CFPs

I. Setting the Cloud Stage (3 minutes)

• Intro & Playbill Overview: Welcome, connecting to the “Musical” theme, and stating the talk’s focus (Actionable TI, open-source data).
• The Shifting Stage: Defining the Adversary Maturity Spectrum: Cloud-Ignorant → Cloud-Literate → Cloud-Fluent.
  • Many cloud-ignorant attackers are impacting cloud environments
  • More and more new attackers are getting to “cloud-literate”
  • A smaller, but increasing, number of attackers are progressing along the maturity curve
• Why a Playbill? The value proposition: prioritizing defense by using specific actors to talk about broad TTPs.

II. Cast & Crew Biographies: Deep Dives and Roundup (15 minutes)

• Lead 1: DPRK: Lazarus → TraderTraitor (5 min)
  • Motivation: Extreme cryptocurrency theft ($2.58B stolen in 2024). Behind notable attacks, such as ByBit.
  • Cloud Maturity: Cloud-Fluent.
  • Overall DPRK attack ecosystem: multiple bureaus with specialties
  • Note: A/B/C team, some crypto-targeting activities “smell like” C-Team
  • Detailed TTPs targeting Cloud Identity/Federation for initial access and privilege abuse
  • Threat of infostealers and session theft in the cloud
  • Supply chain pivoting
• Lead 2: Scattered Spider / UNC3944 (5 min)
  • Motivation: Data theft for extortion/financial gain.
  • Cloud Maturity: Cloud-Fluent (and cloud agnostic, seen across all major CSPs)
  • TTPs leveraging Social Engineering/Vishing for rapid, decisive lateral movement and privilege escalation in Multi-Cloud environments
  • Targets specific sectors at a time (e.g., Retail)
  • Abuse victim orchestration and software deployment tooling
  • Targets SaaS / Enterprise systems
• Feature Roles Roundup (5 min)
  • Cryptojacking Actors: TeamTNT and Diicot (Container/Kubernetes abuse)
  • AWS SES Abuse Actors: AndroxGh0st, Javagh0st, Legion (Cloud-Literate resource abuse)
  • LLMjacking: JINX-2401 (Emerging AI/ML model threats)
  • Other Nation States: TTPs of HAFNIUM, APT29, and MuddyWater focusing on Cloud-Fluent Espionage/Trusted Relationship abuse

III. Beloved Scripts & Scenes: Defensive Chokepoints (10 minutes)

Pivoting TTP analysis into critical defensive chokepoints. Example attacks in detail:

• Bybit: Compromised developer machine → Malicious JavaScript via S3 bucket write access → $1.5B stolen
• Google Cloud ThreatHorizons UNC4899: Malware via job opportunity premise → Session cookie theft → CloudFront & S3 JS modification → Cryptocurrency theft
• Pearson: Exposed GitLab token in .git/config → AWS credentials in source code → Data exfiltration
• Storm-0501: Cloud-based ransomware tactics, hybrid cloud/on-prem

Core Defenses:

• Protect credentials: on device (e.g., keychain storage), in browsers, MFA, IDPs/SSO, safe IMDS usage, secret scanning of version control
• Assess and close privilege escalation vectors in the cloud
• Secure management tooling equivalent to systems it manages
• Shut off unused/unneeded attack surface (LLMs, email sending)
• Isolate these functions to the extent viable
• Pivot when dumb attacks are detected—they co-exist with stealthy attacks
• Beware the rash of attacks on Appliances, minimize attack surface and patch promptly
• Feature Roles often use automated tooling that allows for cloud-native atomic and behavioral IOCs (e.g., Javagh0st security group “We Are There But Not Visible”)

IV. The Curtain Call (2 minutes)

• Threat actors as a cohort are getting increasingly cloud-fluent, but there are chokepoint techniques that give defenders outsized opportunities to defend and detect
• Stop Guessing, Start Directing: Differentiate threats by classifying actors based on their Cloud Maturity and Motivation for more efficient defense prioritization
• Increase your security maturity, then beware more mature actors who are increasing their cloud fluency

The vast majority of cloud security incidents stem from financially motivated commodity attacks, a trend evident since the cryptomining waves of 2017. Understanding and preventing this pervasive class of attacks is a high-leverage input for any threat-informed cloud security program.

This session provides a historical and current overview of how attackers monetize cloud incidents, combining public and private statistics with years of experience tracking and responding to cloud incidents.

