Program times are reflected in the time zone of the host country, Paraguay.
Attendees joining us virtually for plenary sessions will be accessing the stream via Zoom. The Zoom will be hosted by the venue and links will be provided prior to the start of the day. Please check your email for this information.
Simultaneous interpretation will be provided to in-person and virtual participants only for the plenary session. Languages to be translated include English, Spanish, and Portuguese.
All in-person sessions and training take place in Room: Joao Havelange 4 at the Conmebol Convention Center.
In preparation for this activity, we suggest viewing the recorded webinar available at the following link: https://www.lacnic.net/7274/1/lacnic/ (Spanish)
October 9 | Plenary Sessions
October 10 | Training Session (no virtual participation available)
October 9 Plenary Sessions

| Time | Session | Speaker(s) |
|---|---|---|
| 09:00 – 09:10 | Opening Remarks | |
| 09:10 – 09:50 | Elements of Effective Communications | Sharon Mudd (Carnegie Mellon University / CERT, US) |
| 09:50 – 10:25 | Automation, LOTL and other New Ransomware Skills - Lessons Learned | Gabriela Maria Ratti Bittinger (Beaconlab (Cybolt), MX) |
| 10:25 – 11:00 | Automating Software Identification for Vulnerability Scanners | Luciano Righetti (CIRCL, LU) |
| 11:00 – 11:30 | Coffee Break | |
| 11:30 – 12:10 | Threat-Informed Defense: Adversarios en Latinoamérica | Ian Davila (TidalCyber, US) |
| 12:15 – 12:55 | Desenmascarando la Operación Mozi en Paraguay | Marcos Centurión, Ruslan Osorio (RYMTECH, PY) |
| 13:00 – 14:00 | Lunch | |
| 14:00 – 14:40 | Panorama de Ciber Amenazas en LATAM | Eduardo Bouillet (Entel Digital, CL) |
| 14:40 – 15:20 | A DFIR Pipeline with Velociraptor, KAPE and other Awesome Tools | Gabriela Maria Ratti Bittinger, Raul Benitez Netto (Beaconlab (Cybolt), MX) |
| 15:20 – 16:00 | Brazil: Possibly the Best Place for an Organization to Stress Test Security | Ronaldo Vasconcellos (Cyberpeace Security, BR) |
| 16:00 – 16:30 | Coffee Break | |
| 16:30 – 17:05 | AllaSenha Threat and its Danger in Latin America – A Use Case | Tiago Reis Barbosa (CAIS/RNP, BR) |
| 17:05 – 17:45 | | Omar Avilez (CBRT, RD, DO) |
| 19:00 – 00:00 | LACNIC/LACNOG Social Event (Open to FIRST Attendees) | |
October 10 Training Session (no virtual participation available)

| Time | Session | Speaker(s) |
|---|---|---|
| 09:30 – 11:00 | Introduction to MISP or Introduction to MISP: Sharing Threat Intelligence (Full Day Training) | Luciano Righetti (CIRCL, LU) |
| 11:00 – 11:30 | Coffee Break | |
| 11:30 – 13:00 | Introduction to MISP or Introduction to MISP: Sharing Threat Intelligence (Full Day Training) | Luciano Righetti (CIRCL, LU) |
| 13:00 – 14:00 | Lunch Break | |
| 14:00 – 16:00 | Introduction to MISP or Introduction to MISP: Sharing Threat Intelligence (Full Day Training) | Luciano Righetti (CIRCL, LU) |
| 16:00 – 16:30 | Coffee Break | |
| 16:30 – 18:00 | Introduction to MISP or Introduction to MISP: Sharing Threat Intelligence (Full Day Training) | Luciano Righetti (CIRCL, LU) |
Omar Avilez (CBRT, RD, DO)
In this presentation, I will explore the critical role of defending Active Directory (AD) environments against ransomware attacks through a series of real-world case studies. These case studies will illustrate how cybersecurity teams can effectively detect, respond to, and mitigate AD attacks. Each scenario will provide a detailed analysis of the attack, including detection techniques, response strategies, and lessons learned. Additionally, I will share proactive defense measures and best practices to enhance AD security. This session aims to equip participants with actionable insights and strategies to strengthen their AD defenses and improve their incident handling capabilities.
