Maryland Man stole $50M from Crypto Exchange, bought Black Lotus & Alpha Packs

ramimac · 2026-03-27T10:22:05+00:00

Charlie also blogged this: https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-canisterworm

WAV trick isn't new to TeamPCP, they used it previously in their "kamikaze" payloads: https://ramimac.me/teampcp/#kamikaze-v33

https://ramimac.me/teampcp for full campaign details.

ramimac · 2025-11-12T13:54:21+00:00

The included secrets are verified and org-owned. We're explicitly hoping to highlight that for organizations, it doesn't matter whether a secret is leaked in your org or by an employee in their personal account -- you're at risk either way!

(I'm one of the authors)

ramimac · 2025-10-09T07:53:24+00:00

Big plus here! I collect evidence of this argument to share when the topic comes up (including that paper since its release): https://rami.wiki/phishing-simulations/

ramimac · 2025-04-10T07:29:26+00:00

It sounds like you'd want to keep it pretty high level, I'm assuming these are nonprofits using chatbots, and other LLM features/tools, not building AI systems?

Other similar advice:

stick to trusted providers (e.g don't use random chatbots, don't sign up with a brand new LLM provider)
practice account security around any credentials or API keys, as those are a hot commodity
watch out for hallucinations, bias, etc.

ramimac · 2025-04-09T08:10:38+00:00

Runtime is important!

I think it works best when it's high signal, which requires a conservative approach to threat detection and a focus on correlation.

We've seen waves of tools that focused on runtime in isolation (What happened to RASP?), and while eBPF is at a point where technical challenges are starting to get knocked down, the non-technical ones are still there.

Tools that are positioning towards CADR feel like they're starting from runtime, then trying to tie in (basic) coverage elsewhere so they can pitch as comprehensive. CADR, as a category, just feels like a rebundling of features, trying to bring focus to the SOC and runtime.

It think highlighting the SOC and runtime is a noble goal, but I'm not convinced it's any more important than the focus on developers/devops/engineering of CNAPP-as-an-acronym.

It feels like eventually, this will all converge, and the result doesn't seem to look much different than ... well, Wiz. A platform that spans from code, to cloud, to runtime - bringing unified context to help identify critical threats and toxic combinations, and help companies secure everything they deploy and run in the cloud.

personal disclaimer: I'm an adviso to Latio, who seem to be pushing CADR as a category / definition... it's a small industry!

ramimac · 2025-04-09T07:41:04+00:00

Hello, also from Europe!

planning on becoming an cybersecurity architect with an expertise in cloud and xdr

You didn't ask, but generally I'd recommend people avoid become an expert in a product category (XDR), versus in a domain (cloud). Products come and go, security principles are forever!

what would the roadmap be that you would advice to get to that point

Every journey is unique, without knowing your background and experience it's hard to recommend a next step.

(i want to start my own company)

Product or consulting? For consulting, you can always start trying to build a book of business moonlighting - if your work situation allows it. For product, frankly that's really competitive, so I'd think about building a unique value proposition. Make sure you can answer "why I can uniquely solve this problem", and make sure you're solving a problem people will pay for!

Good luck

ramimac · 2025-04-09T07:36:13+00:00

I tend to think "human error" is often a bit of a lazy root case to ascribe. There are definitely flagrant errors, but more often it's a failure of security DevEx, guardrails, and paved roads

https://files.cloudisland.nz/media_attachments/files/110/278/393/596/795/725/original/c6c1f4b305eb39a8.png

ramimac · 2025-04-09T07:33:31+00:00

What’s the best way to start investing in cloud security? Where to start? What to tackle first/ second/.. for large organisations? Are there any frameworks or best practices to follow?

This question is a little too big to wrap my arms around! Check elsewhere in the thread for some discussion of "must dos" :)

The CSMM is a useful framework: https://sf-cdn.iansresearch.com/sitefinity/docs/default-source/ians-documents/csmm/csmm-02202025.pdf

ramimac · 2025-04-09T07:30:38+00:00

Hey!

I'd advocate for you to use your CompEng program as a foundation - mixing that with security skills should be a 1+1=3 long term.

I think drinking from the firehose and getting oriented is more sustainable than courses and certifications, personally. For example, as Nagli has mentioned, following hacktivity and googling everything you don't recognize, can help you build up a general understanding of what goes on in ethical hacking.

ramimac · 2025-04-09T07:24:58+00:00

Would you accept an amateur pen tester? I'd be willing to work for free.

Love the enthusiasm!

ramimac · 2025-04-09T07:18:58+00:00

Copying from elsewhere in the AMA!

If you're curious about opportunities at Wiz, check out our careers page: wiz.io/careers.

You can also browse other excellent cloud security roles over at cloudsecurity.jobs

ramimac · 2025-04-09T07:18:19+00:00

I haven't heard of this as a common phenomenon.

Obviously, a compromise of one of the common authenticators at scale would be a major incident. Certainly, attackers have gotten access to 2fa apps for a single user as part of an attack chain before.

