All times in UTC, please check your local times.
Trainings will be held in Spanish. Registration for training will be open to Members and Invited Guests.
A detailed plenary program agenda is coming soon!
Time | Training #1 | Training #2
---|---|---
14:00 – 18:00 | Javier Berciano (Citrix, ES) | How to Retrieve Useful Data from a Honeypot [TLP:RED] (Paul Bernal, Ernesto Pérez, CSIRT CEDIA)
Time | Symposium talk | Speaker(s)
---|---|---
14:00 – 14:05 | Opening Remarks | 
14:05 – 14:30 | Ensembling para Detectar Hosts Infectados en la Red (Ensembling to Detect Infected Hosts on the Network; Spanish to English translation available) | Paula Venosa (CERT UNLP, AR)
14:30 – 14:55 | | Guillermo Pereyra (CSIRT LACNIC, UY)
14:55 – 15:05 | Break | 
15:05 – 15:30 | StoAP – Security Tools Automation Platform | Danny Afahounko (Cloud-Inspire AFRICA); Jean-Robert Hountomey (AfricaCERT, GH)
15:30 – 15:55 | Cybercriminal Underground Economy of Exploits | Mayra Rosario Fuentes (Trend Micro, US)
15:55 – 17:00 | Break (Lunch) | 
17:00 – 17:25 | Ransomware Uncovered 2020—2021 | Alexander Kalinin (CERT-GIB, RU)
17:25 – 17:50 | From Forensics to Live Action in a Blink. How I Spied on the Attacker’s Remote Connection | Luis Cordón (Devel SOC-CERT, GT)
17:50 – 18:05 | Break | 
18:05 – 18:30 | | Camilo Fernandez (DSOC-CERT, GT)
18:30 – 18:55 | Resumen de Ciberataques en Perú Durante el Año 2020 (Summary of Cyberattacks in Peru During 2020; Spanish to English translation available) | César Farro (Telefónica Tech, PE)
18:55 – 19:05 | Break | 
19:05 – 19:30 | La Seguridad soy yo (I Am Security; Spanish to English translation available) | Capitán John Albeiro Guevara (CISO Policía Nacional de Colombia, CO)
19:30 – 19:35 | Closing Remarks | 
Camilo Fernandez (DSOC-CERT, GT)
In this talk we will cover some major incidents detected and managed within our services: how they were carried out (technically), the impact they had, and how we can detect and prevent future breaches.
Camilo Fernandez founded DEVELGROUP, a cybersecurity firm in Central America and the Caribbean. He has more than 15 years in cybersecurity doing incident handling, bug hunting and malware analysis in the financial sector. https://www.linkedin.com/in/camilo-fernandez-DEVEL/
May 13, 2021 18:05-18:30
Mayra Rosario Fuentes (Trend Micro, US)
There is little, if any, research that follows CVEs from zero-day status until “end of life,” which can mislead cybersecurity practitioners to believe old exploits to be harmless. New research following the lifecycle of a CVE, using recent examples from the underground, will prove that putting off patching can leave you, and others, susceptible to exploitation for years to come.
Mayra Fuentes is a Senior Threat Researcher with Trend Micro. She has more than 14 years’ experience in cyber threat intelligence working for the Department of Defense, U.S. intelligence agencies and the private sector. Ms. Fuentes has previously presented for Interpol, Countermeasures, and the Council of Europe. Her current research interests include underground cybercriminal forums, gaming, IoT botnets, the Middle East underground, and the dark web. She resides in Washington DC with her two dogs.
May 13, 2021 15:30-15:55
Guillermo Pereyra (CSIRT LACNIC, UY)
In this talk we will show the results of a study conducted by LACNIC CSIRT and CEDIA CSIRT to identify open DNS servers associated with an IPv4 address, in order to inform the members to whom these resources are assigned of the situation, suggest alternatives to correct the configuration of their servers, and try to significantly reduce the number of open resolvers in our region. We will present the project and its results.
