Times are reflected in Cali, Colombia local time, UTC-5.
Attendees joining us virtually on May 4 will be accessing the stream via the Zoom hosted by the Valle del Pacifico Convention Center. Links will be coming.
SIM3 training on May 5 will be streamed via FIRST Zoom. Zoom details will be sent to registered virtual participants on April 29.
In-person Attendees: We will be in room Melendez 1.3 on the 1st floor.
Plenary Sessions (May 4)

| Time | Session | Speakers |
|---|---|---|
| 08:30 – 09:30 | Registration: FIRST attendees pick up badges and sign in. | |
| 09:30 – 09:40 | Opening Remarks | |
| 09:40 – 10:20 | Botnet Activity in the LAC Region – Data, Stats and Insights | Fabricio Pessôa (Spamhaus, BR); Matthew Stith (Spamhaus, US) |
| 10:20 – 11:00 | FLOOD DDoS in Global Services (presented in Spanish) | Jorge Varela (Truxgo, MX) |
| 11:00 – 11:30 | Coffee Break | |
| 11:30 – 12:15 | Inside the Hive: Deep Dive into Hive RaaS, Analysis of Latest Samples (Virtual) | Jesper Jurcenoks (Group-IB, US); Svetlana Ostrovskaya (Group-IB, AE) |
| 12:15 – 13:00 | On the CASE: Evidence Collection for Incident Triage (Virtual) | Christopher Ian Rodman (CERT/CC, US) |
| 13:00 – 14:00 | Lunch Break | |
| 14:00 – 14:40 | Every Attitude Matters: Good Safety Behaviors Generate Rewards (Virtual) | Leticia Freitas (Globo Comunicação e Participações S.A, BR) |
| 14:40 – 15:20 | Dealing with Blockchain Technology for Incident Responders (Virtual) | Samuel Perl (CERT/CC, US) |
| 15:20 – 16:00 | Strengthening Cyber Security Through Information Sharing (Virtual) | Jacques Coelho (FS-ISAC USA, BR); Lorena Miller (FS-ISAC, US) |
| 16:00 – 16:30 | Coffee Break | |
| 16:30 – 17:00 | Be Faster, Improving Detection and Response (Virtual; presented in Spanish) | Omar Avilez (CSIRT-RD, DO) |
| 17:00 – 17:30 | The Challenges of Automating Threat Hunting (presented in Spanish) | Ramiro Pulgar (Blue Hat CERT, EC) |
| 17:30 – 18:00 | Ransomware Cyberattack Cases in Peru and Preventive Measures (presented in Spanish) | Ing. César Farro (Telefónica Tech, PE) |
| 18:00 – 18:10 | Closing Remarks | |
| 19:30 – 21:30 | FIRST Symposium Attendees Welcome | |
Training Sessions (May 5)

| Time | Session | Speakers |
|---|---|---|
| 08:30 – 09:30 | Registration: FIRST attendees pick up badges and sign in. | |
| 09:30 – 11:00 | | Giovanni Cruz Forero, Ivan Garzon Hernandez (7 Way Security, CO) |
| 11:00 – 11:15 | Coffee Break | |
| 11:15 – 13:00 | | Giovanni Cruz Forero, Ivan Garzon Hernandez (7 Way Security, CO) |
| 13:00 – 14:00 | Lunch Break | |
| 14:00 – 15:30 | SIM3 Maturity Model and How to Apply it to CSIRTs (in Spanish only) | Ing. Paul F. Bernal, Ernesto Pérez Estévez (CSIRT CEDIA, EC) |
| 15:30 – 16:00 | Coffee Break | |
| 16:00 – 18:00 | SIM3 Maturity Model and How to Apply it to CSIRTs (in Spanish only) | Ing. Paul F. Bernal, Ernesto Pérez Estévez (CSIRT CEDIA, EC) |
Omar Avilez (CSIRT-RD, DO)
Through the daily work carried out by the Dominican Republic National Incident Response Team (CSIRT-RD), we have observed that a large percentage of cybersecurity incidents are not detected or responded to before it is too late, whether it is a data breach or a ransomware attack. Sometimes they are detected by security tools, but they are not investigated and responded to in the appropriate time. The objective of this talk is to help incident monitoring and response teams improve their detection and response strategies, making it possible to reduce the number of successful incidents and their MTTR, through a series of simple processes that have worked for us and could help them too.
