
Bridging Academia and Industry: Josh Brunty’s Approach to Cybersecurity Training and Recruitment - Part II


About This Episode

This week, hosts Rachael Lyon and Jonathan Knepher continue their conversation with Dr. Josh Brunty, professor of Cyber Forensics and Cybersecurity at Marshall University and head coach of the U.S. Cyber Team for the U.S. Cyber Games. In part two of this insightful series, Josh shares his expert perspective on the evolving role of digital forensics and incident response in today’s cybersecurity landscape, drawing from recent headline-making breaches like the F5 incident. 

Together, they explore the challenges organizations face in identifying lingering threats and discuss why proactive incident response is critical for all sectors—not just law enforcement. The conversation takes a deep dive into cyber education, debating whether our academic institutions are keeping pace with industry needs and what steps can bridge the workforce skills gap. Josh also reveals what it’s like to lead and nurture some of the brightest young cyber talent in America, and how early investment in education and hands-on experience can shape the future of cybersecurity.


Rachael Lyon:
Hello, everyone. Welcome to this week's episode of the To The Point Podcast.

Rachael Lyon:
I'm Rachael Lyon here with my co-host, Jon Knepher. We're excited to welcome back for part two of our discussion Dr. Josh Brunty. He is a professor of Cyber Forensics and Cybersecurity with a joint appointment in the Department of Criminal Justice, Criminology and Forensic Sciences, and Department of Computer Sciences and Electrical Engineering at Marshall University. He also serves as head coach of the U.S. Cyber Team for the U.S. Cyber Games, leading the U.S. national team in international cybersecurity competitions.

Rachael Lyon:
Now, let's get to the point.

 

[01:00] The Importance of Digital Forensics

Jonathan Knepher:
Maybe this is shifting gears a little bit, but, you know, you have a lot of experience on the forensic side. You've talked about, like all of the other companies and industries now that need the cybersecurity services. Can you describe why the forensic side of things is becoming more and more important and how that relates to what, what everybody should be doing for incident response?

Josh Brunty:
Yeah, yeah. So when I got into forensics years ago, it was primarily law enforcement. I mean, that was the only people doing it. And, you know, it has dramatically shifted since then. I seem to think that forensics has kind of splintered. I would be careful about how I say this, but I, I see a lot of the critical skill sets kind of splintering into reverse engineering and incident response and having those critical skill sets in that. But incident response is essentially a big component of forensics. So understanding what kind of like, elements are left behind after a breach can help recover from a breach.

Josh Brunty:
For example, they can help in criminal cases track down elements. But that incident response is critical because that evidence doesn't stay there forever. It helps us collect what exactly happened. We're kind of like the fire marshals, if I call it that, after a fire has happened, to go in and investigate that and say, okay, well, this is the cause of the fire. Right? So we're pulling log files, we're understanding and we're interpreting those, those critical pieces of evidence to say, this is how you got breached and this is what you can do to recover from that. We. But moreover, this is what we can do to harden ourself from this happening down the line. And that is a key of incident response.

Josh Brunty:
I think that shouldn't be missed in the whole grand scheme of this is that critical part of forensics is recovering, number one. But also how do you get this intelligence back to teams to know, hey, we saw an open port or we saw a vulnerable service that was open. How do we close that off to harden that down the line? We may not know that as forensic investigators how to do that, but at least we can pass that, that, that, that forensic evidence that we found off to other teams and let them, you know, make the decisions from there. So, so I think that is the, the, the considerable growth that I've seen from digital forensics and incident response. I think every time I talk about digital forensics, I mention it as DFIR now because it has that incident response component that I think not only should and from federal and state level should be following, but us in the private sector as well. So when I'm teaching students, I'm like, these skills, yes, they may be good in law enforcement, but they're also good in the private sector as well.

Rachael Lyon:
Definitely. John, do you want to ask, I know you've got a burning question.

 

[04:05] Analyzing the F5 Breach

Jonathan Knepher:
Well, maybe bring this to some real world stuff. Right. So breaking news is the F5 incident just kind of came to light yesterday. As of the date we're, we're taping this and you know, there's not a lot of info now, but it sounds like it was a long standing presence in their network and you know, basically getting access to information like their, their ticketing and wiki information and Brickstorm as the malware. Like from a forensic standpoint, like, what would you do if you were responsible for, you know, figuring this out?

