WD‑40 was invented in San Diego in 1953. The “Water Displacement, 40th attempt” formula was originally developed to protect the metal skin of the Atlas missile from rust and corrosion.  While we know it more for fixing squeaky or stuck parts today, that once single-purpose compound has become a global utility. Much like digital forensics itself, which began as a narrow investigative craft. Today, it has expanded into one of the most versatile and essential tools in the modern security arsenal. "The Birthplace of California" made a perfect backdrop for Techno Security & Digital Forensics Conference West 2025. 

Hundreds of cybersecurity defenders, forensic investigators, and law enforcement professionals come together at Town and Country San Diego's convention center for three days of sessions, training, and camaraderie between teams working to keep us all safe. This was an event where the larger mission was not just to respond, but to stop criminals driving extortion campaigns, data breaches, identity theft, and fraud rings at an industrial scale.

Here are just a few learnings from this year's West Coast edition.  

Reinforcing the Identity Perimeter

In his session, “Is Microsoft Active Directory Still Risky to Your Enterprise?” Derek Melber, Strategic Advisor for Enterprise Identity at GuidePoint Security, explained that despite decades of hardening, on-premises Active Directory, and its increasingly hybrid integration with Entra ID, continues to provide fertile ground for attackers. Derek dissected the classic kill chain: from phishing to privilege escalation to domain-wide compromise. He exposed the configuration artifacts of unconstrained SPNs, SIDHistory, and Kerberos delegation, which remain undetected by most scans, yet enable persistent, privileged access.

Derek argued that security tooling does not adequately secure identity. Multifactor authentication (MFA) and privileged access management (PAM) may authenticate and gate access, but they do nothing to correct poor identity architecture. Attack paths built on weak delegation, account sprawl, and stale permissions are living footholds for intruders. He emphasized that tiering models, where Tier 0 identities and machines are isolated, are required for modern enterprises.

He showed off tools like BloodHound and PurpleKnight, and encouraged us all to make these routine in audit and incident response work. Without clear identity scoping, you cannot prove provenance or prevent persistence. Shadow admins, misconfigured service accounts, and the abuse of trust boundaries are his major concerns, and identity controls must become defensible, auditable, and observable by design.

Classification As A Risk‑Control Foundation

John Wallace, Senior IT Auditor II at Security Service Federal Credit Union, argued in his session, “Data Classification: The Foundation of Data Protection,” that there needs to be a renewed focus on the often forgotten precursor to every effective control: knowing what data you actually have. He mapped out that unclassified data isn’t just disorganized; it’s invisible. He reminded us that invisible assets are undefendable. Classification, John argued, is what connects the digital dots: what is it, who owns it, who touched it, and what risk does it carry?

John walked through several breach examples, from Equifax, Capital One, Allianz, and the recent Tea dating app incident, showing how misclassification amplified impact. Sensitive fields were either never labeled or miscategorized and, therefore, excluded from modern protection and data loss prevention policies. That absence of labeling means slower triage and greater regulatory exposure.

He also shared practical success stories. One regional bank integrated classification into its infosec policy by aligning with business unit leaders, making the whole org resilient while helping them understand what data they even had. A manufacturing firm reduced accidental leaks by 70% using folder-level classification and auto-tagging. Classification can turn ambiguity about 'what risks does this data carry?" into clear directives during a breach.

Intrusion In the Cloud: From Token Theft to OAuth Abuse

Mark Gramajo, DART Sr. Security Researcher at Microsoft, detailed modern attacker persistence in the cloud identity plane in his session "Cloudy with a Chance of Exfil: Obscure Cyber Threat Actor Persistence and Exfiltration Mechanisms." He explained that adversaries no longer rely on malware; they rely on your identity infrastructure. 

Groups like Octo Tempest, also called Scattered Spider, now pair social engineering with identity abuse. Techniques like SIM swapping to bypass SMS based MFA, self-service password resets, and token replay to hijack cloud sessions without triggering alerts are all too common now.

Mark walked us through how adversaries replay tokens, stolen post-MFA, and impersonate valid users. OAuth enterprise applications get quietly registered, modified, and granted escalated permissions to email systems and file stores. He showed how Azure Key Vaults are enumerated through ephemeral Cloud Shell instances, often without diagnostic logging. Mailbox rules and Teams messages are hijacked to reroute direct deposits, steal credentials, or drop secondary payloads. All of this happens in low-signal environments of API calls, audit logs, federated trust alterations.

The implication for digital forensics teams is chain-of-custody now includes ephemeral tokens and adversary infrastructure includes your own OAuth apps. Detection will requiree audit logging in all identity based systems and teams need real-time access to those artifacts. Mark argued that the cloud has shifted from an attack vector to a persistence layer, and the defenders must adjust to meet this reality.

Identity Is The Modern Perimeter

Identity and data came up in almost every session at this event. Forensic professionals, law enforcement, and security leaders alike are converging on the same conclusion that we are no longer defending static networks, but dynamic trust planes.

Identity As Legal And Technical Evidence

Identity is an operational control we need to focus on, but for law enforcement, it goes deeper; it’s also a forensic artifact. When attackers escalate via SPNs or exploit OAuth tokens to access sensitive inboxes, they leave identity fingerprints that must be captured and correctly interpreted. This requires technical controls in the form of tiering, logging, and rotation. But also legal awareness of proving who accessed what, when, and why? If you can track delegation drift across domains, then you are going to have a better handle on Identity architecture, which must now be both defensible and discoverable.

Data Classification As The New Chain-of-Custody Anchor

Every incident begins and ends with data. We as defenders need to focus on what was accessed, what was taken, and what was changed. Without classification, none of those questions can be answered quickly or confidently. Classification underpins access control, but also incident reconstruction. It prioritizes response, narrows exfil investigation, and supports prosecutable attribution. It is the Rosetta Stone of digital forensics. Without it, evidence is circumstantial and slow to surface.

Detection Must Shift Left Into Identity Behavior

Threats aren’t always executable. The signals have moved upstream. We must be on guard for anomalous permissions, silent API abuse, and low-noise federated trust changes. Security operations must learn from forensics teams how to baseline normal behavior and detect the subtle deviations. Unified audit logs, app governance, and ,GraphQL monitoring are the new perimeter guardrails. Detection is now a behavioral science, and forensic readiness is a core competency.

Strategic Alignment Across Functions

This shift needs to be organizational. Identity sits at the intersection of IAM, cloud ops, legal, and incident response. Classification involves business unit ownership. Detection involves telemetry, logging, and policy. The security leader must orchestrate collaboration across silos, translating technical gaps into operational risks that resonate at the executive level. That’s how you win budget. That’s how you earn buy-in. That’s how you stop attackers from living in your environment with your own tools.

Building a Defensible Identity Future

Across the entire event, the central message almost always returned to identity, access, and controls. We’ve entered an era where attackers don’t need malware to compromise an environment; they just need your IAM missteps and your unclassified data. Your author was also able to share a session covering, in part, how many of our secrets are being leaked within the organization via generative AI, in part due to a lack of data sanitization. After this event, it is clear that better classification of data should result in teams becoming more thoughtful in what sources AI can or can not access.

No matter what area of tech or security you are working in, identity is the perimeter, and it’s under daily siege. There is some good news, though, as more and more teams are awakening to this reality, and speakers were all optimistic that tools are evolving faster than ever to help us get ahead of these attacks. If we treat classification as our evidentiary anchor and identity architecture as both a control and a dataset, we gain the upper hand. If you want to secure your organization in 2026, start with the identities and data you forgot to question. Attackers love it when you fail to understand what you have, making it easier for them to hide and exfiltrate any data they want.