
It seems like Admin has negotiations and Matrix 777 has negotiations. So I could focus on them to see who they were trying to convince. Now, negotiation can be anything, right? Passwords, their passwords. Interesting fact, the passwords came out clear, right? I mean, they weren't hashed, they weren't skipped, they're clear. What do you see out there? Interesting. What do you see? LockBit? Do you see that one? The one that's here? La vida loca. But what does "La vida loca" tell us? That it's in Spanish. Of course, "La vida loca" is a song of... So, many people can use it. But "La vida loca" also gives us a clue that we can start looking. Ready? What do we get? There are some very well-made passwords. I'm using this to tell
the organizations, "Look, these guys know how to do it." And how am I telling them? So I said to Copilot, well, first I said, let's do one thing. Find out when MS La Vida Loca was created. I'm telling you this was May 7th. On May 7th they do the roll call and this character was created on April 20th. And the login is "hasta la muerte", again in Spanish. It can be Latin, I don't know. But there are other clues there. So, the size of the password looks interesting. The next thing I did was, "OK, make a distribution of the size of the passwords and let's see where they focus." This image is fabulous because with this I tell the organizations, look, these are
cybercriminals, but they guarantee that their passwords are at least 10 characters long. Most of them are between 20 and 25. There are some of them that have more than 40 characters. If they work like that, maybe we can do it too. See, an incentive. What else is there in the distribution? Most of them are 20 characters. They surely use a password manager, right? Because you don't learn this, I mean, what else can we do? So I even told Copilot, "Okay, I need you to validate me now and give me a score, tell me which are strong and which are not." And it proposed a score, it said, "Look, if there are more than 12 characters and they have uppercase and lowercase and special characters,
their score will be 4, right? If it doesn't have any of that, then we start to lower it." So here I have the score distribution. In short, a good example to show an organization that this organization, cybercriminal, but organization, finally has a very good score. They are in four. And in fact, when you find those information dumps of the organizations and you find passwords, I already have that I'm going to do that analysis forward to be able to give you that result. What else? From there we can do many more things. We are going to go quickly forward. Let's talk about Bitcoins. There was a table called BTC_ADDRESSES. So, here it is already loaded. And here is the Bitcoin
table. So, it has several things there. First, the addresses. It has some fields that are in zero. We don't know why, we don't know what they are. It has a type field and an ID field, the general one. So, again, I told him, "Ok, from that table, show me the unique fields." Sorry, the unique values for each field. 59,156 IDs with 59,156 addresses, that is, I have almost 50, sorry, 60,000 Bitcoin addresses that I know are from LockBit or from LockBit affiliates. This is cybercrime. This is a delicious mass for those who do or have the opportunity to do that follow-up in these blockchains. What do you think? I thought of a couple of things, let's see them. 7 types, only 7 types.
We can try to see what's in the type. Target ID: 134. ADB ID: 34. Let's see what we find out there. The type field looks promising. I want to know what's in the type. And the type shows me a distribution, a concentration of 25, 30 and 40. If you realize, but there is a distribution between all. But the type are numbers and they are separated by five. From five to five. What is type? I don't know yet. But well, I know that more or less there goes the distribution.
At the beginning, when I saw this field of ADB ID, I thought it was the advertiser. As they publish the information of the clients and they put a banner on it, I thought it was an advertiser. So look, the distribution here, there really isn't any. The ID 0 has the vast majority. There are others that have 30, 25, etc. So it doesn't tell me much, but later on it will start telling me things. Ready. Here at this point, what can we do? We have wallets. What can we do with the wallets? Ask the crypto what happened with that wallet, right? If it has balance, if it has had movements. So I told Copilot, Copilot, as
Gustavo told me that you helped me, help me create a function that will find out if these wallets that are here, because I already have them, right? I already have them in a data frame and I pass the field to him, I say, look, this field is called wallet, take one by one and go and check and bring me the data, ready? There is a problem because it is an open API and the API has a 10 second delay. That is, I have to wait 10 seconds to ask the next question. So asking for 59,000 here gives us who knows how much. So I had already executed it, I'm going to show you the result.
In fact, I did not execute it completely. So here is the function. Let me show you quickly. This function goes to blockchain.info, puts the wallet there and returns a result, a result value, a text with multiple values. As I told you, I need balances and I need movements, so it only brought me balances and movements, but there are many more things. And then, down here, it created a function, so I can call it whatever I want. If you notice, what I'm doing here is... One second, it's not showing right now. Here it is. Ready? So, since I already have a function for that, in this case, I tell it, look, I know
that between the ID 11100 and 11300 there are wallets that do have value. So I sent him only those. Why? Because I have my wallets in a data frame and because I already have a function for that. And the result was that there is indeed a wallet. Ready? So there were nine wallets that have balance and that have a single transaction. From now on, whatever comes to them. We already have a function, we already have the data frame, and we have, for example, this result. So now I can tell you, ready, who did you transfer it to? And do the follow-up. And there we start to make a map of how that money has been
moved by these cybercriminals. Ready? What else caught my attention? So I said, ready, I already have some wallets here. And down here I told him, I'm interested in the type field. So I already have some that do have money. Show me what information is there. And if you notice, all those who have money are of type 30. Remember that we had 7 different types? So I still don't know what type means, but I do know that type 30 generally have money. So I can now improve my search forward and focus first on the 30 and then start doing that discrimination and see what else is there. Are we doing well so far? This was done
by Copilot, as I told you, because of Gustavo. From now on, the questions you want to solve. I told you that the request returns a lot more data. There is already an impressive data chain. So what else can I do with that data? But see that we started with 26 megabytes and this is already growing. Ready? So the questions you want to ask, but I already have a data frame, I already have the data and I have a tool that I tell JM with the code "stop" and he solves it for me. He doesn't solve it all, obviously, and you have to know how to ask him. So it depends on Sherlock where we can
act. Ready. So I told you, I have a dataframe of dataframes. What does that mean? That I can see my tables here. So I have the Bitcoin addresses, the builds, configuration, etc. I have the chats. So I wanted to see the configuration ones. The first thing you ask is, well, the size. So I have six columns for 1,158 lines. Ready. So what's there? Again. I put the names of the fields. I wanted to do it automated, but Copilot didn't want to help me, it did what it could, but I did it by hand. Again, 1,158 IDs, 5 types, 1,158 different configurations, date of creation. When I gave this talk, based on the malware, even users and passwords came out, right? Why?
Because before they deploy it, they make an intrusion and take that data and they embed it into the malware so that when it is executed, it can be deployed alone, without interaction. So, we thought that here we would find interesting data and unfortunately I didn't know. But let's try to see what else is here. So, this is one of the culprits for why the data load would have failed. If you realize, there is an ID, the build ID, but that configuration data, what do you think? That config field. It has the face of JSON, right? But it has the escapes. So, what did we tell it? Let's see the complete one, here it is. So, take note, a lot more information there.
That is, it is a field that has many fields. And if I want to make filters for those subfields, then I need to extract them. So, the next thing I told it was: "Replace the escapes, right? And turn this into multiple columns from JSON." So, now you can see a little more JSON. And with this function here, which I again had it compile, I told it: "Take that, convert it into columns and paste it to the dataframe." So, I'm not going to ask for config anymore, but I'm going to ask for the config sub-values. And there it is. And it makes a lot of errors here, but it loads them. So there are values that have nothing,
but there are others that do have interesting data. For example, the website of the affected company, the revenue, 350,000 dollars, 5,000 dollars, etc. So I already have more information about who they attacked and what information they have obtained from them. So I can start making my filters a little bigger, right? I already have a DataFrame, it had no more than 7 fields, I think, but now it has many more fields, 69 fields. The problem is that this has grown, that is, what are we doing with so much information? But that is the valuable thing about data science, ready? Columns, now I do have many. So let's try to analyze, okay? Values 668, unique 351. So, between so
much information, it seems that there are elements that are unique.
