Program Overview

All Times in UTC, please check your local times

•  CA

  Augmenting Your Incident Response Capabilities with Memory Analysis

  Peter Morin (Grant Thornton, CA)

  Analyzing volatile information as part of your incident response capabilities can be the difference between fully understanding the chain of events that have occurred during an incident and merely scratching the surface. Memory forensics aims at extracting artifacts from a system’s memory. Whether it is a Windows server or Linux workstation, a physical system or virtual image, memory can provide key data points such as registers, cache contents, memory contents (passwords) network connections (IP connections), running processes as well as registry items such as shimcache and userassist. Analyzing memory can assist in identifying rogue processes, key network artifacts such as C2 communications, code injection, rootkits and potentially suspicious processes and drivers.

  During this presentation, we will:

  • Discuss how to extract data from memory using free tools such as FTK Imager
  • Use free tools such as Volatility, Rekall and Redline to analyze memory
  • Look at a number of interesting use cases involving the analysis of memory (i.e. rogue processes, C2 communications)
  • Look at user-mode process memory dumps, why they should be used and how they differ to traditional memory analysis

  October 8, 2020 14:05-14:30

  Morin-IR-Memory-Analysis-2020.pdf

  MD5: 268051c627ccc58568e1599ab4a321b1

  Format: application/pdf

  Last Update: October 15th, 2020

  Size: 2.1 Mb

•  AR

  Bot Malicioso en una Red Social (Caso de Análisis)

  Lucas Coronel (CSIRTBANELCO, AR)

  Análisis de un caso que fue detectado y alertado por Banelco CSIRT sobre un bot malicioso en la red social Instagram que robaba información de usuarios para estafas y fraude informático en tiempos de pandemia.
  
  

  Presenter's short Bio:

  Lucas Coronel es Licenciado en Sistema con posgrado en Negocios Digitales. Cuenta con Certificación PECB de Ciberseguridad. Tiene más de 15 años de experiencia en seguridad. Es Jefe de Ciberseguridad de Prisma Medios de Pagos que cuenta con el servicio de BANELCO CSIRT, siendo uno de los primeros CSIRT privados de LATAM.

  October 8, 2020 18:30-18:55

•  US

  DNS over HTTPS: An Inconvenient Misalignment

  Dr. Paul Vixie ChairmanDr. Paul Vixie Chairman (AWS, US)

  The rapid adoption of encrypted DNS and its subsequent impact on the security for enterprise networks has been a prominent discussion for the past year. This presentation will explain the two methods for encrypting DNS (DNS over HTTPS and DNS over TLS, known as DoH and DoT), and the potential threats and dangers encrypted DNS presents to enterprise networks. We will then examine the publicly-stated implementation strategies of Google, Apple, Microsoft, and Mozilla as it relates to operating system and browser support for encrypted DNS. The presentation will include recommendations and advice for how enterprise networks may adjust to the presence of applications and operating systems with support for encrypted DNS inside their networks.
  
  

  Presenter’s Bio:

  Dr. Paul Vixie is an Internet pioneer. Currently, he is the Chairman, Chief Executive Officer and Cofounder of award-winning Farsight Security, Inc. He was inducted into the Internet Hall of Fame in 2014 for work related to DNS. Dr. Vixie is a prolific author of open source Internet software including BIND, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). Dr. Vixie served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. Dr. Vixie is a sysadmin for Op-Sec-Trust. He earned his Ph.D. from Keio University for work related to DNS and DNSSEC in 2010. Dr. Vixie is a highly sought-after keynote speaker and has spoken at conferences around the world.

  October 8, 2020 15:05-15:30

  Vixie-DoH-FIRST-LAC2020-FINAL.pdf

  MD5: ca3e6e8a4e415162d2acad602d8abf4c

  Format: application/pdf

  Last Update: October 21st, 2020

  Size: 904.89 Kb

•  US

  Information Sharing: Concepts and Use Cases

  Justin NovakJustin Novak (CERT® Coordination Center – SEI, US)

  Information Sharing is an imperative for incident response teams seeking to maximize their effectiveness and operational capabilities. Understanding how CSIRTs can approach and engage in more effective cybersecurity and incident response information sharing is seen as an important service, but most teams are not conducting sharing at desired levels at this time due to capacity and other related challenges.

  The SEI’s approach to information sharing highlights best practices and general concepts of information sharing. Topics will include an introduction to information sharing, use cases (examples), sharing at the regional level, and developing an information management and sharing ecosystem. The concepts are broadly applicable to any information sharing platform, however for the purpose of examples and use cases, the SEI uses the Malware Information Sharing Platform (MISP) information sharing platform. This is due to MISP’s widespread adoption in the incident response community, its flexibility and versatility, and the fact that it is rapidly becoming a defacto standard in the incident response community.
  
