Program Overview

Adversaries use AI to enhance and streamline their operations - why don't IR teams do the same? This isn't hype or FUD - incident response teams must incorporate AI into their workflows, or fall behind. But where and how do we incorporate AI into our IR processes to ensure analysis integrity while taking advantage of AI's capabilities?

In this technical talk, we'll cut through the theoretical hype to showcase real-world implementations of AI that transform every phase of the IR lifecycle, from initial detection to final reporting. We'll demonstrate, with multiple tools, a comprehensive technical framework that integrates analyst workflows from EDR tooling to forensic analysis and reporting. Through demos and code walkthroughs, attendees will see how AI can enhance the following:

1. Automated evidence collection and initial analysis
2. Real-time documentation and knowledge management during the IR
3. Advanced visualization and pattern recognition across disparate artifacts
4. Comprehensive reporting tailored to different stakeholders

The goal is not to offload IR to AI, but to create a force-multiplying effect that enables teams to work more efficiently with greater confidence and consistency. This session bridges practical implementations with real challenges like alert fatigue, documentation inconsistency, and knowledge transfer. We'll focus on incremental approaches that allow teams to start small and expand over time, providing integration templates, custom code samples, and prompt engineering techniques that can be implemented immediately, regardless of team size or budget constraints.

THIS IS NOT A MARKETING TALK. ALL CONTENT, LINKS, AND SOFTWARE WILL BE OPEN SOURCE AND/OR FREE, AND AVAILABLE FOR ATTENDEES TO USE IMMEDIATELY."

Matt Bromiley brings a wealth of experience in digital forensics, incident response, and cybersecurity. Formerly at LimaCharlie, he helped organizations build robust security programs using the best technology available to complement their needs. Previously an incident response consultant at numerous renowned DFIR firms, Matt has a diverse background in assisting clients across various industries with complex cybersecurity challenges. He is recognized for his expertise in digital forensics, malware analysis, network security monitoring, and rapid forensic analysis across large enterprises. As a SANS instructor, Matt has taught courses on advanced digital forensics, network forensics, and incident response. Matt has held the following certifications: GCFA, GNFA, GCTI.

La presente propuesta de presentación tiene como propósito evidenciar, con base en datos reales obtenidos del monitoreo mensual de 47 universidades ecuatorianas a través de una herramienta de monitoreo de superficie pública, cómo el control oportuno de vulnerabilidades públicas incide directamente en la reducción del riesgo y la ocurrencia de eventos de seguridad en las instituciones. Entre enero y julio de 2025, se observó que el 100% de las instituciones presentaron vulnerabilidades críticas y medias (CVEs) sin parchear, más del 95% mantenían credenciales expuestas por hasta dos años, y un número significativo mantenía configuraciones web inseguras, como protocolos TLS obsoletos o cookies sin atributos Secure y HttpOnly. Sin embargo, instituciones que aplicaron medidas correctivas —como la Universidad Técnica del Norte, que pasó de 42 a 97 puntos en su evaluación— mostraron una mejora sustancial en su postura de seguridad. El promedio general del portafolio aumentó de 72 a 76, y el número de universidades con calificación crítica (F) disminuyó del 23.4% al 11.1%. Esto demuestra que el trabajo técnico constante sobre vulnerabilidades públicas tiene un impacto directo en la resiliencia institucional. La presentación se enfoca en traducir estas métricas en indicadores clave para equipos CSIRT y CERT, demostrando cómo el monitoreo y la remediación sistemática permiten reducir la superficie de ataque, bloquear rutas comunes de explotación, mejorar la reputación digital y prevenir incidentes antes de que ocurran. Se expondrán las vulnerabilidades más frecuentes, los indicadores de madurez y exposición, y los casos de mejora más relevantes, acompañados de recomendaciones operativas para fortalecer la respuesta institucional. Esta evidencia respalda la necesidad de adoptar una cultura de revisión permanente, automatización de alertas y coordinación técnica entre áreas de TI y seguridad. Al presentar estos hallazgos de manera clara, con visualizaciones y ejemplos aplicables, se busca empoderar a los equipos de respuesta para actuar preventivamente, reducir riesgos reales y consolidar prácticas sostenibles en ciberseguridad. La sesión está dirigida a públicos técnicos con funciones estratégicas en la protección de activos institucionales, y se propone como un ejercicio de análisis, concientización y toma de decisiones basadas en datos.