Attack Classes with Case Studies:

• Cryptomining: From browser-based Monero mining to cryptojacking in VMs, containers, and Kubernetes. Case studies: LA Times, DXC Technologies.
• Email Hijacking: Attackers using compromised accounts for mass phishing (e.g., FBot).
• LLMJacking: Attackers reselling access to cloud-hosted AI models (e.g., Storm-2139).
• Direct Cryptocurrency Theft: Targeting crypto companies to steal digital assets (e.g., ByBit).
• Data Exfiltration, Extortion, and Ransomware: (e.g., Medibank, BlackCat).

Financial Calculus:

For each attack vector, we explore the attacker’s ROI—contrasting low-return cryptomining campaigns with high-profit, sophisticated attacks.

Tailwinds & Headwinds:

• Tailwinds: Rise of crypto and dark markets for LLM access
• Headwinds: Reduced cryptomining returns (Ethereum’s shift to Proof of Stake), commoditized detections

Essential Controls:

• How to secure static credentials—a factor in ~2/3 of known incidents
• Top tactics to address the other three common entry vectors: n-day CVE exploits, misconfigured resources, and application vulnerabilities

Looking Forward:

Anticipating how trends like SMS pumping and emerging AI services could open new avenues for attacker monetization.

1. Introduction: The Partnership Imperative in Modern AppSec (5 minutes)

• Security has moved to integrate to the development process and work more collaboratively
• Security teams frequently struggle with partnership skills, failing to democratize security ownership effectively
• Partnership models: Consultative, Embedded, Champions
• Proactive vs. Reactive engagement models

2. Building the Foundation: Understanding Your Stakeholders and Earning Credibility (10 minutes)

• Stakeholders: Engineering ICs and Leaders, Security, Compliance, PMs
• Learn to speak their language:
  • PMs and EMs/TLs desire predictability and clean interfaces
  • PMs care about product requirements; EMs/TLs care about technical requirements
  • Eng ICs care about implementation details
• Effective partnership builds on understanding existing engineering processes, and the product and business
• Credibility: gained in ounces, lost in pounds
• Relationships are built in proactive partnership
• The role of shadowing and onboarding

Story: Successful partnership - patch management, aligning on timelines and mitigating controls. Leveraged credibility on risk, relationship for transparency on constraints and timelines, and understanding the engineering for a mitigation.

3. Integrating Security Proactively: Process, Standards, and Reducing Friction (10 minutes)

• The overall goal is to shift left and democratize security to move beyond manual consultations
• Communication guidelines: empathy, realistic tradeoffs, vulnerability impact without jargon, reward proactive communication

Story: Multi-quarter CI/CD security project with many stumbles but ultimate success. Lessons: capture alignment in design documents, make sure security has a centralized view of outstanding controls/tickets, start from a threat model and prioritize risks, set yourself up for incremental delivery, define ownership of security controls, handoffs, and maintenance.

• Internal standards raise the security floor and minimize consultations
  • Both inconsistent and blind application of standards carry risk
  • Hook into existing processes, like design document templates
  • Follow engineering processes within security—drink your own champagne

4. Handling Reactive Partnerships (10 minutes)

Story: Internal tooling - client side redaction as a defense-in-depth mitigation. Poor documentation of that decision. Engineers notice months later and remove the tool in concern.

• Discovery: build trust, show the security team is willing to do the legwork to build context
• Setting requirements: options can cause confusion, always document a clear decision. Resist the urge to pull in related security debt.
• Getting agreement: leave space for creative solutions. Talk in terms your partners care about. Minimize work on their part. Beware asymmetry. Center impact on people.
• Providing feedback: false positives should hit security hardest. Consider the Principal-Agent problem.

Story: Bug bounty report of lack of rate limiting on an endpoint. Checked design document—it had been called out but never tracked through to development or validated.

• Make sure changes to acceptance criteria get back-ported to documentation

5. Strategic Escalation & Sustaining Partnership (5 minutes)

• Escalations have a strategic role, but must be rare and well managed. Too many escalations are a sign of dysfunction.

Story: Suggested escalation received as conflict versus a means of prioritization. A healthy culture should make “let’s go talk to our bosses about this” non-threatening.

• Clean escalations require: background, alternatives, tradeoffs described using neutral language, ideally make a recommendation—everyone involved should agree on framing

6. Conclusion & Actionable Takeaways (2 minutes)

Story 1: A story of bad Security Partnership, told via slack screenshots.

