All times are listed in Central Standard Time – San Salvador, El Salvador (GMT-6).
October 8 | Plenary Sessions

| Time | Session | Speaker |
|---|---|---|
| 09:00 – 09:30 | Welcome & Opening Remarks | |
| 09:30 – 10:15 | Incident Response: Making It Everyone’s Business | Živilė Nečejauskaitė (NRD Cyber Security, LT) |
| 10:15 – 11:00 | | Mirza Asrar Baig (CTM360, BH) |
| 11:00 – 11:30 | Break | |
| 11:30 – 12:15 | Practical Security Monitoring, Threat Detection, and Analysis | Arūnas Venclovas (NRD Cyber Security, LT) |
| 12:15 – 13:00 | AI-Powered Incident Response (That Actually Works!) | Matt Bromiley (Prophet Security, US) |
| 13:00 – 14:30 | Lunch | |
| 14:30 – 15:15 | Estimating the Societal Cost of DDoS Attacks | Carlos Alvarez del Pino (Global Forum on Cyber Expertise, US) |
| 15:15 – 16:00 | Controlling Vulnerabilities Is Not Optional: Evidence of Change in Universities | Ing. Badí Quinteros (CEDIA, EC) |
| 16:00 – 16:30 | Break | |
| 16:30 – 17:15 | Ransomware Attack Prevention, Detection, and Response: The Essentials That Can Make a Difference (TLP:CLEAR) | Lucimara Desiderá (CERT.br, BR) |
| 17:15 – 18:00 | Using RIPE Atlas to Analyze Malicious Sites: Methodology, Case Studies, and Limitations (TLP:GREEN) | Guillermo Pereyra (CSIRT LACNIC, UY) |
| 18:00 – 18:05 | Closing Remarks | |
Matt Bromiley (Prophet Security, US)
Adversaries use AI to enhance and streamline their operations - why don't IR teams do the same? This isn't hype or FUD - incident response teams must incorporate AI into their workflows, or fall behind. But where and how do we incorporate AI into our IR processes to ensure analysis integrity while taking advantage of AI's capabilities?
In this technical talk, we'll cut through the theoretical hype to showcase real-world implementations of AI that transform every phase of the IR lifecycle, from initial detection to final reporting. We'll demonstrate, with multiple tools, a comprehensive technical framework that integrates analyst workflows from EDR tooling to forensic analysis and reporting. Through demos and code walkthroughs, attendees will see how AI can enhance the following:
The goal is not to offload IR to AI, but to create a force-multiplying effect that enables teams to work more efficiently with greater confidence and consistency. This session bridges practical implementations with real challenges like alert fatigue, documentation inconsistency, and knowledge transfer. We'll focus on incremental approaches that allow teams to start small and expand over time, providing integration templates, custom code samples, and prompt engineering techniques that can be implemented immediately, regardless of team size or budget constraints.
THIS IS NOT A MARKETING TALK. ALL CONTENT, LINKS, AND SOFTWARE WILL BE OPEN SOURCE AND/OR FREE, AND AVAILABLE FOR ATTENDEES TO USE IMMEDIATELY.
Matt Bromiley brings a wealth of experience in digital forensics, incident response, and cybersecurity. Formerly at LimaCharlie, he helped organizations build robust security programs using the best technology available to complement their needs. Previously an incident response consultant at numerous renowned DFIR firms, Matt has a diverse background in assisting clients across various industries with complex cybersecurity challenges. He is recognized for his expertise in digital forensics, malware analysis, network security monitoring, and rapid forensic analysis across large enterprises. As a SANS instructor, Matt has taught courses on advanced digital forensics, network forensics, and incident response. Matt has held the following certifications: GCFA, GNFA, GCTI.
October 8, 2025 12:15-13:00
Ing. Badí Quinteros (CEDIA, EC)
The purpose of this presentation is to demonstrate, based on real data obtained from the monthly monitoring of 47 Ecuadorian universities through a public surface monitoring tool, how the timely control of public vulnerabilities directly influences the reduction of risk and the occurrence of security events in institutions. Between January and July 2025, 100% of the institutions exhibited unpatched critical and medium vulnerabilities (CVEs), over 95% had exposed credentials for up to two years, and a significant number maintained insecure web configurations such as outdated TLS protocols or cookies without the Secure and HttpOnly attributes. However, institutions that applied corrective measures, such as Universidad Técnica del Norte, which improved from 42 to 97 points in its evaluation, showed substantial progress in their security posture. The overall portfolio average increased from 72 to 76, while the share of universities rated as critical (F) decreased from 23.4% to 11.1%. This evidence shows that continuous technical work on public vulnerabilities has a direct impact on institutional resilience.

The presentation focuses on translating these metrics into key indicators for CSIRT and CERT teams, showing how systematic monitoring and remediation help reduce the attack surface, block common exploitation paths, strengthen digital reputation, and prevent incidents before they occur. The most frequent vulnerabilities, exposure and maturity indicators, and the most relevant improvement cases will be presented, together with operational recommendations to strengthen institutional response. This evidence supports the need to adopt a culture of ongoing review, automated alerts, and technical coordination between IT and security teams.

By presenting these findings clearly, with visualizations and applicable examples, the goal is to empower response teams to act preventively, reduce real risks, and consolidate sustainable cybersecurity practices. The session is aimed at technical audiences with strategic responsibilities in protecting institutional assets, and is proposed as an exercise in analysis, awareness, and data-driven decision-making.
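The kind of per-institution check and portfolio indicator the abstract describes, as an added example (not the monitoring tool used in the talk). The scan records, institution names and the letter-grade thresholds are constructed assumptions.

```python
"""Exposure indicators computed from public-surface scan records.

Added example, not the monitoring tool used in the talk. Each record is a
constructed scan of one institution: Set-Cookie headers seen on its public
site, the negotiated TLS version, unpatched CVE counts and a 0-100 score.
The letter-grade thresholds in grade() are an assumption.
"""
from statistics import mean

OBSOLETE_TLS = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}

# Constructed sample of four institutions (names and values are invented).
SAMPLE = [
    {"name": "uni-a", "score": 42, "tls": "TLS 1.0",
     "set_cookie": ["PHPSESSID=abc; Path=/", "lang=es; Path=/; Secure"],
     "cves": {"critical": 3, "medium": 12}},
    {"name": "uni-b", "score": 97, "tls": "TLS 1.3",
     "set_cookie": ["session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"],
     "cves": {"critical": 0, "medium": 0}},
    {"name": "uni-c", "score": 55, "tls": "TLS 1.2",
     "set_cookie": ["sid=1; HttpOnly"], "cves": {"critical": 1, "medium": 4}},
    {"name": "uni-d", "score": 80, "tls": "TLS 1.2",
     "set_cookie": [], "cves": {"critical": 0, "medium": 2}},
]


def cookie_findings(set_cookie: str) -> list:
    """Return the attributes missing from one Set-Cookie header value."""
    attrs = {p.split("=", 1)[0].strip().lower() for p in set_cookie.split(";")[1:]}
    return [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]


def grade(score: int) -> str:
    """Assumed letter-grade scale; F is the critical band."""
    for threshold, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return letter
    return "F"


def assess(record: dict) -> list:
    """Human-readable findings for one institution."""
    findings = []
    for sev in ("critical", "medium"):
        if record["cves"][sev]:
            findings.append(f"{record['cves'][sev]} unpatched {sev} CVEs")
    if record["tls"] in OBSOLETE_TLS:
        findings.append(f"obsolete protocol {record['tls']}")
    for sc in record["set_cookie"]:
        missing = cookie_findings(sc)
        if missing:
            findings.append(f"cookie {sc.split('=', 1)[0]} missing {'/'.join(missing)}")
    return findings


def portfolio_indicators(records: list) -> dict:
    """Portfolio-level indicators of the kind a CSIRT would track month to month."""
    def pct(hits):
        return round(100.0 * hits / len(records), 1)
    return {
        "average_score": round(mean(r["score"] for r in records), 1),
        "pct_rated_f": pct(sum(grade(r["score"]) == "F" for r in records)),
        "pct_unpatched_cves": pct(sum(any(r["cves"].values()) for r in records)),
        "pct_obsolete_tls": pct(sum(r["tls"] in OBSOLETE_TLS for r in records)),
        "pct_weak_cookies": pct(sum(any(cookie_findings(c) for c in r["set_cookie"])
                                    for r in records)),
        "findings": {r["name"]: assess(r) for r in records},
    }


if __name__ == "__main__":
    for key, value in portfolio_indicators(SAMPLE).items():
        print(key, value)
```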
Badí Quinteros Basantes: Professional with more than 7 years of experience in Information Security and over 15 years in Telecommunications, leading strategic initiatives in the public, academic, and corporate sectors. His career includes coordinating electoral security for the National Electoral Council in 2017, where, as National Director of Security and Integrated Risk Management, he advanced information security policies implemented nationwide. He has also overseen the implementation of internal regulations aligned with the Organic Law on Personal Data Protection and the Governmental Information Security Scheme in local governments, in addition to cybersecurity guidelines aimed at protecting citizens’ information. He currently serves as Administrator of the SOC-CSIRT at the Ecuadorian Corporation for the Development of Research and Academia (CEDIA), supporting more than 60 universities and higher education institutions across Ecuador. His portfolio includes expertise in networks, servers, perimeter security, risk management, regulatory compliance, and personal data protection, with a strong focus on the integrity, availability, and confidentiality of information, while ensuring effective communication with senior authorities and executives and alignment with institutional objectives.
October 8, 2025 15:15-16:00
Carlos Alvarez del Pino (Global Forum on Cyber Expertise, US)
A new discussion paper, “Estimating the Societal Cost of DDoS Attacks: A Dual-Lens Model for National Impact Assessment,” authored by Carlos Alvarez, Director of the Hub for the Americas and the Caribbean, has been released by the Global Forum on Cyber Expertise (GFCE), aiming to spark crucial conversations within the international cybersecurity community. This document represents the GFCE’s commitment to providing thought leadership in the field, as well as its intent to foster dialogue and collaboration among diverse stakeholders to address the evolving nature of cyber threats.
The paper highlights that traditional methods often underestimate the true impact of Distributed Denial-of-Service (DDoS) attacks, dismissing them as mere nuisances. By analyzing networks like NoName057, the discussion paper reveals that these operations possess a strategic purpose that can lead to significant systemic effects. It proposes a dual-lens model for assessing the cost of DDoS campaigns, distinguishing between quantifiable monetary damages and qualitative impacts on national stability, public trust, and geopolitical standing, thereby providing a more comprehensive understanding of their societal implications.
This document is designed to serve as a practical guide for countries and societies worldwide, enabling them to actively participate in defining the actual cost of DDoS attacks on their own societies. By doing so, it helps in identifying and prioritizing critical capacity building needs across various areas. These areas include, but are not limited to:
- Updating legal frameworks to effectively address the hybrid nature of ideologically motivated cyber operations.
- Providing targeted training for law enforcement to better combat cybercrime.
- Establishing robust international cooperation mechanisms for a more coordinated response to distributed campaigns.
- Fostering strong public-private partnerships to enhance collective defense.
- Investing in national digital resilience programs that strengthen both technical defenses and societal preparedness, ultimately contributing to a more secure and stable digital future.

The paper can be downloaded here: https://thegfce.org/news/estimating-the-societal-cost-of-ddos-attacks-a-dual-lens-model-for-national-impact-assessment/
Carlos Alvarez leads ICANN's engagement with the trust and public safety communities (civil/criminal law enforcement, national cyber security centers, consumer protection, incident response teams, threat intelligence, operational security). His portfolio includes trust groups, national/defense/police response teams, and organizations such as the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), the Forum of Incident Response and Security Teams (FIRST), the National Cyber Forensics and Training Alliance (NCFTA), the Global Cyber Alliance and the Cyber Defence Alliance, among others.
Carlos is an attorney who graduated from the Universidad de los Andes in Bogota. He holds a Master of Laws degree from the University of Southern California Gould School of Law, and has studied TCP/IP networking at UCLA.
October 8, 2025 14:30-15:15
Živilė Nečejauskaitė (NRD Cyber Security, LT)
This session will explore the critical role of cross-functional engagement in enhancing organisational resilience and response times during cyber incidents. We will explore practical frameworks for identifying and mapping key stakeholders, grouping them and determining the level of engagement with each group. We will also examine how to tailor communication strategies to build trust and ensure a swift response. Attendees will gain hands-on experience in creating targeted communication templates for diverse stakeholder groups, enabling cybersecurity teams to foster stronger internal engagement and mitigate escalation risks. We will go through the various stages of the AIDA (Awareness → Interest → Desire → Action) model, explaining how to grab the target audience’s attention, deliver a message impactfully, and encourage them to take action. Throughout the presentation, the examples and cases used will be from the 'field', based on what we have encountered, spotted and discovered about incident response while delivering projects and providing training around the world. The intention is to leave listeners with an understanding of how the AIDA framework works and how they can use it in their everyday tasks to make their communication more impactful.
Živilė Nečejauskaitė is the Marketing and Communications Director at NRD Cyber Security. A communication specialist with over 15 years' experience, she has focused on the cybersecurity sector for the past seven years, specializing in impact, change and crisis communications. In her role, she actively engages with media professionals to improve public understanding of cybersecurity issues, and through these efforts she contributes to strengthening cybersecurity resilience by fostering informed public discourse and promoting best practices in the digital landscape. Živilė co-facilitates a cyber crisis management training course and is actively involved in several international organisations, including the TF-CSIRT PR Group and the GFCE Working Group D. She is also co-chairing the Communications SIG at FIRST.
October 8, 2025 09:30-10:15
Arūnas Venclovas (NRD Cyber Security, LT)
Security analysts and threat hunters often want to sharpen their ability to detect and respond to malicious network activity, especially without relying on expensive commercial platforms. In this presentation we will review a curated set of free, open-source tools, which provide deeper visibility into organizational network traffic and uncover threats before they escalate. The presentation begins with a quick dive into core network traffic collection methods, such as packet capture, logging, and NetFlow analysis. We will also explore the daily workflows and investigative mindset of an effective threat hunter. Lastly, we will go through how to identify suspicious patterns, enrich findings with intelligence feeds from the Malware Information Sharing Platform (MISP), and connect the dots between seemingly unrelated events.
Through brief case studies and live-style investigative walkthroughs, you will see how theory translates into practice. The session will conclude with a guided, hands-on demonstration of open-source tools in action—equipping participants with ready-to-use techniques to strengthen their monitoring and detection capabilities immediately.
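The workflow the abstract outlines (NetFlow records, a resolver log, enrichment against MISP indicators, and connecting the dots), as an added example rather than the tooling shown in the talk. All flow records, DNS events and indicator attributes are constructed; the attribute types ("domain", "ip-dst") follow MISP naming, but nothing is fetched from a live MISP instance.

```python
"""NetFlow hunting with MISP-style enrichment and simple beacon detection.

Added example, not the talk's tooling. Flows, resolver log and indicator
attributes are constructed; attribute types follow MISP naming only.
"""
import statistics
from collections import defaultdict

# Constructed indicators in MISP attribute style.
IOC_ATTRIBUTES = [
    {"type": "domain", "value": "update-cdn.example", "event_info": "constructed: loader C2"},
    {"type": "ip-dst", "value": "203.0.113.7", "event_info": "constructed: SSH scanner"},
]

# Constructed resolver log: (timestamp, client, query name, answer).
DNS_LOG = [
    (1000, "10.0.0.5", "update-cdn.example", "198.51.100.9"),
    (1005, "10.0.0.8", "www.example.org", "192.0.2.10"),
]

# Constructed NetFlow-style records: (timestamp, src, dst, dport, bytes).
FLOWS = [
    (1010, "10.0.0.5", "198.51.100.9", 443, 1200),
    (1070, "10.0.0.5", "198.51.100.9", 443, 1180),
    (1130, "10.0.0.5", "198.51.100.9", 443, 1210),
    (1190, "10.0.0.5", "198.51.100.9", 443, 1195),
    (1020, "10.0.0.8", "192.0.2.10", 443, 54000),
    (1050, "10.0.0.9", "203.0.113.7", 22, 300),
]


def ioc_index(attrs):
    """Index attributes as {type: {value: attribute}} for direct lookups."""
    idx = defaultdict(dict)
    for a in attrs:
        idx[a["type"]][a["value"]] = a
    return idx


def resolved_iocs(dns_log, idx):
    """(client, answer IP) -> (domain, attribute) for clients that resolved a listed
    domain. This links a DNS event to later flows whose destination IP is not itself an IOC."""
    hits = {}
    for _ts, client, qname, answer in dns_log:
        if qname in idx["domain"]:
            hits[(client, answer)] = (qname, idx["domain"][qname])
    return hits


def beacon_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means fixed-interval beaconing."""
    if len(timestamps) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = statistics.mean(gaps)
    return None if avg == 0 else statistics.pstdev(gaps) / avg


def hunt(flows, dns_log, attrs, max_cv=0.1):
    """One alert per (src, dst, dport) matching an IOC, a resolved IOC domain, or a periodic pattern."""
    idx = ioc_index(attrs)
    dns_hits = resolved_iocs(dns_log, idx)
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        by_pair[(src, dst, dport)].append(ts)
    alerts = []
    for (src, dst, dport), tss in by_pair.items():
        reasons = []
        if dst in idx["ip-dst"]:
            reasons.append(f"dst in MISP: {idx['ip-dst'][dst]['event_info']}")
        if (src, dst) in dns_hits:
            qname, attr = dns_hits[(src, dst)]
            reasons.append(f"dst resolved from MISP domain {qname}: {attr['event_info']}")
        cv = beacon_cv(sorted(tss))
        if cv is not None and cv < max_cv:
            reasons.append(f"periodic connections: {len(tss)} flows, cv={cv:.2f}")
        if reasons:
            alerts.append({"src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["src"])
```

The host talking to 198.51.100.9 is only caught because the resolver log ties that IP to a listed domain, which is the cross-source correlation the session describes.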
Arūnas Venclovas, Director of Product Development at NRD Cyber Security
Arūnas is an experienced leader in product development with a deep understanding of the cybersecurity, IT, and telecommunication markets. Currently serving as the Director of Product Development at NRD Cyber Security, Arūnas is responsible for deploying cyber security solutions in national and sectoral CERTs with the aim of automating operations, building capacity and enabling successful work. Arūnas has played a major role in automating and modernizing CSIRTMalta (Malta Critical Infrastructure Protection) operations by improving incident detection, response and threat intelligence actualization. He also works closely with multiple CIRTs (Eg-FinCIRT, among others), assisting them in improving network detection capabilities by automating threat hunting, adjusting rulesets and solving other related challenges.
October 8, 2025 11:30-12:15
Lucimara Desiderá (CERT.br, BR)
The ransomware ecosystem has become highly professionalized, though the techniques used are not always sophisticated. Most attacks succeed by exploiting known vulnerabilities, misconfigurations, or stolen credentials. This session will cover common weaknesses and effective controls for preventing ransomware attacks or, at least, detecting them in the early stages before the impact is complete.
Lucimara Desiderá is a Security Analyst at CERT.br/NIC.br, where she works in the areas of Internet security awareness and outreach. Her activities include promoting and encouraging the adoption of security best practices, developing new best practices and awareness materials, collaborating with other incident response teams and with international organizations such as FIRST, LACNIC, LACNOG, and M3AAWG, as well as with various sectors of the Internet in Brazil. Lucimara holds a Master's degree in Electrical Engineering from UNICAMP and is a Certified Information Systems Security Professional (CISSP) and CERT Incident Response Process Professional.
October 8, 2025 16:30-17:15
Mirza Asrar Baig (CTM360, BH)
Effective incident response depends not only on detection and mitigation but on the ability to coordinate quickly, collaborate across organizations, and communicate with clarity. This session introduces a practical framework, the “3C’s”, developed from direct experience with CSIRTs and national-level response teams across multiple regions. Using real-world cases involving phishing, brand abuse, and infrastructure-level threats, the presentation will highlight how misalignment across internal teams, delayed external coordination, and unclear messaging can cause preventable escalation. It will offer concrete strategies to improve readiness: establishing trusted channels, aligning roles before incidents, and streamlining decision-making under pressure.
Designed for CSIRTs, infrastructure operators, and incident coordinators, the session focuses on improving the human and procedural layers of response, especially in environments where cross-border cooperation is essential.
Mirza Asrar Baig is the Founder and CEO of CTM360, a globally recognized name in cybersecurity innovation. With a career spanning decades, Mirza has built a reputation for transforming complex cyber challenges into clear strategies that drive action and results. He brings real-world insight to the boardroom, helping leaders understand digital risk in a way that’s practical, relevant, and easy to grasp. His guidance has shaped cybersecurity programs across financial institutions, government bodies, and enterprises around the world. Under his leadership, CTM360 has emerged as a global leader in digital risk protection. Much of this success stems from Mirza’s core belief in thinking differently. He empowers his team to challenge norms, unlock potential, and always aim for the best possible outcome.
October 8, 2025 10:15-11:00
Guillermo Pereyra (CSIRT LACNIC, UY)
Phishing and websites with malware are becoming sophisticated, often designed to evade detection through techniques such as geoblocking or the use of distributed infrastructure. This presentation demonstrates how RIPE Atlas, a globally distributed network of probes, can be used by security analysts to study the behavior of such sites from different geographical locations.
An analysis methodology based on DNS, Traceroute, TLS, and Ping measurements will be presented, enabling the collection of technical evidence regarding the activity of malicious websites. These tools can help identify geographic restrictions, changes in attacker infrastructure, and evasion patterns. Real-world phishing cases will be examined, illustrating how periodic measurements reveal domain lifecycles and their eventual deactivation. Additional use cases, such as detecting IDN homograph attacks, will also be explained. The session will also address the limitations of RIPE Atlas and how to combine it with other data sources to improve analysis and reporting effectiveness.
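The per-country comparison and domain-lifecycle tracking described above, plus the IDN homograph check, as an added example (not CSIRT LACNIC's tooling). The per-probe results are constructed and simplified to DNS answers and TLS handshake outcome; they do not follow the real RIPE Atlas result schema, and ping/traceroute are left out.

```python
"""Multi-vantage analysis of a suspect domain, modelled on the RIPE Atlas
methodology described above. Added example; the probe results are constructed
and do not follow the real RIPE Atlas result schema.
"""
import unicodedata
from collections import defaultdict

# Constructed per-probe results: (measurement run, probe country, DNS answers, TLS ok).
# Run 1-2: site answers LAC probes but refuses TLS from DE/US (geoblocking) and
# moves to a new IP between runs. Run 3: the domain no longer resolves (deactivated).
RESULTS = [
    (1, "UY", ("198.51.100.20",), True),
    (1, "BR", ("198.51.100.20",), True),
    (1, "AR", ("198.51.100.20",), True),
    (1, "DE", ("198.51.100.20",), False),
    (1, "US", ("198.51.100.20",), False),
    (2, "UY", ("203.0.113.44",), True),
    (2, "BR", ("203.0.113.44",), True),
    (2, "DE", ("203.0.113.44",), False),
    (3, "UY", (), False),
    (3, "DE", (), False),
]


def by_run(results):
    """Group probe results by measurement run, in run order."""
    runs = defaultdict(list)
    for run, cc, ips, tls_ok in results:
        runs[run].append((cc, ips, tls_ok))
    return dict(sorted(runs.items()))


def geoblocking(results):
    """Countries that completed a TLS handshake vs. countries that resolved the
    site but never could; a clean split is the geoblocking signature."""
    ok, blocked = set(), set()
    for group in by_run(results).values():
        ok.update(cc for cc, ips, tls_ok in group if tls_ok)
        blocked.update(cc for cc, ips, tls_ok in group if ips and not tls_ok)
    return sorted(ok), sorted(blocked - ok)


def infrastructure_timeline(results):
    """Resolved IPs per run: a change between runs tracks attacker infrastructure
    moves, and an empty set marks deactivation of the domain."""
    return {run: sorted({ip for _cc, ips, _ok in group for ip in ips})
            for run, group in by_run(results).items()}


def scripts_in_label(label):
    """Unicode scripts used by a domain label, taken from character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def homograph_suspect(domain):
    """Flag IDN labels that mix scripts (e.g. Cyrillic letters inside a Latin name)."""
    decoded = domain.encode("ascii").decode("idna") if domain.isascii() else domain
    return any(len(scripts_in_label(label)) > 1 for label in decoded.split("."))
```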
Guillermo Pereyra is the Security Analyst of LACNIC’s CSIRT, whose mission is to carry out the coordination functions needed to strengthen incident response capabilities related to Internet resources in Latin America and the Caribbean. Guillermo holds the CERT Incident Response Process Professional certification from the Software Engineering Institute (SEI) at Carnegie Mellon University. Guillermo has over 15 years of experience in IT. He formerly worked for six years as an incident responder at Uruguay's national ISP CSIRT.
October 8, 2025 17:15-18:00