Omar is a Cybersecurity Incident Response Analyst at CSIRT-RD, Centro Nacional de Ciberseguridad de la Republica Dominicana.
May 4, 2022 16:30-17:00
Fabricio Pessôa (Spamhaus, BR), Matthew Stith (Spamhaus, US)
At Spamhaus we deal with a huge amount of threat data, with botnet activity among the most relevant. To ensure the community is aware of what is going on, every quarter we release a Botnet Report with information about what we see and how things have been evolving compared to other quarters. In Q4 2021, our researchers observed that 60% of active botnet command and controllers (C&Cs) were on networks located in the LAC region. The presentation we propose is an opportunity to address these statistics (with some info from the first quarter of 2022 as well), increase understanding of how to reduce botnet activity across networks, enable abuse desks to handle these abuse reports more effectively and share some insights about interesting collaboration efforts we’re engaged with — all with the ultimate goal of reducing abuse across the region.
Fabricio Pessôa - Despite his non-technical background, he has been an active voice within the cybersecurity community worldwide for the past 6 years, taking part in several discussions and groups in different organizations such as M3AAWG, FIRST, ICANN and LACNIC. After a short break during the pandemic, he is now back as the Spamhaus representative for LATAM and willing to find ways of transforming this new expertise into collaboration and cooperation efforts in the region.
Matt is a seasoned anti-abuse advocate with over a decade of experience in email, cloud hosting, and general internet abuse. The internet community is where Matt’s passion lies. By coming together and sharing lessons learned, Matt believes that this community has the power and means to combat abuse on the internet. As Industry Liaison for Spamhaus, Matt gets to put his experience into practice, working alongside a multitude of companies and organizations to drive forward Spamhaus’ mission of making the internet a safer place for everyone. Additionally, Matt is an active participant at M3AAWG, having served two terms on its Board of Directors and authored the Hosting Committee’s best common practices.
May 4, 2022 09:40-10:20
Ing. César Farro (Telefónica Tech, PE)
There have been numerous international cyberattacks, as well as attacks on various companies in Peru, such as ransomware attacks causing data loss, data leakage and disruption of corporate IT services. International ransomware groups have a high level of technical knowledge and operate under RaaS (Ransomware as a Service) models, with individuals around the world constantly looking to break into networks by exploiting vulnerabilities in corporate IT systems; these cybercriminals also take advantage of end users, sending them emails and fake links carrying sophisticated malware in order to get into the network and then extort companies with their own data. Ransomware is a complex subject and therefore requires technical knowledge, as well as social knowledge to understand end users and the third parties/suppliers that connect to the network. This calls for local and international cooperation and technical collaboration between CSIRTs, SOCs, security vendors, cyber police and independent security organizations to exchange technical knowledge.
Based on the above, I propose the following content:
Part 1: Infection and execution vectors: real ransomware cases will be explained, including frequent initial infection vectors, lateral movement, compromise of critical DB and AD servers, data exfiltration, ransomware execution, and statistics based on observations in the public and private sectors.
Part 2: Findings: - Number of RDP 3389/tcp and SMB 445/tcp services in public address ranges. - Number of vulnerable VPN server services in public address ranges.
Part 3: Recommendations: based on Defense in Depth.
César has more than 21 years of experience in cybersecurity. He currently works at Telefónica Tech as Cyber Security Advisor, where he has developed projects in Peru and Brazil for banks, mining companies, government, business groups and SMEs, and he frequently speaks at security events in Peru and abroad.
May 4, 2022 17:30-18:00
FIRST-LACNIC37-CesarFarro-09May22v1.pdf
MD5: f86f301428853de0aefdf8a57e0b8f94
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.16 Mb
Giovanni Cruz Forero (7 Way Security, CO), Ivan Garzon Hernandez (7 Way Security, CO)
Giovanni is a cybersecurity professional with more than 15 years of experience in pentesting, incident response, digital forensics, research and development, and teaching. He is CEO of 7 Way Security and CSIETE, holds a Master's in Information Security, and enjoys sharing information, playing drums, tasting beer and discussing music.