English:

The purpose of this presentation is to demonstrate, based on real data obtained from the monthly monitoring of 47 Ecuadorian universities through a public surface monitoring tool, how the timely control of public vulnerabilities directly influences the reduction of risk and the occurrence of security events in institutions. Between January and July 2025, 100% of the institutions exhibited unpatched critical and medium vulnerabilities (CVEs), over 95% had exposed credentials for up to two years, and a significant number maintained insecure web configurations such as outdated TLS protocols or cookies without Secure and HttpOnly attributes. However, institutions that applied corrective measures—such as Universidad Técnica del Norte, which improved from 42 to 97 points in its evaluation—showed substantial progress in their security posture. The overall portfolio average increased from 72 to 76, while the number of universities rated as critical (F) decreased from 23.4% to 11.1%. This evidence proves that continuous technical work on public vulnerabilities has a direct impact on institutional resilience. The presentation focuses on translating these metrics into key indicators for CSIRT and CERT teams, showing how systematic monitoring and remediation help reduce the attack surface, block common exploitation paths, strengthen digital reputation, and prevent incidents before they occur. The most frequent vulnerabilities, exposure and maturity indicators, and relevant improvement cases will be presented, together with operational recommendations to strengthen institutional response. This evidence supports the need to adopt a culture of ongoing review, automated alerts, and technical coordination between IT and security teams. By presenting these findings clearly, with visualizations and applicable examples, the goal is to empower response teams to act preventively, reduce real risks, and consolidate sustainable cybersecurity practices. The session is aimed at technical audiences with strategic responsibilities in protecting institutional assets, and is proposed as an exercise in analysis, awareness, and data-driven decision-making.

Badí Quinteros Basantes: Profesional con más de 7 años de experiencia en Seguridad de la Información y más de 15 años en Telecomunicaciones, liderando iniciativas estratégicas en el sector público, académico y corporativo. Su trayectoria incluye la coordinación de la seguridad electoral del Consejo Nacional Electoral en 2017, donde, como Director Nacional de Seguridad y Manejo Integral de Riesgos, impulsó políticas de seguridad de la información aplicadas en todo el país. Posteriormente, ha gestionado la implementación de normativa interna alineada con la Ley Orgánica de Protección de Datos Personales y el Esquema Gubernamental de Seguridad de la Información en gobiernos locales, además de directrices de ciberseguridad orientadas a proteger la información de los ciudadanos. Actualmente se desempeña como Administrador del SOC-CSIRT en la Corporación Ecuatoriana de Desarrollo de la Investigación de la Academia (CEDIA), atendiendo a más de 60 universidades e instituciones de educación superior del Ecuador. Su portafolio incluye experiencia en redes, servidores, seguridad perimetral, gestión de riesgos, cumplimiento normativo y protección de datos personales, con un enfoque en la integridad, disponibilidad y confidencialidad de la información; teniendo siempre en cuenta la comunicación eficiente con las máximas autoridades y la alineación de objetivos institucionales.

English:

Badí Quinteros Basantes: Professional with more than 7 years of experience in Information Security and over 15 years in Telecommunications, leading strategic initiatives in the public, academic, and corporate sectors. His career includes coordinating electoral security for the National Electoral Council in 2017, where, as National Director of Security and Integrated Risk Management, he advanced information security policies implemented nationwide. He has also overseen the implementation of internal regulations aligned with the Organic Law on Personal Data Protection and the Governmental Information Security Scheme in local governments, in addition to cybersecurity guidelines aimed at protecting citizens’ information. He currently serves as Administrator of the SOC-CSIRT at the Ecuadorian Corporation for the Development of Research and Academia (CEDIA), supporting more than 60 universities and higher education institutions across Ecuador. His portfolio includes expertise in networks, servers, perimeter security, risk management, regulatory compliance, and personal data protection, with a strong focus on the integrity, availability, and confidentiality of information, while ensuring effective communication with senior authorities and executives and alignment with institutional objectives.