Introduction: Security Partnership

• Engagement Models: Consultative, Embedded, Champions. Proactive, Reactive.
• The stakeholders: Eng ICs, PMs, Eng Leaders, Security

Building a foundation for partnership

• Understand engineering processes
• Understand the product and the business
• Credibility: gained in ounces, lost in pounds
• Relationship: built through proactive partnership
• The role of internal standards

Story 2: Successful partnership - patch management, aligning on timelines and mitigating controls.

Handling Stakeholders: learn to speak their language

• PMs want predictability and clean interfaces
• EMs/TLs want predictability and care about technical requirements
• Eng ICs care about implementation details

The role of standards

• Blind application and inconsistent application both have risks
• Goal: reduce amount of direct partnership (“every consultation is a failure”)
• Hook into existing processes, like design document templates

Communication guidelines

• Communicate with empathy
• Realistic trade-offs
• Vulnerability impact without jargon
• Reward communication with the team

Story 3: Multi-quarter CI/CD security project with stumbles but ultimate success.

Partnering - reactive

• Discovery: build trust and show context
• Setting security requirements and acceptance criteria
• Getting agreement: broad framing, minimize work, center impact on people
• Getting the work done: ownership and sustainability
• Providing feedback: security should bear the burden of false positives

Escalations

• Too many escalations are a sign of dysfunction
• Clean escalations: background, alternatives, tradeoffs in neutral language

This is a blatant rip off of Clint Gibler’s BSidesSF 2020 talk, but focused on cloud security programs (he’s cool with it!).

Previous related talks:

• AWS Security: Easy Wins and Enterprise Scale (2020)
• Cloud Security Orienteering (2021)
• Beyond the AWS Security Maturity Roadmap (2023)

We’ll cover over a dozen tactics, building on the amazing work in the cloud security community. For example:

• Service allowlisting massively reduces the area you need to control
• Once you have service allowlisting, how do you review new services effectively?
• What can we learn from TrustOnCloud’s threat model approach, Sp0oKeR’s detection engineering, and Wiz’s Cloud Threat Landscape?

Intro (5m)

• You start with SSH to production boxes
• Maybe you move to SSM (no internet exposure) or a bastion host
• Engineers are often touching production for good reason
• Introduce Zero Touch Prod concept

Values behind Zero Touch Production (5m)

• Consider your organization and DevEx
• Values tradeoffs: carrot or stick, paved roads or goat paths, early launch timing

Taxonomy of production access needs (5m)

• Script running - predefined commands with safe arguments
• Scheduled Jobs - async, recurring, backfills
• UI-based Internal Tools
• Workbench with production data framework
• Read-only access to safe production data subset
• Break-glass JIT/Temporal Access

AWS Primitives & Vendor options (10m)

• Port Forwarding, RDS IAM auth, RunCommand as script runner
• AWS Verified Access, Cloudflare Access, Okta ASA, ZTNA tools
• JIT Access synthesis

Case Studies in DevEx (5m)

• Browser extension for Identity Center sessions
• Single opinionated CLI flow (aws-vault, granted)
• Wrapping CLIs for smart role selection, JIT integration, error guidance
• Single CLI for production access hiding SSM vs EC2 Instance Connect complexity

Introduction (5m)

• Refresher on Terraform Architecture
• Third party modules and providers

Attacking Terraform Automation (<10m)

• Review various vendor and OSS solutions
• Malicious providers and modules
• RCE in Terraform Plan / “Apply-in-Plan”
• Secrets in State Files
• “Task Runs”

Hybrid SaaS (<10m)

• SaaS control plane, customer owned compute
• Pros/Cons: customer ownership, management overhead
• Examples: Buildkite, Spacelift
• Security model: signed payloads, decreasing trust in control plane

Securing Spacelift @ Figma

Four threats:

1. “proposed runs” → if you can put up a PR, you can run a Plan
2. Compromise of engineer session on control plane
3. Compromise of admin session or Spacelift itself
4. “tracked runs” → code in master = Apply

Controls:

• GitHub Approvals + Commit Integrity
• Private Worker Pool (account isolation)
• Worker-side validation via GitHub APIs
• Permission Segmentation between Plans/Applies
• Semgrep for static analysis
• Spacelift Policies with role-based approval
• RBAC in control plane
• Disable “Task Runs”
• JIT authorization + detective controls
• Vendor all terraform modules
• Mirror for all Terraform providers
• Secrets scanning for terraform state

