication. If you are having regular conversations with colleagues and leaders, then this expectation should be set on how you work at your best and how you can work with them at their best. I see so many organizations that get this wrong. Does your team have regular conversations on how each team member works at their best? If not, bring this up in your next team meeting with your peers and one-on-one with your manager.

The office should be a magnet for employees to collaborate to accomplish objectives and meet deadlines, so as different organizations continue to mandate return-to-office, it's important for organizations to measure how work deliverables get completed and the best format for quality regardless of geo-location. Employees must continue to advocate for themselves and let the quality of their knowledge work be how they are measured versus the quantity of hours spent in an office. Dialogue and transparency are key for teams.

Salt Typhoon

Recently, a joint advisory was released about Salt Typhoon (also known as Earth Estries, Ghost Emperor, Famous Sparrow, or UNC 2286) targeting U.S. telcos. On December 3, the NSA joined the FBI and CISA to issue the joint advisory. On December 4th, the White House announced that Salt Typhoon had compromised at least eight telcos, which included AT&T, Lumen Technologies, and Verizon. CSO Online has a great timeline highlighting Salt Typhoon.

If you are in cybersecurity (especially my fellow DFIR colleagues on the frontlines responding to these intrusions), please have a conversation with your loved ones over the holidays on the significance of this threat and the importance of encrypting communications.

CISA has some good guidance here that you can share and use for talking points over the holidays: https://www.cisa.gov/news-events/alerts/2024/12/18/cisa-releases-best-practice-guidance-mobile-communications

For defenders, I would also recommend reading more about Signaling System 7 (SS7) and continuing to educate yourself on network protocols and the vulnerabilities facing internet-facing devices, such as firewalls and routers. This will help you technically, but will also help you begin to learn adversary tradecraft. Adversaries will continue to target network infrastructure, and I could write a blog post or 1/n on this topic in the future based upon my experience. Well, that's all for today...patch your stuff, encrypt your comms, MFA everywhere, and bake your lessons learned back into your incident response plans. If you need an expert, please reach out.

References:

[i] https://www.inc.com/sarahlynch/rto-att-joins-amazon-return-to-office-are-mandates-a-good-idea/91068037
[ii] https://www.cisa.gov/news-events/alerts/2024/12/18/cisa-releases-best-practice-guidance-mobile-communications
[iii] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3982793/guidance-urges-visibility-and-device-hardening-against-prc-affiliated-threat-ac/
[iv] https://www.csoonline.com/article/3621674/salt-typhoon-poses-a-serious-supply-chain-risk-to-most-organizations.html
[v] https://www.404media.co/email/ac709882-1e4b-42fc-bcca-cf7ce4793716

Brad Bits: December 18, 2024

Hello reader,

I hope this blog post finds you well. I am dusting off the old blog. If you are in my network, you likely know that I am currently in career transition and now that I have some much-needed creative space, I thought I would start blogging again. While I will share this out on social via LinkedIn and X, the siloed social media scene in cyber these days has led me to keep my blog posts on my own platform. What would you like to see from me? I have a unique background and skill set across not only cyber, but also aviation, academia, and law enforcement. For today's blog, I thought I would focus on a cyber headline that hit my inbox this morning via WSJ: "Apple declined to help Harris campaign over suspected hack".

Yesterday, Forbes published the story and it highlights (yet) another example of privacy and security front and center. Apple.com/privacy is clear..."Privacy is a fundamental human right." In late October, the Harris campaign had reached out to Apple for assistance in extracting a "raw image" from two senior staff members' iPhones after iVerify's product had detected spyware on these iPhones.

From my perspective, Apple and other tech giants will continue to grapple with privacy and security. Apple has been consistent with their privacy stance and I am glad to see Forbes call out the 2016 Apple vs FBI case, which set a precedent with so many other privacy issues. So why does this all matter? Your smartphone is an extension of your identity. The smartphone is heavily used in the enterprise for multi-factor authentication solutions and part of a robust zero trust strategy. Since the beginning of time, law enforcement has used novel tactics to catch adversaries. As tech companies continue to evolve privacy and security into their solutions, how do tech companies responsibly work with governments to respond to these inquiries? That's the million-dollar privacy question. What say you? Let's see where recent innovations with quantum computing and generative AI take us as a civilization and tackle espionage, which has been around for centuries.

So what else am I doing in my creative time? I am currently looking for the next career adventure and working on an FAA rating for my pilot's certificate. I have also done some pro bono consulting and reconnecting with folks. How do you start your day? For me, it's the gym, journaling, and reading with my favorite cup of coffee/tea. I have followed this routine since the early days of the pandemic, and it has really helped me elevate my days and how I show up for my family, the teams I have led, and key relationships with customers and clients I have served. In January, I will be attending the SANS CTI Summit. For my CTI nerds, it would be great to connect in person in D.C. next month. If you are hosting an event or looking for a speaker to support your event, hit me up.