I'm asking here. I don't know what I have there, but here. Ready. Information that is not null, if you saw that NaN, which means that there is nothing in that field, then we eradicate this and it tells me, yes, that it is not null, I have enough information. Okay. Here is a game of how I want to analyze it. So I told Copilot, hey, I want a cloud of words, with the top words, because I'm not going to read that. And it said, yes, sir, here it is. If you see, ah, how good. So if you notice there, of course, the bigger it is, the more times it appears. There are some countries, there are some companies that we know. So, suddenly, it's another way to
see that information. Here, suddenly, you can tell me, focus on X, Y or Z, or maybe that one that we hadn't seen appears. I tell you that I was doing this and a company called me, which LockBit attacked. According to them, they were attacked on May 9th. Yes, according to them, they were attacked on May 9th. This was published on May 7th, so I said, "They won't be there." I went and looked for them, and they were there. They wrote it down on May 9th, and they created the campaign and all the data for this company on May 4th. From May 4th to May 9th, five days to start working. So, how are we going to do it? How are we going to find it? So,
I later created this function here, this series of queries. So, I'm telling them, "Eliminate those who have nothing," and within those who do have something, search for words that I want to search, so I said, for example, Colombia. And it took me, look, yes, there is information about Colombia, there are three companies in Colombia, and so I started looking and I found a couple of places. We are not going to look here because the idea is not to do so much public and public, but this is public, unfortunately. Ready. Since I already have a company in Colombia, then again I already have a dataframe, I can get more data and I can start looking there.
which is interesting. So, you can see that I'm already having more information. What about time? Generally, these tables have a field called "Created in" or the date of creation. So, if you notice, it tells me that at least the information in this table started on December 18, 2024 and ended on April 28, 2025. In that time range, we have a story. And since I like to see it more in a graphic way, so this is the story of what's there. High concentration at the end of April, in fact, in April, something around here between the first days of February, but more or less that's the trend of what's here. Does it work for me? I don't know. But generally I
look at this when a client calls me and says they attacked me more or less by this date, then we go and look at this story and say, there was an active campaign. So what happened to you, I'm sure happened to others because they have something in common, right? Time to move on to another board. I'm going to skip this one because I don't like it. And let's go to what we like. The almost uncontrollable desire for gossip. How are we on time? That means now or move on. Ready. So we have one called chats. What are chats? They are communications that companies have with them. So they enter the chat and start saying, "Hey, why
did you do this to me?" A lot of information there. File names, let's see what we find there. There are names that have interesting details, but what we see is global. I'm going to run this here quickly. There is a flag, sorry, a field called flag, with values 0 and 1. I wanted to see that there were concentrations, that is, those that were 1, because it really didn't tell me much. If you realize this date, no, this is not, let me go further. Ready, so here is a field that is interesting, which is the client ID. Ready, so what I did was look for how many communications there were for each client, and it makes the summary for me. What does
this mean? No, each line is a chat, that is, good afternoon is a line, and the response of the attackers, good afternoon, is another line. So, for example, for the client of 102, nine lines means that there were nine exchanges. Ready. So here what I did was increase the size to see if we didn't lose the complete gossip. Let me go further because Gustavo is making faces at me. And here you can see a lot of information, a little more interesting, right? I have to borrow money, I can't pay $3,200. A lot of situations here in the organizations that are already a bit sad to handle, but it has things that are not so sad anymore. For example, I came up with the idea of
making a bag of bad words, let's call them that, so I told it to look for words like, I put it to search Colombia, Bolivia, etc. But I told it, look for me, let's make the payment, look for me hack, suddenly they talk about how they made the entry, look for me a fuck, that is, the client got upset and he told him that he was going to die, or that you are a thief. So I put it to look for the words here, and in short, here are some interesting ones. Ready? So, as we said, look for hack, there are hack forums. Here's an interesting one that said, look at this one. "Stay still, stay still." That one. It's
like the third one. The one who entered the chat said, "You've been hacked by an encrypted channel in Moscow." Go and check it out, it's interesting how it scared them. The conversation is small, but the guys got scared. And this was very close to when they had the hacking. Down here, who has heard that they recommended being kind to the AIs, right? With the prompt. So, dear Copilot, if you were so kind, if you had the clickiness to collaborate with me, well, here people also estimate that writing to Mr. Hacker, "Please, collaborate with me," is another way that they will be kind to you, esteemed Mr. Hacker. So, looking around, among things, I found a very interesting conversation.
Okay? Again, as I was saying, a line for each sentence. This line is very interesting, among others, for several things that are here. For example this, ready? Establish the conversation, the guy shows that he can decipher it and the person who is communicating with them from the company tells them: "Look, my boss already gave me authorization, but I can't pay here. In my country it is not possible to pay here, I have to go to another city, I have to create a crypto wallet and pass the money. We're going to pay you. Don't worry." This is very interesting because they start saying yes, no, yes, no. At some point it looks like
they want to extend the time. And the attacker below starts to get a little confused. He says, "Look, I'm going to delete everything." Ready? I'm going to delete the crypt, there will be no solution. You think you're playing with me? And down here the character who is doing the negotiation does something interesting. He says, "Look, I tried it, but my boss didn't want to." "I would really recommend you delete the decryptor," the guy tells the attackers. And the guy says, "Yes, we're going to delete it and we're going to publish the data." And look at the last thing he says, "And if you want, hack them again." so they can learn. Who is doing this communication? Who is advising or accompanying them in that
negotiation? Never talk to cybercriminals. You don't know when someone is going to publish them on a B-Site. And the worst thing is that it's totally identifiable. If I go a little higher, they know the company, they know the name of the guy, it's a bit of a problem. But only a little. Fortunately, it's on the other side of the world. Quickly, I'm going to go ahead. Can you give me two minutes? Done. What else? What's the fun of having DataFrames? So, look, we've already done statistical analysis, we searched, we gossiped, there are a lot of things here. But we have IDs. It would be cool to be able to identify, right? I'm going to bring the client table too, I already loaded it here. Of course I don't
show it, they are the affected companies, but there is quite valuable data here. Ready? So, it occurred to me, the country of the company doesn't come. But I said, "How can I identify the company?" There are many ways. I can tell you, for example, with the data from the page, upload it to an AI and the AI tells me which country it belongs to. Because by the IP, it is very common that it is in Azure and I end up giving wrong data. But I said, "Well, let's make it easy." By the TLD. If it ends in .do, it's Dominican. If it ends in .co, it can be Colombia. I said, "Do it and put a country for each of them." Ready? So I already have my
data here. And the next thing, I said, "Okay, create a relationship between the user table and the crypto wallet table, right?" As I already know what the interrelation ID is, that is, it is like a SELECT asterisk FROM this table, this table, joined by this ID. But I can do it here, simpler. I already executed it here. So, right now we had a table with the cryptocurrencies and now we have it with the name of the attacker. So admin has that wallet, brown has that wallet, payout, bond has those three wallets. What else can I see around here? So I can tell it, look, make me a plot. So put the character in the middle and around
all his wallets. So I can start generating those maps. Does it help me? Possibly. And then I told it, well, now let's do another merge,
because I found interesting a field that was in the client table that says "paid commissions". This "session key" is the ID that they put on the company. I could put the name of the company here, but that is not done. But I'm interested in the issue of commissions. Why? When someone works for commissions, what does he do to earn commissions? He makes an effort, right? If you live on commissions, you make an effort. So let's see who made the effort and how they did it. So I found here a couple of professional people in their work who are commissioners. So we already have a trend here that this man, BDTG, drug dealer, is a commissioner, he has several companies in
that period of time. Sorry, he has several companies but they have not paid him commissions. Here is another one called Brown, who has a similar trend, but he does have a commission paid here. But here's one who lives off commissions. And you can tell because he's trying. So this character is critical. Because the same data shows me that each session is a company. And under the sessions, there are several that have one. So they've already paid him. How does a commissioner work? He throws everything away, knowing that with 10% commission, he'll get a good income. It would be interesting to start identifying this commissioner. And here's James Craig. Quick, quick, I'm leaving, I'm leaving. Here I created another function, finally,
because the country theme caught my attention again. So I said, let's see if there's a trend. This man shoots at many regions, but if you notice, he likes Brazil, Colombia, so he has a close relationship with us. This man, Brown, only the international means that it was .com. So, there it's difficult, I had to go deeper. Christopher,