Rachael Lyon:
Right.

Jonathan Knepher:
Like, you've got to go back a long time, you've got to figure out what this malware is doing. Kind of maybe talk us through how that would work.

Josh Brunty:
Yeah, so there's, there's a playbook to this. And this is, this is the cool thing about F5. I was reading about it yesterday and I see a lot of, I see a lot of elements of this breach from past breaches. Just going through and reading older APT reports, you know, you can go back into the APT20 series and look at the threat actors and how they run their playbooks. And when you look at F5 and how that happened, it like follows that same cadence. And you know, I'm from attribution sake, but I start to break that down and say, all right, number one, F5 from everything that I've read had been embedded in for over a year. So it was there. It was there and able to be found, but it wasn't found.

Josh Brunty:
So I always start at that, that point. And even when I'm teaching or from a practitioner teaching doesn't matter is most breaches aren't this like, you know, punch in real quick, get your data and then back, right back out. This is a slow, methodic, a slow methodic entry into a network foothold is a big thing. So this was discoverable for over A and we didn't catch it. So this is the key that, where I sit down and say, okay, we should constantly be looking for those indicators of compromise and looking out of the box for that. A lot of companies, you know, they plug these blinky light boxes in and they think, okay, they're going to find all threats, they're going to block all threats and we're good to go. Well, F5 is a prime example that that doesn't happen. So we need the ability to use human threat hunters to look for threat actors and constantly be looking for those attack vectors that sit right on the boundary that these blinky light boxes aren't catching.

Josh Brunty:
Secondly is understanding, and I know this is a weird part of the component, but understanding who your threat actor is. And there's a little bit of attribution that I'm reading and I'm not, I'm not picking on anyone, but we do have kind of honed that into a particular threat actor and a nation state actor at that. So how, how have their past attempts look compared to this and how do we look at future attempts that could be footholds right now in our critical infrastructure? So I'm kind of saying this to our government, people that are, that are possibly listening is to constantly be looking for those footholds and to see how differentiates from the baseline and once we start to identify that, how do we get them out before anything happens, before something catastrophic happened, like with F5. So that, that is how I approach that. I'm a proactive person, not a reactive person. And if you can catch it proactively and get it flushed out of your network and then understand like how did they even get that foothold, how do we patch it and how do we prevent even little breaches like that happening down the line. Once, once we kind of get an understanding on that, then we start to look at how do we get that information disseminated to the public where businesses can start to harden their networks as well on top of government. And from there I think we just kind of bond together and try to protect our overall critical infrastructure and keep our society intact and up and running and peace around the world.

Josh Brunty:
Right. That's what we're, that's what we're all aiming for.

Jonathan Knepher:
Yeah.

Josh Brunty:
So it's, you know, I look at hacking being a people problem and we want to solve this. We don't want our infrastructure going down at all. And I want our people on the other end of that. When I teach students, like, this is a people problem and we want to solve it from a people problem. So, so put the extra grease into it and figure it out. And you might save some lives down the line because what you're doing. So I know that seems very altruistic, but, but it's, it's, it is, it's so relevant. And yesterday was just a good cautionary warning that these things can and still will happen.

Josh Brunty:
Yeah.

 

[09:23] Security and Organizational Resilience 

Jonathan Knepher:
I think the part that is bothering me the most. Right. Is like, we know that they've been a very security forward and important company for security relevance. And from a product standpoint, they've always done the right things isolating management interfaces from the control plane and they know what to do. How do any of us, how are any of us able to have any satisfaction that our security is good enough if it can happen to them?