Ivan is a systems engineer with 8 years of experience as a cybersecurity consultant, after which he moved into the field of digital investigations and threat hunting. He is currently the team leader of digital investigations and DFIR at 7 Way Security; his main focus is investigation and forensic analysis for prosecution cases.
May 5, 2022 09:30-11:00, May 5, 2022 11:15-13:00
Samuel Perl (CERT/CC, US)
This talk will seek to first cover the fundamentals of Blockchain technology for Incident Responders and show examples of blockchain based technology projects such as Smart Contracts. Then the talk will cover how to think about approaching incident response activities for blockchain based activity, and to speculate (a little) on how the projects that use this technology may affect the future workload of Incident Responders and Coordination Centers.
Incident Response and Incident Coordination teams have begun seeing an ever-increasing share of incidents involving blockchain and cryptocurrency technologies. These types of incidents include ransomware payments, money laundering, theft, financial transactions for criminal activity, sanctions avoidance, and much more. In order to combat illegal activity, and to continue to respond to increasingly financially oriented incidents, these teams will need to develop increasing skill in blockchain technology, how it works, and how to approach incident response for blockchain-related events.
The technology involved in cryptocurrencies (generally P2P networks, PKI, and Hash Functions) will be familiar to many Incident Responders but the ways in which they are being applied such as to create distributed networks, Smart Contracts, NFTs, Governance or Utility tokens, and other coins, and the sizable sums involved may be quite new. IR teams might need to understand blockchain ecosystems, culture, ethos, and activities to deal with current and future incidents. Practices may include: Cryptocurrency Forensics Investigations, Exchange Investigations, Tracking or Recovering Stolen Funds, Frauds, Digital Asset (NFT) Scams, Anonymization Tracking, Client Code Vulnerability Coordination, Smart Contract Vulnerability Coordination, Secure Coding, Bug Bounty Programs and more.
Samuel has been at CERT since 2011 and has performed research in a variety of areas including insider threat, vulnerability assessment, security incident and threat data analysis, threat modeling, information sharing, artificial intelligence, cognitive processes, formal methods, and incident management team development. Prior to CERT, Perl gained over 10 years of industry experience working with client organizations to manage their most challenging IT security risk issues. Perl holds an M.S. in Information Security Management from Carnegie Mellon University and a B.S. in Information Systems from Carnegie Mellon University. He has also held appointments as an adjunct instructor in Carnegie Mellon University's Information Systems (IS) program, Heinz College of Information Systems Policy and Management, and in the West Virginia University Honors College. He is also a member of the graduate faculty at the Florida Institute of Technology, where he serves as a cybersecurity advisor on thesis and project committees.
May 4, 2022 14:40-15:20
FIRST-LACNIC-Blockchain-for-IR-Samuel-Perl.pdf
MD5: 29328281cf820582d111020720181e3e
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.28 Mb
Leticia Freitas (Globo Comunicação e Participações S.A, BR)
When a media company positions itself as a "mediatech", its exposure also increases, driving a change in security culture. In this session, the guests will get to know the awareness campaign "Every attitude matters" from the largest Latin American company in its market (Globo): conception, actions and formats used, and furthermore one support plan, a rewards program. The rewards program generates "points" based on positive behaviors (reporting incidents and piracy, participating in workshops, webinars and so on), as well as the loss of points in phishing simulations, for building weak passwords, or for other risky behaviors.
Leticia has been working in the Information Security area for 8 years, focused on governance and awareness. She has knowledge of standards, controls and information security frameworks. At Globo Comunicação e Participações S.A, she is a technical leader in the Security Awareness Team, working on actions to improve the security culture. Leticia also supports strategies and security projects. She is a content creation volunteer at Womcy (LATAM Women in Cybersecurity).