A new discussion paper, “Estimating the Societal Cost of DDoS Attacks: A Dual-Lens Model for National Impact Assessment,” authored by Carlos Alvarez, Director of the Hub for the Americas and the Caribbean, has been released by the Global Forum on Cyber Expertise (GFCE), aiming to spark crucial conversations within the international cybersecurity community. This document represents the GFCE’s commitment to providing thought leadership in the field, as well as its intent to foster dialogue and collaboration among diverse stakeholders to address the evolving nature of cyber threats.

The paper highlights that traditional methods often underestimate the true impact of Distributed Denial-of-Service (DDoS) attacks, dismissing them as mere nuisances. By analyzing networks like NoName057, the discussion paper reveals that these operations possess a strategic purpose that can lead to significant systemic effects. It proposes a dual-lens model for assessing the cost of DDoS campaigns, distinguishing between quantifiable monetary damages and qualitative impacts on national stability, public trust, and geopolitical standing, thereby providing a more comprehensive understanding of their societal implications.

This document is designed to serve as a practical guide for countries and societies worldwide, enabling them to actively participate in defining the actual cost of DDoS attacks on their own societies. By doing so, it helps in identifying and prioritizing critical capacity building needs across various areas. These areas include, but are not limited to:

Updating legal frameworks to effectively address the hybrid nature of ideologically motivated cyber operations. Providing targeted training for law enforcement to better combat cybercrime. Establishing robust international cooperation mechanisms for a more coordinated response to distributed campaigns. Fostering strong public-private partnerships to enhance collective defense. Investing in national digital resilience programs that strengthen both technical defenses and societal preparedness, ultimately contributing to a more secure and stable digital future. The paper can be downloaded here: https://thegfce.org/news/estimating-the-societal-cost-of-ddos-attacks-a-dual-lens-model-for-national-impact-assessment/

Carlos Alvarez has been working at the intersection of law and technology since 1998. Through the Inter-American Committee Against Terrorism (CICTE) of the Organization of American States, he is the Director of the Hub for the Americas and Caribbean of the Global Forum on Cyber Expertise (GFCE). At the same time, he leads TangoDownSquad, an initiative that he launched in July of 2024 aimed at disrupting cybercriminal operations globally and supporting law enforcement, threat researchers, and incident response teams, as well as policymakers in key related areas.

For nearly 15 years, he was with the Internet Corporation for Assigned Names and Numbers (ICANN), first as a team leader in Contractual Compliance and later as a relationship leader for global cyber law enforcement, the cyber threat intelligence community, and the cyber incident response community. Carlos is a Member of the Board of Directors of the Forum of Incident Response and Security Teams (FIRST), where he co-founded the DNS Abuse Special Interest Group (DNS Abuse SIG), and where he co-chairs the Strategic Thinking and Planning SIG. He is also founder of the Anti-Phishing SIG and the Names and Numbers Committee, both at the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).

Strategic Advisor to the Global Cyber Alliance and Member of the Board of Directors of the Internet Fire Brigade Society, he has been recognized for his contributions to cybersecurity. In 2023, he received the Collaboration Award during a confidential meeting happening at the same time as Blackhat and Defcon in Las Vegas. Also, in 2021, he was honored with the International Partner of the Year award by the Cybercrime Bureau of the Korean National Police Agency.