Josh Brunty:
I think we have to approach it that, you know, in the past, I've always seen people like, point the fingers and place blame, you know, like, well, you know, you should have known better. So we're going to punish you for that. And you know, our, we're, we're resilient to that. And you see, I've seen a lot of that in the past. I think we're starting to get past that and say, okay, look at what happened with CrowdStrike in the airports a while back because of some, some patches, mistakes happen. So I think collectively you back and say, okay, we're, we goof up sometimes. So how do we, how do we move past that, that we're not pointing fingers at some of these gross things that are happening and say, how do we recover from that, where we can patch, harden, move forward collectively? And that, that I think is something that cybersecurity that I've seen in the past few years has, has been good at. You know, I didn't see people that were just, they didn't do that to CrowdStrike, they didn't do that to other, you know, firms.

Josh Brunty:
And I'm not picking on CrowdStrike, but that's a plausible thing happen to any of us. And, and how do we, how do we correct that and move forward without major disruption and delay. So I think with that, with that being said, um, it's not always someone or something's fault that something gets breached. It's like if a house catches on fire, there could be a number of different factors that cause that house to catch on fire that you can't necessarily blame on a person. So with that understanding, that happens in cyber as well. How do we get that fire put out without a full burn down of the facility? And once we approach that and start to look at cybersecurity like we look at every other people problem out there, Solve it and move on. Solve it and move on. Make it harder to get foothold and we learn and recover from the next one even better.

Rachael Lyon:
Yeah, I like to hear that because you hear a lot of the, the statistics, right? I mean your average CISO's tenure is what, 18 months, 24 months and something happens and it's like to your point, right, it's like, well, you dropped the ball, let's bring someone else in. But it's so much more complex than that. It's really not that simple. I like to joke. I mean, short of just unplugging everything like critical infrastructure, let's just take it all back offline and go manual. That's not happening either, right? So we need to adapt, right? We need to evolve how we're approaching things.

Josh Brunty:
Now. The best, the best teams and CISOs out there are the ones you never read about. And that's the truth. You know, if you're, you're not making it into news as a CISO, you're probably doing your job. Really, that's the case. So, you know, and I have tons of friends that are CISOs and CTOs and that's, you know, that's, that's kind of how they do business. They have good teams that surround them. They know they're going to get breached at a certain point.

Josh Brunty:
They know that threat actors are going to get foothold in their system. And it's like, okay, when we discover that that happens and we know that that's happening, can we flush it out, recover and move on? And those are what the best teams out there do. They know that that facility is going to catch on fire at some point, do we have the extinguishers around the building to put out the fire as soon as it happens? The worst case scenario. And I know I go back to the fire issue, but it's the most, it's the best analogy that I can think of. The worst thing that you want to do is encounter a fire and not have an extinguisher for it. And that's the same way in cybersecurity. If I see a small fire, I want as that team to recover from that and stop the bleeding, stop the burning and move on and recover.

Rachael Lyon:
I'm going to let you take it, John.

Jonathan Knepher:
Oh, giving it to me for the next question.

Rachael Lyon:
Yes. You know, I could rat hole all day long and these things. So I don't, I don't want to, you know, manipulate the conversation.

 

[14:10] Cyber Talent: Academic Challenges and Opportunities 

Jonathan Knepher:
Yeah, well, I was thinking, you know, maybe let's move, move on to the next thing here. You know, you've been working on getting new cyber talent out there and, you know, our education systems keeping up or are they struggling and what are the, what are the gaps you see out there?

Josh Brunty:
I. This is a complex question, Nasi. I see some institutions that are doing well with this, and I see others that are, that are struggling primarily because you're, you're going back to these faculty that have been computer science professors all of their career. They've been working with technologies and things that, that may or may not be relevant. And you're asking them to update their own knowledge and kind of be part of this new wave of cybersecurity. So, you know, I, this has been my career. So this wave, when it hit, it was like, you know, heck, yeah, you know, bring it on, baby. You know, I'm ready for it.

Josh Brunty:
Other colleagues of mine have struggled because they've had skill sets that, that don't directly translate. So they're having to relearn and relearn their career. And that can be very tough. It can be very tough for the professors, can be very tough for the institutions. And one of the things I think we're establishing now is looking at components like NICE framework where these programs can assess their curriculum and become centers of academic excellence based upon the type of curriculum offerings that they have. So we're looking at that, we're looking at specialty areas in that CAE. So if you're a good forensic school or a hardware school or a reverse engineering, you can still fall in that specialty, but you're still certified by both NIST and the NICE framework and the NSA, that those are critical skill sets that they're looking for for both in industry and government. So I think that has helped tremendously at the college level to kind of address that skills gap, because when you talk to people in industry, they're like, man, people coming out of college are just absolute idiots and you need to train them better.