Guillermo Pereyra is currently a Security Analyst at LACNIC’s CSIRT, whose mission is to carry out the coordination functions needed to strengthen the capacity to respond to security incidents linked to Internet resources in Latin America and the Caribbean. He is an electrical engineering student at UDELAR (Uruguay) and has six years of incident response experience at Uruguay’s national ISP.
May 13, 2021 14:30-14:55
Paula Venosa (CERT UNLP, AR)
This talk will share the experience of this project, carried out within the framework of my postgraduate thesis, describing in particular:
Paula Venosa is a founding member of CertUNLP (Academic CSIRT of the National University of La Plata), and an Associate Professor and Researcher at the LINTI (Laboratory for Research in New Information Technologies) of the Faculty of Informatics at the UNLP. She holds a Master in Data Networks and a Bachelor of Computer Science from the National University of La Plata, and is a Network and Cybersecurity Specialist. Since 2002 she has been the professor in charge of the "Networks and Communications" and "Security and Privacy in Networks" courses of the Bachelor's degrees in Computer Science and in Systems. She also teaches Networks III in the Master in Data Networks at the same university, where security-related content is taught, and gives various courses within the Doctorate in Computer Science at the UNLP on current cybersecurity topics.
May 13, 2021 14:05-14:30
Luis Cordón (Devel SOC-CERT, GT)
This talk is about an incident where a company got compromised and the attacker was using their systems to give free services on the side. It all started as a standard forensic investigation but after some days this forensic analysis became a live hunting of the adversary. Using mostly basic tools I was able to identify the attacker techniques and logic. This led me to being able to hook into the attacker’s RDP session and see all the activities the attacker did while inside the company’s network. The talk will show the indicators that gave me information on the whole context of the attack and a brief explanation on how I hooked into the RDP connection.
Luis Fernando has been in the cybersecurity field for more than 10 years. A vast part of my experience comes from conducting pentesting at Central America's major financial institutions. Nowadays I am in charge of leading the Purple Team at Devel Group and I’m one of the main members of the Devel Group CSIRT.
May 13, 2021 17:25-17:50
Paul Bernal, Ernesto Pérez (CSIRT CEDIA)
Both run CEDIA's Incident Response Team and have many years of experience in the deployment of solutions based on Free Software, including several security-related tools. They enjoy being able to exchange experiences and knowledge in the technical and cybersecurity area with other teams and individuals in the field.
May 12, 2021 14:00-18:00
Capitán John Albeiro Guevara (CISO Policía Nacional de Colombia, CO)
This talk is about the experience of the National Police of Colombia in the implementation of information security, and how Csirtponal was a determining actor in achieving it. It considers the need for technical controls and the lessons learned, but arrives at the urgent need to teach the end user, in a clear and non-technical way, what information security is and what their role is within it, by providing them with a web service that helps them analyze suspicious files, URLs and informative bulletins and, in the end, allows users to be trained in basic security techniques.
Capitán John Albeiro Guevara is an Electronic Engineer, Police Service Specialist and Magister in Information Security from the Universidad de los Andes. He is a Captain of the National Police with more than 12 years of experience in information security, and a university professor. He participated in the certification of the SGSI (ISMS) of the National Police of Colombia, and in the creation and FIRST membership process of the Computer Incident Response Team of the National Police. He was part of the working groups and action plans of CONPES 3701 “Cybersecurity and Cyber Defense Guidelines” and CONPES 3854 “National Digital Security Policy” of Colombia.
May 13, 2021 19:05-19:30
Javier Berciano (Citrix, ES)
A course focused on rapid triage of malicious content and the next steps during incident response. These steps can be taken by a small team when targeted by specific malware. After completing this process you can hand off to your AV vendor with a summary of your findings and links to any reports you have generated. The aim is to complete the process in about 30 minutes, have a definite answer as to whether something is malware or not, and give the AV vendor enough to go on as a starting point.