also has a global distribution. And James also has... So there is no particularity there. The goal was to try to find it. But it would also be good to try to see the technology of those organizations. So how can I identify the technology that that organization has? Let's see if I find that this one likes this VPN product. And there we can start to identify trends. In conclusion, because they are signaling me here. Any leak can be favorable, let's learn from them. 26 megabytes, I think it has value. And that's how we can do it. From now on, any leak of this type, I already have a notebook that will help me analyze it. Don't talk to cybercriminals. A guy could appear and
burn them in public on a B-Site. Watch your words. There are many chats that one sees and they heat up the cybercriminal. Don't confront them. Don't do it because that can be critical. It's not that they go and delete, it's that they take measures of another type. So, if the attack wasn't so impactful and you go and chat with them and say "you're an asshole, you don't know who you're messing with", you have to be very careful with that. Copilot and Pandas, until this week I found out about Polars, so I hope to update it, but Pandas is magic, as I told you, give me a dataframe and I'll move the world. And that's it. Thank
you very much. Eduardo, thank you, thank you. As always, it was very entertaining. You had everyone expecting what was going to happen. Well, a little gift for you too. Thank you very much for everything. We give space to just one question. We ran a little bit, but does anyone have a question for Eduardo? Well, Eduardo is going to be around here. Yes, I'm going. How are you, Eduardo? With Jonathan. Eduardo, I wanted to ask you, what recommendations do you give us? Well, this morning we also saw the first exhibitor who also talked to us about the guides and the potential that can be had and how we can enhance this data. At least let's say that we know that this work can
be handed a little to police entities, the FBI and all these agencies to profile these groups, but we also know how we could at least contribute from our private role where we don't get so much into this field, and I don't know if something similar happened to you in WebPuchas, I'm profiling a group, but what do I do with this information? How could we feed ourselves and how to expose this data so that it can serve us, at least organizations, in being aware that these groups exist, that they leak this type of data, and at least use it in our favor, to at least counter the attacks of these criminals? It's learning. I really do it to look
for these opportunities, to show the organizations, "Look, these guys act like this, be careful, don't communicate." Those conclusions I gave them are finally opportunities for everyone. Well, you are not going to run after criminals, but my goal is to go deeper and tell you, look, this drug dealer 57, the guy loves this VPN product, which is the one you have. It's not because he's vulnerable or not, it's because he loves it. And if he loves it, he'll look for a way to get in. So you are already a client of him and he lives on commissions. So how to generate that trend. But the goal of this is also to take them to any information block they can analyze it
like that, even your own. Then an information leak comes out and many times what happens is that executives or high management say, "Oh yes, a database came out and well, that's it." So with this you can say, no, the information that was lost is valuable for this, for this, for this, and a couple of graphs suddenly make you see the story in another way. So it's taking advantage of that artificial intelligence with that benefit. Give it value, but an immediate visual value. That in this case 26 megabytes were easy to analyze, but let's go to 1 gigabyte and things get complicated. If I have the opportunity to take this and execute it and get good
results to present, it's very valuable. Thank you. Thank you all. Thank you. We're going to start. While we're starting, I present Christopher Dexter from Peru. His presentation is associated with OT. We're going to talk about Industrial Inferno, the rise of OT malware. Also from Peru, international quota, and we're very grateful that you're here with us, Christopher. Hello, I'm Christopher Dextre and today I'm going to talk to you about malware in OT. The talk is called Industrial Inferno, the Rise of OT Malware. Well, a little about me. I already mentioned my name. I was a red teamer in the industrial sector. I currently work as a pen tester and I am part of the MalwareSpace
team together with Mauricio Jara. This is the agenda that we are going to touch on today. The historical review of malware in OT that starts in 2010, and the latest malware discovered was in 2024. We are going to have the analysis of the key cases and a "what if", that is, what would happen if. Let's start from the beginning. Everything starts in 2010 and ends in 2024. If we observe, from 2017 to 2022 we have a gap of five years in which there was no new malware. But from 2022 we started to have more visibility of new attacks with malware, specifically in the OT sector. This is a very brief summary of what the Purdue model is. We have five levels. The
first level is sensors and actuators. A sensor can be a light sensor, a temperature sensor, and an actuator can be a motor. In level 1 we have PLCs, RTUs, DCS controllers and SIS. In level 2 we have the HMI, SCADA, JAN servers. And in level 3 we have things we see in IT. Level 3.5 is a barrier between OT and IT, that's why we can observe the coloration. And the last levels, which are 4 and 5, correspond purely to what is IT. Let's start with Night Dragon. I mentioned that we are going to see the issue of malware, specifically for OT. But Night Dragon is not a malware for OT, but it is an APT. And an APT is an Advanced Persistent Threat.
A persistent threat. In this case, from China. And what did they use? They used something quite common that we can replicate: GitHub. I think we all know GitHub, right? They used RATs, the RATs are Remote Access Trojans, or tools, and the two RATs they used, both ZxShell and Gh0st, are available on GitHub. TTPs are the tactics and procedures that we can observe. The first attack vector was spear phishing directed at employees. Another attack vector they had was SQL injection against exposed web sites. They used RATs, they also used credential theft and lateral movement. All the tools that Night Dragon used are public. What was the objective? To exfiltrate data from oil and gas companies, technically
from the entire industrial sector, and if possible, to compromise SCADA servers and make intrusions, specifically in the enemy countries of China, which are the United States, Europe and some countries in Asia. For time reasons, I will be skipping some slides and here we can see what the workflow of Night Dragon was. Night Dragon was discovered by McAfee. There is currently little information because all the information that I saw in McAfee, after it changed owners, you can only find in Web Archive. Now we go through the most well-known of all. I think we've all heard of Stuxnet. What is the difference? That Stuxnet is no longer an APT, but a malware as such. This malware was
made by two APTs: from the United States, the Equation Group, which belongs to the NSA, and from Israel we have Unit 8200. What are the TTPs they used? 4 zero-days in Linux, USB infection. I think we all know what a Rubber Ducky is. This is the first case that a Rubber Ducky was used in the industrial sector. They also used DLL hijacking in Step 7. Step 7 is the software of the Siemens S7 PLC, which modified the logic. What Stuxnet did, basically, to stop the production or possible production of nuclear bombs or nuclear weapons in Iran, was that every time the reactors rotated at a certain speed, it changed this speed abruptly so that the centrifuges failed. The Iranian plant team,
Natanz, realized a few months ago, because it seemed very strange to them that only all the actuators and sensors of the nuclear production part were successfully achieved. They also used a rootkit in Windows and PLCs, hiding changes and ciphering with RC4. This is the only malware for OT that has a specific discovery date, which was June 17, 2010, by the company VirusBlokAda. It is designed specifically for two PLC models, which are the Siemens S7-300 and the Siemens S7-400. It affected, apart from the Natanz plant, 200,000 PCs, 1,000 PLCs and 22 industrial installations. Here we can see the anatomy of Stuxnet. We have the USB that entered a PC with Windows that was in IT and through this USB the barrier
between IT and OT could be broken. Here we have the PLCs, the 300 and the 400, and there we have what would be the actuators. After Stuxnet, two variants appeared with a few months of difference, which are the cousins of Stuxnet: Duqu and Duqu 2.0. There is no evidence, to a certain extent, that it belongs to Equation Group and the Unit 8200 Israel organization, but it shares too much with Stuxnet. So, that's why it's called, presumably. Like Stuxnet, it also takes advantage of zero-day vulnerabilities. In this case, in TrueType fonts. It uses certificates that are stolen. For example, when you have a certificate, this certificate is used to sign a firmware,
for example, it can be audio or video. And this certificate, in theory, should be protected by the creator entity of this firmware, which, for example, can be a Realtek card. What they did was steal that signature and so pass or deceive, rather, the EDRs of that time. Something also quite interesting was the use of steganography, since they used images to exfiltrate data. This group here, Shamoon, this Shamoon malware belongs to APT33, which belongs to Iran. This one here is quite interesting, since it uses a new malware feature, which is the wiper. The wiper is the feature that gives a malware the ability to overwrite files and leave them unusable. We have Havex. Now we start with Russia. Russia
has the most active APTs that attack IoT environments. If you see Dragonfly and Energetic Bear, it's not that they are two different APTs, but when a company discovers a new malware, it's the one that gives it the name. For example, Mandiant uses the acronym APT + NUMBER. And the rest of the companies, like ESET, Kaspersky, Claroty, give them the name they want. The most important TTP of Dragonfly and Energetic Bear was that they attacked the supply chain directly, not the target directly. And what is interesting about Havex? That it had the capacity to inject an additional trojan, which in this case is Karagany, into infected systems. So it could totally compromise these systems with persistence.