  

  Presenter's Bio:

  Justin Novak is a Senior Security Operations Researcher at the CERT Division of the Software Engineering Institute, a Federally Funded Research and Development Center hosted at Carnegie Mellon University. At CERT, he is involved in research on the operation of CSIRTs, Sector CSIRTs, and Security Operations Centers, focusing on incident response and incident management. He is currently is the SEI lead for engagements with Foreign Military partners through the DoD’s Foreign Military Sales program. Prior to that he led the International Cybersecurity Initiatives team. Before working at CERT, Justin was an Intrusion Detection Analyst and Network Analyst for the Department of Defense. He also worked in state government as an advisor to senior lawmakers. Justin holds a bachelor’s degree in Physics from the University of Pittsburgh, a Master’s degree in Security Studies from the University of Pittsburgh, and a PhD in Public Policy from George Mason University. Justin is an active member of the FIRST community and serves on the FIRST membership committee.

  October 8, 2020 17:25-17:50

•  MX

  Iniciativa de Concientización de Ciberseguridad Dirigido a la Población Infantil en México

  Fernando Aranda (Coordinador CSIRT CUDI, MX), Silvia Chávez (Gerente del NOC CUDI, MX)

  Programa de concientización y educación de los niños y adolescentes sobre la navegación segura por Internet que se lleva a cabo a través de la colaboración entre la Red Nacional de Educación e Investigación Mexicana (CUDI) y la Asociación sin Fines de Lucro México Ciberseguro.

  La iniciativa cuenta con dos programas, uno que es la creación de una red de “voceros”, que son personas adultas -principalmente jóvenes de instituciones de educación superior- que se capacitan para realizar esta concientización. El segundo programa son las charlas que se imparten de manera presencial y/o virtual y que son organizadas através de convocatorias a los colegios públicos y privados de educación primaria y secundaria en México. En estas pláticas se les habla a los niños y adolescentes, sobre el internet, su evolución, los servicios que pueden encontrar y se les explica de una manera muy sencilla las principales problemáticas y riesgos a los que todos nos exponemos cuando navegamos por la red. Siempre tratando de que utilicen la tecnología de modo seguro y sin asustarlos.
  
  

  Presenter's Bios:

  Fernando Aranda. Ingeniero en Sistemas con más de 25 años de experiencia en el área de las TIC’s, ha colaborado para diferentes empresas en el sector privado y público en México. Ha participado como ponente en diferentes foros nacionales e internacionales para CUDI, TICAL, RedCLARA, Invation Security, entre otros. Actualmente es Coordinador del CSIRT CUDI en la Red Nacional de Educación e Investigación en México (CUDI) y participa en los grupos de trabajo de Seguridad e IPv6.

  Silvia Chávez. Ingeniera en Sistemas Computacionales, con un posgrado en Redes de Computadoras, cuenta con más de 15 años de experiencia en el área de Telecomunicaciones. Formó parte del Centro de Operación de Red UNAM (NOC UNAM) y del NOC de la Red del Caribe C@ribNET-CKLN (Caribbean Knowledge and Learning Network). Ha participado como ponente e instructora en eventos y talleres nacionales e internacionales para CUDI, MEXNOG, ANUIES-TIC, Red CLARA, LACNIC e Internet Society. Actualmente es gerente del NOC CUDI, colabora en los grupos de trabajo Ingeniería y Desarrollo de la Red y Redes Definidas por Software (SDN) y es miembro del CSIRT CUDI

  October 8, 2020 19:05-19:30

•  JP

  Phishing Trends in Japan

  Shinichi Tankyo (CAPJ committee member, JP)

  Council of Anti Phishing Japan(CAPJ) aims to curb phishing scams in Japan by collecting and providing case studies and technical information on phishing scams. We'll show the recent phishing cases, statistics from CAPJ's data and a comparison of the situation in LACNIC and Japan will be helpful in examining countermeasures against phishing scams.

  October 8, 2020 14:30-14:55

  Tankyo-Phishing-trends-in-Japan-.pdf

  MD5: 0e75192852da3792d6019bf295a609ab

  Format: application/pdf

  Last Update: October 20th, 2020

  Size: 2.99 Mb

•  US

  Trojan Explosion

  Artsiom HolubArtsiom Holub (Cisco Umbrella, US), Austin McBride (Cisco Umbrella, US)

  The global workforce may be predominately working from home during the pandemic, but that’s not stopped malicious actors from heavily targeting remote workers. Multistaged Trojan attacks hit many enterprises hard in the first half of 2020 and have become very sophisticated attacks that are being used as delivery vehicles for follow on attacks like ransomware and other malware to maximize revenue. Join us for a dive into the business impact of such malware at scale based on global DNS data with real world examples. We will discuss the similarities and differences between successful campaigns and common TTPs, showcase the distribution of victims and attackers from geographical and industry-based stand points, shed light on newly discovered techniques used by malicious actors, and outline the best approaches to protect enterprises and individuals from infection and data exfiltration.
  