Context (12m)

• Biases: engineering oriented security program, zero trust, selling a software product
• The baseline via Scott’s Cloud Security Maturity roadmap
• The Netflix influence: “Netflix exists in order to spite the gods, copy them not”
• Build v. Buy framework from Sabry Tozin

Meat (25m)

Problem space and solutions for:

• Asset inventory / continuous compliance
• Secrets Management
• Secure IAC modules
• SSH replacement
• Least Privilege / IAM
• Account management, vending, and sandbox accounts
• DFIR
• Automated remediation
• Runtime Security
• Endpoint Monitoring
• Egress / Perimeter (data, network)
• Honeytokens

Context (6m)

• Biases on “the sort of cloud security program” I’m talking about
• The Netflix influence
• When I joined Figma: “we’ve shipped the roadmap, help us figure out what’s next”
• Build v. Buy framework

Meat (14m)

Specific OSS and commercial solutions for:

• Asset inventory / continuous compliance
• Secrets Management
• Secure IAC modules
• SSH replacement
• Least Privilege / IAM
• Account management and sandbox accounts
• DFIR
• Automated remediation
• Runtime Security
• Endpoint Monitoring
• Egress / Perimeter
• Honeytokens

This panel gathers participants from the tldrsec Staff+ Engineering guide.

Format:

• 90 second introductions from each panelist
• Pre-seeded questions to start discussion
• Open floor for audience questions

Sample questions:

• What’s a week like as a Staff+ engineer?
• What are the hardest parts of being a Staff+ engineer?
• What should you do if you feel “stuck” at Senior?
• What about your Staff+ journey is specific to Security?
• Is there an IC/Manager Pendulum in Security?
• What comes after Staff+ for you?

Why this talk?

1. Vendor agnostic (⅔ of sources reviewed were vendor blogs)
2. Built on comprehensive literature review (PTES, Gartner, CREST, NCSC)
3. Includes survey data from TL;DR Sec’s 8,000+ community

Outline:

1. Types of Security Services
2. Common motivations: Compliance, Sales, Investment/M&A, internal attestation, post-breach, risk reduction
3. Types of Vendors: Enterprise consulting, boutique, specialty, sole practitioner, MSSP, VAR
4. How to find vendors: Network, research, conference speakers, published research, certifications
5. Client-side scoping and requirements
6. Requesting and reviewing proposals (RFP process)
7. Contracting: Quotes, negotiation, vetting, rules of engagement
8. Pre-assessment preparation
9. After the assessment: Readout, reading reports, ingesting results
10. What comes next

Operating principles:

• This is a maturity shortcut
• Focus on separating signal from noise
• Only bring things into your program that you understand
• Identify a need → fill it

Resources covered:

• Training: PagerDuty’s sudo, PortSwigger Web Security Academy, Security Champions Playbook
• Incident management: PagerDuty response guide, Etsy’s blameless postmortems
• Risk Assessment: Mozilla’s Rapid Risk Assessment, Google’s VSA process
• Vulnerability Reporting: Disclose.io, Bug Bounty COI
• Compliance: Adobe CCF, GDPR Checklist, JupiterOne policy templates
• Hiring: Interview question collections
• Full programs: GitLab handbook, 18F engineering security

Prior art:

• SANS Cloud Security Summit talks
• fwd:cloudsec “The Usual Suspects”
• F5 breach highlights

Case Studies:

• Exposed S3 buckets, managed Elasticsearch
• CapitalOne
• Code Spaces
• DNC Hack (GRU)
• LA Times, OneLogin, Uber, Imperva, Tesla
• JW Player, TeamTNT botnet, Cryptomining AMI

Root Causes: Correlate breaches and establish common root causes, comparing to MITRE ATT&CK Cloud matrix.

Introduction (10m)

• The Cloud, AWS, Shared Responsibility Model
• Key background: VPCs, EC2, security groups, NACLs
• IAM: Principal Types, Credentials, Policies, Policy Evaluation

Easy (15-20m)

• Single account best practices and security services
• Common account compromise footholds
• Single account auditing
• Turnkey encryption

Hard (15-20m)

• Organizational Architecture
• Security at scale
• Encryption and Least Privilege
• Logging/Monitoring/Alerting
• Preparing for Incident Response
• Visibility and multi-account auditing
• Governance: IaC, AWS Config, SCPs
• Automatic Remediation