His expertise spans cyber policy, legislation, and regulation. With a legal background and strong analytical and communication skills, he effectively bridges the gap between technical topics and non-technical audiences, including policymakers and C-suite executives. As a cybercrime investigations and threat intelligence expert, he has supported numerous cybercrime units and cyber threat intelligence teams in real-world investigations. Since 2000, he has organized and delivered numerous training sessions and events for law enforcement, the private sector, and government officials.

Before joining ICANN, Carlos participated in the International Attorneys Program at Holland & Knight in Miami and led the Legal & Business Affairs Division at Sony Music for Colombia, Ecuador, Venezuela, and Peru. In this role, he was a member of the Andean legal committee of the International Federation of the Phonographic Industry (IFPI). A pioneer in Latin America in software anti-piracy, information security law, and cybercrime, he has published articles on piracy and terrorism, cybercrime, botnets, digital evidence, criminal aspects of honeypots, legal considerations of information security standards, legislation and regulation, DDoS attacks, and related topics.

He has also taught computer law, legal aspects of information security, and intellectual property at two universities in Bogotá. Additionally, he has lectured before C-suite executives, government officials, regulators, law enforcement, and military and intelligence personnel across four continents.

Carlos holds a law degree from Universidad de los Andes in Bogotá, a Master of Laws (LL.M.) from the University of Southern California Gould School of Law, and has completed studies in networking with TCP/IP at the University of California, Los Angeles (UCLA).

This session will explore the critical role of cross-functional engagement in enhancing organisational resilience and response times during cyber incidents. We will explore practical frameworks for identifying and mapping key stakeholders, grouping them and determining the level of engagement with each group. We will also examine how to tailor communication strategies to build trust and ensure a swift response. Attendees will gain hands-on experience in creating targeted communication templates for diverse stakeholder groups, enabling cybersecurity teams to foster stronger internal engagement and mitigate escalation risks. We will go through the various stages of the AIDA (Awareness🡪Interest🡪Desire 🡪Action) model, explaining how to grab the target audience’s attention, deliver a message impactfully, and encourage them to take action. Throughout the presentation, the examples and cases used will be from the 'field' – based on what we have encountered, spotted and discovered about incident response while delivering projects and providing training around the world. The intention is to leave listeners with an understanding of how the AIDA framework works and how they can use it in their everyday tasks to make their communication more impactful.

Živilė Nečejauskaitė is the Marketing and Communications Director at NRD Cyber Security. A communication specialist with over 15 years' experience, she has focused on the cybersecurity sector for the past seven years, specializing in impact, change and crisis communications. In her role, she actively engages with media professionals to improve public understanding of cybersecurity issues and through these efforts, she contributes to strengthening cybersecurity resilience by fostering informed public discourse and promoting best practices in the digital landscape. Zivile co-facilitates a cyber crisis management training course and is actively involved in several international organisations, including the TF CSIRT PR Group and the GFCE Working Group D. She is also co-chairing the Communications SIG at FIRST.

Security analysts and threat hunters often want to sharpen their ability to detect and respond to malicious network activity, especially without relying on expensive commercial platforms. In this presentation we will review a curated set of free, open-source tools, which provide deeper visibility into organizational network traffic and uncover threats before they escalate. The presentation begins with a quick dive into core network traffic collection methods, such as packet capture, logging, and NetFlow analysis. We will also explore the daily workflows and investigative mindset of an effective threat hunter. Lastly, we will go through how to identify suspicious patterns, enrich findings with intelligence feeds from the Malware Information Sharing Platform (MISP), and connect the dots between seemingly unrelated events.

Through brief case studies and live-style investigative walkthroughs, you will see how theory translates into practice. The session will conclude with a guided, hands-on demonstration of open-source tools in action—equipping participants with ready-to-use techniques to strengthen their monitoring and detection capabilities immediately.