In this case, unlike Staknex, it was only industrial espionage. Then we have a trilogy, also from Russia, of Black Energy. Black Energy originally started in 2007, but it was just a basic botnet that attacked any type of device. It gave it the same, that is, OT, IT and OT. But in its version 2, which is from 2009 to 2014, they already started testing with OT themes, using drivers, OAC bypass, specific exploits for the HDMI's. An HDMI is the interface that has the PLC with the human. It's like a simple screen that you can program there. But unlike the previous cases, it no longer only attacked Siemens, but attacked more brands. Then, version 3, which only lasted a year, which was
2014-2015, added an attack vector, which is Spirit Fishing, using Office macros. Then we have another malware, which is Iron Gate. This malware He couldn't find a direct responsable, so his APT and country category is in the unattributed. We return again with Siemens. And if you ask why Siemens, because Siemens is the most used PLC. So all the attackers want to attack Siemens. But we started with new techniques. In this TTP we have a man in the middle attack, in which he captured the requests of the from the PLC-SIM to the Siemens software and replaced them with DLs. It also has sandbox evasion. Sandbox evasion is the ability of a malware to verify if it is running in a physical team or if it is running
in a virtual machine. Here we have the use of a new language, which is Python, which they used to infect and package Trojans. The objectives here weren't cyber espionage, they weren't to harm any kind of company; they were simulators. All theories point to it being from APTs from Asia or the Middle East. Then we have Industroyer. We go back to Russia. The Sandworm group used a lot of TTPs, but more important was that they used specific modules, not for common modules like Modbus, but for the modules IEC 101, IEC 104, IEC 61850 and OPC. They also used dual backdoors, similar to BlackEnergy. Then we have DDoS, and this malware capacity was already used previously. And
what was the main objective: sabotage the Kyiv substation. This shutdown was quite important; it happened in 2016. This is the first malware that was discovered by two companies, since the others were discovered by one. It was discovered by ESET and Dragos. It is also the first modular malware and also, like Stuxnet, executes payloads at specific predefined times, which is a capacity of a logic-bomb malware. Then we have the evolution, which is Industroyer 2. What was the improvement? That they simplified the architecture. The goal was the same. This was detected in 2022, since Ukraine at that time was already at war and they began to constantly attack the electrical networks of Ukraine. Here we see that it reuses
two critical modules from its first version and here we can see what the difference is. If we look, here we have the wiper module, which has also been shared with other malware. Then we have several services that are infected, which are CaddyWiper, OrcShred, SoloShred and AwfulShred. Here we see the difference between version 1 and 2: version 1 only attacked OT networks, but version 2 already attacked IoT and IT. Moving on to Triton, we return to Iran again. Now we have another APT, which is Xenotime. This malware is now specifically focused on a brand that we have not touched before, which is Triconex, which is
the safety instrumented system. This malware not only attacks common PLCs, but also attacks PLCs that have SIS capabilities. What did it do? It deactivated industrial safety systems in plants, but from Saudi Arabia, and with which it intended to replicate the attack of Stuxnet. This malware was also discovered by two companies, which are FireEye and Dragos, when they found anomalies in Middle East plants. As I mentioned, this malware specifically attacks Triconex. Then we have PIPEDREAM; we go back to Russia, but now with a new APT, which is CHERNOVITE. CHERNOVITE learned from the previous APTs and created a modular malware, but now it not only focused on Siemens, like its previous APTs, but it changed and now
attacked Schneider, Omron and OPC. This is a Swiss army knife for manipulation of industrial environments, since it is not only based on attacking a single brand, but different brands. And it took advantage of an exploit that belonged to the ASRock company, for privilege escalation. Here we can see the anatomy of this malware, which first attacked the switches, then expanded through PLCs, HMIs and OPC UA servers. Now we go to a malware that was discovered last year. FrostyGoop doesn't have a specific APT assigned, but it is believed to be Russian. This is the first malware specifically for OT that uses the Golang language. The characteristic that the Golang language has for malware is that it is more complicated to reverse than malware that is made, for
example, in C, because in C you have, from the beginning of the malware, you already have a lot of libraries, but in Golang you have few libraries. And they used an exposed protocol, which is Modbus, port 502. The interesting thing is that they didn't use persistence like the previous ones. They only focused on attacking the Modbus protocol. The main objective was to sabotage the heating of 600 buildings. And this is the first malware that attacks civilians. The rest of the malware attacked companies, and possibly government companies. Let's continue with Fuxnet. If you noticed, I mentioned about three Russian APTs, and the Ukrainians got tired and said: "Let's attack". In this case, the APT that was in charge of this was
Blackjack, and the TTPs it used, quite similar, were to overwrite data in EMUs, which is a wiper feature, but it specifically attacked NAND and SCD memories until they reach their write limit and become corrupted. The objective was to sabotage the industrial sensors of Russia, of the Russian critical components. It was detected by Claroty in April; it has remote infiltration and the important thing here is that it disabled approximately 500 gateways and left 87,000 sensors without response through firmware corruption. When the Blackjack team managed to compromise a system, they left their signature.
Now we go to IOCONTROL. Again we have an Iranian group, but this time we have a very curious name, which is the CyberAv3ngers. What is the difference with this malware? That we have persistence again, but this time we no longer only attack OT networks, but we have IoT. For the C2 issue, it uses a protocol called Mosquito, which is MQTT, and this protocol is specifically for IoT devices. Most of the malware from 2016 onwards, how can it be captured? Almost all of us use VirusTotal and in VirusTotal you have a lot of data and through that data, companies like Claroty, etc. download these samples and that's how they find new malware. This type of malware
is modular, so it attacks indistinctly routers, cameras, PLCs, HMIs, firewalls, basically attacks everything that is within reach. And this malware also attacks civil infrastructure. When they came to compromise the Orpak servers, on Telegram they sent a lot of screenshots saying "we are inside". Now we go with the last one, which is Chaya_003. This malware is not attributed to any APT. And we go back to Siemens. But now, it's not just modifying the logic, but ending the processes. Siemens Portal is the software for the control of the new generation PLCs, which are the S7-1200 and 1500. It uses legitimate services for the C2, which in this case is Discord. And it also
uses binaries with system names, like LAS, notepad.exe, to avoid detection. Now let's go to the "what if" part. If you remember, I mentioned APTs, but I didn't mention any Latin American APT. And in my search for information about LATAM APTs, I found very little. And the most famous APT is a Colombian APT, which is Blind Eagle. Analyzing its TTPs, it was very similar to the TTPs I mentioned before. But I don't know why nobody has attacked industrial infrastructures in LATAM. The closest attack we have by characteristics is the Medre operation that was from 2009 to 2012. This was discovered by ESET and what it did was exfiltrate all kinds of data in the DWG
format belonging to AutoCAD. It indiscriminately attacked institutions, private companies, but specifically in LATAM, and all this data was exfiltrated directly to China. Here we have a capture of an email that bounced.
And let's go to the interesting part. Do you know what this screenshot belongs to? Sure. So, if you remember, I mentioned that Stuxnet is specifically designed to attack two PLC models, which are the S7-300 and the S7-400. If we do a search in Shodan, we can find that there are 1015 PLCs. But if we go specifically to the LATAM part, we can see that in Argentina we have 4, in Brazil we have 38, in Colombia we have 3, in Ecuador we have 2, in Peru we have 1, in the United States there are 183, in Paraguay we have 1 and in Venezuela we have none. We have TTPs and we have a fairly large attack surface. So why can't we create a fictitious
APT, in this case it is VS Code. The attack vectors that I would possibly use if I were part of this APT would be spear phishing, then infecting directly the machines that control SCADA, like Chaya did. And why Chaya? Because I'm not manipulating logic, I'm just killing processes. It is much more complex to detect how you kill processes than modifying the logic. Since here in OT you always have backup servers. If you modify the logic and the backup servers restore to the initial state, then all your work was in vain. Thanks, that's my network. And if you want more malware information, go to MalwareSpace. We will be at this ECO 2021, taking Malware for the first time
to Latin America.