Josh Brunty:
And, you know, and then you'll hear other places like, well, you know, I hired a person from your school and they're absolutely phenomenal. You know, thanks for like giving them hands on skill. And I think the balance for us in academia is finding that hands on skill coupled with that theoretical skill. Because those soft components and those hard components, I can't require a person, I'll just get on the soapbox here. I can't require a person to break a crypto service if they have not taken first the relevant math that like discrete mathematics is the foundational skill of learning what applied cryptography is. But do I have an applied cryptography course on top of that discrete math course that they're taking and then on top of that, how do I give them another class to where they learn the hands on skill of how to apply discrete and applied cryptography in the workforce. So the programs that are really doing it good are doing it well, are balancing that, they're balancing that very intricately and, and they're producing the best graduates because of that. They're the people that come out that, that have the people skills, they have the technical skills, but they can articulate that to a, to a, you know, a, a C suite executive on all of those components that they learn in their discrete math course.

Josh Brunty:
So I, I, I hope, I hope as an educator that, that we've, we've met that balance quite, quite delicately. But my, my latest thing that I'm looking at is why aren't we doing that at the K through 12 level?

Rachael Lyon:
Yes.

Josh Brunty:
So why aren't we teaching those skills early on? Like discrete, you know, we're, why aren't we pushing discrete mathematics early in high school so when they get to college we can, we can take them to the next level from a hands on and applied skills. So that's a key element. But we can't require high school teachers to start teaching that if we don't have curriculum and assistance for them. So it's like a chicken and egg issue. So I've been really focused lately on how do we make the workforce better. I think it's an effort between K12 and higher ed to start offloading that vice versa. And I think we'll be okay in the long run. But gosh, it's been a growing pain so far and it's not, it's just the way new fields grow up 100%.

 

[19:00] Education Initiatives: Industry's Roles and Outreach

Rachael Lyon:
Is there an opportunity here? You know, I know like government agencies and there's other partners, you know, to can more organizations get involved in helping move this forward A little more quickly. You know, could it be like cybersecurity companies maybe sponsoring a program and you know, at the K2 through 12 level? Or, you know, kind of industry needs to give back. Right. And help develop the next generation? Like what, what are you seeing and. Or what. What needs to be happening to. To make that happen?

Josh Brunty:
Well, I think a big key if, you know, if you're an industry, you know, how is your. Is your company involving itself in some of the initiatives that are out there? And are you setting aside people to involve themselves with that? I know like some of the Fortune 5, Fortune 10 companies, they all have teams of people that work with this. But what about those other companies that kind of sit down, you know, in the Fortune 500 levels? Are they involving outreach that account for this? Are they helping with curriculum development? Are they getting involved with NICE and the NICE framework and NSA? I know NSA had these GenCyber camps that they were doing at high schools. So. So are they getting involved at the K12 and the higher ed level? I say this as for every dollar I think that you spend towards like a competitive college team or high school to get these initiatives off the ground, you're going to have grassroots efforts to produce the employees that you're wanting. Right. So I think rather than putting money into marketing and stuff like that, build the people that you want to hire eventually. So, so go down to the high school, go down to the colleges and work with them and say, I want these individuals.

Josh Brunty:
How do you build them for me? And what initiatives can we get involved in to help build those individuals that I can then hire? Other industries do this, Engineering does this, the medical field does this, all of these other entities do this. And I see cyber starting to kind of trickle into that, but they haven't fully invested in that yet. So if there's any listeners out there, reach out, start getting involved, put employees on it, put money into it. It's a sound investment and there's lots of opportunities to jump in on this.