October 9, 2024 17:05-17:45
Tiago Reis Barbosa (CAIS/RNP, BR)
This topic would be of extreme contribution to the participating community as it addresses the variant of “AllaKore,” a Windows-based Remote Access Trojan (RAT) that has been affecting Brazil through a complex infection chain. Despite its predecessor targeting Mexican financial institutions, the campaign is linked to an unidentified financially motivated threat actor based throughout Latin America. Throughout the presentation, the following topics will be covered:
October 9, 2024 16:30-17:05
Gabriela Maria Ratti Bittinger (Beaconlab (Cybolt), MX), Raul Benitez Netto (Beaconlab (Cybolt), MX)
Gabriela Maria Ratti Bittinger, Beaconlab (Cybolt). Incident Response Coordinator at Beaconlab, Cybolt, a Mexican company that recently became a FIRST member. I'm from Paraguay; I am an Electronic Engineer and have a Master's degree in Cybersecurity (Spain). DFIR | SOC | Threat hunting specialist. I was part of and led the National Paraguay CSIRT and the National Cybersecurity Authority at the ICT Ministry in Paraguay for more than 10 years. I'm also a teacher and instructor in several cybersecurity trainings and courses.
October 9, 2024 14:40-15:20
Luciano Righetti (LU)
System Engineer, passionate about cybersecurity. Working at CIRCL, the Computer Incident Response Center Luxembourg, he contributes to the MISP project as a core developer. Additionally, he is involved in other tasks such as creating vulnerability scanners and other open-source projects that help CIRCL in its mission to keep Luxembourg's computing ecosystem secure.
October 9, 2024 10:25-11:00
Gabriela Maria Ratti Bittinger (Beaconlab (Cybolt), MX)
Recently, at Beaconlab we were investigating an incident and discovered a relatively new ransomware actor, Red Ransomware Group, according to its public blog, or also Red CryptoApp. Like most modern ransomware groups, they use a double-extortion strategy: file encryption and data exfiltration / publication on a public blog ("Hall of Shame").
This actor exploits the CVE-2023-47246 vulnerability in SysAid, reported in early November 2023, uploading JSP webshells to gain complete control of the server. They use typical pivoting and pass-the-hash techniques to move to other systems on the internal network. Like many ransomware groups today, it uses legitimate IT management tools, such as RMM software (SimpleHelp, AnyDesk, ScreenConnect, etc.), legitimate anti-rootkits for EDR evasion (GMER, Avast), file transfer tools (Rclone, put.io), and other well-known software that, while legitimate, is abused for malicious intent, in what is known as Living-off-the-Land (LotL), an increasing challenge for the SOC / IR community. An interesting fact is that this group has a high level of task automation, with PDQ Deploy and other tools, achieving impact within a few days of initial compromise. In this talk, we will discuss not only the tactics, techniques, and procedures (TTPs) of this new group and some characteristics of their operation but also the lessons learned about modern ransomware groups from a DFIR perspective.
Report: https://beaconlab.mx/en/red-ransomware-group-a-new-emerging-threat-in-ransomware-landscape/
October 9, 2024 09:50-10:25
Ronaldo Vasconcellos (Cyberpeace Security, BR)
Innovative attacks against financial mobile applications. Persistent social engineering that defies defense capabilities on a daily basis. Brazilian cybercriminals stress test the security of your applications and procedures every day. How Brazil is a challenging geography for defense and, at the same time, a formidable place for your organization to learn.
October 9, 2024 15:20-16:00
Marcos Centurión (RYMTECH, PY), Ruslan Osorio (RYMTECH, PY)
In this presentation we detail the discovery made by RYMTECH regarding the Mozi operation targeting assets in Paraguay, and the subsequent collaboration with CERT-PY. We show how the experience of private practice, represented here by RYMTECH, combined with the resources and reach of a national CERT, resulted in the identification and analysis of a large-scale exploitation campaign against home GPON routers. In particular, we will explain the process by which the investigation was carried out and present the key technical findings, including the vulnerabilities CVE-2018-10561 and CVE-2018-10562 and the specific role of the Mozi malware in these attacks. We close with the conclusion, the implications for national cybersecurity and the lessons learned, discussing how this case may become a model for future partnerships across the rest of the Latin American and Caribbean region. The talk will consist of two parts: the initial detection by our SOC team and the notification to the CSIRT, and a second part in which we will explain what Operation MOZI is and what its impact in PY has been.
