Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Your Own DFIR Sidekick: THREADS Edition

Scott J. Roberts
November 14, 2014
Technology
2
850

Building Your Own DFIR Sidekick: THREADS Edition

My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.

Scott J. Roberts

November 14, 2014
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
STRAT - A System-Centric Approach to Cyber Resilience
sroberts
0
7
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
100
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
87
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
54
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
33
Homemade Ramen & Threat Intelligence
sroberts
2
520
Introduction to Open Source Security Tools
sroberts
3
4.9k
Building Effective Threat Intelligence Sharing
sroberts
1
120
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
120

Other Decks in Technology

See All in Technology
3月のAWSアップデートを5分間でざっくりと!
kubomasataka
0
110
食べログが挑む!飲食店ネット予約システムで自動テスト無双して手動テストゼロを実現する戦略
hagevvashi
3
410
LangChainとLangGiraphによるRAG・AIエージェント実践入門「10章 要件定義書生成Alエージェントの開発」輪読会スライド
takaakiinada
0
140
Dynamic Reteaming And Self Organization
miholovesq
2
160
バックオフィス向け toB SaaS バクラクにおけるレコメンド技術活用 / recommender-systems-in-layerx-bakuraku
yuya4
5
500
AWSで作るセキュアな認証基盤with OAuth mTLS / Secure Authentication Infrastructure with OAuth mTLS on AWS
kaminashi
0
110
Стильный код: натуральный поиск редких атрибутов по картинке. Юлия Антохина, Data Scientist, Lamoda Tech
lamodatech
0
680
20250413_湘南kaggler会_音声認識で使うのってメルス・・・なんだっけ?
sugupoko
1
460
Would you THINK such a demonstration interesting ?
shumpei3
1
200
CBになったのでEKSのこともっと知ってもらいたい!
daitak
1
160
20250408 AI Agent workshop
sakana_ai
PRO
15
3.8k
Classmethod AI Talks(CATs) #20 司会進行スライド(2025.04.10) / classmethod-ai-talks-aka-cats_moderator-slides_vol20_2025-04-10
shinyaa31
0
150

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k
The Invisible Side of Design
smashingmag
299
50k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k
Rails Girls Zürich Keynote
gr2m
94
13k
Agile that works and the tools we love
rasmusluckow
328
21k
The World Runs on Bad Software
bkeepers
PRO
67
11k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
19
1.1k
Speed Design
sergeychernyshev
29
890
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.2k
Unsuck your backbone
ammeep
670
57k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
119
51k

Transcript

  1. Building Your Own DFIR Sidekick ChatOps for Incident Response

  2. I do incident response @ GitHub Hi, I’m Scott

  3. He Does Basically Everything @ GitHub This is Hubot

  4. “making it easier to work together than to work alone….”

  5. ๏ CHatops & Incident Response ๏ Hubot Variable Threat Response

    ๏ Deploying & Developing Hubot

  6. A Brief Introduction to ChatOps

  7. What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal

    Experience

  8. So What Really is ChatOps?!

  9. None
  10. None

  11. Chat

  12. Chat

  13. None

  14. Why Chatops anyway?

  15. Geographically distributed

  16. None
  17. None

  18. asynchronous

  19. multi device

  20. None
  21. None
  22. None

  23. hides the “ugly” Or at least makes interfaces consistent

  24. “This was always my main motivation with Hubot - teaching

    by doing by making things visible.” - @Tomayko

  25. How GitHub Uses Chatops

  26. deploy & monitor servers via Puppet

  27. deploy & monitor Code via Capistrano & Jenkins CI

  28. Monitor Systems via Nagios

  29. None
  30. None

  31. Update our Status Site (Hopefully rarely)

  32. Lookup Funny pictures And Gifs Too!

  33. None

  34. Shoutout to MattJay

  35. So what about DFIR?! Hint: We were already Doing It

  36. Managing our pager alerts via pagerduty

  37. Showing Process Lists on Hosts

  38. Changing firewall rules

  39. getting whois information

  40. getting app logs & stats via Splunk & Graphite

  41. None

  42. “Swinging the BanHammer”

  43. Other “secret” stuff just come ask me if you’re curious

  44. “making it easier to work together than to work alone….”

  45. “making it easier to Respond to Incidents together than to

    Respond alone….”

  46. Hubot VTR

  47. Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions

    ๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)

  48. ๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis

  49. hubot-vtr modules for dfir

  50. Code name generator Because you can’t call it
 “That thing

    from January” forever

  51. Geolocating IPs But not for attribution...

  52. reverse dns lookups

  53. checking resource reputations mywot, Google, virustotal, & Opendns

  54. None

  55. research links generator Robtext, CentralOps, Hurricane Electric…

  56. server profiling via shodan

  57. None

  58. malware research via virustotal

  59. passive dns via virustotal

  60. detection generation via yara & Snort

  61. force multipler

  62. Deployment & Development

  63. Deployment Local Or Heroku

  64. 3 Components brain + Connector + Scripts

  65. Development CoffeeScript On NodeJs

  66. None

  67. Docs Matter

  68. None
  69. None
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None

  78. Hubot’s “Voice”

  79. In Conclusion…

  80. ChatOps can make incident response collaborative & Hubot VTR puts

    DFIR tools & tasks in chat

  81. Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts

  82. Contact Me github & twitter: @sroberts sroberts.github.io

  83. Thanks!!!

  84. None