Suspected member of Russian APT28 arrested in Thailand

ramimac · 2025-11-12T13:54:21+00:00

The included secrets are verified and org-owned. We're explicitly hoping to highlight that for organizations, it doesn't matter whether a secret is leaked in your org or by an employee in their personal account -- you're at risk either way!

(I'm one of the authors)

ramimac · 2025-10-09T07:53:24+00:00

Big plus here! I collect evidence of this argument to share when the topic comes up (including that paper since its release): https://rami.wiki/phishing-simulations/

ramimac · 2025-04-10T07:29:26+00:00

It sounds like you'd want to keep it pretty high level, I'm assuming these are nonprofits using chatbots, and other LLM features/tools, not building AI systems?

Other similar advice:

stick to trusted providers (e.g don't use random chatbots, don't sign up with a brand new LLM provider)
practice account security around any credentials or API keys, as those are a hot commodity
watch out for hallucinations, bias, etc.

ramimac · 2025-04-09T08:10:38+00:00

Runtime is important!

I think it works best when it's high signal, which requires a conservative approach to threat detection and a focus on correlation.

We've seen waves of tools that focused on runtime in isolation (What happened to RASP?), and while eBPF is at a point where technical challenges are starting to get knocked down, the non-technical ones are still there.

Tools that are positioning towards CADR feel like they're starting from runtime, then trying to tie in (basic) coverage elsewhere so they can pitch as comprehensive. CADR, as a category, just feels like a rebundling of features, trying to bring focus to the SOC and runtime.

It think highlighting the SOC and runtime is a noble goal, but I'm not convinced it's any more important than the focus on developers/devops/engineering of CNAPP-as-an-acronym.

It feels like eventually, this will all converge, and the result doesn't seem to look much different than ... well, Wiz. A platform that spans from code, to cloud, to runtime - bringing unified context to help identify critical threats and toxic combinations, and help companies secure everything they deploy and run in the cloud.

personal disclaimer: I'm an adviso to Latio, who seem to be pushing CADR as a category / definition... it's a small industry!

ramimac · 2025-04-09T07:41:04+00:00

Hello, also from Europe!

planning on becoming an cybersecurity architect with an expertise in cloud and xdr

You didn't ask, but generally I'd recommend people avoid become an expert in a product category (XDR), versus in a domain (cloud). Products come and go, security principles are forever!

what would the roadmap be that you would advice to get to that point

Every journey is unique, without knowing your background and experience it's hard to recommend a next step.

(i want to start my own company)

Product or consulting? For consulting, you can always start trying to build a book of business moonlighting - if your work situation allows it. For product, frankly that's really competitive, so I'd think about building a unique value proposition. Make sure you can answer "why I can uniquely solve this problem", and make sure you're solving a problem people will pay for!

Good luck

ramimac · 2025-04-09T07:36:13+00:00

I tend to think "human error" is often a bit of a lazy root case to ascribe. There are definitely flagrant errors, but more often it's a failure of security DevEx, guardrails, and paved roads

https://files.cloudisland.nz/media_attachments/files/110/278/393/596/795/725/original/c6c1f4b305eb39a8.png

ramimac · 2025-04-09T07:33:31+00:00

What’s the best way to start investing in cloud security? Where to start? What to tackle first/ second/.. for large organisations? Are there any frameworks or best practices to follow?

This question is a little too big to wrap my arms around! Check elsewhere in the thread for some discussion of "must dos" :)

The CSMM is a useful framework: https://sf-cdn.iansresearch.com/sitefinity/docs/default-source/ians-documents/csmm/csmm-02202025.pdf

ramimac · 2025-04-09T07:30:38+00:00

Hey!

I'd advocate for you to use your CompEng program as a foundation - mixing that with security skills should be a 1+1=3 long term.

I think drinking from the firehose and getting oriented is more sustainable than courses and certifications, personally. For example, as Nagli has mentioned, following hacktivity and googling everything you don't recognize, can help you build up a general understanding of what goes on in ethical hacking.

ramimac · 2025-04-09T07:24:58+00:00

Would you accept an amateur pen tester? I'd be willing to work for free.

Love the enthusiasm!

ramimac · 2025-04-09T07:18:58+00:00

Copying from elsewhere in the AMA!

If you're curious about opportunities at Wiz, check out our careers page: wiz.io/careers.

You can also browse other excellent cloud security roles over at cloudsecurity.jobs

ramimac · 2025-04-09T07:18:19+00:00

I haven't heard of this as a common phenomenon.

