Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building Your Own DFIR Sidekick: THREADS Edition
Search
Scott J. Roberts
November 14, 2014
Technology
2
890
Building Your Own DFIR Sidekick: THREADS Edition
My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.
Scott J. Roberts
November 14, 2014
Tweet
Share
More Decks by Scott J. Roberts
See All by Scott J. Roberts
LLM SATs FTW
sroberts
0
500
STRAT - A System-Centric Approach to Cyber Resilience
sroberts
0
24
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
120
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
120
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
74
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
51
Homemade Ramen & Threat Intelligence
sroberts
2
550
Introduction to Open Source Security Tools
sroberts
3
4.9k
Building Effective Threat Intelligence Sharing
sroberts
1
120
Other Decks in Technology
See All in Technology
claude codeでPrompt Engineering
iori0311
0
370
AIを使っていい感じにE2Eテストを書けるようになるまで / Trying to Write Good E2E Tests with AI
katawara
2
1.5k
ゼロから始めるSREの事業貢献 - 生成AI時代のSRE成長戦略と実践 / Starting SRE from Day One
shinyorke
PRO
0
230
MCP とマネージド PaaS で実現する大規模 AI アプリケーションの高速開発
nahokoxxx
1
1.4k
Shadow DOM & Security - Exploring the boundary between light and shadow
masatokinugawa
0
650
QAを早期に巻き込む”って どうやるの? モヤモヤから抜け出す実践知
moritamasami
2
170
Maintainer Meetupで「生の声」を聞く ~講演だけじゃないKubeCon
logica0419
1
160
Data Engineering Study#30 LT資料
tetsuroito
1
550
Snowflake のアーキテクチャは本当に筋がよかったのか / Data Engineering Study #30
indigo13love
0
240
会社もクラウドも違うけど 通じたコスト削減テクニック/Cost optimization strategies effective regardless of company or cloud provider
aeonpeople
2
130
OTel 公式ドキュメント翻訳 PJ から始めるコミュニティ活動/Community activities starting with the OTel official document translation project
msksgm
0
200
Step Functions First - サーバーレスアーキテクチャの新しいパラダイム
taikis
1
270
Featured
See All Featured
Designing for humans not robots
tammielis
253
25k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Art, The Web, and Tiny UX
lynnandtonic
301
21k
Become a Pro
speakerdeck
PRO
29
5.4k
Writing Fast Ruby
sferik
628
62k
Agile that works and the tools we love
rasmusluckow
329
21k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
5.9k
Typedesign – Prime Four
hannesfritz
42
2.7k
How to Ace a Technical Interview
jacobian
278
23k
GitHub's CSS Performance
jonrohan
1031
460k
Site-Speed That Sticks
csswizardry
10
710
Transcript
Building Your Own DFIR Sidekick ChatOps for Incident Response
I do incident response @ GitHub Hi, I’m Scott
He Does Basically Everything @ GitHub This is Hubot
“making it easier to work together than to work alone….”
๏ CHatops & Incident Response ๏ Hubot Variable Threat Response
๏ Deploying & Developing Hubot
A Brief Introduction to ChatOps
What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal
Experience
So What Really is ChatOps?!
None
None
Chat
Chat
None
Why Chatops anyway?
Geographically distributed
None
None
asynchronous
multi device
None
None
None
hides the “ugly” Or at least makes interfaces consistent
“This was always my main motivation with Hubot - teaching
by doing by making things visible.” - @Tomayko
How GitHub Uses Chatops
deploy & monitor servers via Puppet
deploy & monitor Code via Capistrano & Jenkins CI
Monitor Systems via Nagios
None
None
Update our Status Site (Hopefully rarely)
Lookup Funny pictures And Gifs Too!
None
Shoutout to MattJay
So what about DFIR?! Hint: We were already Doing It
Managing our pager alerts via pagerduty
Showing Process Lists on Hosts
Changing firewall rules
getting whois information
getting app logs & stats via Splunk & Graphite
None
“Swinging the BanHammer”
Other “secret” stuff just come ask me if you’re curious
“making it easier to work together than to work alone….”
“making it easier to Respond to Incidents together than to
Respond alone….”
Hubot VTR
Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions
๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)
๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis
hubot-vtr modules for dfir
Code name generator Because you can’t call it “That thing
from January” forever
Geolocating IPs But not for attribution...
reverse dns lookups
checking resource reputations mywot, Google, virustotal, & Opendns
None
research links generator Robtext, CentralOps, Hurricane Electric…
server profiling via shodan
None
malware research via virustotal
passive dns via virustotal
detection generation via yara & Snort
force multipler
Deployment & Development
Deployment Local Or Heroku
3 Components brain + Connector + Scripts
Development CoffeeScript On NodeJs
None
Docs Matter
None
None
None
None
None
None
None
None
None
None
Hubot’s “Voice”
In Conclusion…
ChatOps can make incident response collaborative & Hubot VTR puts
DFIR tools & tasks in chat
Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts
Contact Me github & twitter: @sroberts sroberts.github.io
Thanks!!!
None