Rachael Lyon:
Yeah, I think about it too, as we look at kind of the future of business and what we're starting to see now as well. Right. I mean, you have to have board members with cybersecurity experience. I mean, it almost seems part and parcel. Should MBA programs start, you know, incorporating more of these cybersecurity skills and knowledge? Because you're seeing that there's also now fiduciary responsibilities being laid on boards and others as a result of breaches or other things that happen. So it seems like we absolutely need to Be doing more sooner in curriculum.

Josh Brunty:
Exactly. And I always say this, the most technically able people in the job, in the workforce right now are generally your younger ones and, and they're the most motivated. And how do you get them involved in co ops and internships very early on where they're helping the security posture of your company as a part time student, remotely or on campus, wherever. Microsoft has been really good with that, Google has been really good with that. But we're starting to see at the university level programs like, and I'm just naming out a couple, I hope that's okay. But they won't care, I guess. But Intuit for example, you know, they have a lot of product but they're rolling out and starting to look at cyber security as an internship pathway, as a fellowship pathway. So you know, it's not just business being that pathway now and you know, finance and tech, it's about, you know, learning, putting, gauging, engaging students with the professionals that work for that company to help improve their security posture.

Josh Brunty:
So I think companies that, that are leaning hard into that the payoff is going to be phenomenal because you're getting top tier talent. I mean they're coming fresh out of my classes, you know, motivated. Like I just learned this so I have these ideas that I can roll out and this is a fault that I see that's currently going on. You, you want that, that, that excitement in your job force, even as an intern?

Rachael Lyon:
Absolutely. It's. No, it's exciting to hear. Now I have like another sidebar question for you because I'm really, with all the talent that you're working with and that you're seeing, are you ever tempted or have you maybe are you investing in any of these kind of future ideas or these future, you know, heads of industry that are coming through your curriculum or cyber team?

Josh Brunty:
Oh my gosh, yes. You know, when you see the top tier talent that our country has to offer, I've thought many times I thought man, if I could just start a company with all of this talent and just reach out to them and be like, hey, I've got venture capital to start a security operations firm and here is the best talent that this country has to offer. See, I think about that all the time. I was like, man, how, how awesome would that be to just, you know, roll in with like the world's literally the world's best talent.

Rachael Lyon:
Right?

Josh Brunty:
But it's, it's phenomenal to watch those individuals work in a team environment because just the way that their brains work the way that they come to problem solves, I've never seen anything like it. I've never seen anything like it. Not just with my team with Team USA, but watching other teams throughout Europe and Asia work as a team and can come to problem solves as a team. How they prepare as a team is also another phenomenal thing. And without, you know, showing our hand, we have an entire proprietary tooling that we have built internally for Team USA for attack and defense solely that has been built by, you know, years of other team members that are providing. So you know, these individuals have been working on tooling for years that, that they've built in house, open source. But, and, and that also shows, you know, okay, well, we also don't want other teams throughout the world to know what our, what we're doing in that tooling. So it kind of trains them very early on of how like NDAs and you know, things like that work.

Josh Brunty:
So I, I was like, man, if we could like roll out that some of the elements of that tooling into products, you know, we, we'd be pretty lethal. And they do, that's the thing, you know, they're working on strategies and tooling that they're going to work for these companies and say, hey, I used this in a competition and it worked against top tier talent. Let's roll this into our product and make our product even better. So I, I know that that's happened, I know that that's happened with some very well known products out there.

Rachael Lyon:
Wow.

Josh Brunty:
So I guess that's a good plug to like hire our students. You know, it's a good investment. So it's, I don't think you'll go wrong with, with picking up any of them at all at any point, government or otherwise.

Rachael Lyon:
I'm really excited to see kind of what the next 10, 20 years bring us because it, it is such phenomenal talent and you're seeing it younger and younger and younger. I mean there's like, like 12 year old CEOs, 10 year old CEOs now. It's like what have I been doing with my life? You know, but it's, it gets me really excited because you know that there's just going to be these amazing breakthroughs ahead that we haven't even thought about. And to see that talent, you know, growing and having opportunities to learn and go hands on is only going to, I think, thrust that forward more quickly.

