Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Your Own DFIR Sidekick: THREADS Edition

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Scott J. Roberts Scott J. Roberts
November 14, 2014
Technology
2
980

Building Your Own DFIR Sidekick: THREADS Edition

My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.

Avatar for Scott J. Roberts

Scott J. Roberts

November 14, 2014
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
LLM SATs FTW
Avatar for Scott J. Roberts sroberts
0
1k
STRAT - A System-Centric Approach to Cyber Resilience
Avatar for Scott J. Roberts sroberts
0
57
Tortured Responders Dept - Scott & Rebekah's Edition
Avatar for Scott J. Roberts sroberts
0
140
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
Avatar for Scott J. Roberts sroberts
0
160
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
Avatar for Scott J. Roberts sroberts
0
98
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
Avatar for Scott J. Roberts sroberts
0
94
Homemade Ramen & Threat Intelligence
Avatar for Scott J. Roberts sroberts
2
580
Introduction to Open Source Security Tools
Avatar for Scott J. Roberts sroberts
3
5k
Building Effective Threat Intelligence Sharing
Avatar for Scott J. Roberts sroberts
1
130

Other Decks in Technology

See All in Technology
FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE
Avatar for maaaato maaaato
0
130
Agile Leadership Summit Keynote 2026
Avatar for seki at druby.org m_seki
1
650
配列に見る bash と zsh の違い
Avatar for kazzpapa3 kazzpapa3
3
160
Cosmos World Foundation Model Platform for Physical AI
Avatar for Takuya MINAGAWA takmin
0
940
Greatest Disaster Hits in Web Performance
Avatar for Estela Franco guaca
0
270
こんなところでも(地味に)活躍するImage Modeさんを知ってるかい?- Image Mode for OpenShift -
Avatar for Masataka Tsukamoto tsukaman
1
160
仕様書駆動AI開発の実践: Issue→Skill→PRテンプレで 再現性を作る
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
2
680
SREのプラクティスを用いた3領域同時 マネジメントへの挑戦 〜SRE・情シス・セキュリティを統合した チーム運営術〜
Avatar for coconala_engineer coconala_engineer
2
670
【Oracle Cloud ウェビナー】[Oracle AI Database + AWS] Oracle Database@AWSで広がるクラウドの新たな選択肢とAI時代のデータ戦略
Avatar for oracle4engineer oracle4engineer
PRO
2
170
10Xにおける品質保証活動の全体像と改善 #no_more_wait_for_test
Avatar for nihonbuson nihonbuson
PRO
2
320
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
68k
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
5
17k

Featured

See All Featured
Mind Mapping
Avatar for Hélio Medeiros helmedeiros
PRO
0
88
Marketing to machines
Avatar for Jono Alderson jonoalderson
1
4.6k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.8k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
74
11k
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
70
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
74
5k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
77
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
37
6.3k
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.3k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
432
66k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
8.4k

Transcript

  1. Building Your Own DFIR Sidekick ChatOps for Incident Response

  2. I do incident response @ GitHub Hi, I’m Scott

  3. He Does Basically Everything @ GitHub This is Hubot

  4. “making it easier to work together than to work alone….”

  5. ๏ CHatops & Incident Response ๏ Hubot Variable Threat Response

    ๏ Deploying & Developing Hubot

  6. A Brief Introduction to ChatOps

  7. What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal

    Experience

  8. So What Really is ChatOps?!

  9. None
  10. None

  11. Chat

  12. Chat

  13. None

  14. Why Chatops anyway?

  15. Geographically distributed

  16. None
  17. None

  18. asynchronous

  19. multi device

  20. None
  21. None
  22. None

  23. hides the “ugly” Or at least makes interfaces consistent

  24. “This was always my main motivation with Hubot - teaching

    by doing by making things visible.” - @Tomayko

  25. How GitHub Uses Chatops

  26. deploy & monitor servers via Puppet

  27. deploy & monitor Code via Capistrano & Jenkins CI

  28. Monitor Systems via Nagios

  29. None
  30. None

  31. Update our Status Site (Hopefully rarely)

  32. Lookup Funny pictures And Gifs Too!

  33. None

  34. Shoutout to MattJay

  35. So what about DFIR?! Hint: We were already Doing It

  36. Managing our pager alerts via pagerduty

  37. Showing Process Lists on Hosts

  38. Changing firewall rules

  39. getting whois information

  40. getting app logs & stats via Splunk & Graphite

  41. None

  42. “Swinging the BanHammer”

  43. Other “secret” stuff just come ask me if you’re curious

  44. “making it easier to work together than to work alone….”

  45. “making it easier to Respond to Incidents together than to

    Respond alone….”

  46. Hubot VTR

  47. Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions

    ๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)

  48. ๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis

  49. hubot-vtr modules for dfir

  50. Code name generator Because you can’t call it
 “That thing

    from January” forever

  51. Geolocating IPs But not for attribution...

  52. reverse dns lookups

  53. checking resource reputations mywot, Google, virustotal, & Opendns

  54. None

  55. research links generator Robtext, CentralOps, Hurricane Electric…

  56. server profiling via shodan

  57. None

  58. malware research via virustotal

  59. passive dns via virustotal

  60. detection generation via yara & Snort

  61. force multipler

  62. Deployment & Development

  63. Deployment Local Or Heroku

  64. 3 Components brain + Connector + Scripts

  65. Development CoffeeScript On NodeJs

  66. None

  67. Docs Matter

  68. None
  69. None
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None

  78. Hubot’s “Voice”

  79. In Conclusion…

  80. ChatOps can make incident response collaborative & Hubot VTR puts

    DFIR tools & tasks in chat

  81. Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts

  82. Contact Me github & twitter: @sroberts sroberts.github.io

  83. Thanks!!!

  84. None