
Speaker: David Bernal Michelena

Profile

Incident Response Manager at Mandiant, Global Cybersecurity Trainer and Speaker

David Bernal Michelena is a cybersecurity strategist with an elite track record in handling high-complexity incident response. He currently serves as the Incident Response and Investigations Manager at Mandiant (Google Cloud) for Latin America.

As an instructor, he has proven his ability to transfer knowledge in the most demanding scenarios worldwide, having delivered specialized incident response training at Black Hat USA, DEF CON Blue Team Village, Mandiant mWISE, and the Microsoft Digital Crimes Consortium. His teaching experience is backed by a history of success at SANS Institute, where he achieved a satisfaction rating of 4.87/5 and a 99% score on his GCIH certification, in addition to being the first professional in Mexico to obtain the GSE (GIAC Security Expert) certification.

He is a recurring speaker at the most influential industry forums, participating as a speaker at Black Hat USA, SANS Threat Hunting Summit, 8.8 Computer Security Conference, BSides, among others. With 16 active GIAC certifications, his approach combines the technical rigor of modern Incident Handling—including Cloud and AI security—with the tactical experience of someone leading critical operations in the region. Outside of the technical realm, David plays music, enjoys being in nature, and works out.

Workshop:

YARA Unchained: Modern Detection Engineering for Blue Teamers

This workshop is designed to elevate the capabilities of security analysts, transitioning from a static signature-based approach to dynamic and resilient detection engineering, integrating the most advanced tools available in 2026.

Module 1: The Cybersecurity Ecosystem and the Role of YARA

Before diving into the syntax, we will set the strategic context where YARA acts as the connecting tissue of defense operations:

  • Incident Response (IR): YARA as a fast “triage” tool to identify compromised hosts and determine the scope of a breach.
  • Threat Hunting: Hypothesis creation based on behaviors to search for “live” threats that have evaded traditional security controls.
  • Malware Analysis: Using YARA for family classification, identifying specific functionalities, and discovering similarities between samples.
  • Threat Intelligence (CTI): How to transform tactical and technical reports into operational detections to prevent future attacks.
  • Value Map: Identifying at which stage of each process YARA provides the greatest competitive advantage for the Blue Team.

Module 2: High-Fidelity Fundamentals and Syntax

  • What is YARA? Origin, “pattern matching” philosophy, and anatomy of a rule (Meta, Strings, Condition).
  • Advanced Syntax: Mastering modifiers to capture malware variants.
  • Condition Engineering: Writing efficient logic to minimize CPU impact and optimize scans in production environments.
  • Structural Detection with Modules:
    • PE Module: Using imphash, sections, and resources to detect malware families.
    • ELF Module: Signatures for threats in Linux environments and containers.
    • Math Module: Calculating entropy to identify packers and encrypted files.
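The following rule is an added illustration of the Module 2 topics (rule anatomy, string modifiers, condition ordering, and the pe and math modules); it is not material from the workshop or from the speaker. The family name, the marker string, the hex pattern and the imphash value are constructed placeholders, not indicators for any real malware.

```yara
import "pe"
import "math"

rule Example_Packed_PE_Family_Marker
{
    meta:
        description = "Illustrative rule: anatomy (meta/strings/condition), modifiers, pe and math modules"
        author = "editor example, not workshop material"
        date = "2026-01-01"

    strings:
        // ascii wide: match whether the marker is stored as ASCII or UTF-16LE;
        // nocase: survive variants that change capitalization
        $marker = "ExampleFamilyMarker" ascii wide nocase

        // Hex pattern with a wildcard byte (??) and a jump ([4-8]) so small
        // code changes between variants do not break the match
        $code = { 55 8B EC 83 EC ?? [4-8] E8 }

    condition:
        // Cheap gates first: MZ header and size bound, so the expensive
        // module work below only runs on plausible PE files
        uint16(0) == 0x5A4D and filesize < 2MB and
        (
            // Structural match on an import hash (placeholder value, not a real family hash)
            pe.imphash() == "00000000000000000000000000000000" or

            // Content match: both the marker and the code pattern must be present
            ($marker and $code) or

            // Packer/encryption heuristic: a large section with near-random bytes
            for any section in pe.sections : (
                section.raw_data_size > 64KB and
                math.entropy(section.raw_data_offset, section.raw_data_size) > 7.2
            )
        )
}
```

The ordering inside the condition is the "condition engineering" point: YARA short-circuits left to right, so the header and filesize checks reject most files before pe.imphash() or math.entropy() are evaluated. The entropy branch is deliberately gated on section size because small, high-entropy sections (certificates, icons) are common in legitimate software and would otherwise produce false positives; pe.imphash() requires a YARA build with OpenSSL support.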

Module 3: Generative Artificial Intelligence (Gen AI) with Gemini

  • Gemini as Copilot: Prompt engineering for automatic pattern extraction from disassembled code and intelligence reports.
  • Translating CTI to YARA: Automating the workflow from a security blog post to a functional rule in seconds.
  • The Human Factor (QA): Manual review techniques to correct AI hallucinations and refine detection logic.

Module 4: Threat Hunting in Memory (Volatility 3, Velociraptor)

  • Modern Forensic Analysis: Transitioning from outdated tools to Volatility 3.
  • Fileless Detection: Identifying code injections, reflective DLLs, and hidden processes in RAM dumps.
  • Beacon Hunting: Locating command and control (C2) beacons using YARA signatures applied to active processes.

Module 5: Network Visibility and Detection (Zeek)

  • Traffic Analysis with YARAZeek: Implementing the author’s tool for extracting and analyzing files in transit.
  • PCAP Inspection: Techniques for enriching network detection by analyzing historical capture files.
  • Exfiltration Detection: Using YARA to identify patterns of sensitive data leaving through common protocols.

Module 6: Global Ecosystem and Scalability

  • VirusTotal Retrohunt: Validating rules against petabytes of historical samples to measure effectiveness and reach.
  • VirusTotal Livehunt: Proactively adding rules to receive notifications as soon as samples from the family of interest are uploaded.
  • Fighting False Positives:
    • Creating and maintaining “Goodware” repositories.
    • Filtering strategies to avoid unnecessary alerts in the SOC.
  • Response Automation: Integrating YARA scans into incident response (IR) pipelines and conceptual integration with EDRs.