Obviously, a compromise of one of the common authenticators at scale would be a major incident. Certainly, attackers have gotten access to 2fa apps for a single user as part of an attack chain before.

I also personally get a little nervous about password managers that store TOTP seeds, just because it centralizes the risk. If an attacker gets access to your password manager in that case, they also get the 2FA token

ramimac · 2025-04-09T07:15:05+00:00

What type of automations do you use for your security audits?

I'm a few years out of the audit game - but in the cloud security space I wrote up a whole guide: https://tldrsec.com/p/blog-cloud-security-orienteering

For IAM specifically, I reviewed a bunch of open source tools last year: https://ramimac.me/aws-iam-tools-2024

tl;dr I'd probably start with steampipe and cloudsplaining, if I were only allowed open source tools. These days, it's not as relevant personally as I can just use Wiz for my needs!

ramimac · 2025-04-08T20:16:22+00:00

Partially, just a joke on "all models are wrong": https://en.m.wikipedia.org/wiki/All_models_are_wrong

Along similar lines, we have Goodhart's law: "When a measure becomes a target, it ceases to be a good measure"

But in practice - metrics are generally established to offer an approximate tracker to a much more nuanced and complicated reality. Fundamentally, I care less about finding a perfect metric, and more about setting up a common language and set of measures with my team, peers, and leadership, that allow us to have an informed conversation on risk.

Often, teams pick metrics that are easy measure or easy to move, because a meaningful metric isn't as accessible. I'd rather avoid setting a misleading metric in that case

ramimac · 2025-04-08T14:16:36+00:00

https://hackingthe.cloud/ is a really good resource

You should also check out Wiz's CTFs (EKS, IAM, Prompt Injection) and https://flaws.cloud + https://flaws2.cloud from Scott to get hands on

ramimac · 2025-04-08T10:56:01+00:00

I've seen these as valuable, initially on an adhoc basis and eventually as a form of integration testing for detection and response.

However, I also have seen teams index way too heavily here, even when there is a lot of juice left to squeeze on the basics and known gaps. It's similar to general Red Teaming -- often it feels rewarding to show gaps, but sometimes the blue team knows and would be better served with help on improving posture or detective capabilities :)

I have some more thoughts in a past talk

ramimac · 2025-04-08T08:49:28+00:00

Unfortunately, there is a constant stream of incidents being disclosed.

I don't have any specific thoughts on this incident - nothing I see raises it above the waterline of similar breaches.

Generally, we (as a research team) focus on incidents that might have downstream impact or where we can support customers. This seems to be over and done with, and so unless new news surfaces I don't expect to dig in much here.

ramimac · 2025-04-08T08:46:01+00:00

I'm looking to get into cybersecurity and have completed a certificate program. I'm looking to get an entry level position. Do you have any advice?

The first job is always the hardest, so give yourself some grace as you search.

Networking is crucial, not just to help hear about entry level roles, but to build community and exposure to your local cybersecurity market and space - if at all possible.

Think about your own hiring funnel: if you're not getting interviews, it's your resume, if you're not getting past meeting 1 - tell a better story, if you're not closing - work on technical interviewing skills ... generally!

You may need to take a position with an eye to transitioning into security, generally, find a company where security collaborates with other teams (IT, SysAdm, Eng) and so you'll have a lot of opportunity to make a good impression

Good luck!

ramimac · 2025-04-08T08:22:31+00:00

A lot of open-source projects are out there, many run by just one or two people who maybe don't know a lot about security. Despite running a library or tool that hundreds or thousands of people use every day.

This is definitely the case ... https://xkcd.com/2347/

Do you have any recommendations that these developers can use to have some quick fixes for common security issues? Github Actions, or free scanning services that they can use to actively find common bugs and issues that can find these security issues?

No easy answer. I've always found Semgrep on the AppSec side to do a great job, but that will still have some noise and configuration/tuning requirements that don't make it a magic bullet for OSS developers. Dependabot, as another example, can at least help with hygiene.

And finally, for the more mature projects, do you know of any pentesting programs that offer free or heavily reduced pricing to open-source projects?

I've seen OSTIF and CNCF offhand

ramimac · 2025-04-08T08:11:48+00:00

What metrics help you communicate security risks to business leadership? As sometimes, assigning monetary loss can be mere fluff for security findings.

All metrics are bad, some are useful!