  

  Presenter's Bio:

  Austin McBride is a Threat Analytics Researcher at Cisco Umbrella who analyzes and evaluates the impact of security threats on customers, identifies unclassified threat vectors and discovers emerging trends in malware distribution. His current research focuses on the significance of cryptocurrency in the ever-evolving threat landscape, which abets malicious actors to remain anonymous while buying infrastructure and avariciously amassing profit that has been unprecedented in traditional financial markets in recent history. His background is in data mining, analytics, security research and data visualization. McBride regularly speaks at international and national security conferences like BlackHat, RSAC, and THEFirst. He lives in San Francisco with his wife, son and their dog Spock.

  Artsiom Holub is a Senior Security Analyst on the Cisco Umbrella Research team. Throughout the course of the day, he works on Security Threat Reports for existing and potential clients, finds new threats and attacks by analyzing global DNS data coming from Cisco Umbrella resolvers, and designs tactics to track down and identify malicious actors and domains. Holding AS degree from City College of San Francisco in Computer Networking and Information Security with completed Network Security and Advanced Cybersecurity certificates. Frequent presenter at major cybersecurity conferences including Black Hat and THEFirst. Currently focused on analysis and research of various cybercrime campaigns, and building defensive mechanisms applying OSIT and HUMINT approaches powered with ML.

  October 8, 2020 18:05-18:30

  Austin-and-Artsiom-Trojan-Explosion.pdf

  MD5: 473ed2427ccd5f7d63c71f3851584c64

  Format: application/pdf

  Last Update: October 16th, 2020

  Size: 4.95 Mb

•  RU

  ULTRARANK: The Unexpected Twist of a JS-Sniffer Triple Threat

  Alexander Kalinin (CERT-GIB, RU), Gleb Martyanov (CERT-GIB, RU)

  Group-IB Threat Intelligence experts provide evidence linking three campaigns with the use of various JavaScript-sniffer families – an instrument used by cybercriminals to steal text bank card data – previously wrongly attributed by cybersecurity researchers to various Magecart groups, to the same hacker group. This group was dubbed UltraRank by Group-IB.
  
  

  Presenter's short Bio:

  Alexander Kalinin, Head of CERT-GIB. Group-IB’s Computer Emergency Response Team (CERT-GIB) CERT-GIB leads the way in security event and incident management, being the first such team in Eastern Europe and providing round-the-clock assistance.

  October 8, 2020 17:00-17:25

  Kalinin-Ultrarank_Group-IB.pdf

  MD5: 5d7f94d83db938fad2c99673902f636d

  Format: application/pdf

  Last Update: October 15th, 2020

  Size: 1.29 Mb

•  IN

  Uncovering Badness Using Passive DNS

  Swapneel PatnekarSwapneel Patnekar (Founder & CEO, Shreshta IT Technologies Pvt. Ltd., IN)

  DNS(Domain Name System) is the critical & ubiquitous fabric of the Internet and it is used for legitimate purposes and also abused by bad actors for malicious purposes. Statistically, based on a number of research papers, the majority of the newly registered domains are used for malice (phishing, ransomware, malware etc). Passive DNS technique provides an option to Security professionals( Incident Responders, SOC Analysts, Malware Researchers ) and Law enforcement to dive into mapping the DNS infrastructure of the bad actors and facilitate takedowns. In this talk, I will share,

  1. Domain hijacking at GoDaddy - Since the early part of last year, there have been multiple incidents of domain hijacking at GoDaddy on a very large scale. I will present the modus operandi of the incident using Passive DNS

  2. As a security practitioner, I will present and share my experiences of utilizing Passive DNS to map the DNS infrastructure of bad actors and report for takedown Note - As a bonus for Star Wars fans, the talk has a few references to Droids

  Reference:

  • Uncovering badness using Passive DNS at APNIC 50 First Security 1 - https://youtu.be/WKJzVOkMbc0?t=2792
  • Presentation - https://brainattic.in/talks/2020/APNIC50-Uncovering-badnessusing-Passive-DNS-Current.pdf

  
  Presenter’s Bio:

  Swapneel is network engineer & researcher working in. DNS, DNSSEC, BGP, Unix systems and security. As a technical trainer, he regularly conducts workshops on DNS, DNSSEC, Routing, Unix etc. He is also an APNIC Community Trainer & a RIPE Atlas Ambassador. He is also the Managing Director of Shreshta IT Technologies Pvt. Ltd, a company based out of Belgaum, building & securing networks of micro, small & medium enterprises & network operators in Tier-II and Tier-III cities.

  October 8, 2020 15:30-15:55

  Patnekar-Uncovering-badness-using-Passive-DNS.pdf

  MD5: 49a3e6cebc19d6ff186c6bff6101a196

  Format: application/pdf

  Last Update: October 16th, 2020

  Size: 9.59 Mb

• 2020 FIRST Virtual Symposium Latin America and Caribbean
  • Program Overview
  • Registration
  • LACNIC 34 event site