Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building Your Own DFIR Sidekick: THREADS Edition
Search
Scott J. Roberts
November 14, 2014
Technology
2
780
Building Your Own DFIR Sidekick: THREADS Edition
My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.
Scott J. Roberts
November 14, 2014
Tweet
Share
More Decks by Scott J. Roberts
See All by Scott J. Roberts
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
43
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
19
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
14
Homemade Ramen & Threat Intelligence
sroberts
2
460
Introduction to Open Source Security Tools
sroberts
3
4.8k
Building Effective Threat Intelligence Sharing
sroberts
1
100
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
100
Crisis Communication for Incident Response
sroberts
1
300
Hipster DFIR on OSX - BSidesCincy
sroberts
3
3.2k
Other Decks in Technology
See All in Technology
データ分析基盤を作ってみよう~設計編~
nrinetcom
PRO
1
110
テストケースの自動生成に生成AIの導入を試みた話と生成AIによる今後の期待
shift_evolve
0
180
AI研修【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
130
エンジニアの生存戦略 〜クラウド潮流の経験から紐解く技術トレンドのメカニズムと乗りこなし方〜
shimy
9
1.9k
Azure AI ことはじめ
tsubakimoto_s
0
130
AWSサービスメニュー開発をしていてAWSを好きだ!と感じた瞬間
toru_kubota
0
130
サーバーレスAPI(API Gateway+Lambda)とNext.jsで 個人ブログを作ろう!
shuntaka
PRO
0
560
大規模ドラレコデータ収集・機械学習基盤を支える AWS CDK 〜導入・運用事例紹介〜
pemugi
0
110
E2Eテスト自動化プラットフォームにおけるAIの活用
shift_evolve
0
180
エンジニア向け会社紹介資料
caddi_eng
14
220k
開発生産性をむしろ向上させる セキュリティパートナーの作り方 / Dev Productivity Con 2024
flatt_security
0
360
20240717_イケコパ代表Copilot_in_Teams会社でこう使ってます
ponponmikankan
2
430
Featured
See All Featured
Producing Creativity
orderedlist
PRO
340
39k
Mobile First: as difficult as doing things right
swwweet
219
8.8k
Infographics Made Easy
chrislema
238
18k
Git: the NoSQL Database
bkeepers
PRO
423
64k
Designing on Purpose - Digital PM Summit 2013
jponch
113
6.6k
From Idea to $5000 a Month in 5 Months
shpigford
377
46k
Optimising Largest Contentful Paint
csswizardry
18
2.6k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
17
8.7k
Fashionably flexible responsive web design (full day workshop)
malarkey
399
65k
In The Pink: A Labor of Love
frogandcode
139
22k
Teambox: Starting and Learning
jrom
130
8.6k
The Cost Of JavaScript in 2023
addyosmani
31
4.7k
Transcript
Building Your Own DFIR Sidekick ChatOps for Incident Response
I do incident response @ GitHub Hi, I’m Scott
He Does Basically Everything @ GitHub This is Hubot
“making it easier to work together than to work alone….”
๏ CHatops & Incident Response ๏ Hubot Variable Threat Response
๏ Deploying & Developing Hubot
A Brief Introduction to ChatOps
What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal
Experience
So What Really is ChatOps?!
None
None
Chat
Chat
None
Why Chatops anyway?
Geographically distributed
None
None
asynchronous
multi device
None
None
None
hides the “ugly” Or at least makes interfaces consistent
“This was always my main motivation with Hubot - teaching
by doing by making things visible.” - @Tomayko
How GitHub Uses Chatops
deploy & monitor servers via Puppet
deploy & monitor Code via Capistrano & Jenkins CI
Monitor Systems via Nagios
None
None
Update our Status Site (Hopefully rarely)
Lookup Funny pictures And Gifs Too!
None
Shoutout to MattJay
So what about DFIR?! Hint: We were already Doing It
Managing our pager alerts via pagerduty
Showing Process Lists on Hosts
Changing firewall rules
getting whois information
getting app logs & stats via Splunk & Graphite
None
“Swinging the BanHammer”
Other “secret” stuff just come ask me if you’re curious
“making it easier to work together than to work alone….”
“making it easier to Respond to Incidents together than to
Respond alone….”
Hubot VTR
Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions
๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)
๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis
hubot-vtr modules for dfir
Code name generator Because you can’t call it “That thing
from January” forever
Geolocating IPs But not for attribution...
reverse dns lookups
checking resource reputations mywot, Google, virustotal, & Opendns
None
research links generator Robtext, CentralOps, Hurricane Electric…
server profiling via shodan
None
malware research via virustotal
passive dns via virustotal
detection generation via yara & Snort
force multipler
Deployment & Development
Deployment Local Or Heroku
3 Components brain + Connector + Scripts
Development CoffeeScript On NodeJs
None
Docs Matter
None
None
None
None
None
None
None
None
None
None
Hubot’s “Voice”
In Conclusion…
ChatOps can make incident response collaborative & Hubot VTR puts
DFIR tools & tasks in chat
Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts
Contact Me github & twitter: @sroberts sroberts.github.io
Thanks!!!
None