Christopher, thank you very much. A round of applause for Christopher. Well, does anyone have a question for Christopher?

Thank you, Christopher. Let's say that for me, as someone new in the world of cybersecurity, I have a concern about how much knowledge from the point of view of industrial control systems is needed to approach the world of OT security. Because one thing is the domain of IT, the domain of the operating system, the characteristics of an IT environment, but the OT environment eventually has its differences. So, to approach that world of hacking in OT, what would be a roadmap, maybe certifications or maybe specific providers that you would recommend following?

About offensive security courses in OT, you have SANS, you also have a Colombian company called Spartan, which has a course Hacking OT 101, then you have to read all the blogs from Claroty's Team82, Dragos; those would be the ones that I would recommend you start with. Then you also have material on Udemy.

Christopher, I'm not leaving without the gift. Thank you very much for participating and for trusting in this space. Well, an announcement before the last talk. As you know, there is a wardriving exercise that is going to be done after the session. For those who want to participate in this exercise, those who are already registered, all the information will be in Block 21, where the hands-on part is being done, on floor 3, classroom 326. Here you will see all the information: when it starts, how long it takes, what the rules are and what the wardriving exercise to do is. Well, let's go with the last talk of the day. Also with international attendance, Jorge Litvin. He comes from Argentina. He brings a talk about Hacking Culture. Very happy that you are here also participating with us. And welcome here to Visite. He already put you while... A round of applause. A round of applause for Jorge. With what they have left of energy.

How are you? Is it the last one? - Of the day, yes. - Is it the last one? What a challenge. What a challenge, they are already thinking about beer. Yes, they said over there. Don't burn me. Excellent. How many of you work in companies? Today, today, raise your hand. Very good. How many of you have ever "thrown the dead", as they say in Argentina, to try to raise staff awareness? And what have you found on the other side? I'm listening. What? A lot of resistance. What else? People are busy in their day to day. They don't work in cybersecurity, they work in something else. They work in human resources, they work in finance, in legal. And one comes and wants to try to teach them new things. The annual talk, this, the other. Well, a little of what
we are going to talk about today is that this awareness is a necessary step but it is also insufficient. And that in reality, if what we have as an objective, and today I listened to many talks about vulnerabilities and how to exploit them, humans are vulnerabilities. But, unlike the technical vulnerabilities that we have been talking about in most of this event, they are not so easy to correct. Because there is no patch, there is no update, there is nothing; we cannot write a line of code and change the behavior of the human. And changing their behavior, his, hers, is very difficult, it's very different. So we can't apply the same method for everyone. And a little bit of what I'm here to share with you today
is a methodology that I designed and that we are implementing in Safeview, my company, where we try to accompany other organizations in changing their security culture. And it's a methodology that you can follow, now we're going to get to that, to change behavior, where raising awareness is only one of the ten steps that this framework has. Today we are not going to get, for time reasons and because everyone probably wants to go, to go through each step one by one, but yes, an overview so that you can take a look at it. But let's start with why. Why the human factor? And there are some things that you already know and others maybe not. And why do you
raise staff awareness? Why? Exactly. There are two main reasons why one raises awareness among people. For compliance, because we have to comply with some audit, and there is no personal data protection regulation that does not contemplate as a specific control the training and awareness of users in the handling of data. Here in Colombia, in fact, the personal data protection law contemplates it. And perhaps the organization does not have to comply with a specific regulation, but it is attached to a framework in which it is audited or it is requested by a third party. So compliance regulations are not only with authorities, but also with third parties of the private sector with which one wants to relate. So this is the
first reason, but the second reason is risk. Risk, why? Because now we are going to see that users, the most vulnerable link is being talked about; now we are going to break that down. But first let's talk about compliance. And I was telling you, there are regulations, there are standards, and this is a great overview of some of the main ones, some logos you should know, where there are specific controls related to training and user awareness. But if we get out of the paperwork and documentation part and do it only for compliance, and you will realize which organizations do it for compliance because they seek to do an annual talk, a phishing
simulation, something that allows us to put a check in the box and be able to pass through the auditor's eyes. Today, the reality is that regulations, especially in financial entities, the banking sector, fintech and others, are getting a little more tricky, where they will have to demonstrate that last year's phishing metric is not as bad as this year's. What does that mean? That there is continuous improvement, that things are changing, that the culture is improving. Why? Because if every year I do the same talk and hire the same consultant who comes to talk about the same risks, first, everyone gets bored. Second, no one pays attention to you, they are all in their email and then all we do is put a little box with an
attendance list that we fulfill. But that is only useful for compliance, not for what really matters to us, which is risk. We have to think for this that humans are also the ones who design and develop systems; we are the ones who choose which systems we are going to acquire, they are the ones who use the systems, they are the ones who update them, they are the ones who manage incidents. Humans. I'm a lawyer, so I can make jokes about lawyers, but lawyers are the ones who write contracts and clauses for third parties. One of the main cybersecurity risks this year is defined as third-party risk management. We all
remember what happened on July 19 last year. It's still fresh what happened with CrowdStrike, now with Google. So we started to see the fragility that exists, and within third-party risk management is the part of the contracts. Who does that? The lawyers. So we started to see how humans, in the end, no matter how much technology we have, as my colleague said, we can have a lot of technological controls, but if the human factor is not contemplated, it will not help us at all. How many, if we think about the attack surface, we have networks, right? We have a few more devices than networks, surely. We have applications, but if we start to look at the size of our attack surface, probably
the most we have are humans. So, this makes the attack surface not only the most extensive, but also the most vulnerable and the most complex to control. That's why I said it's not as easy as patching, configuring or developing something with which we can change people's behavior. And what kind of human errors are there? Or what is the human factor in security? Because one would think, and everyone would go very quickly to say: I clicked on that email, I shouldn't have done it. But there are errors that go beyond that and there are incidents that are produced by analog issues, not only digital ones. And we can talk about neglecting devices. Here, in fact,
I know that Medellín is a city where half of the people who live here are working remotely and come from elsewhere. And it's like a place for co-working. Well, how does our staff take care when they go to work from a co-working space or remotely? They get up, order a coffee and leave the computer unattended. Neglecting information, neglecting physical security, neglecting policies, neglecting digital hygiene, which is generally what we are in charge of or the first thing we think of when we talk about raising awareness with the issue of phishing, social engineering and others. Neglecting safe development practices, and there it is no longer the end user. Many of those who are here are
in the development areas and now we are going to see what percentage of human error is not from the end user area or the technological muggle, for those who are familiar with Harry Potter, but from the more technical area: neglecting the management of technologies, neglecting the management of incidents. So there is a lot of human activity and a lot of human errors that are not from the humans that we think. And when I say that they are not all what we think, most of the human errors come from the development area, from the areas that one would think are not wrong or that do not have so much impact on security.
The second is the famous sysadmin. Then the end user comes and then we have a cake spread among the others. I'm not saying it; it's the report from last year from Verizon, the Data Breach Investigations Report 2024. You can look for it, I always recommend it; it's still fresh, the one that came out this year, the 2025, very interesting. Now, if we think about the incidence of the human factor and how it evolved in cyber incidents, let's start in 2022 and we see that the metric is improving. Some years ago, 95% of the attacks, as the reports said, were linked to some kind of human error, not necessarily the click, remember. And now, in this last one that came out,
it's about 60%. Why do you think it's going down? Speak up. Because of the awareness, that's one. Why else? Who gives more?