May 4, 2022 14:00-14:40
Presentation_2022_05_04-LetA-cia-Freitas.pdf
MD5: 040394c15a0f36b7dd23607860b1dd0d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.69 Mb
Jorge Varela (Truxgo, MX)
The IP addresses typically used by botnets to carry out a DDoS attack currently show no prior symptoms that would allow detection: they have no negative history, they are not blacklisted, and they have not been reported on any other detection platform. This leaves organizations with no option but to mitigate and analyze ambiguous requests that can turn into false positives.
Two different Flood DDoS cases will be presented: HTTPS and UDP. In each case, a very particular situation will be shown that occurs with services that require a specific port to be open, which makes blocking the attacked port an invalid option. In this type of DDoS attack, mitigating IP addresses based on traffic sent or on the number of connections is not an option either, because the flood is very advanced.
The talk will also cover the behavior, scope and motive of the attack, the IP addresses used by the botnets, the impact at the time of the attack, and the mitigation and solution.
Jorge Varela - Mexican developer and entrepreneur, founding partner and CEO of Truxgo with more than 10 years of programming experience. He implemented most of the structural foundations on which Truxgo operates and created the CERT TRUXGO cybersecurity project from its formation through to obtaining its designation from Carnegie Mellon University. He currently leads Truxgo's business relations, establishing and building an Internet Exchange Point (IXP), peering research and development, routing policies, MANRS implementation, advanced IPv4-IPv6 solutions, and the creation of new cybersecurity technologies and solutions.
May 4, 2022 10:20-11:00
PresentaciA-FIRST-Lacnic-Cali-Jorge-Varela.pptx
MD5: 7f999559006ccd1fe9ea9f974fee4abf
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: June 7th, 2024
Size: 5.9 Mb
Jesper Jurcenoks (Group-IB, US), Svetlana Ostrovskaya (Group-IB, AE)
The Hive Ransomware-as-a-Service (RaaS) is aggressively expanding its operations, and has targeted hundreds of organizations since its first appearance in June.
Threat analysts determined that as of mid-October, 355 companies had fallen victim to the ransomware as a service (RaaS) operation, which was first detected in June. From September to October, the number of victims grew by 72%, from 181 organizations to 312. Group-IB analysts attributed the "main factors of the rise of the ransomware empire" to the use of double-extortion tactics and data leak sites (DLS), as well as the "active development of the RaaS program market," both of which apply to Hive. The efforts made by the developers of Hive indicate that they are planning to take this threat further. Moreover, the accelerated growth of the RaaS-based model—and threat actors’ new franchise model within—is a further indication of a maturing enterprise-like business.
Jesper Jurcenoks - First XOR Encryption in 1983, first reverse engineering of a Virus in 1988, Programmer, Network Admin, Systems integrator, ISP (1995-2001), DIFO/DK-Hostmaster Board (~2000-01), Discovered 27 CVE (2006-2007), SC Magazine innovator of the Year (2010), FIRST CVSS SIG. Founder of Several CyberSecurity companies. Country Manager for Alert Logic Colombia - Cali (2019-2020), Head of CyberSecurity Division for Group-IB (2021- )
Svetlana Ostrovskaya is a Principal DFIR Analyst at Group-IB. Besides active involvement in incident response engagements, Svetlana has co-authored articles on information security and computer forensics as well as a book dedicated to practical memory forensics.
May 4, 2022 11:30-12:15
Inside-the-HIVE-by-Jesper-Jurcenoks-and-Svetlana-Ostrovskaya.pdf
MD5: 21142a05e8450a25c97f163de947c893
Format: application/pdf
Last Update: June 7th, 2024
Size: 11.42 Mb
Ramiro Pulgar (Blue Hat CERT, EC)
Software vendors in particular talk about automating threat detection and response, but without clarity on which common and advanced threats the organization's information assets face, automation is not possible, and in the worst scenarios teams end up flooded with false positives, saturating and disappointing the CSIRT. A methodology for defining use cases to handle incidents based on cyber-risks will be analyzed.
Master in Cybersecurity, director of Blue Hat CERT in Ecuador, and holder of 30 current international cybersecurity certifications.