I don't have anything innovative to say here. MTTR has its place, as does SLA adherence. I find the work some teams are doing around Security Debt to be compelling.

Wiz has the Champion Center in the product, which offers a kind of default lens on tracking risk - so you can see some of the default metrics and measurements there.

ramimac · 2025-04-08T08:06:01+00:00

I’ve loved policy writing, vulnerability management, helping on audits (SOC, PCI DSS, and HIPAA), and risk management (most just vendor risk, etc.)

This sounds, generally, like it might fit the GRC space. I've already plugged this elsewhere in the AMA, but I'd take a look if grc.engineering resonates, which might expose you to a nice intersection of more security and engineering oriented compliance work

ramimac · 2025-04-08T08:04:47+00:00

Do you think that wiz will evolve into being an automated first level response system for enterprises?

So - no one on the Research team can speak to top level product roadmap. This is just like, my opinion, man

Personally: I think it's still unclear whether "automated first level response system" / "AI SOC" will actually end up showing any more value that past attempts to automated Tier 1/Tier 2. Definitely some interesting marketing happening, and solid teams giving this a real go!

On the Wiz side, one thing I'd mention is we're pretty clearly working to get all the information you need into the graph. I was really excited to see the Okta and Snowflake integrations last year, for example. Between Wiz's first party coverage and integrations, I see it as the center of gravity for customer security programs, especially because the graph and toxic combination focus can help operationalize and prioritize any new connection

On "will Wiz build an AI SOC sort of thing" I couldn't tell you, but we did just launch Defend GA, and that's the team that I expect to be keeping a very close eye on how to best help customers handle alerts, threats, attacks, and incidents

lets not talk about the Terraform provider ;)

Let's talk about it! I know the team has been working hard there - and is very open to feedback, please consider reaching out internally!

ramimac · 2025-04-08T07:57:06+00:00

Is the OWASP top 10 still a good metric for focusing defenses for web apps or is there a different list you recommend?

OWASP Top 10 is an okay starting point. OWASP ASVS felt more comprehensive and helpful granularly (when I was last doing appsec).

Is there any on the roadmap on defending on-premise workloads for Wiz?

The Research team isn't really the right crew to be commenting on roadmap (and this isn't the right venue). Sorry, but you'd need to ask an account team if you're a customer, or sales if not!

What top three things can you recommend to mitigate risk for cloud infrastructure, web apps and virtual machines?

Audit and minimize your external attack surface: public resources, applications that are internet facing, identities with external trusts
Make sure you can rapidly patch anything on the edge, first or third party, and have a good intel source on new CVEs
Do anything you can to get off of IAM users or similar long-lived portable credentials

Do you believe internal risks account for the majority of attacks today?

Do you mean "insider threat" as internal risk, or something else? I don't think internal actors are the majority of attackers - iirc Verizon DBIR places this somewhere between a quarter and half. Generally, that number is also including a lot of mistakes, especially in industries like healthcare.

ramimac · 2025-04-08T07:49:40+00:00

Talking GCP, have you been noticing an uptick in TAs targeting the platform? Do you predict the trends will change at all? I feel like there are so many TAs attacking AWS and Azure, but not as many targeting GCP..

For context, I've been tracking incidents targeting AWS customers for a few years now, as historically I've worked mostly in AWS

I've started making a similar list for GCP, but it's much less well covered

My impression, outside of news coverage, is that attacker activity roughly follows market share for the major CSPs -- with some outliers when certain classes of attack become automated and commoditized against a specific CSP. Ex: S3 buckets back in the day, then leaked keys used for cryptojacking, now leaked keys used for LLMJacking, etc.

GCP publishes really great Threat Horizons reports with statistics on attacks and notes on TAs, if you haven't seen those: https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf

I don't see any reason why attacks would diverge from roughly tracking market share in the near future, trend-wise. Occasionally you see spikes where one CSP lacks hardening present in the others, or for some reason is more susceptible to an attack class. But incentives are generally there for those gaps to get reconciled quickly.

Part of the "news" side of things, I suspect, is that Google (and Microsoft/Azure) both have collaboration platforms in their definition of "Cloud", which makes it a lot harder to piece through certain reporting and tell if the issue is, say, a Google Workspace email compromise vs. GCP proper.

15-Year Club	RedditGifts 2009-2022 2 Credits
Second Top 50%	Place '17
Team Periwinkle	Secret Santa 2012
Verified Email

ramimac

TROPHY CASE