Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Your Own DFIR Sidekick: THREADS Edition

Avatar for Scott J. Roberts Scott J. Roberts
November 14, 2014
Technology
1k
2

Building Your Own DFIR Sidekick: THREADS Edition

My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.

Avatar for Scott J. Roberts

Scott J. Roberts

November 14, 2014

More Decks by Scott J. Roberts

See All by Scott J. Roberts
LLM SATs FTW
Avatar for Scott J. Roberts sroberts
0
1.3k
STRAT - A System-Centric Approach to Cyber Resilience
Avatar for Scott J. Roberts sroberts
0
78
Tortured Responders Dept - Scott & Rebekah's Edition
Avatar for Scott J. Roberts sroberts
0
170
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
Avatar for Scott J. Roberts sroberts
0
190
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
Avatar for Scott J. Roberts sroberts
0
120
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
Avatar for Scott J. Roberts sroberts
0
110
Homemade Ramen & Threat Intelligence
Avatar for Scott J. Roberts sroberts
2
610
Introduction to Open Source Security Tools
Avatar for Scott J. Roberts sroberts
3
5.1k
Building Effective Threat Intelligence Sharing
Avatar for Scott J. Roberts sroberts
1
150

Other Decks in Technology

See All in Technology
Oracle AI Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.4k
Personal knowledge bases using LLM
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
250
TypeScriptとAngular Signal で実現する保守性の高いアプリケーション設計 - 3層アーキテクチャによる責務分離の実践(たつかわ) https://2026.tskaigi.org/talks/10
Avatar for Nealle nealle
1
170
freee-mcpを Local→Remote で出してわかった MCP認可実装のリアル
Avatar for てらら terara
2
450
ラズパイ & Picoで入門:Zephyr(RTOS)の環境構築からビルドまでの紹介
Avatar for misoji engineer iotengineer22
0
200
Geek Woman の育ち方 〜コミュニティとAIと〜
Avatar for chicaco chicaco
0
250
DI コンテナ自動生成ツールを実装してみた / intro-autodi
Avatar for uhzz uhzz
0
820
基礎から解説!Icebergで紐解くSnowflake×Databricks連携の現在地
Avatar for TomokiYasuhara cm_yasuhara
0
170
サプライチェーン攻撃への備えについて考えている #湘なんか
Avatar for すてにゃん stefafafan
3
2.3k
RubyでRuby拡張を書いたらRubyより35倍速になったってどういうこと??
Avatar for kazuho kazuho
3
540
論文紹介:Pixal3D (SIGGRAPH 2026)
Avatar for TakatoYoshikawa tenten0727
0
690
Claude Code x Accounting
Avatar for Yasunobu Kawaguchi kawaguti
PRO
0
270

Featured

See All Featured
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.3k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
170
DevOps and Value Stream Thinking: Enabling flow, efficiency and business value
Avatar for Helen Beal helenjbeal
1
190
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
200
Prompt Engineering for Job Search
Avatar for Mfonobong Umondia mfonobong
0
310
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
2
260
Paper Plane
Avatar for Katie Cordina Lindsey katiecoart
PRO
1
50k
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
460
Embracing the Ebb and Flow
Avatar for Simon Collison colly
88
5k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
29
4.2k
HTML-Aware ERB: The Path to Reactive Rendering @ RubyCon 2026, Rimini, Italy
Avatar for Marco Roth marcoroth
1
87

Transcript

  1. Building Your Own DFIR Sidekick ChatOps for Incident Response

  2. I do incident response @ GitHub Hi, I’m Scott

  3. He Does Basically Everything @ GitHub This is Hubot

  4. “making it easier to work together than to work alone….”

  5. ๏ CHatops & Incident Response ๏ Hubot Variable Threat Response

    ๏ Deploying & Developing Hubot

  6. A Brief Introduction to ChatOps

  7. What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal

    Experience

  8. So What Really is ChatOps?!

  9. None
  10. None

  11. Chat

  12. Chat

  13. None

  14. Why Chatops anyway?

  15. Geographically distributed

  16. None
  17. None

  18. asynchronous

  19. multi device

  20. None
  21. None
  22. None

  23. hides the “ugly” Or at least makes interfaces consistent

  24. “This was always my main motivation with Hubot - teaching

    by doing by making things visible.” - @Tomayko

  25. How GitHub Uses Chatops

  26. deploy & monitor servers via Puppet

  27. deploy & monitor Code via Capistrano & Jenkins CI

  28. Monitor Systems via Nagios

  29. None
  30. None

  31. Update our Status Site (Hopefully rarely)

  32. Lookup Funny pictures And Gifs Too!

  33. None

  34. Shoutout to MattJay

  35. So what about DFIR?! Hint: We were already Doing It

  36. Managing our pager alerts via pagerduty

  37. Showing Process Lists on Hosts

  38. Changing firewall rules

  39. getting whois information

  40. getting app logs & stats via Splunk & Graphite

  41. None

  42. “Swinging the BanHammer”

  43. Other “secret” stuff just come ask me if you’re curious

  44. “making it easier to work together than to work alone….”

  45. “making it easier to Respond to Incidents together than to

    Respond alone….”

  46. Hubot VTR

  47. Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions

    ๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)

  48. ๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis

  49. hubot-vtr modules for dfir

  50. Code name generator Because you can’t call it
 “That thing

    from January” forever

  51. Geolocating IPs But not for attribution...

  52. reverse dns lookups

  53. checking resource reputations mywot, Google, virustotal, & Opendns

  54. None

  55. research links generator Robtext, CentralOps, Hurricane Electric…

  56. server profiling via shodan

  57. None

  58. malware research via virustotal

  59. passive dns via virustotal

  60. detection generation via yara & Snort

  61. force multipler

  62. Deployment & Development

  63. Deployment Local Or Heroku

  64. 3 Components brain + Connector + Scripts

  65. Development CoffeeScript On NodeJs

  66. None

  67. Docs Matter

  68. None
  69. None
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None

  78. Hubot’s “Voice”

  79. In Conclusion…

  80. ChatOps can make incident response collaborative & Hubot VTR puts

    DFIR tools & tasks in chat

  81. Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts

  82. Contact Me github & twitter: @sroberts sroberts.github.io

  83. Thanks!!!

  84. None