May 4, 2022 17:00-17:30
FIRST_RetosAutomatizaciA-nThreatHunting-Ramiro-Pulgar.pdf
MD5: 53d458d5499ccfa5ddb7ac5b56318b86
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.16 Mb
Christopher Ian Rodman (CERT/CC, US)
When responding to incidents, security practitioners are often faced with complex scenarios, advanced adversaries and constantly changing variables. Stress factors can be extremely high for responders who are charged with gathering evidence, analyzing artifacts, and providing a response to the incident. High levels of stress can lead to mistakes in evidence collection. As a result, missing evidence can cascade into incorrect analysis of the attack and may potentially cause reinfection of systems or incomplete adversary removal. This presentation aims to demonstrate challenges with incident triage and offers a methodology to ensure consistent data collection using a repeatable cycle known as CASE (Canvass, Attach, Search, Extract). The phases of CASE provide the analyst with guidance for incident situational awareness, connecting to compromised systems, assessing which artifacts to collect, and methods to successfully extract evidence. These phases also offer methods to determine which evidence artifacts can be used for fast triage or full forensic investigation. Lastly, we will demonstrate the phases of CASE using open-source incident response tools and identify tools for collecting evidence from disk, memory, and network.
Key take-aways: at the end of this session, attendees should be able to:
Christopher began his professional career following the completion of his Bachelor of Science degree in Information Science and Technology from the University of Penn State. In the years that followed, he worked in roles for application performance and crisis management, incident response, data loss prevention, and vulnerability management. With a focus on security, Christopher obtained his Master of Science degree in Information Security and Assurance from Robert Morris University in 2016. In 2018 he joined the CERT division of the SEI to build high-fidelity exercises for the United States Department of Defense. The following year he joined the Monitoring and Response directorate as a Cybersecurity Operations Researcher and assists customers with capacity building and security operations assessment. The culmination of 12 years of industry experience before joining CERT has allowed him to help build knowledge and skillsets of infrastructure, applications, and security to serve his customers in any situation.
May 4, 2022 12:15-13:00
Ing. Paul F. Bernal (CSIRT CEDIA, EC), Ernesto Pérez Estévez (CSIRT CEDIA, EC)
Overview of the Security Incident Management Maturity Model (SIM3). How to understand SIM3, and how to use it in real life to measure CSIRT maturity, target improvements based on the results, and keep a check on progress. Important applications of SIM3 like FIRST's new membership application program, and the GCMF approach for national teams, will also be explained, including the use of free online tools.
During the second part of the activity, the participants will have time to test the tool through a self-evaluation, review the results and clear up doubts with the instructors.
Both Paul and Ernesto run CEDIA's Incident Response Team and have many years of experience in the deployment of solutions based on Free Software, including several security-related tools. They enjoy being able to exchange experiences and knowledge in the technical and cybersecurity area with other teams and individuals in the field.
May 5, 2022 14:00-15:30, May 5, 2022 16:00-18:00
FIRST-LACNIC-SIM3-Modelo-de-madurez-de-los-CSIRT-Paul-Bernal.pdf
MD5: 227c5013a6ddcfd542522e227b8b3c63
Format: application/pdf
Last Update: June 7th, 2024
Size: 441.04 Kb
Jacques Coelho (FS-ISAC USA, BR), Lorena Miller (FS-ISAC, US)
How companies in the financial sector can expand their network of contacts with sources of information about attacks, cyber threats and systemic vulnerabilities. How to work together in communities of interest to anticipate cyber risks. How to ensure that best practices applied to cyber defenses reach security teams faster.
Jacques Coelho is an administrator and specialist in finance, graduated from the University of the City of São Paulo. He is the current FS-ISAC Regional Director for Latin America and the Caribbean. He served as Director of Strategy and Risk at ALIVI Corporate and as Director of Risk at HCAS in the US. He was Minister and Trainer of Compliance and Regulatory Adequacy at GE Bank. A specialist in the assessment of behavioral trends of fraudsters, he has 24 years of experience in the Financial Sector, 18 of which are dedicated to risk areas.
Additional co-speaker support provided by Anne Meriwether, Lorena Miller, and Teresa Walsh.
May 4, 2022 15:20-16:00
FS-ISAC-LATAM-Overview-2022-SPANISH-3-Jacques.pdf
MD5: c95ef6db3658d729ff06073f4dc2cfde
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.89 Mb