Look, there are several factors and surely we will not be able to list them all, but without a doubt there are many more companies, and SANS has an annual security awareness report that I recommend you read and compare what happens year by year, where in the 2022 version even, it took a metric of the maturity level in the awareness of companies, of whether their awareness programs were based on compliance or already based on cultural change or based on metrics. It is evolving; it is like CMMI, which marks the maturity levels of the controls. Well, there is a kind of CMMI for cultural change and that is from SANS. And in 2022 still, most
companies were based on compliance, the awareness of this annual talk, and in 2023 the metric begins to change and it is inverted and most companies begin to look for something more. And this continues to evolve and more and more companies realize that awareness is necessary but insufficient and that they have to do more things because they cannot change user behavior with an annual talk or an annual phishing simulation for the entire company in general. Regulations have been helping and pushing that, but other things have happened, like the risks associated with incidents caused by third parties, or by the third parties of our third parties, the fourth parties. The issue of generative AI and how the barrier to entry to
hacking has also been lowered has also meant more malware and exploits, although most of the attacks today are based on identities, more than malware itself. So, other types of attacks have begun to take the spotlight and people are more scared. Because something that seemed like Black Mirror a few years ago, today everyone is always afraid to scan a QR code somewhere. Because of things that are happening, because of the massification of social networks, as it is shown, and in the end, awareness ended up being generated a little by the fear factor in people who do not understand much, so when in doubt they do not do it. And then we have a problem
in companies where one tells the other: "Did you see the Excel I sent you?" "No, I don't open the mail." When in doubt, I don't open the mail. But that's not what we want. So, if it goes down, we'll see how it keeps evolving. This is from the Verizon report this year. And there are a few challenges that we have. And you were asking when I started the talk, and I'm going to try to go fast with this. But we have a great lack of awareness about the lack of awareness. And we have directors like the CEO, who can say, I have heard all the excuses you can imagine: "It's not going to happen to us, we're
not that big or that important." That doesn't want to talk directly to humans. We have a lot of tools, the security manager tells us, with which I have a whole technological stack. I have CrowdStrike, Cloudflare, Proofpoint, I have everything. I don't need a little figure, so I feel safe. We already give a talk a year, Human Resources tells you, which is in charge of training. And nobody forces us to do it, says the legal manager. So there are many excuses that end up demonstrating the lack of awareness of those who make decisions and lead the culture of companies. Because in my experience, and I tell you that many times, I am that consultant
whom companies called to say: "We want you to give the annual cybersecurity talk." And I arrived at an auditorium like this, bigger, and there was the whole company, except, you know who? The board. What was the message that this gave to people? This is not so important, because if the owners of the business are not listening to this, it is because for the business it is not important; if it is not important for them, why should it matter to me? Basically that is the message that is conveyed when the board is not literally on board. There is too much content, because everything we have to teach is a lot. The amount of attacks, risks, threats, the amount of
digital care. I always draw the parallel that in 2020 I wrote a book called "Hackeds", 57 pages, written completely in rhymes, so you can read it rapping, but it's made so that anyone can understand it. And in that book I drew a parallel between what was happening, because I published it in 2020 as a result of what was happening with COVID: cybercrime or cybersecurity is a bit like what happened during the pandemic. There is a very contagious virus going around, in this case there are many, but just so people understand it. And there are a series of hygiene measures that we have to start adopting and that we were not
used to. We were not used to wearing masks, we were not used to using alcohol gel all the time, to being careful about what surface we were in contact with. But if we didn't do it, we ended up infected. In the digital environment, digital hygiene habits are much more than a mask, alcohol gel and being careful about what we touch. So the amount of content we have to share is a lot and we have to think about the amount of content we are obliged to, we have to think about the amount of content that is really relevant for the risks of our company, not the risks at a general level. Because in general everyone seeks
I see a lot of awareness programs where in the ABC they are all the same and there are things that coincide, but there are companies that have risks different from others. In fact, they all have different risks from others, or even having the same risk, they should worry differently, because in a risk analysis the probability and the impact are very different and we have to prioritize what is relevant for our business, not the rest. And what do we have to focus on? Considering the range of things we have to raise awareness about, what we are forced to raise awareness about and what is relevant by risk. In the end, what the user can process. Someone said they
don't have time. And what converges, in this event, in this, is what we have to focus on. In seeing everything we have to share that is relevant for the business. What are we forced to do by some regulation or requirement of a third party? And finally, how much time do people have? And what of all that can we share in the time that people have? In the basic "there is no money" that they usually say, well, there is money for the EDR, for the XDR, there is money for the CIEM, there is money for everything. But when we get to the part of awareness among users, it's like, you give the talk, they say. Like,
why don't you give it to her? And here I always suggest, as a strategy, first share budget with other areas. Why? Because user training and awareness impacts human resources and also impacts the legal and compliance area, which has to demonstrate and show that it is doing so. So I always suggest inviting those players to the table and telling them: I'm going to tell you what the content of the risks is, but even if you look at ISO 27001, for the part of awareness and training, Annex A control 6.3, if I remember correctly, is among those that are categorized as controls linked to human resources. With which, to human resources, you say: "This
is yours, I tell you what and how you do it. Legal, do you need to show this in an audit? Well, you are part of the table too and you are the one who is going to put their hand in their pocket." That's a strategy. Try to semi-automate at least everything that is manual. Today with AI, a lot of the phishing template generation, all the content to send awareness emails, everything that has to do even with design. Canva has a whole AI part; other tools for content generation can also be leveraged when you are alone against the world and, despite all this, they threw it at you. Try outsourcing when possible and again, rely on generative AI. But,
to put on the screen a little what the main risks are, each one of you will feel which one hurts more, which one hurts less, but these are all the things that I have gathered over the years that are happening to those who work in security within a company and, for thinking that they work in security, the company entrusts you with awareness and user training as if it were only your role and your responsibility. And these are some of the pains; do not worry about taking pictures because I can share them later, there is no problem, they ask me for it on LinkedIn. And then, before this question, which I answered at the beginning
of the talk, which is: "Is it enough to raise awareness?" And the reality is that it is not enough to raise awareness, because there is much more. And what is there after raising awareness? Raising awareness is only informing users about the risks associated with technology. Awareness is when you drive and see a sign that says: "If you are at the wheel, don't drink." "If you are at the wheel, don't use the phone." And yet, I don't know how it happens here, but when I'm driving in Argentina, there are a lot of signs that say: "If you are at the wheel, don't look at the phone." And I look to the right and
I look to the left and I have two people like that with the wheel in the other hand. I say: "I'm alive by a miracle." And those people are aware of the risk, but they don't feel it's going to happen to them. Because we feel that there is a kind of, by nature, we have a kind of light beam that illuminates us and exempts us from the risks that happen to others. So when we see that there is a risk, we feel that there is a risk, but that it doesn't affect us. So we need to train people. And training, unlike awareness, is that besides giving you the information, I'm going to give you a
skill. And that skill has to do with: I'm going to teach you what you have to do and how you have to do it. That's why there are the phishing drills, right? Or the phishing simulator. We are going to put people at risk in a simulated way, so that they know how to identify, how to report, how to act. That's training. That is to constantly reinforce that there is something that the user has to do. Not just know. We need them to act. And we don't need them to be afraid of the mail, because that's not our purpose. Our purpose is that every mail they receive, they read it, analyze it and say: "Oh, this
is suspicious." I report it through the channel that was communicated to me. That's what we all dreamed of. But that requires more than just giving talks. It requires practice, like everything that is trained. And finally, changing the culture has to do with incorporating ideas, incorporating customs. In the company it is done like this. And a little bit, putting in the organizational DNA that everyone behaves in a way that we are already used to and it is a habit and you don't have to think about it so much. So that each new person who enters the company, the team in which they work will already lead them to work safely. Why? Because they already have those habits developed and
they are part of the culture. So, suddenly we have an army of Security Champions that are going to be spreading the habits that we have already formed. And when we really generate a culture, we are unloading the backpack that we carry on our back, of how much it weighs to have to take charge of changing the behavior of users, because it is our own users or our own colleagues who are helping us with the new ones who entered, continuing to reaffirm that behavior of that culture. As I was saying, raising awareness is only informing about the risks, and leaving the will of the individuals free as to how they conduct themselves.
