BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//fwd-cloudsec-2026//speaker//9XDB3R
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fwd-cloudsec-2026-YHBEPL@pretalx.com
DTSTART;TZID=PST:20260602T103000
DTEND;TZID=PST:20260602T105000
DESCRIPTION:When a cloud IR team can’t systematically categorize what the
 y’re seeing across incidents\, every engagement starts from scratch. In 
 2019\, when our security incident response team tried to discuss incide
 nt patterns internally\, we hit the same wall every time: no shared voc
 abulary\, no common framework. One responder would describe an attack a
 s 'credential theft\,' another as 'privilege escalation\,' and we’d spe
 nd 20 minutes just aligning on what actually happened before we could e
 xtract any lessons.\n\nThat's when we realized: if we couldn't discuss p
 atterns among ourselves\, how could we possibly share impactful lesson
 s learned with customers or the broader security community? This talk c
 hronicles our journey from that frustrating moment to launching an open
 -source threat intelligence resource now used globally: the Threat Tech
 nique Catalog for AWS\, written and released by the AWS Customer Incide
 nt Response Team (CIRT).\n\nThe Threat Technique Catalog for AWS was bui
 lt out of necessity\, and it transformed how CIRT operated. For the fir
 st time\, we could track incident types and threat actor activity syste
 matically. That visibility let us prioritize authoring playbooks for th
 e most common incidents\, identify gaps in our response capabilitie
 s\, and act on opportunities we hadn't known existed.\n\nWe’ll talk thr
 ough how systematic incident categorization enabled a cloud IR team t
 o identify response capability gaps\, prioritize playbook development f
 or the most frequently observed techniques\, and build an evidence bas
 e that drove platform-level security improvements\, including contribut
 ing to the decision to enforce mandatory MFA for root users across al
 l AWS account types.\n\nSince its first launch in June 2025\, the catalo
 g has become a living resource: the March 2026 update added new techniq
 ues\, such as Cogito\, that we're seeing in active campaigns right no
 w. Every quarter brings fresh intelligence: novel attack patterns\, eme
 rging threat actor behaviors\, and the techniques CIRT observes most fr
 equently in the wild. This isn't a static reference\; it's an evolvin
 g playbook that turns every security incident into an opportunity to e
 ducate the community while we work in parallel to make AWS more secur
 e by default.\n\nThe talk covers three phases: building the internal ta
 xonomy and the operational improvements it unlocked\; using aggregate
 d incident data to advocate for systemic security changes\; and the pr
 ocess of taking internal threat intelligence public through a quarterl
 y-updated open-source catalog. We’ll share specific examples of how in
 cident metadata revealed patterns that weren’t visible at the individu
 al case level\, and how those patterns translated into concrete actions
 \, from new detection logic to publicly available IR workshops coverin
 g scenarios like unauthorized credential use\, ransomware\, cryptominin
 g\, and SSRF.\n\nAttendees will leave with a practical framework for bu
 ilding their own incident categorization system\, concrete examples o
 f how threat intelligence derived from IR engagements can drive both t
 actical and strategic improvements\, and an understanding of how to ev
 aluate whether their current monitoring would catch the techniques clo
 ud IR teams see most frequently.
DTSTAMP:20260502T113342Z
LOCATION:Room 2
SUMMARY:Transforming security incident metadata to security outcomes: the T
 hreat Technique Catalog for AWS Journey - Cydney Stude\, Steve de Vera
URL:https://pretalx.com/fwd-cloudsec-2026/talk/YHBEPL/
END:VEVENT
END:VCALENDAR