Arūnas Venclovas, Director of Product Development at NRD Cyber Security

Arūnas is an experienced leader in product development with a deep understanding of cybersecurity, IT, and telecommunication markets. Currently serving as the Director of Product Development at NRD Cyber Security, Arūnas is responsible for deploying cyber security solutions in National and sectorial CERTs with the aim to automate operations, build capacity and empower for successful work. Arunas has played a major role in automating and modernizing CSIRTMalta (Malta Critical Infrastructure Protection) operations by improving Incident Detection, Response and Threat Intelligence actualization. Also, he is working closely with multiple CIRT's (Eg-FinCIRT, etc.) in assisting them to improve network detection capabilities by automating threat hunting, rulesets adjustment and solving other related challenges. 

The ransomware ecosystem has become highly professionalized, though the techniques used are not always sophisticated. Most attacks succeed by exploiting known vulnerabilities, misconfigurations, or stolen credentials. This session will cover common weaknesses and effective controls for preventing ransomware attacks or, at least, detecting them in the early stages before the impact is complete.

Lucimara Desiderá is a Security Analyst at CERT.br/NIC.br, where she works in the areas of Internet security awareness and outreach. Her activities include promoting and encouraging the adoption of security best practices, developing new best practices and awareness materials, collaborating with other incident response teams and with international organizations such as FIRST, LACNIC, LACNOG, and M3AAWG, as well as with various sectors of the Internet in Brazil. Lucimara holds a Master's degree in Electrical Engineering from UNICAMP and is a Certified Information Systems Security Professional (CISSP) and CERT Incident Response Process Professional.

Effective incident response depends not only on detection and mitigation but on the ability to coordinate quickly, collaborate across organizations, and communicate with clarity. This session introduces a practical framework, the “3C’s” developed from direct experience with CSIRTs and national-level response teams across multiple regions. Using real-world cases involving phishing, brand abuse, and infrastructure-level threats, the presentation will highlight how misalignment across internal teams, delayed external coordination, and unclear messaging can cause preventable escalation. It will offer concrete strategies to improve readiness: establishing trusted channels, aligning roles before incidents, and streamlining decision-making under pressure.

Designed for CSIRTs, infrastructure operators, and incident coordinators, the session focuses on improving the human and procedural layers of response, especially in environments where cross-border cooperation is essential.

Mirza Asrar Baig is the Founder and CEO of CTM360, a globally recognized name in cybersecurity innovation. With a career spanning decades, Mirza has built a reputation for transforming complex cyber challenges into clear strategies that drive action and results. He brings real-world insight to the boardroom, helping leaders understand digital risk in a way that’s practical, relevant, and easy to grasp. His guidance has shaped cybersecurity programs across financial institutions, government bodies, and enterprises around the world. Under his leadership, CTM360 has emerged as a global leader in digital risk protection. Much of this success stems from Mirza’s core belief in thinking differently. He empowers his team to challenge norms, unlock potential, and always aim for the best possible outcome.

Phishing and websites with malware are becoming sophisticated, often designed to evade detection through techniques such as geoblocking or the use of distributed infrastructure. This presentation demonstrates how RIPE Atlas, a globally distributed network of probes, can be used by security analysts to study the behavior of such sites from different geographical locations.

An analysis methodology based on DNS, Traceroute, TLS, and Ping measurements will be presented, enabling the collection of technical evidence regarding the activity of malicious websites. These tools can help identify geographic restrictions, changes in attacker infrastructure, and evasion patterns. Real-world phishing cases will be examined, illustrating how periodic measurements reveal domain lifecycles and their eventual deactivation. Additional use cases, such as detecting IDN homograph attacks, will also be explained. The session will also address the limitations of RIPE Atlas and how to combine it with other data sources to improve analysis and reporting effectiveness.

Guillermo Pereyra is the Security Analyst of LACNIC’s CSIRT, whose mission is to carry out the necessary coordination functions to strengthen incident response capabilities related to Internet resources in Latin America and the Caribbean. Guillermo holds the CERT Incident Response Process Professional certification from the Software Engineering Institute (SEI) at Carnegie Mellon University. Guillermo has over 15 years of experience in IT. He formerly worked for six years, as an incident responder at Uruguay's national ISP CSIRT.