Josh Brunty:
Yeah. So the key thing here on our US team, we have a 17 year old player that is still a high school student and is one of our most talented players, has no formal education at the college level, and is quite possibly one of the most talented minds I've ever seen. So you look at that, you see this raw talent that if you develop that talent over the next seven or eight years with soft skills that can talk to a C suite executive, oh, my gosh, you have, like, this Frankenstein monster in cybersecurity that's just going to be a force to be reckoned with. And that's what you want to see. You want to start pairing up this raw, technical talent that still needs to learn how to, you know, how to talk to a boardroom, how these boardrooms react and teach them those soft skills and give them mentorship throughout that process. That's the key element where I think that we can do so much over the next few years to start interfacing this young, raw talent with people who are seasoned professionals in this field. And that's going to, I think, protect our critical infrastructure more than anything over the next 10 to 20 years. I really do believe that.

Rachael Lyon:
Absolutely. Well, I know we're coming up on time, so I'm respectful of your schedule today, but, Josh, thank you so much. This is so much fun to have these conversations and get me. I get so excited about what's ahead and what's possible with the industry, particularly when you start looking at AI Quantum and all the things that are coming and coming on very strong. So thank you for what you're doing to develop this talent, because it matters. It really. I mean, it truly matters at the most fundamental level of society. So thank you.

Josh Brunty:
Yeah. The future is bright for us, I think. I think seeing young talent really kind of leaning into this. I know sometimes we look at the bleak and the grim part of this, and post Quantum, all the encryption's gonna be broken. We have some young talent coming in through the door that I think is motivated and wants to really not just represent our country, but really learn this and be valuable to society. So it keeps me hopeful that we're doing things right even to this day. And I'm proud of that. I'm proud that we're getting a program off the ground that wins, represents, and just has a lot of fun doing it.

Josh Brunty:
And so thank you guys for having me, and thank you for letting us highlight what we do. That's a big element.

Rachael Lyon:
Well, and we're sending you all the great wishes for Tokyo for really, really good standing there. I think that's. I'm excited to see how that goes for you guys. It sounds like you're doing all the right things.

Josh Brunty:
We're working hard. We're working hard every evening and they're putting in a lot of work. And I can, the only thing that I can promise at this point that they're going to play hard for the country over there. We do know that they did so in Poland. We'll do so in Tokyo. And we'll, we'll give it our best shot. And with some, with some luck and, and some good effort, hopefully we'll, we'll come home with maybe being on the podium. I don't know.

Josh Brunty:
I don't know. We'll see what happens.

Rachael Lyon:
I'm so excited for you. Well, and to all of our listeners who thank you again for joining us with another exceptional guest. And as always, John, what are we encouraging folks to do?

Jonathan Knepher:
Smash that subscribe button.

Rachael Lyon:
And you get a fresh episode every single Tuesday. So until next time, everybody stay secure. 

 

About Our Guest


Josh Brunty, US Cyber Team Head Coach, US Cyber Games

Dr. Josh Brunty is a Professor of Cyber Forensics & Cybersecurity with a joint appointment in the Department of Criminal Justice, Criminology, and Forensic Sciences and Department of Computer Sciences and Electrical Engineering. He also serves as the Research Lead for the Institute of Cyber Security. Prior to joining Marshall University in 2012, he served 7 years as a Digital Forensics Examiner, Technical Leader, and Technical Assessor for both the state and federal government sectors. He currently serves as Head Coach of the US Cyber Team for the US Cyber Games, leading the US national team in international cybersecurity competitions. Since 2013, he has served as Faculty Advisor and coach of Marshall University’s Collegiate Cyber Defense Competition Team, which won the National Cyber League Championship in 2020. 

He serves on the editorial boards of Forensic Science International: Digital Investigation and the Journal of Forensic Sciences, and is a member of the NIST Organization of Scientific Area Committees (OSAC) on Digital Evidence. He is a Fellow of the Digital and Multimedia Sciences Section of the American Academy of Forensic Sciences (AAFS) and has received multiple awards for teaching and research excellence. His research has been funded by organizations including the United States Secret Service, Department of Homeland Security, and National Institute of Justice. He has published extensively on digital forensics, most notably co-authoring the textbook Social Media Investigation for Law Enforcement and award-winning research on forensic analysis of wearable devices.