Building Your Own DFIR Sidekick: THREADS Edition

Transcript

1. Building Your Own DFIR Sidekick ChatOps for Incident Response

2. I do incident response @ GitHub Hi, I’m Scott

3. He Does Basically Everything @ GitHub This is Hubot

4. “making it easier to work together than to work alone….”

5. ๏ CHatops & Incident Response ๏ Hubot Variable Threat Response

   ๏ Deploying & Developing Hubot

6. A Brief Introduction to ChatOps

7. What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal

   Experience

8. So What Really is ChatOps?!

9. None
10. None

11. Chat

12. Chat

13. None

14. Why Chatops anyway?

15. Geographically distributed

16. None
17. None

18. asynchronous

19. multi device

20. None
21. None
22. None

23. hides the “ugly” Or at least makes interfaces consistent

24. “This was always my main motivation with Hubot - teaching

    by doing by making things visible.” - @Tomayko

25. How GitHub Uses Chatops

26. deploy & monitor servers via Puppet

27. deploy & monitor Code via Capistrano & Jenkins CI

28. Monitor Systems via Nagios

29. None
30. None

31. Update our Status Site (Hopefully rarely)

32. Lookup Funny pictures And Gifs Too!

33. None

34. Shoutout to MattJay

35. So what about DFIR?! Hint: We were already Doing It

36. Managing our pager alerts via pagerduty

37. Showing Process Lists on Hosts

38. Changing firewall rules

39. getting whois information

40. getting app logs & stats via Splunk & Graphite

41. None

42. “Swinging the BanHammer”

43. Other “secret” stuff just come ask me if you’re curious

44. “making it easier to work together than to work alone….”

45. “making it easier to Respond to Incidents together than to

    Respond alone….”

46. Hubot VTR

47. Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions

    ๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)

48. ๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis

49. hubot-vtr modules for dfir

50. Code name generator Because you can’t call it
 “That thing

    from January” forever

51. Geolocating IPs But not for attribution...

52. reverse dns lookups

53. checking resource reputations mywot, Google, virustotal, & Opendns

54. None

55. research links generator Robtext, CentralOps, Hurricane Electric…

56. server profiling via shodan

57. None

58. malware research via virustotal

59. passive dns via virustotal

60. detection generation via yara & Snort

61. force multipler

62. Deployment & Development

63. Deployment Local Or Heroku

64. 3 Components brain + Connector + Scripts

65. Development CoffeeScript On NodeJs

66. None

67. Docs Matter

68. None
69. None
70. None
71. None
72. None
73. None
74. None
75. None
76. None
77. None

78. Hubot’s “Voice”

79. In Conclusion…

80. ChatOps can make incident response collaborative & Hubot VTR puts

    DFIR tools & tasks in chat

81. Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts

82. Contact Me github & twitter: @sroberts sroberts.github.io

83. Thanks!!!

84. None