Building Your Own DFIR Sidekick: THREADS Edition

My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.

Scott J. Roberts

November 14, 2014

Transcript

  1. Building Your Own
    DFIR Sidekick
    ChatOps for Incident Response

  2. I do incident response @ GitHub
    Hi, I’m Scott

  3. He Does Basically Everything @ GitHub
    This is Hubot

  4. “making it easier to work together than
    to work alone….”

  5. ๏ ChatOps & Incident Response
    ๏ Hubot Variable Threat Response
    ๏ Deploying & Developing Hubot

  6. A Brief
    Introduction to
    ChatOps

  7. What is ChatOps?!
    DevOps + Chat = ChatOps
    Collaborative Terminal Experience

  8. So What Really is
    ChatOps?!

  11. Chat

  12. Chat

  14. Why ChatOps
    anyway?

  15. Geographically
    distributed

  18. Asynchronous

  19. Multi-device

  23. Hides the “ugly”
    Or at least makes interfaces
    consistent

  24. “This was always my main motivation
    with Hubot - teaching by doing by
    making things visible.”
    - @Tomayko

  25. How GitHub Uses
    ChatOps

  26. Deploy & monitor servers
    via Puppet

  27. Deploy & monitor code
    via Capistrano & Jenkins CI

  28. Monitor systems
    via Nagios

  31. Update our status site
    (Hopefully rarely)

  32. Lookup funny pictures
    And GIFs too!

  34. Shoutout to MattJay

  35. So what about DFIR?!
    Hint: We were already doing it

  36. Managing our pager alerts
    via PagerDuty

  37. Showing process lists on hosts

  38. Changing firewall rules

  39. Getting whois information

  40. Getting app logs & stats
    via Splunk & Graphite

  42. “Swinging the BanHammer”

  43. Other “secret” stuff
    just come ask me if you’re curious

  44. “making it easier to work together than
    to work alone….”

  45. “making it easier to Respond to Incidents
    together than to Respond alone….”

    View Slide

  46. Hubot VTR

  47. Hubot
    ๏ Node.js based chat bot
    ๏ CoffeeScript based actions
    ๏ deployable anywhere you can run
    Node.js (Unix, Windows, Heroku, etc.)

  48. ๏ Disk Forensics
    ๏ Network Forensics
    ๏ Open Source Intelligence
    ๏ Malware Analysis

  49. hubot-vtr
    modules for DFIR

  50. Code name generator
    Because you can’t call it
    “That thing from January” forever

  51. Geolocating IPs
    But not for attribution...

  52. Reverse DNS lookups

  53. Checking resource reputations
    MyWOT, Google, VirusTotal & OpenDNS

  55. Research links generator
    Robtex, CentralOps, Hurricane Electric…

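The research links generator on slide 55 needs no API key, which makes it the kind of module to write first. What follows is an added JavaScript example, not code from the deck or from the hubot-vtr-scripts repository: it refangs the `hxxp://` and `[.]` forms analysts paste into chat, classifies the indicator as an IPv4 address or hostname, and builds lookup URLs for the three sites the slide names. The classification doubles as input validation: anything else is refused rather than interpolated into a URL (or, in other modules, a command line). The URL formats are assumptions about those sites' lookup pages and should be checked before use; the regexes and function names are this example's own.

```javascript
'use strict';
// Added example, not from the deck or hubot-vtr-scripts. Research-links generator
// for a Hubot command such as "hubot links <indicator>". URL formats for Robtex,
// CentralOps and Hurricane Electric are assumptions about those sites; verify them.

const IPV4_RE =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// Hostname: dot-separated labels of letters, digits and inner hyphens, alphabetic TLD.
const DOMAIN_RE =
  /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Analysts paste defanged indicators in chat ("hxxp://evil[.]example/x").
// Undo the common defangings and keep only the host part.
function refang(raw) {
  return raw.trim()
    .replace(/^h(xx|tt)ps?:\/\//i, '')
    .replace(/\[\.\]|\(\.\)/g, '.')
    .replace(/[\/?#].*$/, '');
}

// Returns { type: 'ip' | 'domain' | 'unknown', value }. Doubles as input
// validation: only a clean IPv4 address or hostname ever reaches a URL.
function classifyIndicator(raw) {
  const value = refang(raw).toLowerCase();
  if (IPV4_RE.test(value)) return { type: 'ip', value };
  if (DOMAIN_RE.test(value)) return { type: 'domain', value };
  return { type: 'unknown', value };
}

function researchLinks(raw) {
  const ind = classifyIndicator(raw);
  if (ind.type === 'unknown') return [];
  const v = encodeURIComponent(ind.value);
  const dossier = `https://centralops.net/co/DomainDossier.aspx?addr=${v}&dom_whois=true`;
  if (ind.type === 'ip') {
    return [
      { name: 'Robtex', url: `https://www.robtex.com/ip-lookup/${v}` },
      { name: 'CentralOps', url: `${dossier}&net_whois=true` },
      { name: 'Hurricane Electric', url: `https://bgp.he.net/ip/${v}` },
    ];
  }
  return [
    { name: 'Robtex', url: `https://www.robtex.com/dns-lookup/${v}` },
    { name: 'CentralOps', url: `${dossier}&dom_dns=true` },
    { name: 'Hurricane Electric', url: `https://bgp.he.net/dns/${v}` },
  ];
}

// What the bot posts back to the channel.
function formatLinks(raw) {
  const links = researchLinks(raw);
  if (links.length === 0) {
    return `"${raw}" is not an IPv4 address or hostname I can look up.`;
  }
  return links.map(l => `${l.name}: ${l.url}`).join('\n');
}

module.exports = { refang, classifyIndicator, researchLinks, formatLinks };
```

Wired into a script, `formatLinks(res.match[1])` is the reply to `robot.respond(/links (\S+)/i, ...)`; the same `classifyIndicator` gate belongs in front of the reverse DNS and geolocation modules too, since those hand the value to a resolver or a third-party API.
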
  56. Server profiling
    via Shodan

  58. Malware research
    via VirusTotal

  59. Passive DNS
    via VirusTotal

  60. Detection generation
    via YARA & Snort

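Detection generation (slide 60) is where chat input turns into rules that other systems will load, so it is also where an unvalidated indicator does the most damage: a "domain" containing a quote or semicolon lands inside the quoted string of a YARA or Snort rule. The following is an added JavaScript example, not code from the deck or from hubot-vtr-scripts, showing one way to emit a YARA rule plus Snort HTTP and DNS rules from a code name and a list of domains and file hashes, refusing anything that does not match a strict indicator shape. The rule layout, SID range, classtype and function names are this example's choices.

```javascript
'use strict';
// Added example, not from the deck or hubot-vtr-scripts: generate YARA and Snort
// rules from chat-supplied indicators. Layout, SID range and names are this
// example's choices, not hubot-vtr's.

const DOMAIN_RE = /^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
const MD5_RE = /^[a-f0-9]{32}$/i;
const SHA256_RE = /^[a-f0-9]{64}$/i;
const CODENAME_RE = /^[A-Za-z][A-Za-z0-9_]{0,63}$/;   // also valid as a YARA identifier

// Indicators arrive from chat, so they are untrusted. A value with '"' or ';'
// would break out of the quoted string in the rule text, so reject rather than
// try to escape, and only accept the shapes the generator understands.
function validate(codename, indicators) {
  if (!CODENAME_RE.test(codename)) throw new Error(`bad code name: ${codename}`);
  const domains = [], hashes = [];
  for (const raw of indicators) {
    const v = String(raw).trim().toLowerCase();
    if (DOMAIN_RE.test(v)) domains.push(v);
    else if (MD5_RE.test(v) || SHA256_RE.test(v)) hashes.push(v);
    else throw new Error(`unsupported or malformed indicator: ${raw}`);
  }
  if (domains.length + hashes.length === 0) throw new Error('no indicators given');
  return { domains, hashes };
}

// One YARA rule: domain strings for disk/memory sweeps, hash conditions for files.
function yaraRule(codename, indicators) {
  const { domains, hashes } = validate(codename, indicators);
  const out = [];
  if (hashes.length) out.push('import "hash"', '');
  out.push(`rule ${codename}_indicators`, '{',
    '    meta:',
    `        description = "${codename} network and file indicators"`,
    '        source = "generated in chat"');
  if (domains.length) {
    out.push('    strings:');
    domains.forEach((d, i) => out.push(`        $domain${i} = "${d}" ascii wide nocase`));
  }
  const conds = [];
  if (domains.length) conds.push('any of ($domain*)');
  for (const h of hashes) {
    const fn = h.length === 32 ? 'md5' : 'sha256';
    conds.push(`hash.${fn}(0, filesize) == "${h}"`);
  }
  out.push('    condition:', `        ${conds.join(' or ')}`, '}');
  return out.join('\n');
}

// Snort "content" for a DNS query name: each label prefixed by its length byte,
// then a zero byte, in Snort's mixed text/|hex| notation.
function dnsWireContent(domain) {
  return domain.split('.')
    .map(l => `|${l.length.toString(16).padStart(2, '0')}|${l}`).join('') + '|00|';
}

// Two Snort rules per domain: an HTTP Host header match and a DNS query match.
// Local rules use SIDs from 1000000 up so they never collide with distributed sets.
function snortRules(codename, indicators, baseSid = 1000000) {
  const { domains } = validate(codename, indicators);
  const rules = [];
  domains.forEach((d, i) => {
    rules.push(
      `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"${codename} HTTP request to ${d}"; ` +
      `flow:to_server,established; content:"Host: ${d}"; http_header; nocase; ` +
      `classtype:trojan-activity; sid:${baseSid + 2 * i}; rev:1;)`);
    rules.push(
      `alert udp $HOME_NET any -> any 53 (msg:"${codename} DNS query for ${d}"; ` +
      `content:"${dnsWireContent(d)}"; nocase; ` +
      `classtype:trojan-activity; sid:${baseSid + 2 * i + 1}; rev:1;)`);
  });
  return rules;
}

module.exports = { validate, yaraRule, dnsWireContent, snortRules };
```

Generated rules should still go through the same review as hand-written ones before they reach sensors; the bot's job is to remove the typing, not the review, and the SID base should be reserved in whatever local range the sensor fleet already uses.
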
  61. Force multiplier

  62. Deployment & Development

  63. Deployment
    Local or Heroku

  64. 3 Components
    brain + connector + scripts

  65. Development
    CoffeeScript on Node.js

  67. Docs Matter

  78. Hubot’s “Voice”

  79. In Conclusion…

  80. ChatOps can make incident response collaborative
    &
    Hubot VTR puts DFIR tools & tasks in chat

  81. Find Out More
    Hubot.GitHub.com
    &
    GitHub.com/sroberts/hubot-vtr-scripts

  82. Contact Me
    GitHub & Twitter: @sroberts
    sroberts.github.io

  83. Thanks!!!