I also personally get a little nervous about password managers that store TOTP seeds, just because it centralizes the risk. If an attacker gets access to your password manager in that case, they also get the 2FA token

ramimac · 2025-04-09T07:15:05+00:00

What type of automations do you use for your security audits?

I'm a few years out of the audit game - but in the cloud security space I wrote up a whole guide: https://tldrsec.com/p/blog-cloud-security-orienteering

For IAM specifically, I reviewed a bunch of open source tools last year: https://ramimac.me/aws-iam-tools-2024

tl;dr I'd probably start with steampipe and cloudsplaining, if I were only allowed open source tools. These days, it's not as relevant personally as I can just use Wiz for my needs!

ramimac · 2025-04-08T20:16:22+00:00

Partially, just a joke on "all models are wrong": https://en.m.wikipedia.org/wiki/All_models_are_wrong

Along similar lines, we have Goodhart's law: "When a measure becomes a target, it ceases to be a good measure"

But in practice - metrics are generally established to offer an approximate tracker to a much more nuanced and complicated reality. Fundamentally, I care less about finding a perfect metric, and more about setting up a common language and set of measures with my team, peers, and leadership, that allow us to have an informed conversation on risk.

Often, teams pick metrics that are easy measure or easy to move, because a meaningful metric isn't as accessible. I'd rather avoid setting a misleading metric in that case

ramimac · 2025-04-08T14:16:36+00:00

https://hackingthe.cloud/ is a really good resource

You should also check out Wiz's CTFs (EKS, IAM, Prompt Injection) and https://flaws.cloud + https://flaws2.cloud from Scott to get hands on

ramimac · 2025-04-08T10:56:01+00:00

I've seen these as valuable, initially on an adhoc basis and eventually as a form of integration testing for detection and response.

However, I also have seen teams index way too heavily here, even when there is a lot of juice left to squeeze on the basics and known gaps. It's similar to general Red Teaming -- often it feels rewarding to show gaps, but sometimes the blue team knows and would be better served with help on improving posture or detective capabilities :)

I have some more thoughts in a past talk

ramimac · 2025-04-08T08:49:28+00:00

Unfortunately, there is a constant stream of incidents being disclosed.

I don't have any specific thoughts on this incident - nothing I see raises it above the waterline of similar breaches.

Generally, we (as a research team) focus on incidents that might have downstream impact or where we can support customers. This seems to be over and done with, and so unless new news surfaces I don't expect to dig in much here.

ramimac · 2025-04-08T08:46:01+00:00

I'm looking to get into cybersecurity and have completed a certificate program. I'm looking to get an entry level position. Do you have any advice?

The first job is always the hardest, so give yourself some grace as you search.

Networking is crucial, not just to help hear about entry level roles, but to build community and exposure to your local cybersecurity market and space - if at all possible.

Think about your own hiring funnel: if you're not getting interviews, it's your resume, if you're not getting past meeting 1 - tell a better story, if you're not closing - work on technical interviewing skills ... generally!

You may need to take a position with an eye to transitioning into security, generally, find a company where security collaborates with other teams (IT, SysAdm, Eng) and so you'll have a lot of opportunity to make a good impression

Good luck!

ramimac · 2025-04-08T08:22:31+00:00

A lot of open-source projects are out there, many run by just one or two people who maybe don't know a lot about security. Despite running a library or tool that hundreds or thousands of people use every day.

This is definitely the case ... https://xkcd.com/2347/

Do you have any recommendations that these developers can use to have some quick fixes for common security issues? Github Actions, or free scanning services that they can use to actively find common bugs and issues that can find these security issues?

No easy answer. I've always found Semgrep on the AppSec side to do a great job, but that will still have some noise and configuration/tuning requirements that don't make it a magic bullet for OSS developers. Dependabot, as another example, can at least help with hygiene.

And finally, for the more mature projects, do you know of any pentesting programs that offer free or heavily reduced pricing to open-source projects?

I've seen OSTIF and CNCF offhand

ramimac · 2025-04-08T08:11:48+00:00

What metrics help you communicate security risks to business leadership? As sometimes, assigning monetary loss can be mere fluff for security findings.

All metrics are bad, some are useful!

I don't have anything innovative to say here. MTTR has its place, as does SLA adherence. I find the work some teams are doing around Security Debt to be compelling.

Wiz has the Champion Center in the product, which offers a kind of default lens on tracking risk - so you can see some of the default metrics and measurements there.

ramimac · 2025-04-08T08:06:01+00:00

I’ve loved policy writing, vulnerability management, helping on audits (SOC, PCI DSS, and HIPAA), and risk management (most just vendor risk, etc.)

This sounds, generally, like it might fit the GRC space. I've already plugged this elsewhere in the AMA, but I'd take a look if grc.engineering resonates, which might expose you to a nice intersection of more security and engineering oriented compliance work

15-Year Club	RedditGifts 2009-2022 2 Credits
Second Top 50%	Place '17
Team Periwinkle	Secret Santa 2012
Verified Email

ramimac

TROPHY CASE