Javier Berciano works as Principal Incident Response Engineer at Citrix. He is a former DFIR specialist at One eSecurity and former head of the Spanish National CSIRT (INCIBE-CERT). He is focused on incident response, computer forensics, threat analysis and monitoring, threat hunting and CTI. Javier is also currently one of the board members of the Forum of Incident Response and Security Teams (FIRST).
He has more than 15 years of professional dedication to computer security and holds cybersecurity certifications such as CISSP, GCFA, GNFA and CISA. He has also spoken at international conferences such as the FIRST Conference and Symposiums, Microsoft DCC, National CSIRT meetings, TF-CSIRT, Trusted Introducer and Microsoft DCU Threat Intelligence.
May 12, 2021 14:00-18:00
Alexander Kalinin (CERT-GIB, RU)
If there is one thing most cybersecurity experts agree on, it is that ransomware continues to be Public Enemy No. 1. It is no longer surprising that ransomware attacks are becoming more sophisticated and threat actors more successful with every passing year. This presentation was designed for incident response analysts, threat hunters, SOC and CERT specialists, CTI analysts, and IS and IT specialists who want to learn more about the ransomware threat landscape, the latest attacker TTPs, and technical mitigations for each step of the kill chain.
Alexander Kalinin has been Head of CERT-GIB (Group-IB) since 2011 and has 10 years of experience in information technology and cybersecurity. He graduated from the National Research Nuclear University MEPhI in Moscow, qualified as a mathematician and systems programmer. He is the author of several patents, has made multiple appearances on TV and in the media, and speaks at various cyber conferences.
May 13, 2021 17:00-17:25
César Farro (Telefónica Tech, PE)
A documented summary has been compiled of cyberattacks that occurred in Peru during 2020, recording general data on each, such as: the anonymized victim (natural person, company or government institution), the type of cyberattack and its impact. The objective of this summary is to show, with real examples, the importance of the cybersecurity professional's profile, and that collaboration and sharing experiences with independent institutions is key to understanding and responding to a cyber incident.
César has more than 20 years of experience working in the cybersecurity area at Telefónica del Perú. He studied Electronic Engineering and holds a Master in Cybersecurity from the Catholic University of Murcia, Spain (UCAM) and a Master in Marketing from the Universidad del Pacífico, Peru. He holds security certifications: SANS GIAC Firewall Analyst, SANS GIAC Network Auditor, Lead Auditor ISO 27001, ISS / IBM Security Analyst, and Fortinet Network Security Expert NSE1, NSE2 and NSE3. He also writes a cybersecurity blog: https://cesarfarro.medium.com/
May 13, 2021 18:30-18:55
Danny Afahounko (Cloud-Inspire AFRICA), Jean-Robert Hountomey (AfricaCERT, GH)
StoAP is a new-generation CSIRT automation platform based on Infrastructure as Code (IaC), engineered and developed by AfricaCERT.
Refocus your energy on your core business and build your customers' success stories, while StoAP takes care of technology and engineering.
Danny Afahounko is an Open-Source advocate and IT enthusiast. He has accumulated over 15 years of experience in the IT industry and has been part of some of the most influential companies in IT, namely AFRINIC as System Engineer and the world market leader in Open Source, Red Hat France, as Cloud Architect. A disruptor by nature, Danny’s ideology is to change the way IT is perceived. His mission is to break down the complexity of IT and make it accessible for everyone in Africa through education. He is actively engaged in training and capacity building, leading the Network Management track at AFNOG every year. Danny has been volunteering at AfricaCERT to automate open-source tooling for incident response teams. Danny is CEO and Founder of Cloud-Inspire. If you are an IT enthusiast eager to learn more about Infrastructure as Code and Cloud as a Service, this is where you can reach out to him.
Jean-Robert Hountomey - A researcher at heart, Jean-Robert Hountomey's research focuses on law, technology, and Internet governance issues. An Internet pioneer in West Africa, he is also a founding member of the Africa Forum of computer security and incident response team (AfricaCERT) and the African Anti Abuse Working Group.
May 13, 2021 15:05-15:30