October 9, 2024 12:15-12:55
Sharon Mudd (Carnegie Mellon University / CERT, US)
Sharon Mudd is currently a Senior Cybersecurity Operations Researcher in the CERT® division of the Software Engineering Institute @Carnegie Mellon University, helping international teams build security operations and incident management capabilities. In this role, she provides mentoring and training on a broad range of cybersecurity topics to foster the development of maturity for security incident response and security operations teams internationally. Her career spans over 30 years in IT and information security roles, focusing on information security governance, risk management, compliance, and assurance. She has been a GRC leader in several organizations with global information security responsibilities across a diverse set of industries, including financial services, retail, education, government, telecommunications, and healthcare. Sharon is also in the process of completing a PhD in Information Assurance and Cybersecurity.
This session provides guidance and resources on effective communications planning, considerations and best practices for communications responsibilities in support of incident response services. Communications, both in times of crisis and during normal operations, are essential to the overall success and sustainability of an incident response or security operations team. How you plan for and manage these communications and how they are received and actioned by your audience will influence your trustworthiness, reputation, and ultimately your ability to perform incident management services effectively. This presentation leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Forum of Incident Response and Security Teams (FIRST) CSIRT Services Framework to present communications responsibilities as part of both the standard incident management lifecycle and as an integral piece of crisis management support.
Attendees will learn the building blocks for developing or enhancing an effective communications plan including what communication types or mechanisms are useful. This session helps to lay the foundation for managing communications with constituents, the public, and the media during normal operations and crisis situations.
October 9, 2024 09:10-09:50
Luciano Righetti (LU)
MISP Threat Sharing is an open-source threat intelligence platform. The tool is designed to help analysts share threat intelligence, indicators of compromise, and much more. This session begins with a basic introduction to MISP, explaining how to install it, its data model, and practical use cases, focusing on the encoding of real-world cybersecurity incidents.
System Engineer, passionate about cybersecurity. Working at CIRCL, the Computer Incident Response Center Luxembourg, he contributes to the MISP project as a core developer. Additionally, he is involved in other tasks such as creating vulnerability scanners and other open-source projects that help CIRCL in its mission to keep Luxembourg's computing ecosystem secure.
October 10, 2024 09:30-11:00, 11:30-13:00, 14:00-16:00, 16:30-18:00
Eduardo Bouillet (Entel Digital, CL)
Eduardo Bouillet, Director of the Cyber Intelligence Center at Entel Digital. www.linkedin.com/in/eduardo-bouillet
In 2023, Latin America was significantly affected by cyberattacks, and Chile was no exception. All organizations, regardless of their size or sector, have faced cyber threats that have revealed significant security gaps.
October 9, 2024 14:00-14:40
Ian Davila (TidalCyber, US)
Threat-Informed Defense is a concept that has existed for many years but perhaps it is not well understood nor implemented in the cyber space. Humans have used information gained from their adversaries to prepare themselves in the case of an attack since before computers existed. In cybersecurity though, understanding what adversaries are doing or what they could do is not that simple. Adversaries are stealthy and are good at making slight modifications to avoid being detected. Detecting Indicators of Compromise (IOCs) is no longer good enough to detect adversaries, and Threat-Informed Defense offers a better approach to be able to detect the same adversaries by narrowing down on adversary behaviors. In this talk, we will focus on how adversaries in Latin America have been known to operate and how we can leverage that public data to improve and prioritize our defensive efforts. We will leverage MITRE ATT&CK®, a globally accessible knowledge base of adversary behaviors, to communicate how we can log, detect, protect against, mitigate and hunt the adversary behaviors that matter to you. The Threat-Informed Defense methodology will help you gain deep visibility into your defenses and, most importantly, guide your time and efforts on the improvements that will benefit you the most. I will share free resources that you can use today to start moving towards detecting and testing against the adversary behaviors that are likely to target you.
October 9, 2024 11:30-12:10