And that people know, and this is important, take it as a concept, that people know does not mean that they care or that they are interested. So, if we think that by the mere fact of telling them: "This can happen to you" and it is very important for the company, which makes it even less important, because people care about their information or what can happen to them; they do not care what can happen to the company they work for, unless they are the owner of the company. And this is a reality. So we have to start from that premise that we need something more than just informing. And this is how this framework
is born. All this was the introduction, so at any moment someone is going to come and throw me out, but this is how this framework of 10 steps to change the security culture of a company is born. 10 steps that have to do with governance, with doing a diagnosis, with planning, with involving. Only there does raising awareness appear, in fifth place; empower people, evaluate people, reinforce, measure and then improve. And this, as seen in the clock hands, is a cycle that repeats itself and that I consider as a spiral. As a spiral that now you will understand why. Because if we go, for example, to evaluate users, which in general
we do a general phishing campaign, The first time we go through that circle, we will do a phishing for the entire company. But when we go through the evaluation again, we will surely have to do a level up and do a spear phishing to certain people. And it is not the same content that we are going to send or how we are going to evaluate those who passed the first test than those who did not do so well in the first test. So we have to start tuning and each circle, each turn we take in this spiral, takes us from the general to the particular and we put a degree more of difficulty. This that
I say about evaluating is the same for raising awareness, where maybe we will start with a general program and then we will start to segment. Why? Because in general, where most companies fail is in understanding that everyone learns the same. Assuming that everyone learns the same. And how am I going to explain to people in legal, security, the same way I speak to T.I.V.A. Development? How am I going to explain to human resources, who have different risks, the same as to the area of finance or payment to suppliers, which has to be more attentive to BEC, for example, while the marketing area has to be very attentive to how it handles the data of our users and
our clients and prospects in the CRM that we use. So, each area has different risks, each area has a different way of learning and we have to understand that. And as we advance in this spiral, we will have to start to delve into those concepts, and what we want to generate is a security culture. And in this first step I'm going to put, although governance appeared in the framework, for me governance is something that actually involves everything, because we need governance in all these steps. And what does the diagnosis imply? And one would think that it is only to do a phishing campaign, but the diagnosis is first to understand what the risks are that we
have. Who wants to harm us? And that has to do with threat intelligence. How vulnerable are our users? And there we do talk about phishing in general. So we do a campaign to measure where we are standing. Have we had any incident before where humans have participated? Any involvement of human error? Then we have to think about what they are asking us, or what they are going to ask us. Is the company certified? Is it audited? Is it regulated? What standards? What do they ask for? What is the maturity of our current culture? To know what our baseline is to move forward. What audience are we going to see? Are we going to see the whole company? Are we going to see third parties? Are we going to see
suppliers? Are we going to see consumers? Something that everyone who works in B2C business has to ask themselves. Why? Because suddenly there are financial institutions, insurers, airlines and a lot of other companies whose customers, their consumers, are scammed by abusing their brand. And we all know this, right? The criminal goes, creates a fake account on Etsy or Instagram, passes himself off as a bank and writes to the user to take away the funds. So the regulations ask them to make third parties aware. Well, this is also part of what we have to contemplate. What are the needs of the company and also what is the budget of the company? All this is part of
the pre-diagnosis to understand how to start. But if we make a diagnosis and then we try to execute without a plan, we will have some problem. And what is the main thing that you have to ask yourself before setting up a plan of awareness or cultural change? What behaviors do I want to change? Why? Because if I start going around talking about risks, like a machine gun, very few bullets will hit. You have to be sharpshooters and understand that the number of behaviors that we can change in a year is between 4 and 6, no more than that. So we have to focus on 4 or 6 behaviors. How do we choose what behavior we are going
to change? For some previous incident, what else? For risks, right?
Without a doubt. So, we are going to pass all possible behaviors through a sieve to understand which are the ones we want to change. And those are only some of the behaviors people have that hurt the companies. The fact that they do not report suspicious activities, that they do not protect the data, the lack of common sense, perhaps the safe use of Wi-Fi. Suddenly we have a lot of people traveling and connecting from airports, from public Wi-Fi, from cafes, from wherever they want. So, what are the behaviors that most expose the organization to the risks that we already evaluated in the organization? And something like that would be seen as them having to do an awareness campaign, if you want a cultural change plan in six
months, where they can use a framework that is known in English as TRAM, which has to do with Train, Reinforce, Assess and Manage. Ten minutes. Well, I bet 2.0 like WhatsApp. But more or less this is what you should contemplate for each stage. Set goals, and setting goals means that you should be able to make a table like this, with where we are and where we want to be, so that when the execution of the plan ends, we know effectively if it worked or not. If we don't measure it, how do we know? If we don't measure it, how do we improve it? Involve. What does it mean to involve and who do we have to involve? We need allies, because we already talked a little about the fact that
awareness does not fall on IT or cybersecurity, but there are other areas that should be involved, especially human resources, IT, compliance, even marketing or the areas of internal communication. Why? Because they are going to give us the guidelines so that everything we communicate is in line with the brand manual and has more sense of belonging. They are small details, but the devil is in the details. So reading something generic has a different impact on the user than if you see something corporate, institutional, with our logo, with our colors, etc. Communicate. One of the most important things when you are going to make a cultural change program is how you start, and with the communication of
that program. How do most companies do it? First, they don't communicate it and suddenly they start doing phishing simulations and sending videos. So the user is like: "I have to do more work than what they hired me for. This was not in my job description." What is the least bad step they usually take? Looking at the current risk scenario, the company has made the decision that we are going to have to go through a training to protect the company's assets and interests from the risks and threats we are exposed to. Nobody cares. Why? Because we were talking about the company. And then, communication, or at least the one we promote, would go as follows:
A lot of things are happening out there and you see the newspapers, you see the news, you have some friends, and hasn't it happened to you that they hacked your WhatsApp, Instagram, a bank account? They have a very close acquaintance who has already been through this point in life. So in the company we understand that the security of our collaborators has to be a benefit too. And we care about people's safety. So we are going to start training you in security so that you can protect yourselves in this digital environment and from threats, so that something doesn't happen to you that you have to regret later. Which one of the three do you think is
better? Why? Because the user, in the end, I'm going to send him the same content, but he feels that I'm sending it to him, not to the company. So, I'm going to start to raise awareness about things that may not have as much relevance for the company at first, such as basic digital hygiene in their social media accounts, how to take care of their underage children in the digital environment. The room is full, everyone wants to attend to that and that generates great engagement, a lot of involvement, and suddenly the habits, which as habits cannot be separated between how we are in our personal life and in the work environment,
are going to transfer and people start to behave more safely, because he does it for himself and then in the same way he behaves in the company. So communication is key, and also who this message comes from. I always ask that it come from the highest person responsible in the company, if you can, the general manager, the director, the CEO, whoever, or at least someone from management. Why? Because if someone from IT goes and says: "We want you to start taking care of this", we are in trouble. Why? Because they feel it is a project of IT or of a particular area, and it has to be a project of the company and the organization at a
general level. Programs of incentives and disincentives and, very important, the involvement of C-Level and management, as I told you. Cybersecurity is something that does not apply only to culture, but it is important that it is always known, and it is something that will allow you to pitch any project internally. It is not everyone's responsibility, but it clearly depends on everyone. And each of these areas has a role not only in the security culture, but also in the general security of the company. If finance does not open the budget tap, we can't do anything. If managers and middle managers, every time someone is watching an awareness video, tell them: "What are you doing watching a video?
Get to work." We are in trouble. So, everyone has a role in this and it is important that we know it, to also involve them. And here, look at how the order of the factors alters the product. Because in general, when someone is going to look for a budget to raise awareness in the company, they start from the premise of "we need a platform of awareness and training to send videos and phishing simulations" as a security project, which they can try to tie to an objective like: it will help us because we are looking to certify ISO 27001 or SOC Type 2, or we have to be PCI compliant, or something like that. And finally, the business goal is left for the end, if it remains and someone
remembers. And when a manager is going to present this to you, he tells you, give the talk to you, if it's the same. Now, how does it change if I actually go to the management and I tell them one of the business objectives is to expand to the European market. In the European market, GDPR is imperative, which is the most important and most demanding regulation of personal data at a global level today, and that will require a lot of awareness-raising for all our users, segmented by the level of access and the sensitivity of the data to which they have access and that they are handling. So, if we want to expand to the European
market, we will need to start doing this, and the only way we can do it without having to hire a whole team that goes out to raise awareness and educate people all the time is through a platform that allows us to automate the process. Take the budget. Why? Because we are talking about business first, and it's a tip I give you to present any project. The fourth step, we just got into talking about awareness. And to raise awareness, the only thing I want you to take are some do's and don'ts. On this side, the yes, and on the other side, the no. And when I talk about X, it's keep it simple, stupid. You know that acronym, and it's less is more in general. People don't have much
time, people don't want complexity, they don't understand it, so it's not time to go and demonstrate that we know a lot at the technical level. Why? Because they won't understand us on the other side. So it has to be short, concrete, simple. The good thing is that when it's short, it's doubly good. I'm not going to go one by one because of time, because they're going to tag me soon so I can get off the stage. But you can take this, and then I'm going to send it to you so you have the yes and the no when you raise awareness. When we move on to the empowerment stage, we are talking about that stage
of training, of giving skill. And for giving skill, you have to know that not everyone trains in the same way, that not everyone learns in the same way, and that each learning method has a different impact. And if you think about it, today you will keep 5% of what you heard from me, probably. And in this pyramid, or this learning cone of Edgar Dale, which is very well known, what we can see is how the different activities that we can expose people to make the content or the knowledge of what we are doing hit them differently. And it will happen to you. How many of you are teachers? Doesn't it happen to teachers that they feel that
they learn more when they give classes? Why? Because one has to prepare so much to be able to convey it clearly that one ends up internalizing and perfecting it. That's why people keep 90% of what they teach, and it's the highest grade, and you have to keep that in mind, so you don't always do the same thing, in the sense that you don't always send videos, you don't only send newsletters, because the retention percentages of that knowledge are very, very low.
There is a difference between empower and evaluate, although for both we will surely do simulations, for example. But when we come to evaluate, the yes and the no of social engineering, and this is in the part perhaps of hacking people. When we are looking to do social engineering to see how many fall. And it's not just phishing, we are already doing many deepfake simulations. Voice cloning, face cloning. So new forms of control that we have to consider begin to emerge, but here you have a small do's and don'ts of things to follow and also to avoid. The reinforcement part has to do with the fact that after we evaluate, we know where we are standing and whether or not the stage of awareness and
empowerment has actually come into effect. Did people understand, learn, develop the skill or not? Only with that can we see where we are weak on paper, to say: "Here I have to tighten a screw, here I have to..." And in general it is segmented. Why? Because there are groups that react differently to the different stimuli. That is why segmentation is so important: by areas, by risks, by roles, even by ages. Because we cannot pretend that people who are in their sixties learn in the same way as those who are in their twenties or thirties, because some will want to play video games and others may prefer to read a little text.
Anything goes in reinforcement. Anything goes. Why? Because in the end we don't know where we're going to get through to the user, which of the bullets is going to impact him. So we have to shoot all of them. All of them, of course, according to the plan. So here's the blog, the newsletter, the podcast, doing events. My team one day came and told me, we were about to organize a cybersecurity fair. I said, what is a cybersecurity fair? And suddenly, in a bank, they took it as if it were one of those American festivals with games and fishing for fish. I said, they're all crazy. And it worked. Why? Because people
had fun and generated a different engagement, where they ended up carrying away concepts from doing something fun. And it doesn't matter if the concept was small. Then the reporting metric was much lower. The penultimate step is to measure. And measuring has to do with, well, now we know how it went, and we need different types of reports. Reports that are detailed reports, that maybe the CISO asks us for, that maybe the human resources areas ask us for, where we have to see the risk classifications, the Propensity to Phishing report, how it evolved over time, how many people participated, what groups participated, the level of participation, etc. And then we need executive reports. Why? Because we have to go to the directors much more easily, in a much more graphic,
much more Power BI, much more pie-chart way. We did so many trainings, so many were completed, we did so many phishing simulations, so many were completed. The level of propensity to phishing went down so much, and not much more than that. Everything is working. The budget you enabled for us is working great. And here comes the last stage, which has to do with the improvement. Now that we know how it went, do you remember the circular graph? From there we can start a new stage where everything starts again, but from a different point than the original. So my final question for you is: considering that culture is not something we can ignore, and we only have to choose between two, and it is the one we forge or the one we
ignore, because we will finally have one of the two, and each one of us is a change agent, and to be a change agent, which is what we ask our users, to change the behavior of how they are doing things or how they are behaving, we have to understand that, in the same way that when someone asks us something, the mere fact of saying no doesn't mean that we get involved or that we feel we have to do it. It takes much more than being aware to change people's behavior in cybersecurity. So, without much more, I thank you for your time, for your attention, to the organization, for the invitation, and I leave you
my networks and a QR code in case you want to scan, without any fear. There is more information, there is the book I told you about, and much more. Thank you. Jorge, thank you very much. Excellent talk. Any questions for Jorge? Hacked. Easy. Question? Anyone? Well, you had us all there, going around with what you said, but spectacular. And to close, wait a second, here the detail of Visites. Thank you very much. Thank you for trusting the space and well, we continue. Thank you. Well, to close today, simply remember the spaces we have. We have several spaces, both today, what is left of today, and tomorrow. Without a doubt, it has been a super-nourishing day in
the talks. If you noticed, from the part of Hacking Culture, everything we saw in terms of AI, ERs, research, car hacking, all the part of phishing, all the part of research, I think it has been super-nourishing and varied. Even the part of CECIRT also complemented us a lot with different topics, and that's what we're looking for. That you see all those vectors of knowledge that exist and where we have to focus. Simply to close, they already changed the site for the wardriving part, where we are going to do it; those who are going to go to the wardriving, stay here please, here after closing the space, they will comment on how the tour is going to be and how we are going to be doing this
task. Gio. Everyone is invited. For the wardriving everyone is invited. We have a limited capacity. We have two buses. I think that with the ones we are with, we all fit. So, what is the wardriving going to be? Nicolás is coming right now. He is going to give a prior workshop to explain to you, so that everyone has the same knowledge. After the workshop, we start: the buses pick us up, in Barranquilla it will be a tour of about three hours around the city. We return here to the university and, well, it's to share, learn and do the wardriving. So, all those interested, and the idea is that we can share there. Welcome. Ready?
That would be for today. That's what we have for today. Tomorrow we have Eco Kids. Many have approached me asking, I already signed up with my son, what happened? We have not sent you an email because basically those who managed to make the registration have secured their spot. We are going to send you an email right now, but everyone can come. Tomorrow we start at 8:30. Come with your son, you don't need to bring anything else. The space is ready, Sol is ready, prepared for the space, all the people who are going to be there. So welcome. If anyone has not made the registration, there are still spots. So, welcome, and you can do Eco
Kids. What is Eco Kids? Eco Kids is going to be a space where we are going to be with children from 7 to 13 years old, allowing them to be, play and from there learn another way of thinking. Ready? So that's what we're going to have in Eco Kids tomorrow morning. Additionally, tomorrow we will have talks from 8:30 in the morning. And tomorrow night, the official party of the event, from 8:30 pm, we will be in Martín Moreno again. Something very important for everyone, the badge. Without the badge, you can't enter. But with the badge you already have the entrance secured, so please, take care of it, carry it, it is important tomorrow for the party. And
to get here too, that is, tomorrow there is no registration for those who have a badge, they pass directly, so don't forget it, regardless of how you end today, please bring it. Yes, it is important that you are already accredited as attendees to the event. So we have that. Tomorrow there's also a hands-on for the VIPs, I think there are two. Yes, there are two hands-on, and also remember what Nicolás talked about at the start, for the part of the Backdoors and Breaches game, which is also the card game that we also have, there are some prizes for those who participate and finish the game, and well, continue enjoying these spaces. Yes, thank you all very much for your attendance, and well, Nicolás
is coming in, so I hope, I imagine that everyone is going to stay and then we'll start with the wardriving. Thank you.